Midnight Blizzard Attack on Microsoft: Key Lessons for Strengthening Your SaaS Security
From November 2023 to January 2024, the Midnight Blizzard cyberattack targeted Microsoft’s Azure Active Directory (Entra ID) and Exchange Online, exploiting vulnerabilities in password management and OAuth applications. This breach exfiltrated sensitive data, underlining the need for stronger SaaS security.
What Happened During the Midnight Blizzard Attack?
A Russian-backed hacker group known as Midnight Blizzard (also known as Nobelium or APT29) planned and carried out the attack on Microsoft’s systems, starting with one of Microsoft’s test tenants. Using a password spraying attack, they compromised an account in that test tenant.
Password spraying is not sophisticated in itself, but it remains a very effective way to breach accounts protected by weak passwords. Brute force attacks try many different passwords against one account, and most identity and access management solutions defeat them by rate limiting failed attempts per account. That per-account rate limiting is typically effective against brute force.
Password spraying sidesteps the per-account rate limit: the attacker tries only a few well-known or breached passwords, but against a wide range of user accounts. Each account sees only a handful of failures, so the activity can fly under the radar without triggering lockouts on failed logins.
Midnight Blizzard aimed its password spraying at Azure AD, now Entra ID. This is not surprising: the service provides the core identity and access management capabilities for essentially all Microsoft cloud services, making it a high-value target for attackers who want to take over user accounts, escalate privileges, and establish persistence.
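The difference described above is easiest to see in detection logic. The following added example (not code from the article or from Microsoft) runs two detectors over a constructed sign-in log: a per-account lockout counter, which a spray slips past, and a per-source-IP detector that counts distinct failing accounts, which catches it. Log format, IP addresses and thresholds are all assumptions.

```python
"""Added example (constructed log, not from the article): per-account lockout
vs. a source-IP spray detector. A spray keeps each account under the lockout
threshold; counting distinct failing accounts per source IP exposes it."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
LOCKOUT_THRESHOLD = 5    # failures per account before lockout (assumed policy)
SPRAY_MIN_ACCOUNTS = 5   # distinct accounts failing from one IP (assumed tuning)

def parse(line):
    """Constructed line format: '<iso-timestamp> <user> <source-ip> <OK|FAIL>'."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result

def failures(lines):
    """Failed sign-ins in time order as (timestamp, user, ip)."""
    return sorted((ts, u, ip) for ts, u, ip, r in map(parse, lines) if r == "FAIL")

def per_account_lockouts(lines):
    """Accounts a per-account threshold would lock: blind to spraying."""
    recent, locked = defaultdict(deque), set()
    for ts, user, _ip in failures(lines):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= LOCKOUT_THRESHOLD:
            locked.add(user)
    return locked

def detect_spray(lines):
    """Map source IP -> distinct accounts it failed against within WINDOW."""
    recent, flagged = defaultdict(deque), {}
    for ts, user, ip in failures(lines):
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        accounts = {u for _, u in q}
        if len(accounts) >= SPRAY_MIN_ACCOUNTS:
            flagged[ip] = accounts
    return flagged

# Constructed sample: one IP tries 2 passwords against 8 accounts (a spray);
# another hammers a single account 6 times (classic brute force).
SPRAY_IP, BRUTE_IP = "203.0.113.9", "198.51.100.7"
T0 = datetime(2024, 1, 12, 3, 0, 0)
SAMPLE_LOG = [f"{(T0 + timedelta(seconds=i)).isoformat()} user{i % 8}@example.test {SPRAY_IP} FAIL"
              for i in range(16)]
SAMPLE_LOG += [f"{(T0 + timedelta(seconds=i)).isoformat()} alice@example.test {BRUTE_IP} FAIL"
               for i in range(6)]
```

Running both detectors on the sample locks only the brute-forced account, while the spraying IP is flagged with all eight accounts it touched even though no single account crossed the lockout threshold.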
After getting control of an account in the test tenant, the attackers began moving laterally and started targeting elevated accounts and sensitive services within the test environment, before moving to compromise a highly privileged production environment.
Below is an overview of how the attack progressed. We will examine how things unfolded in more detail.
Legacy OAuth application compromised
One of the group’s targets was a legacy OAuth application that evidently had privileged access in the Microsoft environment. Since Midnight Blizzard was able to compromise the legacy OAuth app, it is safe to say the initially compromised account had the privilege to create new secrets and certificates for OAuth applications in the test tenant.
Those privileges allowed the group to authenticate as the OAuth app and act on its behalf, including creating additional admin accounts and further malicious OAuth applications.
The real problem was that the OAuth application had been granted consent by a highly privileged Entra ID user in a production environment. The permissions that user consented to included privileged Microsoft Graph API permissions, such as:
- Directory.ReadWrite.All – allows creating users in the corporate tenant
- RoleManagement.ReadWrite.Directory – allowed the attackers to assign the Global Administrator role to users
Because a user in the production environment had consented to the permissions requested by the now-compromised OAuth app, these permissions let the attackers create new Entra ID users in the corporate tenant and assign them high-level roles, including Global Administrator, which has unrestricted access.
Exchange Online data exfiltration
Because the attackers’ compromised OAuth application had been consented to by a highly privileged production Entra ID user, they could broaden the scope of the compromise to the corporate production tenant. As mentioned, the permissions consented to by that production user let them create new users and even escalate privileged roles.
One of the permissions they were able to grant themselves was full_access_as_app. This application permission gives an application programmatic access to every Exchange mailbox in the organization. How was this carried out? Likely using the following steps:
- Additional malicious OAuth applications – With the compromised privileges, the attackers created additional OAuth applications that likely looked legitimate but had the ability to access sensitive data.
- Full mailbox access granted – With the AppRoleAssignment.ReadWrite.All permission, the attackers could grant full_access_as_app to their own apps, giving access to mailbox data including emails, attachments, and other communications.
- Corporate mailbox access – With these permissions in place, the attackers used the malicious OAuth apps to obtain tokens, log in to Exchange Online APIs, and download email data. This activity is hard to detect and would not have triggered traditional security alerts.
Lack of OAuth application monitoring
The Midnight Blizzard attack sheds light on a very serious cybersecurity oversight: the lack of OAuth application monitoring and risk assessment. OAuth authentication and application integration make it much easier to prove your identity to an application without having to reveal your password.
However, the downside is that if the consent granted to an OAuth application is not properly vetted from a security standpoint, even legitimate applications can request very high-level permissions that put sensitive data at risk of breach, exfiltration, or even a ransomware attack.
Organizations operating in SaaS environments like Microsoft 365 must have clear visibility into the OAuth applications integrated into their environment. They need to understand the permissions these applications have, what data they can access, and have the ability to take control and block any application that becomes compromised or malicious. By adhering to Microsoft 365 security best practices—such as securing OAuth applications, enforcing MFA, and continuously assessing their environment—organizations can significantly strengthen their defenses.
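The visibility this section calls for, and the permission chain walked through in the two previous sections (Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All and full_access_as_app), can be turned into a concrete audit. The following added example (not Microsoft’s or SpinOne’s code) runs over a constructed, simplified snapshot of a tenant’s service principals and reports apps holding those permissions, plus the takeover signal the article describes: a legacy app that suddenly gains a fresh secret or certificate. The snapshot shape, app names and the 30-day and one-year thresholds are assumptions.

```python
"""Added example (constructed data, not Microsoft's or SpinOne's code): audit a
simplified snapshot of OAuth apps for the permissions the article names and
for legacy apps that recently received new credentials."""
from datetime import date

# Permissions the article names, grouped by what they let the holder do.
ESCALATION = {"RoleManagement.ReadWrite.Directory", "AppRoleAssignment.ReadWrite.All"}
DIRECTORY_WRITE = {"Directory.ReadWrite.All"}
MAILBOX_WIDE = {"full_access_as_app"}
HIGH_RISK = ESCALATION | DIRECTORY_WRITE | MAILBOX_WIDE
NEW_CRED_DAYS = 30     # assumed tuning: credential added within this many days
LEGACY_DAYS = 365      # assumed tuning: app registered more than a year ago

def audit(snapshot, today_iso):
    """Return (app name, finding) tuples for every risk condition present."""
    today = date.fromisoformat(today_iso)
    age = lambda iso: (today - date.fromisoformat(iso)).days
    findings = []
    for app in snapshot:
        perms = set(app["app_permissions"])
        if perms & ESCALATION:
            findings.append((app["name"], "can assign roles or grant app permissions"))
        if perms & DIRECTORY_WRITE:
            findings.append((app["name"], "can create or modify directory users"))
        if perms & MAILBOX_WIDE:
            findings.append((app["name"], "can read every Exchange Online mailbox"))
        # Takeover signal: an old, high-privilege app just gained a fresh credential.
        fresh = [c for c in app["credentials"] if age(c["added"]) <= NEW_CRED_DAYS]
        if fresh and age(app["created"]) > LEGACY_DAYS and perms & HIGH_RISK:
            findings.append((app["name"], f"legacy app got {len(fresh)} new credential(s)"))
    return findings

SNAPSHOT = [  # constructed tenant snapshot; not real applications
    {"name": "legacy-sync-tool", "created": "2017-03-01",
     "app_permissions": ["Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"],
     "credentials": [{"added": "2017-03-01"}, {"added": "2023-11-20"}]},
    {"name": "mail-archiver", "created": "2023-12-05",
     "app_permissions": ["full_access_as_app"],
     "credentials": [{"added": "2023-12-05"}]},
    {"name": "hr-reporting", "created": "2021-06-10",
     "app_permissions": ["User.Read.All"],
     "credentials": [{"added": "2023-11-25"}]},
]

if __name__ == "__main__":
    for name, finding in audit(SNAPSHOT, "2023-12-10"):
        print(f"{name}: {finding}")
```

In the sample, the legacy app is reported three times (two dangerous permissions plus the fresh credential), the mailbox app once for its tenant-wide mailbox access, and the read-only reporting app not at all even though it also got a recent credential.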
Shedding light on the challenges
The Midnight Blizzard compromise of one of Microsoft’s own corporate environments shows just how difficult it can be for organizations to detect these types of attacks and effectively prevent data exfiltration. What challenges do we see?
- Cloud security can be difficult – Traditional defenses are no longer effective against attackers who compromise identity and access management systems such as Microsoft Entra ID.
- Identity is the new attack vector – Since cloud resource authorization is based on the identity of the user, identity is sure to be the focus of modern cloud attacks. Identity is the new security perimeter, and identity systems such as Microsoft Entra ID must be protected and validated at every level.
- The costs of a breach are enormous – Modern data breach events lead to significant financial consequences for organizations, including regulatory fines. Long-term damage can take the form of lost customer confidence or other negative publicity following a data breach or cyberattack.
What do we learn as a result of the Midnight Blizzard attack?
| Key Takeaway | Details |
| --- | --- |
| Enforce Universal MFA | MFA (multi-factor authentication) should now be the default and standard for identity-based systems, especially for administrative and privileged accounts. Adaptive MFA policies, such as those in Microsoft Entra ID, can also factor in location and device to enforce MFA when login activity is likely malicious. |
| Monitor OAuth Applications | Continuously monitor and assess the risk of OAuth applications. Audit the scope of access to data and reassess risks as apps evolve. |
| Implement Strong Password Policies | Require strong, complex passwords. Disallow commonly guessed or breached passwords to blunt password spraying attacks. |
| Invest in Real-Time Threat Detection | Utilize real-time monitoring. Deploy AI-driven solutions to detect anomalous behavior, such as password spraying or unusual OAuth app registrations. |
How an Advanced SaaS Security Solution Could Have Prevented the Midnight Blizzard Attack
Thinking about how the Midnight Blizzard attack could have been discovered and mitigated, we see the need for visibility and automated breach response. SpinOne is a cybersecurity solution for cloud environments such as Microsoft 365 and Google Workspace, with capabilities that directly mitigate the weaknesses exploited in the Midnight Blizzard attack and other modern cloud-based attacks.
Note the following SpinOne features that can help organizations protect against identity-based attacks:
- Recommend and Monitor MFA Status Across All Accounts – In the Midnight Blizzard attack, MFA was lacking in the compromised test environment. Due to the lack of MFA enforcement, the Midnight Blizzard attackers were able to proceed without difficulty through the test environment and into the Microsoft corporate environment. SpinOne provides continuous monitoring of MFA settings across user accounts, giving visibility and making sure all accounts meet universal MFA compliance. This is a direct mitigation against password spraying attacks.
- Alert and Automated Response to Password Spraying – In addition to MFA monitoring, SpinOne uses advanced behavior analytics to detect login attempts that are classic signs of password spraying attacks. When these are detected, it can trigger automated actions like account lockout, IP blacklisting, or password resets.
- Automated Third-party app scans – Third-party applications integrated into modern cloud environments are often a blind spot for many organizations. SpinOne helps protect businesses against this risk by continuously monitoring app registrations in the cloud environment and flagging those that request elevated permissions. Using an intelligent risk-based score, SpinOne lets organizations control which applications are allowed or blocked in the environment through granular policies.
- Detection and Automated Response to Data Leaks – Data exfiltration is a common “next step” for attackers that have compromised an environment. SpinOne’s data protection features help to detect unusual file access patterns, bulk downloads, or large-scale data changes. It can revoke access and alert admins when anomalous file behaviors occur.
- Automated Risk Assessments – SpinOne provides continuous automated risk assessments of cloud environments. These include identifying risky configurations and risky third-party SaaS applications and browser extensions.
- Ransomware Protection and Response – It offers advanced ransomware protection that proactively stops a ransomware attack when it begins and automatically restores any affected data. It has one of the lowest SLAs in the industry for getting your data back, at 2 hours.
- Insider threat detection – It helps shed light on insider threats, including suspicious data downloads, and provides sensitive data leak detection.
Key Benefits of SpinOne for Protecting Your SaaS Environment:
- Visibility & Control: Continuous monitoring of MFA settings, third-party apps, and user behaviors.
- Automation: Automated threat detection and response to minimize manual intervention and accelerate breach containment.
- Comprehensive Coverage: Protection against password spraying, data leaks, ransomware, insider threats, and more.
- Rapid Recovery: Quick ransomware data restoration with one of the lowest industry SLAs.
Wrapping up
The Midnight Blizzard attack on Microsoft serves as a reminder that no organization is immune. Even organizations with the technical defenses and expertise such as Microsoft can be compromised by skilled attack groups that take advantage of the smallest vulnerabilities and oversights in security defenses.
In today’s modern cloud-driven world, privileged identities are the crown jewels for threat actors looking to compromise sensitive data. They can use many different ways to compromise identity, including password spraying, phishing attacks, and malicious OAuth applications.
SpinOne helps organizations stay ahead of the curve with artificial intelligence and machine learning capabilities to back up critical data, monitor in real time, run continuous risk assessments, and protect against ransomware. By using the capabilities of SpinOne, organizations can drastically reduce their risk exposure and protect their data from modern cyber threats. In the case of the Midnight Blizzard attack, SpinOne’s defenses would have given visibility into the attack and protected the corporate environment from the malicious OAuth application.
To learn more about SpinOne’s modern cybersecurity solution for your SaaS data, schedule a demo here: Request a Demo of SpinOne SaaS Data Protection Platform.