On January 12th Microsoft first detected a breach by Russian-backed nation-state hackers that had been launched in November 2023; 5 months later, the sustained attack persists. Based on the information disclosed so far, we can piece together the steps the attackers are known to have taken and what they mean for Microsoft and its customers. The attack highlights that still-active legacy services and leaked secrets remain a persistent threat to every company.

Stage 1 - Initial access: Attack against legacy non-production test tenant account 

The threat actors gained initial access by targeting a legacy non-production tenant account. A tenant account is a dedicated instance of the Microsoft 365 services in which an organization's data is stored at a specific default location. Because this particular account was legacy, meaning it was no longer in use, it may have had limited security controls around it, which still allowed the attacker to run a password spray attack, compromise the account and gain a foothold.

“Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold” Microsoft - Source
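The distinguishing trait of a password spray is the one described above: few attempts per account (so no lockout fires) but many distinct accounts from one source, often followed by a single success against a forgotten account. The following detection script is an added example, not code from the original post or from Microsoft; the JSON-lines sign-in format, the IP addresses and the account names are constructed for the example, and the thresholds are assumptions to be tuned against your own logs.

```python
"""Flag password-spray activity in sign-in logs (added example).

A password spray tries one or two common passwords against many accounts,
so each account sees only a failure or two and never trips a lockout. The
signal that survives is a single source producing failed sign-ins for many
distinct accounts in a short window, often followed by one success.

The log lines below are constructed for this example; the JSON-lines layout
is hypothetical and not the schema of any real sign-in log.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
{"ts": "2023-11-20T02:00:01Z", "ip": "203.0.113.7", "user": "alice@corp.example", "result": "failure"}
{"ts": "2023-11-20T02:00:02Z", "ip": "203.0.113.7", "user": "bob@corp.example", "result": "failure"}
{"ts": "2023-11-20T02:00:03Z", "ip": "203.0.113.7", "user": "carol@corp.example", "result": "failure"}
{"ts": "2023-11-20T02:00:04Z", "ip": "203.0.113.7", "user": "dave@corp.example", "result": "failure"}
{"ts": "2023-11-20T02:00:05Z", "ip": "203.0.113.7", "user": "erin@corp.example", "result": "failure"}
{"ts": "2023-11-20T02:00:06Z", "ip": "203.0.113.7", "user": "test-legacy@corp.example", "result": "success"}
{"ts": "2023-11-20T02:10:00Z", "ip": "198.51.100.5", "user": "frank@corp.example", "result": "failure"}
{"ts": "2023-11-20T02:10:05Z", "ip": "198.51.100.5", "user": "frank@corp.example", "result": "failure"}
{"ts": "2023-11-20T02:10:09Z", "ip": "198.51.100.5", "user": "frank@corp.example", "result": "success"}
"""


def parse_log(text):
    """Parse JSON-lines sign-in events, converting timestamps to datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_spray(events, window=timedelta(minutes=15), min_accounts=5):
    """Return {ip: {"accounts": [...], "succeeded": [...]}} for every source IP
    whose failed sign-ins touched at least `min_accounts` distinct accounts
    inside any sliding `window`. "succeeded" lists accounts that signed in
    successfully from the same IP after the spray began: the likely foothold."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failure"]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the span fits inside `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            accounts = {e["user"] for e in failures[start:end + 1]}
            if len(accounts) >= min_accounts:
                first_failure = failures[start]["ts"]
                succeeded = sorted({e["user"] for e in evs
                                    if e["result"] == "success"
                                    and e["ts"] >= first_failure})
                alerts[ip] = {"accounts": sorted(accounts), "succeeded": succeeded}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"spray from {ip}: {len(info['accounts'])} accounts targeted, "
              f"successful sign-ins afterwards: {info['succeeded'] or 'none'}")
```

Two caveats for real deployments: a per-IP rule misses sprays spread thinly across many source addresses, so also watch the tenant-wide rate of distinct accounts failing per window; and the rule is only as good as its coverage, so legacy and test tenants must either ship their sign-in logs to the same place or be decommissioned.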

Stage 2 - Pivot into email accounts

Using the permissions of that account, they were then able to gain access to multiple Microsoft email accounts, “including members of our senior leadership team and employees in our cybersecurity, legal, and other functions” - Source

Stage 3 - Exfiltration of email data, discovery of secrets 

Once the attackers were inside the email accounts, they were able to exfiltrate email data which Microsoft has stated contained secrets, including secrets belonging to Microsoft customers.

“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found” - Microsoft Source

Stage 4 - Pivot into internal systems and source code 

The latest development we know of is that the threat actors were able to access the private source code repositories of some Microsoft services. At this stage it is unclear which repositories the threat actors gained access to or which Microsoft departments they belong to. Source code is a valuable asset for attackers because it is known to contain many secrets, which may allow the attackers to get deeper into Microsoft’s internal systems. It could also expose further vulnerabilities the attackers may be able to target.

“This has included access to some of the company’s source code repositories and internal systems” - Source

Exactly how the threat actors gained access to the source code isn’t yet known, but we can assume it was likely through an identity shared with the compromised email accounts or through stolen secrets discovered while exfiltrating data.

Lessons learned

While this attack is suspected to be the work of Midnight Blizzard (also known as NOBELIUM), a well-funded and very sophisticated group, access was obtained by exploiting two basic security weaknesses: forgotten legacy systems and plain text secrets. Legacy systems are high-value targets for attackers because, even if they appear to have no critical functionality, attackers can use them to move laterally, particularly when they are over-privileged, as appears to have been the case here.

The other basic security weakness the attackers were able to exploit was plain text secrets in internal systems. Secrets like certificates, passwords or API keys are the easiest way for an attacker to move from one system to another undetected. Secrets should be tightly controlled and stored in secret management systems under strict access control. If they sprawl in plain text across different places, it is only a matter of time before a bad actor finds and abuses them. When dealing with secrets, the best way to avoid a breach is to scan for secrets yourself, rotate secrets regularly and only share secrets through dedicated tooling.

Risks to Microsoft's customers

Some customers' secrets were discovered in the emails accessed by the threat actors. Microsoft has stated that it has reached out to all the affected customers, so it is unclear who else may be affected.

Good advice to any customers who are concerned they might be affected is to implement good secrets practices: scan your own networks for plain text secrets that may have sprawled, and rotate secrets (or better yet, implement a regular rotation policy).
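Both the "scan for secrets yourself" advice in the lessons above and the advice to customers here come down to the same task: finding credentials sitting in plain text in mailboxes, repositories and files. The scanner below is an added example, not the post's or any vendor's tool; it combines fixed-format patterns for well-known credential types with a Shannon-entropy check for opaque strings the patterns do not know. The email excerpt it scans is constructed for the example, and the two AWS values in it are the placeholder keys AWS uses in its own documentation, which grant nothing.

```python
"""Scan text for plain text secrets (added example, not the page's code).

Two complementary detectors: fixed-format patterns for well-known credential
types, and a Shannon-entropy check that catches opaque high-entropy strings
the patterns do not know about. SAMPLE_TEXT is a constructed email excerpt;
the AWS values in it are the placeholder keys AWS uses in its own
documentation and grant nothing.
"""
import math
import re

SAMPLE_TEXT = """\
Hi team, here are the creds for the staging box:
db_password = "Summer2023!"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
also the build ID is build-2023-11-20 and the version string is v1.2.3
"""

# Fixed-format detectors: (name, compiled regex). Group 1 is the secret value.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("github_token", re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b")),
    ("private_key_block", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
    ("password_assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*[\"']?([^\s\"']+)")),
]

# Opaque tokens: 20+ characters drawn from the usual credential alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; identifiers and words sit well below this


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep enough of the value to locate it, never enough to reuse it."""
    return value[:4] + "…" if len(value) > 4 else "…"


def scan_text(text):
    """Return findings as {"line": n, "detector": name, "redacted": str}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append({"line": lineno, "detector": name,
                                 "redacted": redact(m.group(1))})
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "detector": "high_entropy",
                                 "redacted": redact(tok)})
    return findings


def detectors_on_line(findings, lineno):
    """Set of detector names that fired on a given line."""
    return {f["detector"] for f in findings if f["line"] == lineno}


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f['line']:>2}  {f['detector']:<20} {f['redacted']}")
```

The scanner reports only a redacted prefix, so its own output does not become another copy of the secret. Anything it finds should be treated as already exposed: rotate first, then remove the plain text copy, because deleting the file or email does nothing for whoever has already read it.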

Prevention 

If you are wondering what you can do to prevent an attack like this on your own systems, there are three key takeaways:

One of the biggest challenges we face is knowing which systems an attacker has access to. HoneyTokens are fake credentials you can place anywhere to alert you when an attacker uses them. In this case, HoneyTokens placed in the emails or even the source code could have quickly identified where the attacker had moved.
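The mechanism behind that takeaway, as an added example rather than code from the post or from any honeytoken product: a registry records where each fake credential was planted and keeps only a hash of it, and the service gateway consults the registry before real authentication, so a single use of a token tells you which mailbox or repository the intruder has read. The class, the gateway function, the planting locations and the key format are all constructed for this example; the `real_keys` set stands in for whatever a real service validates against.

```python
"""Plant and watch HoneyTokens (added example; not the page's code).

A honeytoken is a credential that grants nothing but is registered, along
with where it was planted, so that any attempt to use it tells you which
mailbox, repository or file an intruder has read. The registry below keeps
only hashes of the tokens, and the gateway function consults it before real
authentication. All names, locations and keys are constructed for the example.
"""
import hashlib
import secrets
import string
from datetime import datetime, timezone


class HoneytokenRegistry:
    """Maps sha256(token) -> planting metadata and collects alerts."""

    ALPHABET = string.ascii_uppercase + string.digits

    def __init__(self):
        self._planted = {}
        self.alerts = []

    @staticmethod
    def _fingerprint(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def plant(self, location):
        """Mint a token shaped like an AWS access key ID (AKIA + 16 chars) that
        is bound to no account, remember where it is going, and return it."""
        token = "AKIA" + "".join(secrets.choice(self.ALPHABET) for _ in range(16))
        self._planted[self._fingerprint(token)] = {
            "location": location,
            "planted_at": datetime.now(timezone.utc),
        }
        return token

    def check(self, presented, source_ip):
        """Return an alert dict if `presented` is a planted token, else None."""
        meta = self._planted.get(self._fingerprint(presented))
        if meta is None:
            return None
        alert = {
            "location": meta["location"],   # where the intruder has been reading
            "source_ip": source_ip,
            "seen_at": datetime.now(timezone.utc),
        }
        self.alerts.append(alert)
        return alert


def handle_api_request(registry, presented_key, source_ip, real_keys):
    """Gateway decision: a honeytoken is rejected and alerted on before any real
    lookup; unknown keys are rejected quietly; genuine keys are accepted.
    `real_keys` stands in for whatever the service normally validates against."""
    alert = registry.check(presented_key, source_ip)
    if alert is not None:
        return {"allowed": False, "alert": alert}
    return {"allowed": presented_key in real_keys, "alert": None}


if __name__ == "__main__":
    reg = HoneytokenRegistry()
    mail_token = reg.plant("mailbox:ciso@corp.example/drafts")
    repo_token = reg.plant("repo:payments-service/config/settings.yaml")
    real = {"AKIA" + "R" * 16}   # constructed stand-in for a genuine key
    print(handle_api_request(reg, repo_token, "203.0.113.7", real))
    print(handle_api_request(reg, "AKIA" + "Z" * 16, "203.0.113.7", real))
    print(handle_api_request(reg, next(iter(real)), "198.51.100.5", real))
```

A self-hosted registry like this only fires when the token is presented to a service you control; canary credentials issued by a cloud provider or a dedicated canary service fire wherever they are used, which is what makes them suitable for planting in email. Either way the registry and its alert log must live outside the systems being watched, and every alert should be read together with its planting location, since that location is the map of where the intruder has already been.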