Microsoft Corporate Email Hack Drives Change

Last Updated:
April 4, 2024


A recent hack of Microsoft® corporate email accounts has persuaded Microsoft to make a fundamental shift in its approach to corporate cybersecurity.

The Hack

On January 12, 2024, Microsoft’s security team detected an attack on its corporate systems and immediately activated its response process to investigate, mitigate and shut down the attack. Microsoft’s investigation found that the attack began in late November 2023 with a password spray attack, in which the adversary tries a small number of common or likely passwords against a large number of accounts, staying below each account’s lockout threshold (unlike a classic brute force attack, which hammers a single account with many guesses). The spray succeeded against a legacy, non-production test tenant account.

From there, the threat actor used the legacy account’s permissions to access the email accounts and attached documents of Microsoft senior leadership and employees working primarily in cybersecurity and legal-related functions.

Microsoft identified the threat actor as Midnight Blizzard (also known as Nobelium and APT29), a group attributed to Russia’s Foreign Intelligence Service (SVR). Nobelium was responsible for the SolarWinds supply-chain compromise disclosed in December 2020, in which a trojanized update to SolarWinds® Orion software was used to reach at least nine U.S. federal agencies and read their unclassified email, reportedly to track how the U.S. government was responding to Nobelium’s intrusions.

Similar to the SolarWinds attack, Microsoft’s investigation into the Microsoft corporate systems attack revealed that the threat actor was seeking information related to Midnight Blizzard itself.

Microsoft shared initial details of the attack in a January 19th Microsoft Security Response Center post, then published response guidance in a January 25th post from Microsoft Threat Intelligence. The guidance post revealed that Midnight Blizzard has been targeting other global technology companies in addition to Microsoft. This was borne out by a January 2024 Form 8-K filing by Hewlett Packard Enterprise (HPE) with the SEC disclosing that Midnight Blizzard had gained access to HPE’s cloud-hosted email environment beginning in May 2023.

How Did the Hack Happen?

As noted above, the Microsoft email hack used a password spray attack to compromise a legacy non-production test tenant account. This account broke two fundamental cybersecurity rules. First, the account used a weak password that appeared in the attacker’s spray list. Second, the account did not have multi-factor authentication (MFA) enabled, so a single correct guess was enough to sign in.

Microsoft admitted in its January 25th post that if that legacy account had been deployed today, standard Microsoft policy and workflows would have ensured that MFA was in place.
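The password spray pattern described above (many accounts, few guesses each, one source) is visible in sign-in telemetry if you look for it. The following detection is an added example written for this post, not Microsoft’s code or detection logic; it runs over a small constructed log, the field layout (timestamp, user, source IP, result) is assumed, and the thresholds are starting points you would tune against your own baseline. In a real tenant the same logic would be fed from Entra ID sign-in logs rather than a text file.

```python
"""Detect password-spray patterns in sign-in logs (added example).

Spray signature: one source hits MANY distinct accounts with FEW
attempts each (usually 1-3) inside a short window, which keeps every
account below its lockout threshold. A classic brute force is the
opposite shape: many attempts against ONE account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real telemetry. Columns: ts user src result
SAMPLE_LOG = """\
2023-11-03T02:00:01Z alice    203.0.113.7  failure
2023-11-03T02:00:04Z bob      203.0.113.7  failure
2023-11-03T02:00:07Z carol    203.0.113.7  failure
2023-11-03T02:00:10Z dave     203.0.113.7  failure
2023-11-03T02:00:13Z erin     203.0.113.7  failure
2023-11-03T02:00:16Z frank    203.0.113.7  failure
2023-11-03T02:00:19Z testuser 203.0.113.7  success
2023-11-03T02:00:22Z grace    203.0.113.7  failure
2023-11-03T02:05:00Z alice    198.51.100.9 failure
2023-11-03T02:05:03Z alice    198.51.100.9 failure
2023-11-03T02:05:06Z alice    198.51.100.9 failure
2023-11-03T02:05:09Z alice    198.51.100.9 failure
2023-11-03T02:05:12Z alice    198.51.100.9 failure
2023-11-03T02:05:15Z alice    198.51.100.9 failure
2023-11-03T02:05:18Z alice    198.51.100.9 failure
2023-11-03T02:05:21Z alice    198.51.100.9 failure
2023-11-03T09:15:00Z bob      192.0.2.44   success
"""


def parse_log(text):
    """Parse the assumed whitespace-separated layout into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src": src, "result": result,
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_attempts_per_account=3):
    """Return {source_ip: finding} for sources whose failures look like a spray.

    A finding also lists accounts that had a SUCCESSFUL sign-in from the
    same source during or shortly after the spray window: those are the
    accounts whose password was in the attacker's list.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "failure"]
        best = None
        start = 0
        for end in range(len(failures)):          # sliding time window
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            chunk = failures[start:end + 1]
            accounts = {e["user"] for e in chunk}
            if len(accounts) < min_accounts:
                continue
            if len(chunk) / len(accounts) > max_attempts_per_account:
                continue  # many tries per account: brute force, not spray
            w_start, w_end = chunk[0]["ts"], chunk[-1]["ts"]
            compromised = sorted({
                e["user"] for e in evs
                if e["result"] == "success" and w_start <= e["ts"] <= w_end + window
            })
            candidate = {
                "accounts_targeted": len(accounts),
                "failed_attempts": len(chunk),
                "accounts_with_success": compromised,
            }
            if best is None or candidate["accounts_targeted"] > best["accounts_targeted"]:
                best = candidate
        if best:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, finding in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

On the sample, 203.0.113.7 is flagged (seven accounts, one guess each, and a success against `testuser` inside the window), while 198.51.100.9 is not, because its eight failures all target one account: that is a brute force and deserves a different rule. The success-in-window check is the part that matters for response, since it names the account to disable and investigate first.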

Once Midnight Blizzard gained access via the compromised legacy test account, they identified and then compromised a legacy test OAuth application that had elevated access to Microsoft’s corporate environment. (NOTE: OAuth 2.0 is an open-standard authorization framework that lets one application act on data held by another service without being given the user’s password, for example a mail client being granted access to cloud-stored files, or a website like ESPN.com reading your Facebook profile through “Log in with Facebook.” An OAuth application registered in a tenant is therefore an identity in its own right, with its own credentials and permissions, and has to be inventoried and secured like an account.)

Then Midnight Blizzard created additional malicious OAuth applications of their own, and created a new user account in Microsoft’s corporate environment to grant consent to those malicious applications. Finally, Midnight Blizzard used the compromised legacy test OAuth application to grant their applications the Office 365 Exchange Online full_access_as_app role, which allows an application to read any mailbox in the tenant.

Midnight Blizzard took advantage of the existence of a legacy email test account and a legacy test OAuth application which were never updated to meet modern cybersecurity standards.

What is Microsoft Changing in its Security Posture?

In November 2023, Microsoft announced its Secure Future Initiative (SFI), which brings together every part of Microsoft to drive substantial improvements in cybersecurity protection. The initiative initially sought to balance security against business risk. From a business risk perspective, auditing and securing every legacy account or application created (and then forgotten) over Microsoft’s almost 50-year history, and changing the myriad business processes for establishing and securing new accounts and applications, is a task requiring considerable staff and time to complete.

Unfortunately, Midnight Blizzard is very good at exploiting legacy accounts and OAuth applications to penetrate corporate systems and gain access to corporate and customer information. Acknowledging this expertise, Microsoft has recognized the necessity of securing its legacy accounts and applications sooner rather than later, as outlined in the January 19th Microsoft Security Response Center post:

“…We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes. This will likely cause some level of disruption while we adapt to this new reality, but this is a necessary step, and only the first of several we will be taking to embrace this philosophy.” 

What Can You do to Protect Your Customers and Applications?

Like Microsoft, organizations should start by auditing their legacy accounts and OAuth applications, eliminating those no longer in use, and bringing those still in use up to modern cybersecurity standards (MFA, least-privilege permissions, a named owner, and credentials that expire). Microsoft has shared further recommendations in its January 25th post mentioned above.
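The audit recommended here, and the attack chain described earlier (a forgotten test application holding elevated access, then newly created applications granted the Exchange Online full_access_as_app role), come down to a handful of checks over an application inventory. The script below is an added example written for this post, not Microsoft’s code or a GO-Global feature. It runs over a constructed inventory whose field names are assumed; in practice you would populate it from your identity provider’s service-principal and sign-in data. full_access_as_app is the Exchange Online role named in Microsoft’s January 25th post; the other role names in the high-privilege set are well-known Microsoft Graph application permissions added here as further examples.

```python
"""Audit an OAuth application inventory for the conditions the Midnight
Blizzard chain relied on (added example, constructed data).

Flags raised per application:
  high_privilege_role:<role>            app-only role that reaches every mailbox/object
  no_owner                              nobody is accountable for the app
  stale                                 no sign-in within stale_days (or ever)
  recently_created_with_high_privilege  new app + broad role: consent abuse pattern
  legacy_or_test_name                   name suggests it was never meant for production
"""
import json
import re
from datetime import datetime, timedelta, timezone

# App-only permissions that warrant review. full_access_as_app is the
# Exchange Online role cited by Microsoft; the rest are Microsoft Graph
# application permissions chosen as illustrative high-impact examples.
HIGH_PRIV_ROLES = {
    "full_access_as_app",
    "Mail.ReadWrite",
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

# Constructed inventory, not a real export. Field names are assumptions
# for this example, loosely modelled on service-principal metadata.
SAMPLE_INVENTORY = json.loads("""
[
  {"display_name": "legacy-test-mailer", "created": "2018-06-01",
   "owners": [], "app_roles": ["full_access_as_app"], "last_sign_in": "2019-02-10"},
  {"display_name": "Payroll Connector", "created": "2021-03-01",
   "owners": ["it-admin@example.com"], "app_roles": ["Mail.Read"], "last_sign_in": "2024-01-10"},
  {"display_name": "Sync Helper", "created": "2024-01-08",
   "owners": ["svc-new@example.com"], "app_roles": ["full_access_as_app"], "last_sign_in": "2024-01-11"},
  {"display_name": "Ticketing Bot", "created": "2022-05-05",
   "owners": ["dev@example.com"], "app_roles": ["User.Read.All"], "last_sign_in": null}
]
""")

AUDIT_TIME = datetime(2024, 1, 12, tzinfo=timezone.utc)  # constructed "now"
NAME_PATTERN = re.compile(r"\b(test|legacy|poc|demo|temp)\b", re.IGNORECASE)


def _as_utc(date_str):
    """Parse an ISO date (YYYY-MM-DD) as midnight UTC."""
    return datetime.fromisoformat(date_str).replace(tzinfo=timezone.utc)


def audit_apps(inventory, now=AUDIT_TIME, stale_days=180, recent_days=30):
    """Return {display_name: sorted list of reasons} for apps needing action."""
    report = {}
    for app in inventory:
        reasons = set()
        privileged = [r for r in app["app_roles"] if r in HIGH_PRIV_ROLES]
        for role in privileged:
            reasons.add(f"high_privilege_role:{role}")
        if not app["owners"]:
            reasons.add("no_owner")
        last = app["last_sign_in"]
        if last is None or now - _as_utc(last) > timedelta(days=stale_days):
            reasons.add("stale")
        # A brand-new app holding a broad role is the shape of the
        # actor-created applications in the Microsoft incident.
        if privileged and now - _as_utc(app["created"]) <= timedelta(days=recent_days):
            reasons.add("recently_created_with_high_privilege")
        if NAME_PATTERN.search(app["display_name"]):
            reasons.add("legacy_or_test_name")
        if reasons:
            report[app["display_name"]] = sorted(reasons)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_apps(SAMPLE_INVENTORY), indent=2))
```

Two of the findings map directly onto the incident: `legacy-test-mailer` (ownerless, idle for years, still holding full_access_as_app) is the forgotten test application, and `Sync Helper` (created days ago and immediately granted the same role) is the newly registered malicious application. The first should be deleted or stripped of its role; the second should be investigated, and the consent that granted it checked for who approved it and from which account.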

ISVs, MSPs, and resellers that need to provide customers with secure web-based access to Windows applications can evaluate the technology used to make those applications accessible to users, including:

  • Network communication protocol used—is it secure? (NOTE: if you’re using Microsoft Remote Desktop Protocol (RDP),  according to Sophos, a global IT security company, RDP remains “one of the most widely abused tools” used to leverage compromised credentials for internal access; see our blog post for more detail.)
  • Default settings—can an admin or bad actor enable sharing of server or client resources? 
  • Multi-Factor Authentication—does your remote access solution enable multi-factor authentication? The Microsoft hack described above was enabled in part by the lack of MFA on a legacy test tenant account.
  • Single Sign-On—does your remote access solution support single sign-on? The Microsoft hack described above was enabled in part by a weak password; with SSO, the identity provider’s password, lockout and MFA policies apply to the remote access solution as well, instead of a separate, possibly weaker, set of credentials.

If your web-based access solution makes your application and customer data vulnerable to bad actors, consider GO-Global.

  • RapidX Protocol (RXP)—RXP is a proprietary, low-bandwidth protocol originally designed for connectivity over serial lines. It is adaptive, uses multiple layers of compression, and is optimized to ensure the lowest possible bandwidth utilization. Because RXP is closed source and not publicly documented, attackers have less to study than with a publicly specified protocol such as Microsoft RDP, where security weaknesses have been found and exploited; that obscurity complements, rather than replaces, the authentication and encryption controls below.
  • Default settings—by design, all configuration options that enable sharing of server or client resources are disabled. Additionally, GO-Global publishes no default applications.
  • Two-Factor Authentication (2FA)—GO-Global provides 2FA, an advanced authentication feature that provides an extra layer of security by optionally requiring users to enter a 6-digit code from an authenticator app on a smart phone, in addition to their username and password.
  • Single Sign-On Support for OpenID® Connect (OIDC)—enables organizations to use OIDC identity providers like Okta® and Microsoft® Active Directory Federation Services (AD FS) for single sign-on into GO-Global Windows hosts.

GO-Global’s multi-layer approach to securing Windows applications and customer data reduces risk from bad actors.
