After the Midnight Blizzard attack, Microsoft urges administrators to follow new security guidelines
Microsoft was hacked recently, and hackers gained access to corporate emails
3 min. read
Published on
Share this article
Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more
Recently, Microsoft was under attack by a hacker group called Midnight Blizzard, and the company disclosed the attack in a recent blog post.
What exactly happened, and how serious this attack was? Keep on reading to find out!
The aftermath of the Midnight Blizzard on Microsoft
How did the attack occur?
On January 12, 2024, the Microsoft team detected a system-wide attack on its system performed by the Midnight Blizzard group. So how was this attack carried out?
The attackers used password spraying to guess a password on a legacy test tenant account. That account didn’t have multifactor authentication, therefore the hackers were able to guess the password and obtain access eventually.
After that, the attackers managed to compromise a legacy OAuth application that had elevated access to the corporate environment.
Hackers created a new user account to gain access to the corporate environment and Office 365 Exchange Online. They gained access to the mailboxes and targeted Microsoft corporate email accounts by doing so.
How can administrators protect themselves?
- Check the privilege level of all users and service principals using the Microsoft Graph Data Connect authorization portal. Make sure that unknown, legacy, or unused entities don’t have more privileges than needed.
- Next, check identities that have ApplicationImpersonation privileges in Exchange Online. This is crucial since with access to ApplicationImpersonation hackers can impersonate users.
- Check for OAuth apps that are using anomaly detection policies using App governance. Remove any suspicious OAuth apps.
- Implement conditional access app control. It should be used for users who are connecting from unmanaged devices.
- Review applications that are using EWS.AccessAsUser.All and EWS.full_access_as_app permissions. If these applications aren’t required, remove them.
- For applications that require access to mailboxes, implement granular and scalable access.
Since this attack initially started with a password spray attack, Microsoft shared a few guidelines on how to protect against it:
- Eliminate insecure passwords and encourage users to review sign-in activity and mark suspicious sign-in attempts.
- Reset account passwords for all accounts targeted during the attack.
- Use Microsoft Entra ID Protection and Microsoft Purview Audit (Premium) to investigate compromised accounts.
- Enforce Microsoft Entra Password Protection for Active Directory Domain.
- Utilize risk detections to trigger multifactor authentication or password changes.
In another blog on the Midnight Blizzard attack, Microsoft stated that it would act immediately on improving its security standards on legacy systems and internal processes, and that might lead to some level of disruption.
It seems that Microsoft can’t catch a break, since recently there was a zero-day exploit in Windows Event Log reported.
The good news is that Microsoft is already on this issue, and if you’re a system administrator, be sure to check Microsoft’s blog post for detailed security guidelines.
