No organization is immune to cyber threats, and the recent Midnight Blizzard attacks on Microsoft prove just that. Phishing attacks against major organizations will continue to prevail, and we can only expect threat actors to get more sophisticated and inconspicuous in the artificial intelligence (AI) era.
The attack on Microsoft was coordinated by Midnight Blizzard, a threat group affiliated with Russia's Foreign Intelligence Service—formerly known as Nobelium. According to Microsoft’s statement, the attacks were accomplished using a password-spraying method to gain access to a test account; once proven successful, this led to the compromise of corporate email accounts, including those that belonged to senior leadership. From there, the hackers were able to exfiltrate account identities to access emails and attached documents. The breach is said to have occurred in November 2023; however, Microsoft did not detect it until months later.
Identity continues to be the most used attack method and weakest link in everyday security postures. Every organization needs to reevaluate and evolve its cybersecurity strategies to keep pace with the sophisticated tactics employed by nation-state actors and keep a hyper-focus on identity. In fact, 83% of organizations have experienced data breaches involving compromised credentials, and 65% haven’t implemented multi-factor authentication (MFA) where it matters.
The tactics of Midnight Blizzard initiated through a password spray attack on a legacy, non-production test tenant, underscores several critical areas for immediate action and reflection within organizations' everyday cybersecurity practices.
Improving Cybersecurity in the Enterprise
Gaps in an organization's identity security posture continue to expose its IT infrastructure and make it easy for bad actors to gain access—essentially walking through an unlocked back door. Threat actors will continue to capitalize on this cybersecurity gap as it’s relatively easy to escalate privilege and move laterally throughout an organization without triggering alerts—just like we saw with Midnight Blizzard.
Security teams must evaluate and enhance current security measures to best protect their data, employees, and attack surfaces. Three ways to do this include:
- Pay attention to MFA: While Microsoft now enforces MFA by default to bolster security, the Midnight Blizzard attack accentuates the need for organizations to meticulously review all existing tenants, including older ones, to ensure MFA protection is everywhere. It’s a stark reminder that legacy systems and configurations can provide inadvertent entry points for attackers, making it imperative that we extend modern security measures retrospectively across all digital assets.
- Test tenant over privileges: Recent Silverfort data found that 7% of user accounts inadvertently hold admin-level access privileges. A critical lapse identified in the attack was the excessive permissions granted to a test tenant, which allowed access to Microsoft’s corporate environment. Stringent monitoring and restriction of permissions for OAuth apps and other integrations within both production and non-production environments is vital for all organizations. Ensuring that test tenants adhere to the principle of least privilege and are segregated from production systems can also be a make or break when minimizing the risk of such vulnerabilities.
- Continue phishing education: Every organization, regardless of size or industry, can be subject to a breach. Seeing that business emails of such “security-aware” companies can be compromised, in the case of Microsoft, is a reminder that email addresses cannot be the sole proof of authenticity—even if it is a legitimate-looking email or sent from a trusted company. Regardless of level or time in the role, organizations need to conduct regular security training to ensure all employees are up to date on the proper procedures. These training sessions should include details on avoiding entering personal credentials when clicking on email links or opening files without verifying the sender. Alternatively, you can open the files in a sandbox.
The Future of the Identity Attack Surface
It is impossible to say that an organization can 100% stop cyber attackers, but there are things teams can do now to reduce their attack surface and, more specifically, their identity attack surface. Recent breaches, beyond just the Midnight Blizzard attacks, show the detrimental impact of the identity attack surface—look back at SolarWinds, U.S. OPM, and Marriott, for example. We’ve seen repeatedly where traditional MFA fails. With so many options for gaining initial network access, organizations must go beyond traditional MFA and endpoint security and use identity protection methods that focus on stopping lateral movement and closing the backdoor for attackers.
The security industry puts plenty of time, resources, and money into detecting malware and removing malicious software; it's time to put that same investment and dedicated resources to spot and stop lateral movement and better secure identities.
