Back in mid-December, Microsoft Threat Intelligence reported multiple attacks involving the malicious use of Microsoft OAuth applications. They warned that threat actors such as Storm-1283 were targeting accounts with permissions to create or modify OAuth apps through phishing or password spraying. The threat actors would then use the compromised accounts to create OAuth grants with permissive scopes and use them to establish persistence in the target organization, access sensitive information, deploy virtual machines, or run spam campaigns.
Now, Microsoft has published a breakdown of a recent nation-state attack against its own corporate systems, carried out by the Russian state-sponsored threat actor Midnight Blizzard (also known as NOBELIUM), that leveraged some of those same OAuth techniques.
The methods Midnight Blizzard used to compromise Microsoft provide important lessons for security teams that want to shore up their own defenses.
Initial access: password spraying with obfuscation measures
According to Microsoft, Midnight Blizzard gained initial access in late November 2023 using password spraying attacks to compromise a legacy, non-production test tenant account that was not protected by multi-factor authentication. Password spraying tries a small number of common passwords against many accounts, staying under each account's lockout threshold, usually with the assistance of an automated account checker tool.
Although password spraying attacks usually test a high volume of accounts at once, Midnight Blizzard used a low-and-slow approach to evade Microsoft's detection: they targeted a small number of accounts and spread their login attempts out over time, so that the spraying activity was harder to detect and block automatically. The group also routed the attempts through a residential proxy network, which defeats detections that key on the source IP address as an indicator of compromise (IOC), since each attempt appears to come from a different consumer connection.
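The two detection properties described above, a low number of attempts per account and a constantly changing source IP, are exactly what a per-IP brute-force rule cannot see. The following is an added example, not code from the original post or from Nudge Security: it runs a classic per-IP threshold and a spray rule that groups failures by target account instead of by source over a constructed set of failed sign-in events (the event tuples, account names and IP addresses are made up for the demonstration).

```python
"""Low-and-slow password spray detection over constructed sign-in failures.

Added example; the events below are constructed, not real telemetry.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, target account, source IP, result).
# The spray hits eight accounts once each, from eight different residential
# IPs, roughly 40 minutes apart. The last three lines are one legitimate user
# mistyping her password from a single IP.
SAMPLE_EVENTS = [
    ("2023-11-27T01:02:00", "alice@corp.example", "203.0.113.10", "InvalidPassword"),
    ("2023-11-27T01:41:00", "bob@corp.example",   "198.51.100.22", "InvalidPassword"),
    ("2023-11-27T02:20:00", "dave@corp.example",  "203.0.113.77", "InvalidPassword"),
    ("2023-11-27T03:05:00", "erin@corp.example",  "198.51.100.9", "InvalidPassword"),
    ("2023-11-27T03:44:00", "frank@corp.example", "203.0.113.131", "InvalidPassword"),
    ("2023-11-27T04:23:00", "grace@corp.example", "198.51.100.200", "InvalidPassword"),
    ("2023-11-27T05:01:00", "heidi@corp.example", "203.0.113.58", "InvalidPassword"),
    ("2023-11-27T05:40:00", "ivan@corp.example",  "198.51.100.140", "InvalidPassword"),
    ("2023-11-27T09:00:00", "carol@corp.example", "192.0.2.5", "InvalidPassword"),
    ("2023-11-27T09:00:30", "carol@corp.example", "192.0.2.5", "InvalidPassword"),
    ("2023-11-27T09:01:00", "carol@corp.example", "192.0.2.5", "InvalidPassword"),
]

EPOCH = datetime(1970, 1, 1)


def parse_events(raw):
    """Turn the ISO timestamp strings into datetimes."""
    return [(datetime.fromisoformat(ts), acct, ip, result) for ts, acct, ip, result in raw]


def _bucket(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    elapsed = int((ts - EPOCH).total_seconds())
    step = int(window.total_seconds())
    return EPOCH + timedelta(seconds=elapsed - elapsed % step)


def per_ip_threshold(events, window=timedelta(hours=1), min_failures=5):
    """Classic brute-force rule: many failures from one IP in a short window.

    A spray rotating through a residential proxy pool never trips it, because
    each source IP is used for only one or two attempts.
    """
    counts = Counter(
        (ip, _bucket(ts, window))
        for ts, _, ip, result in events
        if result == "InvalidPassword"
    )
    return [
        {"ip": ip, "window_start": start.isoformat(), "failures": n}
        for (ip, start), n in counts.items()
        if n >= min_failures
    ]


def low_and_slow_spray(events, window=timedelta(hours=6), min_accounts=5, max_per_account=2):
    """Spray rule: many distinct accounts, each with only a few failures, in one window.

    Source IP is deliberately ignored when deciding; it is only reported so an
    analyst can see how many proxies were involved. A legitimate user's typos
    cluster on one account and do not meet the distinct-account threshold.
    """
    by_window = defaultdict(list)
    for ts, acct, ip, result in events:
        if result == "InvalidPassword":
            by_window[_bucket(ts, window)].append((acct, ip))

    alerts = []
    for start, hits in sorted(by_window.items()):
        per_account = Counter(acct for acct, _ in hits)
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            alerts.append({
                "window_start": start.isoformat(),
                "accounts": len(per_account),
                "distinct_ips": len({ip for _, ip in hits}),
            })
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("per-IP rule:", per_ip_threshold(events))
    print("spray rule: ", low_and_slow_spray(events))
```

The per-IP rule returns nothing for this data, while the spray rule flags the first six-hour window with eight accounts hit from eight different IPs. Tune `min_accounts` and `max_per_account` to your tenant's size; the point is that the grouping key has to be the set of targeted accounts, not the source address.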
Access escalation and establishing persistence: OAuth abuse
After gaining access through the compromised account, Midnight Blizzard identified and compromised a legacy test OAuth application that already had elevated access to Microsoft's corporate environment, and created additional malicious OAuth applications of their own. They used a newly created user account to grant consent to the malicious applications, and used the legacy application to grant themselves the Office 365 Exchange Online full_access_as_app role, which provides full access to mailboxes.
Using this access, the threat actor was able to view Microsoft email accounts belonging to senior staff members and exfiltrate some corporate emails and attachments.
Nudge Security can help you protect your organization against several of the techniques Midnight Blizzard used against Microsoft.
Using Nudge Security, you can:
Let’s take a look at how Nudge Security can help you prevent, detect, and respond to this type of attack.
Enforcing MFA can help you protect employee accounts from password spraying and credential stuffing attacks, reducing your risk of account takeover and business email compromise. Even if an employee uses a weak or previously compromised password, MFA provides an extra layer of protection against unauthorized access.
Nudge Security helps you protect your own employees’ Microsoft accounts against password spraying attacks by checking whether users have MFA enabled, particularly employees with permissions to create or modify OAuth applications. If users don’t have MFA enabled, you can prompt them to enable it by sending them a nudge through email or Slack. Directly from the nudge, employees can confirm that they have taken action or respond asking for help. To make sure accounts are protected from the outset, you can create a notification rule to nudge users to set up MFA automatically as soon as new Microsoft accounts are created.
Even for organizations with clearly-defined MFA policies, Microsoft’s situation highlights how easy it is for old and forgotten accounts to slip through the cracks and wind up unprotected. (Microsoft notes that if their compromised accounts had been created today, MFA would have been enabled by default in compliance with current mandatory policies.) Nudge Security’s patented discovery method provides visibility of all the SaaS accounts your employees have created, including legacy test accounts like the one compromised at Microsoft, giving you complete visibility of the accounts that require protection.
Nudge Security also helps you catch a hard-to-detect MFA gap that arises when users have more than one way to authenticate to a particular application. Users sometimes authenticate both through an SSO provider and with a local username and password. If any one of those methods is unprotected by MFA, the account has only partial protection: an attacker simply uses the weaker path. With Nudge Security, you can identify critical accounts with mixed authentication and make sure that MFA is enforced for every method your employees can use to log in.
Whether an employee inadvertently grants access to a malicious application or a bad actor escalates permissions for an existing integration, any OAuth application with excessive or risky scopes should be on your security team’s radar immediately. Unfortunately, one of the major challenges of managing OAuth risks at scale is wading through the many permissions employees have granted in order to surface the types of access that bad actors have exploited in recent attacks, such as the ability to modify email or file systems.
Nudge Security helps your organization detect and respond to OAuth abuse techniques used by Midnight Blizzard and other threat actors in recent attacks by alerting you to high-risk OAuth grants and enabling you to revoke risky grants automatically.
Nudge Security assigns a risk score to each OAuth grant and enumerates the permissions it provides, flagging OAuth grants with excessive scopes as high risk. You can tailor notification rules to alert you to grants with specific risk scores or scopes, giving you immediate awareness of grants that can expose your organization to OAuth abuse. When you discover risky or suspicious Microsoft OAuth grants, you can revoke them automatically within Nudge Security—individually or in bulk.
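To make the idea of scoring a grant concrete, here is an added example that is not Nudge Security's code or scoring model: a small triage routine over three constructed grant records. The permission names (`full_access_as_app`, `Mail.Read`, `User.Read`, and so on) are real Microsoft Graph and Exchange Online permission names, but the weights, the thresholds and the simplified grant record shape (one structure covering both delegated and application permissions) are assumptions made for this example. Besides scope weights it adds two signals taken from the attack described above: tenant-wide or application-level access, and consent granted by an account that was created only days earlier.

```python
"""Risk triage for OAuth grants. Added example with assumed weights; grants are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed weights. Names are genuine Microsoft permission names; the numbers are
# illustrative, not any vendor's scoring.
PERMISSION_WEIGHTS = {
    "full_access_as_app": 10,       # Exchange Online: read/write every mailbox in the tenant
    "Directory.ReadWrite.All": 10,
    "Application.ReadWrite.All": 10,
    "Mail.ReadWrite": 8,
    "Files.ReadWrite.All": 8,
    "Mail.Send": 7,
    "Mail.Read": 5,
    "Files.Read.All": 5,
    "User.Read": 1,
    "offline_access": 1,            # long-lived refresh token
    "openid": 0, "profile": 0, "email": 0,
}


def permission_weight(name):
    """Weight a permission, falling back to Graph's naming convention for unknown ones."""
    if name in PERMISSION_WEIGHTS:
        return PERMISSION_WEIGHTS[name]
    if name.endswith(".All") and "ReadWrite" in name:
        return 8   # write access across the whole tenant
    if "ReadWrite" in name:
        return 5
    if name.endswith(".All"):
        return 4
    return 2


@dataclass
class OAuthGrant:
    app_name: str
    grant_type: str            # "delegated" (acts as the signed-in user) or "application" (acts as itself)
    permissions: list
    consent_type: str          # "Principal" (one user consented) or "AllPrincipals" (tenant-wide)
    granted_at: datetime
    consented_by: str
    consenter_created_at: datetime


def score_grant(grant, fresh_account=timedelta(days=7)):
    """Return a score, a level and the human-readable reasons behind it."""
    score = 0
    reasons = []
    for perm in grant.permissions:
        weight = permission_weight(perm)
        score += weight
        if weight >= 7:
            reasons.append(f"high-impact permission {perm}")
    if grant.grant_type == "application":
        score += 3
        reasons.append("application permission: runs without a signed-in user")
    if grant.consent_type == "AllPrincipals":
        score += 3
        reasons.append("tenant-wide consent")
    consenter_age = grant.granted_at - grant.consenter_created_at
    if consenter_age < fresh_account:
        score += 5
        reasons.append(f"consent granted by an account created {consenter_age.days} day(s) earlier")
    level = "high" if score >= 12 else "medium" if score >= 6 else "low"
    return {"app": grant.app_name, "score": score, "level": level, "reasons": reasons}


def triage(grants):
    """Score every grant, riskiest first."""
    return sorted((score_grant(g) for g in grants), key=lambda r: r["score"], reverse=True)


def revocation_candidates(grants, level="high"):
    """App names whose grants reach the given level; feed these to your revocation workflow."""
    return [r["app"] for r in triage(grants) if r["level"] == level]


# Constructed sample grants (not real tenants or applications).
T0 = datetime(2023, 11, 28)
SAMPLE_GRANTS = [
    OAuthGrant("Calendar sync", "delegated", ["User.Read", "Calendars.Read"],
               "Principal", T0, "alice@corp.example", T0 - timedelta(days=730)),
    OAuthGrant("Legacy test app", "application", ["full_access_as_app"],
               "AllPrincipals", T0, "svc-new@corp.example", T0 - timedelta(days=1)),
    OAuthGrant("Mail reader", "delegated", ["Mail.Read", "offline_access"],
               "Principal", T0, "bob@corp.example", T0 - timedelta(days=400)),
]

if __name__ == "__main__":
    for result in triage(SAMPLE_GRANTS):
        print(result)
    print("revoke:", revocation_candidates(SAMPLE_GRANTS))
```

The tenant-wide mailbox grant consented to by a day-old account lands well above the high-risk line, the calendar integration stays low, and read-only mail access with a refresh token sits in between as something to review rather than revoke outright. Whatever weights you choose, the consenter's account age and the AllPrincipals flag are cheap to compute from your identity provider's data and would have surfaced the pattern described above.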
Investigating new OAuth grants and periodically reviewing existing grants can help you catch potential security concerns early, enabling you to revoke access swiftly and reduce the chances for misuse. If an incident involving OAuth misuse does occur, thorough investigations can help you understand the scope of the issue in order to contain the impact and remediate fully.
Nudge Security streamlines OAuth investigations by providing a detailed overview of each OAuth grant and its scopes, enabling you to reduce the legwork involved in finding grant details and evaluating the security implications for your organization.
For more information on how and when to investigate an OAuth grant, check out our in-depth tutorial on how to investigate an OAuth grant using Nudge Security, including indicators that an app provider may be untrustworthy or susceptible to account takeover.
Midnight Blizzard’s attack against Microsoft highlights the importance of cleaning up legacy access, including unnecessary accounts, applications, and OAuth grants. Lingering OAuth grants can provide an invisible foothold, which is one reason threat actors often use OAuth grants to maintain persistence in case they lose access to a compromised account.
Nudge Security helps you clean up OAuth access that users no longer need without interrupting the flow of business.
You can audit your organization's OAuth grants and identify unused applications proactively by sending out bulk nudges asking employees whether they still need access to them. If users say no, Nudge Security revokes the grants automatically.
When employees leave your organization, their lingering SaaS accounts and OAuth grants can provide bad actors with an entry point to your environment and assist with their reconnaissance efforts.
Nudge Security helps you clean up legacy access proactively by enabling complete SaaS offboarding when employees depart, reducing opportunities for account takeover and BEC that can provide initial access to bad actors like Midnight Blizzard. Nudge Security’s employee offboarding playbook walks through Microsoft and Google best practices for SaaS offboarding and provides automated functionality to quickly revoke OAuth grants, revoke SSO access, and reset passwords for unmanaged SaaS accounts that are frequently skipped during the offboarding process.