Start with Identity
Breach teardown · Microsoft

Midnight Blizzard vs Microsoft: a legacy test account and an over-permissioned OAuth app

Affected: Microsoft
Disclosed: 2024-01
Root cause: Password spray on a legacy account without MFA, abused OAuth app permissions

What happened

In January 2024 Microsoft disclosed that the Russia-linked group Midnight Blizzard (APT29) accessed a small percentage of corporate email accounts, including senior leadership. The entry point was a legacy, non-production test tenant account that lacked multi-factor authentication. From there the attacker abused a legacy OAuth application with elevated access to Microsoft's corporate environment to grant itself mailbox permissions.

Root cause

A password spray succeeded against an old test account that had been forgotten and was not protected by MFA. The escalation then exploited OAuth application consent: an app held broad permissions that, once controlled, opened the door to mailboxes.

The identity lesson

Two classic gaps. Forgotten non-production and legacy accounts are real attack surface, not background noise, and they are exactly where MFA exceptions tend to hide. And OAuth application permissions are standing privilege: an app with broad scopes is a powerful non-human identity that attackers prize.

How to defend

  • Enforce MFA with no exceptions, and actively hunt for accounts excluded from policy, especially legacy and test tenants.
  • Inventory and review OAuth app consents and permissions; remove unused apps and over-broad scopes.
  • Apply least privilege to applications, not just people, and alert on new high-privilege grants.
  • Decommission unused tenants and accounts. An orphaned account is a liability.
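As an added example (not code from the page or from Microsoft), the audit below applies the second and third bullets to a constructed service-principal inventory: it flags apps holding mailbox-level application permissions, apps with no recent sign-in, and high-privilege grants made within the last few days. The inventory shape and its field names are assumptions; the permission names are the real ones on the Exchange Online and Microsoft Graph resources.

```python
from datetime import datetime, timedelta, timezone

# Application permissions (standing privilege, no signed-in user required) that reach
# mailbox content. These names are real; the inventory below is constructed.
MAILBOX_APP_SCOPES = {
    "full_access_as_app",                         # Office 365 Exchange Online: all mailboxes
    "Mail.ReadWrite", "Mail.Read", "Mail.Send",   # Microsoft Graph application permissions
}

# Constructed inventory, shaped like an export where each app role grant has already been
# resolved to its permission name. Field names are hypothetical.
SAMPLE_INVENTORY = [
    {"app": "Legacy Test App", "scopes": ["full_access_as_app"],
     "granted": "2024-01-05", "last_used": None},
    {"app": "HR Sync", "scopes": ["User.Read.All"],
     "granted": "2022-03-10", "last_used": "2024-01-10"},
    {"app": "Mail Archiver", "scopes": ["Mail.Read"],
     "granted": "2023-06-01", "last_used": "2023-08-01"},
]
NOW = datetime(2024, 1, 12, tzinfo=timezone.utc)  # constructed review date


def _parse(day):
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_app_permissions(inventory, now, unused_days=90, new_grant_days=7):
    """Return {app_name: [finding, ...]} for every app that needs review or an alert."""
    findings = {}
    for sp in inventory:
        notes = []
        mailbox_scopes = MAILBOX_APP_SCOPES.intersection(sp["scopes"])
        if mailbox_scopes:
            notes.append(f"REVIEW: mailbox access via {sorted(mailbox_scopes)}")
        # An app nobody has used in the review window is a candidate for removal.
        last_used = _parse(sp["last_used"]) if sp["last_used"] else None
        if last_used is None or now - last_used > timedelta(days=unused_days):
            notes.append(f"REVIEW: no sign-in in the last {unused_days} days")
        # A fresh grant of a mailbox-level scope is the event to alert on, not just list.
        if mailbox_scopes and now - _parse(sp["granted"]) <= timedelta(days=new_grant_days):
            notes.append(f"ALERT: high-privilege grant within the last {new_grant_days} days")
        if notes:
            findings[sp["app"]] = notes
    return findings


if __name__ == "__main__":
    for app, notes in audit_app_permissions(SAMPLE_INVENTORY, NOW).items():
        print(app, *notes, sep="\n  ")
```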


Compiled from public disclosures and incident reporting; see the linked sources. Independent, community-driven analysis, not a statement of fact about any party. See the disclaimer.