Midnight Blizzard at Microsoft: A Legacy Tenant Reads Your Mail
Threat Intelligence
APT29 read Microsoft's senior leadership email for weeks. The way in was a non-production tenant with no MFA and a permissive OAuth application.
By Arjun Raghavan, Security & Systems Lead, BIPI · May 12, 2024 · 9 min read
On January 12, 2024, Microsoft's security team detected an intrusion in its corporate environment by Midnight Blizzard, the Russian SVR cluster also tracked as APT29 or Cozy Bear. Microsoft disclosed on January 19 that the actor had read email from senior leadership accounts and members of its cybersecurity and legal teams. Later disclosures revealed the actor had also accessed source code repositories and was using exfiltrated secrets to attempt customer environment access. The way in was almost cinematic in its simplicity.
Timeline
Microsoft says initial access was in late November 2023 via password spray against a legacy non-production test tenant. The compromised account had no MFA. The account had access to a legacy OAuth application that held elevated permissions into Microsoft's corporate Exchange Online tenant, the kind of cross-tenant trust that was set up years earlier and never reviewed. From late November, Midnight Blizzard was using those OAuth permissions to read corporate mailboxes. They operated for roughly seven weeks before Microsoft caught them on January 12. Disclosure was eight days later. Follow-up disclosures in March and April confirmed continued access attempts using credentials and secrets harvested from the email corpus.
Root cause: forgotten OAuth trust
The single chain of events is worth restating because it is depressingly normal. A test tenant existed. A test account in that tenant did not have MFA. A legacy OAuth application in that tenant had been granted broad permissions into the corporate tenant for a long-forgotten integration. The actor sprayed the test account, took over the legacy OAuth app, and rode the app's permissions across the tenant boundary into the corporate mail store. Each step on its own looks survivable. The composition was fatal.
Attacker actions
Once inside, Midnight Blizzard did what APT29 always does: read mail, take notes, pivot. The targeting was specific. They read mailboxes of senior leadership and of the people leading the response to APT29 itself, which is a tradecraft signature for this group. They harvested credentials and tokens that appeared in email bodies and attachments. Those secrets included some Microsoft source code repository tokens, which they used in subsequent months to attempt access to internal source repos. In a smaller number of cases, secrets harvested from the mailboxes were used to attempt access to Microsoft customer environments.
Detection
Microsoft has not published a clean narrative of how the intrusion was first detected. What we can infer from the OAuth-abuse pattern is that the loud part was application identity activity outside its normal profile: an OAuth principal making Graph API calls at hours and volumes that did not match its registered purpose, and hitting mailboxes outside its declared scope. That class of signal is now baked into Microsoft Entra ID Protection and similar tools, but only if you are looking at it.
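The three signals described above (mailboxes outside the app's declared scope, activity outside its normal hours, call volume far above its baseline) can be checked with very little code once you have per-application profiles. The script below is an added illustration written for this article; it is not Microsoft's detection logic and not BIPI tooling. The log records, application names, mailbox addresses and the "registered purpose" profiles are all constructed, and the record shape is a simplified stand-in for whatever mailbox-access audit export your tenant produces, not a real log schema.

```python
"""Flag service-principal mail access that does not match the app's registered purpose.

Added example for the article; the log records, app profiles and names below
are constructed, and the record shape is a simplified stand-in, not a real
Microsoft log schema.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed "registered purpose" for each application identity: which
# mailboxes it is supposed to touch, when it normally runs (UTC hours), and a
# per-hour call baseline established from its own history.
APP_PROFILES = {
    "legacy-sync-app": {
        "declared_mailboxes": {"helpdesk@example.test"},
        "active_hours_utc": range(8, 18),
        "baseline_calls_per_hour": 20,
    },
}

# Constructed audit records: two normal reads of the declared mailbox, then a
# burst of 75 reads of leadership mailboxes inside one early-morning hour, then
# one read by an application identity nobody has a profile for.
SAMPLE_LOG = [
    {"ts": "2023-11-28T09:15:00Z", "app": "legacy-sync-app", "mailbox": "helpdesk@example.test"},
    {"ts": "2023-11-28T09:40:00Z", "app": "legacy-sync-app", "mailbox": "helpdesk@example.test"},
] + [
    {"ts": f"2023-11-29T02:{i % 60:02d}:00Z", "app": "legacy-sync-app",
     "mailbox": ["ceo@example.test", "ciso@example.test", "legal@example.test"][i % 3]}
    for i in range(75)
] + [
    {"ts": "2023-11-29T03:00:00Z", "app": "unknown-app", "mailbox": "ceo@example.test"},
]


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze(log, profiles, volume_multiplier=3):
    """Return a list of findings, each a dict with 'kind', 'app' and 'detail'.

    Out-of-scope mailboxes are reported once per (app, mailbox), off-hours
    activity once per (app, hour), and volume spikes once per (app, hour)
    when the hourly count exceeds baseline * volume_multiplier.
    """
    findings = []
    seen_scope, seen_hours, unprofiled = set(), set(), set()
    per_hour = Counter()

    for rec in log:
        app = rec["app"]
        profile = profiles.get(app)
        if profile is None:
            # An application identity with no registered purpose is itself a finding.
            if app not in unprofiled:
                unprofiled.add(app)
                findings.append({"kind": "no_profile", "app": app,
                                 "detail": "no registered purpose on file"})
            continue

        ts = _parse_ts(rec["ts"])
        hour_key = ts.strftime("%Y-%m-%dT%H")
        mailbox = rec["mailbox"]

        if mailbox not in profile["declared_mailboxes"] and (app, mailbox) not in seen_scope:
            seen_scope.add((app, mailbox))
            findings.append({"kind": "out_of_scope_mailbox", "app": app, "detail": mailbox})

        if ts.hour not in profile["active_hours_utc"] and (app, hour_key) not in seen_hours:
            seen_hours.add((app, hour_key))
            findings.append({"kind": "off_hours", "app": app, "detail": hour_key})

        per_hour[(app, hour_key)] += 1

    for (app, hour_key), count in per_hour.items():
        limit = profiles[app]["baseline_calls_per_hour"] * volume_multiplier
        if count > limit:
            findings.append({"kind": "volume_spike", "app": app,
                             "detail": f"{hour_key}: {count} calls (limit {limit})"})
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'out_of_scope_mailbox': 3, ...}."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, APP_PROFILES):
        print(f"{f['kind']:22} {f['app']:16} {f['detail']}")
    print(summarize(analyze(SAMPLE_LOG, APP_PROFILES)))
```

Each rule on its own produces noise; the combination (an off-hours hour that is also a volume spike and touches undeclared mailboxes) is what should page someone. The profile is the hard part in practice: the declared mailbox set and baseline have to come from the application's owner, which is exactly the record a forgotten legacy app does not have.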
Lessons
Non-production is production for the attacker. Every test tenant, dev environment, and acquired company tenant is a path with the same destination as your hardened corporate environment, as long as a single OAuth grant or trust relationship bridges them. The hygiene work is unglamorous: enumerate every tenant under organizational control, enforce MFA on all of them, periodically review and prune OAuth consent grants, and assume cross-tenant trust will eventually be abused.
The second lesson is about disclosure. Microsoft updated its public statements at least three times as the scope expanded. That cadence is the right model. Initial disclosures will always understate scope. Building a public communications loop that supports continuous correction is more useful than waiting for certainty that never arrives.
The BIPI take
The Microsoft Midnight Blizzard incident is the most accessible case study available for OAuth abuse at scale. The mitigations are not exotic. They are: MFA everywhere with no exceptions, periodic review of every OAuth consent in every tenant, and conditional access policies that constrain service principals to expected IPs and behaviors. If a vendor with Microsoft's resources and signal can be compromised through a forgotten test tenant, the rest of us should be auditing ours this week.
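The consent-review step called for in the Lessons section and again in the take above is mostly a ranking problem: which of the hundreds of grants across all tenants deserve a human look first. The script below is an added illustration written for this article, not BIPI tooling and not a Microsoft-provided review. The grant records, tenant ids, application names, owners and the review date are constructed; the record shape is a simplified stand-in for whatever export you pull from your directory, not a Microsoft schema. The permission names listed as high-privilege are real Microsoft Graph and Exchange Web Services application permissions, chosen because each lets an app read mail or change the directory without a signed-in user.

```python
"""Rank exported OAuth consent grants so the riskiest ones get reviewed first.

Added example for the article; grants, tenant ids, owners and the review date
are constructed, and the record shape is a simplified stand-in for a real
directory export.
"""
from datetime import date

CORP_TENANT = "corp-tenant-0001"   # constructed id standing in for the corporate tenant
REVIEW_DATE = date(2024, 5, 1)     # fixed so the ranking is reproducible
STALE_AFTER_DAYS = 90

# Application permissions that let an app read mail or change the directory
# without a user present (real permission names, deliberately short list).
HIGH_PRIVILEGE = {
    "Mail.Read", "Mail.ReadWrite", "full_access_as_app",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}

# Constructed export: one forgotten test-tenant app with mailbox-wide access,
# two ordinary corporate apps, and a vendor app that has never signed in.
SAMPLE_GRANTS = [
    {"app": "legacy-test-integration", "home_tenant": "test-tenant-0042",
     "permissions": ["full_access_as_app"], "consent": "admin",
     "last_used": date(2021, 3, 9), "owner": None},
    {"app": "hr-portal", "home_tenant": CORP_TENANT,
     "permissions": ["User.Read", "Calendars.Read"], "consent": "admin",
     "last_used": date(2024, 4, 28), "owner": "hr-platform@example.test"},
    {"app": "mail-archiver", "home_tenant": CORP_TENANT,
     "permissions": ["Mail.Read"], "consent": "admin",
     "last_used": date(2024, 4, 30), "owner": "it-ops@example.test"},
    {"app": "vendor-dashboard", "home_tenant": "vendor-tenant-7777",
     "permissions": ["User.Read"], "consent": "user",
     "last_used": None, "owner": "marketing@example.test"},
]


def assess(grant, corp_tenant=CORP_TENANT, today=REVIEW_DATE):
    """Return the list of review reasons for one grant (empty means nothing to flag)."""
    reasons = []
    privileged = HIGH_PRIVILEGE.intersection(grant["permissions"])
    if privileged:
        reasons.append("high-privilege: " + ", ".join(sorted(privileged)))
    if grant["home_tenant"] != corp_tenant:
        # The app lives in another tenant but holds a grant into this one.
        reasons.append(f"cross-tenant: app lives in {grant['home_tenant']}")
    last = grant["last_used"]
    if last is None or (today - last).days > STALE_AFTER_DAYS:
        reasons.append(f"stale: no sign-in within {STALE_AFTER_DAYS} days")
    if grant["owner"] is None:
        reasons.append("no owner on record")
    return reasons


def score(reasons):
    """Weights are arbitrary; the point is that combinations of reasons rank highest."""
    weights = {"high-privilege": 4, "cross-tenant": 3, "stale": 2, "no owner": 1}
    return sum(w for key, w in weights.items() if any(r.startswith(key) for r in reasons))


def review(grants, corp_tenant=CORP_TENANT, today=REVIEW_DATE):
    """Return (app, score, reasons) for every grant with a reason, highest score first."""
    rows = []
    for g in grants:
        reasons = assess(g, corp_tenant, today)
        if reasons:
            rows.append((g["app"], score(reasons), reasons))
    rows.sort(key=lambda r: -r[1])
    return rows


if __name__ == "__main__":
    for app, s, reasons in review(SAMPLE_GRANTS):
        print(f"{s:2}  {app:24} {'; '.join(reasons)}")
```

On the constructed data the forgotten test-tenant app scores highest because it hits all four rules at once, which is the Midnight Blizzard shape exactly: privileged, cross-tenant, unused for years and unowned. A grant that is stale and privileged is a candidate for revocation rather than review; the rest go to the named owner to confirm scope.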