Written by Adam Koblentz
In a January 19 blog post, Microsoft revealed that Midnight Blizzard, a well-known Russian state-sponsored threat actor, successfully compromised the corporate email accounts of some of its most sensitive trusted identities, including senior executives and key cybersecurity and legal personnel.
While Microsoft responded to and disclosed the incident effectively and responsibly once it was discovered, it’s the latest example of how most organizations – including major identity and access management (IAM) providers like Microsoft and Okta – have a critical gap in their approach to identity security.
Let’s take a closer look at what happened, why it matters, and what lessons the industry can apply in an effort to defend against identity-based threats more effectively.
What happened?
According to Microsoft, Midnight Blizzard, the Russian threat actor group best known for executing the infamous SolarWinds attack in 2020, used a password spraying attack to compromise an account on its non-production tenants. The group then used that account’s privileges to gain access to the production email accounts of numerous Microsoft trusted identities.
Password spraying is a brute-force account-compromise technique in which the threat actor tries the same small set of common passwords against many accounts, keeping the number of failed attempts per account low enough to avoid triggering threat detection rules or failed-password lockout policies.
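The detection signature of a spray is the inverse of a classic brute-force attempt: many distinct accounts, only one or two failures each, from the same source. As an added example that is not from the original post, this small Python detector groups constructed sign-in events by source, flags sources whose failures spread across many accounts with few attempts each, and calls out any account where the spray ended in a success. The event format, the sample IPs and the thresholds are all assumptions.

```python
# Added example (not from the original post): flag password-spray patterns
# in sign-in events. Log format, IPs and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data): (timestamp, source_ip, user, result)
SAMPLE_EVENTS = [
    ("2023-11-20T03:00:01", "203.0.113.7", "alice", "FAIL"),
    ("2023-11-20T03:00:09", "203.0.113.7", "bob", "FAIL"),
    ("2023-11-20T03:00:17", "203.0.113.7", "carol", "FAIL"),
    ("2023-11-20T03:00:25", "203.0.113.7", "dave", "FAIL"),
    ("2023-11-20T03:00:33", "203.0.113.7", "erin", "FAIL"),
    ("2023-11-20T03:00:41", "203.0.113.7", "frank", "SUCCESS"),
    # One user mistyping a password repeatedly is noisy but not a spray.
    ("2023-11-20T03:01:00", "198.51.100.4", "alice", "FAIL"),
    ("2023-11-20T03:01:05", "198.51.100.4", "alice", "FAIL"),
    ("2023-11-20T03:01:10", "198.51.100.4", "alice", "FAIL"),
    ("2023-11-20T03:01:15", "198.51.100.4", "alice", "SUCCESS"),
]

def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_fails_per_account=3):
    """Return {source_ip: {"accounts": n, "compromised": [users]}} for each
    source whose failures hit at least min_accounts distinct accounts with
    no more than max_fails_per_account failures each inside the window."""
    by_source = defaultdict(list)
    for ts, src, user, result in events:
        by_source[src].append((datetime.fromisoformat(ts), user, result))
    findings = {}
    for src, rows in by_source.items():
        rows.sort()
        start = rows[0][0]          # fixed window from the source's first event
        fails = defaultdict(int)
        successes = set()
        for ts, user, result in rows:
            if ts - start > window:
                break
            if result == "FAIL":
                fails[user] += 1
            elif result == "SUCCESS":
                successes.add(user)
        sprayed = [u for u, n in fails.items() if n <= max_fails_per_account]
        if len(sprayed) >= min_accounts:
            # Any success from a spraying source is the account to investigate
            # first: in the incident above, that account became the foothold.
            findings[src] = {"accounts": len(sprayed),
                             "compromised": sorted(successes)}
    return findings
```

Per-account lockout thresholds never fire on this pattern, which is why the grouping has to be by source rather than by user.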
Microsoft believes that the initial breach occurred in late November 2023, suggesting that Midnight Blizzard had access for over a month before Microsoft detected it and responded. While this is a better-than-average time to detection, it was still plenty of time for a motivated threat actor to execute a systematic threat campaign.
In this case, Microsoft indicated that the campaign focus was on gaining intelligence about Microsoft’s research and defensive measures relating to Midnight Blizzard themselves. According to Microsoft, “there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.”
The new ‘material’ world
While the confirmed impact of this breach is still unfolding, it nonetheless represented a “material breach” for Microsoft. Microsoft’s filing of a Form 8-K with the U.S. Securities and Exchange Commission (SEC) for this incident is a high-profile example of the new requirements that regulators are placing on companies to disclose cybersecurity breaches promptly.
In this case, the SEC introduced a new rule in 2023 for cybersecurity risk management, strategy, governance, and incident disclosure. It requires organizations that experience a material breach to notify the SEC with an 8-K filing within four business days of becoming aware of the event. In this context, the word “material” is carried over from other areas of SEC oversight and applied to cybersecurity. An incident is considered “material” if a reasonable investor would find the information important in deciding whether to buy, sell, or hold a security, or if it would otherwise alter the overall set of data they are considering when making financial decisions.
More stringent disclosure requirements like this mean that even timely detection of threats, which is challenging in its own right, is not enough. Security teams must have the ability to gain a deep and accurate understanding of the breach details and impact quickly in order to mitigate both financial and reputational damage.
The stakes
Early indications suggest that Microsoft was very fortunate that Midnight Blizzard did not exploit their trusted account access more aggressively. However, compromised trusted identities are frequently used as a jumping-off point for further attack escalation, such as:
- Moving laterally to other systems, applications, accounts, or network segments, in search of higher-level privileges or more sensitive data.
- Attempts to elevate privileges by exploiting system vulnerabilities, cracking passwords, or finding misconfigurations.
- Accessing sensitive data and exfiltrating it for various purposes, such as selling it on the dark web, using it for identity theft, or leveraging it for competitive advantage.
- Using a compromised account to disable security controls, making the network more vulnerable to future attacks and preventing the detection of their activities.
- Creating backdoors that will allow them to re-enter the network easily in the future, even if the original compromised account is secured.
- Using a compromised account to conduct additional phishing campaigns or other social engineering attacks against other employees, customers, or partners, leveraging the trust associated with the account to increase the chances of success.
The eventual business impacts of compromised trusted identities can be far-reaching, including financial loss, reputational damage, regulatory consequences, intellectual property leakage, higher cybersecurity insurance premiums, and more.
How traditional identity protection approaches are falling short
“Conventional identity and access management and security preventive controls are insufficient to protect identity systems from attack. To enhance cyberattack preparedness, security and risk management leaders must add Reveal Security capabilities to their security infrastructure.”*
However, these recent breaches at Okta and Microsoft prove that even sophisticated organizations are still late to the party in this area.
The critical role of Reveal Security
- Malicious activity originating with trusted identities is detected quickly, before the threat actor can execute a more sophisticated, long-term campaign.
- Security teams have a detailed view of what happened, so they can execute a response and comply with mandated disclosure requirements in a timely and informed manner.
* Source: “Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response,” Gartner, October 20, 2022.
Interested in learning more about how to get started?
Read more here about how Reveal Security can monitor all log activity and detect abnormalities at scale for post-authentication users in Microsoft 365 and other business-critical SaaS applications.
Contact us to request a personalized demo.