Tenable Blog

Poor Identity Hygiene at Root of Nation-State Attack Against Microsoft

The latest breach suffered by Microsoft shows once again that detection and response are not enough. Because the source of an attack almost always boils down to a single overlooked user and permission, it’s critical for organizations to have strong preventive security.

On January 19, Microsoft announced that it was breached via Entra ID (formerly Azure AD) by a nation-state threat actor called Midnight Blizzard. Microsoft shared information about the attack, including tactics, techniques and procedures (TTPs), and its guidance for responders. Companies can be intentionally vague about certain details of an attack to maintain confidentiality of their internal environment and to minimize harm to their reputation. Microsoft does, however, provide some details to help understand what Midnight Blizzard exploited to breach Microsoft’s corporate environment.

What stands out in this breach is the need for better preventive security efforts to reduce the risk created by poor identity hygiene. Overlooked identities, excessive permissions and misconfigured settings can have grave consequences, even in an environment with sophisticated detection and response tools and capabilities. Tenable Identity Exposure identifies the weaknesses that attacks like these could exploit, including:

  • Missing multifactor authentication (MFA) detection 
  • Dangerous API permissions
  • Administrator account analysis

Let’s briefly review what happened.

While Microsoft’s announcement outlined many different steps in the attack, the attack exploited some very common weaknesses: poor password hygiene, lack of MFA, excessive permissions and privileged Entra roles.

The initial access phase of this attack was a simple password spray, an attack technique in which a threat actor tries a small set of common passwords against many accounts, looking for identities with weak or compromised passwords. This initial attack targeted a non-production environment, and Midnight Blizzard took careful steps during this phase to avoid detection. As Microsoft explained: “The actor tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection (...) further launching these attacks from a distributed residential proxy infrastructure (...) account that did not have multi factor authentication enabled”.

Having MFA on this account, even though it was non-production, could have prevented the password spray attack from reaching its ultimate goal. At a minimum, it would have made it harder for the password spray to succeed and therefore much easier to detect.
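The spray Microsoft describes (few attempts per account, many accounts, many source IPs) slips under a per-account lockout rule, so a detection has to look at the opposite shape. The following is an added example, not code from Tenable or Microsoft; the sign-in events are constructed, and the field names (`user`, `ip`, `code`, `mfa`) are a simplified stand-in for the Entra ID sign-in log schema.

```python
from collections import Counter

# Real Entra ID sign-in error code for "invalid username or password";
# 0 marks a successful sign-in.
INVALID_CREDS = 50126

# Constructed sample sign-in events (not real Microsoft data): six accounts,
# one failure each, spread over four source IPs, then one success on an
# account that has no MFA method registered.
SAMPLE_EVENTS = [
    {"user": "alice@test.example", "ip": "198.51.100.10", "code": 50126, "mfa": True},
    {"user": "bob@test.example", "ip": "198.51.100.11", "code": 50126, "mfa": True},
    {"user": "carol@test.example", "ip": "203.0.113.5", "code": 50126, "mfa": False},
    {"user": "dave@test.example", "ip": "203.0.113.6", "code": 50126, "mfa": True},
    {"user": "erin@test.example", "ip": "198.51.100.10", "code": 50126, "mfa": True},
    {"user": "legacy-test@test.example", "ip": "203.0.113.5", "code": 50126, "mfa": False},
    {"user": "legacy-test@test.example", "ip": "198.51.100.11", "code": 0, "mfa": False},
]


def detect_password_spray(events, min_accounts=5, max_per_account=3, min_ips=3):
    """Return spray indicators for one time window of sign-in events.

    Spray signature: many distinct accounts, few failures each, many source
    IPs. Also list sprayed accounts that later signed in without MFA, the
    case that needs an immediate response.
    """
    failures = [e for e in events if e["code"] == INVALID_CREDS]
    per_account = Counter(e["user"] for e in failures)
    source_ips = {e["ip"] for e in failures}
    is_spray = (
        len(per_account) >= min_accounts
        and max(per_account.values(), default=0) <= max_per_account
        and len(source_ips) >= min_ips
    )
    sprayed = set(per_account)
    successes_without_mfa = sorted(
        {e["user"] for e in events
         if e["code"] == 0 and e["user"] in sprayed and not e["mfa"]}
    )
    return {
        "is_spray": is_spray,
        "accounts_targeted": len(per_account),
        "source_ips": len(source_ips),
        "successes_without_mfa": successes_without_mfa,
    }
```

Run over the sample, the function flags the spray and names the one non-MFA account that the spray eventually logged into; a ten-failure brute force against a single account is not flagged, because that is the lockout rule's job.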

Next, the attackers pivoted from the test environment to the corporate production environment by exploiting excessive Graph API permissions. Although the application was registered in Microsoft’s test tenant, its corresponding identity had been given dangerous Graph API permissions in Microsoft’s corporate production tenant.

That allowed the threat actor to compromise the app registration and move to the production tenant via the corresponding service identity. Once inside Microsoft’s corporate environment, they granted the “full_access_as_app” API permission of Office 365 Exchange Online to new malicious applications they created, which gave them access to key executive mailboxes for over two months.

API permissions often grant access whose ramifications are hard to decipher, and the Microsoft Graph API permission model is known to be particularly difficult to understand. It may well be that Microsoft itself fell victim to this complexity. This lapse in identity hygiene is clearly what the threat actor took advantage of to infiltrate Microsoft’s production environment and gain access to sensitive corporate communications.
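The audit that would have surfaced this pattern is a review of every service principal in the production tenant for app-only permissions with tenant-wide reach, weighted by whether the registration lives in another tenant and whether the principal is still in use. This is an added example, not Tenable's or Microsoft's code; the inventory is constructed, and its field names are simplified stand-ins for the `servicePrincipal` and `appRoleAssignment` objects Graph returns. The permission names in the dangerous set are real Exchange Online and Microsoft Graph application permissions.

```python
# App-only (application) permissions with tenant-wide reach. The
# "full_access_as_app" role on Office 365 Exchange Online is the one the
# threat actor granted; the rest are well-known high-impact Graph roles.
DANGEROUS_APP_ROLES = {
    ("Office 365 Exchange Online", "full_access_as_app"),
    ("Microsoft Graph", "Mail.Read"),
    ("Microsoft Graph", "Directory.ReadWrite.All"),
    ("Microsoft Graph", "RoleManagement.ReadWrite.Directory"),
    ("Microsoft Graph", "Application.ReadWrite.All"),
}

# Constructed inventory of service principals in the production tenant
# (simplified stand-ins for servicePrincipal + appRoleAssignment fields).
SAMPLE_INVENTORY = [
    {"display_name": "legacy-test-app", "home_tenant": "test-tenant",
     "days_since_sign_in": 400,
     "app_roles": [("Office 365 Exchange Online", "full_access_as_app")]},
    {"display_name": "hr-sync", "home_tenant": "prod-tenant",
     "days_since_sign_in": 1,
     "app_roles": [("Microsoft Graph", "User.Read.All")]},
    {"display_name": "mail-archiver", "home_tenant": "prod-tenant",
     "days_since_sign_in": 2,
     "app_roles": [("Microsoft Graph", "Mail.Read")]},
]


def audit_app_permissions(inventory, prod_tenant="prod-tenant", stale_days=90):
    """Rank service principals holding dangerous app-only permissions; a
    registration outside the production tenant or a long-idle principal
    raises the score, since both point at an overlooked identity."""
    findings = []
    for sp in inventory:
        held = [f"{res}:{role}" for res, role in sp["app_roles"]
                if (res, role) in DANGEROUS_APP_ROLES]
        if not held:
            continue
        score, reasons = 1, []
        if sp["home_tenant"] != prod_tenant:
            score += 2
            reasons.append("registered in a non-production tenant")
        if sp["days_since_sign_in"] > stale_days:
            score += 1
            reasons.append(f"no sign-in for {sp['days_since_sign_in']} days")
        findings.append({"principal": sp["display_name"], "permissions": held,
                         "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])
```

On the sample, the idle test-tenant principal with `full_access_as_app` lands at the top of the list, while the in-use production archiver with `Mail.Read` is reported at the lowest severity for a human to confirm.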

The need to continuously assess and understand identity risk, so that remediations can be prioritized and the attack surface reduced before an attack occurs, is clear. Although Microsoft offers many tools and services for detecting and disrupting attacks, sophisticated breaches often come down to small oversights within a single account or permission. Preventively reducing the attack surface of identities is made harder by its ever-changing nature, which calls for continual validation of risk.

Tenable Identity Exposure continuously validates the security posture of Microsoft identity systems and prioritizes risky identities, permissions and configurations to instantly reduce the attack surface.

Tenable provides four specific indicators of exposure (IoEs) to help prevent these types of attacks. Two Identity Exposure IoEs allow customers to identify accounts exposed due to lack of MFA. These IoEs uncover Microsoft Entra ID accounts without any registered MFA method, which are often exploited in password spray attacks:

Identity Exposure also has two IoEs that discover and analyze dangerous Microsoft Entra roles and Microsoft Graph API permissions so these attack vectors can be eliminated before an attack occurs:

With these enabled, Identity Exposure continually validates several critical and often overlooked aspects of Microsoft’s identity systems. Tenable also uncovers the riskiest identities and provides step-by-step guidance for remediation. The tactics used by Midnight Blizzard are a prime example of the types of identity risks and attack paths that Tenable Identity Exposure can help eliminate to prevent a successful attack.

For more information about how Tenable Identity Exposure helps reduce the attack surface of your Microsoft identity environment, request a demo or download our Identity Exposure datasheet.
