Russian threat group crafted malicious OAuth apps to breach Microsoft

Microsoft has identified how Russian attackers used rogue OAuth applications to breach its corporate email system, stealing messages and attachments.

Last year, the NSA and FBI identified Midnight Blizzard (also known as NOBELIUM and Cozy Bear) as acting on behalf of Russia’s Foreign Intelligence Service (SVR).

The group's intrusion at Microsoft was detected on January 12; it also breached HPE, which said in a January 19 Securities and Exchange Commission (SEC) notice that its cloud-based email environment was compromised in December 2023.

In a blog post, Microsoft said the initial attack vector was a password-spray attack against a “legacy, non-production test tenant” that lacked MFA.

That access let the attackers compromise another legacy test app – this time, an OAuth app that had “elevated access to the Microsoft corporate environment.”

That let Midnight Blizzard create additional OAuth applications, and a user account that could grant consent in Microsoft’s corporate systems to rogue OAuth apps.

“The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes,” Microsoft said in the blog post.
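The chain above turns on an app-only grant (full_access_as_app) that nobody was watching. The following Python script is an added example, not code from the article or from Microsoft: it walks app role assignments in the shape Microsoft Graph returns from /servicePrincipals/{id}/appRoleAssignments, resolves each appRoleId to its role value via the resource service principal's appRoles list, and reports every grant of full_access_as_app, separating long-standing grants (a forgotten test app) from ones created in the last 30 days (a newly created rogue app). All GUIDs, app names and dates below are constructed sample data, and the Graph object shape is assumed from the documented API rather than taken from the page.

```python
"""Audit app-only Exchange Online grants for the full_access_as_app role.

Added example, not code from the article or from Microsoft. Input objects
follow the shape of Microsoft Graph appRoleAssignment and servicePrincipal
records (assumed); every id, name and timestamp below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Roles treated as high privilege for app-only mailbox access. full_access_as_app
# is the role named in the article; extend the set to match local policy.
HIGH_PRIVILEGE_ROLES = {"full_access_as_app"}

# Constructed: the Exchange Online resource service principal and the app roles
# it exposes. Role ids here are placeholders, not real tenant GUIDs.
SAMPLE_RESOURCE_SPS = [
    {
        "id": "res-exo-0001",
        "displayName": "Office 365 Exchange Online",
        "appRoles": [
            {"id": "role-full-0001", "value": "full_access_as_app"},
            {"id": "role-send-0002", "value": "Mail.Send"},
        ],
    }
]

# Constructed: app role assignments as listed per service principal.
SAMPLE_ASSIGNMENTS = [
    {"principalDisplayName": "legacy-test-app", "principalId": "sp-0001",
     "resourceId": "res-exo-0001", "appRoleId": "role-full-0001",
     "createdDateTime": "2022-03-01T10:00:00Z"},
    {"principalDisplayName": "mail-sync-helper", "principalId": "sp-0002",
     "resourceId": "res-exo-0001", "appRoleId": "role-full-0001",
     "createdDateTime": "2024-01-10T08:30:00Z"},
    {"principalDisplayName": "notify-bot", "principalId": "sp-0003",
     "resourceId": "res-exo-0001", "appRoleId": "role-send-0002",
     "createdDateTime": "2023-11-20T12:00:00Z"},
]


def build_role_index(resource_sps):
    """Map (resourceId, appRoleId) -> role value so assignments can be named."""
    index = {}
    for sp in resource_sps:
        for role in sp.get("appRoles", []):
            index[(sp["id"], role["id"])] = role["value"]
    return index


def parse_graph_time(value):
    """Graph returns ISO-8601 with a trailing Z; make it timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_risky_grants(assignments, resource_sps, now, recent_days=30):
    """Return grants of high-privilege roles, marking ones created recently.

    A stale grant on a forgotten test app and a fresh grant on an app nobody
    recognises both deserve a ticket; the 'recent' flag separates them for triage.
    """
    index = build_role_index(resource_sps)
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for a in assignments:
        role = index.get((a["resourceId"], a["appRoleId"]))
        if role not in HIGH_PRIVILEGE_ROLES:
            continue
        created = parse_graph_time(a["createdDateTime"])
        findings.append({
            "principal": a["principalDisplayName"],
            "principalId": a["principalId"],
            "role": role,
            "created": created.isoformat(),
            "recent": created >= cutoff,
        })
    return findings


def audit_sample():
    """Run the audit over the constructed data with a fixed reference date."""
    now = datetime(2024, 1, 25, tzinfo=timezone.utc)  # constructed reference date
    return find_risky_grants(SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCE_SPS, now)


if __name__ == "__main__":
    for f in audit_sample():
        flag = "NEW " if f["recent"] else "    "
        print(f"{flag}{f['principal']:<20} {f['role']:<20} created {f['created']}")
```

Against the constructed data the script reports both full_access_as_app holders and skips the Mail.Send grant; the legacy app is reported as a stale grant and the app created on January 10 is marked NEW. In a real tenant the two lists would come from Graph, and the same logic applies to any other app role an organisation considers equivalent to full mailbox access.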

In its original notification about the attack (published January 19), Microsoft said the attackers had access to “a very small percentage of Microsoft email accounts” for around four weeks. 

Victims included the company’s senior leadership team, and staff in cyber security, legal, and “other functions”.

“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” Microsoft said.

The other notable feature of the attack was that Midnight Blizzard used “residential proxy networks in their attack, with traffic routed via IP addresses of compromised users”.

The HPE attack was similar, with staff in “cyber security, go-to-market, business segments, and other functions” hit. 

HPE associated the latest attack with “earlier activity” by Midnight Blizzard, “involving unauthorised access to and exfiltration of a limited number of SharePoint files as early as May 2023”.
