Password Spraying Microsoft APT Breach

Microsoft APT Phishing Breach - Your Next Steps

Written by
Carla Nadin

January 22, 2024


Microsoft’s top executives’ email accounts have been breached. What does this mean for you? What do you need to know and what should you do moving forward? 

As the news hit over the weekend (20th Jan 2024) that Microsoft’s top executives had had their business email accounts breached since November, in yet another targeted campaign aimed at the computer giant, many are asking questions about the security of Microsoft’s systems. In this post we outline what happened, but more importantly we discuss what your organization's next steps should be to ensure you remain protected.

What Happened to Microsoft?

Microsoft attributes the attack to Midnight Blizzard, a Russian state-sponsored group also tracked as Nobelium and APT29. This is the same Advanced Persistent Threat (APT) group that was responsible for the notorious SolarWinds supply-chain attack disclosed in 2020. In this instance the attackers gained initial access with a password, having executed a simple password spraying attack.

Microsoft said:  “Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.  

The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.”

How Did the Breach Happen?

The initial access vector was password spraying against a legacy, non-production test tenant account. Microsoft’s senior executives are understood to use Microsoft’s own MFA. What is still unknown is how the attackers went from that test account to the mailboxes of senior executives even though MFA was enabled on those accounts. Microsoft’s statement says only that the attacker “used the account’s permissions” to reach corporate email, which points to a permissions path from the compromised account rather than a direct attack on the executives’ credentials or MFA.

What is password-spraying?

Password spraying is where an attacker takes one, or a handful of, commonly used passwords and tries each against many accounts, typically slowly enough to stay below per-account lockout thresholds, until one account accepts it. It is the inverse of brute forcing, which throws many passwords at a single account, and it succeeds wherever one account in the tenant has a weak password and no MFA.

Once the attackers had access to that account, they used its permissions to reach corporate executive email accounts while remaining undetected from late November 2023 until January 2024.
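The defining signature of a spray is in the authentication logs: one source produces failures spread across many distinct accounts with only one or two attempts per account, so no lockout fires. The following detector is an added example written for this post, not code from the original page or from Microsoft; the sign-in records, the log format, and the thresholds (LOCKOUT_THRESHOLD, MIN_DISTINCT_USERS, WINDOW) are constructed assumptions and should be replaced with your tenant's actual lockout policy and export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real Microsoft telemetry). Assumed format:
#   <ISO-8601 UTC time> <source IP> <account> <SUCCESS|FAILURE>
SAMPLE_EVENTS = [
    # One source tries a single guess against many accounts, once each, and
    # finally lands on a legacy test account: the password-spray pattern.
    "2023-11-27T02:00:01Z 203.0.113.7 alice@example.test FAILURE",
    "2023-11-27T02:00:44Z 203.0.113.7 bob@example.test FAILURE",
    "2023-11-27T02:01:30Z 203.0.113.7 carol@example.test FAILURE",
    "2023-11-27T02:02:12Z 203.0.113.7 dave@example.test FAILURE",
    "2023-11-27T02:02:58Z 203.0.113.7 erin@example.test FAILURE",
    "2023-11-27T02:03:41Z 203.0.113.7 frank@example.test FAILURE",
    "2023-11-27T02:04:20Z 203.0.113.7 Legacy-Test@example.test SUCCESS",
    # A user who mistyped twice: one account, few failures, not a spray.
    "2023-11-27T09:00:00Z 198.51.100.9 bob@example.test FAILURE",
    "2023-11-27T09:00:30Z 198.51.100.9 bob@example.test FAILURE",
    "2023-11-27T09:01:00Z 198.51.100.9 bob@example.test SUCCESS",
    # Classic brute force on one account: trips lockout, not a spray.
    "2023-11-27T11:00:00Z 192.0.2.5 admin@example.test FAILURE",
    "2023-11-27T11:00:05Z 192.0.2.5 admin@example.test FAILURE",
    "2023-11-27T11:00:10Z 192.0.2.5 admin@example.test FAILURE",
    "2023-11-27T11:00:15Z 192.0.2.5 admin@example.test FAILURE",
    "2023-11-27T11:00:20Z 192.0.2.5 admin@example.test FAILURE",
    "2023-11-27T11:00:25Z 192.0.2.5 admin@example.test FAILURE",
]

LOCKOUT_THRESHOLD = 5    # assumed per-account lockout; a sprayer stays below it
MIN_DISTINCT_USERS = 5   # assumed: accounts one source must fail against
WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_event(line):
    """Parse one constructed record into (time, ip, account, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result


def detect_spray(lines, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                 lockout=LOCKOUT_THRESHOLD):
    """Return {source_ip: summary} for sources whose failures inside `window`
    touch at least `min_users` distinct accounts while every account stays
    under the lockout threshold. `successes` lists accounts that the same
    source eventually logged into, i.e. the spray's likely foothold."""
    events = sorted(parse_event(line) for line in lines)
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most `window` of this IP's events.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            failures = defaultdict(int)
            successes = set()
            for _, _, user, result in evs[start:end + 1]:
                if result == "FAILURE":
                    failures[user] += 1
                else:
                    successes.add(user)
            if not failures:
                continue
            widest = max(failures.values())
            # Many accounts, each hit only a few times: spray, not brute force.
            if len(failures) >= min_users and widest < lockout:
                if ip not in alerts or len(failures) >= alerts[ip]["users"]:
                    alerts[ip] = {
                        "users": len(failures),
                        "max_failures_per_user": widest,
                        "successes": sorted(successes),
                    }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_spray(SAMPLE_EVENTS).items():
        print(ip, summary)
```

Only the first source is flagged: six accounts, one failure each, ending in a success against the legacy test account. The mistyping user and the single-account brute force never reach `min_users`, which is the point: per-account lockout counters do not see a spray at all, so the correlation has to be by source (or by failure count across the whole tenant) rather than by account.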

[Figure: The anatomy of a password spraying attack]

Who is Affected by the Latest Microsoft Breach?

It is currently believed that the threat actor has not accessed any customer environments; however, the incident does raise serious questions about the level of security of Microsoft’s products and services. Security accounts for around 10% of Microsoft’s overall revenue, worth about $20bn in annual turnover (according to @LastCallCNBC). As confidence was shaken over the weekend, Microsoft saw its share price drop, and there is no doubt that this will have a negative impact.

In terms of the impact to the business at an operational level, emails, data, and attachments have been stolen and the company is now contacting all those employees who have been impacted. 

What we do know for certain is that the initial access step, a password spray against a legacy account, is exactly the kind of attack that phishing-resistant MFA on every account is designed to stop, so this attack could have been prevented.

What Does This Teach Us? 

This attack teaches us a number of things. Here is our take:

  1. If Microsoft is not immune to these types of attacks (even with MS Authenticator and/or conditional access enabled), businesses of all sizes and levels of maturity should take note.
  2. Microsoft is not alone. These attacks happen frequently enough (Okta, Duo, Twilio). Industry needs to sit up. It needs to rip up the current playbook when it comes to an over-reliance on detection and the centralisation of credentials.
  3. Multi-factor authentication should be enabled for all accounts, not just a few, including legacy and test accounts, which is where this attack started.

MFA Best Practice 

Here are the steps you need to take. Evaluate your current MFA solution.

  1. Does it prevent all credential phishing and password-based attacks? 
  2. Is it enabled for all users? 

Do you have any existing challenges with enabling MFA for all users? If so, you need to speak to us. We know that having keys or smartphones available to every user is not viable for most organisations, which is why AuthN by IDEE is a same-device MFA solution. 

Download the guide to phish-proof MFA to learn more about how our technology works and how we can protect you against these types of attacks.

