Microsoft Detects Password Spray Attack by State-Sponsored Actor

Recently, Microsoft’s security team detected an attack on its corporate systems, initiated by the Russian state-sponsored actor known as Nobelium, also referred to as Midnight Blizzard. The attack was discovered on January 12, 2024, which triggered an immediate activation of Microsoft’s response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access.

The investigation revealed that the threat actor used a password spray attack in late November 2023 to compromise a legacy non-production test tenant account. Subsequently, they used the account’s permissions to access some Microsoft corporate email accounts, including those of senior leadership team members and employees in cybersecurity, legal, and other functions. The threat actor exfiltrated some emails and attached documents, with an initial focus on gathering information related to Midnight Blizzard itself.

The attack did not exploit any vulnerability in Microsoft products or services, and there is currently no evidence to suggest that the threat actor gained access to customer environments, production systems, source code, or AI systems. Microsoft has pledged to notify customers if any action is required on their part.

As part of its commitment to responsible transparency, Microsoft has emphasized the need to accelerate the application of current security standards to legacy systems and internal business processes.

Microsoft is continuing its investigation and will take further actions based on the outcomes, collaborating with law enforcement and relevant regulators. The company is committed to sharing additional information and learnings to benefit the wider community, with a promise to provide further details as appropriate.

For more information, the official update from Microsoft’s Security Response Center can be accessed at https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/.
