
The New Year was less than two weeks old when Microsoft announced the first major cybersecurity incident of the year, one involving a Russian-affiliated group that targeted the software giant’s internal corporate network to steal documents and emails.

On Jan. 12, Microsoft's internal security uncovered a sophisticated attack that had targeted its corporate infrastructure. Two weeks later, on Jan. 25, Redmond released additional details about the incident, the nation-state group suspected of carrying it out, and what the company is doing to address the damage.

The attack, according to Microsoft’s analysis, began with the malicious actors using a password spray technique to compromise an old, non-production test account, which gave the group a foothold within the network. From there, the group compromised a legacy test OAuth application, allowing the threat actors to further access the company’s infrastructure and network, including the email inboxes of executives within several units.

“The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor-controlled malicious OAuth applications,” according to the summary Microsoft provided. “The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.”

While it’s likely that the investigation into this incident will take months to unravel, the early information and the style of attack hold valuable lessons for tech professionals who are looking to stay on top of current security trends and expand their base of knowledge.

“Although this attack was by a nation-state threat actor, the breach targeting Microsoft's corporate email accounts was facilitated through a simple password-spray attack,” Michael Mumcuoglu, CEO and co-founder of security firm CardinalOps, recently told Dice. “This serves as a stark reminder for security teams to pay equal attention to safeguarding sensitive data across all systems, including those perceived as less critical such as email and file-sharing platforms.”

Anatomy of an Attack

In its analysis, Microsoft’s security team believes that the incident started in November 2023 with the attackers using a password spray technique that eventually compromised a “legacy, non-production test tenant account” that lacked multifactor authentication (MFA) protections.

To avoid detection, the malicious actors limited their attempts and utilized residential proxy networks to hide traffic through legitimate IP addresses, according to Microsoft.
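To make the detection angle concrete, here is an added example (not code from the article or from Microsoft) that runs a low-and-slow spray check over constructed sign-in records: it groups failures by time window rather than by source IP, because rotating residential proxies defeat per-IP counting, and then reports which sprayed accounts later signed in successfully. The log format, thresholds and account names are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sign-in events for the demo (not real Microsoft telemetry): timestamp, account,
# source IP, result. The first burst is one failure per account, minutes apart, each from a different IP.
SIGNIN_LOG = """\
2023-11-02T01:00:05Z alice@corp.example 203.0.113.10 FAILURE
2023-11-02T01:03:41Z bob@corp.example 198.51.100.7 FAILURE
2023-11-02T01:07:12Z carol@corp.example 192.0.2.88 FAILURE
2023-11-02T01:11:58Z dave@corp.example 203.0.113.45 FAILURE
2023-11-02T01:17:02Z legacy-test@corp.example 192.0.2.19 FAILURE
2023-11-02T01:22:47Z legacy-test@corp.example 203.0.113.77 SUCCESS
2023-11-02T09:00:00Z alice@corp.example 10.0.0.5 FAILURE
2023-11-02T09:00:20Z alice@corp.example 10.0.0.5 FAILURE
"""

def parse(log):
    # Turn the text log into (time, account, ip, result) tuples, oldest first.
    events = []
    for line in log.splitlines():
        ts, account, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, result))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=30), min_accounts=4, max_per_account=2):
    """Flag a window in which failures fan out across many distinct accounts while no single
    account fails more than a couple of times (staying under lockout). Grouping is by time,
    not source IP, since every attempt may arrive from a different legitimate-looking host."""
    fails = [e for e in events if e[3] == "FAILURE"]
    alerts, i = [], 0
    while i < len(fails):
        start = fails[i][0]
        in_win = [e for e in fails[i:] if e[0] - start <= window]   # contiguous, since sorted
        per_account = Counter(e[1] for e in in_win)
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            alerts.append({"start": start, "end": start + window, "accounts": sorted(per_account),
                           "source_ips": sorted({e[2] for e in in_win})})
            i += len(in_win)          # move past this burst
        else:
            i += 1
    return alerts

def successes_after_spray(events, alerts, lookahead=timedelta(hours=24)):
    # The spray that matters is the one that ended in a login: sprayed accounts that then succeeded.
    hits = set()
    for a in alerts:
        for ts, acct, _, result in events:
            if result == "SUCCESS" and acct in a["accounts"] and a["start"] <= ts <= a["end"] + lookahead:
                hits.add(acct)
    return sorted(hits)
```

The morning burst of repeated failures against a single account from one address is deliberately not flagged; that is a different pattern (brute force or a forgotten password) and needs a different rule.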

Once the attackers established a foothold, they compromised vulnerable OAuth applications. (OAuth is an industry standard for token-based authentication and authorization that enables applications to access data based on user permissions.)

By compromising OAuth apps, attackers can move laterally across networks, remain undetected by disguising their malicious traffic and compromise specific, cloud-based applications, such as email. This appears to have been the main motive, according to Microsoft. The malicious actors targeted the company’s “cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” according to the analysis.

These details hold the first lessons for tech pros brushing up on cybersecurity. The fact that the attackers targeted a non-production server that lacked MFA shows that while cybersecurity teams spend time hardening production systems, that focus can leave blind spots where weak protection methods, such as passwords, are then exploited, said Jason Soroko, senior vice president of product at security firm Sectigo.

“Passwords used alone are vulnerable and, in this case, an old-fashioned spray-and-pray attack was all that was necessary for the attacker to gain a foothold,” Soroko told Dice. “The ‘thing to do now’ is to evaluate any and all systems that do not have a strong form of authentication gating their access. Take inventory, and even if a legacy system cannot be mitigated with a stronger authentication technology, this highlights the need to monitor those systems carefully.”

These incidents should also call attention to adopting more modern security approaches, such as using zero-trust principles, while removing older methods such as passwords, noted Darren Guccione, CEO and co-founder at Keeper Security.

“Organizations large and small should implement a zero-trust architecture with least-privilege access to ensure employees only have access to what they need to do their jobs,” Guccione told Dice. “Companies should also have security event monitoring in place. By adopting a zero trust framework within their infrastructure, enterprise leaders will be in a stronger position to not only identify and react to attacks on their organization but also mitigate any potential damage.”

Nation-State Actors Threaten Everyone

Besides the attack details, Microsoft pointed to a group called Midnight Blizzard as the likely culprit behind this incident. This particular nation-state group is also referred to as Nobelium, APT 29 and Cozy Bear and is linked to Russia’s Foreign Intelligence Service or SVR.

Midnight Blizzard is also a group with ties to the SolarWinds supply chain attack, which was first disclosed in December 2020. Following Microsoft’s January announcement, Hewlett Packard Enterprise reported in a regulatory filing that its internal network may have been compromised by this same group.

While a company Microsoft’s size is more likely a target of sophisticated nation-state operations, experts noted that the growing reliance on cyber operations by these types of threat actors shows nearly everyone is at risk. Tech pros should take note.

“The selection of targets like Microsoft and HPE appears to align with the broader objectives often associated with state-sponsored espionage: intelligence collection, cybersecurity defense probing and manipulation and potentially laying the groundwork for future operations,” Piyush Pandey, CEO of Pathlock, told Dice. “These companies are central to the IT infrastructure of many organizations, including government agencies, which makes them valuable targets.”

With attackers such as these able to hide their activity in legitimate traffic, Sectigo’s Soroko added that tech professionals need to think outside the box and consider what a seasoned attack group might try. This calls for looking more closely at IP traffic logs and disabling OAuth apps if they are no longer needed.
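As an added illustration of the app audit implied by the OAuth discussion above and by Soroko’s advice to disable apps that are no longer needed (example code, not from the article or Microsoft), the check below walks a constructed app inventory and flags the three traits the incident summary describes: the full_access_as_app role, a long-idle app, and consent granted by a freshly created account. The inventory, its field names and the user names are assumptions, not a Microsoft Graph schema.

```python
from datetime import date, timedelta

# Constructed app inventory for the demo; field names are assumptions, not a Graph schema.
# full_access_as_app is the Exchange Online role named in the article; "legacy-test" stands in
# for the kind of forgotten test app that was abused.
APPS = [
    {"name": "legacy-test", "roles": ["full_access_as_app"], "last_used": date(2023, 6, 1),
     "consented_by": "svc-consent", "consent_date": date(2023, 11, 20)},
    {"name": "hr-sync", "roles": ["User.Read.All"], "last_used": date(2024, 1, 10),
     "consented_by": "admin1", "consent_date": date(2022, 3, 4)},
    {"name": "mail-archiver", "roles": ["full_access_as_app"], "last_used": date(2024, 1, 11),
     "consented_by": "admin1", "consent_date": date(2021, 9, 15)},
]
# Constructed account creation dates for the users who granted consent.
USERS = {"svc-consent": date(2023, 11, 19), "admin1": date(2019, 1, 8)}

def audit_apps(apps, users, today, stale_after=timedelta(days=90), new_account=timedelta(days=30)):
    """Return a dict of app name -> list of findings. An app with no findings is omitted."""
    findings = {}
    for app in apps:
        issues = []
        if "full_access_as_app" in app["roles"]:
            # Tenant-wide mailbox access: justify it or replace it with scoped permissions.
            issues.append("holds full_access_as_app (access to all mailboxes)")
        if today - app["last_used"] > stale_after:
            issues.append("unused for more than %d days: disable or delete" % stale_after.days)
        created = users.get(app["consented_by"])
        if created is not None and app["consent_date"] - created <= new_account:
            # Consent from a brand-new account is the pattern Microsoft's summary describes.
            issues.append("consent granted by an account created %d day(s) earlier"
                          % (app["consent_date"] - created).days)
        if issues:
            findings[app["name"]] = issues
    return findings
```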

“The lesson learned here is that context is everything. Ask a soul-searching question: Is your network, and other computing systems, too trusting, too open or allowing too many conditions? Is this done for the convenience of your systems administrators?” Soroko said. “The biggest lesson here is that convenience for systems administrators equates to convenience for attackers much of the time.”

Remember the Follow-Up

For many cybersecurity observers, following up after an attack is detected is important and a practice that tech pros need to remember. Amir Krayden, CEO and co-founder of Senser, offers a four-part checklist that can help improve the security process and stop or limit these types of incursions:

  • Leverage advanced modern technologies—such as eBPF—to holistically cover the environment, revealing "unknown unknowns" without leaving blind spots.
  • Gain deep knowledge of the unique environment by real-time learning based on holistic environment-as-a-graph modeling; this enables efficient correlation between components and their behavior.
  • Wield machine learning to power root cause analysis and enable rapid troubleshooting and remediation instead of depending on manual chases.
  • Explain a production issue's downstream implications.

The complexity of modern infrastructure and architectures means that tech pros must learn from the details Microsoft and others release and apply those lessons to their organizations.

“This issue underscores the challenges of identifying and troubleshooting production issues at scale—complex dependencies of highly interconnected, distributed systems make root cause analysis challenging and time-consuming for even the largest and most well-equipped site reliability teams,” Krayden told Dice.