Microsoft email breach: Attackers accessed internal systems, source code

The Russian state-sponsored attackers who breached the corporate email accounts of several senior Microsoft employees and security team members in November have been using information stolen from those mailboxes to access internal systems. Some of the emails also included secrets that Microsoft exchanged with customers and which could potentially be used in further attacks, the company warns.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” the company said in an update on its investigation Friday. “This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”

Midnight Blizzard is Microsoft’s designation for a group also known in the security industry as Nobelium or APT29 and which according to the US and UK intelligence agencies, is part of Russia’s Foreign Intelligence Service, the SVR. APT29 has been responsible for many high-profile attacks over the years, including the 2021 supply chain compromise involving SolarWinds that impacted thousands of organizations and government agencies.

In January, Microsoft announced that the group managed to gain access to a legacy test tenant account on its infrastructure using a password spraying attack. This is a technique where attackers attempt to access an account using a list of passwords compromised in other breaches. In this case the attackers limited the number of attempts and the time between them to evade detection and automatic rate limiting.

The test account did not have multifactor authentication turned on and had access to an OAuth application that had further elevated access to Microsoft’s corporate environment. The attackers then created their own OAuth applications and used the compromised account to give them the full_access_as_app role to the company’s Office 365 Exchange Online. This role provides full access to mailboxes.

The attack happened in November, but Microsoft detected it on January 12, so the attackers had access to Microsoft’s corporate email system for over a month. During this time, they accessed the mailboxes of employees working in leadership, cybersecurity, and legal positions, including employees who were investigating the APT group itself.