Be on the alert: Rehmann Technology Solutions’ Risk Management team has been tracking an uptick in attacks against Microsoft itself, including its corporate and support staff. At first glance, attacks on a vendor of that size may seem to say little about the risk profile of small and medium businesses, but there are many historical examples of nation-state techniques and tactics filtering down to less sophisticated threat actors, who frequently turn that newly gained knowledge against SMBs.
Two of the most recent attacks against Microsoft were the Storm-0558 attack and the Midnight Blizzard attack.
The Storm-0558 Attack
On July 11, 2023, Microsoft disclosed that a threat actor known as Storm-0558 had executed a malicious campaign against the company, targeting customer email. A China-based threat actor with espionage objectives, Storm-0558 had used forged authentication tokens to access user email from approximately 25 organizations, including government agencies, as well as related consumer accounts in the public cloud, beginning May 15, 2023.
On September 7, 2023, Microsoft published the results of its investigation into how Storm-0558 obtained the inactive Microsoft account (MSA) consumer signing key it used to forge tokens and reach Outlook mailboxes. The key had been captured in a crash dump of a consumer signing system in April 2021; a race condition left the key in the dump when it should have been stripped, and the dump was later moved from the isolated production network into a debugging environment on the internet-connected corporate network. The attackers then compromised a Microsoft engineer’s corporate account, which had access to that debugging environment, and acquired the key from there. A separate validation flaw in Microsoft’s token libraries allowed a consumer key to sign tokens for enterprise (Azure AD) accounts, so the forged tokens were accepted by Exchange Online. Because the same key was trusted by other Azure AD-backed services, other customer data such as documents and Teams messages was potentially exposed as well, although the access Microsoft confirmed was to email.
The Midnight Blizzard Attack
On January 12, 2024, Microsoft detected a nation-state attack on its corporate systems by a threat actor known as Midnight Blizzard. This threat actor is a known Russian-state-sponsored actor that has also been tracked as NOBELIUM, Cozy Bear, APT29, and UNC2452. The attack began in late November 2023, when the threat actor used a password spray attack to compromise a legacy non-production Microsoft test-tenant account that did not have multifactor authentication enabled, and gained a foothold. From that account the threat actor abused a legacy test OAuth application that still held elevated access to the Microsoft corporate environment, created additional malicious OAuth applications, and granted them full access to Exchange Online mailboxes. It then used that access to read a small percentage of Microsoft corporate email accounts, including members of the senior leadership team and employees in cybersecurity, legal, and other functions, and exfiltrated emails and attached documents.
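The password spray that opened the Midnight Blizzard intrusion leaves a recognisable trace in Microsoft Entra sign-in logs: one source address touching many accounts with one or two failed attempts each, followed by a success against an account that no Conditional Access policy covered. The script below is an added example, not code from the original advisory or from Microsoft; it shows one way to pick that pattern out of sign-in records. Against a real tenant the records would come from `Get-MgAuditLogSignIn` in the Microsoft Graph PowerShell SDK; here a constructed sample with fictitious names and documentation-range IP addresses stands in so the logic runs offline.

```powershell
# Added example, not part of the original advisory: spot a password spray and the
# Conditional Access gaps it exploited in Microsoft Entra sign-in log records.
# Against a real tenant the records come from the Graph PowerShell SDK:
#   Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
#   $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge 2023-11-20T00:00:00Z" -All
# The sample below is constructed so the logic runs offline; names and IPs are fictitious.

function New-SampleSignIn ($Time, $Upn, $Ip, $ErrorCode, $CaStatus = 'success', $Managed = $true) {
    # Same property shape as the SDK's sign-in objects, limited to the fields used here
    [pscustomobject]@{
        CreatedDateTime         = [datetime]$Time
        UserPrincipalName       = $Upn
        IPAddress               = $Ip
        AppDisplayName          = 'Office 365 Exchange Online'
        Status                  = @{ ErrorCode = $ErrorCode }   # 0 = success, 50126 = wrong password
        ConditionalAccessStatus = $CaStatus                     # success | failure | notApplied
        DeviceDetail            = @{ IsCompliant = $Managed; IsManaged = $Managed }
    }
}

$sample = @(
    # One source IP walks the user list with a single guess each: the spray pattern
    New-SampleSignIn '2023-11-28T02:10:00Z' 'a.smith@contoso.com'  '198.51.100.7' 50126
    New-SampleSignIn '2023-11-28T02:10:03Z' 'b.jones@contoso.com'  '198.51.100.7' 50126
    New-SampleSignIn '2023-11-28T02:10:07Z' 'c.lee@contoso.com'    '198.51.100.7' 50126
    New-SampleSignIn '2023-11-28T02:10:11Z' 'd.patel@contoso.com'  '198.51.100.7' 50126
    New-SampleSignIn '2023-11-28T02:10:14Z' 'e.garcia@contoso.com' '198.51.100.7' 50126
    # ...and lands on a forgotten test account with no MFA and no policy coverage
    New-SampleSignIn '2023-11-28T02:10:18Z' 'legacy-test@contoso.com' '198.51.100.7' 0 'notApplied' $false
    # A single user mistyping a password from the office: several attempts, one account, not a spray
    New-SampleSignIn '2023-11-28T08:00:10Z' 'c.lee@contoso.com' '203.0.113.5' 50126
    New-SampleSignIn '2023-11-28T08:00:25Z' 'c.lee@contoso.com' '203.0.113.5' 50126
    New-SampleSignIn '2023-11-28T08:00:40Z' 'c.lee@contoso.com' '203.0.113.5' 50126
    New-SampleSignIn '2023-11-28T08:01:02Z' 'c.lee@contoso.com' '203.0.113.5' 0
)

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]]$SignIns,
        [int]$MinDistinctUsers     = 5,   # one source touching this many accounts is suspicious
        [double]$MaxAttemptsPerUser = 3   # sprays stay low per account to avoid smart lockout
    )
    $credentialFailures = 50126, 50053    # wrong password; account locked by repeated wrong passwords

    $SignIns |
        Where-Object { $credentialFailures -contains $_.Status.ErrorCode } |
        Group-Object -Property IPAddress |
        ForEach-Object {
            $users = @($_.Group.UserPrincipalName | Select-Object -Unique)
            $times = @($_.Group.CreatedDateTime | Sort-Object)
            [pscustomobject]@{
                IPAddress       = $_.Name
                Attempts        = $_.Count
                DistinctUsers   = $users.Count
                AttemptsPerUser = [math]::Round($_.Count / $users.Count, 2)
                Window          = '{0:u} .. {1:u}' -f $times[0], $times[-1]
                Users           = $users -join ', '
            }
        } |
        Where-Object { $_.DistinctUsers -ge $MinDistinctUsers -and $_.AttemptsPerUser -le $MaxAttemptsPerUser }
}

function Find-ConditionalAccessGap {
    # Successful sign-ins that no Conditional Access policy evaluated, or that came from a
    # device that is neither compliant nor managed: each one is a hole in the policy set
    param([Parameter(Mandatory)] [object[]]$SignIns)

    $SignIns | Where-Object {
        $_.Status.ErrorCode -eq 0 -and (
            $_.ConditionalAccessStatus -eq 'notApplied' -or
            (-not $_.DeviceDetail.IsCompliant -and -not $_.DeviceDetail.IsManaged)
        )
    } | Select-Object CreatedDateTime, UserPrincipalName, IPAddress, AppDisplayName, ConditionalAccessStatus
}

'Probable password-spray sources:'
Find-PasswordSpray -SignIns $sample | Format-List
'Successful sign-ins that bypassed Conditional Access or used an unmanaged device:'
Find-ConditionalAccessGap -SignIns $sample | Format-Table -AutoSize
```

On the sample, only 198.51.100.7 is reported as a spray source (five accounts, one attempt each), while the office user's repeated failures from 203.0.113.5 are ignored because they hit a single account. The second function surfaces the successful sign-in to the legacy test account, which is exactly the kind of unprotected identity Midnight Blizzard found. Tune the thresholds to your tenant's size, and treat any sign-in whose Conditional Access status is `notApplied` as a policy gap to close.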
How You Can Minimize Your Organization’s Risk
Both attacks demonstrate that threat actors have both the will and the means to gain access to privileged Microsoft corporate accounts. However, there are preventive measures your organization can take to reduce the risk of similar attacks impacting your Microsoft public cloud assets.
- Implement Conditional Access policies that block sign-ins from unmanaged devices, i.e. require an Intune-compliant or hybrid-joined device before any cloud app can be reached. Roll new policies out in report-only mode first and exclude a break-glass account, so a misconfiguration does not lock your own administrators out.
- Use role-based Conditional Access so that accounts holding privileged directory roles are held to stricter requirements than ordinary users: restrict which applications they can reach, from where, and under what conditions, rather than giving standing access to everything.
- Use Privileged Identity Management (PIM) to eliminate standing privileged accounts. Administrators hold roles as eligible and activate them just in time, with an approval step and an audit trail, so a compromised admin account carries no permissions until someone signs off on an activation.
- Alongside PIM, enable Customer Lockbox in your Microsoft 365 and Azure tenants so that a Microsoft support engineer cannot access your data during a support case without your explicit approval.
- PIM and Customer Lockbox only protect what the approver’s credentials protect, so use phishing-resistant MFA (FIDO2 security keys, Windows Hello for Business, or certificate-based authentication) for admin accounts at a minimum, and ideally for all users. The Midnight Blizzard test-tenant account had no MFA at all.
- Monitor and audit sign-in and audit logs to find gaps in your Conditional Access policies and unexpected user behavior: password sprays (many accounts, few attempts each, one source), successful sign-ins that no policy evaluated, sign-ins from unmanaged devices, and new OAuth application consents or permission grants.
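The device, role, and phishing-resistant MFA items in the list above can be expressed as two Conditional Access policies. The script below is an added example, not code from the original advisory or from Microsoft, using the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module). It assumes you have an emergency-access (break-glass) group whose object ID you substitute, that the named admin roles are the ones you want covered, and that Customer Lockbox is licensed in your tenant. Both policies are created in report-only mode so the sign-in logs show what they would have blocked before anything is enforced. PIM eligibility itself is configured separately and is not shown here.

```powershell
# Added example, not part of the original advisory: create the Conditional Access
# policies recommended above with the Microsoft Graph PowerShell SDK.
# Assumptions: Install-Module Microsoft.Graph has been run; $breakGlassGroupId is the
# object ID of your emergency-access group; you hold the Conditional Access Administrator role.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All'

$breakGlassGroupId = '<object-id-of-emergency-access-group>'   # assumption: substitute your own

# Policy 1: block sign-ins from devices that are neither Intune-compliant nor hybrid-joined.
# Applies to all users and all cloud apps; the break-glass group is excluded so a bad
# rollout cannot lock every administrator out.
$requireManagedDevice = @{
    displayName   = 'CA01 - Require compliant or hybrid-joined device'
    state         = 'enabledForReportingButNotEnforced'   # report-only; change to 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

# Policy 2: phishing-resistant MFA for every privileged directory role. Role template IDs
# are looked up by display name so nothing is hard-coded; add or remove roles as needed.
$adminRoles = 'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
              'Exchange Administrator', 'Conditional Access Administrator'
$roleIds = Get-MgDirectoryRoleTemplate |
           Where-Object { $adminRoles -contains $_.DisplayName } |
           Select-Object -ExpandProperty Id

$requirePhishingResistantMfa = @{
    displayName   = 'CA02 - Phishing-resistant MFA for admins'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeRoles = @($roleIds); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'AND'
        # Built-in authentication strength "Phishing-resistant MFA": FIDO2 security key,
        # Windows Hello for Business, or certificate-based authentication only
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
    }
}

foreach ($policy in $requireManagedDevice, $requirePhishingResistantMfa) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  ->  {1} [{2}]' -f $created.Id, $created.DisplayName, $created.State
}

# Customer Lockbox for Microsoft 365 is switched on in Exchange Online PowerShell
# (ExchangeOnlineManagement module, Organization Management role, E5 or add-on licence):
#   Connect-ExchangeOnline
#   Set-OrganizationConfig -CustomerLockBoxEnabled $true
```

Leave both policies in report-only mode for at least a full business cycle and review the sign-in logs for entries marked "report-only: failure"; each one is either a device or user you forgot about or a gap the policy is right to close. Only then flip `state` to `enabled`, and confirm the break-glass account can still sign in before you walk away.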
Rehmann Technology Solutions’ Risk Management and Professional Services teams are here to help review, design, and implement the above security measures, as well as any controls tailored to your environment, should you and your organization require assistance.