Why didn’t Microsoft let me know? What happened to the Microsoft test tenant that Nobelium breached, and how did that lead to Microsoft Exchange Online?
“Midnight Blizzard leveraged these malicious OAuth applications to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts,” explains Microsoft’s security team.
Adam Bauer told WIRED that the data was contained in the users’ mailboxes. “We continue to investigate and analyze these mailboxes to identify information that could have been accessed and will make appropriate notifications as required.”
“We shouldn’t be surprised that Russian intelligence-backed threat actors, and SVR in particular, are targeting tech companies like Microsoft and HPE,” said Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security. It would be a much bigger surprise, he added, if they found out they weren’t.
A password spray attack was used to gain initial access to Microsoft’s systems. A spray is a variant of brute force, but it inverts the usual shape: instead of hammering one account with a long dictionary, the attacker tries a short list of likely passwords against many accounts, keeping the attempts per account low enough to stay under lockout thresholds and the simple per-account failure rules most tenants alert on. Crucially, the non-production test tenant account that was breached didn’t have two-factor authentication enabled, so one correct guess was enough. Nobelium “tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection,” says Microsoft.
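The detection problem that tailoring creates is that per-account counters never trip. The signature to look for instead is one source (or one ASN) failing against many distinct accounts with few attempts each. The following is an added example, not code from Microsoft or from the article: it runs that logic over a small constructed sign-in log. The log format, field names, thresholds and the sliding window are assumptions chosen for illustration, and the second source in the sample is a classic single-account brute force, included to show that the spray rule does not fire on it.

```python
"""Password-spray detector over constructed sign-in records.

Added example, not code from Microsoft or the article. The log layout
(timestamp user source_ip result), the thresholds and the 60-minute
window are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real data. First source: six accounts, at most
# two tries each, one success (a spray). Second source: one account,
# six failures then a success (single-account brute force, not a spray).
SAMPLE_LOG = """\
2024-01-12T02:00:05Z alice@test.example 203.0.113.7 FAILURE
2024-01-12T02:00:09Z bob@test.example 203.0.113.7 FAILURE
2024-01-12T02:00:14Z carol@test.example 203.0.113.7 FAILURE
2024-01-12T02:00:20Z dave@test.example 203.0.113.7 FAILURE
2024-01-12T02:00:27Z erin@test.example 203.0.113.7 FAILURE
2024-01-12T02:00:33Z frank@test.example 203.0.113.7 SUCCESS
2024-01-12T02:01:02Z alice@test.example 203.0.113.7 FAILURE
2024-01-12T09:15:00Z alice@test.example 198.51.100.4 FAILURE
2024-01-12T09:15:03Z alice@test.example 198.51.100.4 FAILURE
2024-01-12T09:15:07Z alice@test.example 198.51.100.4 FAILURE
2024-01-12T09:15:11Z alice@test.example 198.51.100.4 FAILURE
2024-01-12T09:15:15Z alice@test.example 198.51.100.4 FAILURE
2024-01-12T09:15:19Z alice@test.example 198.51.100.4 FAILURE
2024-01-12T09:15:23Z alice@test.example 198.51.100.4 SUCCESS
"""


def parse(log_text):
    """Parse the assumed whitespace-separated format into (ts, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect_spray(events, window=timedelta(minutes=60), min_accounts=5, max_per_account=2):
    """Return {source_ip: finding} for sources that, inside one window, fail
    against at least `min_accounts` distinct accounts while never exceeding
    `max_per_account` failures on any single account. That pairing (breadth
    across accounts, low depth per account) is the spray signature; a
    single-account brute force has depth but no breadth and is not flagged.
    Any successes from the same source in that window are reported because
    they are the accounts to treat as compromised."""
    findings = {}
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[2]].append(ev)

    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            failures = defaultdict(int)
            successes = set()
            for _, user, _, result in evs[start:end + 1]:
                if result == "FAILURE":
                    failures[user] += 1
                else:
                    successes.add(user)
            if (failures and len(failures) >= min_accounts
                    and max(failures.values()) <= max_per_account):
                findings[ip] = {
                    "accounts_targeted": len(failures),
                    "max_attempts_per_account": max(failures.values()),
                    "successes": sorted(successes),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

Tune `min_accounts` to the tenant: five is low for a large directory but reasonable for a small test tenant, which is exactly where sprays are cheap. Grouping by source IP is the simplest key; in practice the attacker rotates through proxy or residential IP space, so grouping by ASN or by the user agent string catches more at the cost of more tuning.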
The group used that initial access to compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. OAuth is a widely used open standard for token-based delegated access: an application is granted a scoped permission and receives an access token, so it can act on behalf of a user or an organisation without ever holding the password. It is what lets you sign into a website with an existing account such as Gmail. The flip side is that an application with broad permissions is itself a credential, and whoever controls that application inherits its access, which is why the compromise of a forgotten test app could reach corporate mailboxes.
Kurtz was right, more has come out, but there are still some key details missing. Microsoft has said that if the same non-production test environment were deployed today, it would be configured to better protect against this kind of attack. If it wants customers to believe Microsoft is improving the way it designs, builds, tests, and operates its software, it has more explaining to do.