On January 12, 2024, Microsoft discovered that Russian hackers breached its systems in November 2023 and stole email from their leadership, cybersecurity, and legal teams.
Microsoft now explains that the threat actors used residential proxies and “Password spraying” brute-force attacks to target a small number of accounts, with one of these accounts being a “Legacy, non-production test tenant account.”
When Microsoft first disclosed the breach, many wondered whether MFA was enabled on this test account and how a test legacy account would have enough privileges to spread laterally to other accounts in the organization.
“Using the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations,” warns Microsoft in the new update.
In September 2023, it was also revealed that the Chinese Storm-0558 hacking group stole 60,000 emails from U.S. State Department accounts after breaching Microsoft’s cloud-based Exchange email servers earlier that year.
Finally, Microsoft advises using targeted hunting queries in Microsoft Defender XDR and Microsoft Sentinel to identify and investigate suspicious activities.
