Microsoft email exfiltration by Nobelium

Type
Incident
Actors
🐻APT29
Pub. date
January 19, 2024
Initial access
Password attack
Impact
Data exfiltration
Observed techniques
Password spraying
OAuth app creation
OAuth app hijack
Traffic routing through residential proxy network
Targeted technologies
Microsoft Exchange
References
https://www.wiz.io/blog/midnight-blizzard-microsoft-breach-analysis-and-best-practices
https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
https://www.breaches.cloud/incidents/o365-2024/
https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html
https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc
https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
Status
Finalized
Last edited
Aug 14, 2024 7:55 AM

On January 19, 2024, Microsoft disclosed that the email accounts of multiple employees had been compromised by Nobelium (which overlaps with 🐻APT29).

According to Microsoft, beginning in late November 2023, Nobelium used a password spraying attack to compromise a "legacy non-production test tenant account" in Microsoft's environment that did not have MFA enabled. The spraying evaded detection because of its low volume of attempts and because the traffic was routed through a residential proxy network across many different IP addresses, which masked the single origin of the activity.
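The detection problem described above, as an added example that is not part of the Wiz page or of Microsoft's own tooling: a per-source-IP failure threshold never fires against a low-and-slow spray routed through a proxy network, whereas a tenant-wide view (many distinct accounts, each with one or two failures, from almost as many distinct IPs inside one time window) does. The sign-in records, the field names and the thresholds are all constructed for the example; real Entra ID sign-in logs carry more fields and a tuned rule would set the thresholds from baseline data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (not real Microsoft telemetry). Each record
# loosely mirrors an Entra ID sign-in log entry: time, account, source IP, outcome.
SAMPLE_SIGNINS = [
    # Low-and-slow spray: one failure per account, each from a different
    # (constructed, documentation-range) residential IP, spread over a day.
    {"time": "2023-11-20T01:05:00Z", "user": "test-user-01@example.test", "ip": "203.0.113.10", "success": False},
    {"time": "2023-11-20T03:40:00Z", "user": "test-user-02@example.test", "ip": "203.0.113.57", "success": False},
    {"time": "2023-11-20T06:12:00Z", "user": "test-user-03@example.test", "ip": "198.51.100.22", "success": False},
    {"time": "2023-11-20T08:55:00Z", "user": "test-user-04@example.test", "ip": "198.51.100.140", "success": False},
    {"time": "2023-11-20T11:30:00Z", "user": "test-user-05@example.test", "ip": "203.0.113.201", "success": False},
    {"time": "2023-11-20T14:02:00Z", "user": "test-user-06@example.test", "ip": "198.51.100.9", "success": False},
    {"time": "2023-11-20T17:45:00Z", "user": "test-user-07@example.test", "ip": "203.0.113.88", "success": False},
    {"time": "2023-11-20T20:20:00Z", "user": "test-user-08@example.test", "ip": "198.51.100.77", "success": False},
    # A legitimate user mistyping a password a few times from one IP, then succeeding.
    {"time": "2023-11-20T09:00:00Z", "user": "alice@example.test", "ip": "192.0.2.5", "success": False},
    {"time": "2023-11-20T09:01:00Z", "user": "alice@example.test", "ip": "192.0.2.5", "success": False},
    {"time": "2023-11-20T09:02:00Z", "user": "alice@example.test", "ip": "192.0.2.5", "success": False},
    {"time": "2023-11-20T09:03:00Z", "user": "alice@example.test", "ip": "192.0.2.5", "success": True},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_signins(events):
    return [e for e in events if not e["success"]]


def detect_per_ip_lockout(events, max_failures=5):
    """Classic per-source threshold: IPs with more than max_failures failed sign-ins.

    Against a spray spread over a proxy network every IP stays under the
    threshold, so this returns an empty set for the sample data."""
    counts = Counter(e["ip"] for e in failed_signins(events))
    return {ip for ip, n in counts.items() if n > max_failures}


def detect_low_and_slow_spray(events, window_hours=24, min_accounts=5,
                              max_per_account=2, min_ip_ratio=0.8):
    """Tenant-wide view: in each fixed window, count accounts that saw only a
    few failures each, and alert when there are many of them and the attempts
    come from (almost) as many distinct IPs. Thresholds are assumed values."""
    failures = sorted(failed_signins(events), key=lambda e: parse_time(e["time"]))
    if not failures:
        return []
    t0 = parse_time(failures[0]["time"])
    window = timedelta(hours=window_hours)
    buckets = defaultdict(list)
    for e in failures:
        buckets[int((parse_time(e["time"]) - t0) / window)].append(e)

    alerts = []
    for idx, evs in sorted(buckets.items()):
        per_user = Counter(e["user"] for e in evs)
        # Accounts with many failures (alice above) look like a human, not a spray.
        low_count_users = {u for u, n in per_user.items() if n <= max_per_account}
        if len(low_count_users) < min_accounts:
            continue
        spray_evs = [e for e in evs if e["user"] in low_count_users]
        distinct_ips = len({e["ip"] for e in spray_evs})
        if distinct_ips / len(spray_evs) < min_ip_ratio:
            continue
        alerts.append({
            "window_start": (t0 + idx * window).isoformat(),
            "accounts": sorted(low_count_users),
            "attempts": len(spray_evs),
            "distinct_ips": distinct_ips,
        })
    return alerts


if __name__ == "__main__":
    print("per-IP threshold hits:", detect_per_ip_lockout(SAMPLE_SIGNINS))
    for a in detect_low_and_slow_spray(SAMPLE_SIGNINS):
        print("possible spray:", a)
```

The per-IP rule is kept deliberately so the contrast is visible: on the same data it returns nothing, while the windowed rule reports eight accounts probed from eight IPs with one attempt each. Requiring MFA on every account, including test tenants, is what removes the payoff even when the spray itself goes unnoticed.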

Nobelium leveraged their initial access to identify and compromise a highly privileged legacy test OAuth app, and also created new OAuth apps. They then created a new user account to grant consent to the new OAuth apps, and used the compromised legacy test OAuth app to grant those new apps the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.

Nobelium then used their collection of consented OAuth apps to successfully authenticate to Microsoft Exchange Online and target a "very small percentage" of Microsoft corporate email accounts of senior Microsoft leadership, as well as employees in cybersecurity, legal, and other teams. Nobelium proceeded to exfiltrate content from the compromised email accounts.

According to Microsoft, this activity was identified by reviewing a combination of Exchange Web Services (EWS) activity logs and audit logs. Microsoft has stated that it found no evidence that Nobelium had any access to customer environments, production systems, source code, or AI systems, but its investigation has shown that Nobelium has similarly targeted other organizations as well.
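The OAuth app chain described above (a newly registered app, consent from a newly created user, and the full_access_as_app role granted by another app's identity rather than by an administrator) leaves a recognisable trail in audit logs, the source Microsoft names for identifying the activity. The following added example, which is neither the Wiz page's nor Microsoft's code, runs a simple review over constructed audit records. The operation names follow Entra ID audit log activity display names, but the record layout, the app and account names and the 30-day "new app" cutoff are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (not real Microsoft data). Operation names
# mirror Entra ID audit activity display names; the record shape is simplified.
SAMPLE_AUDIT = [
    # Benign: a long-standing app receives a narrow permission from a human admin.
    {"time": "2022-06-01T10:00:00Z", "operation": "Add application",
     "actor": "admin@example.test", "actor_type": "User", "target": "hr-sync-app", "details": {}},
    {"time": "2023-11-28T09:00:00Z", "operation": "Add app role assignment to service principal",
     "actor": "admin@example.test", "actor_type": "User", "target": "hr-sync-app",
     "details": {"resource": "Microsoft Graph", "app_role": "User.Read.All"}},
    # The pattern from the incident narrative: a fresh app, consented to by a new
    # user, then granted full_access_as_app by another app's service principal.
    {"time": "2023-11-29T02:10:00Z", "operation": "Add application",
     "actor": "new-user@example.test", "actor_type": "User", "target": "collector-app-1", "details": {}},
    {"time": "2023-11-29T02:11:00Z", "operation": "Consent to application",
     "actor": "new-user@example.test", "actor_type": "User", "target": "collector-app-1", "details": {}},
    {"time": "2023-11-29T02:15:00Z", "operation": "Add app role assignment to service principal",
     "actor": "legacy-test-app", "actor_type": "ServicePrincipal", "target": "collector-app-1",
     "details": {"resource": "Office 365 Exchange Online", "app_role": "full_access_as_app"}},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_mailbox_wide_grants(records, new_app_days=30):
    """Return one finding per full_access_as_app grant, with the contextual
    reasons that make it suspicious. new_app_days is an assumed cutoff."""
    created_at = {r["target"]: parse_time(r["time"])
                  for r in records if r["operation"] == "Add application"}
    consented_by = {r["target"]: r["actor"]
                    for r in records if r["operation"] == "Consent to application"}

    findings = []
    for r in records:
        if r["operation"] != "Add app role assignment to service principal":
            continue
        details = r["details"]
        if details.get("app_role") != "full_access_as_app":
            continue
        reasons = [f"full_access_as_app on {details.get('resource')}: "
                   "application-level access to mailboxes"]
        # Role granted by an app identity rather than by an administrator.
        if r["actor_type"] == "ServicePrincipal":
            reasons.append(f"granted by another app's identity ({r['actor']}), not an administrator")
        # Target app registered shortly before receiving the role.
        t_grant = parse_time(r["time"])
        t_created = created_at.get(r["target"])
        if t_created is not None and t_grant - t_created <= timedelta(days=new_app_days):
            reasons.append(f"app registered only {t_grant - t_created} before the grant")
        # Who consented to the app, to be checked against recently created accounts.
        if r["target"] in consented_by:
            reasons.append(f"consent granted by {consented_by[r['target']]}")
        findings.append({"time": r["time"], "app": r["target"],
                         "granted_by": r["actor"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_mailbox_wide_grants(SAMPLE_AUDIT):
        print(f"{f['time']} {f['app']} granted by {f['granted_by']}")
        for reason in f["reasons"]:
            print("  -", reason)
```

Every full_access_as_app grant is worth a finding on its own, because that single role reaches every mailbox; the extra reasons (service-principal actor, brand-new app, consent from an unfamiliar account) are what raise it from "review the change request" to "treat as an incident". The benign Graph permission on the older app produces no finding.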

Made with 💙 by Wiz

Last Updated: April 3, 2025