Security News > 2024 > January > Microsoft sheds some light on Russian email heist – and how to learn from Redmond's mistakes
Microsoft, a week after disclosing that Kremlin-backed spies broke into its network and stole internal emails and files from its executives and staff, has now confirmed that the corporate account used to kick off the heist didn't even have multi-factor authentication enabled.
On Thursday, Redmond admitted Midnight Blizzard - a Moscow-supported espionage team also known as APT29 or Cozy Bear - "Utilized password spray attacks that successfully compromised a legacy, non-production test tenant account that did not have multifactor authentication enabled."
After gaining initial access through that non-production account, the intruders compromised a legacy test OAuth application that had access to the Windows giant's corporate IT environment.
The latest advisory from Microsoft includes guidance for administrators on how to avoid being compromised in the same way the software goliath was hit.
As a recap: last Friday Redmond admitted the snoops, linked to Russia's foreign intelligence, "Used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account's permissions to access a very small percentage of Microsoft corporate email accounts."
The intrusion began in late November, yet Microsoft didn't spot it until January 12; the compromised email accounts included those of senior leadership and of cybersecurity and legal employees.
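Midnight Blizzard's initial access was a password spray, which is easy to pick out of sign-in telemetry because it inverts the usual failure pattern: one source, many accounts, one or two guesses each. The Python below is an added example written for this page, not code from Microsoft's advisory or The Register's article. It runs a sliding-window spray detector over constructed sample sign-in records (the field names `ts`, `ip`, `user`, `result` and `mfa`, and the example.test accounts, are assumptions; map them to your identity provider's real sign-in log schema) and separately lists accounts that signed in successfully without MFA, the condition the compromised test tenant account was in.

```python
"""Password-spray detection over constructed sign-in records.

Added example for this page; not Microsoft's or The Register's code.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry). Field names are
# assumed for this example. One source IP touches six accounts once each in
# a few minutes, and one of them (a legacy service account) lets it in
# without MFA; a second IP is a legitimate user mistyping a password.
SAMPLE_LOGS = [
    {"ts": "2023-11-28T02:00:05", "ip": "198.51.100.7", "user": "alice@example.test", "result": "failure", "mfa": False},
    {"ts": "2023-11-28T02:00:41", "ip": "198.51.100.7", "user": "bob@example.test", "result": "failure", "mfa": False},
    {"ts": "2023-11-28T02:01:17", "ip": "198.51.100.7", "user": "carol@example.test", "result": "failure", "mfa": False},
    {"ts": "2023-11-28T02:02:03", "ip": "198.51.100.7", "user": "dave@example.test", "result": "failure", "mfa": False},
    {"ts": "2023-11-28T02:02:49", "ip": "198.51.100.7", "user": "svc-test-legacy@example.test", "result": "success", "mfa": False},
    {"ts": "2023-11-28T02:03:30", "ip": "198.51.100.7", "user": "erin@example.test", "result": "failure", "mfa": False},
    {"ts": "2023-11-28T02:05:00", "ip": "203.0.113.5", "user": "frank@example.test", "result": "failure", "mfa": False},
    {"ts": "2023-11-28T02:05:20", "ip": "203.0.113.5", "user": "frank@example.test", "result": "failure", "mfa": False},
    {"ts": "2023-11-28T02:05:45", "ip": "203.0.113.5", "user": "frank@example.test", "result": "success", "mfa": True},
]


def _ts(record):
    return datetime.fromisoformat(record["ts"])


def detect_password_spray(records, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Return one alert per source IP that, within any `window`, attempted
    at least `min_users` distinct accounts with no more than `max_per_user`
    attempts against any single account (the spray signature: wide and
    shallow, unlike brute force, which is narrow and deep).
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=_ts)
        stamps = [_ts(r) for r in events]
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits.
            while stamps[end] - stamps[start] > window:
                start += 1
            win = events[start:end + 1]
            per_user = Counter(r["user"] for r in win)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                candidate = {
                    "ip": ip,
                    "window_start": win[0]["ts"],
                    "window_end": win[-1]["ts"],
                    "attempts": len(win),
                    "distinct_users": len(per_user),
                    # Accounts the sprayer actually got into with no MFA step.
                    "compromised": sorted(
                        r["user"] for r in win
                        if r["result"] == "success" and not r["mfa"]
                    ),
                }
                # Keep the widest window seen for this IP.
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


def successful_logins_without_mfa(records):
    """Accounts that completed a sign-in with no MFA, regardless of source;
    these are the accounts a spray can fully take over with one good guess."""
    return sorted({r["user"] for r in records
                   if r["result"] == "success" and not r["mfa"]})


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOGS):
        print("SPRAY", alert)
    print("NO-MFA SUCCESS", successful_logins_without_mfa(SAMPLE_LOGS))
```

The thresholds are deliberately conservative; tune `min_users` and `window` to your tenant's size and to the cadence of the spray you expect (real campaigns often pace attempts over hours to stay under lockout and rate-limit thresholds, so a short window will miss them). The second function is the cheaper control: an account that can succeed without MFA should not exist in the tenant at all, test or not.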
News URL
https://go.theregister.com/feed/www.theregister.com/2024/01/27/microsoft_cozy_bear_mfa/
Related news
- Microsoft fixes Outlook email sending issue for users with many folders (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- U.S. and Microsoft Seize 107 Russian Domains in Major Cyber Fraud Crackdown (source)
- Over 5,000 Fake Microsoft Notifications Fueling Email Compromise Campaigns (source)
- US Government, Microsoft Aim to Disrupt Russian threat actor ‘Star Blizzard’ (source)
- Microsoft Detects Growing Use of File Hosting Services in Business Email Compromise Attacks (source)
- Microsoft Outlook bug blocks email logins, causes app crashes (source)
- Microsoft Exchange adds warning to emails abusing spoofing flaw (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Microsoft 365 Admin portal abused to send sextortion emails (source)