Heimdal

Midnight Blizzard hackers used authentication secrets stolen from Microsoft to move deeper into the company’s internal systems and access source code.

The Russian attackers initially used password spraying to get into a legacy non-production test tenant account. Microsoft disclosed this initial attack in January 2024.

The compromised account had access to an OAuth application with elevated privilege to Microsoft’s corporate environment. The problem was that this test account didn’t use multi-factor authentication, so the brute force attack was successful.

As a result, Midnight Blizzard was able to breach Microsoft’s corporate email server and steal authentication secrets.

Now Microsoft says the hackers breached the company again and got access to:

  • some of the company’s systems
  • source code repositories

For the moment, the company said there is no evidence of customer-facing systems being compromised.

Companies choosing convenience over safety bring trouble

Enabling multi-factor authentication renders brute force attacks, like password spraying, useless.

Why? Because even if the hackers guess or steal your password, they won’t be able to sign in to your account. The other steps of the authentication process will prevent that.

Multi-factor authentication offers an additional security layer and is one of CISA’s recommendations as a prevention measure against cyberattacks:

Implementing MFA makes it more difficult for a threat actor to gain access to information systems — such as remote access technology, email, and billing systems — even if passwords are compromised through phishing attacks or other means.

Source – CISA’s Cybersecurity Best Practices

So, why is this gate still open for attackers to use?

The answer is human error. According to the 2023 Verizon Data Breach Investigations Report, 74% of the breaches were caused by a human element.

People tend to avoid using MFA and see it as a step that complicates their work process rather than as a protection tool. If they can skip it and connect directly to whatever platform they need to complete a task, they will. For productivity reasons, some companies allow this to happen, even though it’s a risk factor.

In Microsoft’s case, cybersecurity expert Robertino Matausch says:

I reckon nobody was actively monitoring this forgotten environment they set up for testing. They all forgot about it, so they weren’t aware an attack was going on.

Also, most users ask for more convenience as MFA is always an additional step to do. So, it is probably for convenience reasons that they didn’t use multi-factor authentication on that.

Does MFA always save the day?

Multi-factor authentication is an endpoint security best practice, but not a stand-alone solution against attacks.

Hackers can use social engineering or MFA fatigue to work around it. Use a layered security strategy to protect your endpoints and network.


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
