HomeWinBuzzer NewsMicrosoft Details Exchange Online Breach Techniques Used by Russian State-Sponsored Hackers

Microsoft Details Exchange Online Breach Techniques Used by Russian State-Sponsored Hackers

Microsoft and HPE breached by Russian hackers (Midnight Blizzard/APT29). Hackers targeted executive email accounts


has confirmed that a sophisticated Russian hacking group, known within security circles as Midnight Blizzard, APT29, or Nobelium, infiltrated its systems and breached email accounts belonging to the company's highest-ranked officials. The event is an extension of the cyberespionage activities conducted by this group, which is closely associated with the Russian Foreign Intelligence Service (SVR).

HPE Hit by Security Incident

Similarly, Hewlett Packard Enterprise (HPE) disclosed that it had fallen victim to the same group, with the attackers gaining unauthorized access to HPE's Microsoft Office 365 email environment and extracting sensitive data since May 2023. The precise method by which Microsoft informed HPE of the breach remains undisclosed, though speculations point towards potential advice given as part of a notification process extended to other organizations targeted by Midnight Blizzard.

Original Breach and Investigation

Upon discovering the breach on January 12, 2024, Microsoft's  team promptly launched an investigation to assess the damage and scope of the intrusion. The investigation revealed that the spear- campaign began in late November 2023 and was particularly aimed at gathering intelligence about Midnight Blizzard itself.

Employees whose email accounts were compromised are currently being notified. Critical among those affected are members of Microsoft's senior leadership, along with employees in vital departments such as and legal. While the exfiltration of data pertained to internal communications, Microsoft has expressed confidence that customer accounts have remained unaffected by this incident.

Understanding the gravity of these breaches, Microsoft shared the techniques used by the hackers, detailing how they leveraged residential proxies alongside “password spraying” to access a critical test account not safeguarded by Multi-Factor Authentication (MFA). This account's susceptibility allowed hackers to create malicious OAuth applications, which further enabled them to reach additional corporate mailboxes.

The tech giant has not only dissected these methods but also offered extensive detection and hunting suggestions to assist cybersecurity professionals in recognizing and thwarting Midnight Blizzard's tactics. Through studying Exchange Web Services (EWS) logs and identifying the threat group's known behaviors, Microsoft aims to empower organizations against similar state-sponsored attacks.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.