schedule a demo

Identity Security and the Midnight Blizzard Attack

Updated: Jan 23

The phrase “identity is the new perimeter” has been said so often in cybersecurity circles that it has become cliché. But every day, another headline-grabbing, identity based attack proves how true the phrase is.


Late Friday, news broke that Microsoft was the target of a cyberattack by a Russia-backed group known as “Midnight Blizzard,” also called “Nobelium.” It’s the same group responsible for the SolarWinds hack. The attack began in late November and was detected by the company’s security team on January 12, 2024. 


Based on what has been published about the attack, the malicious actors carried out a password spray attack to compromise a legacy non-production test tenant account. Once they gained a foothold through a valid account, they used its permissions to access a small percentage of the company’s corporate email user accounts, including those of senior leadership and employees in cybersecurity and legal departments. They were then able to exfiltrate sensitive information, including emails and attached documents. 


In the attack, the threat actors leveraged several techniques from the MITRE ATT&CK® framework that involve identities and accounts. The initial breach was achieved through a password spray attack, a sub-technique of Brute Force. That technique involves using a common password across multiple accounts to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.


Once inside, the attackers likely used other techniques to escalate privileges, move laterally, and exfiltrate data. These techniques fall under various categories in the MITRE ATT&CK® matrix, including credential access.


It’s important to note that if a tech giant with the largest market cap in the world as of January 2024, with its vast resources and advanced security measures, can fall victim to such an attack, any organization could potentially be at risk. The incident is not about pointing fingers or victim shaming but rather a wake-up call for all organizations, big or small.


It underscores the fact that cybersecurity is a shared responsibility and a continuous journey, as no organization is immune, and every organization must be proactive in securing its digital identities to reduce risk. The key takeaway is not the breach itself but the lessons learned and the measures implemented to prevent such attacks in the future.


One important lesson to take away is the importance of adhering to the best practices recommended by an organization’s identity and access management (IAM) providers. These vendors provide guidelines to help organizations fortify their identity infrastructure and reduce the attack surface. Many IAM vendors also offer health check services designed to assess the robustness of an organization’s current security posture for their particular solution. 


However, given the complexity of most environments, relying solely on the best practices from vendors who provide your identity controls is not sufficient. The incident also highlights the need for continuous monitoring with identity security posture management solutions that enable organizations to discover and resolve identity exposures that involve multiple systems before a threat actor like Midnight Blizzard can exploit them. A more proactive approach could have flagged the following exposures:

That being said, it is also the case that organizations need a deeper identity context to detect and respond to identity-related risks in real-time since not every identity exposure can be found and remediated proactively. Solutions like AuthMind can deliver identity threat detection and response (ITDR) capabilities alongside ISPM, all from a single platform. 


ITDR solutions complement SOC tools like security information and event management (SIEM) and extended detection and response (XDR) systems by providing identity alert correlation and detection logic to identify and contain identity threats rapidly. This includes detecting the password spray attack, which was the initial entry point in this incident.


The Midnight Blizzard cyberattack underscores the criticality of securing digital identities to reduce the risk of data breaches. The cliché "identity is the new perimeter" rings true more than ever, with the recent attacks serving as a stark reminder of the importance of robust ISPM and ITDR solutions alongside existing identity and cyber security controls as part of a defense-in-depth strategy.