The cyberattack on Microsoft is the latest example of an extremely sophisticated intrusion. This hack of a widely used standard software product shows how vulnerable even leading technology companies with advanced security systems can be once phishing and social engineering strategies succeed. For IT security, this incident highlights the need to continuously monitor potential attack vectors and to constantly adapt your own security strategy in response to such creative attacks.

Cyberattacks such as the one on Microsoft's infrastructure are exemplary cases: because of the widespread use of the software involved, they must be read as a general call for proactive protection and robust cybersecurity architectures. Such a hack is therefore not only a wake-up call for the IT security community, but always also an opportunity to learn from experience and develop preventive cybersecurity strategies.

In the following, we examine the events of this attack on Microsoft software in detail in order to gain a deeper understanding of the methods used and the resulting challenges for IT security. Find out with us how the cyberattack on Microsoft took place, what impact comparable cyberattacks have on your sensitive IT infrastructure, and what this means for our secure digital future.

Background: What happened during the cyberattack on Microsoft? A reconstruction of the events.

The cyberattack that Microsoft recently experienced was both precise and complex. The IT security incident was discovered on January 12, a date that now occupies a prominent place in the chronicle of cybersecurity.

Detailed explanation of the Microsoft attack and its significance for the future of cyber security

This hack is characterized by a certain sophistication: Midnight Blizzard, an IT hacker group linked to the Russian secret service, managed to gain access to highly sensitive areas using cleverly manipulated Microsoft Teams messages.

Initial situation and discovery of the attack at Microsoft

Hackers from the Russian state-sponsored group “Midnight Blizzard” (also known as Nobelium, Cozy Bear, APT29) succeeded in accessing emails of Microsoft employees in November last year. The notable point is that the affected email accounts belong to high-ranking Microsoft managers and to employees who are themselves supposed to be responsible for cyber security.

This compromise of sensitive communication channels reveals a serious security risk, not only for Microsoft itself, but also for a number of its global Microsoft customers.


What is the extent of the damage and what information was obtained?

The access to emails potentially gave the attackers insight into confidential data such as company strategies, financial information and personal data. This illustrates the scope of the attack for both the business and the private world and underlines its seriousness and potential reach.

Why should everyone – not just IT security specialists – be interested in this IT security incident?

The incident throws a harsh light on ever-growing cyber threats that are advancing relentlessly in scale and, above all, in frequency, and that know no bounds: threats that even industry giants like Microsoft are facing.

What attack method do the hackers use?

In the cyberattack on Microsoft, the attackers used social engineering techniques, in particular phishing messages via Microsoft Teams, to obtain login credentials.

In the cyberattacks on Microsoft, a particular attack method was used via the MS Teams software. Microsoft Teams is a widely used communication tool for chat, video conferencing, file sharing and digital team collaboration in many companies.

How could this happen?

The attackers exploited the apparent integrity and legitimacy of manipulated messages, together with users’ trust in this platform, to send targeted phishing messages that appeared to come from legitimate sources. These messages contained fake requests or links designed to trick recipients into revealing their login credentials, including their multi-factor authentication (MFA) codes. This fraudulent access to authentication information allowed the attackers to penetrate internal systems and email accounts.

These messages were designed to appear trustworthy and were used to obtain login credentials from employees. This involved deceiving recipients to get them to reveal their multi-factor authentication codes.

By successfully deceiving and exploiting trust in a known communication tool, the attackers were able to gain access to sensitive email accounts and other internal systems.

Normally, MFA is a highly secure process that requires users to enter a code in addition to their password, which is usually generated on their mobile device. In this case, however, the attackers used phishing messages sent via Microsoft Teams to trick employees into revealing these MFA codes.

Once the attackers had obtained the MFA codes, they were able to gain access to the employees’ email accounts. This access allowed them to access sensitive information and potentially carry out further fraudulent activities within the network.

One click too many: How a cyberattack via Microsoft Teams can affect any of us

Cyberattacks such as the one on Microsoft Teams illustrate how easily even cautious users can become victims.

Imagine you receive a message via Teams – a tool that you use every day for your work. The message appears to come from a colleague or IT support and asks for a quick confirmation or for you to click on a link. Without much thought, in the hustle and bustle of everyday working life, you could comply with this request.

This is exactly where the attackers come in: they use well-known platforms and deceptively realistic messages to gain trust and elicit sensitive information such as MFA codes. This scenario shows how subtle yet effective cyber attacks can be.

In the attack on Microsoft, the hackers exploited both technical and human vulnerabilities. Human vulnerabilities include, in particular, trust in familiar communication tools and standard software such as Microsoft Teams. The attackers used deception to trick employees into disclosing sensitive information. The aim of the attack was to gather confidential information that could be of strategic importance to both Microsoft and its customers. This included internal communications and potentially sensitive data on business strategies and security protocols.

When did this strategic cyberattack on Microsoft begin?

The cyberattack on Microsoft began at the end of November 2023 and was initiated by a so-called password spraying attack.

Password spraying attacks are a cyberattack technique in which the attacker combines a list of usernames with some commonly used or simple passwords. Instead of trying out many passwords on a single account, password spraying tests each password on a large number of accounts. This is usually done at a low frequency so as not to attract attention due to too many failed login attempts. A password spraying attack therefore uses common passwords across multiple accounts to bypass locking mechanisms.

This attack method aims to bypass the usual account lockout mechanisms that are activated when too many incorrect login attempts are made from a single account.
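To make the spraying pattern concrete, here is an added detection example (not code from the original article or from Microsoft): it groups authentication failures by source address and labels the shape of the activity. A spray shows up as many distinct accounts each failing only once or twice from one source within a window, so no per-account lockout ever fires, whereas classic brute force is the reverse shape, many failures against one account. The log format, the sample lines, the thresholds and the account names are all constructed for this illustration.

```python
"""Detect low-and-slow password spraying in authentication logs.

Added example, not part of the original article. Log format, sample
data and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp source_ip user result".
# 203.0.113.7 tries five different users once each, then logs into a stale
# test account; 198.51.100.9 hammers a single account (brute force).
SAMPLE_LOG = """\
2023-11-20T01:00:05Z 203.0.113.7 alice FAIL
2023-11-20T01:05:11Z 203.0.113.7 bob FAIL
2023-11-20T01:10:42Z 203.0.113.7 carol FAIL
2023-11-20T01:16:03Z 203.0.113.7 dave FAIL
2023-11-20T01:21:30Z 203.0.113.7 erin FAIL
2023-11-20T01:27:18Z 203.0.113.7 test-tenant-admin SUCCESS
2023-11-20T01:30:00Z 198.51.100.9 alice FAIL
2023-11-20T01:30:02Z 198.51.100.9 alice FAIL
2023-11-20T01:30:04Z 198.51.100.9 alice FAIL
2023-11-20T01:30:06Z 198.51.100.9 alice FAIL
2023-11-20T01:30:08Z 198.51.100.9 alice FAIL
2023-11-20T02:00:00Z 192.0.2.4 frank SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into sorted (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def classify_failures(events, window=timedelta(hours=1), min_accounts=5, max_per_account=2):
    """Label each source IP with the shape of its failed sign-ins.

    'spray'       : at least `min_accounts` distinct users fail within `window`
                    and no single user fails more than `max_per_account` times,
                    so a per-account lockout threshold is never reached.
    'brute-force' : one user fails more than `max_per_account` times in `window`.
    The finding also lists every successful sign-in from that source after the
    activity began; that is the event to triage first.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, first in enumerate(fails):
            # Sliding window anchored on each failure in turn.
            in_win = [e for e in fails[i:] if e[0] - first[0] <= window]
            per_user = defaultdict(int)
            for e in in_win:
                per_user[e[2]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                pattern = "spray"
            elif max(per_user.values()) > max_per_account:
                pattern = "brute-force"
            else:
                continue
            findings[ip] = {
                "pattern": pattern,
                "accounts": sorted(per_user),
                "first_seen": first[0].isoformat(),
                "success_after": [e[2] for e in evs if e[3] == "SUCCESS" and e[0] >= first[0]],
            }
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for ip, finding in classify_failures(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The thresholds are deliberately low for the five-user sample; on real sign-in logs (an identity provider's sign-in log, VPN or mail gateway logs) the window and account count would be tuned to the tenant's baseline. The `success_after` field is what turns a noisy event into an incident: a successful sign-in from a source that has just spread failures across many accounts is exactly the foothold described in this article.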

Eliminate unused test accounts and test tenants in your IT infrastructure!

The attackers deliberately targeted an older test tenant account that was no longer in productive use. This strategically astute choice enabled the hackers to penetrate the internal systems.

A test tenant account is essentially a test account in the IT context, specifically in relation to cloud services such as Microsoft Azure or Microsoft 365. It is therefore a separate account or area that is set up specifically for testing purposes. These accounts are designed to provide developers or administrators with an environment in which they can test new applications, settings or updates without affecting the main production environment. As these test accounts are often not subject to the same stringent security protocols as production systems, they can be more vulnerable to security breaches.

The attackers therefore deliberately directed their attack at an older, no longer actively used test tenant account, which may not have met the latest security standards. This choice offered them a less secure point of entry into Microsoft’s internal systems. The incident reveals how subtle tactics can penetrate even supposedly secure networks and emphasizes the need for constant vigilance and for keeping all system components up to date.
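As an added example of the housekeeping this section calls for (not code from the original article or from Microsoft): a small audit over a constructed directory export that flags enabled accounts which are idle, lack registered MFA, or carry test/demo naming, and proposes an action for each. The field names, account names and dates are assumptions made for this illustration; the discovery date mentioned above serves as the audit's "today".

```python
"""Audit a directory export for stale or weakly protected test accounts.

Added example, not part of the original article. The export schema and
all account data are constructed; adapt the field mapping to your own
directory export.
"""
import re
from datetime import datetime, timedelta

# "Today" for the audit: the discovery date named in the article.
NOW = datetime(2024, 1, 12)

# Constructed directory export (not real data). Field names are our own choice.
ACCOUNTS = [
    {"upn": "svc-test-legacy@contoso-test.example", "enabled": True,
     "last_sign_in": "2022-03-01", "mfa_registered": False, "privileged": True},
    {"upn": "alice@contoso.example", "enabled": True,
     "last_sign_in": "2024-01-11", "mfa_registered": True, "privileged": False},
    {"upn": "demo-admin@contoso-test.example", "enabled": True,
     "last_sign_in": None, "mfa_registered": False, "privileged": True},
    {"upn": "bob@contoso.example", "enabled": False,
     "last_sign_in": "2023-06-01", "mfa_registered": False, "privileged": False},
    {"upn": "carol@contoso.example", "enabled": True,
     "last_sign_in": "2023-12-20", "mfa_registered": False, "privileged": False},
]

# Naming conventions that usually mark non-production accounts (assumption).
TEST_NAME = re.compile(r"(^|[-_.@])(test|demo|tmp|sandbox|legacy)([-_.@]|$)", re.I)


def audit_accounts(accounts, now=NOW, max_idle_days=90):
    """Return findings for enabled accounts that are idle, lack MFA or look like test accounts.

    Each finding carries the reasons, whether the account is privileged, and a
    proposed action: an idle or never-used account should be disabled outright
    rather than hardened; an active account without MFA gets MFA enforced.
    Privileged accounts sort first, then accounts with more reasons.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: cannot be sprayed into
        reasons = []
        last = acct["last_sign_in"]
        if last is None:
            reasons.append("never signed in")
        elif now - datetime.strptime(last, "%Y-%m-%d") > timedelta(days=max_idle_days):
            reasons.append(f"idle > {max_idle_days} days")
        if not acct["mfa_registered"]:
            reasons.append("no MFA registered")
        if TEST_NAME.search(acct["upn"]):
            reasons.append("test/demo naming")
        if not reasons:
            continue
        idle = reasons[0].startswith(("idle", "never"))
        findings.append({
            "upn": acct["upn"],
            "reasons": reasons,
            "privileged": acct["privileged"],
            "action": "disable" if idle else "enforce MFA",
        })
    findings.sort(key=lambda f: (not f["privileged"], -len(f["reasons"])))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(ACCOUNTS):
        print(f"{f['action']:12} {f['upn']:40} {'; '.join(f['reasons'])}")
```

The ordering matters in practice: a privileged, idle, MFA-less account with test naming is the combination the article describes, and it should be the first line of the report. Running such an audit on a schedule, and treating "disable" as the default for anything idle, removes the low-security entry points before anyone sprays them.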

Microsoft’s public statements state that only a “very small percentage” of Microsoft employee email accounts, including executives and employees in key areas such as cybersecurity and legal, were compromised in this way. During this attack, some emails and attached documents were exfiltrated. This incident shows the subtle methods that hackers can use to penetrate even seemingly secure networks.

Analysis of the security gaps

When analyzing the vulnerabilities that were exploited in the cyberattack on Microsoft, it is important to recognize that smaller companies are often attractive targets for hackers.

Such companies typically do not have the same extensive security measures as larger organizations. This implies a number of vulnerabilities, such as less stringent password security policies, limited IT resources for monitoring suspicious activity and often less awareness of the latest cyber threats.

These factors make it much easier for hackers to gain access to inadequately protected systems and use them as a springboard for more far-reaching attacks.

Classification of the cyberattack

To classify the cyberattack on Microsoft, we look at the type of attack, the vulnerabilities exploited and the severity levels:

  1. Type of attack:
    • Social engineering and password spraying.
    • Targeted attack on specific email accounts.
  2. Exploited vulnerability:
    • Human factors (social engineering).
    • Technical vulnerabilities in the IT security infrastructure (especially in older, non-productive test tenant accounts).
  3. Severity:
    • Human factors: High. Social engineering attacks are effective because they are aimed at manipulating people and are difficult to prevent.
    • Technical weaknesses: Medium. The use of older, less secure accounts shows a security vulnerability, but the limited access indicates that critical systems have not been compromised.
    • Total: High. Due to the targeted nature of the attack, the high-ranking employees affected and the potential exfiltration of sensitive data, the overall severity is classified as high.

A classification of this kind underlines the importance of a comprehensive security strategy that includes both technical measures and employee awareness.

What was the motivation behind the cyberattack?

The motivation behind the cyberattack on Microsoft and similar attacks can be multifaceted. Cyber attacks regularly pursue targets such as:

  1. Espionage: The collection of confidential information that could be valuable to governments or competing companies.
  2. Financial gain: Through the sale of stolen data or ransom demands in the event of ransomware attacks.
  3. Sabotage: The aim of disrupting or damaging operational processes, often for political or ideological reasons.
  4. Reputational damage: The aim of damaging the reputation of a company or organization.

In the case of Microsoft, the motives could be espionage and information gathering, especially if state-supported actors are involved. Such attacks are often strategically planned in order to achieve long-term goals.

What motives typically drive comparable attacks on companies?

Cyberattacks on companies are just as complex and pursue a wide variety of objectives. They often involve the theft or sale of commercially relevant data in order to gain financial advantages. The collection of confidential company information that could be of interest to competitors or governments also often plays a role. Some attacks are aimed at disrupting a company’s operations in order to achieve either economic or political goals. Another motive may be the desire to damage a company’s reputation. In some cases, the attacks are also ideologically motivated, with the attackers trying to spread their views or messages.

Background of the attackers – Who is Midnight Blizzard and the cybercriminals around the organization?

Midnight Blizzard, also known as Nobelium, Cozy Bear or APT29, is a notorious cybercriminal group linked to the Russian foreign intelligence service SVR.

Cyber group known for sophisticated cyberattacks and espionage activities

It is known for its sophisticated cyberattacks and espionage activities, mainly targeting governments, diplomatic institutions and IT service providers in the US and Europe. Its focus is on long-term, dedicated espionage against foreign interests. The group uses a variety of methods for initial access, including stolen credentials, supply chain attacks, exploitation of on-premises environments and trusted relationships with service providers.

Cyberattacks by professional hackers on standard software are a popular attack variant - hackers usually operate in highly specialized groups and act very precisely and extremely subtly. The mask is only part of the repertoire in symbolic photos like this one, but cyber criminals use AI-based code analysis to efficiently detect vulnerabilities and infiltrate companies undetected for as long as possible.

From what background and with what motivation are these cyber criminals active?

The foreign intelligence service of the Russian Federation, SVR (Sluschba Vneschnei Raswedki), has a long and complex history dating back to the time of the Soviet Union. Originally founded as a civilian foreign intelligence agency in December 1920, the SVR has developed into a comprehensive espionage organization focusing on political, economic, scientific and technological areas. In addition to gathering information, the SVR also conducts counter-intelligence to monitor the activities of other intelligence services.

With the restructuring of the Russian intelligence services, the SVR was given responsibility for telecommunications reconnaissance. The service is headquartered in the municipality of Sossenskoye, outside Moscow, and employs at least 15,000 people. SVR agents, often disguised as diplomats or journalists, are deployed worldwide. A special department, “Main Department S”, coordinates agents with false identities in various countries.

The SVR’s priorities have also shifted in response to geopolitical events. President Vladimir Putin has emphasized the importance of industrial espionage, especially after the sanctions against Russia since the invasion of Ukraine. The SVR plays a decisive role in the strategic planning and analysis of international processes for Russia.

Midnight Blizzard: masters of covert cyber espionage and creative cyber attacks

Midnight Blizzard, also known as Nobelium, APT29, UNC2452 and Cozy Bear, is notorious for its consistent and persistent approach. The group always stays true to its goals and continuously adapts its methods to remain effective. Their attack tactics include a variety of techniques ranging from classic credential theft to complex supply chain attacks. A key aspect of their strategy is the use of on-premises systems as a starting point to later move into cloud environments.

In addition, Midnight Blizzard manipulates the trust relationships between service providers and their customers in order to gain undetected access to the networks of downstream customers. The group is particularly well known for its use of specialized malware that attacks the Active Directory Federation Service (AD FS), including FOGGYWEB and MAGICWEB. This malware enables them to establish themselves deep in the victims’ networks and remain unnoticed in the long term. This variety of methods and their ability to constantly evolve make Midnight Blizzard a particularly dangerous and elusive cybersecurity adversary.

What is Microsoft’s response and how do affected organizations react to the hacker attack?

Microsoft’s response to the cyberattack included various immediate measures as well as long-term strategies to improve cybersecurity.

Microsoft responded with comprehensive measures immediately after the cyberattack was discovered. Initially, the software company focused on the immediate containment and investigation of the incident. The accounts and networks used by the attackers were quickly identified and blocked. In parallel, Microsoft informed the affected organizations and worked closely with them to assess the impact of the attack and take effective countermeasures.

Reaction in the Microsoft blog to Midnight Blizzard cyberattack

In addition to acute crisis management, Microsoft placed a strong focus on improving its security infrastructure. This included the optimization of detection systems and the implementation of stricter access controls. By its own account, the company has also intensified the training and sensitization of its employees in the area of cyber security in order to raise awareness of potential threats and establish a stronger security culture. Microsoft had already announced a Secure Future Initiative (SFI) at the end of last year.

As part of the ongoing investigation, Microsoft is cooperating closely with law enforcement and security agencies to identify those behind the attack and develop preventative strategies against future attacks. In an effort to be transparent with its customers and the public, Microsoft publishes regular updates and detailed reports on the incident and the steps taken. This open communication demonstrates the company’s commitment to protecting its systems and maintaining the trust of its users.

What can we learn from this IT security incident?

To prevent attacks like the one on Microsoft, or at least effectively mitigate their impact, companies should apply the following security measures or mitigation strategies:

  1. Strengthen password security: Use stronger password guidelines and change passwords regularly to make password spraying attacks more difficult.
  2. Multi-level authentication: Implementation of multi-factor authentication (MFA) for all users to prevent unauthorized access.
  3. Regular security audits: Review and update security systems to identify and address vulnerabilities.
  4. Employee training: Regular cybersecurity training to raise awareness of phishing and other social engineering tactics.
  5. Use of IT security software: Use of modern IT security solutions that can detect and block suspicious activities.
  6. Network segmentation: Separation of critical systems and data to limit the spread of an attack.
  7. Zero Trust principle: In contrast to conventional approaches that are based on trust-based networks, the Zero Trust principle assumes that no user, device or network is automatically trustworthy.

Experience has shown that these measures are very effective in significantly reducing the risk of cyberattacks and demonstrably increasing the security of company data.

About the Author:

Sascha Block

I am Sascha Block – IT architect in Hamburg and the initiator of Rock the Prototype. I want to make prototyping learnable and experiential. With the motivation to prototype ideas and share knowledge around software prototyping, software architecture and programming, I created the format and the open source initiative Rock the Prototype.