top of page

APT29 - NOBELIUM, Midnight Blizzard

Affects:

1200px-Microsoft_365_logo.png

Severity:

HIGH

Productivity Impact:

MEDIUM

Fix Estimate:

10 minutes +

Automatically protected by:

PREMIUM-logo-label-m.png

Research:

Summary:

The Midnight Blizzard attack, orchestrated by a Russian state-sponsored group, involved techniques like password spraying and misuse of OAuth applications. These methods led to the compromise of email accounts of several Microsoft employees, including those in senior leadership positions.

Remediation details

Strengthening defenses against the Midnight Blizzard attack involves a couple of key strategies. Firstly, implementing Multi-factor Authentication (MFA) is a primary mechanism. MFA adds an extra layer of security beyond passwords, significantly reducing the risk posed by password spraying tactics used by attackers. Additionally, it's crucial to manage OAuth applications effectively. This involves ensuring that only administrators are authorized to activate both marketplace and custom enterprise applications on Microsoft tenants.


Implementing the following steps reduces the attack surface for these types of attacks, however, ongoing monitoring of your Microsoft 365 and Azure is critical, through Overe Premium. Step 1 Enable MFA on all accounts Guidance found in Overe Free: https://free.overe.io/




Step 2 If your Microsoft License allows it (Add Azure Active Directory Premium P1 required), as a secondary layer of prevention, create an MFA conditional Access policy to ensure only accounts with MFA are authorised Automatically Activate in :

Or, navigate here:




Step 3. To prevent apps being install by standard user, Do not allow user consent of applications, an administrator will be required to approve all apps.


Automatically Activate in :

Guidance found in Overe Free: https://free.overe.io/






bottom of page