Microsoft password spraying hack proves securing every account matters 

Microsoft released a statement on Friday 19th January saying their corporate network had been compromised by Russian-state hackers, who were able to exfiltrate emails and attached documents. The software giant said only a ‘very small percentage’ of corporate email accounts were accessed, although this Microsoft password spraying hack did include members of senior leadership and employees working in the Cybersecurity and Legal teams. 

The hackers were identified as Russian-state sponsored actors known as Midnight Blizzard (or sometimes Nobelium) and Microsoft suspect they were looking for information related to themselves. This group was also responsible for the infamous SolarWinds hack – one of the biggest cybersecurity breaches of the 21st century.  

Microsoft doesn’t believe customers are affected at this point and said no production systems, source code, or AI systems were accessed. The interesting aspect of this hack is that it didn’t exploit a Microsoft system or product vulnerability – it was as simple as guessing a weak or known breached password on an unused test account.  

According to Darren James, Specops Senior Product Manager, “Compromises like this show us that even the most powerful organizations can be victimized by the ongoing and aggressive attacks we’re seeing on a global basis. Security fundamentals are vital to keeping pace and staying ahead of cyber adversaries.”

Attack summary

  • Who was targeted: Microsoft   
  • Attack type: Account takeover, Data exfiltration  
  • Entry technique: Password spraying, Possible privilege escalation 
  • Impact: Senior executive, Cybersecurity, and Legal teams’ emails and files accessed  
  • Who was responsible: Russian-state hackers (Midnight Blizzard/Nobelium) 

How did the Microsoft password spraying attack happen?  

According to Microsoft’s statement, their Security team initially detected the hack on January 12th. After deploying their response process, they were able to disrupt the hackers’ activities and deny them any further access. However, it appears the hackers could have had access for as long as seven weeks.  

Microsoft haven’t provided full details yet as their investigation is ongoing, but they’ve confirmed that the attackers gained entry by using a password spray attack; a brute force technique which involves trying the same password against multiple accounts. In this case, they were able to compromise a legacy non-production test account to get an initial foothold in the Microsoft system. From the information Microsoft has made public, it would imply this test account either had an unusual amount of privilege to begin with, or the hackers were able to escalate their privileges. 

Essentially, the hackers rapidly bombarded user accounts with a known weak and compromised password until one combination worked. Successful password spraying attacks usually means no multi-factor authentication. It’s also highly likely a weak or reused password was involved, as these make up the password lists hackers use in brute force attacks. From there, they were able to gain access to email accounts belonging to senior leadership and what can only be assumed to be sensitive internal information. 

Specops analysis: What can we learn from the Microsoft hack? 

We often hear advice around paying special attention to protecting privileged accounts, as these have the most reach and access. However, this attack proves the importance of protecting all accounts. Privilege escalation means attackers don’t necessarily need an admin account to achieve their goals. A stale or inactive account will do – and these are often ignored and have old, weak, or even no passwords. Attackers can then move from their initial entry point deeper into a network, in search of high-value assets.  

We don’t know whether Microsoft’s own protections (Entra Password Protection) were applied to the account in question, though it’s likely they were not. However, it’s possible that those protections were applied and this attack made use of some of the gaps in Entra Password Protection

Any user account with login credentials can become the initial victim. A skilled attacker can exploit a user account with lower-level privileges by extending access to the stolen account, moving horizontally between accounts with similar privilege levels, or jumping vertically to accounts with more privileges such as admin or IT team accounts.  

Once a hacker gains access to any set of credentials, they’re seen as a legitimate user. From there, they’re hard to detect (as proven with Microsoft taking weeks to detect Midnight Blizzard) and have time to work. They can gain more information, gather more credentials, escalate their privileges further, and even delete their tracks. 

Darren James, Specops Senior Product Manager, adds: “There are several elements at work here, but essentially there was a fundamental breakdown in credentialing and a lack of control. A secure password policy is a must across an organization, ensuring that all accounts, including legacy, non-production, and testing, are not overlooked. In addition, blocking known compromised credentials adds another layer of protection to dampen active attacks, which could have been helpful in this case.   

“Since Microsoft is woven into the fabric of global business, this type of attack should create pause for every administrator to ensure that security basics are in place. Baseline protections should include a robust password policy, multi-factor authentication, and regular patching – all supported by an involved and well-informed executive leadership team.”   

Protect every Active Directory account from password spraying 

This case proves every user account in an organization presents an opportunity for attackers, from privileged admin accounts to forgotten, inactive test accounts. Through a mix of prevention and ongoing detection, you can secure every account from brute force attacks: 

  • Multi-factor authentication (MFA): Enabling MFA puts up an additional authentication roadblock for hackers to overcome. However, there are ways around MFA, so it’s still important to exercise strong password security on all accounts as a first step.  
  • Active Director auditing: An audit of your Active Directory can give visibility over unused and inactive accounts, as well as other password-related vulnerabilities. This can be a valuable step, although remember this only provides a snapshot rather than mitigating risk on an ongoing basis. Interested in auditing? Run a read-only scan with our free auditing tool and get an exportable interactive report.  
  • Strengthen password policies: Your password policy should block end users from creating weak passwords comprised of common base terms or keyboard walks such as ‘qwerty’ or ‘123456.’ Enforcing long, unique passwords or passphrases is a strong defense against brute force attacks. The best policies also include custom dictionaries that block terms related to your specific organization and industry.  
  • Compromised password scans: Even strong passwords can become compromised through end users reusing works passwords on personal devices, sites, and applications with weak security. You should consider adding tools to scan your Active Directory for passwords known to be involved in breaches. Keep in mind some solutions only scan at reset events, whereas solutions like Specops Password Policy with Breached Password Protection can continuously scan for compromised passwords in your environment.  

Interested in upgrading your access security? Get in touch and speak to a Specops expert today. 

(Last updated on November 25, 2024)

picture of author marcus white

Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.

Back to Blog