Microsoft disclosed that it, too, was victimized by cyberespionage actors who abused OAuth applications to access protected corporate accounts. The tech giant had previously warned of ongoing attacks by an advanced persistent threat group with ties to Russia.

Now Microsoft has revealed some of the technical details and the extent of the attack against its own OAuth-based application and authorization infrastructure, in an effort to help other organizations "protect, detect, and respond to similar threats."

In a Jan. 25 post elaborating on the OAuth attacks against its own senior executives, Microsoft's threat intelligence team said APT29 (aka Cozy Bear, Midnight Blizzard or Nobelium) attackers were adept at abusing applications built on OAuth, the widely used open standard for token-based authorization.

"Microsoft was able to identify these attacks in log data by reviewing Exchange Web Services (EWS) activity and using our audit logging features, combined with our extensive knowledge of Midnight Blizzard," according to last week's post.

The attackers initially compromised an account in a Microsoft test tenant and a legacy test OAuth application. That application had elevated access to Microsoft's corporate environment, and the attackers used it to create additional malicious OAuth applications under their control.

"They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications," the company said in its Jan. 25 post.

"The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online 'full_access_as_app' role, which allows access to mailboxes," researchers wrote. In other words, the chain ran from a low-value test identity to an application-level permission that reads any mailbox in the tenant without any user's involvement.
Hardening your OAuth attack surface
Hiding its tracks was core to the ongoing success of Midnight Blizzard, or APT29.

"As part of their multiple attempts to obfuscate the source of their attack, Midnight Blizzard used residential proxy networks, routing their traffic through a vast number of IP addresses that are also used by legitimate users, to interact with the compromised tenant and, subsequently, with Exchange Online," researchers wrote.

Adversary abuse of residential proxies isn't new, Microsoft points out. It's a technique that "makes traditional indicators of compromise (IOC)-based detection infeasible due to the high changeover rate of IP addresses," researchers said.

"Residential proxies allow you to choose a specific location (country, city, or mobile carrier) and surf the web as a real user in that area," according to John McHenry, data analyst and founder of Proxyplus.cz. In a Bright Proxies definition, McHenry explains that these types of proxies "can be defined as intermediaries that protect users from general web traffic. They act as buffers while also concealing your IP address. Proxies are alternative IP addresses assigned to users by the provider."

Microsoft said that "due to the heavy use of proxy infrastructure with a high changeover rate, searching for traditional IOCs, such as infrastructure IP addresses, is not sufficient to detect this type of Midnight Blizzard activity." The practical consequence is that detection has to key on what the identity did (consent grants, app role assignments, unusual EWS activity against mailboxes) rather than on where the traffic came from.

Microsoft recommends a number of auditing and detection techniques to mitigate this type of OAuth-based attack. They include:

- Identify malicious OAuth apps using anomaly detection policies.
- Implement conditional access app control for users connecting from unmanaged devices.
- Audit accounts with privileged access.
- Audit identities that hold ApplicationImpersonation privileges in Exchange Online.
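The two privileges this article keeps coming back to, the Exchange Online full_access_as_app app role and the ApplicationImpersonation management role, are both enumerable from an admin session, as is the consent activity the attackers used to wire up their apps. The script below is an added example written for this page, not code from Microsoft's post or from any Microsoft product. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed and that the operator can consent to the Application.Read.All and Directory.Read.All Graph scopes and has Exchange Online admin rights. The Exchange Online resource application ID used below (00000002-0000-0ff1-ce00-000000000000) is Microsoft's well-known value for the Office 365 Exchange Online service principal.

```powershell
# Added example (not from Microsoft's post): audit the privileges Midnight Blizzard abused.
# Assumes Microsoft.Graph and ExchangeOnlineManagement modules and the scopes/rights noted above.
Import-Module Microsoft.Graph.Applications
Import-Module ExchangeOnlineManagement

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# 1. Which service principals (OAuth apps) hold full_access_as_app on Exchange Online?
#    This is the application permission that reads every mailbox with no user present.
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'   # well-known Office 365 Exchange Online app ID
$exo = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"
$fullAccessRole = $exo.AppRoles | Where-Object { $_.Value -eq 'full_access_as_app' }

Write-Host "Service principals granted full_access_as_app:"
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $exo.Id -All |
    Where-Object { $_.AppRoleId -eq $fullAccessRole.Id } |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.PrincipalId
        [pscustomobject]@{
            App       = $sp.DisplayName
            AppId     = $sp.AppId
            Publisher = $sp.PublisherName          # empty for unverified, home-grown or actor-created apps
            Created   = $sp.CreatedDateTime
            GrantedOn = $_.CreatedDateTime         # a grant that post-dates the app by minutes is worth a look
            Owners    = ((Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id).Id) -join ','
        }
    } | Sort-Object GrantedOn -Descending | Format-Table -AutoSize

# 2. Who holds ApplicationImpersonation in Exchange Online, including membership via role groups?
#    Each effective user can act as any mailbox inside the assignment's write scope.
Write-Host "ApplicationImpersonation assignments (effective users):"
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object RoleAssignee, RoleAssigneeType, EffectiveUserName, RecipientWriteScope |
    Format-Table -AutoSize

# 3. Consent grants in the last 30 days: which identity consented, and what was the target object.
#    Per the article, IP-based IOCs are unreliable here, so key on the identity and the object, not ClientIP.
$end   = Get-Date
$start = $end.AddDays(-30)
Write-Host "Application consent events since $start:"
Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations 'Consent to application.' -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, ObjectId, ResultStatus |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it on a schedule and diff the output against a known-good baseline: a new row in section 1 or 2 is a change to who can read mail tenant-wide, and a section 3 entry from a freshly created account (the pattern described in Microsoft's post) is exactly the consent step the attackers needed.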