Midnight Blizzard Microsoft Corporate Breach
APT29 (Midnight Blizzard) breach of Microsoft corporate email systems, detected on 12 January 2024. Initial access was gained by password spraying against a legacy test tenant account that had no MFA enabled. The actor accessed the email inboxes of senior leadership and cybersecurity teams and continued exfiltrating data for months after discovery.
Start date
12 January 2024
End date
—
Techniques
14
Attributed actors
Techniques (14)
collection (2)
  T1114.002 Remote Email Collection
  T1530 Data from Cloud Storage
command-and-control (2)
  T1573.002 Asymmetric Cryptography
  T1071.001 Web Protocols
credential-access (1)
  T1110.003 Password Spraying
defense-impairment (1)
  T1070.001 Clear Windows Event Logs
discovery (2)
  T1082 System Information Discovery
  T1083 File and Directory Discovery
execution (1)
  T1059.001 PowerShell
initial-access (1)
  T1078 Valid Accounts
lateral-movement (1)
  T1550.001 Application Access Token
persistence (1)
  T1078 Valid Accounts
privilege-escalation (1)
  T1078 Valid Accounts
stealth (4)
  T1078 Valid Accounts
  T1140 Deobfuscate/Decode Files or Information
  T1070.004 File Deletion
  T1027 Obfuscated Files or Information
Indicators of compromise
No IOCs linked to this campaign yet.