On January 19, 2024, Microsoft disclosed that email accounts of multiple employees had been compromised by Nobelium (which overlaps with APT29). According to Microsoft, beginning in late November 2023, Nobelium used a password spraying attack to compromise a "legacy non-product...
# Incident Report: Nobelium Compromise of Microsoft Corporate Email
## Executive Summary
In late November 2023, the threat actor Nobelium (APT29) successfully compromised a legacy, non-production test tenant account at Microsoft via a low-volume password spraying attack routed through a residential proxy network. The attackers leveraged this access to hijack an existing, privileged OAuth application and create new ones, ultimately gaining the `full_access_as_app` role on Exchange Online to exfiltrate content from a small subset of senior leadership and key employee corporate email accounts.
## Incident Details
- Discovery Date: January 19, 2024 (Date of Microsoft Disclosure)
- Incident Date: Beginning late November 2023
- Affected Organization: Microsoft
- Sector: Technology
- Geography: Undisclosed (Implied Global due to Microsoft operations)
## Timeline of Events
### Initial Access
- Date/Time: Beginning late November 2023
- Vector: Password Spraying Attack
- Details: Nobelium targeted a "legacy non-production test tenant account" that lacked Multi-Factor Authentication (MFA). The attack consisted of low-volume attempts routed through a residential proxy network to evade detection.
### Lateral Movement
- Date/Time: Post-Initial Access (Late Nov/Early Dec 2023)
- Vector: OAuth Application Compromise and Creation
- Details: Attackers identified and compromised a highly privileged OAuth application. They also created new OAuth applications and a new user account to grant consent to these new applications. The legacy test OAuth app was subsequently used to grant the new application the `full_access_as_app` role on Exchange Online.
### Data Exfiltration/Impact
- Date/Time: Following establishment of OAuth access (Post-lateral movement)
- Vector: Authenticated API Access via Consent
- Details: Attackers used the granted OAuth permissions to authenticate to Exchange Online and systematically exfiltrate content from a "very small percentage" of corporate email accounts belonging to senior leadership, as well as employees in cybersecurity and legal teams.
### Detection & Response
- Date/Time: Prior to January 19, 2024 (Discovery)
- Vector: Log Review
- Details: The activity was identified through a combination of reviewing Exchange Web Services (EWS) activity logs and audit logs.
## Attack Methodology
- Initial Access: Password Spraying (low volume, proxied) targeting an MFA-disabled, legacy account.
- Persistence: Maintenance of access through consented and created OAuth applications.
- Privilege Escalation: Leveraging initial access to hijack a privileged OAuth app and assign the `full_access_as_app` role via a newly created consenting user/app combination.
- Defense Evasion: Routing traffic via a residential proxy network to mask the single origin of the activity; low volume password spraying.
- Credential Access: Not detailed explicitly by Microsoft; a successful password-spray login to the legacy account is implied.
- Discovery: Implied review of the environment to identify high-privilege OAuth applications.
- Lateral Movement: Moving from the initial compromised user account to leveraging OAuth permissions for application-level access to mailboxes.
- Collection: Targeting and reading corporate email content.
- Exfiltration: Transfer of collected email content outside the environment.
- Impact: Data exfiltration from targeted corporate mailboxes.
## Impact Assessment
- Financial: Not publicly disclosed.
- Data Breach: Content from a "very small percentage" of corporate email accounts of senior leadership, cybersecurity, and legal staff.
- Operational: No evidence of access to customer environments, production systems, source code, or AI systems. Limited internal operational impact disclosed.
- Reputational: Potential reputational damage due to the attribution to a known, state-sponsored actor (Nobelium/APT29).
## Indicators of Compromise
*Note: No specific IoCs (IPs, hashes) were provided in the summary; detection relied on the following indicators.*
- Behavioral indicators: Unusually low-volume password spraying attempts.
- Behavioral indicators: Anomalous activity related to OAuth application creation, consent, and privilege assignment.
- Log indicators: Review of Exchange Web Services (EWS) activity logs and audit logs showing unusual application access.
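The two behavioral indicators above can be expressed as concrete detection logic. The following is an added example, not code from the original report or from Microsoft. It runs over constructed sign-in and audit records whose field names are chosen to resemble Entra ID sign-in and audit log columns; error code 50126 is Entra ID's "invalid username or password" result, while the audit operation names, thresholds and window sizes are assumptions. The spray check looks for many accounts each failing once or twice from many distinct addresses (the residential-proxy signature), then reports which sprayed accounts later signed in from an address never seen in their failures; the consent check looks for a new user consenting to an app that is then granted `full_access_as_app`.

```python
"""Detection logic for low-volume, proxy-distributed password spraying and for
an OAuth chain in which a newly created user consents to a new app that is
then granted full_access_as_app. Added example with constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

INVALID_PASSWORD = 50126            # Entra ID sign-in error: invalid username or password
HIGH_PRIV_ROLE = "full_access_as_app"
EPOCH = datetime(1970, 1, 1)

# Constructed sign-in records (field names mirror Entra ID sign-in log columns).
# Five accounts each see one failure, each from a different address, and the
# legacy test account then logs in from yet another address: the spray pattern.
SIGNINS = [
    {"t": "2023-11-28T02:00:00", "user": "alice@contoso.example", "ip": "203.0.113.10", "error": 50126},
    {"t": "2023-11-28T02:07:00", "user": "bob@contoso.example", "ip": "198.51.100.7", "error": 50126},
    {"t": "2023-11-28T02:15:00", "user": "carol@contoso.example", "ip": "192.0.2.44", "error": 50126},
    {"t": "2023-11-28T02:22:00", "user": "legacy-test@contoso.example", "ip": "203.0.113.88", "error": 50126},
    {"t": "2023-11-28T02:30:00", "user": "dave@contoso.example", "ip": "198.51.100.9", "error": 50126},
    {"t": "2023-11-28T02:41:00", "user": "legacy-test@contoso.example", "ip": "192.0.2.101", "error": 0},
    # A user mistyping their own password twice from one address is not a spray.
    {"t": "2023-11-28T09:00:00", "user": "erin@contoso.example", "ip": "10.1.1.5", "error": 50126},
    {"t": "2023-11-28T09:00:30", "user": "erin@contoso.example", "ip": "10.1.1.5", "error": 50126},
    {"t": "2023-11-28T09:01:00", "user": "erin@contoso.example", "ip": "10.1.1.5", "error": 0},
]

# Constructed audit records; operation names are assumptions modelled on
# Entra ID audit log wording, not copied from the incident.
AUDIT = [
    {"t": "2023-12-01T03:00:00", "actor": "legacy-test@contoso.example", "op": "Add user", "target": "consenter@contoso.example"},
    {"t": "2023-12-01T03:10:00", "actor": "consenter@contoso.example", "op": "Consent to application", "target": "app-x"},
    {"t": "2023-12-01T03:12:00", "actor": "legacy-test-app", "op": "Add app role assignment to service principal", "target": "app-x", "role": "full_access_as_app"},
    {"t": "2023-12-04T10:00:00", "actor": "it-admin@contoso.example", "op": "Consent to application", "target": "hr-portal"},
    {"t": "2023-12-05T11:00:00", "actor": "hr-admin@contoso.example", "op": "Add user", "target": "newhire@contoso.example"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def detect_spray(signins, window=timedelta(hours=24), min_accounts=4,
                 max_median_attempts=2, min_ip_ratio=0.8):
    """Flag fixed windows in which many accounts each fail a few times from
    many distinct IPs, then list which of those accounts later succeeded from
    an IP that never appeared in their failures (the likely compromise)."""
    buckets = defaultdict(list)                 # window index -> failed sign-ins
    for r in signins:
        if r["error"] == INVALID_PASSWORD:
            buckets[(_ts(r["t"]) - EPOCH) // window].append(r)
    findings = []
    for idx, rows in sorted(buckets.items()):
        failed_ips = defaultdict(set)           # account -> IPs its failures came from
        for r in rows:
            failed_ips[r["user"]].add(r["ip"])
        attempts = [sum(r["user"] == u for r in rows) for u in failed_ips]
        ips = {r["ip"] for r in rows}
        if (len(failed_ips) < min_accounts or median(attempts) > max_median_attempts
                or len(ips) / len(failed_ips) < min_ip_ratio):
            continue
        start, end = EPOCH + idx * window, EPOCH + (idx + 1) * window
        succeeded = sorted({r["user"] for r in signins
                            if r["error"] == 0 and r["user"] in failed_ips
                            and start <= _ts(r["t"]) < end
                            and r["ip"] not in failed_ips[r["user"]]})
        findings.append({"window_start": start.isoformat(),
                         "sprayed_accounts": sorted(failed_ips),
                         "distinct_ips": len(ips),
                         "succeeded_from_new_ip": succeeded})
    return findings


def detect_consent_chain(audit, window=timedelta(hours=24)):
    """Find: a user is created, that user consents to an app, and the same app
    is granted a high-privilege role, all within `window` of the creation."""
    findings = []
    for ev in audit:
        if ev["op"] != "Add user":
            continue
        new_user, t0 = ev["target"], _ts(ev["t"])
        in_window = [e for e in audit if t0 <= _ts(e["t"]) <= t0 + window]
        consented = {e["target"] for e in in_window
                     if e["op"] == "Consent to application" and e["actor"] == new_user}
        for e in in_window:
            if (e["op"] == "Add app role assignment to service principal"
                    and e["target"] in consented and e.get("role") == HIGH_PRIV_ROLE):
                findings.append({"new_user": new_user, "created_by": ev["actor"],
                                 "app": e["target"], "role": e["role"],
                                 "granted_by": e["actor"]})
    return findings


if __name__ == "__main__":
    for f in detect_spray(SIGNINS) + detect_consent_chain(AUDIT):
        print(f)
```

The spray rule deliberately keys on the ratio of distinct source addresses to targeted accounts rather than on per-IP failure counts, because per-IP thresholds are exactly what a residential proxy pool defeats. The consent rule is scoped to the window after a user creation so that routine admin consent (the `hr-portal` record) is not reported.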
## Response Actions
- Containment: Steps taken to revoke the permissions granted to the malicious OAuth apps and potentially secure the legacy test tenant account (implied).
- Eradication: Identification and removal of the created user account and any unauthorized OAuth applications.
- Recovery: Restoring and securing access to targeted corporate email accounts (implied).
## Lessons Learned
- Legacy Accounts Pose Significant Risk: The initial foothold was gained via a "legacy non-production test tenant account," highlighting the danger of unmanaged or less-monitored legacy infrastructure, especially accounts lacking modern controls like MFA.
- MFA Evasion Strategy: Attackers avoided MFA rather than breaking it, by targeting an account on which MFA was not enforced.
- Traffic Masking: The use of residential proxy networks effectively masked the true origin of the initial attack, bypassing standard IP-based rate limiting or blocking.
- Reliance on OAuth: The compromise demonstrated a sophisticated pivot from standard user credential theft to exploiting the trust relationship established through OAuth applications for broad mailbox access.
## Recommendations
- **Enforce MFA Universally:** Immediately enforce MFA on *all* accounts, especially legacy, test, or service accounts, regardless of their production status.
- **Audit and Restrict OAuth Permissions:** Implement strict governance over OAuth application creation, consent approval workflows, and review applications holding broad roles like `full_access_as_app`.
- **Enhance Log Monitoring:** Tune EWS and application audit logs to detect low-volume, distributed authentication patterns indicative of proxy use, and monitor for rapid creation/modification of OAuth apps tied to suspicious user creation.
- **Decommission/Isolate Legacy Systems:** Review and either decommission or strictly isolate legacy, non-production tenants from critical production systems.
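The OAuth audit recommended above can be made concrete as a review of which service principals hold application (app-only) roles on the Exchange Online resource. The following is an added example, not code from the original report or from Microsoft. Its inventory is constructed to mirror the shape of Microsoft Graph `servicePrincipal.appRoles` and `appRoleAssignment` objects; every id and principal name below is a placeholder, and apart from `full_access_as_app` and `Mail.Read` the role values are invented. The fixed clock, the 30-day "recent grant" threshold and the severity labels are assumptions.

```python
"""Audit which service principals hold application (app-only) permissions on a
resource such as Exchange Online, flagging full_access_as_app as critical and
recent grants for review. Added example with a constructed inventory; all ids
are placeholders, not real Entra ID values."""
from datetime import datetime, timedelta, timezone

CRITICAL_ROLES = {"full_access_as_app"}     # app-only access to every mailbox in the tenant

# Constructed resource service principal and the app roles it publishes.
# "role-user-only" is an invented user-assignable role, included only to show
# that non-application roles are filtered out.
RESOURCE = {
    "displayName": "Office 365 Exchange Online",
    "appRoles": [
        {"id": "role-full-access", "value": "full_access_as_app", "allowedMemberTypes": ["Application"]},
        {"id": "role-mail-read", "value": "Mail.Read", "allowedMemberTypes": ["Application"]},
        {"id": "role-calendars-read", "value": "Calendars.Read", "allowedMemberTypes": ["Application"]},
        {"id": "role-user-only", "value": "Reports.Viewer", "allowedMemberTypes": ["User"]},
    ],
}

# Constructed appRoleAssignment records: which principal holds which role.
ASSIGNMENTS = [
    {"principalDisplayName": "legacy-test-app", "principalId": "sp-legacy", "appRoleId": "role-full-access", "createdDateTime": "2019-03-01T00:00:00Z"},
    {"principalDisplayName": "app-x", "principalId": "sp-app-x", "appRoleId": "role-full-access", "createdDateTime": "2023-12-01T03:12:00Z"},
    {"principalDisplayName": "room-finder", "principalId": "sp-rooms", "appRoleId": "role-calendars-read", "createdDateTime": "2022-06-10T00:00:00Z"},
    {"principalDisplayName": "ticket-bot", "principalId": "sp-tickets", "appRoleId": "role-mail-read", "createdDateTime": "2023-12-10T00:00:00Z"},
    {"principalDisplayName": "Reports group", "principalId": "grp-reports", "appRoleId": "role-user-only", "createdDateTime": "2021-01-01T00:00:00Z"},
]
NOW = datetime(2023, 12, 20, tzinfo=timezone.utc)     # fixed clock so results are reproducible


def audit_app_roles(resource, assignments, now=NOW, recent=timedelta(days=30)):
    """Return app-only grants on `resource`, most severe first.
    critical = holds a CRITICAL_ROLES value; high = any other app-only role
    granted within `recent`; review = any other app-only role. Roles that are
    not assignable to applications are skipped: they are not app-level access."""
    roles = {r["id"]: r for r in resource["appRoles"]}
    findings = []
    for a in assignments:
        role = roles.get(a["appRoleId"])
        if role is None or "Application" not in role["allowedMemberTypes"]:
            continue
        granted = datetime.fromisoformat(a["createdDateTime"].replace("Z", "+00:00"))
        age_days = (now - granted).days
        reasons = []
        if role["value"] in CRITICAL_ROLES:
            severity = "critical"
            reasons.append(f"holds {role['value']} (app-only access to all mailboxes)")
        elif age_days <= recent.days:
            severity = "high"
        else:
            severity = "review"
        if age_days <= recent.days:
            reasons.append(f"granted {age_days} days ago; confirm who consented and why")
        findings.append({"principal": a["principalDisplayName"], "role": role["value"],
                         "severity": severity, "age_days": age_days, "reasons": reasons})
    rank = {"critical": 0, "high": 1, "review": 2}
    # Within a severity, newest grants first: a fresh full_access_as_app grant
    # is the pattern described in this incident and should be read first.
    return sorted(findings, key=lambda f: (rank[f["severity"]], f["age_days"]))


if __name__ == "__main__":
    for f in audit_app_roles(RESOURCE, ASSIGNMENTS):
        print(f["severity"].upper(), f["principal"], f["role"], "; ".join(f["reasons"]))
```

In a real tenant the two inputs would be fetched from Microsoft Graph (the resource service principal's `appRoles` and its `appRoleAssignedTo` collection) rather than embedded; the scoring logic is unchanged. A long-standing `full_access_as_app` holder such as `legacy-test-app` is reported as critical even though it is old, because age is not evidence that the grant is still needed.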