Nobelium Attack on Microsoft

In November 2023, Microsoft's corporate environment was breached by Nobelium (tracked by Microsoft as Midnight Blizzard and also known as APT29), a group attributed to Russia's SVR foreign intelligence service; Microsoft detected the intrusion on 12 January 2024 and disclosed it a week later. The incident is notable because it needed no zero-day: a password spray against an account without multi-factor authentication, followed by abuse of overly permissive OAuth application access in Microsoft's Entra ID (formerly Azure Active Directory) tenants, was enough to reach executive mailboxes.

Attack Vector and Methodology

  1. Password Spray Attack: Nobelium gained its foothold by password spraying, that is, trying a few common passwords against many accounts rather than many passwords against one account, so that no single account reaches its lockout threshold. The target was a legacy, non-production test tenant account in Entra ID that had no multi-factor authentication (MFA); once a guess succeeded, nothing else stood between the attacker and the account.
  2. Evasion Techniques: The attempts were routed through a residential proxy network, so each guess arrived from a different consumer ISP address and the volume per account and per source IP stayed low. That defeats the two usual controls at once: account lockout never triggers, and rate limits or reputation rules keyed on a single IP or on hosting-provider ranges see nothing unusual.
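The following is an added example written for this page, not Microsoft's detection logic: a small Python detector run over constructed Entra ID sign-in records. The field names follow the Microsoft Graph signIn resource (userPrincipalName, ipAddress, createdDateTime, status.errorCode), but the accounts, addresses, and timestamps are invented, as is the KNOWN_EGRESS allowlist. It contrasts the per-account failure count that a lockout rule sees with the cross-account, cross-IP view that exposes a low-and-slow spray, and then flags the account that later signed in successfully from a fresh address, the pattern the Prevention Strategies section recommends watching for.

```python
"""Password-spray detection over constructed Entra ID sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in status.errorCode values.
ERR_SUCCESS = 0
ERR_INVALID_PASSWORD = 50126  # "invalid username or password"

# Constructed allowlist of the organisation's own egress addresses (assumption for this example).
KNOWN_EGRESS = frozenset({"192.0.2.5"})


def _ts(value):
    return datetime.fromisoformat(value)


def _signin(upn, ip, when, code):
    return {"userPrincipalName": upn, "ipAddress": ip,
            "createdDateTime": when.isoformat(), "status": {"errorCode": code}}


# Constructed data: a low-and-slow spray against a legacy test tenant. Every account gets one or
# two guesses, every guess comes from a different residential-looking address (TEST-NET ranges
# here), the whole run takes about an hour, and one guess finally works.
_base = datetime(2023, 11, 20, 2, 0, 0)
_targets = ["svc-build", "dev-test1", "dev-test2", "qa-bot",
            "admin-legacy", "jsmith", "mlee", "backup-svc"]
SAMPLE_SIGNINS = []
for _i, _name in enumerate(_targets):
    for _j in range(2 if _i % 3 == 0 else 1):
        SAMPLE_SIGNINS.append(_signin(f"{_name}@legacy-test.example.com",
                                      f"203.0.113.{10 + 4 * _i + _j}",
                                      _base + timedelta(minutes=9 * _i + 4 * _j),
                                      ERR_INVALID_PASSWORD))
# The guess that worked, from yet another address, well after the last failure.
SAMPLE_SIGNINS.append(_signin("admin-legacy@legacy-test.example.com", "198.51.100.77",
                              _base + timedelta(hours=2), ERR_SUCCESS))
# Benign noise: a real user mistypes once, then succeeds from the corporate egress address.
SAMPLE_SIGNINS.append(_signin("alice@corp.example.com", "192.0.2.5",
                              _base + timedelta(minutes=30), ERR_INVALID_PASSWORD))
SAMPLE_SIGNINS.append(_signin("alice@corp.example.com", "192.0.2.5",
                              _base + timedelta(minutes=31), ERR_SUCCESS))


def per_account_failures(signins):
    """The lockout-style view: failed sign-ins counted per account. A spray keeps every
    account well below any sane threshold, so this view alone never fires."""
    counts = defaultdict(int)
    for s in signins:
        if s["status"]["errorCode"] != ERR_SUCCESS:
            counts[s["userPrincipalName"]] += 1
    return dict(counts)


def detect_spray(signins, window=timedelta(hours=4), min_accounts=5, max_per_account=3):
    """Spray signature: inside one time window, many distinct accounts each see only a few
    password failures, and the failures come from many source addresses. Returns one alert per
    burst with the accounts and source IPs involved."""
    failures = sorted((s for s in signins if s["status"]["errorCode"] == ERR_INVALID_PASSWORD),
                      key=lambda s: _ts(s["createdDateTime"]))
    alerts, i = [], 0
    while i < len(failures):
        start = _ts(failures[i]["createdDateTime"])
        in_window = [f for f in failures[i:] if _ts(f["createdDateTime"]) - start <= window]
        per_account = defaultdict(int)
        for f in in_window:
            per_account[f["userPrincipalName"]] += 1
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            alerts.append({"window_start": start.isoformat(),
                           "accounts": sorted(per_account),
                           "source_ips": sorted({f["ipAddress"] for f in in_window})})
            i += len(in_window)  # the burst is consumed; do not re-alert on its tail
        else:
            i += 1
    return alerts


def suspicious_successes(signins, alert, known_egress=frozenset()):
    """Accounts named in a spray alert that afterwards signed in successfully from an address
    outside the known egress set: the 'failures, then a success' case worth paging on."""
    start = _ts(alert["window_start"])
    hits = []
    for s in sorted(signins, key=lambda s: _ts(s["createdDateTime"])):
        if (s["status"]["errorCode"] == ERR_SUCCESS
                and s["userPrincipalName"] in alert["accounts"]
                and _ts(s["createdDateTime"]) >= start
                and s["ipAddress"] not in known_egress):
            hits.append((s["userPrincipalName"], s["ipAddress"]))
    return hits


if __name__ == "__main__":
    print("worst single account:", max(per_account_failures(SAMPLE_SIGNINS).values()), "failures")
    for alert in detect_spray(SAMPLE_SIGNINS):
        print(f"spray from {alert['window_start']}: {len(alert['accounts'])} accounts, "
              f"{len(alert['source_ips'])} source IPs")
        print("likely compromised:", suspicious_successes(SAMPLE_SIGNINS, alert, KNOWN_EGRESS))
```

On the constructed data no account accumulates more than two failures, so a lockout rule stays silent, while the windowed view reports nine accounts hit from twelve addresses and singles out admin-legacy as the account that later succeeded from an unfamiliar address. The thresholds are starting points; in a real tenant the source-IP set should also be checked against the organisation's known ranges, and the residential-proxy case shows why the IP count itself is a signal rather than the IPs' reputation.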

Breach and Exploitation

  1. Compromise of OAuth Applications: The test tenant account gave Nobelium access to a legacy test OAuth application that still held elevated access to Microsoft's corporate environment. Using that application they registered additional malicious OAuth applications, created a new user account to grant consent to them, and used the legacy application to grant the full_access_as_app role for Office 365 Exchange Online. full_access_as_app is an application (app-only) permission: the application authenticates with its own credential and can read every mailbox in the tenant without any user signing in, so MFA on user accounts never comes into play.
  2. Targeted Email Accounts: With that permission the attackers authenticated to Exchange Online as the legacy application and read corporate mailboxes belonging to members of Microsoft's senior leadership team and to employees in cybersecurity, legal, and other functions, exfiltrating emails and attached documents. According to Microsoft, the actor was initially looking for what Microsoft knew about the group itself.

Detection and Mitigation

  1. Log Analysis: Microsoft identified the intrusion through Exchange Web Services (EWS) logs and then reconstructed the chain from Entra ID audit and sign-in logs. The lesson is that the application-side logs (which application authenticated to Exchange, and for which mailboxes) and the identity-side logs (which applications were registered, who consented, which roles were assigned) must both be retained and reviewed; either one alone shows half of the chain.
  2. Security Enhancements in Entra ID: MFA, or a phishing-resistant authentication strength, should be required for every account in every tenant, including legacy, test, and non-production tenants, because a test tenant that holds a forgotten privileged application is as good an entry point as production. Microsoft's own response was to apply its current security standards to its legacy systems and internal business processes.
  3. Restrictive Tenant Settings: Disable the default user permissions that let any user register applications or create security groups ("Users can register applications" and "Users can create security groups" in Entra ID user settings), and require administrator consent for application permissions such as full_access_as_app, so that a compromised ordinary account cannot mint a privileged application on its own. Privileged applications that already exist should be inventoried and their permissions cut back to what they actually use; the legacy test application in this incident is an example of one that should not have retained elevated access.
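As an added example, not Microsoft's code: the exploitation chain described under Breach and Exploitation, reconstructed from audit records and scored the way a detection over Entra ID audit logs would score it. The records below are constructed; their shape is a simplified rendering of audit-log entries (activity name, time, actor, target, changed properties) rather than the exact Microsoft Graph directoryAudit schema, though the activity names are the ones Entra ID uses. The Exchange Online appId is a well-known value; the list of application permissions treated as high-privilege is a tuning assumption, and the application and account names are invented.

```python
"""Correlating Entra ID audit events into an OAuth application-abuse chain (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known appId of the Office 365 Exchange Online resource; full_access_as_app is its
# application permission that grants access to every mailbox in the tenant.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"

# Application (app-only) permissions worth paging on when granted to a new app.
# Assumption: extend or trim this set per tenant.
HIGH_PRIVILEGE_APP_ROLES = {
    "full_access_as_app", "Mail.ReadWrite", "Mail.Read", "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "Application.ReadWrite.All",
}

APP_EVENTS = {"Add application", "Add service principal", "Consent to application",
              "Add app role assignment to service principal"}


def _rec(time, activity, actor, target, **props):
    return {"activityDateTime": time, "activityDisplayName": activity,
            "actor": actor, "target": target, "properties": props}


# Constructed audit log.
AUDIT_LOG = [
    # Benign: an existing developer registers a low-privilege app the normal way.
    _rec("2023-11-21T10:00:00", "Add application", "alice@corp.example.com", "Expense Bot"),
    _rec("2023-11-21T10:02:00", "Add service principal", "alice@corp.example.com", "Expense Bot"),
    _rec("2023-11-21T10:05:00", "Add app role assignment to service principal",
         "alice@corp.example.com", "Expense Bot", **{"AppRole.Value": "User.Read.All"}),
    # Suspicious: a legacy app registers a new app and a new user, and within minutes the
    # new user grants the new app full_access_as_app on Exchange Online.
    _rec("2023-11-22T03:10:00", "Add application", "legacy-test-app", "Sync Helper"),
    _rec("2023-11-22T03:11:00", "Add service principal", "legacy-test-app", "Sync Helper"),
    _rec("2023-11-22T03:12:00", "Add user", "legacy-test-app", "ops.admin@corp.example.com"),
    _rec("2023-11-22T03:20:00", "Consent to application", "ops.admin@corp.example.com", "Sync Helper"),
    _rec("2023-11-22T03:21:00", "Add app role assignment to service principal",
         "ops.admin@corp.example.com", "Sync Helper",
         **{"AppRole.Value": "full_access_as_app", "ResourceAppId": EXCHANGE_ONLINE_APP_ID}),
]


def _ts(value):
    return datetime.fromisoformat(value)


def correlate_app_chain(log, window=timedelta(hours=24)):
    """Group application events by target app and score each app on the three signals the
    incident combined: a brand-new registration, consent or role assignment by an account
    that was itself created inside the window, and a high-privilege application permission.
    Returns {app_name: {"severity", "reasons", "timeline"}}."""
    by_app = defaultdict(list)
    new_users = {}  # userPrincipalName -> time the account was created
    for r in sorted(log, key=lambda r: _ts(r["activityDateTime"])):
        if r["activityDisplayName"] == "Add user":
            new_users[r["target"]] = _ts(r["activityDateTime"])
        elif r["activityDisplayName"] in APP_EVENTS:
            by_app[r["target"]].append(r)

    findings = {}
    for app, events in by_app.items():
        first = _ts(events[0]["activityDateTime"])
        reasons = []
        if any(e["activityDisplayName"] == "Add application" for e in events):
            reasons.append("application registered within the window")
        for e in events:
            t = _ts(e["activityDateTime"])
            if t - first > window:
                continue
            if e["activityDisplayName"] in ("Consent to application",
                                            "Add app role assignment to service principal"):
                created = new_users.get(e["actor"])
                if created is not None and t - created <= window:
                    age = int((t - created).total_seconds() // 60)
                    reasons.append(f"{e['activityDisplayName']} by account created "
                                   f"{age} min earlier ({e['actor']})")
            role = e["properties"].get("AppRole.Value")
            if role in HIGH_PRIVILEGE_APP_ROLES:
                resource = e["properties"].get("ResourceAppId", "unknown resource")
                reasons.append(f"high-privilege application permission {role} on {resource}")
        severity = "high" if any(r.startswith("high-privilege") for r in reasons) else "low"
        findings[app] = {
            "severity": severity,
            "reasons": reasons,
            "timeline": [(e["activityDateTime"], e["activityDisplayName"], e["actor"])
                         for e in events],
        }
    return findings


if __name__ == "__main__":
    for app, f in correlate_app_chain(AUDIT_LOG).items():
        print(f"{app}: {f['severity']}")
        for reason in f["reasons"]:
            print("  -", reason)
```

On the constructed log the benign app produces a single low-severity note (new registration), while the second app accumulates four reasons and is rated high, because the consenting account did not exist ten minutes earlier and the permission granted is app-only access to every mailbox. In a real tenant the same correlation should also watch "Update application" events that add certificates or secrets to existing applications, since the legacy application in this incident was abused rather than created.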

Prevention Strategies

  1. Regular Audits: Periodically review Entra ID user settings, enterprise applications and their assigned permissions, and Conditional Access coverage, paying particular attention to legacy and test tenants and to applications whose owner or purpose nobody can name.
  2. Monitoring for Password Spray Attacks: Password spraying looks different from brute force: many distinct accounts, one or two failures each, from many source addresses, all within a short window. Detection should therefore aggregate failed sign-ins across accounts and sources rather than counting failures per account, and a successful sign-in for any account in a sprayed set from an address not previously seen for that account should be treated as a probable compromise.
  3. OAuth Application Vigilance: Alert on new application registrations, service principals, and consent or app-role grants, especially where the permission is an application permission with tenant-wide reach such as full_access_as_app, where the consenting account was created shortly beforehand, or where the actor performing the change is itself an application.
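An added example, not Microsoft's own tooling: a Python audit of the tenant settings the page calls out, plus the MFA coverage check from the Detection and Mitigation section. The inputs are shaped like the Microsoft Graph v1.0 authorizationPolicy and conditionalAccessPolicy resources, with the sample tenant constructed to be weak in exactly the way the incident exploited (MFA only for Global Administrators, any user able to register applications and consent to them). The remediation function only builds request bodies; sending them to Graph, and promoting the report-only policy once its sign-in impact has been reviewed, is left to the operator.

```python
"""Entra ID tenant-setting audit for the gaps behind the Nobelium intrusion (added example)."""

# Well-known Entra ID role template id for Global Administrator.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Permission-grant policy ids that Graph reports under
# defaultUserRolePermissions.permissionGrantPoliciesAssigned.
USER_CONSENT_ANY_APP = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
USER_CONSENT_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

# Constructed weak tenant: the defaults that let an ordinary account register apps and
# consent to them, and MFA enforced only for Global Administrators.
WEAK_AUTHZ_POLICY = {
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateSecurityGroups": True,
        "permissionGrantPoliciesAssigned": [USER_CONSENT_ANY_APP],
    }
}
WEAK_CA_POLICIES = [
    {"displayName": "MFA for Global Admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE_ID]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA for everyone (never switched on)", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def audit_default_user_permissions(authz_policy):
    """Findings from policies/authorizationPolicy: settings that let any user create the
    footholds the incident used. Missing keys are treated as the permissive default."""
    perms = authz_policy.get("defaultUserRolePermissions", {})
    findings = []
    if perms.get("allowedToCreateApps", True):
        findings.append("any user can register applications (allowedToCreateApps)")
    if perms.get("allowedToCreateSecurityGroups", True):
        findings.append("any user can create security groups (allowedToCreateSecurityGroups)")
    if USER_CONSENT_ANY_APP in perms.get("permissionGrantPoliciesAssigned", []):
        findings.append("users can consent to any application for themselves")
    return findings


def has_tenant_wide_mfa(ca_policies):
    """True if an enabled Conditional Access policy requires MFA (or an authentication
    strength) for all users on all applications. Report-only and disabled policies do not
    count; exclusions are not inspected here and should be reviewed separately."""
    for p in ca_policies:
        if p.get("state") != "enabled":
            continue
        users = p.get("conditions", {}).get("users", {})
        apps = p.get("conditions", {}).get("applications", {})
        grant = p.get("grantControls") or {}
        requires_mfa = ("mfa" in (grant.get("builtInControls") or [])
                        or grant.get("authenticationStrength") is not None)
        if ("All" in users.get("includeUsers", [])
                and "All" in apps.get("includeApplications", [])
                and requires_mfa):
            return True
    return False


def remediation(authz_policy, ca_policies):
    """Build the Graph requests that close the gaps: a PATCH body for
    policies/authorizationPolicy and, if no tenant-wide MFA policy exists, a report-only
    policy to POST to identity/conditionalAccess/policies."""
    actions = []
    if audit_default_user_permissions(authz_policy):
        actions.append(("PATCH", "/policies/authorizationPolicy", {
            "defaultUserRolePermissions": {
                "allowedToCreateApps": False,
                "allowedToCreateSecurityGroups": False,
                # keep user consent only for low-risk permissions from verified publishers
                "permissionGrantPoliciesAssigned": [USER_CONSENT_LOW_RISK],
            }}))
    if not has_tenant_wide_mfa(ca_policies):
        actions.append(("POST", "/identity/conditionalAccess/policies", {
            "displayName": "Require MFA for all users",
            "state": "enabledForReportingButNotEnforced",
            "conditions": {"users": {"includeUsers": ["All"]},
                           "applications": {"includeApplications": ["All"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}))
    return actions


if __name__ == "__main__":
    for finding in audit_default_user_permissions(WEAK_AUTHZ_POLICY):
        print("finding:", finding)
    print("tenant-wide MFA:", has_tenant_wide_mfa(WEAK_CA_POLICIES))
    for method, path, body in remediation(WEAK_AUTHZ_POLICY, WEAK_CA_POLICIES):
        print(method, path, body)
```

The sample tenant yields three findings and no tenant-wide MFA, so the audit emits both a PATCH and a POST. The new Conditional Access policy is created in report-only state deliberately: an MFA-for-everyone policy enabled blindly locks out service accounts and the break-glass account, so the practitioner reviews the report-only sign-in results, adds the necessary exclusions, and only then flips the state to enabled.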

The Nobelium intrusion is a reminder that in cloud identity systems the weakest tenant, account, or application sets the security level of the whole estate. Universal MFA enforcement, restrictive defaults for application registration and consent, regular audits of legacy tenants and applications, and detections that look for low-and-slow password spraying and for suspicious application permission grants are the controls that would have broken this chain at several points.