Keypoints
- Attack began with a password spray against a Microsoft 365 account lacking MFA, using residential proxies and low‑volume attempts to evade detection.
- Compromised account was used to create OAuth apps and user accounts and to grant consent/privileged roles to those apps (notably full_access_as_app).
- Malicious apps produced a spike in Exchange Web Services (EWS) / Exchange Online API calls and accessed mailboxes anomalously, indicating email exfiltration.
- Trellix Helix provides detection via rules such as OFFICE 365 ANALYTICS [Brute Force], [Abnormal Logon], [Exchange Online App API Volume Spike], and [Abnormal Mail Item Access].
- Helix correlates multiple suspicious signals into an OFFICE 365 ANALYTICS [Suspicious User Activity] alert that increases in risk score as more criteria are met.
- Investigative tips and query examples in Helix allow searching mail accesses, app activity, and Azure user changes (e.g., archive search by appid and mailbox owner).
- Mitigations recommended: enable cloud MFA, enforce strong password policies, and audit/restrict Graph apps, service principals, and delegated permissions in non‑production tenants.
MITRE Techniques
- [T1110] Brute Force – Attackers performed password spray against Microsoft 365 accounts to gain initial access ('performed a password spray').
- [T1110.003] Password Spraying – Low‑volume attempts across multiple accounts and use of residential proxies to evade detection ('used residential proxies to evade detections based on failed logins from a single IP address').
- [T1078] Valid Accounts – Compromised legitimate Microsoft 365 account was used to access Exchange Online and perform subsequent actions ('compromised a Microsoft 365 test tenant account').
- [T1098] Account Manipulation – The attackers changed account access and used the compromised account to grant consent to OAuth apps and assign privileged roles ('had the user accounts grant consent to the apps').
- [T1106] Native API – Abuse of Exchange Web Services / Microsoft Graph APIs to access and exfiltrate mailbox content ('escalate privileges and exfiltrate email messages from Microsoft's corporate Exchange Online environment').
- [T1526] Cloud Service Discovery – Reconnaissance and targeted use of Microsoft cloud services (Exchange Online, Azure AD, OAuth apps) to identify pathways for privilege escalation and data access ('leveraged the account's access to a legacy OAuth app to escalate privileges').
- [T1087] Account Discovery – Discovery of accounts and targets within the tenant to select low‑value test accounts and other targets for exploitation (implied by targeted account selection and later targeting of customer environments).
- [T1589] Gather Victim Identity Information – Exfiltration of email messages to collect identity and contextual information for follow‑on operations ('exfiltrate email messages').
Indicators of Compromise
- [URL] Source and advisories – https://www.trellix.com/blogs/research/midnight-blizzard-attack-detection-in-trellix-helix/, https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
- [App/Query placeholders] App and mailbox identifiers shown in investigative queries – example placeholders: APPID, MAILBOXOWNER (used in archive query examples to find earliest app mail access).
- [Permissions/Role names] Privileged permission identifiers observed – examples: full_access_as_app, EWS.AccessAsUser.All, User.ReadWrite.All (context: permissions attackers granted to OAuth apps to access mailboxes).
The technical sequence began with password spraying against Microsoft 365 accounts that lacked MFA, using residential proxies and low‑volume attempts to avoid detection. After compromising a legacy test account, the attackers created OAuth apps and additional user accounts, then had the compromised user accounts grant consent to those apps or assigned the apps privileged roles, notably the full_access_as_app permission, which gives an app access to every mailbox in the tenant. This chain let the actors call Exchange Web Services/Microsoft Graph APIs at scale, producing API volume spikes and anomalous mailbox access patterns consistent with mass email exfiltration.
To detect and investigate these behaviors, Trellix Helix leverages a mix of signature and analytic detections: brute force/password spray rules, abnormal logon detection (including novel country/ISP access), alerts for app consent and privileged OAuth role grants, and analytics for Exchange Online API volume spikes and first‑time mailbox access by apps. Helix correlates these signals into a Suspicious User Activity alert that aggregates items such as risky sign‑ins, consent events, privileged app assignments, Azure user changes, and threat‑intelligence flagged IPs to raise risk scores and guide triage.
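The correlation described above, as an added example that is not Trellix Helix code: a toy Python detector that (1) flags a low‑volume password spray (many accounts, few failures each, many source IPs), (2) flags an app whose mailbox‑access call volume spikes, and (3) folds per‑user criteria (successful logon from a spray source, app consent, privileged permission grant, Azure user creation, API volume spike by a consented app) into one risk score. The event schema, operation names, account names, IP addresses and the APPID placeholder are all constructed for this example; only the three permission identifiers come from the page.

```python
"""Added example (not Trellix Helix or Microsoft code): correlate constructed Microsoft 365
sign-in and audit events into a per-user risk score. Event schema and sample data are
assumptions made for this example."""
from collections import Counter
from datetime import datetime, timedelta

# Permission identifiers named on this page as granted to the malicious apps.
PRIVILEGED = {"full_access_as_app", "EWS.AccessAsUser.All", "User.ReadWrite.All"}
ACTOR = "test-legacy@contoso.example"            # constructed: the compromised legacy test account
APP = "APPID-PLACEHOLDER"                         # constructed: stand-in for the malicious app id
SPRAY_IPS = ["198.51.100.%d" % n for n in range(10, 16)]  # constructed residential-proxy IPs
TARGETS = ["alice", "bob", "carol", "dave", "erin"]        # constructed sprayed accounts


def _e(minute, op, user, ip, **extra):
    """Build one constructed event at 02:<minute> on a fixed day."""
    return {"ts": f"2024-01-12T02:{minute:02d}:00", "op": op, "user": user, "ip": ip, **extra}


EVENTS = (
    # Low-volume spray: exactly one failure per account, each from a different proxy IP.
    [_e(n, "LoginFailed", f"{u}@contoso.example", SPRAY_IPS[n]) for n, u in enumerate(TARGETS)]
    + [_e(5, "LoginFailed", ACTOR, SPRAY_IPS[5]),
       _e(6, "LoginSucceeded", ACTOR, SPRAY_IPS[5]),                      # the spray lands
       _e(20, "ConsentGranted", ACTOR, SPRAY_IPS[5], appid=APP),
       _e(21, "AppRoleAssigned", ACTOR, SPRAY_IPS[5], appid=APP, permission="full_access_as_app"),
       _e(22, "UserAdded", ACTOR, SPRAY_IPS[5], target="svc-sync@contoso.example")]
    # The app then reads twelve mailboxes in twelve minutes: the EWS/Graph volume spike.
    + [_e(30 + n, "MailItemsAccessed", f"exec{n}@contoso.example", SPRAY_IPS[5], appid=APP)
       for n in range(12)]
)


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect_password_spray(events, window=timedelta(hours=1), min_accounts=5,
                          max_per_account=2, min_ips=3):
    """Return the first window of failed logons that looks like a spray: many distinct
    accounts, few failures each, spread over many source IPs. None if no such window."""
    fails = sorted((e for e in events if e["op"] == "LoginFailed"), key=_ts)
    for i, first in enumerate(fails):
        win = [e for e in fails[i:] if _ts(e) - _ts(first) <= window]
        per_acct = Counter(e["user"] for e in win)
        ips = {e["ip"] for e in win}
        if (len(per_acct) >= min_accounts and max(per_acct.values()) <= max_per_account
                and len(ips) >= min_ips):
            return {"start": _ts(first), "accounts": set(per_acct), "ips": ips}
    return None


def spray_successes(events, spray):
    """Accounts that logged in successfully from a spray IP after the spray began."""
    if spray is None:
        return set()
    return {e["user"] for e in events if e["op"] == "LoginSucceeded"
            and e["ip"] in spray["ips"] and _ts(e) >= spray["start"]}


def app_volume_spike(events, appid, window=timedelta(hours=1), baseline=2, factor=5):
    """True if the app's mailbox-access calls in any one window exceed factor x baseline."""
    calls = sorted((e for e in events if e["op"] == "MailItemsAccessed"
                    and e.get("appid") == appid), key=_ts)
    for i, first in enumerate(calls):
        if sum(1 for e in calls[i:] if _ts(e) - _ts(first) <= window) > baseline * factor:
            return True
    return False


def suspicious_user_activity(events, user):
    """Correlate the criteria for one user; the score grows with the number met."""
    spray = detect_password_spray(events)
    mine = [e for e in events if e["user"] == user]
    criteria = []
    if user in spray_successes(events, spray):
        criteria.append("successful logon from a password-spray source IP")
    consented = {e["appid"] for e in mine if e["op"] == "ConsentGranted"}
    if consented:
        criteria.append("consent granted to an app")
    grants = {e["permission"] for e in mine if e["op"] == "AppRoleAssigned"} & PRIVILEGED
    if grants:
        criteria.append("privileged app permission granted: " + ", ".join(sorted(grants)))
    if any(e["op"] == "UserAdded" for e in mine):
        criteria.append("Azure user account created")
    if any(app_volume_spike(events, a) for a in consented):
        criteria.append("Exchange Online API volume spike by a consented app")
    return {"user": user, "score": 20 * len(criteria), "criteria": criteria}


if __name__ == "__main__":
    print(suspicious_user_activity(EVENTS, ACTOR))
```

The thresholds (five accounts, at most two failures each, three IPs, a five‑times baseline) are illustrative; in a real tenant they would be tuned against the sign‑in baseline, and the spray window would be evaluated per failure rather than stopping at the first hit.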
Investigators should query Helix for all activity tied to implicated users, IPs, and app IDs (example archive search: class=ms_office365 action=mailitemsaccessed appid=APPID mailbox=MAILBOXOWNER | table [meta_ts,srcipv4,srcipv6,clientvars,Folders] | sort < meta_ts) to find earliest accesses, API call volumes, and related Azure AD changes. Mitigations include enforcing cloud MFA, strengthening password policies, and auditing/restricting Graph apps, service principals, and delegated permissions—especially in non‑production tenants that may have been granted excessive rights.
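A plain‑Python equivalent of the archive search quoted above, as an added example that is not Trellix Helix code: it filters mailitemsaccessed records by app id and mailbox owner, keeps the listed columns, sorts by meta_ts, and adds a scoping pivot that lists every mailbox the app touched with its first access time, access count and source IPs. Field names follow the query (class, action, appid, mailbox, meta_ts, srcipv4, srcipv6, clientvars, Folders); the records, mailbox names, IP addresses and the APPID placeholder are constructed.

```python
"""Added example (not Trellix Helix code): the quoted archive search and a per-app
scoping pivot over constructed ms_office365 records. Record contents are assumptions."""

COLUMNS = ("meta_ts", "srcipv4", "srcipv6", "clientvars", "Folders")
APPID = "APPID-PLACEHOLDER"  # constructed stand-in for the implicated app id


def _rec(ts, mailbox, ip, folders, appid=APPID, action="mailitemsaccessed"):
    """Build one constructed archive record in the shape the query expects."""
    return {"class": "ms_office365", "action": action, "appid": appid, "mailbox": mailbox,
            "meta_ts": ts, "srcipv4": ip, "srcipv6": None,
            "clientvars": {"client": "EWS"}, "Folders": folders}


RECORDS = [  # constructed, deliberately out of time order
    _rec("2024-01-12T03:05:00Z", "ceo@contoso.example", "198.51.100.15", ["Inbox", "Sent Items"]),
    _rec("2024-01-12T02:31:00Z", "ceo@contoso.example", "198.51.100.15", ["Inbox"]),
    _rec("2024-01-12T02:45:00Z", "cfo@contoso.example", "198.51.100.16", ["Inbox"]),
    _rec("2024-01-12T02:40:00Z", "ceo@contoso.example", "203.0.113.7", ["Inbox"], appid="BENIGN-APP"),
    _rec("2024-01-12T02:50:00Z", "ceo@contoso.example", "198.51.100.15", ["Inbox"], action="send"),
]


def _is_app_mail_access(r, appid):
    return (r["class"] == "ms_office365" and r["action"] == "mailitemsaccessed"
            and r["appid"] == appid)


def archive_search(records, appid, mailbox):
    """class=ms_office365 action=mailitemsaccessed appid=... mailbox=... | table [...] | sort < meta_ts"""
    rows = [r for r in records if _is_app_mail_access(r, appid) and r["mailbox"] == mailbox]
    rows.sort(key=lambda r: r["meta_ts"])  # ISO-8601 UTC timestamps sort correctly as strings
    return [{c: r.get(c) for c in COLUMNS} for r in rows]


def earliest_app_access(records, appid, mailbox):
    """Timestamp of the app's first access to the mailbox, or None if it never touched it."""
    rows = archive_search(records, appid, mailbox)
    return rows[0]["meta_ts"] if rows else None


def app_scope(records, appid):
    """Per-mailbox first access, access count and source IPs for one app: the triage list."""
    scope = {}
    for r in records:
        if not _is_app_mail_access(r, appid):
            continue
        s = scope.setdefault(r["mailbox"], {"first": r["meta_ts"], "count": 0, "src_ips": set()})
        s["first"] = min(s["first"], r["meta_ts"])
        s["count"] += 1
        s["src_ips"].add(r["srcipv4"])
    return scope


if __name__ == "__main__":
    for row in archive_search(RECORDS, APPID, "ceo@contoso.example"):
        print(row)
    print(app_scope(RECORDS, APPID))
```

The scope output is what drives the follow‑on pivots the paragraph describes: each source IP feeds a search for other activity from that address, and each mailbox owner feeds a search for Azure AD changes and consent events on that account.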
Read more: https://www.trellix.com/blogs/research/midnight-blizzard-attack-detection-in-trellix-helix/