top of page
  • Writer's pictureAnup Ghosh

Midnight Blizzard Leverages Microsoft Emails to Attack Downstream MSPs

The Download

Microsoft revealed this week that the Midnight Blizzard (Russian SVR) attacks not only are continuing, but the Russian intelligence agency is leveraging emails it has captured from executives to target Microsoft customers and resellers. As we detailed in a prior blog, Midnight Blizzard was able to leverage a legacy on-prem Microsoft Exchange server to implement conventional password spray attacks to compromise the corporate Microsoft M365 server and gain access to executives' emails.

The most significant new development by intelligence is that the Russian SVR is leveraging Microsoft emails to work their way downstream to Managed Service Providers (MSPs) who resell Microsoft and manage Microsoft M365 tenants for their clients. The target is being painted on MSPs as a single aggregated point of risk.

If an MSP is compromised, the adversary can then work their way downstream to the MSP's clients and compromise their tenants and systems by extension. The NSA and CISA published guidance on how to defend against these attacks and illustrated the attackers' path to customer systems in the figure below.

What You Can Do

As a managed service provider, recognize you are not only an aggregated risk single point of failure for many clients, but also a target of nation state adversaries. This means you must have very strong security practices including privileged account management and conditional multi-factor access to client tenants. It is also important you understand the attack surfaces you have and scan for them daily.

As a business managed by an MSP, you will need to do due diligence on the security practices of your MSP to ensure they are following security best practices and ensure they have adequate cyber insurance. In addition, you should understand your own attack surfaces. Finally, you should conduct a thorough analysis of your Microsoft M365 tenant and check which accounts may not have MFA enabled, and which 3rd party SaaS apps have access to your Microsoft tenant. ThreatMate can help you understand these risks and other attack surfaces.

To Learn More



bottom of page