Key lesson from Microsoft’s Password Spray Hack: Protect every account

March 25, 2024 | News about hackers | Data breach/password security

In January 2024, Microsoft discovered that it had been the victim of a hack orchestrated by Russian state hackers Midnight Blizzard (sometimes known as Nobelium). The troubling detail of this case is how easy it was to hack the software giant. This wasn’t a highly technical attack that exploited a zero-day vulnerability: the hackers used a simple password spray attack to take control of an old, inactive account. This serves as a clear reminder of the importance of password security and why organizations must protect every user account.

Password spraying: a simple but effective attack

Hackers gained entry using a password spray attack in November 2023. Password spraying is a relatively simple brute-force technique in which the same password is tried against many accounts. By bombarding user accounts with known weak and compromised passwords, the attackers gained access to a legacy, non-production test account in Microsoft's environment, which gave them an initial foothold. Either this account carried unusual privileges, or the hackers escalated them.

The attack lasted a full seven weeks, during which the hackers exfiltrated emails and attached documents from a "very small percentage" of corporate email accounts, including those belonging to senior executives and to employees on the cybersecurity and legal teams. Microsoft's security team detected the hack on January 12 and took immediate steps to stop the hackers' activities and deny them further access.

However, the fact that hackers were able to access such sensitive internal information highlights the potential damage that can be caused by compromising even seemingly insignificant accounts. All attackers need is an initial foothold within your organization.
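To make the spray pattern concrete from the defender's side, here is an added detection example (not code from the article or from Microsoft): it reads constructed authentication log lines and flags a source that fails against many distinct accounts with only one or two attempts each, then reports any successful login from that source after the spray began. The log format, thresholds and account names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): "<timestamp> <source-ip> <account> <result>".
# 203.0.113.7 sprays one guess across many accounts and lands on a non-production test
# account; 198.51.100.9 is an ordinary user who mistyped a password twice (not a spray).
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.7 svc-test-legacy FAIL
2023-11-20T02:00:03Z 203.0.113.7 jdoe FAIL
2023-11-20T02:00:05Z 203.0.113.7 asmith FAIL
2023-11-20T02:00:08Z 203.0.113.7 build-agent FAIL
2023-11-20T02:00:11Z 203.0.113.7 old-contractor FAIL
2023-11-20T02:00:14Z 203.0.113.7 qa-nonprod SUCCESS
2023-11-20T02:01:00Z 198.51.100.9 jdoe FAIL
2023-11-20T02:01:05Z 198.51.100.9 jdoe FAIL
2023-11-20T02:01:09Z 198.51.100.9 jdoe SUCCESS
"""

def parse_line(line):
    ts, src, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account, result

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources whose failures inside one `window` touch at least `min_accounts`
    distinct accounts with no more than `max_per_account` failures each. A per-account
    lockout counter never fires on that shape; counting distinct accounts per source does.
    Any success from the same source after the spray started is the foothold to chase."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, first in enumerate(fails):
            per_account = defaultdict(int)
            for e in fails[i:]:
                if e[0] - first[0] > window:
                    break
                per_account[e[2]] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                successes = [e[2] for e in evs if e[3] == "SUCCESS" and e[0] >= first[0]]
                alerts[src] = {"sprayed_accounts": sorted(per_account), "successes": successes}
                break
    return alerts

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: sprayed {len(info['sprayed_accounts'])} accounts; logins after spray: {info['successes']}")
```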

The importance of protecting all accounts

While organizations often prioritize protecting privileged accounts, the attack on Microsoft demonstrates that every user account is a potential entry point for attackers. Privilege escalation means that attackers can achieve their goals without necessarily needing an elevated administrator account as an entry point.

Securing an inactive account with limited privileges is just as crucial as safeguarding an administrator account with elevated privileges for several reasons. First, attackers often target these overlooked accounts as potential entry points into a network. Inactive accounts are more likely to have weak or outdated passwords, making them easier targets for brute force attacks. Once compromised, attackers can use these accounts to move laterally within the network, escalating their privileges and accessing sensitive information.

Second, inactive accounts are often overlooked when security measures are applied, which makes them attractive targets for hackers. Organizations may neglect to enforce strong password policies or multi-factor authentication for these accounts, leaving them vulnerable to exploitation. From an attacker's perspective, even accounts with limited privileges can provide valuable access to certain systems or data within an organization.

Defend against password spray attacks

The Microsoft hack serves as a wake-up call for organizations to prioritize the security of every user account. It highlights the critical need for strong password protection measures for all accounts, regardless of their perceived importance. By implementing strong password policies, enabling multi-factor authentication, conducting regular Active Directory audits, and continuously scanning for compromised passwords, organizations can significantly reduce the risk of being caught in the same way.

  1. Active Directory auditing: Performing regular Active Directory audits can provide visibility into unused and inactive accounts, as well as other password vulnerabilities. Audits provide a valuable snapshot of your Active Directory, but should always be complemented by ongoing risk mitigation efforts. If you don't have visibility into your organization's inactive and obsolete user accounts, consider running a read-only audit with our free audit tool, which provides an interactive, exportable report: Specops Password Auditor.
  2. Strong password policies: Organizations should enforce strong password policies that block weak passwords, such as common terms or keyboard walks like "qwerty" or "123456." Requiring long, unique passwords or passphrases is a solid defense against brute force attacks. Custom dictionaries that block organization- and industry-related terms should also be included.
  3. Multi-factor authentication (MFA): Enabling MFA adds an authentication hurdle that hackers must overcome. MFA is an important layer of defense, although it is worth remembering that MFA is not infallible. It must be combined with strong password security.
  4. Compromised password scans: Even strong passwords can be compromised if end users reuse them on personal devices, sites or applications with weak security. Implementing tools to continuously scan Active Directory for compromised passwords can help identify and mitigate potential risks.
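As an added illustration of the password policy and compromised-password controls in points 2 and 4 (example code, not a Specops product or its data), the check below rejects short passwords, common passwords, keyboard walks, organization-dictionary terms (after simple leetspeak normalization) and passwords found in a breached-password set. The word lists, the placeholder organization terms and the SHA-1-keyed breached set are constructed for the example.

```python
import hashlib

# Constructed lists for the example (not real feeds): common passwords, placeholder
# organization/industry terms, and a tiny breached-password set keyed by SHA-1 so the
# checker never has to hold breached plaintexts.
COMMON = {"password", "123456", "welcome", "letmein"}
ORG_DICTIONARY = {"contoso", "midnight", "azure"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("Summer2023!", "Contoso2024")}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
LEET = str.maketrans("@$013!", "asolei")  # @->a $->s 0->o 1->l 3->e !->i

def normalize(pw):
    """Lower-case and undo common substitutions so 'C0nt0so' still matches 'contoso'."""
    return pw.lower().translate(LEET)

def has_keyboard_walk(pw, run=4):
    """True if `run` adjacent keys from any row appear in order (or reversed)."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in s:
                    return True
    return False

def check_password(pw, min_length=15):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    norm = normalize(pw)
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if norm in COMMON or pw.lower() in COMMON:
        problems.append("common password")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard walk")
    for term in sorted(ORG_DICTIONARY):
        if term in norm:
            problems.append(f"contains organization term '{term}'")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("found in breached-password list")
    return problems

if __name__ == "__main__":
    for candidate in ("123456", "Summer2023!", "C0nt0so-Rocks-2024!!", "correct-horse-battery-staple-7"):
        print(candidate, "->", check_password(candidate) or "OK")
```

A strong-looking password such as "Summer2023!" still fails here because it appears in the breached set, which is the point of scanning for compromised passwords rather than judging complexity alone.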

Continuously block attack routes for hackers

The Microsoft hack highlights the need for organizations to implement strong password protection measures across all accounts. A strong password policy is essential to ensure that all accounts, including legacy, non-production and test accounts, are not overlooked. Additionally, blocking known compromised credentials adds an additional layer of protection against active attacks.

The Specops Password Policy with Password Breach Protection offers automated, continuous protection for your Active Directory. It protects your end users from using more than 4 billion known unique compromised passwords, including data from known leaks and from our honeypot system that collects passwords used in real password spray attacks.

Daily updates to the Breached Password Protection API, coupled with ongoing scans for the use of those passwords across your network, provide a much more comprehensive defense against the threat of attack and the risk of password reuse. Speak to an expert today to find out how the Specops password policy might fit your organization.

This article is contributed by one of our valued partners.