
In January 2024, Microsoft found themselves the victim of a hack orchestrated by Russian state actor Midnight Blizzard (sometimes known as Nobelium). A worrying detail about the case is how easy it was to attack the software giant. This wasn’t a high-tech hack that exploited a zero-day vulnerability – the hackers used a simple password spray attack to take control of an old, inactive account. This is a stark reminder of the importance of password security and why organizations need to protect every user account.
Password spraying: a simple yet effective attack
Hackers gained access in November 2023 through a password spray attack. Password spraying is a relatively simple brute force technique that involves trying the same password against multiple accounts. By bombarding user accounts with known weak and compromised passwords, the attackers were able to gain access to legacy non-production test accounts within Microsoft systems, giving them an initial foothold in the environment. The account either already had unusual permissions or had its privileges elevated by the attackers.
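The tell-tale shape of a spray (many distinct accounts, very few attempts each, from one source, in a short window) is what a defender looks for in failed-logon telemetry. The following is an added example, not code from the original article or from Specops, showing that detection logic run over a constructed set of failed-logon records. It assumes events have already been parsed into dictionaries with the hypothetical fields `ts`, `user`, `src` and `event_id` (Windows logs its failed logons as event 4625, but the parsing itself is out of scope here).

```python
"""Flag password-spray patterns in failed-logon events.

Added example (not from the original article). The event shape below is an
assumption: each event is a dict with 'ts' (ISO-8601 string), 'user', 'src'
(source address) and 'event_id'. Real 4625 events would be parsed into this
shape first.
"""
from collections import defaultdict
from datetime import datetime

EPOCH = datetime(1970, 1, 1)

# Constructed sample data: one source tries one password against twelve
# accounts (a spray), while one user fails three times from another address
# (a typo, not a spray).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T02:00:05", "user": f"user{i:02d}", "src": "203.0.113.7", "event_id": 4625}
    for i in range(12)
] + [
    {"ts": "2024-01-10T02:00:40", "user": "alice", "src": "198.51.100.4", "event_id": 4625},
    {"ts": "2024-01-10T02:00:52", "user": "alice", "src": "198.51.100.4", "event_id": 4625},
    {"ts": "2024-01-10T02:01:10", "user": "alice", "src": "198.51.100.4", "event_id": 4625},
]


def detect_spray(events, window_minutes=10, min_accounts=8, max_per_account=2):
    """Return one alert per (source, time window) that looks like a spray.

    A spray is distinguished from ordinary lockout-style brute force by
    breadth: many distinct accounts, each touched only once or twice, so the
    per-account failure counters that drive lockout policies never trip.
    """
    window_seconds = window_minutes * 60
    # (source, window index) -> account -> failure count
    buckets = defaultdict(lambda: defaultdict(int))
    for event in events:
        if event["event_id"] != 4625:  # only failed logons are relevant
            continue
        ts = datetime.fromisoformat(event["ts"])
        bucket = int((ts - EPOCH).total_seconds() // window_seconds)
        buckets[(event["src"], bucket)][event["user"]] += 1

    alerts = []
    for (src, bucket), per_user in buckets.items():
        distinct_accounts = len(per_user)
        heaviest = max(per_user.values())
        if distinct_accounts >= min_accounts and heaviest <= max_per_account:
            alerts.append({
                "src": src,
                "accounts": distinct_accounts,
                "max_attempts_per_account": heaviest,
                "users": sorted(per_user),
                "window_start": (EPOCH + (bucket * window_seconds) * (datetime(1970, 1, 1, 0, 0, 1) - EPOCH)).isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(f"spray from {alert['src']}: {alert['accounts']} accounts, "
              f"at most {alert['max_attempts_per_account']} attempt(s) each, "
              f"window starting {alert['window_start']}")
```

The thresholds (`min_accounts`, `max_per_account`, `window_minutes`) are the knobs that matter in practice: set `min_accounts` below the size of the smallest department you care about and the rule becomes noisy, set it too high and a slow spray that rotates through a handful of accounts per window slips under it. Legacy and test accounts such as the ones Microsoft describes are worth a dedicated, lower-threshold rule, since they should see little or no legitimate logon activity at all.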
The attack lasted for seven weeks, during which time the hackers stole archives of emails and attachments. The data was leaked from a “very small percentage” of corporate email accounts, including those belonging to senior leadership and employees on cybersecurity and legal teams. Microsoft’s security team detected the hack on January 12 and took immediate action to disrupt the hackers’ activities and deny them further access.
However, the fact that hackers were able to access such sensitive internal information highlights the potential damage that can be caused by even a seemingly insignificant account compromise. All an attacker needs is to establish an initial foothold within your organization.
The importance of protecting all accounts
While organizations typically prioritize protecting privileged accounts, the attack on Microsoft showed that every user account is a potential entry point for attackers. Privilege escalation means attackers can achieve their goals without requiring a high-privileged administrator account as an entry point.
For many reasons, protecting inactive low-privilege accounts is just as important as protecting high-privilege administrator accounts. First, attackers often target these overlooked accounts as potential entry points into the network. Inactive accounts are more likely to have weak or outdated passwords, making them easier targets for brute force attacks. Once compromised, attackers can use these accounts to move laterally within the network, escalate privileges, and access sensitive information.
Second, inactive accounts are often overlooked when it comes to security measures, making them attractive targets for hackers. Organizations may neglect to enforce strong password policies or multi-factor authentication on these accounts, leaving them vulnerable to exploitation. From an attacker’s perspective, even a low-privilege account can provide valuable access to certain systems or data within an organization.
Defend against password spray attacks
The Microsoft hack is a wake-up call for organizations to prioritize the security of each user account. It highlights the critical need for strong password protection for all accounts, regardless of importance. By implementing strong password policies, enabling multi-factor authentication, conducting regular Active Directory audits, and continuously scanning for leaked passwords, organizations can significantly reduce the risk of being compromised in the same way.
- Active Directory Audit: Regular audits of Active Directory can identify unused and inactive accounts and other password-related vulnerabilities. Audits provide a valuable snapshot of Active Directory, but should always be supplemented by ongoing risk mitigation efforts. If you lack visibility into your organization’s inactive and outdated user accounts, consider running a read-only audit with our free audit tool, which provides interactive, exportable reports: Specops Password Auditor.
- Strong Password Policy: Organizations should implement strong password policies to block weak passwords, such as common terms or keyboard entries such as “qwerty” or “123456.” Implementing long and unique passwords or passphrases can effectively protect against brute force attacks. A custom dictionary that blocks terms related to your organization and industry should also be included.
- Multi-factor authentication (MFA): Enabling MFA increases the authentication hurdle that hackers need to overcome. MFA is an important layer of defense, but it’s worth remembering that MFA is not foolproof. It needs to be combined with strong password security.
- Leaked Password Scan: Even strong passwords can be compromised if end users reuse them on less secure personal devices, websites or applications. Implementing tools to continuously scan Active Directory for leaked passwords can help identify and mitigate potential risks.
Continue to cut off hackers’ attack routes
The Microsoft hack highlights the need for organizations to implement strong password protection across all accounts. A secure password policy is critical to ensure that all accounts, including legacy, non-production, and test accounts, are not ignored. Additionally, blocking known compromised credentials adds an extra layer of protection against active attacks.
Specops Password Policy with Leaked Password Protection provides automated, continuous protection for your Active Directory. It protects your end users from over 4 billion unique known leaked passwords, including material from known leaks as well as our own honeypot system that collects passwords used in real password spraying attacks.
Daily updates to the Leaked Password Protection API, coupled with continuous scanning of the use of these passwords across the network, amount to a more comprehensive defense against the threat of password attacks and the risk of password reuse. Talk to an expert today to find out how a Specops password policy can fit your organization.