Executive Summary
Midnight Blizzard (formerly tracked as Nobelium) has been observed using a novel technique: abusing OAuth applications to maintain persistent access to cloud environments. The campaign targets the technology and government sectors.
Key Findings
- Persistence via OAuth: The actor creates malicious OAuth applications within compromised tenants. Once the application has been granted permissions, it authenticates with its own credentials and tokens rather than the user's, so no interactive MFA prompt is ever triggered and access persists independently of the compromised account.
- Targeting Strategy: Focus remains on high-value targets in the defense and diplomatic sectors.
- Evasion: Residential proxy networks are used to mask the true origin of the actor's traffic, so source IPs resolve to consumer ISP ranges rather than known hosting providers.
Technical Details
Initial access is gained through password spraying against accounts that lack MFA. Once inside the tenant, the actor registers a new OAuth application and grants it the Mail.ReadWrite Microsoft Graph permission, which allows mailbox contents to be read and modified through the Graph API without any further user interaction.
"The use of legitimate OAuth flows makes this activity extremely difficult to detect with traditional perimeter monitoring."
Mitigation
- Audit all OAuth applications and service principals that hold high-privilege scopes such as Mail.ReadWrite, and revoke any that have no known owner or business justification.
- Enforce phishing-resistant MFA (for example FIDO2 security keys or certificate-based authentication) for all users; this also closes the password-spraying entry point described above.
- Monitor for New-Application events in audit logs. In Microsoft Entra ID audit logs, application registration is recorded under the "Add application" activity, and the subsequent permission grant under "Consent to application" or "Add app role assignment to service principal"; the creation followed shortly by a high-privilege grant is the pattern to alert on.
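As an added illustration (not part of the report, and not code from the actor or from Microsoft), the following Python triages audit events for the sequence described above: an application is registered, then granted Mail.ReadWrite. The event shape is a simplified subset of the Microsoft Entra ID audit log schema (activityDisplayName, initiatedBy, targetResources, modifiedProperties); the exact formatting of the newValue field is an assumption, and the log lines themselves are constructed for the example.

```python
"""Triage Entra ID-style audit events for the OAuth persistence pattern.

Added example; not code from the report. Event shape is a simplified subset
of the Entra ID audit log schema; newValue formatting is an assumption.
"""
import json
import re

# Audit-log activities that register an OAuth app or hand it permissions.
APP_ACTIVITIES = {
    "Add application",
    "Add service principal",
    "Consent to application",
    "Add app role assignment to service principal",
    "Add delegated permission grant",
}
CREATE_ACTIVITIES = {"Add application", "Add service principal"}

# Graph / Exchange permissions that grant mailbox or directory-wide access.
# Mail.ReadWrite is the one the report names.
HIGH_PRIVILEGE_SCOPES = {
    "Mail.ReadWrite", "Mail.Read", "Mail.Send", "MailboxSettings.ReadWrite",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "full_access_as_app",
}

# Dotted permission names (Mail.ReadWrite, User.Read) or the Exchange
# full_access_as_app role, found inside free-text property values.
_SCOPE_RE = re.compile(r"\b[A-Za-z]+(?:\.[A-Za-z]+)+\b|\bfull_access_as_app\b")

# Constructed sample log (JSON lines); not real telemetry.
SAMPLE_LOG = r"""
{"activityDateTime": "2024-01-12T03:14:07Z", "activityDisplayName": "Add application", "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.com"}}, "targetResources": [{"displayName": "Outlook Sync Helper", "type": "Application", "modifiedProperties": []}]}
{"activityDateTime": "2024-01-12T03:15:41Z", "activityDisplayName": "Add service principal", "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.com"}}, "targetResources": [{"displayName": "Outlook Sync Helper", "type": "ServicePrincipal", "modifiedProperties": []}]}
{"activityDateTime": "2024-01-12T03:16:02Z", "activityDisplayName": "Consent to application", "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.com"}}, "targetResources": [{"displayName": "Outlook Sync Helper", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "ConsentAction.Permissions", "newValue": "[[ConsentType: AllPrincipals, Scope: Mail.ReadWrite openid profile]]"}]}]}
{"activityDateTime": "2024-01-12T09:02:55Z", "activityDisplayName": "Update user", "initiatedBy": {"user": {"userPrincipalName": "itadmin@example.com"}}, "targetResources": [{"displayName": "jdoe@example.com", "type": "User", "modifiedProperties": []}]}
{"activityDateTime": "2024-01-12T10:30:00Z", "activityDisplayName": "Consent to application", "initiatedBy": {"user": {"userPrincipalName": "itadmin@example.com"}}, "targetResources": [{"displayName": "Time Tracker", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "ConsentAction.Permissions", "newValue": "[[ConsentType: Principal, Scope: User.Read openid]]"}]}]}
"""


def parse_events(log_text):
    """Parse JSON-lines audit export into a list of event dicts."""
    return [json.loads(ln) for ln in log_text.strip().splitlines() if ln.strip()]


def actor_of(event):
    """Return the initiating user (or app, for app-initiated changes)."""
    init = event.get("initiatedBy") or {}
    if init.get("user"):
        return init["user"].get("userPrincipalName", "unknown-user")
    if init.get("app"):
        return init["app"].get("displayName", "unknown-app")
    return "unknown"


def granted_scopes(event):
    """Collect permission names mentioned in any modified property value."""
    scopes = set()
    for target in event.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            scopes.update(_SCOPE_RE.findall(prop.get("newValue") or ""))
    return scopes


def triage(events):
    """Score each app-related event; high-privilege grants are 'high'."""
    findings = []
    for ev in events:
        activity = ev.get("activityDisplayName")
        if activity not in APP_ACTIVITIES:
            continue
        targets = ev.get("targetResources") or [{}]
        high = sorted(granted_scopes(ev) & HIGH_PRIVILEGE_SCOPES)
        if high:
            severity = "high"
        elif activity in CREATE_ACTIVITIES:
            severity = "medium"   # new app: suspicious, but no power yet
        else:
            severity = "low"      # grant of low-privilege scopes only
        findings.append({
            "time": ev.get("activityDateTime"),
            "activity": activity,
            "actor": actor_of(ev),
            "target": targets[0].get("displayName", "?"),
            "high_privilege_scopes": high,
            "severity": severity,
        })
    return findings


def persistence_chains(findings):
    """(actor, app) pairs where the same actor both registered the app and
    granted it a high-privilege scope: the report's persistence pattern."""
    created = {(f["actor"], f["target"]) for f in findings
               if f["activity"] in CREATE_ACTIVITIES}
    privileged = {(f["actor"], f["target"]) for f in findings
                  if f["high_privilege_scopes"]}
    return sorted(created & privileged)


if __name__ == "__main__":
    results = triage(parse_events(SAMPLE_LOG))
    for f in results:
        print(f["severity"].upper(), f["time"], f["actor"], f["activity"],
              f["target"], f["high_privilege_scopes"])
    print("persistence chains:", persistence_chains(results))
```

In production the same logic would run over an export from the Entra ID audit log (or the equivalent Sentinel AuditLogs table) rather than the constructed lines; the chaining step is what separates a routine app registration by IT from an app that was registered and immediately handed mailbox access by a freshly compromised user.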