Midnight Blizzard (Microsoft Email Compromise Follow-on Activity)
BLUF
Russian state-sponsored actors (Midnight Blizzard) are using information, including authentication details, exfiltrated from Microsoft's corporate email system to gain or attempt to gain further access to Microsoft customer systems. The volume of the attacks, such as password sprays, has increased significantly.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by follow-on compromise activity stemming from exfiltrated Microsoft corporate email data used for credential abuse and cloud tenant access:
Low-end total cost: $2M – $3M
(Rapid containment, limited tenant exposure, strong identity controls already in place)
Typical expected range: $3.5M – $6M
Upper-bound realistic scenarios: $6.5M – $9M
(Broad credential exposure, legacy tenants, regulatory scrutiny, extended assurance efforts)
Key cost driver:
Costs are driven less by service outages and more by loss of confidence in identity and email integrity. Once authentication data and internal correspondence are assumed compromised, organizations must invest heavily in validation, access reissuance, regulatory assurance, and long-term identity modernization—extending financial impact well beyond initial containment.
Targeted Sectors
· Federal Civilian Executive Branch (FCEB) agencies
· Government
· Critical infrastructure entities
· Private sector organizations
· Microsoft customers
Targeted Countries
· United States
· Global Microsoft customers
Origin of actor
· Russia
Date of First Reported Activity
· January 2024 (age 2 years)
o The current follow-on activity was reported as significantly increasing in February 2024
Date of Last Reported Activity Update
· New CISA guidance issued on January 8, 2026
APT Names
· Midnight Blizzard
o Nobelium
o APT29
o Cozy Bear
Associated Criminal Organization Names
· Not Applicable
IOCs
· %WINDIR%\ADFS\version.dll
· %WINDIR%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config
RDP Spear-Phishing Campaign (Late 2024)
In late 2024, Midnight Blizzard initiated a campaign using digitally signed Remote Desktop Protocol (.rdp) files as lures. Some identified malicious RDP filenames include:
· Zero Trust Architecture Configuration.rdp
· ZTS Device Compatibility Test.rdp
· Device Security Requirements Check.rdp
· AWS IAM Quick Start.rdp
· AWS IAM Configuration.rdp
Associated file hashes (SHA-256) and network infrastructure details, including attack and email server IP addresses, have been documented.
Watering Hole & Malware Campaigns (2025)
· A 2025 campaign used a "wine tasting" invitation to deliver the GRAPELOADER backdoor to European diplomats.
· Amazon disrupted a watering hole operation in mid-2025 that used infrastructure mimicking Amazon Web Services (AWS) domains for credential theft via device code authentication.
· Analysis of 39 domain IOCs revealed that most were registered in August 2024 or later, frequently in the U.S. and often through registrars like NameSilo, eNom, and Hostinger.
Ongoing Tactics & Infrastructure
Midnight Blizzard continues to employ various tactics, including the use of residential proxy networks to obscure their activities. Recent attacks involve renaming compromised Microsoft 365 tenants to impersonate "IT Support" and creating *.onmicrosoft.com subdomains to bypass reputation checks. They also continue to exploit vulnerabilities in unpatched internet-facing servers, specifically CVE-2023-42793 in JetBrains TeamCity.
Tools Used in Campaign
· Password spraying tools/scripts
· Potentially leveraging information from compromised emails to target customer accounts
· Initial entry was achieved through what Microsoft described as a "nation-state actor attack," the details of which led to the email system compromise.
2025 CVEs and CVSS Vectors
CVE-2025-59287
CVSS:3.1
· (9.8) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nessus ID(s)
· 271435
· 271436
· 271437
· 271438
· 271439
· 271440
· 271441
Is CVE-2025-59287 on the KEV list?
· Yes
What was the patch by date?
· November 14, 2025
What is the URL to the patch information for CVE-2025-59287
· hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
Mitigation
· Agencies and organizations are required to analyze exfiltrated email content
· Reset any compromised credentials
· Secure authentication tools for privileged Microsoft Azure accounts.
Malware Names
· Malicious RDP Configuration
· GraphicalProton (DLL)
· FOGGYWEB (Backdoor)
Malware Samples
Malicious RDP configuration file hash from a related campaign
sha256
311e9c8cf6d0b295074ffefaa9f277cb1f806343be262c59f88fbdf6fe242517
URL to sample
· hxxps://www.virustotal.com/gui/file/311e9c8cf6d0b295074ffefaa9f277cb1f806343be262c59f88fbdf6fe242517
TTPs
· T1110.003 Brute Force Password Spraying
o Midnight Blizzard gained initial entry by targeting a legacy, non-production test tenant account that lacked multi-factor authentication (MFA).
· T1078.004 Valid Accounts Cloud Accounts
o The group exploited valid but legacy or dormant accounts to bypass traditional perimeter defenses.
· T1098.003 Account Manipulation Additional Cloud Credentials
o After initial access, they created, modified, and granted high permissions to malicious OAuth applications to maintain a persistent foothold.
· T1136.003 Create Account Cloud Account
o The threat actor created new user accounts specifically to grant administrative consent to their malicious OAuth applications.
· T1098.002 Account Manipulation Additional Email Delegate Permissions
o They utilized the full_access_as_app role in Office 365 Exchange Online, allowing them to tap directly into corporate mailboxes.
· T1114.002 Email Collection Remote Email Services
o Midnight Blizzard leveraged malicious OAuth applications to authenticate via Exchange Web Services (EWS) to exfiltrate email data.
· T1090.003 Proxy Multi-hop Proxy
o To avoid detection and obfuscate their origin, they launched attacks through a distributed residential proxy infrastructure, making traffic appear as though it came from legitimate users.
· T1566.001 Phishing Spearphishing Attachment
o In follow-on campaigns, they used highly targeted spear-phishing emails containing malicious RDP configuration files (.rdp) to compromise systems in government and defense sectors.
· T1588.005 Obtain Capabilities Exploitation of Secrets
o Midnight Blizzard utilized secrets (such as credentials or tokens) exfiltrated from the original email correspondence to gain unauthorized access to source code repositories and internal systems.
Suggested Rules / potential hunts
Suricata
Monitor for outbound RDP traffic to unfamiliar external IPs, particularly if initiated from non-standard workstations.
alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"Potential Midnight Blizzard RDP Lure Connection"; flow:to_server,established; classtype:policy-violation; sid:100001; rev:1;)
Inspect traffic to common identity endpoints (e.g., login.microsoftonline.com) for unusual User-Agents or excessive 401/403 responses that may indicate programmatic password spraying.
SentinelOne
Hunt suggestions
OAuth Permission Escalation
Hunt for the granting of high-privilege roles like full_access_as_app in Exchange Online.
Legacy Tenant Activity
Look for successful logins from external IPs to legacy or "non-production" accounts that lack MFA.
Process Hunting
Process.Name = "mstsc.exe" where the command line points to a recently downloaded .rdp file from an email attachment.
Unusual child processes spawning from web browsers or email clients after interacting with identity portals.
Splunk
Query for Error Code 50126 (invalid password) across multiple accounts from a single source IP in a short window.
index=azure_logs OperationName="Sign-in activity" Status.errorCode=50126 | bin _time span=10m | stats dc(user) as distinct_users, count by src_ip, _time | where distinct_users > 10
Hunt for the creation of new OAuth applications followed immediately by high-level permission consent.
index=azure_logs OperationName IN ("Add service principal", "Add app role assignment to service principal")
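The 50126 spray hunt above, carried out offline in Python as an added example (not part of the original report or any vendor tooling): it parses constructed sign-in records modeled loosely on the Entra ID sign-in log shape, and flags any source IP under which many distinct accounts fail with error 50126 inside one sliding window. Because the actor routes through distributed residential proxies (see T1090.003), the same function can be keyed on User-Agent instead of IP, which catches a spray spread across many exit addresses; event field names, IPs, accounts and thresholds are all assumptions.

```python
"""Password-spray hunt over constructed sign-in records (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # sign-in error code: invalid username or password


def parse_signins(text):
    """Parse newline-delimited JSON sign-in events into flat dicts."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        e = json.loads(line)
        events.append({"time": datetime.fromisoformat(e["createdDateTime"]),
                       "user": e["userPrincipalName"], "src_ip": e["ipAddress"],
                       "ua": e.get("userAgent", ""), "error": int(e["status"]["errorCode"])})
    return events


def find_sprays(events, key="src_ip", window=timedelta(minutes=10), threshold=5):
    """Map each key value (source IP or User-Agent) to the accounts that failed
    with 50126 under it, where at least `threshold` distinct accounts failed
    inside one sliding `window`. A single user locking themselves out never qualifies."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["error"] == INVALID_PASSWORD:
            failures[e[key]].append(e)
    hits = {}
    for k, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward until it fits
            users = {x["user"] for x in evs[start:end + 1]}
            if len(users) >= threshold:
                hits[k] = hits.get(k, set()) | users
    return hits


def _ev(minute, user, ip, ua, code):  # builds one constructed sample event
    return {"createdDateTime": f"2024-02-01T09:{minute:02d}:00", "userPrincipalName": user,
            "ipAddress": ip, "userAgent": ua, "status": {"errorCode": code}}


SAMPLE_LOG = "\n".join(json.dumps(e) for e in (
    # single-IP spray: six accounts, one guess each, over five minutes
    [_ev(m, f"user{m}@example.com", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)", 50126)
     for m in range(6)]
    # a real user mistyping twice, then succeeding: never a spray
    + [_ev(10, "alice@example.com", "198.51.100.5", "Mozilla/5.0 (Macintosh)", 50126),
       _ev(11, "alice@example.com", "198.51.100.5", "Mozilla/5.0 (Macintosh)", 50126),
       _ev(12, "alice@example.com", "198.51.100.5", "Mozilla/5.0 (Macintosh)", 0)]
    # proxy-distributed spray: one account per exit IP, but one scripted User-Agent
    + [_ev(20 + i, f"svc{i}@example.com", f"192.0.2.{i}", "python-requests/2.31", 50126)
       for i in range(5)]))
```

Keying on User-Agent is noisier than keying on IP for common browser strings, so in practice compare each User-Agent group against its normal baseline rather than applying one fixed threshold.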
Delivery Method
· Exfiltration of existing data and subsequent use in online password spraying and credential stuffing attacks.
Email Samples
· No specific samples were available in the search results, as the emails in question were internal Microsoft-customer correspondence that was exfiltrated, not the delivery method itself.
References
Tenable
· hxxps://www.tenable.com/cve/CVE-2025-59287/plugins
MSRC Microsoft
· hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2025-59287
CISA Gov
· hxxps://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system-closed
VirusTotal
· hxxps://www.virustotal.com/gui/file/311e9c8cf6d0b295074ffefaa9f277cb1f806343be262c59f88fbdf6fe242517