APT29 - NOBELIUM, Midnight Blizzard

The Midnight Blizzard attack, carried out by the Russian state-sponsored group also tracked as APT29 and NOBELIUM, began with a password spray against a legacy, non-production test tenant account that did not have multifactor authentication enabled. From that foothold the actor compromised a legacy test OAuth application with elevated access to the Microsoft corporate environment, created additional malicious OAuth applications and a new user account to grant them consent, and used the applications' Exchange Online mailbox access to read the email of a small number of Microsoft corporate accounts, including members of senior leadership and staff in cybersecurity and legal functions.

Research:

https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

Remediation details

Two controls address the techniques used in this attack. First, enforce multifactor authentication (MFA) for every account, including test and legacy tenants: the initial foothold was a sprayed password on an account without MFA, and MFA makes a guessed password insufficient on its own. Second, control who can grant OAuth applications access to the tenant. The actor relied on an existing over-privileged application and on consent granted to newly created malicious applications, so only administrators should be able to enable marketplace and custom enterprise applications, with user requests routed through an admin consent workflow. Audit the permissions already held by existing applications and service principals as well, since a consent policy does not revoke grants made before it was enabled.

Implementing the following steps reduces the attack surface for this class of attack; ongoing monitoring of your Microsoft 365 and Azure environment remains critical, and Overe Monitor/Respond provides it.

Step 1 : Enforce Policy Control 'Require MFA for all users'
This Policy Control creates a Conditional Access Policy in your Microsoft tenant named "(Overe) Require multifactor authentication for all users", which grants access to any target resource ONLY to users who complete MFA. Exclude a dedicated break-glass account from the policy so that an MFA outage cannot lock administrators out of the tenant.

Step 2 : Enforce Policy Control 'Enable admin approval policy for app consent requests'
This Policy Control enables the admin consent workflow in your tenant: a user who tries to use an application that requires admin consent submits a request instead, and a designated administrator reviews it and approves or denies it. Pair it with disabling self-service user consent, so that no application can be granted access to organisational data without administrator review.

You can also use Policy Templates to add these Policy Controls to all your tenants at once (see the Step by Step Walkthrough).
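The two steps above are applied through Overe's Policy Controls. The following is an added example, not Overe's or Microsoft's own code, showing the equivalent changes made directly with the Microsoft Graph PowerShell SDK, plus a check the Microsoft guidance linked above recommends: listing which applications already hold the Exchange Online full_access_as_app role that the actor granted to its malicious applications. The policy name is taken from Step 1; the break-glass account ID, the consent reviewer ID and the 30-day request duration are placeholder assumptions to replace for your tenant.

```powershell
# Added example (not Overe's or Microsoft's code). Requires the Microsoft.Graph
# module and an account that can edit Conditional Access and consent policies.
$scopes = @(
    "Policy.ReadWrite.ConditionalAccess",
    "Policy.ReadWrite.ConsentRequest",
    "Policy.ReadWrite.Authorization",
    "Application.Read.All"
)
Connect-MgGraph -Scopes $scopes

# --- Step 1: Conditional Access policy requiring MFA for all users -----------
# Created in report-only mode first; review the sign-in logs for unexpected
# failures, then change state to "enabled". The break-glass object ID is a
# placeholder (assumption) for your emergency-access account.
$breakGlass = "<break-glass-account-object-id>"
$mfaPolicy = @{
    displayName   = "(Overe) Require multifactor authentication for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy
"Created Conditional Access policy $($created.Id) in state $($created.State)"

# --- Step 2: admin consent workflow, and no self-service user consent --------
# Reviewers are Graph queries; a single admin user is assumed here (placeholder ID).
$consentWorkflow = @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(
        @{ query = "/users/<consent-reviewer-object-id>"; queryType = "MicrosoftGraph" }
    )
}
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter $consentWorkflow

# With no permission-grant policies assigned to the default user role, users
# cannot consent to any application themselves; requests go through the workflow.
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() }
}

# --- Check: which applications already hold Exchange Online full_access_as_app?
# The Office 365 Exchange Online resource has the well-known AppId below. Map its
# app role IDs to role names so the filter does not depend on a hard-coded GUID.
$exo = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
$roleById = @{}
foreach ($role in $exo.AppRoles) { $roleById[$role.Id] = $role.Value }
$fullAccessGrants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $exo.Id -All |
    Where-Object { $roleById[$_.AppRoleId] -eq "full_access_as_app" }
# Every principal listed here can read every mailbox in the tenant; each one
# should be known, justified and, where possible, scoped down or removed.
$fullAccessGrants | Select-Object PrincipalDisplayName, PrincipalId, CreatedDateTime
```

The consent policy change only affects future grants, which is why the final check matters: an application that was granted full_access_as_app before the workflow was enabled keeps that access until an administrator removes the assignment.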

Severity: HIGH
Productivity Impact: MEDIUM
Fix Estimate: Protected by Overe