Microsoft reveals how Russia’s Cozy Bear hacked its email system

Microsoft has revealed more details about how Russian hacking group Cozy Bear, also known as APT29, gained access to its network and stole internal emails and files. The compromised account used in the attack did not have multi-factor authentication (MFA) enabled, allowing the hackers to utilize password spray attacks. This type of attack involves attempting to log into multiple accounts using one password at a time, to avoid triggering monitoring systems. Once the hackers gained access to a non-production Microsoft system, they exploited a legacy test OAuth application, created additional malicious OAuth applications, and used a new user account to grant consent for these applications. With this access, they were able to steal emails and files from corporate inboxes. To make their traffic appear legitimate, Cozy Bear used residential broadband networks as proxies. Microsoft has admitted that its lack of MFA protection was a mistake and has stated its intention to fast-track MFA across the board. The company has also provided guides for administrators on how to avoid similar compromises. This incident serves as a reminder of the importance of implementing strong security measures, including multi-factor authentication, to protect against cyber attacks.