Midnight Blizzard Attack Detection in Trellix Helix
Description

By Ian Shefferman · March 18, 2024

On January 25, 2024, Microsoft reported a breach of their systems by the Russian APT group Midnight Blizzard, also known as APT29 and Cozy Bear. The attackers performed a password spray, compromised a Microsoft 365 test tenant account that didn’t have multi-factor authentication (MFA) enabled, and leveraged the account’s access to a legacy OAuth app to escalate privileges and exfiltrate email messages from Microsoft’s corporate Exchange Online environment.

Later, on March 8, 2024, Microsoft published an update: “Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024”. The attackers were also observed trying to leverage information from the initial exfiltration to breach customer environments, indicating a sustained, significant commitment to gather even more data.

This article provides an overview of how Trellix Helix provides detection for and supports the investigation of the techniques observed in the Midnight Blizzard attack. Helix achieves this with a combination of rules and analytics (baseline deviation monitoring) that can detect various stages of this type of attack.

Attack Techniques and Patterns

Figure 1: Diagram of the Midnight Blizzard attack against Microsoft’s Exchange Online environment

Phase 1 – Detection

Initial access via…
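As an added example (not code from the Trellix article or from Helix itself), here is the shape of rule the password-spray phase described above calls for: one source failing against many distinct accounts in a short window, with any later success from that source flagged as the account to look at first. It runs over constructed sign-in events; the field layout, thresholds and addresses are assumptions.

```python
# Added example (not from the Trellix article): a minimal password-spray
# detector over constructed sign-in events. A spray is many distinct accounts
# each failing once or twice from one source in a short window, which a
# per-account lockout threshold never sees. Field names are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: timestamp, user, source_ip, result.
SAMPLE_LOG = """\
2024-01-20T02:00:01Z alice@example.test 203.0.113.7 failure
2024-01-20T02:00:04Z bob@example.test 203.0.113.7 failure
2024-01-20T02:00:09Z carol@example.test 203.0.113.7 failure
2024-01-20T02:00:15Z dave@example.test 203.0.113.7 failure
2024-01-20T02:00:21Z erin@example.test 203.0.113.7 failure
2024-01-20T02:00:27Z test-tenant@example.test 203.0.113.7 success
2024-01-20T02:05:00Z alice@example.test 198.51.100.4 failure
2024-01-20T02:05:30Z alice@example.test 198.51.100.4 failure
2024-01-20T02:06:00Z alice@example.test 198.51.100.4 success
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: {'accounts': n, 'successes': [users]}} for sources
    that failed against at least min_accounts distinct users in one window."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[2]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[3] == "failure"]
        for i, start in enumerate(failures):
            users = {e[1] for e in failures[i:] if e[0] - start[0] <= window}
            if len(users) >= min_accounts:
                # A success from the same source during or after the spray is
                # the account that lacked MFA: the first thing to investigate.
                succ = [e[1] for e in evs if e[3] == "success" and e[0] >= start[0]]
                alerts[ip] = {"accounts": len(users), "successes": succ}
                break
    return alerts

if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```

The second source in the sample (repeated failures against a single account, then a success) is deliberately not flagged: that is the brute-force pattern a per-account threshold already catches, whereas the spray pattern only shows up when counting distinct accounts per source.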
