Reflecting on the 2024 Microsoft Breach
Published 09/15/2025
CSA’s Top Threats to Cloud Computing Deep Dive 2025 reflects on eight recent real-world security breaches. The report presents the narrative of each incident, as well as the relevant cloud security risks and mitigations. Today we’re reflecting on the final incident covered in the Deep Dive: 2024’s Microsoft hack.
Midnight Blizzard, a state-backed cyber espionage group, gained access to the emails of Microsoft’s leadership and cybersecurity teams.
The threat actor ran a “password spraying” brute-force attack through residential proxies against a small number of accounts. A spray tries a few likely passwords against many accounts rather than many passwords against one, and this one kept the attempt rate low so that no account reached its lockout threshold and no per-account failure alert fired. It succeeded against a “legacy, non-production test tenant account” (Top Threat #2: IAM).
Microsoft had not enabled MFA for the affected test account (Top Threat #4: Inadequate Cloud Security Strategy). This allowed the threat actors to gain unauthorized access to Microsoft’s systems once they brute-forced the correct password. Midnight Blizzard leveraged this initial access to identify and compromise a legacy test OAuth application. This application had elevated access to the Microsoft corporate environment (Top Threat #3: Insecure Interfaces and APIs).
The actor then created a new user account in the Microsoft corporate environment. They used it to grant consent to actor-controlled malicious OAuth applications (Top Threat #6: Insecure Software Development).
The threat actor then used the legacy test OAuth application to grant the actor-controlled applications the Office 365 Exchange Online full_access_as_app role. This is an application permission of the Exchange Web Services (EWS) API: with no user signed in, it gives the holding application full access to every mailbox in the organization.
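A grant like the one above is the kind of thing an identity team should be able to enumerate on demand. The following Python is an added illustration for this article, not code from the CSA report or from Microsoft. It runs over a constructed export shaped like the two Microsoft Graph collections an auditor would pull (the appRoles a resource service principal exposes, and the appRoleAssignments held by client service principals, plus each principal's owners) and lists every application that holds tenant-wide mailbox access, ownerless and oldest grants first. Application names, IDs, owners and dates are made up; the permission strings (full_access_as_app, Exchange.ManageAsApp, Mail.ReadWrite, Mail.Read, User.Read.All) are the documented names. The Graph Mail.* entries generalize the EWS check the article describes.

```python
"""Finding OAuth applications that hold tenant-wide mailbox permissions.

Added illustration for this article; not code from the CSA report or from
Microsoft. Runs over a constructed export shaped like the Graph collections
an auditor would pull. Application names, IDs, owners and dates are made up.
"""

# In a real tenant appRoleId is a GUID resolved against the resource service
# principal's appRoles; short labels stand in for GUIDs in this sample.
RESOURCE_APP_ROLES = {
    "Office 365 Exchange Online": {
        "full_access_as_app": "role-ews-full",
        "Exchange.ManageAsApp": "role-ews-manage",
    },
    "Microsoft Graph": {
        "Mail.ReadWrite": "role-graph-mail-rw",
        "User.Read.All": "role-graph-user-read",
    },
}

# Application permissions that, once consented, reach every mailbox in the
# tenant with no signed-in user. full_access_as_app is the EWS permission the
# article discusses; the Graph entries generalize the same check.
TENANT_WIDE_MAILBOX_ROLES = {
    ("Office 365 Exchange Online", "full_access_as_app"),
    ("Microsoft Graph", "Mail.ReadWrite"),
    ("Microsoft Graph", "Mail.Read"),
}

# Constructed; field names follow the Graph appRoleAssignment resource.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-0001", "principalDisplayName": "legacy-test-oauth-app",
     "resourceDisplayName": "Office 365 Exchange Online",
     "appRoleId": "role-ews-full", "createdDateTime": "2019-03-02T10:15:00Z"},
    {"principalId": "sp-0002", "principalDisplayName": "hr-mail-connector",
     "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "role-graph-mail-rw", "createdDateTime": "2023-06-14T08:00:00Z"},
    {"principalId": "sp-0003", "principalDisplayName": "device-inventory",
     "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "role-graph-user-read", "createdDateTime": "2022-01-20T12:00:00Z"},
    {"principalId": "sp-0004", "principalDisplayName": "exo-automation",
     "resourceDisplayName": "Office 365 Exchange Online",
     "appRoleId": "role-ews-manage", "createdDateTime": "2024-02-01T09:30:00Z"},
]

# Constructed; in Graph this comes from servicePrincipals/{id}/owners.
# sp-0001 deliberately has no owner: nobody is accountable for it.
SP_OWNERS = {"sp-0002": ["hr-platform-team"], "sp-0003": ["endpoint-team"],
             "sp-0004": ["messaging-team"]}


def resolve_permission(resource_roles, resource, app_role_id):
    """Map an appRoleId back to its permission string; None if unknown."""
    for value, role_id in resource_roles.get(resource, {}).items():
        if role_id == app_role_id:
            return value
    return None


def audit_mailbox_app_permissions(assignments, resource_roles=RESOURCE_APP_ROLES,
                                  owners=SP_OWNERS):
    """Return the assignments that grant tenant-wide mailbox access, ownerless
    applications first and oldest grants first within each group. An old,
    unowned grant is the profile of the forgotten test application in this case."""
    findings = []
    for a in assignments:
        resource = a["resourceDisplayName"]
        perm = resolve_permission(resource_roles, resource, a["appRoleId"])
        if (resource, perm) not in TENANT_WIDE_MAILBOX_ROLES:
            continue
        findings.append({
            "app": a["principalDisplayName"],
            "permission": f"{resource}/{perm}",
            "granted": a["createdDateTime"],
            "owners": owners.get(a["principalId"], []),
        })
    return sorted(findings, key=lambda f: (bool(f["owners"]), f["granted"]))


if __name__ == "__main__":
    for f in audit_mailbox_app_permissions(APP_ROLE_ASSIGNMENTS):
        tag = "NO OWNER" if not f["owners"] else ",".join(f["owners"])
        print(f'{f["app"]:<24} {f["permission"]:<48} {f["granted"]}  {tag}')
```

For each hit, confirm that the listed owner still exists and still needs the permission; if either is false, remove the app role assignment rather than leaving it for a later review. Delegated grants (oauth2PermissionGrants, the consent an actor-created user can give) are a separate collection and should be audited the same way.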
Microsoft identified the malicious activity from traces in Exchange Web Services (EWS) logs (Top Threat #9: Limited Cloud Visibility).
Technical Impacts
- Confidentiality: The breach compromised the confidentiality of sensitive information. This included emails between Federal Civilian Executive Branch (FCEB) agencies and Microsoft. Midnight Blizzard exfiltrated email data, potentially exposing sensitive data.
- Integrity: The attackers compromised authentication and authorization controls (a sprayed password, an over-privileged legacy OAuth application, consent granted through an actor-created account) rather than exploiting a software flaw. Whether any data was altered is not established in the public record; the integrity impact is that those controls could not be trusted until they were re-established.
- Availability: The attack was an espionage operation aimed at reading mail, not at disruption, and it did not significantly impact the availability of Microsoft’s services. Services remained available throughout the incident and the response.
Business Impacts
- Financial: Microsoft has not disclosed figures, but its statements make clear that the investigation, the remediation, and the wider security changes that followed required significant spending.
- Operational: The breach disrupted Microsoft’s operations, requiring significant resources to investigate and mitigate the attack.
- Compliance: The breach raised compliance concerns, particularly regarding data protection regulations. Microsoft had to ensure compliance with relevant regulations and standards, such as GDPR and CCPA, while addressing the breach.
- Reputational: The breach negatively affected Microsoft’s reputation, highlighting vulnerabilities in security practices. The incident drew attention to Microsoft’s security measures, potentially impacting customer trust and confidence.
Key Performance Indicators to Evaluate
- Mean-Time-to-Detect (MTTD): Microsoft detected the intrusion on January 12, 2024; the initial access dated to late November 2023. Microsoft said the actor accessed a “small percentage” of its corporate email accounts for over a month. Given Microsoft’s investment in prevention and detection, this points to a gap in proactive monitoring and automated detection, and specifically to the absence of detections tuned for low-and-slow attacks that stay under per-account thresholds.
- Mean-Time-to-Remediate (MTTR): Microsoft reported that it began response and containment as soon as the intrusion was detected. It did not give an exact discovery-to-remediation timeframe, but the public account indicates a fast response.
- Unauthorized Access Attempts: Microsoft has not shared what triggers it uses to detect unauthorized access. What the published account does show is that the actor stayed below them by spreading a small number of attempts across accounts, time, and residential proxy addresses.
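The low-and-slow spray described in the narrative and in the KPIs above only becomes visible when failed sign-ins are grouped by something other than the account. The following Python is an added illustration for this article, not code from the CSA report or from Microsoft's write-up. It runs over a handful of constructed sign-in events (made-up users and addresses, and a generic field layout rather than any vendor's log schema), flags a source that fails against many distinct accounts while every account stays under a per-account lockout threshold, and then records any of those accounts that later signs in successfully from the same source.

```python
"""Low-and-slow password spray detection over sign-in events.

Added illustration for this article; not code from the CSA report or from
Microsoft. The events, users and addresses below are constructed and the
field layout is generic rather than any vendor's sign-in log schema.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import NamedTuple


class SignIn(NamedTuple):
    ts: datetime
    user: str
    source: str      # source IP here; use ASN or client string when IPs rotate
    success: bool


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample. One source tries one password per account, roughly
# hourly, against seven accounts. No account exceeds two failures, so a
# per-account lockout at five never fires, yet one target is eventually
# guessed. The last three lines are a benign user mistyping a password.
SAMPLE_EVENTS = [SignIn(parse_ts(t), u, ip, ok) for t, u, ip, ok in [
    ("2023-11-20T02:01:10Z", "svc-test01", "203.0.113.10", False),
    ("2023-11-20T02:48:31Z", "svc-test02", "203.0.113.10", False),
    ("2023-11-20T03:30:05Z", "svc-test03", "203.0.113.10", False),
    ("2023-11-20T04:12:44Z", "svc-test04", "203.0.113.10", False),
    ("2023-11-20T05:02:19Z", "svc-test05", "203.0.113.10", False),
    ("2023-11-20T05:55:00Z", "svc-test06", "203.0.113.10", False),
    ("2023-11-20T06:41:27Z", "svc-test01", "203.0.113.10", False),
    ("2023-11-20T07:20:08Z", "legacy-test-tenant", "203.0.113.10", False),
    ("2023-11-20T08:03:50Z", "legacy-test-tenant", "203.0.113.10", True),
    ("2023-11-20T09:00:00Z", "alice", "198.51.100.7", False),
    ("2023-11-20T09:00:20Z", "alice", "198.51.100.7", False),
    ("2023-11-20T09:00:45Z", "alice", "198.51.100.7", True),
]]


def detect_spray(events, window=timedelta(hours=24), min_users=5, max_per_user=2):
    """Return one finding per source whose failures, within a sliding
    `window`, touch at least `min_users` distinct accounts while no single
    account fails more than `max_per_user` times (i.e. stays under lockout).

    A later success from the same source for any account the spray touched is
    recorded under "compromised": that is the event to page on.
    """
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_source[e.source].append(e)

    findings = []
    for source, evs in by_source.items():
        recent = deque()          # failures inside the sliding window
        failed_users = set()      # every account this source has failed against
        finding = None
        for e in evs:
            if e.success:
                if finding is not None and e.user in failed_users:
                    finding["compromised"].append(e.user)
                continue
            failed_users.add(e.user)
            recent.append(e)
            while e.ts - recent[0].ts > window:
                recent.popleft()
            if finding is None:
                per_user = Counter(f.user for f in recent)
                if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                    finding = {"source": source, "first_seen": recent[0].ts,
                               "users": sorted(per_user), "compromised": []}
                    findings.append(finding)
            else:
                # Keep extending the target list once the source is flagged.
                finding["users"] = sorted(set(finding["users"]) | {e.user})
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print(f["source"], len(f["users"]), "accounts sprayed; compromised:", f["compromised"])
```

The `source` field is deliberately generic. A residential proxy pool can present a different address for every attempt, which defeats per-IP grouping; the same function then runs with `source` set to the ASN, the client application or user-agent string, or the tenant as a whole, with `min_users` compared against that key's normal baseline (a shared NAT egress needs a much higher threshold than a single address). The success-after-spray entry is the sharpest signal in the output and should be triaged ahead of the spray itself.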
Preventive Mitigation
- Security Awareness Training: Establish and maintain a security awareness training program for all employees. Provide regular training updates to raise awareness of social engineering, OTP automation attacks, and insecure use of secrets.
- Strong Password Policy and Procedures: Establish and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.
- User Access Review: Define processes for the segregation of privileged access roles. Administrative access to data, encryption, key management, and logging capabilities should be distinct and separated.
- Strong Authentication: Define processes for authenticating access to systems, applications, and data assets, including MFA for at least privileged users and access to sensitive data. Adopt digital certificates, or alternatives that achieve an equivalent security level, for system identities.
- Authorization Mechanisms: Define processes to verify authorization of access to data and system functions.
Detective Mitigation
- Detection of Baseline Deviation: Implement detection measures with proactive notification in case changes deviate from the established baseline.
- User Access Review: Regularly review and revalidate user access for least privilege and separation of duties. Extend the review to programmatic identities (service accounts, OAuth applications, automation scripts) and to privileged access systems, where stale or excessive grants are most likely to go unnoticed.
- Security Monitoring and Alerting: Identify and monitor security-related events within applications and the underlying infrastructure. Implement a system to generate alerts to responsible tenants, security teams, and stakeholders.
Corrective Mitigation
- Remediation: Establish and maintain a risk-based corrective action plan to remediate incident and breach case findings. Review and report remediation status to relevant stakeholders.
- IAM Policy and Procedures: Establish and maintain policies and procedures for IAM. Review and update the policies and procedures at least annually.
- Incident Response Plans: Establish and maintain a security incident response plan. This should include relevant internal departments, impacted customers, and other business-critical relationships.
- Event Triage Processes: Define processes supporting business procedures to triage security-related events.
- Security Breach Notification: Define processes for security breach notifications. Report security breaches, including any relevant supply chain breaches, as per applicable SLAs and laws.
Control Effectiveness Measurements
- Access Provisioning Compliance Rate: Percentage of user and programmatic accounts provisioned with least privilege and MFA enabled.
- Unauthorized Change Attempt Rate: Number of attempted unauthorized changes to critical system components over a specified period.
- Misconfiguration Detection Rate: Percentage of applications assessed for vulnerabilities, misconfigurations, and security risks.
- Access Control Effectiveness: Effectiveness of MFA, role-based permissions, and standing access controls.
- Audit Frequency of Cloud Configurations: Percentage of privileged accounts audited for least privilege.
Key Takeaways from This Incident
- Compared with cyber criminals, state-backed actors have far more resources. Regardless of a company’s security maturity, the weakest link is what they go after.
- Well-known attack methods, even dated ones, are still effective and can penetrate mature and seasoned companies.
- Enforce consistent policies across all environments, including test and beta environments. Impose least privilege, zero standing privileges, and standard security policies such as MFA.
- Adversaries can use a passive and patient approach to sneak in unnoticed.
- Restrict privileges in test accounts to the bare minimum. Use zero standing privileges, Just-in-Time (JIT) access, or Temporary Elevated Access (TEA). TEA involves granting users elevated privileges or access rights only for a specific period.
Interested in reading about other recent cyber incidents? CSA’s Top Threats to Cloud Computing Deep Dive 2025 analyzes seven other notable cloud breach cases. Get a detailed breakdown of the Snowflake, Football Australia, CrowdStrike, Toyota, Darkbeam, Retool/Fortress, and FTX incidents. This breakdown includes:
- An attack detail
- A description of the threat actor
- The associated top threats
- The technical and business impacts
- Relevant Cloud Controls Matrix (CCM) controls to use for preventive, detective, and corrective mitigation
- Essential metrics to measure control effectiveness
- Key takeaways