Midnight Blizzard | How Russian Intelligence Breached Microsoft
With guest CISO Co-Host Alyssa Robinson, CISO at HubSpot
In late 2023, a Russian state-sponsored threat actor known as Midnight Blizzard (also called NOBELIUM and widely associated with APT29) began probing Microsoft the old-fashioned way: password spraying.
No zero-day. No smash-and-grab.
Just patience, repetition, and one legacy gap.
Microsoft says the actor compromised a legacy, non-production test tenant account and used that foothold to access a very small percentage of Microsoft corporate email accounts, including members of senior leadership and employees in cybersecurity and legal, then exfiltrated some emails and attached documents. Microsoft detected the attack on January 12, 2024, and disclosed it publicly on January 19, 2024.
This was espionage, not extortion: Microsoft assessed the actor was initially seeking information related to Midnight Blizzard itself, essentially trying to learn what Microsoft knew about their operations.
In this episode of The CISO Signal | True Cybercrime Podcast, we break down how a nation-state operation targets the most valuable asset in modern security: identity. We explore why executive inboxes are intelligence gold, why slow intrusions are so hard to see in real time, and what incident response looks like when the adversary is collecting insight, not detonating ransomware.
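A low-and-slow spray is hard to see because no single account ever fails enough times to trip a lockout; the signal only appears when sign-in failures are grouped by source rather than by user. The detection below is an added example, not Microsoft's telemetry or detection logic, and runs over a constructed set of sign-in events (the account names, addresses and timestamps are invented):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real Microsoft telemetry): one source
# tries a common password against many different accounts, spaced out
# over hours, so no single account reaches a lockout threshold.
EVENTS = [
    ("2023-11-20T01:02:00", "alice@test.example", "198.51.100.7", "fail"),
    ("2023-11-20T01:41:00", "bob@test.example", "198.51.100.7", "fail"),
    ("2023-11-20T02:20:00", "carol@test.example", "198.51.100.7", "fail"),
    ("2023-11-20T03:05:00", "dave@test.example", "198.51.100.7", "fail"),
    ("2023-11-20T03:50:00", "erin@test.example", "198.51.100.7", "fail"),
    ("2023-11-20T04:33:00", "legacy-test@test.example", "198.51.100.7", "success"),
    # A normal user mistyping their own password twice, then succeeding.
    ("2023-11-20T09:00:00", "frank@test.example", "203.0.113.9", "fail"),
    ("2023-11-20T09:00:30", "frank@test.example", "203.0.113.9", "fail"),
    ("2023-11-20T09:01:00", "frank@test.example", "203.0.113.9", "success"),
]

def detect_spray(events, window=timedelta(hours=6), min_accounts=5, max_per_account=2):
    """Return {source: sorted accounts} for sources whose failures touch at
    least min_accounts distinct accounts, each failing no more than
    max_per_account times inside `window`: the many-users/few-tries shape
    of a spray, as opposed to brute force against one account."""
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        by_src[src].append((datetime.fromisoformat(ts), user, result))
    alerts = {}
    for src, rows in by_src.items():
        rows.sort()
        fails = [(t, u) for t, u, r in rows if r == "fail"]
        for i, (t0, _) in enumerate(fails):          # slide the window over failures
            per_user = defaultdict(int)
            for t, u in fails[i:]:
                if t - t0 > window:
                    break
                per_user[u] += 1
            spread = [u for u, n in per_user.items() if n <= max_per_account]
            if len(spread) >= min_accounts:
                alerts[src] = sorted(per_user)
                break
    return alerts

def successes_after_spray(events, alerts):
    """Accounts that signed in successfully from a flagged source: the
    sign-ins an incident responder should treat as probable compromises."""
    return sorted({u for _, u, src, r in events if src in alerts and r == "success"})
```

Tuning `window`, `min_accounts` and `max_per_account` to the tenant's own baseline matters; the same grouping applied per account instead of per source would see only one or two failures each and raise nothing.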
🎙 Guest CISO Co-Host
Alyssa Robinson
Chief Information Security Officer, HubSpot
🔍 Episode Topics
• How password spraying still works at massive scale
• Why legacy test tenants and exceptions become the entry point
• Executive identity risk and the “convenience gap”
• What changes when the attacker is a nation state
• The trust question: what downstream organizations must assume
🧊 The aftershock
Microsoft later reported evidence that the actor was using exfiltrated information to pursue additional unauthorized access, including some source code repositories and internal systems, while stating it found no evidence that Microsoft-hosted customer-facing systems were compromised.
CISA also issued guidance on SVR / APT29 tradecraft for initial cloud access (AA24-057A) and an Emergency Directive tied to this compromise (ED 24-02).
🧩 About The CISO Signal
True cybercrime storytelling with real CISO lessons. Subscribe so you never miss an investigation.
👉 / @thecisosignal
www.linkedin.com/company/the-ciso-signal
#CISOSignal #MicrosoftBreach #MidnightBlizzard #APT29 #NOBELIUM
#CyberEspionage #IdentitySecurity #CloudSecurity #CISO #TrueCybercrime
By Jeremy Ladner