EPISODE · Dec 30, 2025 · 32 MIN
Midnight Blizzard | How Russian Intelligence Breached Microsoft - w/ Alyssa Robinson, CISO @ HubSpot
from The CISO Signal: True Cybercrime Podcast · host Jeremy Ladner
With guest CISO Co-Host Alyssa Robinson, CISO at HubSpot

In late 2023, a Russian state-sponsored threat actor known as Midnight Blizzard (also called NOBELIUM and widely associated with APT29) began probing Microsoft the old-fashioned way: password spraying.

No zero-day. No smash-and-grab.
Just patience, repetition, and one legacy gap.

Microsoft says the actor compromised a legacy, non-production test tenant account and used that foothold to access a very small percentage of Microsoft corporate email accounts, including members of senior leadership and employees in cybersecurity and legal, then exfiltrated some emails and attached documents. Microsoft detected the attack on January 12, 2024, and disclosed it publicly on January 19, 2024.

This was espionage, not extortion: Microsoft assessed the actor was initially seeking information related to Midnight Blizzard itself, essentially trying to learn what Microsoft knew about their operations.

In this episode of The CISO Signal | True Cybercrime Podcast, we break down how a nation-state operation targets the most valuable asset in modern security: identity. We explore why executive inboxes are intelligence gold, why slow intrusions are so hard to see in real time, and what incident response looks like when the adversary is collecting insight, not detonating ransomware.

🎙 Guest CISO Co-Host
Alyssa Robinson
Chief Information Security Officer, HubSpot

🔍 Episode Topics
• How password spraying still works at massive scale
• Why legacy test tenants and exceptions become the entry point
• Executive identity risk and the “convenience gap”
• What changes when the attacker is a nation state
• The trust question: what downstream organizations must assume

🧊 The aftershock
Microsoft later reported evidence that the actor was using exfiltrated information to pursue additional unauthorized access, including some source code repositories and internal systems, while stating it found no evidence that Microsoft-hosted customer-facing systems were compromised.

CISA also issued guidance on SVR / APT29 tradecraft for initial cloud access (AA24-057A) and an Emergency Directive tied to this compromise (ED 24-02).

🧩 About The CISO Signal
True cybercrime storytelling with real CISO lessons. Subscribe so you never miss an investigation.
👉 / @thecisosignal
www.linkedin.com/company/the-ciso-signal

#CISOSignal #MicrosoftBreach #MidnightBlizzard #APT29 #NOBELIUM #CyberEspionage #IdentitySecurity #CloudSecurity #CISO #TrueCybercrime