Clément Notin  Feb 1, 2024
What I think happened in the Midnight Blizzard breach of Microsoft: how could they pivot from the test tenant to the production tenant using a OAuth application? 🤔⤵️
Show threadClément Notin  Feb 1, 2024
"Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment."
👀 Assuming we got access to this test tenant and we found this application (aka "app registration")
Show threadClément Notin  Feb 1, 2024
💪 It looks powerful given the "Directory.ReadWrite.All" MS Graph API permission it requests. But this permission isn't consented on this tenant so we can't do much. But perhaps we can get lucky 😉
Show threadClément Notin  Feb 1, 2024
We have compromised the app ("compromise a legacy test OAuth application")
For example by having the "Application Administrator" Entra built-in role https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#application-administrator in this test tenant.
🔑 Meaning we can add credentials to the app
Microsoft Entra built-in roles - Microsoft Entra ID

Describes the Microsoft Entra built-in roles and permissions.

Show threadClément Notin  Feb 1, 2024
That allows to authenticate as the application's identity, via its Service Principal to be precise. But it doesn't have any permission consented in this tenant... So as expected we can't do something like creating a group for example 😔
Show threadClément Notin  
But the report says that the test app "had elevated access to the Microsoft corporate environment". So let's reproduce this (before the attack of course) by switching to the prod tenant as a legit admin and consenting to the requested permission
https://login.microsoftonline.com/common/adminconsent?client_id=<client_id>
Sign in to your account

Feb 1, 2024 at 10:07amWeb
Show threadClément Notin  Feb 1, 2024
This creates the related Service Principal (aka "enterprise application") in the prod tenant. Notice how it has the same "Application ID" as the app in the test tenant.
And the dangerous API permission just consented is here 💣
The dangerous cocktail for the rest of the attack...
Show threadClément Notin  Feb 1, 2024
We can auth. with the same app ID and credentials, but this time targeting the prod tenant 🤞
It works and we see that we have the permission that was consented long before by a legitimate admin.
And for sure with this, we can do anything like creating a group, or much worse! 💥
Show threadClément Notin  Feb 1, 2024

Now the report continues: "The actor created additional malicious OAuth applications"
Ok so to do this, the test app would need to have been granted the "Application.ReadWrite.All" MS Graph API permission in the prod tenant. And even worse... 😨

Report also says that "The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes." 📬

Show threadClément Notin  Feb 1, 2024
Which could also mean that the test app certainly had the "AppRoleAssignment.ReadWrite.All" MS Graph API permission in the prod tenant too!
The SP in the prod tenant could have looked like this:
Show threadClément Notin  Feb 1, 2024
These allow to create a new app registration, and corresponding SP, in prod test and add credentials to the app
Show threadClément Notin  Feb 1, 2024
And finally also allowing to add and consent to the "full_access_as_app" application permission of the "Office 365 Exchange Online" API 💪
And the new SP looks like this with its new Exchange permissions allowing to read everyone's emails 🙈 (left as an exercise to you 😛)
Show threadClaus Cramon HoumannFeb 1, 2024
@cnotin so you read it as extra apps created in the prod tenant?
Show threadClément Notin  Feb 1, 2024
@claushoumann I’m not sure anymore because it the apps could also have been created in the test tenant, then consented to in the prod tenant by the users they created, to trigger the creation of the SP in prod to which the exchange online permission was granted. Otherwise I don’t see why this step was necessary.
Show threadClaus Cramon HoumannFeb 1, 2024
@cnotin ok, ty for replying. Been trying to understand and convert into proactive measures to avoid same :)
Show threadClément Notin  Feb 1, 2024
@claushoumann you can check this diagram https://x.com/amitaico/status/1752403186902835341 and also this post https://jeffreyappel.nl/pivot-via-oauth-applications-across-tenants-and-what-to-for-protection-with-microsoft-technology-midnight-blizzard/
Amitai Cohen 🎗️ (@AmitaiCo) on X

Sketch of interpretation of Midnight Blizzard's attack flow based on @MsftSecIntel's blogpost (had to make a few assumptions, noted in grey). Big h/t to @cnotin and @EricaZelic for their analysis of this incident (links in thread) and to @LSecResearch for valuable input.

X (formerly Twitter)