In January 2024, Microsoft filed an 8-K with the SEC disclosing that a Russian state-sponsored group called Midnight Blizzard had breached their corporate network and read the email of members of their senior leadership team. The attackers were in the environment for at least two months before anyone noticed.
If you manage a law firm or a CPA office, your first reaction might be to scroll past this. Microsoft is a different world. Your firm isn’t a target for Russian intelligence. Fair. But the way they got in is exactly how people get into small firms every week, and the lessons apply directly to the Microsoft 365 tenant your firm is running right now.
The initial access was a password spray attack against a legacy non-production test tenant that Microsoft hadn’t fully decommissioned. One of the accounts in that tenant didn’t have multi-factor authentication. The password was guessable. Microsoft’s own blog post on the incident documents what happened next.
Once in, the attackers found that this old test tenant had an OAuth application with elevated permissions across other Microsoft environments. They used the app’s permissions to mint their own access tokens into production mailboxes. No password needed at that point. No second factor. The OAuth app had already been granted the access, years earlier, and nobody had revoked it.
They read email for two months.
The lesson isn’t about Russian intelligence
The lesson is about OAuth applications and how nobody pays attention to them. Every Microsoft 365 tenant accumulates these over time. A user signs in with their Microsoft account to some third-party tool, the tool says “this app would like to read your mailbox and calendar,” and the user clicks yes. An OAuth consent is recorded. The app now has a long-lived permission to read that mailbox, even without the user’s password.
For most small firms, the pile of OAuth applications with access to mailboxes has never been reviewed. Apps that were installed for a trial three years ago and abandoned. Apps from a vendor the firm stopped using. Apps that a former employee installed. Apps that a current employee doesn’t remember consenting to because the consent prompt was half a line of text on a busy Tuesday.
Some of those apps have read access to everything in the mailbox, including attachments with client information.
Proofpoint has documented the pattern of attackers using OAuth phishing specifically against small-to-mid businesses. The attacker sends a link that looks like a legitimate login prompt. The user clicks through and authenticates. What they actually did was grant an attacker-controlled OAuth app access to their mailbox. There’s no password to change. There’s no credential to rotate. The app keeps working until someone revokes the consent.
Microsoft 365 has a feature called consent policies, which let an administrator decide which OAuth apps users are allowed to approve. By default, in a lot of tenants, any user can approve any app requesting any permission. Which is how you end up with 47 OAuth applications having access to mailboxes and nobody knowing why.
Three things worth checking this week
Go into the Entra admin center. Look at Enterprise applications. Review the list. You’ll probably find apps you don’t recognize. Some will be legitimate (Microsoft’s own, Adobe, DocuSign, your practice management tool). Some won’t be. Anything unrecognized, anything from a company you don’t work with anymore, anything that was granted broad permissions, revoke the consent.
Change your tenant’s user consent setting so that users can only consent to apps from verified publishers with low-risk permissions. Admin approval is required for anything more aggressive. This is a few clicks and it prevents the most common OAuth phishing variant from working at all.
Enable Microsoft’s built-in alerting for risky OAuth consents if you’re on a license tier that includes it. If you’re not, ask your IT provider to set up monitoring for new OAuth consents outside normal hours or with broad mailbox access.
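The first of those three checks can be scripted instead of scrolled through in the portal. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and that you sign in with a read-only role such as Global Reader. It lists every OAuth consent in the tenant that can read mail, covering both delegated consents (what a user clicked yes to) and application permissions (the no-user-involved kind used in the Midnight Blizzard intrusion), and puts unverified publishers and application-level access at the top.

```powershell
# Added example: inventory OAuth consents in an Entra tenant and flag mailbox access.
# Assumes Install-Module Microsoft.Graph has been run and the signed-in account can read
# the directory (Global Reader is enough). Nothing here changes the tenant.
Connect-MgGraph -Scopes "Application.Read.All","DelegatedPermissionGrant.Read.All" -NoWelcome

# Delegated scopes and application roles that amount to "can read the mailbox"
$mailboxPerms = @("Mail.Read","Mail.ReadWrite","Mail.ReadBasic","Mail.Read.Shared",
                  "Mail.ReadWrite.Shared","full_access_as_app","EWS.AccessAsUser.All",
                  "IMAP.AccessAsUser.All","POP.AccessAsUser.All","MailboxSettings.ReadWrite")

$sps  = Get-MgServicePrincipal -All          # every app registered or consented in the tenant
$byId = @{}; foreach ($sp in $sps) { $byId[$sp.Id] = $sp }
$findings = @()

# 1. Delegated consents: a user (or an admin on behalf of all users) approved these scopes
foreach ($g in Get-MgOauth2PermissionGrant -All) {
  $hit = ($g.Scope -split ' ') | Where-Object { $mailboxPerms -contains $_ }
  if ($hit) {
    $client = $byId[$g.ClientId]
    $findings += [pscustomobject]@{
      App       = $client.DisplayName
      Kind      = if ($g.ConsentType -eq 'AllPrincipals') { 'Delegated (tenant-wide)' } else { 'Delegated (one user)' }
      Perms     = ($hit -join ',')
      Publisher = $client.VerifiedPublisher.DisplayName
      Verified  = [bool]$client.VerifiedPublisher.VerifiedPublisherId
    }
  }
}

# 2. Application permissions: the app acts on its own, no user sign-in or MFA involved
foreach ($sp in $sps) {
  foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = $byId[$a.ResourceId]
    $role = ($resource.AppRoles | Where-Object Id -eq $a.AppRoleId).Value   # GUID -> e.g. Mail.Read
    if ($mailboxPerms -contains $role) {
      $findings += [pscustomobject]@{ App = $sp.DisplayName; Kind = 'Application'; Perms = $role
        Publisher = $sp.VerifiedPublisher.DisplayName; Verified = [bool]$sp.VerifiedPublisher.VerifiedPublisherId }
    }
  }
}

# Unverified publishers first, then application-level grants, so the review starts with the worst
$findings | Sort-Object Verified, Kind | Format-Table App, Kind, Perms, Publisher, Verified -AutoSize
```

Anything in that table you cannot tie to a vendor the firm still uses is a candidate for revoking in Enterprise applications; a tenant-wide delegated grant or an application permission from an unverified publisher deserves a look today rather than this week.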
The Midnight Blizzard attack also leveraged gaps in conditional access. Microsoft’s own incident write-up is unusually candid about this. A legacy account with no MFA. An OAuth app with broad permissions granted years ago. Both are the sort of thing that accumulates in any environment over time and sits forgotten until someone finds it.
The part that should scare small firms is that your tenant has the same kinds of accumulated weakness. Maybe you don’t have a rogue OAuth app with admin-level permissions across multiple environments. But you probably have a mailbox somewhere that MFA never got turned on for. A shared inbox with a password that hasn’t been rotated since 2021. A departed employee’s account that was never disabled. An OAuth app granted five years ago and never reviewed.
You don’t have to be Microsoft to have Microsoft’s problems. The difference is that Microsoft has an entire threat intelligence team watching for this stuff. Your firm has one IT person and a hope that nobody clicks the wrong thing.
Go look at your Enterprise applications list. Go look at your accounts without MFA. Go look at your conditional access policies. The attacks don’t have to be sophisticated when the environment is full of forgotten doors.
