Microsoft Breached via Legacy Test Account Without MFA

Incident · Microsoft Security · Jan 2024
APT29

Russian APT29 password-sprayed a forgotten test tenant without MFA, then abused OAuth applications to escalate into executive mailboxes.

Key Finding

Attackers created malicious OAuth apps holding the full_access_as_app role to read executive email, exfiltrating credentials and cryptographic keys.

In January 2024, Microsoft disclosed that Midnight Blizzard (APT29/NOBELIUM), the Russian state-sponsored group behind the SolarWinds attack, had compromised Microsoft's own corporate environment. The entry point was not a zero-day exploit or a sophisticated supply chain attack. It was a password spray against a legacy, non-production test tenant account that lacked MFA.

From that initial foothold, the attackers pivoted through OAuth application permissions. They identified and exploited an existing OAuth application with elevated access, created additional malicious OAuth apps, and granted those apps the full_access_as_app role, providing direct, API-level access to executive mailboxes without ever needing to authenticate as those users.

The exfiltrated data included emails between Microsoft leadership and security teams, containing credentials and cryptographic keys that could be used for further access.

This attack illuminates a critical identity architecture failure pattern: OAuth and application identities create lateral movement paths that are invisible to traditional security monitoring. A forgotten test account, the kind that exists in every enterprise, became the entry point to one of the world's most security-conscious organizations.

The lesson is not that Microsoft had a bad security team. It is that identity architecture must account for every identity, every OAuth grant, and every application permission, especially the ones nobody remembers exist. Forgotten identities are not dormant risk. They are open doors.
