On January 25, 2024, the Microsoft Threat Intelligence Team published a report concerning new malicious activities observed on January 12, 2024, and attributed to the Russian state-sponsored actor APT29 (also known as "Cozy Bear," "Nobelium," "Midnight Blizzard").
Tactics, techniques, and procedures (TTPs) observed in the events include:
Initial intrusion via password spraying, targeting in particular accounts without multi-factor authentication (MFA).
Once an account has been compromised, the actor attempts to abuse Auth0 applications to gain access to other accounts and potentially retain a foothold even if the account compromised during initial intrusion becomes unavailable.
Via Auth0, the actor attempts to gain access to Exchange Web Services and Microsoft Office 365, hiding traffic via residential network proxies in an attempt to mix malicious traffic with proxy-based traffic originating from legitimate users.
According to the Microsoft report, the investigation is still ongoing.
The events appear to be consistent with a broad APT29-attributed espionage campaign which has been active at least since last Autumn. The Russia-nexus actor targeted in particular NATO countries and Ukraine as well as a number of non-NATO members in the Middle East.
As Microsoft recommends, countermeasures include implementing secure password policies, especially by enabling MFA, and putting in place security monitoring to detect instances of unusual access and authentication anomalies.