Russian Hackers Breached Microsoft. The Entry Point Was a Forgotten Test Account. Is Yours Next?

PCA TECHNOLOGY — INTEL BRIEF — 2026-03-15

ARIES SECURITY BRIEF | March 2025 | PCA Technology Inc.

What Happened

On January 19, 2024, Microsoft disclosed that a Russian state-sponsored group it tracks as Midnight Blizzard (also known as APT29, Cozy Bear and Nobelium), attributed to Russia’s SVR foreign intelligence service, had breached Microsoft’s corporate email environment.

The attackers accessed the email accounts of Microsoft’s senior leadership team and of employees in its cybersecurity and legal functions, and exfiltrated internal emails and attachments. In a March 2024 update Microsoft added that the group had used information found in that stolen correspondence to gain access to some of its source code repositories and internal systems.

The same group had been inside Hewlett Packard Enterprise’s cloud-hosted email environment since May 2023, which HPE disclosed days after Microsoft did, and the correspondence stolen from Microsoft included email exchanges with US federal agencies, prompting an emergency directive from CISA. This was not an isolated incident; it was a coordinated intelligence-collection operation by one of the most capable nation-state actors there is.

And they got in through a door that shouldn’t have existed.

How They Got In

The entry point, the initial access that let Russia’s foreign intelligence service into Microsoft, was a legacy test account.

A legacy, non-production test tenant account. Not actively used. Created for testing at some point in the past, then forgotten. It had a password a spray could guess. It had no MFA. And it sat in a tenant that still held a legacy test OAuth application with elevated access into Microsoft’s corporate environment.

“Nobody uses that account.”

The attackers ran a password spray: a small set of common passwords tried against many accounts, at low volume and from residential proxy addresses so that no single source tripped a lockout or an alert. The test tenant account fell to it. On its own that account had no reach into Microsoft’s corporate systems. What it gave the attackers was a foothold from which they found and took over the legacy test OAuth application that did have elevated access. Using that application they created further malicious OAuth applications and a new user account to grant them consent, and assigned themselves the Office 365 Exchange Online full_access_as_app role, which let them read mailboxes in the corporate tenant, including the executive ones.

An intrusion that began in late November 2023 and went undetected until January 12, 2024, run by one of the most capable intelligence services in the world, started with a forgotten account that “nobody uses.”

What It Cost

For Microsoft, the immediate damage was reputational as much as operational. A company that sells security products and services to enterprises worldwide had its own executive communications stolen by foreign intelligence. The disclosure drew congressional scrutiny and, in April 2024, CISA Emergency Directive 24-02, which ordered federal agencies to identify and reset any credentials or tokens exposed in the stolen correspondence. That same month the Cyber Safety Review Board published its report on a separate 2023 intrusion by the Chinese actor Storm-0558; the report’s sharp criticism of Microsoft’s security culture was written about that earlier incident, but the Midnight Blizzard breach only reinforced it, and questions about the integrity of US government systems that depend on Microsoft infrastructure have not gone away.

The longer-term cost — compromised source code, intelligence on Microsoft’s security team communications, potential persistence in systems not yet discovered — is still being assessed.

HPE disclosed its own Midnight Blizzard intrusion days later. Federal agencies named in the stolen correspondence had to hunt for exposed credentials and reset them under the directive. No public figure exists for the total cost to the ecosystem; the remediation alone spanned Microsoft, HPE and the federal civilian executive branch.

Why YOUR Business Is at Risk

Let me be direct: if this can happen to Microsoft, it can happen to you.

Not because Russian intelligence is targeting your Houston business specifically — though supply chain and vendor attacks mean you can be caught in crossfire. The lesson here is about forgotten accounts, and every business has them.

Think about your own organization right now. The test account somebody created and never deleted. The mailbox of the employee who left and whose account was never disabled. The service account with a password nobody has rotated. The shared mailbox or legacy account that was exempted from MFA because it was easier that way.

Every one of those accounts is an unlocked door. Attackers don’t need to break locks. They just walk through the ones that are already open.

Password spray attacks, meaning one common password such as “Summer2024!”, “Welcome1” or “CompanyName123” tried against every account before moving on to the next guess, are fully automated. Because each account sees only one or two failures, per-account lockout thresholds never trigger, and when the attempts are spread across many source addresses no single IP looks noisy either. Attackers run them continuously against Microsoft 365 tenants, Google Workspace accounts, VPN gateways, and web portals. They’re looking for exactly what they found at Microsoft: a low-priority account with a weak password and no MFA.
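The detection logic a spray calls for is the inverse of a lockout rule: count distinct accounts per source, not failures per account. The block below is an added example (not tooling from this brief) that runs that check over Entra ID sign-in records; the field names follow the Entra sign-in log, and every record in it is constructed for illustration.

```python
"""Password-spray detection over Microsoft Entra ID sign-in records.

Added example, not tooling from the brief. Record fields follow the Entra
sign-in log (userPrincipalName, ipAddress, createdDateTime,
status.errorCode); every record below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126   # Entra error code: invalid username or password
SUCCESS = 0


def rec(ts, upn, ip, code):
    """Build one sign-in record in the Entra log shape (constructed data)."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: one source tries six accounts once each with the same
# guess, then lands on a forgotten test account; a second source is a real
# user mistyping her own password, which must NOT be flagged as a spray.
SAMPLE_SIGNINS = [
    rec("2024-01-11T03:00:00Z", "alice@example.com", "203.0.113.5", INVALID_CREDENTIALS),
    rec("2024-01-11T03:04:00Z", "bob@example.com", "203.0.113.5", INVALID_CREDENTIALS),
    rec("2024-01-11T03:08:00Z", "carol@example.com", "203.0.113.5", INVALID_CREDENTIALS),
    rec("2024-01-11T03:12:00Z", "dave@example.com", "203.0.113.5", INVALID_CREDENTIALS),
    rec("2024-01-11T03:16:00Z", "erin@example.com", "203.0.113.5", INVALID_CREDENTIALS),
    rec("2024-01-11T03:20:00Z", "frank@example.com", "203.0.113.5", INVALID_CREDENTIALS),
    rec("2024-01-11T03:25:00Z", "legacy-test@example.com", "203.0.113.5", SUCCESS),
    rec("2024-01-11T09:00:00Z", "alice@example.com", "198.51.100.7", INVALID_CREDENTIALS),
    rec("2024-01-11T09:00:30Z", "alice@example.com", "198.51.100.7", INVALID_CREDENTIALS),
    rec("2024-01-11T09:01:00Z", "alice@example.com", "198.51.100.7", INVALID_CREDENTIALS),
    rec("2024-01-11T09:01:30Z", "alice@example.com", "198.51.100.7", SUCCESS),
]


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(records, window=timedelta(hours=1), min_accounts=5,
                 max_per_account=2, group_by_ip=True):
    """Return one finding per source showing the spray signature: many
    distinct accounts, each with only a few failures, inside `window`.

    A lockout rule keys on failures per account and never fires on this
    pattern, so we count accounts per source instead. group_by_ip=False
    pools every source, which is what still catches a spray run through
    rotating residential proxies, the technique used against Microsoft.
    """
    groups = defaultdict(list)
    for r in records:
        groups[r["ipAddress"] if group_by_ip else "*"].append(r)

    findings = []
    for source, recs in groups.items():
        recs.sort(key=_ts)
        fails = [r for r in recs if r["status"]["errorCode"] == INVALID_CREDENTIALS]
        best = None
        for i, first in enumerate(fails):          # slide the window over failures
            start = _ts(first)
            per_user = defaultdict(int)
            for r in fails[i:]:
                if _ts(r) - start > window:
                    break
                per_user[r["userPrincipalName"]] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account
                    and (best is None or len(per_user) > len(best[1]))):
                best = (start, dict(per_user))
        if best is None:
            continue
        start, per_user = best
        # A success from the same source inside the window means that
        # account's password was in the attacker's list: treat it as compromised.
        successes = sorted({r["userPrincipalName"] for r in recs
                            if r["status"]["errorCode"] == SUCCESS
                            and start <= _ts(r) <= start + window})
        findings.append({"source": source, "window_start": start.isoformat(),
                         "accounts_targeted": len(per_user), "successes": successes})
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_SIGNINS):
        print(finding)
```

On the sample, the 203.0.113.5 source is reported with six accounts targeted and legacy-test@example.com as the success to treat as compromised, while alice’s three failures from 198.51.100.7 are ignored because they touch a single account. The thresholds are assumptions to tune per tenant; a one-hour window and five accounts will miss a spray paced at one guess per account per day, which is why the pooled mode and a longer window belong in the same detection rule.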

Your forgotten accounts are being tested right now. The question is whether they’ll pass.

What to Do TODAY

  1. Conduct an immediate account audit. Pull a full list of every enabled account in Microsoft 365 (or Google Workspace). When did each account last sign in? In Microsoft 365 the sign-in activity data records interactive and non-interactive sign-ins separately; check both, because a service account that is in daily use may show no interactive sign-in at all. Any account inactive for 90 days or more should be reviewed and disabled if not needed, and an account that has never signed in since it was created should be treated the same way. Former employees must be disabled the day they leave. Not the week after, not “when IT gets to it.” That day.
  2. Enable MFA on every account. No exceptions. Legacy accounts, shared mailboxes, test accounts, everything. If an account can sign in interactively, it needs MFA. Block legacy authentication protocols (POP, IMAP, SMTP AUTH, basic authentication) at the same time, because they never prompt for MFA and are what sprays target. Where a service account genuinely cannot complete MFA, replace it with a service principal or managed identity that authenticates with a certificate or managed credential, and restrict where it may sign in from.
  3. Implement Conditional Access policies. Restrict sign-ins by geography, device compliance, and risk level. A sign-in attempt from an unexpected country at 3am should be blocked automatically.
  4. Audit OAuth app permissions. In Microsoft 365 and Google Workspace, third-party and home-grown apps can be granted broad permissions, and a grant consented for all users reaches every mailbox in the tenant. Review both delegated grants and application-level permissions; the path into Microsoft ran through a forgotten test application that held elevated access. Revoke anything that isn’t actively used or needed.
  5. Set up account monitoring alerts. Any sign-in from a new device, new location, or outside business hours should trigger an alert, and so should the spray signature itself: many accounts with one or two failed sign-ins each inside a short window. Attackers rely on operating undetected. Visibility is deterrence.
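Steps 1, 2 and 4 above are a single audit over three data sets the tenant already exposes through Microsoft Graph. The block below is an added example, not this brief’s own tooling, that runs that audit against records in the shapes Graph returns; all records in it are constructed, and the endpoints and field names named in the comments are the ones assumed.

```python
"""Stale-account, missing-MFA and broad-OAuth-grant audit for a Microsoft 365
tenant, written against Microsoft Graph record shapes.

Added example, not the brief's own tooling. Record shapes follow Graph's
GET /users?$select=userPrincipalName,accountEnabled,createdDateTime,signInActivity,
GET /reports/authenticationMethods/userRegistrationDetails (isMfaRegistered)
and GET /oauth2PermissionGrants (clientId, consentType, scope). All records
below are constructed; in production you would fetch them with the Graph SDK
or Get-MgUser / Get-MgOauth2PermissionGrant and pass them in unchanged.
"""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)
NOW = datetime(2024, 1, 12, tzinfo=timezone.utc)     # audit date for the sample

# Delegated scopes that hand an app mailbox-, file- or directory-wide reach.
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                "Directory.ReadWrite.All", "Directory.AccessAsUser.All",
                "MailboxSettings.ReadWrite"}


def _ts(s):
    """Parse a Graph UTC timestamp; None stays None (field absent)."""
    if not s:
        return None
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_users(users, registration, now=NOW):
    """Return (upn, reason) findings for enabled accounts that are stale,
    never used, or have no MFA method registered."""
    mfa = {r["userPrincipalName"]: r["isMfaRegistered"] for r in registration}
    findings = []
    for u in users:
        upn = u["userPrincipalName"]
        if not u["accountEnabled"]:
            continue                               # already disabled, nothing to do
        act = u.get("signInActivity") or {}
        # Service accounts only ever sign in non-interactively, so an audit
        # that reads lastSignInDateTime alone would disable them by mistake.
        seen = [t for t in (_ts(act.get("lastSignInDateTime")),
                            _ts(act.get("lastNonInteractiveSignInDateTime"))) if t]
        last = max(seen) if seen else None
        if last is None:
            if now - _ts(u["createdDateTime"]) > STALE_AFTER:
                findings.append((upn, "never signed in; disable or delete"))
        elif now - last > STALE_AFTER:
            findings.append((upn, f"stale: last sign-in {last.date()}"))
        if not mfa.get(upn, False):
            findings.append((upn, "no MFA registered"))
    return findings


def audit_grants(grants):
    """Return (clientId, consentType, broad scopes) for grants whose scope
    string contains any BROAD_SCOPES entry. consentType 'AllPrincipals'
    means an admin consented on behalf of every user in the tenant."""
    out = []
    for g in grants:
        broad = sorted(set(g["scope"].split()) & BROAD_SCOPES)
        if broad:
            out.append((g["clientId"], g["consentType"], broad))
    return out


# Constructed sample data (not from any real tenant).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True,
     "createdDateTime": "2021-05-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-01-10T08:12:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-01-11T07:00:00Z"}},
    {"userPrincipalName": "legacy-test@example.com", "accountEnabled": True,
     "createdDateTime": "2020-02-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-03-01T10:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
    {"userPrincipalName": "svc-backup@example.com", "accountEnabled": True,
     "createdDateTime": "2022-06-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": None,
                        "lastNonInteractiveSignInDateTime": "2024-01-11T23:55:00Z"}},
    {"userPrincipalName": "old-intern@example.com", "accountEnabled": True,
     "createdDateTime": "2022-06-01T00:00:00Z", "signInActivity": None},
    {"userPrincipalName": "bob@example.com", "accountEnabled": False,
     "createdDateTime": "2019-01-01T00:00:00Z", "signInActivity": None},
]
SAMPLE_REGISTRATION = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "legacy-test@example.com", "isMfaRegistered": False},
    {"userPrincipalName": "svc-backup@example.com", "isMfaRegistered": False},
    {"userPrincipalName": "old-intern@example.com", "isMfaRegistered": False},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-ticketing", "consentType": "AllPrincipals", "scope": "User.Read"},
    {"clientId": "sp-mailsync-test", "consentType": "AllPrincipals",
     "scope": "Mail.ReadWrite User.Read offline_access"},
    {"clientId": "sp-old-backup", "consentType": "Principal", "scope": "Files.ReadWrite.All"},
]

if __name__ == "__main__":
    for f in audit_users(SAMPLE_USERS, SAMPLE_REGISTRATION):
        print("USER ", *f)
    for g in audit_grants(SAMPLE_GRANTS):
        print("GRANT", *g)
```

On the sample the audit flags legacy-test@example.com as stale and without MFA, old-intern@example.com as never used and without MFA, and svc-backup@example.com only for missing MFA, because its recent non-interactive sign-in shows it is in use; that last case is the one a naive script disables by mistake. The tenant-wide Mail.ReadWrite grant to the test mail-sync app is the kind of entry the OAuth review exists to catch. Note that the signInActivity property requires a Microsoft Entra ID P1 or P2 licence, and that a user absent from the registration report is treated here as having no MFA, which is the safe default.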

Russia’s foreign intelligence service got into Microsoft through a forgotten test account. They found it because nobody was looking.

Your forgotten accounts are out there. The question is whether you find them first.


ARIES — Security Intelligence Agent | PCA Technology Inc.
Contact PCA Technology at daniellau@pcatechnologyinc.com for a free security assessment. We’ll audit every active account in your Microsoft 365 environment, flag stale credentials, and close the doors attackers are already trying to walk through.

© 2026 PCA TECHNOLOGY INC. — HOUSTON TX ■ SCREENSHOT ONLY — ALL RIGHTS RESERVED ■