Microsoft Midnight Blizzard breach underscores token protections
Midnight Blizzard (APT29) leveraged a test tenant with weak OAuth hygiene to obtain elevated access tokens, allowing the group to read corporate and government email.
Unmanaged app registrations and stale secrets created blind spots that bypassed conventional MFA, giving attackers persistent inbox visibility.
Prevention playbook:
- Inventory and disable unused Azure AD applications; rotate secrets frequently and move to certificate-based authentication.
- Enable continuous access evaluation, conditional access policies, and anomaly detection for consent grants.
- Store signing keys in hardware security modules (HSMs) and enforce least-privilege scopes for every application.
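The first playbook item in working form, as an added example that is not part of the original article: a Python audit over application objects shaped like Microsoft Graph `GET /applications` output (`passwordCredentials` / `keyCredentials`), flagging stale or long-lived client secrets and registrations that still rely on secrets instead of certificates. The 90/180-day thresholds and the sample registrations are assumed and constructed here, not taken from Microsoft.

```python
"""Audit Azure AD / Entra app registrations for the credential-hygiene gaps
the playbook names: stale or long-lived client secrets, and apps that still
authenticate with secrets rather than certificates.  Input objects are shaped
like Microsoft Graph GET /applications output; thresholds are assumed."""
from datetime import datetime, timezone

MAX_SECRET_AGE_DAYS = 90        # assumed rotation window
MAX_SECRET_LIFETIME_DAYS = 180  # assumed longest acceptable secret validity

# Constructed sample; only the fields the audit reads are included.
SAMPLE_APPS = [
    {"displayName": "legacy-test-app", "appId": "00000000-0000-0000-0000-000000000001",
     "passwordCredentials": [{"keyId": "s1", "startDateTime": "2023-01-15T00:00:00Z",
                              "endDateTime": "2025-01-15T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "mail-connector", "appId": "00000000-0000-0000-0000-000000000002",
     "passwordCredentials": [],
     "keyCredentials": [{"keyId": "c1", "type": "AsymmetricX509Cert",
                         "startDateTime": "2023-12-01T00:00:00Z",
                         "endDateTime": "2024-12-01T00:00:00Z"}]},
    {"displayName": "reporting-job", "appId": "00000000-0000-0000-0000-000000000003",
     "passwordCredentials": [{"keyId": "s2", "startDateTime": "2023-12-20T00:00:00Z",
                              "endDateTime": "2024-03-20T00:00:00Z"}],
     "keyCredentials": []},
]

def parse_graph_time(value):
    # Graph emits RFC 3339 with a trailing Z; older fromisoformat needs +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_app(app, now):
    """Return the list of findings for one application object."""
    findings = []
    secrets = app.get("passwordCredentials", [])
    certs = app.get("keyCredentials", [])
    for s in secrets:
        start, end = parse_graph_time(s["startDateTime"]), parse_graph_time(s["endDateTime"])
        age, lifetime = (now - start).days, (end - start).days
        if age > MAX_SECRET_AGE_DAYS:
            findings.append(f"secret {s['keyId']} is {age} days old: rotate")
        if lifetime > MAX_SECRET_LIFETIME_DAYS:
            findings.append(f"secret {s['keyId']} valid for {lifetime} days: shorten")
    if secrets and not certs:
        findings.append("authenticates with client secrets only: move to a certificate")
    return findings

def audit(apps, now=None):
    """Map each app's displayName to its findings; an empty list means clean."""
    now = now or datetime.now(timezone.utc)
    return {a["displayName"]: audit_app(a, now) for a in apps}

if __name__ == "__main__":
    for name, items in audit(SAMPLE_APPS).items():
        print(name, "->", items or ["ok"])
```

Feed it the JSON returned by a real `GET /applications` call (the `value` array) to run the same checks against a live tenant.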