APT29 Cloud Supply Chain Tradecraft 2025

APT29's 2024-2025 cloud-native tradecraft — from Midnight Blizzard's Microsoft intrusion to the Teams phishing pivots — shows how SVR targets identity as supply chain.

Shadab Khan
Security Engineer

APT29 — tracked by Microsoft as Midnight Blizzard, by Mandiant as UNC2452/APT29, and publicly attributed to Russia's Foreign Intelligence Service (SVR) by CISA and its Five Eyes partners — has spent the last five years rebuilding its toolkit around identity and cloud. The December 2020 SolarWinds intrusion made the group a household name. The January 2024 Microsoft disclosure of Midnight Blizzard's access to corporate email, the joint NCSC-UK/CISA/NSA advisory on APT29 cloud TTPs from February 2024, and the August 2024 Microsoft Threat Intelligence report on Midnight Blizzard's exploitation of OAuth consent workflows together document a tradecraft update that every defender needs to understand.

This post is focused on what has changed in 2024-2025 and what it means for software and identity supply chains. APT29 is not a ransomware actor. It is a long-dwell espionage operator that treats identity providers, collaboration platforms, and SaaS integrations as components of its target's supply chain.

What did APT29 change after the SolarWinds campaign?

APT29's 2020 SolarWinds campaign (tracked in CISA's AA20-352A advisory) demonstrated that a single software supply chain compromise could yield access to thousands of organizations. After the public disclosure, the group's tooling went quiet — the SUNBURST/TEARDROP/GoldMax chain was burned. What emerged in 2021-2022 was a different posture: fewer custom implants, more abuse of native cloud identity features.

Mandiant's 2022 report "Assembling the Russian Nesting Doll" documented APT29's early shift to cloud-native tradecraft. By 2023-2024, the pattern had consolidated: legacy authentication abuse, OAuth application consent phishing, service principal creation in victim tenants, and credential theft via token replay rather than classical implant delivery.

How did Midnight Blizzard compromise Microsoft's corporate environment?

Microsoft's 25 January 2024 disclosure and follow-up filings (including the 8-K update) described a password-spray attack in November 2023 against a legacy, non-production test tenant lacking MFA. The attackers discovered a legacy OAuth application with elevated access to Microsoft's corporate environment, used it to create additional malicious OAuth applications, and harvested email from senior staff and security researchers.

The CSRB report on the separate 2023 Storm-0558 incident, published 2 April 2024, did not cover Midnight Blizzard but described a structurally similar failure pattern: legacy identity artifacts persisting beyond their intended scope, insufficient lifecycle management for non-production tenants, and audit gaps that delayed detection. Both incidents point at identity configuration drift as the attack surface.

In the Midnight Blizzard case, the attackers maintained access for nearly two months before detection, according to Microsoft's March 2024 update. Exfiltrated material reportedly included security research correspondence — content with operational value for an actor whose mission is espionage against the defenders themselves.

What are APT29's current cloud-native techniques?

The NCSC-UK advisory from February 2024 (published jointly with CISA, NSA, FBI, and allied agencies) enumerates APT29's current toolkit. Four techniques dominate.

Legacy authentication abuse: password spray against legacy protocols (IMAP, SMTP AUTH, EWS) where MFA cannot be enforced. Microsoft's retirement of basic authentication for Exchange Online (completed October 2022) narrowed this surface, but non-production tenants and hybrid configurations often retain it.

OAuth application consent abuse: phishing users into granting consent to an attacker-registered application with mail.read or files.read scopes. Once consent is granted, the application carries a refresh token that survives password resets and MFA challenges until explicitly revoked.

Device code phishing: the attacker initiates a device-code authentication flow and tricks a victim into completing it on the victim's authenticated session. Volexity's February 2025 and Microsoft's August 2024 reports both document APT29 use of this technique against think tanks, defense contractors, and NGOs.

Service principal creation and abuse: once in the tenant, the attacker creates new service principals or repurposes existing ones to preserve access even if user accounts are remediated. Microsoft's August 2024 report noted multiple incidents where APT29 created service principals with names designed to blend into normal tenant activity.

Where does the Teams vector fit?

Microsoft's August 2023 disclosure on Midnight Blizzard's Teams-based credential phishing — sending messages from compromised tenants disguised as security prompts — launched a two-year arc of Teams-centric phishing. The vector exploits inter-tenant federation: if a victim tenant is federated with a compromised tenant, the attacker can send Teams messages into the victim from a seemingly trusted domain.

2024 saw multiple reported campaigns using this technique against government and NGO targets. The defensive posture — restricting inter-tenant federation, filtering Teams messages for external senders, requiring attestation on device-code flows — has matured, but enforcement across large tenants remains inconsistent.

How does APT29's tradecraft implicate third-party SaaS?

The supply chain angle is the OAuth application ecosystem. A victim tenant integrates with dozens to hundreds of SaaS apps via OAuth. Each integration grants scopes — mailbox read, files read, calendar read. When APT29 registers a lookalike app or compromises a legitimate vendor's app registration, the blast radius includes any tenant that consented to the relevant scopes.

This is supply chain risk that traditional third-party risk management (TPRM) misses because the "vendor" is an OAuth application, often installed by a single user without procurement review. Microsoft's 2023-2024 rollout of consent governance features (admin consent workflow, app ID verification, publisher verification) provides the controls, but each of them requires active policy configuration; none is enforced by default.
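The inventory question this raises, which apps in a tenant can read mail or files and on whose consent, can be answered from the tenant's OAuth permission grants. The following is an added example, not Safeguard.sh code or a Microsoft API: the record fields are modeled loosely on Microsoft Graph's oauth2PermissionGrant and servicePrincipal resources, every record is constructed sample data, and the scope watch-list and scoring weights are assumptions chosen to surface the traits the post describes (unverified publisher, single-user consent, refresh token, tenant-wide reach).

```python
"""Inventory which OAuth apps in a tenant can read mail or files.

Added example, not Safeguard.sh code. Record fields are modeled loosely on the
Microsoft Graph oauth2PermissionGrant and servicePrincipal resources; every
record below is constructed sample data, not from a real tenant.
"""

# Delegated scopes treated as high-value for an espionage actor (watch-list is an assumption).
HIGH_VALUE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read", "Files.Read.All", "Files.ReadWrite.All",
}

# Constructed service principals: one verified vendor, one unverified app with a
# name chosen to blend in, one forgotten connector.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Contoso Calendar Sync",
     "verifiedPublisher": {"displayName": "Contoso Ltd"}},
    {"id": "sp-2", "displayName": "Teams Security Helper", "verifiedPublisher": None},
    {"id": "sp-3", "displayName": "Legacy Test Connector", "verifiedPublisher": None},
]

# Constructed grants. consentType "AllPrincipals" is a tenant-wide admin consent;
# "Principal" is a single user's consent and principalId names that user.
GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Calendars.Read User.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-42",
     "scope": "Mail.Read offline_access User.Read"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Files.Read.All Mail.ReadWrite"},
]


def mail_file_readers(service_principals, grants, high_value=HIGH_VALUE_SCOPES):
    """Return one finding per grant whose scope string includes a high-value read scope."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        scopes = set(grant["scope"].split())  # Graph stores scopes space-separated
        risky = sorted(scopes & high_value)
        if not risky:
            continue
        sp = sp_by_id.get(grant["clientId"], {})
        tenant_wide = grant["consentType"] == "AllPrincipals"
        findings.append({
            "app": sp.get("displayName", grant["clientId"]),
            "scopes": risky,
            "tenant_wide": tenant_wide,
            "consented_by": "admin" if tenant_wide else grant["principalId"],
            "publisher_verified": sp.get("verifiedPublisher") is not None,
            # offline_access means a refresh token: access outlives password resets
            "refresh_token": "offline_access" in scopes,
        })
    return findings


def risk_score(finding):
    """Heuristic ranking (weights are an assumption): unverified publisher and
    tenant-wide reach weigh most; a single-user consent and a refresh token add to it."""
    score = len(finding["scopes"])
    if not finding["publisher_verified"]:
        score += 3
    if finding["tenant_wide"]:
        score += 3
    if finding["consented_by"] != "admin":
        score += 2
    if finding["refresh_token"]:
        score += 1
    return score


def ranked_findings(service_principals=SERVICE_PRINCIPALS, grants=GRANTS):
    """Findings ordered from highest to lowest risk score."""
    return sorted(mail_file_readers(service_principals, grants), key=risk_score, reverse=True)


if __name__ == "__main__":
    for f in ranked_findings():
        print(f"{risk_score(f):>2}  {f['app']:<24} scopes={','.join(f['scopes'])} "
              f"consent={f['consented_by']} verified={f['publisher_verified']}")
```

Against a real tenant the two input lists would come from the Graph oauth2PermissionGrants and servicePrincipals collections; the value of keeping the query as plain data is that the same ranking can be re-run against exported JSON during an incident, without tenant access.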

The DOJ's July 2024 indictment of five FSB-linked individuals (Case No. 1:24-cr-00221, D.D.C.) for the WhisperGate campaign against Ukraine targets is a different actor cluster but reinforces the pattern that state-sponsored Russian operators increasingly work through identity and cloud rather than on-premises implants.

What advisories and reports define the current public picture?

The authoritative set: NCSC-UK/CISA/NSA/FBI joint advisory on APT29 cloud TTPs (February 2024), Microsoft's January-March 2024 Midnight Blizzard disclosures, Microsoft's August 2024 Threat Intelligence report on device-code phishing, Volexity's February 2025 report on APT29 device-code operations against think tanks, and Mandiant's 2024 "M-Trends" APT29 section.

Supplementing those: the CSRB Storm-0558 report (April 2024) for structurally adjacent lessons, CISA's 2024 Secure Cloud Business Applications (SCuBA) baselines for Microsoft 365 and Google Workspace as the current federal hardening reference, and CISA's October 2024 ENCORE guidance on identity-centric monitoring.

What detections catch APT29 in 2026?

Four detection families carry the load. First, sign-in anomaly detection tuned for legacy authentication from geographies or user agents inconsistent with the user's baseline — Microsoft Entra's Identity Protection signals cover this if configured. Second, OAuth consent monitoring for newly registered applications with high-privilege scopes, especially those created by non-admin users. CISA SCuBA baselines include this as a mandatory check.

Third, device-code flow alerts. The flow is legitimate — useful for CLI and IoT — but a flow initiated from one geography and completed from another in a short window is the APT29 signature. Fourth, service principal creation auditing. Every new SP should be attributable to a change ticket; the ones that are not should surface immediately.

How Safeguard.sh Helps

Safeguard.sh treats identity and SaaS integrations as supply chain components. Eagle detection inventories OAuth applications, service principals, federated relationships, and legacy authentication exposures across major identity providers, scoring each against the NCSC/CISA APT29 TTP set and CISA SCuBA baselines. Configuration drift — a legacy test tenant lacking MFA, an OAuth app with unused mail.read scope — surfaces as an actionable finding tied to the specific TTP it enables.

The zero-day pipeline watches identity-provider advisories, researcher disclosures on consent-grant exploits, and exploit broker traffic; when a new technique emerges, the affected tenants and integrations are flagged automatically. SBOM lineage extends beyond code to include OAuth application manifests and their permission scopes, so defenders can answer "which apps in our tenant can read mail?" in seconds.

For TPRM, Safeguard.sh tracks SaaS vendors whose OAuth applications operate in your tenants, monitors their publisher verification status, and alerts when a vendor's app scopes expand. Lino compliance mapping aligns SCuBA baselines, NIST SP 800-207 zero-trust guidance, and FedRAMP Rev. 5 identity controls with your concrete configuration evidence. Griffin AI remediation proposes the specific conditional-access policy, consent-grant revocation, or service-principal retirement needed to close an APT29-class exposure, with an audit trail that stands up to regulator review.
