Midnight Blizzard — the threat actor most public reporting also knows as APT29, Cozy Bear, or Nobelium, attributed by the US and UK governments to Russia's SVR — has spent a long time inside Microsoft. The intrusion that Microsoft disclosed on January 19, 2024 turned out, as more detail emerged through that spring, to be substantially broader and longer-running than the first press release suggested. This post reconstructs what is publicly known about the timeline, pulling from Microsoft's own disclosures, the US Cybersecurity and Infrastructure Security Agency's emergency directive, and the reporting from federal agencies whose correspondence with Microsoft was exfiltrated.
November 2023: The Initial Password Spray
The intrusion began in late November 2023. Midnight Blizzard ran a password spray against a legacy non-production test tenant that had been created years earlier and never retired. The account the attackers landed on was a legacy OAuth application with elevated privileges in Microsoft's corporate environment. Critically, this account did not have multi-factor authentication enabled — a control that Microsoft's current policy would have required for any new account, but the account predated that policy.
Password spray as an initial technique is significant because it is slow and, across the whole account list, noisy: it works when detection is not looking at the right dimension. Microsoft's public post-incident analysis acknowledged that the spray went undetected because the volume per account was low and the source IP infrastructure was a residential proxy network that blended with normal traffic.
December 2023: Lateral Movement and OAuth Abuse
Once inside the legacy tenant, the attackers used its OAuth application to grant themselves the full_access_as_app permission to Office 365 Exchange Online. This is a powerful permission that, for historical reasons, existed in older application registrations and had not been scoped down. From there, Midnight Blizzard created additional malicious OAuth applications, authenticated to them using credentials they controlled, and began reading mailboxes.
The mailbox selection was targeted. The attackers went after a small number of senior leadership mailboxes at Microsoft, the cybersecurity team itself, the legal team, and several other corporate functions. The purpose, Microsoft later assessed, was to determine what Microsoft knew about Midnight Blizzard.
January 12, 2024: Detection
Microsoft's security team detected the intrusion on January 12, 2024. The detection happened when routine log review caught an unusual OAuth consent grant pattern. Incident response was activated immediately, the malicious OAuth applications were revoked, and the legacy test tenant was locked down.
Microsoft's outside counsel notified the Securities and Exchange Commission, and on January 19, 2024, Microsoft filed an 8-K disclosure and published a blog post. The initial disclosure described the intrusion as limited in scope: a small percentage of corporate mailboxes had been accessed, and the attack did not affect customer-facing production systems or customer data.
January 25, 2024: Microsoft Expands the Scope
Six days after the initial disclosure, Microsoft published a follow-up that was noticeably broader. The company acknowledged that Midnight Blizzard had used the same password spray technique to attempt access to other organizations and was using the stolen email data to identify additional targets. Hewlett Packard Enterprise disclosed its own Midnight Blizzard intrusion on January 24 — a separate but contemporaneous event, also involving cloud-based email.
March 8, 2024: The Source Code Disclosure
The most consequential update landed on March 8, 2024. Microsoft filed a second 8-K disclosing that Midnight Blizzard had, in fact, used information exfiltrated from the corporate mailboxes — including secrets shared between Microsoft and customers — to attempt further access. The attackers had accessed some Microsoft source code repositories and internal systems. Microsoft stated that, as of the filing, there was no evidence that any customer-facing systems had been compromised, but the qualifier "as of the filing" was doing work.
Source code access is the pivot point in this story. If the attackers had Microsoft source, they could plausibly find zero-days in Microsoft products — a classic supply chain trajectory.
April 2024: CISA Emergency Directive 24-02
On April 2, 2024, CISA issued Emergency Directive 24-02, titled "Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System." The directive required all US federal civilian executive branch agencies to treat any Microsoft-provided email correspondence that had been exfiltrated as potentially compromised. Agencies had to reset credentials for any authentication token that had been shared via email with Microsoft, review logs for signs of compromise, and report back to CISA within specific deadlines.
The scope implied by the directive was striking. CISA was acknowledging, on the public record, that Midnight Blizzard had exfiltrated email correspondence between Microsoft and an unspecified number of federal agencies, and that the contents of those emails were sensitive enough to warrant an emergency response.
April 11, 2024: The Cyber Safety Review Board Report
A separate but related report landed on April 2, 2024, from the US Cyber Safety Review Board. This report covered the Storm-0558 intrusion — a different Microsoft incident from 2023, in which a China-attributed actor stole a Microsoft Services Account key and used it to forge authentication tokens against multiple cloud email accounts, including those of the State Department and Commerce Department. The CSRB concluded that the Storm-0558 intrusion was "preventable" and delivered a stinging assessment of Microsoft's security culture. The report was not about Midnight Blizzard, but it landed in the same news cycle and colored how Midnight Blizzard was received.
Mid-2024: Continued Targeting
Through spring and summer 2024, Microsoft's threat intelligence team published further detail about Midnight Blizzard's ongoing operations. The actor was using the same techniques — OAuth abuse, cloud email targeting, residential proxies — against a range of non-Microsoft targets, including US and European government agencies and NGOs.
What Actually Went Wrong
Several failures stacked to produce this outcome, and none of them are exotic.
A legacy test tenant with a privileged OAuth application and no MFA existed for years without being retired. This is the classic "we'll clean that up later" artifact. The initial blast radius of the intrusion was determined entirely by what that tenant could reach, and because the application had full_access_as_app, it could reach a lot.
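The December chain (a new user account, consent to an attacker-controlled application, then a full_access_as_app grant from the legacy application) and the consent-grant pattern that caught it in January are easier to reason about as audit events. What follows is an added example, not Microsoft's code or telemetry: three checks run over a constructed, simplified audit event list, where the field names and activity strings are assumptions for the example rather than the real audit log schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit events (assumed field names, not a real audit log schema).
# The order mirrors the chain described above: new user -> new app -> consent -> mail role grant.
EVENTS = [
    {"ts": "2023-12-03T01:10:00Z", "activity": "Add user", "actor": "legacy-test-app", "target": "svc-helper"},
    {"ts": "2023-12-03T01:12:30Z", "activity": "Add application", "actor": "svc-helper", "target": "MailSyncHelper"},
    {"ts": "2023-12-03T01:13:05Z", "activity": "Consent to application", "actor": "svc-helper", "target": "MailSyncHelper"},
    {"ts": "2023-12-03T01:15:40Z", "activity": "Add app role assignment", "actor": "legacy-test-app",
     "target": "MailSyncHelper", "role": "full_access_as_app", "resource": "Office 365 Exchange Online"},
    # Routine consent by a long-standing admin to a long-standing app: should not be flagged.
    {"ts": "2023-12-05T14:02:00Z", "activity": "Consent to application", "actor": "admin-jane", "target": "TicketingPortal"},
]

# Application permissions that give tenant-wide mailbox access; any grant deserves review.
HIGH_RISK_ROLES = {"full_access_as_app"}

def _t(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")

def detect_oauth_abuse(events, new_object_age=timedelta(hours=24)):
    """Return (rule, ts, subject) findings for the consent / role-grant pattern.

    Rules: consent performed by an account created less than new_object_age earlier,
    consent granted to an application registered less than new_object_age earlier,
    and any app role assignment of a high-risk role, whoever granted it."""
    created = {}                      # object name -> (creation time, created by)
    findings = []
    for e in sorted(events, key=_t):
        act, ts = e["activity"], _t(e)
        if act in ("Add user", "Add application"):
            created[e["target"]] = (ts, e["actor"])
        elif act == "Consent to application":
            for obj, rule in ((e["actor"], "consent-by-new-account"),
                              (e["target"], "consent-to-new-app")):
                if obj in created and ts - created[obj][0] <= new_object_age:
                    findings.append((rule, e["ts"], f"{obj} (created by {created[obj][1]})"))
        elif act == "Add app role assignment" and e.get("role") in HIGH_RISK_ROLES:
            findings.append(("high-risk-app-role", e["ts"], f'{e["target"]}:{e["role"]}'))
    return findings
```

The "created by" field in each finding is what ties the consenting user back to the legacy application that minted it, which is the pivot an analyst needs when deciding what to revoke first.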
Password spray is a slow, ten-year-old technique. It worked because detection thresholds were tuned for volume rather than pattern. When an attacker makes one attempt per account across a wide list of accounts from a rotating residential proxy, most SIEM rules do not fire.
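An added example of the volume-versus-pattern point above (and of the detection gap described in the November section), not code from Microsoft or from any product: a lockout-style rule and a pattern rule are run over constructed sign-in records in which each account fails once from a different address. Only the pattern rule fires, and a triage step then lists the accounts that authenticated successfully during the spray window. The record format is an assumption made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real telemetry): "timestamp account source_ip result".
# One failure per account, each from a different address, spread across an hour.
LOG = """\
2023-11-28T02:00:05Z alice 203.0.113.10 FAIL
2023-11-28T02:07:41Z bob 198.51.100.22 FAIL
2023-11-28T02:15:09Z carol 203.0.113.77 FAIL
2023-11-28T02:22:50Z dave 192.0.2.140 FAIL
2023-11-28T02:30:12Z erin 198.51.100.9 FAIL
2023-11-28T02:38:33Z frank 203.0.113.201 FAIL
2023-11-28T03:01:44Z legacy-test 192.0.2.88 SUCCESS
"""

def parse(text):
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), acct, ip, res)
            for ts, acct, ip, res in (line.split() for line in text.splitlines())]

def volume_rule(rows, threshold=5, window=timedelta(minutes=10)):
    """Lockout-style rule: N failures for one account (or from one IP) inside a window."""
    hits = set()
    for pick in (lambda r: r[1], lambda r: r[2]):      # group by account, then by source IP
        seen = defaultdict(list)
        for row in rows:
            if row[3] != "FAIL":
                continue
            seen[pick(row)].append(row[0])
            if sum(1 for t in seen[pick(row)] if row[0] - t <= window) >= threshold:
                hits.add(pick(row))
    return hits

def spray_rule(rows, min_accounts=6, max_per_account=2, window=timedelta(hours=2)):
    """Pattern rule: many distinct accounts each failing a few times; source IP is ignored on purpose."""
    fails = [(ts, acct) for ts, acct, _ip, res in rows if res == "FAIL"]
    for i, (start, _) in enumerate(fails):
        counts = defaultdict(int)
        for ts, acct in fails[i:]:
            if ts - start > window:
                break
            counts[acct] += 1
        if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
            return {"window_start": start, "accounts": sorted(counts)}
    return None

def successes_during(rows, finding, window=timedelta(hours=2)):
    """Triage step: accounts that authenticated successfully while the spray was running."""
    start = finding["window_start"]
    return sorted(acct for ts, acct, _ip, res in rows
                  if res == "SUCCESS" and start <= ts <= start + window)
```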
Source code repositories were reachable from corporate identity. There is a reasonable architectural case for this — developers need access — but it means that an identity compromise escalates into a source compromise without a second trust boundary.
The initial disclosure understated the scope. This is not unusual during incident response — visibility expands as forensics progresses — but the gap between the January 19 and March 8 disclosures was large enough that customers who made decisions on January 19 had to redo them in March.
How Safeguard Helps
Safeguard treats vendor incidents like Midnight Blizzard as events that evolve — an initial disclosure rarely tells the whole story, and customers need a system that updates alongside public reporting. The platform correlates vendor advisories with the specific integrations, OAuth grants, and service accounts in your environment, so that when a follow-up disclosure reveals new scope, the blast radius against your tenant is recomputed automatically. Safeguard also surfaces legacy OAuth applications with broad permissions and flags any service that has not enforced MFA — the exact preconditions that Midnight Blizzard exploited. Combined with source-code provenance monitoring, this gives security teams a way to know, rather than guess, whether a state-sponsored intrusion at a major vendor has reached into their own perimeter.