CVE-2025 Breach Analysis: Midnight Blizzard and the 16 Billion Credential Leak
A technical breakdown of two of the most significant 2025 security events: the Microsoft Midnight Blizzard breach (Russian state-sponsored APT29 compromising C-suite email) and the record-breaking 16 billion credential leak from infostealer malware campaigns.
Two security events in 2025 will define the decade's threat landscape. The first is a nation-state compromise of Microsoft's corporate network targeting C-suite executives. The second is the largest credential leak in history: 16 billion username/password pairs assembled from infostealer malware across 30 databases. They reveal a common thread: legacy trust assumptions are the attacker's path of least resistance.
This post walks through both attack chains with a technical lens, then extracts the defensive patterns that matter for any organization.
Case Study 1: Midnight Blizzard (APT29)
The Attacker
Midnight Blizzard is Microsoft's designation for a Russian state-sponsored threat actor tracked elsewhere as NOBELIUM, APT29, or Cozy Bear. This is the same group behind the 2020 SolarWinds compromise. Their hallmark: patience, operational security, and living off the land.
Initial Access: The Legacy OAuth Test Application
The attack began with a password spray against a legacy OAuth test application, not any production system. Microsoft disclosed that this application had:
- Elevated OAuth permissions granted years prior for testing purposes
- No multi-factor authentication (MFA) enforcement
- No activity monitoring (it was considered "test infrastructure")
- Credentials hardcoded in a script that was never rotated
Attack Timeline:
1. Password spray compromises the legacy OAuth test app (no MFA, elevated permissions, unmonitored)
2. Abuse the app's OAuth permissions to create malicious apps and grant them consent to read mail via the Microsoft Graph API
3. Access corporate Exchange Online mailboxes (targets: C-suite, security team, legal)
4. Exfiltrate emails over months, undetected because of monitoring gaps on OAuth activity
The critical insight: the OAuth test application had been granted Mail.Read and Mail.ReadWrite permissions years earlier. These are delegated permissions that allow the application to act as the signed-in user. Once attackers controlled the test app's credentials, they could authenticate as any user who had consented to the app, which included several high-value targets.
Lateral Movement via OAuth Permission Sprawl
OAuth in enterprise environments creates a unique attack surface. Applications accumulate permissions over years: a CI/CD pipeline needs Mail.Send, a QA tool needs User.Read.All, a legacy app needs Files.ReadWrite.All. These permissions persist long after the app's original purpose is forgotten.
Microsoftβs breach exposed exactly this:
"The attacker leveraged existing OAuth applications for persistence, creating new malicious OAuth applications that could access Microsoft corporate email without triggering normal security alerts." (Microsoft Security Response Center)
The permission sprawl meant that even after discovering the initial compromise, Microsoft had to audit every OAuth application in their tenant (thousands of them) to determine which apps had legitimate permissions and which were planted by the attacker.
The Exploitation Chain
```python
# Pseudocode: How the attacker abused OAuth. The helper functions are
# placeholders that stand in for the Entra/Graph operations, not a real SDK.

# Step 1: Log in with compromised test app credentials
session = login("test-qa-app@microsoft.com", "P@ssw0rd2020")

# Step 2: Use the app's elevated permissions to create a new app
new_app = create_oauth_application(session, name="MailBackupService")

# Step 3: Grant the new app high-value permissions
new_app.grant_permissions([
    "https://graph.microsoft.com/Mail.Read",
    "https://graph.microsoft.com/Mail.ReadWrite",
    "https://graph.microsoft.com/User.Read.All",
])

# Step 4: Add target mailboxes (C-suite, security team)
# Done via admin consent grant, so no user interaction is needed
targets = [
    "ceo@microsoft.com",
    "ciso@microsoft.com",
    "legal@microsoft.com",
]
admin_consent(new_app.id, targets)

# Step 5: Exfiltrate
for user in targets:
    emails = graph_api.get_messages(user, top=1000)
    exfiltrate(emails)
```
The OAuth consent grant attack surface is particularly dangerous because admin-consented permissions bypass user interaction entirely. An attacker who can perform an admin consent grant can silently give their malicious app access to every mailbox in the tenant.
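The defensive counterpart to the chain above is watching the tenant's audit trail for exactly these events: an app registration followed shortly by an admin consent that grants mail scopes. The following is an added example, not code from the original post or from Microsoft. It runs over constructed audit-log records in a simplified shape (activity, actor, app, props) modelled on Entra audit-log fields such as activityDisplayName and modifiedProperties; the MAIL_SCOPES set and the one-hour REGISTER_TO_CONSENT_WINDOW are assumptions to tune per tenant.

```python
"""Flag risky OAuth consent activity in Microsoft Entra audit-log events.

Added example, not code from the original post or from Microsoft. The event
records are constructed and use a simplified shape (activity, actor, app,
props) modelled on Entra audit-log fields such as activityDisplayName and
modifiedProperties; MAIL_SCOPES and REGISTER_TO_CONSENT_WINDOW are assumptions.
"""
from datetime import datetime, timedelta

# Scopes whose grant should always be reviewed (assumption: tune per tenant)
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}
# An app registered and then consented to within this window by the same
# actor matches the register-then-consent pattern in the attack chain
REGISTER_TO_CONSENT_WINDOW = timedelta(hours=1)

# Constructed sample events (timestamps, UPNs and app names are made up)
SAMPLE_EVENTS = [
    {"ts": "2025-01-12T02:10:00Z", "activity": "Add application",
     "actor": "test-qa-app@example.com", "app": "MailBackupService", "props": {}},
    {"ts": "2025-01-12T02:25:00Z", "activity": "Consent to application",
     "actor": "test-qa-app@example.com", "app": "MailBackupService",
     "props": {"ConsentContext.IsAdminConsent": "True",
               "ConsentAction.Permissions": "Mail.Read Mail.ReadWrite User.Read.All"}},
    {"ts": "2025-01-12T09:00:00Z", "activity": "Consent to application",
     "actor": "alice@example.com", "app": "Calendar Sync",
     "props": {"ConsentContext.IsAdminConsent": "False",
               "ConsentAction.Permissions": "Calendars.Read"}},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_consent_abuse(events):
    """Return a list of (severity, app, reason) alerts, in event order."""
    alerts = []
    registrations = {}  # (actor, app) -> time of the "Add application" event
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        ts = _parse_ts(ev["ts"])
        key = (ev["actor"], ev["app"])
        if ev["activity"] == "Add application":
            registrations[key] = ts
            continue
        if ev["activity"] != "Consent to application":
            continue
        scopes = set(ev["props"].get("ConsentAction.Permissions", "").split())
        is_admin = ev["props"].get("ConsentContext.IsAdminConsent") == "True"
        mail = sorted(scopes & MAIL_SCOPES)
        if mail:
            # Admin consent to mail scopes needs no user interaction, so it is
            # the highest-signal event; user consent still deserves a review.
            severity = "high" if is_admin else "medium"
            alerts.append((severity, ev["app"],
                           f"{'admin' if is_admin else 'user'} consent to {mail} by {ev['actor']}"))
        registered = registrations.get(key)
        if registered is not None and ts - registered <= REGISTER_TO_CONSENT_WINDOW:
            alerts.append(("medium", ev["app"],
                           f"registered and consented within {ts - registered} by {ev['actor']}"))
    return alerts


if __name__ == "__main__":
    for severity, app, reason in detect_consent_abuse(SAMPLE_EVENTS):
        print(f"[{severity}] {app}: {reason}")
```

On the constructed input the test app's registration-then-admin-consent produces two alerts and the ordinary user consent to Calendars.Read produces none; in a real tenant the same two rules would be fed from the audit log export rather than an inline list.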
Case Study 2: The 16 Billion Credential Leak
The Datasets
In June 2025, researchers at CyberNews identified a collection of 30 distinct credential databases hosted on a dark web forum, containing 16,188,195,449 records, the largest credential compilation ever assembled.
| Dataset | Records | Source |
|---|---|---|
| RockYou2025 | 10,315,428,023 | Aggregated from previous breaches |
| Naz.API | 2,542,351,745 | Infostealer logs (RedLine, Vidar, Raccoon) |
| COMB (2024) | 1,200,000,000 | Composite of client data breaches |
| Onliner spambot | 711,000,000 | SMTP credential harvest |
| Collection #1-5 | 1,200,000,000 | Various breach aggregations |
The 16B figure is largely deduplicated within each database but not across them. The unique credential count is estimated at 4 to 6 billion entries.
How Infostealers Built the Dataset
Infostealer malware campaigns are the backbone operation here. The three most active families:
RedLine Stealer: A commodity infostealer sold on Telegram for ~$150/month. It targets browser credential stores, cryptocurrency wallets, VPN configurations, and FTP client saved passwords. RedLine operators use cracked game installs, fake cracked software on YouTube, and torrent seeds as distribution vectors.
RedLine Capabilities:
- Browser credential extraction (Chrome, Edge, Firefox, Brave, Opera)
  - Browses %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data
- Crypto wallet enumeration
  - Targets: MetaMask, Exodus, Electrum, Coinbase Wallet
- VPN/SSH config extraction
  - Targets: OpenVPN, WireGuard, Proxifier
- File collection (targeted extensions)
  - *.txt, *.pdf, *.docx, *.xlsx from Documents
- Telegram/session hijacking
  - Steals tdata folder, Discord tokens
Vidar: Targets browser autofill data (names, addresses, phone numbers saved in browsers), email client credentials, and FTP client configurations. It also screenshots the victim's desktop.
Raccoon Stealer (v2): Extracts system information alongside credentials (installed software, running processes, hardware information), creating a device fingerprint profile for each stolen credential set.
The Aggregation Pipeline
```sql
-- PostgreSQL schema for the credential aggregator (reconstructed from forum posts)
CREATE TABLE credential_dumps (
    id SERIAL PRIMARY KEY,
    source VARCHAR(50),          -- "rockyou2025", "naz_api", "comb_2024"
    email VARCHAR(255),
    password_hash VARCHAR(255),  -- Various: plaintext, NTLM, SHA1, bcrypt
    password_plaintext TEXT,     -- Most passwords stored as-is
    domain VARCHAR(255),         -- Extracted from email domain
    ip_address INET,             -- From infostealer telemetry
    captured_at TIMESTAMP,       -- When the stealer captured it
    imported_at TIMESTAMP DEFAULT NOW(),
    UNIQUE(source, email, password_hash)
);
CREATE INDEX idx_credential_dumps_domain ON credential_dumps(domain);
CREATE INDEX idx_credential_dumps_email ON credential_dumps(email);

-- Attackers query for high-value targets:
SELECT email, password_plaintext, source
FROM credential_dumps
WHERE domain IN ('gmail.com', 'outlook.com', 'yahoo.com')
  AND password_plaintext IS NOT NULL
ORDER BY captured_at DESC
LIMIT 1000000;
```
The economic model is simple: credential stuffing at scale. Attackers buy access to the aggregated database, then use tools like OpenBullet, Sentry MBA, or SilverBullet to test credentials against:
- Banking portals (highest ROI per account)
- Email providers (the password reset pivot)
- Corporate VPNs, Citrix gateways, Okta portals
- AWS/GCP/Azure console logins
Credential stuffing tools can test 50,000+ login attempts per minute using residential proxy networks. With 4+ billion unique credentials, they can cycle through a complete check against a target platform in days.
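Because stuffing traffic arrives through residential proxies with clean IP reputation, the useful signal is behavioural: one source trying many distinct usernames with an almost total failure rate inside a short window. The following is an added example, not code from the original post or from any of the tools it names. The log line format, the thresholds (5-minute window, 10 distinct users, 90% failure ratio) and the sample log are all constructed; the regex would be adapted to the identity provider's real log format.

```python
"""Behaviour-based credential-stuffing detection over authentication logs.

Added example, not code from the original post or from any of the tools it
names. The log line format, the thresholds and the sample log are all
constructed for illustration; adapt LINE_RE to your identity provider's log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Detection thresholds (assumptions): a source that fails against many
# distinct usernames inside a short window looks like stuffing regardless of
# whether its IP reputation is clean (residential proxies are).
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 10
MIN_FAIL_RATIO = 0.9

# Constructed sample log: 203.0.113.5 cycles through 12 accounts and fails
# every time; 198.51.100.7 is one user who mistypes once, then succeeds.
SAMPLE_LOG = "\n".join(
    [f"2025-06-01T10:00:{i:02d}Z ip=203.0.113.5 user=user{i}@example.com result=FAIL"
     for i in range(12)]
    + ["2025-06-01T10:00:30Z ip=198.51.100.7 user=alice@example.com result=FAIL",
       "2025-06-01T10:00:40Z ip=198.51.100.7 user=alice@example.com result=OK"]
)


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; skip lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["ip"], m["user"], m["result"] == "OK")


def detect_stuffing(events):
    """Return {ip: (distinct_users, failures, attempts)} for sources that
    exceed the thresholds within any sliding WINDOW."""
    windows = defaultdict(deque)  # ip -> recent (ts, user, success) in the window
    flagged = {}
    for ts, ip, user, ok in sorted(events, key=lambda e: e[0]):
        q = windows[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        attempts = len(q)
        failures = sum(1 for _, _, s in q if not s)
        distinct = len({u for _, u, _ in q})
        if distinct >= MIN_DISTINCT_USERS and failures / attempts >= MIN_FAIL_RATIO:
            # Keep the worst observation per source
            prev = flagged.get(ip)
            if prev is None or distinct > prev[0]:
                flagged[ip] = (distinct, failures, attempts)
    return flagged


if __name__ == "__main__":
    for ip, (distinct, failures, attempts) in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {distinct} usernames, {failures}/{attempts} failures in {WINDOW}")
```

The per-source window deliberately keys on distinct usernames rather than raw attempt count, so a legitimate user retrying a forgotten password is never flagged while a proxy node working through a credential list is, even at a modest request rate.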
Common Patterns Across Both Breaches
Unpatched Edge Devices and Legacy Systems
Both attacks exploited systems that organizations had forgotten:
- Midnight Blizzard: a legacy OAuth test app with no MFA
- The credential leak: infostealers targeting passwords that users set years ago and never changed
The pattern: attackers find the oldest, least monitored system because it has the weakest security controls.
OAuth Permission Sprawl (Midnight Blizzard Specific)
Two lessons:
- Audit all OAuth applications: every app with Mail.Read or Mail.Send is a potential pivot point
- Remove unused permissions: Azure AD and Entra ID let you review and revoke delegated permissions, but most organizations never do
Credential Reuse (Credential Leak Specific)
The 2025 credential leak confirmed what security researchers have known for decades: password reuse is the root cause of most account takeovers. Analysis of the dataset showed:
Password reuse statistics (from the 16B credential corpus):
| Metric | Value |
|---|---|
| Users with unique passwords | 18% |
| Passwords matching "123456", "password", or "qwerty" | 2.3% |
| Credentials appearing in 3+ different breach databases | 41% |
| Passphrases (20+ chars, mixed case + special chars) | 0.8% |
Lessons for Defenders
1. Zero Trust: Assume the Perimeter Is Breached
Midnight Blizzard gave Microsoft the same lesson SolarWinds did: if an attacker can authenticate with valid credentials, they're indistinguishable from a legitimate user unless you monitor actual data access patterns.
Zero Trust architecture means every access request must be explicitly verified, regardless of origin. For OAuth, this means:
- Require device-based conditional access: reject token-only auth for sensitive scopes
- Implement session risk scoring: unusual geolocations, impossible travel, anomalous data volumes
- Deploy OAuth-specific monitoring: track new app registrations, permission grants, and token issuance patterns
2. Audit and Rotate Legacy Systems
```shell
# Example: list all OAuth applications in Microsoft Entra ID using the
# Microsoft Graph CLI (mgc). Responses are JSON objects whose "value" array
# holds the applications, so jq filters start at .value[].
mgc applications list --select "id,displayName,passwordCredentials,requiredResourceAccess"

# Apps whose display name suggests test/QA/dev infrastructure
mgc applications list \
  --filter "startsWith(displayName, 'test') or startsWith(displayName, 'qa') or startsWith(displayName, 'dev')" \
  --select "id,displayName" | jq '.value[]'

# Apps requesting Mail.Read or Mail.ReadWrite. requiredResourceAccess holds
# permission GUIDs, not names, so resolve the GUIDs from the Microsoft Graph
# service principal (well-known appId 00000003-0000-0000-c000-000000000000) first.
mgc service-principals list --filter "appId eq '00000003-0000-0000-c000-000000000000'" \
  --select "oauth2PermissionScopes,appRoles" \
  | jq -r '.value[] | (.oauth2PermissionScopes[], .appRoles[]) | select(.value | test("^Mail\\.Read(Write)?$")) | .id' \
  > mail-permission-ids.txt
mgc applications list --select "id,displayName,requiredResourceAccess" \
  | jq --rawfile ids mail-permission-ids.txt \
       '($ids | split("\n") | map(select(length > 0))) as $mail
        | .value[] | select(any(.requiredResourceAccess[].resourceAccess[].id; IN($mail[]))) | {id, displayName}'
```
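The same audit can be done in code once the CLI output is saved, which also makes it easy to add the second check the post calls for: secrets that were set years ago and never rotated. The following is an added example, not code from the original post or from Microsoft. It consumes JSON of the shape returned by `mgc applications list` and `mgc service-principals list` (a top-level "value" array), but the records in it are constructed: the permission GUIDs are placeholders rather than the real Microsoft Graph permission ids, and the one-year MAX_SECRET_AGE threshold, the RISKY_PERMISSIONS set and the AS_OF date are assumptions.

```python
"""Audit Entra app registrations for mail permissions and stale secrets.

Added example, not code from the original post or from Microsoft. Works on
JSON of the shape returned by `mgc applications list` and
`mgc service-principals list` (a "value" array). The records below are
constructed: the permission GUIDs are placeholders, not the real Microsoft
Graph permission ids; MAX_SECRET_AGE, RISKY_PERMISSIONS and AS_OF are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph appId
RISKY_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}  # assumption: tune per tenant
MAX_SECRET_AGE = timedelta(days=365)  # assumption
AS_OF = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the demo is reproducible

# Constructed: the Microsoft Graph service principal, trimmed to the two
# collections that map permission GUIDs to names (placeholder GUIDs).
GRAPH_SP_JSON = json.dumps({"value": [{
    "appId": GRAPH_APP_ID,
    "oauth2PermissionScopes": [
        {"id": "11111111-0000-0000-0000-000000000001", "value": "Mail.Read"},
        {"id": "11111111-0000-0000-0000-000000000002", "value": "User.Read"},
    ],
    "appRoles": [
        {"id": "22222222-0000-0000-0000-000000000001", "value": "Mail.ReadWrite"},
    ],
}]})

# Constructed application list: a forgotten test app with an old secret and
# mail permissions, and a benign app with a fresh secret and User.Read only.
APPS_JSON = json.dumps({"value": [
    {"id": "app-1", "displayName": "test-qa-mail-tool",
     "passwordCredentials": [{"startDateTime": "2020-03-01T00:00:00Z"}],
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "11111111-0000-0000-0000-000000000001", "type": "Scope"},
         {"id": "22222222-0000-0000-0000-000000000001", "type": "Role"}]}]},
    {"id": "app-2", "displayName": "intranet-portal",
     "passwordCredentials": [{"startDateTime": "2025-05-01T00:00:00Z"}],
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "11111111-0000-0000-0000-000000000002", "type": "Scope"}]}]},
]})


def permission_names(graph_sp_json):
    """Map permission GUID -> name using the Graph service principal's
    delegated scopes (oauth2PermissionScopes) and app roles (appRoles)."""
    names = {}
    for sp in json.loads(graph_sp_json)["value"]:
        for entry in sp.get("oauth2PermissionScopes", []) + sp.get("appRoles", []):
            names[entry["id"]] = entry["value"]
    return names


def audit_apps(apps_json, graph_sp_json, now=None):
    """Return {appId: [findings]} for apps that request a risky Graph
    permission or hold a client secret older than MAX_SECRET_AGE."""
    now = now or datetime.now(timezone.utc)
    names = permission_names(graph_sp_json)
    findings = {}
    for app in json.loads(apps_json)["value"]:
        issues = []
        for rra in app.get("requiredResourceAccess", []):
            if rra["resourceAppId"] != GRAPH_APP_ID:
                continue  # only Graph permissions are resolved here
            granted = {names.get(a["id"], a["id"]) for a in rra["resourceAccess"]}
            risky = sorted(granted & RISKY_PERMISSIONS)
            if risky:
                issues.append(f"requests {risky}")
        for cred in app.get("passwordCredentials", []):
            started = datetime.fromisoformat(cred["startDateTime"].replace("Z", "+00:00"))
            if now - started > MAX_SECRET_AGE:
                issues.append(f"secret unrotated since {started.date()}")
        if issues:
            findings[app["id"]] = issues
    return findings


if __name__ == "__main__":
    for app_id, issues in audit_apps(APPS_JSON, GRAPH_SP_JSON, now=AS_OF).items():
        print(app_id, "->", "; ".join(issues))
```

Resolving GUIDs through the service principal is what makes the name-based filter reliable; matching on a substring like "mail.read" inside requiredResourceAccess never works because that field only carries ids.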
For credentials specifically:
- Run a credential scanning service (Have I Been Pwned, Dehashed, or self-hosted with the 16B corpus) against your corporate email domain weekly
- Enforce passkey adoption: FIDO2/WebAuthn eliminates password-based credential theft entirely
- Implement session token revocation: rotate tokens on every privilege escalation
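Credential scanning against a breach corpus does not have to send the password (or even its full hash) to the scanning service. The following is an added example, not code from the original post or from Have I Been Pwned; it implements the k-anonymity range lookup that the Pwned Passwords API uses (send the first five hex characters of the SHA-1, receive every suffix in that range with its count, compare locally). The fetch function is a parameter so the demo runs offline: the range response embedded here is constructed, and its counts are invented.

```python
"""Check a password against a breach corpus via a k-anonymity range lookup.

Added example, not code from the original post or from Have I Been Pwned. It
implements the range protocol the Pwned Passwords API uses and takes the
fetch function as a parameter so it runs offline; FAKE_RANGE_RESPONSE is
constructed and its counts are invented.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed response for prefix 5BAA6 (the prefix of SHA-1("password")).
# Real responses contain hundreds of lines; these counts are made up.
FAKE_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
])


def fetch_range_offline(prefix):
    """Stand-in for the network call; returns the constructed response."""
    return FAKE_RANGE_RESPONSE


def fetch_range_live(prefix):
    """Query the real API (not used by the offline demo). Add-Padding makes
    response sizes uniform so an observer cannot infer the prefix from length."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-breach-checker"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=fetch_range_offline):
    """Return how often the password appears in the corpus (0 = not found).
    Only the 5-character prefix leaves the host; the full hash never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            # Padding entries carry count 0 and never collide with a real suffix
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times")
```

Running the same function against a self-hosted copy of a breach corpus only requires a fetch_range that serves the matching suffixes for a prefix, so the client-side logic and the privacy property stay the same whichever backend holds the data.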
3. Incident Response Realism
Both breaches exposed a gap between IR plans and reality. Midnight Blizzard was detected by Microsoft's security team, not automated alerts. The 16B credential compilation was assembled over years without detection.
An effective IR plan must account for:
- Data exfiltration over months, not hours. Monitor cumulative data transfer volume, not just spikes.
- OAuth and API-based attacks that bypass traditional network monitoring. Log token issuance events, not just HTTP requests.
- Credential stuffing from legitimate residential proxies. Geo-IP blocking is insufficient; behavior-based rate limiting matters more.
4. Specific Technical Controls
Priority Controls (ordered by impact):
| Rank | Control |
|---|---|
| 1 | MFA on ALL accounts (no exceptions, even test apps) |
| 2 | OAuth permission audit (quarterly review + cleanup) |
| 3 | Passwordless authentication (WebAuthn/FIDO2) |
| 4 | Credential scanning against breach databases |
| 5 | API gateway with rate limiting and behavior analysis |
Summary
Midnight Blizzard and the 16B credential leak represent opposite ends of the attack spectrum: one is a sophisticated nation-state operation targeting a single organization; the other is a commoditized crimeware product assembled from millions of individual infections. They share a common defensive lesson: attackers exploit the systems you forgot about.
Audit your test infrastructure. Rotate credentials that were set years ago. Monitor OAuth permissions as carefully as you monitor firewall rules. And most importantly, assume that credentials are already compromised, and build your security model around that assumption.
References
- Microsoft Security Response Center: Midnight Blizzard
- CISA Advisory on APT29
- CyberNews 16B Credential Leak Report
- NIST SP 800-63B: Digital Identity Guidelines