Credential theft
Microsoft corporate email breach by Midnight Blizzard (Nobelium / APT29)
Incident Details
Midnight Blizzard (Russian SVR, also known as Nobelium/Cozy Bear/APT29) conducted a password spray attack in November 2023 against a legacy Microsoft test tenant account that had no MFA enabled. Using that account's permissions, the attackers accessed a small percentage of corporate email accounts, including those of senior executives and of staff in the cybersecurity and legal departments. The intrusion was detected on 12 January 2024 and disclosed on 19 January 2024. A subsequent investigation (March 2024) revealed that the attackers had also accessed some Microsoft source code repositories and internal systems using information exfiltrated from the corporate emails. CISA issued an emergency directive. The breach was part of a broader Midnight Blizzard campaign targeting governments and technology companies.
Technical Details
- Initial Attack Vector
- CWE-307: Improper Restriction of Excessive Authentication Attempts (password spray attack against a legacy non-production test tenant account lacking MFA)
- Vendor / Product
- Microsoft corporate Office 365 email / source code repositories
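Detection logic for the initial attack vector above, added here as an illustration rather than taken from the incident record or from Microsoft: a password spray looks like one source touching many distinct accounts with only one or two failures each, so the detector keys on that shape and then lists any success from the same source on an account that did not satisfy MFA. All IPs, user names and timestamps are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, source IP, user, outcome, MFA satisfied).
# The 198.51.100.7 rows mimic a spray: one guess per account, then a success on an
# account with no MFA. The 203.0.113.9 rows are one user mistyping their own password.
SAMPLE_EVENTS = [
    ("2023-11-01T02:00:01", "198.51.100.7", "alice@corp.example", "FAIL", False),
    ("2023-11-01T02:00:09", "198.51.100.7", "bob@corp.example", "FAIL", False),
    ("2023-11-01T02:00:17", "198.51.100.7", "carol@corp.example", "FAIL", False),
    ("2023-11-01T02:00:25", "198.51.100.7", "dave@corp.example", "FAIL", False),
    ("2023-11-01T02:00:33", "198.51.100.7", "erin@corp.example", "FAIL", False),
    ("2023-11-01T02:00:41", "198.51.100.7", "legacy-test@corp.example", "SUCCESS", False),
    ("2023-11-01T08:15:00", "203.0.113.9", "alice@corp.example", "FAIL", False),
    ("2023-11-01T08:15:20", "203.0.113.9", "alice@corp.example", "FAIL", False),
    ("2023-11-01T08:15:40", "203.0.113.9", "alice@corp.example", "FAIL", False),
    ("2023-11-01T08:16:05", "203.0.113.9", "alice@corp.example", "SUCCESS", True),
]

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Flag source IPs whose failures within any `window` touch at least `min_accounts`
    distinct users with at most `max_per_account` failures each (the spray shape, which
    stays below per-account lockout thresholds), and list any success from that IP in
    the same window on an account that did not satisfy MFA."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome, mfa in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome, mfa))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i in range(len(evs)):
            start = evs[i][0]
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            fails = Counter(u for _, u, o, _ in in_win if o == "FAIL")
            # Many accounts, few tries each: a spray. A single account failing
            # repeatedly (the 203.0.113.9 case) does not match.
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                no_mfa_hits = sorted({u for _, u, o, m in in_win if o == "SUCCESS" and not m})
                findings[ip] = {"sprayed_accounts": len(fails), "no_mfa_success": no_mfa_hits}
                break
    return findings

if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))
```

Any account in `no_mfa_success` is the one to enforce MFA on and review for follow-on activity; the legacy, non-MFA test tenant in this incident is exactly that case.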
Timeline
- 2023-11-01 Breach occurred
- 2024-01-19 Publicly disclosed
- 2024-03-08 Customers notified