Microsoft has warned customers that some of their emails were accessed by Russian hackers during a breach of its internal systems in late 2023, after initially stating that only its internal communications were exposed.
On 19 January 2024, Microsoft notified customers it had detected a cyber attack on its corporate email system.
The attack, carried out by Russian state-affiliated hacking group Midnight Blizzard, also known as Nobelium, began in November 2023, reportedly using a password spraying technique to compromise a legacy account.
Once the attackers gained a foothold within Microsoft’s corporate network, they used the account’s permissions to access what the company described as “a very small percentage” of Microsoft corporate email accounts.
These accounts included some belonging to members of its senior leadership team as well as staff from the tech giant’s security and legal teams.
Microsoft noted the attackers appeared to be focused on finding and exfiltrating any information Microsoft had pertaining to the threat collective and their malicious activities.
In March 2024, Microsoft told customers in an update that it had observed evidence of the threat actors using the information exfiltrated during the initial breach to attempt to gain further unauthorized access to its environments, including some of the firm’s source code repositories and internal systems.
Now, more than six months after the initial incident, Microsoft is informing certain users that their emails were also compromised during the breach.
According to a statement provided to Bloomberg, Microsoft is currently in the process of notifying those customers who corresponded with its corporate email accounts and thus had their communications exposed.
A Microsoft spokesperson told Reuters it was sharing the compromised emails with its customers to give them more information, stressing its commitment to keeping them in the loop as the situation develops.
“This is increased detail for customers who have already been notified and also included new notifications… we’re committed to sharing information with our customers as our investigation continues.”
ITPro has approached Microsoft for clarification on how many customers were impacted by the breach, and the number of emails the hackers were able to steal.
Microsoft is battling on all fronts over security failures
This latest disclosure comes amid intense scrutiny of the firm’s cyber practices, with a series of high profile incidents raising questions around the company’s security posture.
Earlier this year, a report from the Cyber Safety Review Board heavily criticized Microsoft’s conduct in response to the Summer 2023 Exchange Intrusion, which saw state-backed Chinese threat actors gain access to the mailboxes of over 500 individuals at 22 different organizations.
Many of the individuals exposed during the breach were senior US government officials, including Secretary of Commerce Gina Raimondo and Ambassador to China R. Nicholas Burns.
The report slammed the tech giant for a “cascade of security failures” and a “lax corporate culture” that deprioritized enterprise security investments and rigorous risk management.
Giving testimony to the US House Committee on Homeland Security, Microsoft president Brad Smith recently acknowledged Microsoft’s role in developing and maintaining many of the systems that underpin critical infrastructure in the nation.
Smith promised the company would be taking additional steps to address its security shortcomings, one of which was tying senior executive pay to meeting internal security targets to ensure leaders prioritize security outcomes, regardless of their vertical.