Microsoft has warned customers that some of their emails were accessed by Russian hackers during a breach on its internal systems in late 2023, after initially stating that only its internal communications were exposed.
On 19 January 2024, Microsoft notified customers it had detected a cyber attack on its corporate email system.
The attack, leveraged by Russian state-affiliated hacking group Midnight Blizzard, also known as Nobelium, began in November 2023, reportedly using a password spraying technique to compromise a legacy account.
Once the attackers gained a foothold within Microsoft’s corporate network, they used the account’s permissions to access what it described as “a very small percentage” of Microsoft corporate email accounts.
These accounts included some belonging to members of its senior leadership team as well as staff from the tech giant’s security and legal teams.
Microsoft noted the attackers appeared to be focused on finding and exfiltrating any information Microsoft had pertaining to the threat collective and their malicious activities.
In March 2024, Microsoft updated customers that it had observed evidence of the threat actors using the information exfiltrated during the initial breach to attempt to gain further unauthorized access to its environments, including some of the firm’s source code repositories and internal systems.
Now, more than six months after the initial incident, Micorosft is informing certain users that their emails were also compromised during the breach.
According to a statement provided to Bloomberg, Microsoft is currently in the process of notifying those customers who corresponded with its corporate email accounts and thus had their communications exposed.
A Microsoft spokesperson told ITPro it was sharing the compromised emails with customers to give them more details on the scope of the information accessed by threat actors. The company stressed its continued commitment to keeping them in the loop as the situation develops.
“This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor," the spokesperson said.
"This is increased detail for customers who have already been notified and also includes new notifications. As we said previously, we’re committed to sharing information with our customers as our investigation continues.”
Microsoft is battling on all fronts over security failures
This latest disclosure comes amid intense scrutiny of the firm’s cyber practices, with a series of high profile incidents raising questions around the company’s security posture.
Earlier this year, a report from the Cyber Safety Review Board heavily criticized Microsoft’s conduct in response to the Summer 2023 Exchange Intrusion, which saw state-backed Chinese threat actors gain access to the mailboxes of over 500 individuals at 22 different organizations.
Many of the individuals exposed during the breach were senior US government officials, including Secretary of State of Commerce Gina Raimondo and Ambassador to China R. Nicholas Burns.
The report slammed the tech giant for a “cascade of security failures” and a “lax corporate culture” that deprioritized enterprise security investments and rigorous risk management.
Giving testimony to the US House Committee on Homeland Security, Microsoft president Brad Smith recently acknowledged Microsoft’s role in developing and maintaining many of the systems that underpin critical infrastructure in the nation.
Smith promised the company would be taking additional steps to improve its security shortcomings, one of which was tying senior executive pay to meeting internal security targets to ensure leaders prioritize security outcomes, regardless of their vertical.
