Dive Brief:
- Microsoft has notified additional enterprise customers this week that a password-spray campaign by the state-linked Midnight Blizzard threat group led to a compromise of their emails.
- Microsoft also provided additional detail to other customers that were previously notified about the intrusions. Customers who received the notifications took to social media, as they feared they were being potentially phished. The new disclosures were first reported by Bloomberg.
- “This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor,” the company said in an emailed statement. “This is increased detail for customers who have already been notified and also includes new notifications.”
Dive Insight:
Midnight Blizzard, a group linked to the 2020 Sunburst attacks and also known as Nobelium, stole information from numerous senior executives at Microsoft starting in November 2023 and used that information to hack into customer accounts.
The notifications mark the latest in a series of rolling disclosures by Microsoft since the hacks were originally discovered in January. Midnight Blizzard used a series of password-spray attacks to compromise a legacy, non-production test tenant account.
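Password spraying, the vector named above, is wide and shallow: one source tries a few common passwords against many accounts, so no single account racks up enough failures to trip a lockout. As an added illustration that is not part of this article or of Microsoft's own tooling, the Python below flags such a source in constructed sign-in records (the field names, addresses and account names are assumptions for the example) and lists any later successful sign-in from that source, which here lands on a legacy test account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real Microsoft logs): one source fans
# out across many accounts with a single guess each (a spray) and then succeeds
# against a legacy test account; a second source is one user retyping a password.
SAMPLE_LOG = [
    {"ts": "2024-06-27T09:00:01", "user": "alice@example.com", "src": "203.0.113.7", "ok": False},
    {"ts": "2024-06-27T09:00:09", "user": "bob@example.com", "src": "203.0.113.7", "ok": False},
    {"ts": "2024-06-27T09:00:15", "user": "carol@example.com", "src": "203.0.113.7", "ok": False},
    {"ts": "2024-06-27T09:00:22", "user": "dave@example.com", "src": "203.0.113.7", "ok": False},
    {"ts": "2024-06-27T09:00:30", "user": "erin@example.com", "src": "203.0.113.7", "ok": False},
    {"ts": "2024-06-27T09:00:41", "user": "test-legacy@example.com", "src": "203.0.113.7", "ok": True},
    {"ts": "2024-06-27T09:05:00", "user": "frank@example.com", "src": "198.51.100.2", "ok": False},
    {"ts": "2024-06-27T09:05:20", "user": "frank@example.com", "src": "198.51.100.2", "ok": False},
    {"ts": "2024-06-27T09:05:40", "user": "frank@example.com", "src": "198.51.100.2", "ok": True},
]


def detect_password_spray(records, min_accounts=5, window=timedelta(minutes=10)):
    """Flag source addresses whose failed sign-ins touch at least `min_accounts`
    distinct accounts inside a sliding time window. A spray is wide and shallow,
    so counting distinct accounts per source (not failures per account) is what
    separates it from a single user mistyping their own password."""
    failures_by_src = defaultdict(list)
    for r in records:
        if not r["ok"]:
            failures_by_src[r["src"]].append((datetime.fromisoformat(r["ts"]), r["user"]))
    alerts = {}
    for src, fails in failures_by_src.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                # Any success from the same source after the spray began is the
                # account to triage first: that is where the guess landed.
                landed = sorted(
                    r["user"] for r in records
                    if r["src"] == src and r["ok"] and datetime.fromisoformat(r["ts"]) >= t0
                )
                alerts[src] = {"accounts_targeted": len(users), "successful_logins": landed}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: {info['accounts_targeted']} accounts, landed on {info['successful_logins']}")
```

Legacy and non-production tenants are exactly where such a success goes unnoticed, so the "successful_logins" field is the part of the alert worth routing to a human.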
At the time, HPE disclosed Midnight Blizzard attacks against its Microsoft environment. An HPE spokesperson said Friday the company has not heard from Microsoft with any new detail.
Microsoft in March said the hackers had gained access to some source code repositories and internal systems through continued, ramped up password-spray attacks.
The attacks led to the theft of some federal agency credentials after the hacker intercepted data shared between Microsoft and the Cybersecurity and Infrastructure Security Agency.
Microsoft got lambasted in an April report by the Cyber Safety Review Board, which examined a compromise last summer by China-linked threat actors that stole tens of thousands of State Department emails.
The company sped up plans to reform its security practices under a program called the Secure Future Initiative. Microsoft President Brad Smith took ownership of the compromises and promised the company would make wholesale changes.
“This should be a reminder to everyone that a cyber event is not a ‘just in time’ event,” Katell Thielemann, distinguished VP analyst at Gartner, said via email. “Much is often learned later in the forensics process.”