Microsoft Expands Notices To Customers Over Russia-Linked Email Hack: Report

Additional customers are now believed to have had their emails viewed in connection with the compromise of Microsoft’s corporate email system by the Midnight Blizzard threat group.

Microsoft has reportedly sent out more notifications to customers impacted by the compromise of its corporate email system by Russian threat actor Midnight Blizzard.

According to Bloomberg, the tech giant has notified customers that their emails were viewed in connection with the breach initially disclosed by Microsoft in January.

Microsoft has attributed the attack to the nation-state group it calls Midnight Blizzard, which has previously been connected to Russia’s SVR foreign intelligence unit by the U.S. government.


Portions of the text of the notification message shared by Bloomberg match those found in a message on a Microsoft.com support site, which appeared to have been posted by an impacted customer. The message is dated Tuesday, two days before Bloomberg’s report.

“You are receiving this notification because emails were exchanged between Microsoft and accounts in your organization, and those emails were accessed by the threat actor Midnight Blizzard as part of their cyberattack on Microsoft,” the Microsoft notification said, according to the support site post and Bloomberg report.

“As part of our commitment to transparency, we are proactively sharing these emails,” the notification, shared on the support site post, said. “We have custom built a secure system to enable the approved members of your organization to review the exfiltrated emails between Microsoft and your company.”

In a statement provided to CRN Friday, Microsoft confirmed that “this week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor.”

“This is increased detail for customers who have already been notified and also includes new notifications,” the company said in the statement.

Customers known to have been impacted in the incident included multiple federal agencies, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) previously confirmed.

Through the compromise of Microsoft corporate email accounts, Midnight Blizzard has “exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft,” CISA said in a prior emergency directive.

“The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems,” CISA said in the directive.
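The directive's point is that anything shared with a vendor by e-mail (passwords, tokens, connection strings) must now be treated as exposed. As an added example that is not from the article, Microsoft or CISA, here is a small Python scanner that walks exported message bodies and flags credential-like material so the owners can be told what to rotate. The sample thread, the regexes and the placeholder filter are all constructed for illustration; a real run would use the organization's own mailbox export and a fuller pattern set.

```python
"""Flag credential-like material in exported e-mail bodies.

Added example, not code from Microsoft or CISA. Patterns and sample data
are hypothetical and deliberately small; extend PATTERNS for real use.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample thread with a vendor (not real correspondence).
# msg-005 carries a redacted value the scanner must not report.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "subject": "Re: support case - test tenant",
     "body": "Temporary creds for the repro tenant:\n"
             "user: svc-repro@contoso.example\npassword: Winter2023!Repro\n"},
    {"id": "msg-002", "subject": "Connection string for log forwarding",
     "body": "Use: Server=tcp:db.contoso.example,1433;User ID=ingest;"
             "Password=Pa55w0rd-ingest;"},
    {"id": "msg-003", "subject": "Meeting notes",
     "body": "Agenda: roadmap, licensing renewal. No action items."},
    {"id": "msg-004", "subject": "API access for the integration",
     "body": "Bearer token for staging: eyJhbGciOiJIUzI1NiJ9."
             "eyJzdWIiOiJ0ZXN0In0.abcdefghijklmnopqrstuvwxyz012345\n"
             "Also the client secret: 8Q~abcdefghijklmnopqrstuvwxyz.ABCDEFG\n"},
    {"id": "msg-005", "subject": "Re: reset",
     "body": "Reset done; new password: <redacted>"},
]

# Secret-shaped things people paste into support threads (hypothetical set).
# Group 1, where present, is the secret value itself.
PATTERNS = {
    "password": re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*([^\s;,]+)"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "client_secret": re.compile(r"(?i)client\s*secret\s*[:=]?\s*(\S{20,})"),
}

# Values that look like secrets but are already masked; skip them.
PLACEHOLDER = re.compile(r"^(?:\*+|x+|<[^>]*>|\[[^\]]*\]|REDACTED)$", re.I)


@dataclass(frozen=True)
class Finding:
    message_id: str
    kind: str
    masked: str  # the full secret is never stored in a finding


def mask(secret: str) -> str:
    """Keep just enough to identify the value in a rotation ticket."""
    return f"{secret[:3]}...{len(secret)}ch"


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, raw_value) pairs found in one body, placeholders dropped."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if PLACEHOLDER.match(value):
                continue
            hits.append((kind, value))
    return hits


def scan_messages(messages: Iterable[dict]) -> list[Finding]:
    """Scan every message body; findings carry only a masked value."""
    return [Finding(msg["id"], kind, mask(value))
            for msg in messages
            for kind, value in scan_text(msg["body"])]


def rotation_list(findings: Iterable[Finding]) -> dict[str, list[str]]:
    """Message id -> sorted kinds of secret exposed there; hand this to owners."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.message_id, set()).add(f.kind)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f.message_id}: {f.kind} {f.masked}")
```

The scanner reports a masked prefix and length rather than the secret itself, so the output can go into a ticket without re-exposing the value; the placeholder filter keeps already-redacted strings out of the rotation list.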

Lack Of MFA Blamed

The breach, which is believed to have begun in late November 2023, was initially thought to have affected members of Microsoft’s senior leadership team as well as employees on its cybersecurity and legal teams. According to the company, the attackers got their initial foothold through a password spray against a “legacy” non-production test tenant account that did not have MFA (multifactor authentication) enabled, then used that account’s permissions to reach the corporate mailboxes.

In an update on the incident in early March, Microsoft disclosed that Midnight Blizzard had been observed continuing to use information gathered in the attack to gain, or attempt to gain, further access. The threat group has previously been held responsible for attacks including the widespread 2020 SolarWinds supply-chain compromise.

The reported expansion of customer notifications related to the Russia-linked email breach follows the scathing report on Microsoft’s security culture and practices issued in April by the Cyber Safety Review Board, which is convened by the U.S. Department of Homeland Security.

The board released the 34-page report on last year’s Microsoft Exchange Online breach, which was linked to China and impacted multiple federal agencies and officials including Commerce Secretary Gina Raimondo. The review board pinned the cloud email breach on a “cascade of Microsoft’s avoidable errors.”