Microsoft: News from the Midnight Blizzard hack – customers may also be affected

[German]Microsoft's e-mail system (Exchange Online, Outlook.com) was compromised by hackers from the state group Midnight Blizzard Hackers. The hackers were able to read emails and also steal source code. Microsoft has now informed various customers that their e-mails could also be read if the customers corresponded with certain Microsoft accounts. Here is the continuation of the never-ending story about Microsoft, its cloud and security.


Advertising

Review: The Midnight Blizzard hack

In January 2024, it became known that hackers from the state group Midnight Blizzard hackers were able to penetrate Microsoft's email system and read targeted messages from executives or security experts. The hackers had been in the system since November 2023, as I noted in the blog post Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023. This is really embarrassing for the US company, which has always advertised the security of its cloud offerings.

But there's more to the story. I raised a number of questions in the above blog post. For example, the hack could allegedly start via an old test account without MFA. I had wondered how a password spray attack was possible on an old, non-production test tenant account and no multi-factor authentication (MFA) was used there. And the question arose as to how the attackers could gain access to product systems, i.e. Microsoft's email system, from this test account

In the blog post How Midnight Blizzard hackers were able to penetrate Microsoft's email system, I traced the hackers' attack path. It points to a chain of omissions on Microsoft's part. But Redmond played it down and said "danger recognized, danger averted, the hackers from Midnight Blizzard have been successfully locked out". Microsoft later had to admit that the attacks by Midnight Blizzard were continuing – but it remained unclear whether the attackers were still able to access Microsoft's systems. However, it became known that the group was able to extract source code (see Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems).

And something else got me all jittery: I had reported on a hack at another US company in the blog post Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023. It was known from the Microsoft hack that the attackers had probably captured information about customers – possibly also access information for systems – from Microsoft's email accounts. The question in the back of my mind was whether the HP hack was possibly related to the Microsoft hack.

Microsoft informs customers about hack

Blog reader Thomas has now emailed me about this Reuters article from June 28, 2024 (thanks for that). Microsoft seems to have admitted in an emailed statement, first reported by Bloomberg, that there may be more to it. It reads from a Microsoft spokesperson:


Advertising

This week we are continuing to notify customers who have corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor.

In other words, Microsoft cannot rule out the possibility that Midnight Blizzard has read information concerning customers from the Microsoft email accounts in question and may be able to misuse it for attacks. According to Reuters, Microsoft said that it had also sent the compromised emails to its customers (so customers can check if and how they are affected). However, Microsoft did not say how many customers were affected or how many emails were viewed by Midnight Blizzard. The Microsoft spokesperson said:

"These are further details for customers who have already been notified and also new notifications. We are committed to sharing information with our customers as our investigation continues."

Somehow all I can think of there is "after the game is before the game". Question to the readership: Have any of you in the company received such a notification?

Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023
How Midnight Blizzard hackers were able to penetrate Microsoft's email system
Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023
Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems

Whistleblower: Microsoft ignored warnings about AD bug; was exploited in 2020 SolarWinds hack
Microsoft engages in damage limitation at congressional hearing (13.6.2024): Safety takes priority over AI


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *