Microsoft has revealed that emails and attachments from senior executives and employees of the cybersecurity and legal departments were compromised. Microsoft attributed the attack to an advanced persistent threat (APT) group known as Midnight Blizzard (formerly Nobelium), allegedly linked to Russia. This group is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.
Microsoft stated that it immediately took steps to investigate, disrupt, and mitigate the incident after discovering it on 12 January 2024. The company later determined that the campaign had begun in late November 2023.
Microsoft shared, 'The threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account's permissions to access a tiny percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.'
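The technique Microsoft describes, a password spray followed by a successful sign-in to a single account, has a recognisable shape in sign-in logs: one source tries a handful of passwords against many accounts, staying below any per-account lockout threshold, and then one of those accounts succeeds. The following Python is an added example (not Microsoft's code or data) that runs a simple spray detector over constructed sign-in lines modelled loosely on Entra ID sign-in log fields. The log format, the thresholds and the `test.example` tenant are assumptions for illustration.

```python
"""Password-spray detection over constructed sign-in log lines (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events: "<timestamp> <userPrincipalName> <source IP> <result>".
# 203.0.113.7 is a spray (one failure each across five accounts, then one success),
# 198.51.100.9 is a brute force against a single account (not a spray),
# 192.0.2.20 is a user who mistyped a password once. None of this is real data.
SAMPLE_LOG = """\
2023-11-28T02:00:01Z alice@test.example 203.0.113.7 FAILURE
2023-11-28T02:00:03Z bob@test.example 203.0.113.7 FAILURE
2023-11-28T02:00:05Z carol@test.example 203.0.113.7 FAILURE
2023-11-28T02:00:07Z dave@test.example 203.0.113.7 FAILURE
2023-11-28T02:00:09Z erin@test.example 203.0.113.7 FAILURE
2023-11-28T02:00:11Z legacy-test@test.example 203.0.113.7 SUCCESS
2023-11-28T02:10:00Z alice@test.example 198.51.100.9 FAILURE
2023-11-28T02:10:02Z alice@test.example 198.51.100.9 FAILURE
2023-11-28T02:10:04Z alice@test.example 198.51.100.9 FAILURE
2023-11-28T02:10:06Z alice@test.example 198.51.100.9 FAILURE
2023-11-28T02:10:08Z alice@test.example 198.51.100.9 FAILURE
2023-11-28T02:10:10Z alice@test.example 198.51.100.9 FAILURE
2023-11-28T09:00:00Z bob@test.example 192.0.2.20 FAILURE
2023-11-28T09:00:30Z bob@test.example 192.0.2.20 SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a timezone-aware timestamp."""
    ts, user, ip, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "ip": ip,
        "ok": result == "SUCCESS",
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Flag source IPs whose failures in a sliding window hit many distinct
    accounts with few attempts each (the spray signature), and report any
    account that then signed in successfully from the same IP (the foothold).

    Thresholds are assumptions; tune them to the tenant's baseline."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e["ok"]]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the window fits.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            counts = Counter(e["user"] for e in failures[start:end + 1])
            # Many accounts, few tries per account: spray, not brute force.
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                spray_end = failures[end]["ts"]
                success_after = sorted({
                    e["user"] for e in evs
                    if e["ok"] and spray_end <= e["ts"] <= spray_end + window
                })
                findings.append({
                    "ip": ip,
                    "distinct_users": len(counts),
                    "first_failure": failures[start]["ts"],
                    "last_failure": spray_end,
                    "success_after_spray": success_after,
                })
                break  # one finding per source IP is enough to raise an alert
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {f['ip']}: {f['distinct_users']} accounts, "
              f"foothold on {f['success_after_spray'] or 'none'}")
```

Run against the sample, the detector flags only 203.0.113.7 and names `legacy-test@test.example` as the account that succeeded right after the spray; the single-account brute force from 198.51.100.9 is not a spray and would be caught by ordinary per-account lockout instead. Two caveats a practitioner should keep in mind: real sprays are typically spread across many source IPs (residential proxies), so pivoting on user agent, ASN or failure reason in addition to IP is usually necessary, and detection is no substitute for the controls that stop a spray from working at all, namely multi-factor authentication and conditional access applied to every tenant, legacy and non-production ones included.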
Microsoft has not disclosed how many email accounts were accessed or what kind of information they held, saying only that it is in the process of notifying the employees who were affected.
The same group is alleged to have been behind the SolarWinds supply-chain attack and to have targeted Microsoft twice before: in December 2020, when it accessed source code related to Azure, Intune, and Exchange components, and in June 2021, when it breached three Microsoft customers using password spraying and brute-force attacks.