Microsoft Execs’ Emails Hacked: Sophisticated Attack by Russia-Linked APT

January 21, 2024

TLDR: Microsoft has revealed that it was the victim of a nation-state attack on its corporate systems that resulted in the theft of emails and attachments from senior executives and other individuals in the company’s cybersecurity and legal departments. The attack was attributed to a Russian advanced persistent threat (APT) group known as Midnight Blizzard (formerly Nobelium). Microsoft took immediate action to investigate and mitigate the malicious activity. The company stated that the attack was not the result of any security vulnerability in its products and there is no evidence that customer environments or production systems were accessed. Microsoft has not disclosed how many email accounts were infiltrated or what information was accessed. The company is in the process of notifying affected employees.

Key Points:

  • Microsoft targeted in nation-state attack that resulted in the theft of emails and attachments from senior executives
  • Attack attributed to Russian APT group Midnight Blizzard
  • Microsoft took immediate action to investigate and mitigate the attack, stating it was not the result of a security vulnerability in its products
  • No evidence that customer environments, production systems, source code, or AI systems were accessed
  • Number of email accounts infiltrated and information accessed not disclosed

Microsoft has revealed that it was targeted in a nation-state attack on its corporate systems that resulted in the theft of emails and attachments from senior executives and other individuals in the company’s cybersecurity and legal departments. Microsoft attributed the attack to a Russian advanced persistent threat (APT) group that it tracks as Midnight Blizzard (formerly Nobelium). The group is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.

The attack was discovered on January 12, 2024, but is believed to have commenced in late November 2023. Microsoft immediately took steps to investigate, disrupt, and mitigate the malicious activity. The company stated that the attack was not the result of any security vulnerability in its products and that there is no evidence that the adversary accessed customer environments, production systems, source code, or AI systems.

Microsoft did not disclose the number of email accounts that were infiltrated or what specific information was accessed. However, the company did state that the attack targeted a very small percentage of Microsoft corporate email accounts, including members of the senior leadership team and employees in cybersecurity, legal, and other functions.

The nature of the targeting suggests that the threat actors were initially looking for information related to Midnight Blizzard itself, i.e. what Microsoft knew about the group. Microsoft is in the process of notifying employees who were impacted by the incident. Microsoft has previously been targeted by Midnight Blizzard: in December 2020 the group accessed source code related to Azure, Intune, and Exchange components, and in June 2021 three customers were compromised via password spraying and brute-force attacks.
