In a blog post, Microsoft said the intrusion began in late November 2023 and was discovered on January 12. It said the same highly skilled Russian hacking team behind the 2020 SolarWinds breach was responsible.
“A very small percentage” of Microsoft corporate accounts were accessed, the company said, and some emails and attached documents were stolen.
A company spokesperson said Microsoft had no immediate comment on which or how many members of its senior leadership had their email accounts breached, but was in the process of notifying any affected employees.
In a regulatory filing on Friday, Microsoft said it was able to remove the hackers’s access from the compromised accounts on or about January 13.
In a blog post, the company said the hackers were from a unit which Microsoft calls Midnight Blizzard. The group is also known as APT29, Nobelium or Cozy Bear by cybersecurity researchers and linked to Russia’s SVR spy agency, according to US officials.
“This attack does highlight the continued risk posed to all organisations from well-resourced nation-state threat actors like Midnight Blizzard,” Microsoft said, noting that the attack was not the result of a specific vulnerability in its products or services.
“To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.”
Hackers used ‘password spraying’ technique
Microsoft said the hackers were able to gain access by compromising credentials on a “legacy” test account, suggesting it had outdated code. After gaining a foothold, they used the account’s permissions to access the accounts of the senior leadership team and others.
The brute-force attack technique used by the hackers is called “password spraying”, in which a threat actor uses a simple or often-used password to try to log into multiple accounts.
Microsoft added that its investigation indicated the hackers were initially targeting email accounts for information related to their own activities.
Microsoft’s disclosure of the intrusion comes a month after a new rule took effect in the US which compels publicly traded companies to disclose breaches that could negatively impact their business. It gives them four days to do so unless they obtain a national-security waiver.
In Friday’s filing, Microsoft said that “as of the date of this filing, the incident has not had a material impact” on its operations. It added that it has not, however, “determined whether the incident is reasonably likely to materially impact” its finances.
Email attack follows earlier Microsoft incidents
In an August blog post, Microsoft described how its threat-intelligence team discovered that the same Russian hacking team had used the password spraying technique to try to steal credentials from at least 40 different global organisations through Microsoft Teams chats.
In a 2021 blog post, Microsoft called the 2020 SolarWinds hacking campaign — which it was caught up in, and which involved the Midnight Blizzard hackers — “the most sophisticated nation-state attack in history”.
In addition to US government agencies, more than 100 private companies and think tanks were compromised, including software and telecommunications providers.
Microsoft also faced criticism for its security practices in 2023 after Chinese hackers stole emails belonging to senior US State Department officials.
In October, the Australian government announced Microsoft would help the country build a “cyber shield” to fend off global online threats.