Microsoft Executive Accounts Breach

In January, Microsoft disclosed that a Russia-aligned threat actor was able to steal emails from members of its senior leadership team as well as from employees on its cybersecurity and legal teams. The tech giant attributed the attack to a group it tracks as Midnight Blizzard, which has previously been connected to Russia’s SVR foreign intelligence unit by the U.S. government and blamed for attacks including the widely felt 2020 breach of SolarWinds.

Customers known to have been impacted in the incident included multiple federal agencies, CISA confirmed. Through the compromise of Microsoft corporate email accounts, Midnight Blizzard has “exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft,” CISA said in an emergency directive.

In June, Microsoft confirmed that it had sent out more notices to customers impacted by the compromise, who were notified that their emails were viewed. “This is increased detail for customers who have already been notified and also includes new notifications,” the company said in a statement.

The breach, which is believed to have begun in November 2023, saw hackers initially gain access by exploiting a lack of MFA (multifactor authentication) on a “legacy” account, Microsoft said.
