On Friday, Microsoft publicly disclosed that it had fallen victim to a sophisticated nation-state attack targeting its corporate systems. This breach resulted in the unauthorized access and theft of emails and attachments belonging to senior executives, as well as individuals within the company's cybersecurity and legal departments. The orchestrator of this attack was identified as the Russian advanced persistent threat group Midnight Blizzard, formerly known as Nobelium or APT29. Notably, this group has also been associated with monikers such as BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.

Microsoft revealed that the cyber campaign initiated by Midnight Blizzard began in late November 2023 and was discovered by the company on January 12, 2024. Upon detection, Microsoft promptly launched an investigation and took immediate steps to disrupt and mitigate the malicious activity. The attack vector involved a password spray attack targeting a legacy non-production test tenant account. Once compromised, the attackers utilized the account's permissions to gain access to a limited number of Microsoft corporate email accounts, specifically targeting members of the senior leadership team and employees in cybersecurity, legal, and other functions. The threat actors successfully exfiltrated some emails and attached documents during this breach.

Crucially, Microsoft emphasized that the security incident was not a result of any vulnerabilities in its products. Furthermore, there is no evidence to suggest that the attackers gained access to customer environments, production systems, source code, or artificial intelligence systems.

Despite the disclosure, Microsoft did not provide specific details regarding the number of email accounts infiltrated or the nature of the information accessed. The company, however, assured ongoing efforts to notify employees affected by the incident.

This incident is not the first time Midnight Blizzard has targeted Microsoft. In December 2020, the group was responsible for a high-profile breach aimed at siphoning source code related to Azure, Intune, and Exchange components. Additionally, in June 2021, Midnight Blizzard breached three of Microsoft's customers using password spraying and brute-force attacks.

The Microsoft Security Response Center (MSRC) underscored that this latest attack highlights the persistent risk posed to organizations by well-resourced nation-state threat actors like Midnight Blizzard. The group, previously implicated in the SolarWinds supply chain compromise, continues to be a notable force in the realm of advanced cyber threats.

Source: https://thehackernews.com/2024/01/microsofts-top-execs-emails-breached-in.html