Hackers compromise senior leadership email accounts of Microsoft via forgotten account
Take action: This incident is one of the strongest arguments for why off-boarding and disabling old accounts matters, and for enforcing and maintaining MFA on every account, legacy and test tenants included.
Microsoft is reporting that its corporate email system was compromised by a hacking group called Midnight Blizzard, also known as Nobelium or APT29. The breach, detected on January 12th, was traced back to an attack that occurred in November 2023. The hackers employed a password spray attack, a brute force method in which a single password is tried systematically against many accounts before moving on to the next password, which keeps per-account failure counts low enough to avoid lockouts. This technique successfully breached a legacy non-production test tenant account in Microsoft's system, which surprisingly had access to a range of other corporate email accounts.
The breach led to unauthorized access to a small portion of Microsoft's corporate email accounts, including those of some members of its leadership team as well as employees in cybersecurity and legal departments. This unauthorized access lasted for over a month, during which the hackers were able to steal emails and attachments.
Microsoft has emphasized that the breach was not due to any inherent vulnerability in its products or services but rather was a consequence of the compromised account lacking robust security measures like two-factor or multi-factor authentication (2FA/MFA), which are strongly advocated by Microsoft.
The incident raises concerns about why a non-production test account had permissions that allowed such extensive access within Microsoft's corporate email system. The company has begun notifying employees whose email accounts were compromised and is continuing its investigation into the breach. Despite the seriousness of the breach, Microsoft has reported in a Form 8-K filing with the SEC that the incident has not materially impacted its operations.
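The password spray pattern described above has a distinctive signature in sign-in logs: one source fails against many different accounts while each individual account sees only one or two failures. The following detector is an added example (not Microsoft's tooling) that groups failed sign-ins by source address over a time window and also reports any account that later succeeded from the same source; the log format and the sample lines are constructed for illustration.

```python
"""Password-spray detection over sign-in logs (added example, hypothetical log format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source_ip> <user> <FAILURE|SUCCESS>".
# 203.0.113.7 sprays one guess across five accounts and lands on a stale test account;
# 198.51.100.2 is an ordinary user mistyping their own password twice.
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.7 alice@corp.example FAILURE
2023-11-20T02:00:04Z 203.0.113.7 bob@corp.example FAILURE
2023-11-20T02:00:09Z 203.0.113.7 carol@corp.example FAILURE
2023-11-20T02:00:13Z 203.0.113.7 dave@corp.example FAILURE
2023-11-20T02:00:17Z 203.0.113.7 legacy-test@corp.example SUCCESS
2023-11-20T02:01:00Z 198.51.100.2 erin@corp.example FAILURE
2023-11-20T02:01:30Z 198.51.100.2 erin@corp.example FAILURE
2023-11-20T02:02:00Z 198.51.100.2 erin@corp.example SUCCESS
"""

def parse(log: str):
    """Turn the constructed log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """Flag sources that failed against >= min_accounts DISTINCT accounts inside one
    window. Per-account thresholds miss sprays by design; the distinct-account count
    per source is what gives the attack away. Also return accounts that succeeded from
    the flagged source, since those are the likely compromises to investigate."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            failed = {u for _, u, r in in_win if r == "FAILURE"}
            if len(failed) >= min_accounts:
                succeeded = sorted(u for _, u, r in in_win if r == "SUCCESS")
                findings[ip] = {"targeted": sorted(failed), "succeeded": succeeded}
                break
    return findings

if __name__ == "__main__":
    for ip, f in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"spray from {ip}: {len(f['targeted'])} accounts targeted, succeeded on {f['succeeded']}")
```

Pair the alert with an inventory check: any account flagged under "succeeded" that has no MFA registered or no sign-in in the last 90 days should be disabled first and investigated second.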