What Microsoft's latest email breach says about this IT security heavyweight
Senator Wyden tells The Reg this latest infosec lapse is 'inexcusable'
Comment For most organizations – especially security vendors – disclosing a corporate email breach, in which executives' internal messages and attachments were stolen, would noticeably ding their stock prices.
But Microsoft apparently doesn't operate by the laws of Wall Street.
Late Friday afternoon, Redmond revealed that Russia's Cozy Bear had, once again, broken into its network and stolen emails and files belonging to the tech titan's leadership team, and cybersecurity and legal employees. According to Microsoft, the intrusion happened in late November 2023, and it only detected it on January 12.
"The company has not yet determined whether the incident is reasonably likely to materially impact the Company's financial condition or results of operations," the Windows giant disclosed in a filing to investors via the SEC.
If history is any indication, however, it won't.
Microsoft declined to answer The Register's questions about the digital heist, or its security in general. Instead, a spokesperson emailed us the following statement:
Our security team recently detected an attack on our corporate systems attributed to the Russian state-sponsored actor Midnight Blizzard. We immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. More information is available in our blog.
This marks the second time since 2020 the same gang of Kremlin-backed cyber spies – whom Microsoft now calls Midnight Blizzard, used to track as Nobelium, and most call Cozy Bear – has invaded Microsoft. The first was via the SolarWinds supply-chain attack. Since then, Lapsus$ hoodlums and China's snoops have also busted through Redmond's digital perimeter and stolen source code, a private cryptographic key, government messages, and other important, supposedly secret stuff.
Following the theft of the Microsoft security key that China used to break into US government email accounts in July – and at the urging of US Senator Ron Wyden (D-OR) – the US Cyber Safety Review Board launched an investigation into the Microsoft breach and the larger issues surrounding cloud security.
The findings of that probe – or even an expected publication date – have yet to be released.
Presumably, the review board had begun its Microsoft analysis when Cozy Bear broke into corporate email accounts last year. Here's how Redmond described the latest intrusion:
Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account's permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.
This access, and earlier breaches, could have been prevented, according to Wyden. Chief among the failings: the intruders got in through an old testing environment, seemingly with no multi-factor authentication in the way. Redmond also warned there may be some "disruption" to its systems as it shores up the security of its legacy IT estate and brings all of that up to the same level of defenses as the rest of its empire.
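A defender-side illustration of the pattern Microsoft describes (a password spray against a legacy test tenant, followed by a sign-in that no MFA challenge stopped), as an added example that is not Microsoft's or The Register's code: a small detector run over constructed sign-in records. The record fields, the thresholds and the tenant and account names are assumptions for illustration; real Entra ID sign-in logs carry far more fields.

```python
"""Password-spray detection over sign-in records (constructed sample).

Added example; field layout, thresholds and names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, source_ip, user, tenant, result, mfa_used)
# One IP tries a handful of accounts once each, then lands on a service
# account in the legacy tenant where MFA was never enforced.
SAMPLE_LOG = [
    ("2023-11-20T02:00:01", "203.0.113.7", "alice@test.example", "legacy-test", "failure", False),
    ("2023-11-20T02:00:09", "203.0.113.7", "bob@test.example", "legacy-test", "failure", False),
    ("2023-11-20T02:00:17", "203.0.113.7", "carol@test.example", "legacy-test", "failure", False),
    ("2023-11-20T02:00:25", "203.0.113.7", "dave@test.example", "legacy-test", "failure", False),
    ("2023-11-20T02:00:33", "203.0.113.7", "erin@test.example", "legacy-test", "failure", False),
    ("2023-11-20T02:00:41", "203.0.113.7", "svc-old@test.example", "legacy-test", "success", False),
    ("2023-11-20T09:15:00", "198.51.100.4", "alice@corp.example", "corp", "failure", False),
    ("2023-11-20T09:15:30", "198.51.100.4", "alice@corp.example", "corp", "success", True),
]

def parse(rows):
    """Turn the constructed tuples into dicts with real timestamps."""
    return [dict(ts=datetime.fromisoformat(ts), ip=ip, user=u, tenant=t, result=r, mfa=m)
            for ts, ip, u, t, r, m in rows]

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against many *distinct* accounts in a window.

    A spray is low and slow per account, so per-user lockout counters miss it;
    counting distinct users per source inside a sliding window catches it.
    Returns {ip: distinct_users_hit}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # slide the window over sorted failures
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                hits[ip] = len(users)
                break
    return hits

def successes_without_mfa(events, spray_ips):
    """The foothold: a successful sign-in, with no MFA, from a sprayed source."""
    return [(e["user"], e["tenant"]) for e in events
            if e["result"] == "success" and not e["mfa"] and e["ip"] in spray_ips]
```

The second check is the one that matters here: a spray that only produces failures is noise, while a no-MFA success from the same source is the event to page on.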
"It is inexcusable that Microsoft still hasn't required multi-factor authentication, which is cybersecurity 101 and would have prevented this latest attack," Wyden told The Register.
"This is yet another wholly avoidable hack that was caused by Microsoft's negligence," he added. "The US government needs to reevaluate its dependence on Microsoft."
Once, such a privacy breach might be enough to sink a software maker – or at the very least render its name synonymous with a cyber intrusion. But Microsoft seemingly remains immune.
Instead it keeps winning government and enterprise contracts and, with security business revenue topping $20 billion last year, it remains one of the largest cybersecurity vendors on the planet – if not the largest.
"It's kind of like the mafia," Adam Meyers, head of Counter Adversary Operations at CrowdStrike, lamented. "I mean, what are you gonna do, you're gonna switch to Linux? Get out of here. You've got no choice."
In an interview with The Register, Meyers conceded that Microsoft makes a good operating system. He spends more time than he'd like to admit in PowerPoint and other Microsoft applications. And, he added, Redmond has built "pretty robust" cloud infrastructure and email.
"But the thing they are really bad at is the security side," Meyers argued. "So if you're using them for your operating systems, for your productivity applications, for all of your cloud infrastructure, then don't use them for security also, because you're putting all of your eggs in one basket. And that basket has giant, egg-shaped holes in it." ®
Updated to add on January 24
Looks like Hewlett Packard Enterprise was also hit by Cozy Bear, which again went after the IT giant's cloud-based email.