Microsoft breach allowed Russian spies to steal emails from US government

The US Cybersecurity and Infrastructure Security Agency (CISA) warns that Russian spies who gained access to Microsoft’s email system were able to steal sensitive data, including authentication details, and that immediate remedial action is required by affected agencies.

In an Emergency Directive dated April 2 but only just disclosed, CISA warned that state-sponsored operatives had managed to exfiltrate email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft itself following the breach of Redmond’s internal systems reported last month.

The culprits, identified as Midnight Blizzard but also known as Cozy Bear, were able to glean information that was shared between customers and Microsoft by email, including authentication details. According to CISA, these are now being used to attempt to gain access to other systems, including those of Microsoft customers.

In response, Emergency Directive ED 24-02 issued by CISA requires federal agencies to wade through and analyze the content of exfiltrated emails, reset any compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.

CISA instructed agencies to report their status across all required actions by April 8 and to provide a further status update by May 1. They must also provide weekly updates on remediation actions until completion. CISA has given the agencies a reporting template and instructions for this purpose.

Microsoft and CISA said they have already notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard.

The software giant reportedly agreed to provide all affected agencies with metadata regarding exfiltrated emails that contain credentials, and will also supply CISA with metadata for all exfiltrated federal agency correspondence, upon the request of the National Cyber Investigative Joint Task Force, which is led by the FBI.

Microsoft also stated that Midnight Blizzard has increased the volume of its intrusion attempts, such as password spraying attacks, as much as tenfold during February, compared with an already considerable volume of attempts observed in January 2024.

This latest development will be another blow to Microsoft’s reputation following the original incident in January.

“Microsoft’s lackadaisical security practices and negligent approach to disclosure have national security implications, and should alarm their commercial clients, which don’t necessarily have the voice or get the attention that the US government might,” commented Amit Yoran, chairman and CEO of cybersecurity biz Tenable.

“Unfortunately it’s not surprising to learn that Midnight Blizzard’s intrusion campaign escalated after initially being discovered. Given Microsoft’s consistent track record of partial disclosure, misleading statements and downplaying security incidents, it was only a matter of when the other shoe would drop,” he added.

We asked Microsoft for its reaction to this latest development, and will report back if we get an answer.

In the meantime, CISA aims to provide a report by September 1 to the Secretary of Homeland Security and the Director of the Office of Management and Budget, identifying cross-agency status and outstanding issues. A copy will also go to the National Cyber Director, it said. ®