Data Breaches

US Government on High Alert as Russian Hackers Steal Critical Correspondence From Microsoft

The US government says Midnight Blizzard’s compromise of Microsoft corporate email accounts “presents a grave and unacceptable risk to federal agencies.”

The US cybersecurity agency CISA on Thursday issued an emergency directive mandating that all federal agencies immediately hunt for signs of a known Russian APT that broke into Microsoft’s corporate network and pivoted to steal sensitive correspondence from US government agencies.

The directive comes less than three months after Redmond disclosed the embarrassing hack and confirmed the ‘Midnight Blizzard’ attackers also stole source code and may still be poking around its internal computer systems. 

According to the CISA directive, federal agencies must immediately “analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.”

“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA said.

The agency warned that the Russian government-backed hackers are using information initially exfiltrated from the corporate email systems — including authentication details shared between Microsoft customers and Microsoft by email — to gain, or attempt to gain, additional access to Microsoft customer systems. 

The agency said it worked with the world’s largest software maker to notify all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by the Midnight Blizzard threat actor.

Advertisement. Scroll to continue reading.

“In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies,” CISA said.

The agency said Micrsooft also agreed to provide metadata for all exfiltrated federal agency correspondence — regardless of the presence of authentication secrets — upon the request of the National Cyber Investigative Joint Task Force (NCIJTF), which is the single federal point of contact for this incident.

Earlier this year, Microsoft said the professional hacking team used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts.

“[They] exfiltrated some emails and attached documents,” Microsoft said in a filing with the Securities and Exchange Commission (SEC). The company said its security team detected the nation-state attack on our corporate systems on January 12, 2024 and traced the infection back to November 2023.

The discovery of Russian hackers in Microsoft’s network comes less than six months after Chinese cyberspies were caught using forged authentication tokens using a stolen Azure AD enterprise signing key to break into M365 email inboxes. 

Following that breach, which led to the theft of email data from about 25 government organizations in the United States, the Cyber Security Review Board (CSRB) issued a scathing report that called out “a cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed.”

“Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” according to the CSRB report.

Related: Microsoft’s Security Chickens Have Come Home to Roost

Related: Microsoft Says Russian Hackers Stole Source Code

Related: Microsoft Says Russian Gov Hackers Stole Email Data From Senior Execs

Related: Chinese Cyperspies Use Stolen Microsoft Key to Hack Gov Emails

Related: Microsoft Blames Russian APT for Outlook Zero-Day Exploits

Related Content

Vulnerabilities

Two flaws in Active Directory and SharePoint Server have been exploited as zero-days, and a BitLocker bug was publicly disclosed.

Government

Multiple state-sponsored APTs are compromising poorly secured devices across critical infrastructure sector networks.

Cyberwarfare

The move targeted people and entities accused of links to an online spying network that the EU claims targeted governments and carried out sabotage...

Vulnerabilities

Two newly disclosed critical vulnerabilities in Adobe ColdFusion and Langflow join two Joomla extension flaws in CISA's Known Exploited Vulnerabilities catalog, with federal agencies...

Artificial Intelligence

Microsoft's new Teams admin policy requires organizer approval for external AI bots, giving organizations greater visibility and control over automated participants in sensitive meetings.

Government

UNC5792 and UNC4221 have been targeting US government officials, military leaders, and allied personnel.

Malware & Threats

Turla has been using the backdoor against government and military organizations in Ukraine for espionage.

Cybercrime

Hundreds of C&C servers were disrupted in an operation involving law enforcement and several cybersecurity companies.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version