The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive regarding a Microsoft email breach in late 2023.
Microsoft notified customers of an attack on its corporate email systems on January 12, 2024. The breach began in November 2023 and was carried out by the Russian state-sponsored actor known as Midnight Blizzard.
According to Microsoft’s report at the time, “the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.”
Unfortunately, CISA says Midnight Blizzard is using the information it exfiltrated to gain a further foothold and compromise Microsoft customers and government agencies.
“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, ensuring that federal civilian agencies are taking all necessary steps to secure their networks and systems is among our top priorities. This Emergency Directive requires immediate action by agencies to reduce risk to our federal systems,” said CISA Director Jen Easterly. “For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list. We will continue efforts in collaboration with our federal government and private sector partners to protect and defend our systems from such threat activity.”
CISA’s emergency directive spelled out how much risk the Microsoft breach had exposed federal agencies to.
The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems. According to Microsoft, Midnight Blizzard has increased the volume of some aspects of the intrusion campaign, such as password sprays, by as much as 10-fold in February, compared to an already large volume seen in January 2024.
Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies (emphasis ours). This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure. CISA has assessed that the below required actions are most appropriate to understand and mitigate the risk posed by Midnight Blizzard’s possession of the exfiltrated correspondence between FCEB agencies and Microsoft.
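The intrusion described above started with a password spray, a low-and-slow technique that tries one or two common passwords against many accounts rather than many passwords against one, so per-account lockout thresholds never trip. The following is an added detection example written for this page, not code from Microsoft or CISA: it parses a constructed sign-in log (the four-column format, hostnames and IP addresses are assumptions) and flags a source IP that fails against many distinct accounts within a short window while staying under a small per-account failure count, then lists any account that IP subsequently signed into successfully, which is the set a directive-style credential reset would start from.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data). Columns: timestamp, user, source IP, result.
# The first source tries each account once and succeeds on the sixth: a spray.
# The second hammers one account: suspicious, but a different pattern (brute force).
SAMPLE_LOG = """\
2024-01-10T02:00:01Z alice@test-tenant.example 203.0.113.7 FAIL
2024-01-10T02:00:09Z bob@test-tenant.example 203.0.113.7 FAIL
2024-01-10T02:00:17Z carol@test-tenant.example 203.0.113.7 FAIL
2024-01-10T02:00:25Z dave@test-tenant.example 203.0.113.7 FAIL
2024-01-10T02:00:33Z erin@test-tenant.example 203.0.113.7 FAIL
2024-01-10T02:00:41Z frank@test-tenant.example 203.0.113.7 SUCCESS
2024-01-10T02:05:00Z alice@test-tenant.example 198.51.100.5 FAIL
2024-01-10T02:05:30Z alice@test-tenant.example 198.51.100.5 FAIL
2024-01-10T02:06:00Z alice@test-tenant.example 198.51.100.5 SUCCESS
2024-01-10T09:00:00Z grace@test-tenant.example 192.0.2.44 SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Return {ip: {"targeted": [...], "succeeded": [...]}} for each source IP whose
    failures inside `window` hit at least `min_accounts` distinct users with no user
    failing more than `max_per_account` times (many accounts, few tries each).
    "succeeded" lists accounts that IP then signed into within the same window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[3] == "FAIL"]
        # Slide a window across this IP's failures; stop at the first window that matches.
        for i, start in enumerate(fails):
            end = start[0] + window
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e[0] <= end:
                    per_user[e[1]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                succeeded = sorted({e[1] for e in evs
                                    if e[3] == "SUCCESS" and start[0] <= e[0] <= end})
                findings[ip] = {"targeted": sorted(per_user), "succeeded": succeeded}
                break
    return findings


def accounts_to_reset(findings):
    """Accounts a spraying source actually got into: the first candidates for a credential reset."""
    return sorted({u for f in findings.values() for u in f["succeeded"]})


if __name__ == "__main__":
    found = detect_password_spray(parse_log(SAMPLE_LOG))
    for ip, info in found.items():
        print(f"{ip}: sprayed {len(info['targeted'])} accounts, got into {info['succeeded']}")
    print("reset:", accounts_to_reset(found))
```

The thresholds are deliberately conservative defaults; in a real tenant they should be tuned against the baseline failure rate, and the same logic applies unchanged to legacy or test tenants, which is exactly where an account with weaker protections is likely to sit.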
Microsoft has been under increased scrutiny for its security issues and data breaches. Homeland Security’s Cyber Safety Review Board recently released its report on Microsoft’s Exchange breach last year, slamming the company’s “inadequate” security culture.
The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.
The review board went on to say that Microsoft needed to completely overhaul its security culture, from the CEO down. It’s a safe bet that CISA having to issue an emergency directive over yet another Microsoft breach is only going to increase the heat on the Redmond giant.