The breach, which occurred last November, compromised email accounts belonging to senior leadership and employees across various sectors, including members of the cybersecurity, legal, and other functions.
The company outlined the breach in a notice published on Friday, stating that a “Russian state-sponsored actor” dubbed “Midnight Blizzard” had gained access to multiple corporate email accounts beginning last November, RT reported.
“The threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” the statement said.
Password spraying is a type of ‘brute force’ cyber attack in which a hacker attempts to use a single password to try and access many different user accounts. The method is used to avoid automatic lockouts that might occur with multiple login attempts, and is most effective on systems with lax security that allow default passwords or shared login credentials for several users.
Microsoft went on to say that the hackers apparently initially targeted its systems in search of information about “Midnight Blizzard” itself, but did not say what else they might have found in CEOs’ email boxes.
The company noted that there was no indication the attackers gained access to customer information, production systems or source code, and emphasized that the breach was “not the result of a vulnerability in Microsoft products or services.”
The tech giant has claimed to have been affected by several other “nation-state” cyber attacks in recent months, including a breach allegedly carried out by a “China-based threat actor” last summer. That hack was said to have accessed ten US government email accounts, including that of Commerce Secretary Gina Raimondo and some 60,000 messages between State Department staffers. In a blog post published at the time, Microsoft said the hackers had “espionage objectives,” but stated its conclusions were held with only “moderate confidence.”