Microsoft has confirmed that Russian hackers spied on employee mailboxes and stole customer emails, Reuters reports in a press release (1).
The revelation comes six months after the initial report of the intrusion and results in Microsoft losing face. The software company was already under increased scrutiny by the U.S. government because of the security of its software and systems against foreign threats (2). The hackers, known as Midnight Blizzard, managed to gain access to "a very small percentage" of Microsoft's corporate e-mail accounts. Although the company has said it will share the compromised emails with affected customers, it remains unclear exactly how many customers were affected and how many emails were involved.
The revelation follows a report by ProPublica (3). According to this report, Microsoft had known since 2017 about a serious security flaw in Active Directory Federation Services (AD FS), a product used by millions of users to log into their work computers. The flaw allowed attackers to impersonate employees and gain access to sensitive data.
In the report, former Microsoft engineer Andrew Harris states that the company ignored his repeated warnings about the vulnerability (4). Product managers reportedly dismissed his concerns as a threat to Microsoft's business goals, particularly for winning government contracts and beating competitors.
ProPublica's revelations led to a hearing in the U.S. Congress, where Microsoft President Brad Smith was questioned about the company's approach to cybersecurity. Smith's defense was that Microsoft is in the process of overhauling its security procedures and culture. He emphasized that the company is committed to a culture where every employee is encouraged to report and resolve problems (5).
Still, members of Congress were critical of Microsoft. Delia Ramirez, Member of the U.S. House of Representatives, called the ProPublica report a "bombshell" and the hearing a "moment of reckoning" for the company. According to members of Congress, Microsoft repeatedly downplayed its role in the SolarWinds hack in 2020 (6). The question now is whether Microsoft's promises to change its security culture will be enough to restore customer and government confidence.
(1) https://www.reuters.com/technology/cybersecurity/microsoft-tells-clients-russian-hackers-viewed-emails-bloomberg-news-reports-2024-06-27/
(2) https://www.theregister.com/2024/04/21/microsoft_national_security_risk/
(3) https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers
(4) https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers
(5) https://www.propublica.org/article/microsoft-solarwinds-cybersecurity-house-homeland-security-hearing
(6) https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know