Microsoft Corporate Email Hack Affects Federal Agencies

In January, hackers breached the Microsoft corporate email servers and accessed other corporate systems. The hacked accounts belonged to Microsoft’s leadership team and employees in the cybersecurity and legal departments which allowed the attackers to steal data from corporate mailboxes.

On April 2 the Cybersecurity and Infrastructure Agency (CISA) issued an emergency directive to all Federal Civilian Executive Branch agencies ordering them to address risks from the breach. Bleeping Computer reports that the agencies are ordered to investigate potentially affected emails, reset any compromised credentials, and secure privileged Microsoft Azure accounts.

The CISA directive is the first confirmation by the U.S. government that federal agencies as well as corporate emails were exfiltrated. The Bleeping Computer article quotes CISA Director Jen Easterly, who calls malicious cyber activity like the Microsoft attack “a standard part of the Russian playbook,” and references risk to the federal system. 

According to CISA, Russian intelligence operatives are using information stolen from Microsoft’s corporate email systems, including authentication details shared between Microsoft and its customers, to gain access to customer systems.

The directive orders agencies that detect signs of authentication compromises to: Take immediate remediation action for tokens, passwords, API keys, or other authentication credentials; reset credentials in associated applications and deactivate associated applications that are no longer of use to the agency; review sign-in, token issuance, and other account activity logs for potential malicious activity.

The requirements only apply to civilian executive branch agencies, but the exfiltration of Microsoft corporate accounts might impact other organizations. They are urged to seek guidance from their Microsoft account teams.