Microsoft hasn’t publicly commented on the intrusions. On Thursday, an executive with the tech giant sought to downplay the issue’s significance.
“Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms,” Jeff Jones, Microsoft’s senior director for communications, said. “We have still not identified any vulnerabilities or compromise of Microsoft product or cloud services.”
The troubling revelation comes several days after Microsoft’s president, Brad Smith, said the Fortune 500 company had not seen any customers breached through its services, including the vaunted Azure cloud platform used by governments, major corporations and universities worldwide.
“I think we can give you a blanket answer that affirmatively states, no, we are not aware of any customers being attacked through Microsoft’s cloud services or any of our other services, for that matter, by this hacker,” Smith told The Washington Post on Dec. 17.
Yet two days earlier, Microsoft notified the cybersecurity firm CrowdStrike of an issue with a third-party reseller that handles licensing for its Azure customers, according to a blog post CrowdStrike published Wednesday. In its post, CrowdStrike alerted customers that Microsoft had detected unusual behavior in CrowdStrike’s Azure account and that “there was an attempt to read email, which failed.” CrowdStrike does not use Microsoft’s email service. It did not link the tactic to Russia.
People familiar with the previously undisclosed email theft said it does not exploit any Microsoft vulnerability. The company itself was not hacked — only one of its partners, they said.
Nevertheless, the troubling development raises concerns about the extent of Microsoft’s disclosure obligations, cybersecurity experts said.
“If it’s true that a cloud service provider customer’s data has been exfiltrated and is in the hands of some threat actor, that’s a very serious situation,” said John Reed Stark, who runs a consulting firm and is former chief of the Securities and Exchange Commission’s Office of Internet Enforcement. “It should raise all sorts of alerts within that cloud provider that could trigger a litany of notification, remediation and disclosure requirements — both national and international.”
In a blog post last week, Microsoft stated it was notifying “more than 40 customers” that they had been breached. Some of them were compromised through the third party, people familiar with the matter said.
Specifically, the adversary hacked the reseller, stealing credentials that can be used to gain broad access to its customers’ Azure accounts. Once inside a particular customer’s account, the adversary had the ability to read — and steal — emails, among other information.
Microsoft began alerting private-sector clients to the…