It also disclosed the intrusion in a filing with the Securities and Exchange Commission, which last year began requiring public companies to do so within four days of determining that a breach is material, including when a reasonable investor would want to know about a potential impact on reputation or relationships with customers.
Friday’s SEC filing said Microsoft “has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”
A person familiar with Microsoft’s thinking said it filed with the regulator without being convinced of the material impact to comply with the spirit of the new regulation. That person spoke on the condition of anonymity to discuss internal matters.
Microsoft said the breach was not due to any flaw in its widely used software. Instead it began with a “password spraying,” in which an attacker tries a common password to log in as many users in rapid succession in hopes that one combination works.
The password worked on what Microsoft said was an old test account. The hacker then used the account’s privileges to get access to multiple streams of email. Soon after the intrusion, the hackers searched through the email accounts to find out what Microsoft knew about them, the company said.
“To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” the company said in an emailed statement.
Even so, the intrusion is embarrassing for the maker of Windows and Office software, which also runs some of the world’s largest cloud services businesses.
The same hacking group was behind the massive breach of SolarWinds network management software that was disclosed in late 2020. In that case, the hackers inserted a backdoor into SolarWinds code that allowed them to delve into nine federal agencies and 100 other customers of SolarWinds.
As part of that hacking spree, the intruders compromised Microsoft resellers with ongoing access to customers, then added or modified accounts at those customers in pursuit of email to steal. The SEC sued Solar Winds last year for failing to tell stockholders its systems were subject to hacks.
Government officials and outside security experts have repeatedly called out weak authentication requirements, test accounts and the ease in creating new accounts as major holes in Microsoft service protections. Similar holes were used in the new attack on Microsoft.
Friday’s disclosure also comes during investigations by the Department of Homeland Security’s cyber safety review board and others into lapses in Microsoft security that allowed Chinese government hackers to steal unclassified email from top U.S. diplomats ahead of a summit between the two nations last year.
In that instance, the hackers were able to steal Microsoft’s digital keys for validating new organizational customers.
Since then, Microsoft has said it is redoubling its efforts in security.
In that instance, the hackers were able to steal Microsoft’s digital keys for validating new organizational customers.
