Midnight Blizzard, a Russian nation-state hacker gang, breached Microsoft's security last year, gaining access to the emails of multiple customers. In late June, Microsoft revealed that more organisations were affected than previously assumed. However, the company's attempts to notify users may not have reached the intended recipients.
According to Kevin Beaumont, a cybersecurity expert and former senior threat intelligence analyst at Microsoft, the company chose to notify affected victims via email.
“The notifications aren’t in the portal – they emailed tenant admins instead. The emails can go into spam, and tenant admin accounts are supposed to be secure breakglass accounts without email. They also haven’t informed orgs via account managers,” Beaumont stated on LinkedIn.
Apart from Beaumont's warnings, there is some evidence that Microsoft customers are genuinely perplexed. In a Microsoft support page, one customer revealed the email their company received in an attempt to determine whether it was a real Microsoft email.
Others commented on Beaumont's post, alleging that several organisations misunderstood Microsoft's email for a phishing attempt and deleted it or marked it as spam. The breach notification emails allegedly lacked basic email authentication tools including SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
“Well, at first glance, this did not inspire trust for the recipients, who started asking in forums or reaching out to Microsoft account managers to eventually confirm that the email was legitimate...weird way for a provider like this to communicate an important issue to potentially affected customers,” the Greece-based cybersecurity consultant noted.
In January, Microsoft admitted that Midnight Blizzard attempted to hack the tech giant's internal systems. The same hacking group was behind the infamous SolarWinds hack, which caused havoc on US government installations in 2020.