Microsoft is scrambling to handle an ongoing November cyber attack which saw Russia-linked hackers crack into senior executive email accounts and access sensitive company source code.

The tech giant first reported the attack in mid-January after discovering hackers used a brute-force password spray attack to crack into its systems and move laterally into a “small percentage” of Microsoft corporate email accounts.

Security experts at Microsoft attributed the attack to Russian state-sponsored threat actor Midnight Blizzard – which gained notoriety after claiming a historical supply chain attack at networking company Solarwinds in 2021.

While the company first reported it was actively investigating and working with law enforcement to address the attack, Microsoft now admits the hackers have been causing havoc in its system for about three months.

Furthermore, Midnight Blizzard – also tracked as Cozy Bear and APT29 – has since managed to access some of the company’s sensitive source code repositories, though Microsoft did not specify which source code had been accessed.

“Midnight Blizzard’s ongoing attack is characterised by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” Microsoft said on Friday.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorised access.”

Microsoft said it has found “no evidence” of compromise for Microsoft-hosted customer-facing systems, but did note the gang was “attempting to use secrets” shared between customers and Microsoft via email.

While Microsoft’s announcement did not specify the nature of those “secrets”, a spokesperson later told Information Age the company was referring to cryptographic measures such as passwords, certificates and keys.

The company said it has been reaching out to impacted customers to help them take mitigative measures.

Are customers at risk?

Blizzard is attempting to target customers through its attack, though none have expressly confirmed a related supply-chain attack since Microsoft first reported the incident.

Meanwhile, cloud computing giant Hewlett-Packard Enterprise (HPE) disclosed in late January that it was victim to the same attackers, with Midnight Blizzard having accessed the company’s Microsoft Office 365 email environment to pilfer corporate data.

Although HPE’s announcement coincided with Microsoft’s, HPE has not expressly linked the two incidents.

As investigations continue, Microsoft noted the hackers may be using stolen information to “accumulate a picture of areas to attack” and “enhance its ability” to carry out further attacks.

“This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks,” said Microsoft.

Microsoft further revealed the Russia-linked attackers have not only persisted in their targeted attack, but have increased their criminal efforts significantly.

“Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.”

Notably, the months-long attack started when Midnight Blizzard managed to access an account which did not have multi-factor authentication enabled – indicating a glaring security oversight by Microsoft.

“The giants of the tech industry, despite their global influence and innovation, find themselves grappling with the enforcement of their own lax cyber security measures,” said Andrew Jenkinson, chief executive of UK cyber security company Cybersec Innovation Partners.

“As the interconnected world is totally dependent upon technology, it is imperative for tech giants to prioritise robust cyber security measures.

“Sadly, this is not being enforced.”

In its Friday update, Microsoft said it has bolstered its investments in security and improved its ability to coordinate and mobilise across its enterprise.

“We have and will continue to put in place additional enhanced security controls, detections, and monitoring,” said Microsoft.