Microsoft 365 customers are furious after the company reportedly fumbled its notification processes for a major Russia-linked data breach – likely leaving customers in the dark following significant email data leaks.
Earlier this year, tech giant Microsoft announced a nation-state attack had exposed corporate email accounts – including those for some of the company’s senior leadership team – to Russia-linked threat actor Midnight Blizzard.
Now, some six months after disclosing the incident, the company has told customers the same Russian hackers also got their hands on confidential customer emails.
“You are receiving this notification because emails were exchanged between Microsoft and accounts in your organisation,” Microsoft told affected customers.
“Those emails were accessed by the threat actor Midnight Blizzard as part of their cyber attack on Microsoft.”
To make matters worse, security researcher Kevin Beaumont revealed Microsoft failed to follow its own customer data breach process – likely landing some critical notifications in email spam folders rather than the relevant Microsoft 365 (M365) portal.
“The notifications aren’t in the portal, they emailed tenant admins instead,” said Beaumont.
“They also haven’t informed orgs via account managers.”
Beaumont explained Microsoft broke its “customer data breach notification process” by instead emailing the information to tenant admins, and that these emails “don’t even pass” crucial email security checks such as SPF and DKIM.
Since this effectively meant the emails could arrive in spam, Beaumont warned the issue is “widespread” and urged M365 tenants to “check all emails going back to June”.
Furthermore, Beaumont stressed the ‘tenant admins’ receiving these security notifications are “supposed to be secure break glass accounts without email”, meaning they’re typically reserved for emergency or ‘break glass’ scenarios where normal administrative accounts can't be used.
“Knowing Microsoft, they genuinely are trying… it’s such a large organisation – imagine a spider with 800 legs and 10 brains,” wrote Beaumont.
“It’s great that MS are being transparent — but they need to get down how to notify organisations.”
Cyber security consultant Thanos Vrachnos said several of his clients received the email, and that “all of them” were worried it was a phishing attempt given the lack of appropriate SPF and DKIM.
“This did not inspire trust for the recipients, who started asking in forums or reaching out to Microsoft account managers to eventually confirm that the email was legitimate…” said Vrachnos.
“Weird way for a provider like this to communicate an important issue to potentially affected customers.”
Concerns regarding the legitimacy of the email also reached discussions platform Reddit, where members of the Microsoft and Office 365 subreddits debated whether the notification was from Microsoft or a potential phishing scammer.
Meanwhile, in a copy of the email shared by Beaumont, Microsoft instructs affected victims on how to view their potentially exposed data.
If the email is missed, companies could be left unaware as Russian hackers leverage sensitive data accessed from their confidential emails.
This seemingly lackadaisical approach from Microsoft is made worse by the fact that, in March, the company admitted Midnight Blizzard had been wreaking havoc on its systems for about three months.
Furthermore, the tech giant was subject to a whistleblowing event in June which saw a former employee chastise the company for ignoring a crucial flaw which exposed countless organisations and the US government to a major Russian-led hack.