Microsoft: Midnight Blizzard Attempting To Exploit Customer ‘Secrets’

The tech giant says the information was ‘shared between customers and Microsoft in email.’

The Russian state-sponsored threat actor known as Midnight Blizzard has been trying to exploit information shared by customers with Microsoft over email, the tech giant said Friday.

The disclosure came in an update by Microsoft about the continued activities of Midnight Blizzard, which the company has blamed for the hack of multiple senior executive accounts, in an attack that began in late November.

[Related: CrowdStrike CEO: Microsoft Explanation For Russia Hack Doesn’t Add Up]

Microsoft said it has seen a recent surge in the activity by Midnight Blizzard. The company previously attributed the widely felt 2020 breach of SolarWinds to the group, which the U.S. and U.K. governments have associated with Russia’s SVR foreign intelligence unit.

In the wake of the recent breach of Microsoft executives’ email accounts, it’s “apparent that Midnight Blizzard is attempting to use secrets of different types it has found,” Microsoft said in the post Friday.

The company noted that “some of these secrets were shared between customers and Microsoft in email.”

In an email to CRN Friday, a Microsoft representative clarified that the secrets being referenced in the post are cryptographic secrets such as passwords, credentials, certificates and keys.

In the post, Microsoft said that as it discovers these customer “secrets” in the emails that are known to have been stolen, “we have been and are reaching out to these customers to assist them in taking mitigating measures.”

Notably, “Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024,” the company said.

Microsoft initially disclosed the attack on Jan. 19, revealing that the group known as Midnight Blizzard was able to steal emails from members of its senior leadership team as well as from employees on its cybersecurity and legal teams.

The activity has continued in “recent weeks,” and Microsoft has now “seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” the company said.

“This has included access to some of the company’s source code repositories and internal systems,” Microsoft said. “To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”

Microsoft confirmed Jan. 26 that the threat group responsible initially gained access by exploiting a lack of multifactor authentication (MFA) on a “legacy” account.

Meanwhile, Hewlett Packard Enterprise revealed in January that it was also compromised by the threat actor known as Midnight Blizzard last year. HPE said that it was notified about the incident on Dec. 12, a month before Microsoft learned of its own breach on Jan. 12.