Microsoft Cloud Breach Included Theft Of 60,000 State Department Emails: Reports

A Senate staff member reportedly disclosed that the emails were stolen from 10 U.S. State Department accounts by the attackers, which have been linked to China.


A total of 60,000 emails were stolen from 10 U.S. State Department accounts in the compromise of Microsoft cloud email accounts that was first discovered in June, according to reports.

The reported disclosure by an unidentified staff member for U.S. Sen. Eric Schmitt offers new details about the scope of the high-profile, China-linked attack, which has intensified the scrutiny of Microsoft’s security practices from both industry and government.

Reports by Reuters and The Washington Post’s Cybersecurity 202 newsletter revealed the new details, indicating that nine of the 10 State Department victims were focused on East Asia and the Pacific, with the 10th focused on Europe.

Microsoft declined to comment Thursday.

The breach is believed to have impacted the emails of Commerce Secretary Gina Raimondo as well as U.S. Ambassador to China Nicholas Burns and officials in the Commerce Department. The incident previously prompted U.S. Sen. Ron Wyden to request a federal investigation to determine “whether lax security practices by Microsoft” led to the hack.

‘Pattern Of Behavior’

In a recent interview with CRN, CrowdStrike CEO George Kurtz said the Microsoft cloud email breach is just the latest high-profile indicator that Microsoft’s “architectural flaws” pose a massive security risk. Tenable CEO Amit Yoran has also pointed to a “pattern of behavior” from Microsoft that “undermines security.”

Earlier this month, Microsoft disclosed that it had identified additional issues that enabled the China-linked threat actor — tracked as “Storm-0558” — to compromise the cloud email accounts of U.S. officials.

In a blog post, the tech giant disclosed that a flaw caused an Azure Active Directory key used in the compromise to be improperly captured and stored in a file following a Windows system crash in 2021. Another flaw led to the presence of the key not being detected, Microsoft said.

Additionally, the threat actor behind the breach was only able to access the file containing the key through compromising a corporate account belonging to a Microsoft engineer, according to the company.

Previously, Microsoft had said a stolen Azure Active Directory key was misused to forge authentication tokens and gain access to emails from an estimated 25 organizations.

‘More Questions’

Another new detail revealed by Microsoft in its latest post on the topic is that the timeline for the incident most likely stretches back to April 2021 — more than two years earlier than previously believed.

In a recent interview, Wiz CTO Ami Luttwak told CRN that Microsoft still has a lot to answer for over the breach. For instance, given that Microsoft had initially believed the incident began on May 15, the new timeline “raises a ton more questions” about whether the threat actor’s activities may have involved more than compromising the email accounts of 25 organizations, as Microsoft previously thought, according to Luttwak.