Hackers reportedly compromised a Microsoft Corp. support agent’s credentials, allowing them to gain unauthorized access to the company’s various web-based email services, including Outlook, MSN and Hotmail, for at least three months in 2019.
This breach exposed not only information pertaining to certain customers’ email accounts, but also in some cases the content of the emails themselves, according to an April 14 Motherboard report that provided new details into the attack, following an initial report by TechCrunch.
Microsoft last week informed affected customers of the incident via emailed notifications, one version of which was posted on Reddit by a recipient: “We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account,” the message states. “This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your email address, folder names, the subject lines of emails and the names of other email addresses you communicate with), but not the content of any emails or attachments, between January 1st 2019 and March 28th 2019.”
However, Microsoft reportedly confirmed to Motherboard that another group of its web mail users received a different notification that informed them their email content was also impacted. Citing screenshots and other information provided by an anonymous source, Motherboard also reported that additional information such as customers’ calendars and birth dates may also have been up for grabs, and that the culprits may have had access for six months, not three (although Microsoft reportedly disputes this final point).
“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” said a Microsoft spokesperson in comments provided to SC Media. The company also noted that the total number of impacted customers was “limited” and that only about six percent of this affected group had their email content exposed.
It remains unclear exactly how many customers are affected. However, Motherboard’s anonymous source reportedly said that the malicious actors had access to Microsoft’s customer support portal, potentially enabling them to access any email account, provided it wasn’t a corporate- or enterprise-level account.
In its notification, Microsoft says it responded to the threat by disabling the compromised credentials and forbidding their future use. The company also says it has increased detection and monitoring for the affected accounts.
Although the company says it is not aware of the actors’ motives, Microsoft has warned customers to look out for targeted phishing attacks that leverage stolen information as a way of seeming more legitimate.
“For example, a phisher could use the same subject line as a recently sent or received email and add ‘Re:’ before to trick users into opening the email and possibly malicious documents that contain malware,” said Robert Vamosi, senior product marketing manager at ForgeRock, in emailed comments. For that reason, “all users should make sure to check the sender’s email addresses of emails they receive to make sure they are legitimate.”
Microsoft recommends that users reset their email passwords as a precaution, even though customers. credentials were apparently not impacted.
As for the compromised support agent’s credentials, “There’s no doubt that Microsoft is scrambling to find out how the credentials were compromised, and to make changes so it doesn’t happen again,” Tim Erlin, vice president of product management and strategy at Tripwire, said in emailed comments. “When valid user credentials are compromised, it’s much more difficult to detect attacks because the activity seems legitimate. Clear, enforced separation of duties can help mitigate the scope of damage and force attackers into more detectable activities in order to escalate their level of access.”