
A Timeline of Microsoft Data Breaches in the Past 36 Months


    Microsoft is one of the world's largest technology companies, entrusted with vast amounts of data for millions of users and organizations around the world. As such, it is a frequent target of cyberattacks. Microsoft's tools are immensely valuable to millions of global users, who use its software to create and share their corporate and personal information. When these users leverage Microsoft tools like Outlook, OneDrive, and the 365 Office suite, they are often putting sensitive data into Microsoft's hands — so the downstream impacts of a Microsoft data breach, on organizations and individuals, can be enormous.

    In the past three years, there have been several high-profile Microsoft data breaches and over 1,200 vulnerabilities reported, affecting millions of users and organizations. Here are the most notable events from fall 2021 through the time of writing, April 2024.  

    January 2024: Russian Hackers Used Password Spraying to Breach Microsoft in November 2023

    In January 2024, Microsoft disclosed that Russian state-backed hackers, known as Midnight Blizzard, compromised the company's corporate network by exploiting a weak password on a legacy non-production test tenant account. Using a technique called "password spraying" (that is, guessing common passwords across many accounts), the hackers gained access to emails and documents belonging to senior executives and employees in security and legal teams, with the breach potentially lasting up to two months before being detected on January 12.

    The compromised account lacked two-factor authentication, which allowed the attackers to pivot and access sensitive employee accounts. While Microsoft stated that there is no evidence of the hackers gaining access to customer environments, production systems, source code, or AI systems, some researchers expressed doubts and called for more transparency and technical and cultural transformation within the company to retain trust.
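    The pattern described above (a few guesses each against many accounts, then a successful sign-in on an account without MFA) is what a defender looks for in sign-in logs. The following is an added example, not code from Microsoft or from the original post, that runs that check over constructed sample sign-in events; the timestamps, account names and IP addresses are invented for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real Microsoft logs: (timestamp, account, source IP, outcome).
SAMPLE_SIGNINS = [
    ("2023-11-20T02:00:05", "alice@example.com",       "203.0.113.7", "failure"),
    ("2023-11-20T02:00:09", "bob@example.com",         "203.0.113.7", "failure"),
    ("2023-11-20T02:00:14", "carol@example.com",       "203.0.113.7", "failure"),
    ("2023-11-20T02:00:20", "dave@example.com",        "203.0.113.7", "failure"),
    ("2023-11-20T02:00:27", "erin@example.com",        "203.0.113.7", "failure"),
    ("2023-11-20T02:00:33", "legacy-test@example.com", "203.0.113.7", "success"),
    # Brute force against one account: many failures, one user. Not a spray.
    *[(f"2023-11-20T03:00:{s:02d}", "frank@example.com", "198.51.100.9", "failure") for s in range(0, 40, 5)],
    # Ordinary user mistyping a password twice, then getting in.
    ("2023-11-20T09:12:01", "grace@example.com", "192.0.2.5", "failure"),
    ("2023-11-20T09:12:30", "grace@example.com", "192.0.2.5", "failure"),
    ("2023-11-20T09:12:58", "grace@example.com", "192.0.2.5", "success"),
]

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source_ip: distinct_accounts} for sources whose failures hit many distinct
    accounts inside one window while staying at or below max_per_account tries per account.
    That shape (one or two guesses each, across many users) separates spraying from a brute
    force on a single account and from a user mistyping their own password."""
    failures = defaultdict(list)
    for ts, account, ip, outcome in sorted(events):  # ISO timestamps sort correctly as strings
        if outcome == "failure":
            failures[ip].append((datetime.fromisoformat(ts), account))
    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):  # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = Counter(acct for _, acct in fails[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                alerts[ip] = max(alerts.get(ip, 0), len(per_account))
    return alerts

def accounts_signed_in_from_spray_source(events, alerts):
    """Successful sign-ins from a flagged source mean a guess landed. Review these accounts
    first; one without MFA, like the legacy test tenant in the article, should be treated as compromised."""
    return sorted({acct for _, acct, ip, outcome in events if outcome == "success" and ip in alerts})

if __name__ == "__main__":
    found = detect_password_spray(SAMPLE_SIGNINS)
    print("spray sources:", found)
    print("accounts to review:", accounts_signed_in_from_spray_source(SAMPLE_SIGNINS, found))
```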

    September 2023: State Department Breached by Chinese Hackers; 60,000 Emails Stolen

    Chinese hackers breached Microsoft's email platform, stealing approximately 60,000 emails from 10 U.S. State Department accounts, primarily targeting individuals working on Indo-Pacific and European diplomacy efforts. The breach, which strained the already tense relationship between the U.S. and China, was carried out by compromising a Microsoft engineer's device, allowing the hackers to access the State Department's email accounts.

    The incident raised concerns about the U.S. government's reliance on a single vendor, and prompted the State Department to adopt measures such as moving to "hybrid" environments with multiple vendor companies and improving the uptake of multi-factor authentication to protect its systems. Senator Eric Schmitt - whose staffer was the entry point of the attack - has called for a thorough examination of the federal government's reliance on a single vendor as a potential weak point.

    July 2023: A China-Based Adversary Breaches U.S. Government Agencies Via Microsoft Cloud

    In July 2023, Microsoft disclosed that a China-based adversary gained access to the email systems of several U.S. government agencies and think tanks. The breach affected approximately 10,000 organizations.

    Virtru penned two blog posts with more context on the breach: One detailing the events that led to the discovery of the Microsoft Cloud hack, and one on the later revelations about the Microsoft encryption key management issues that amplified the attack’s impact. The hackers are believed to have used a vulnerability in Microsoft's cloud computing platform, Azure, to gain access to the systems. Furthermore, research from Wiz highlighted that the stolen MSA key could have allowed hackers to create access tokens for several Azure Active Directory applications. 

    This was, of course, highly concerning — especially as the impacted customers were largely government organizations. Virtru's Rob McDonald, NYU Adjunct Professor Michael Wilkes, and Chertoff Group's David London sat down to hash out the details of the Microsoft breach in this video.

    October 2022: Data for 548,000+ Users Exposed in BlueBleed Data Leak

    In October 2022, a misconfiguration in Microsoft's Azure Blob Storage service exposed the personal data of over 548,000 users. The exposed data included names, email addresses, and phone numbers. Microsoft said that the data was not sensitive enough to warrant a notification to affected users. 

    March 2022: Lapsus$ Group Breaches Microsoft

    In March 2022, the Lapsus$ group, a hacking group known for targeting major technology companies, breached Microsoft's internal systems. The group claimed to have stolen source code for several Microsoft products, including Bing, Cortana, and Exchange Server. Microsoft said that the breach did not affect customer data.

    August 2021: Organizations Expose 38 Million Records Due to Power Apps Misconfiguration

    In August 2021, a misconfiguration in Microsoft's Power Apps platform exposed the personal data of over 38 million users. The exposed data included names, email addresses, and phone numbers. Microsoft said that the misconfiguration was caused by a third-party partner.

    August 2021: Thousands of Microsoft Azure Customer Accounts and Databases Exposed

    In August 2021, thousands of customer accounts and databases were exposed due to a Microsoft Azure misconfiguration. The exposed data included names, email addresses, and passwords. Microsoft said that the misconfiguration was caused by a third-party partner.

    April 2021: 500 Million LinkedIn Users' Data Scraped and Sold

    In April 2021, a massive LinkedIn data breach exposed the personal data of over 500 million LinkedIn users. The exposed data included names, email addresses, phone numbers, and passwords. The breach was caused by a vulnerability in LinkedIn's platform. (LinkedIn was acquired by Microsoft in 2016.)

    From 2021 to 2023: 1,200+ Microsoft Vulnerabilities

    According to the Common Vulnerabilities and Exposures (CVE) database, there have been over 1,292 Microsoft vulnerabilities reported in the past 24 months. This number includes vulnerabilities in Microsoft Windows, Microsoft Office, Microsoft Edge, and other Microsoft products.

    One of the vulnerabilities that was most concerning was the Microsoft Office Message Encryption (OME) vulnerability that surfaced in 2022. The vulnerability itself was due to Microsoft OME utilizing a block cipher mode of operation called Electronic Code Book (ECB). Microsoft acknowledged the report and paid WithSecure a bug bounty. However, the vulnerability was not deemed enough of a priority to pursue a fix for. In an email to The Register at the time, a Microsoft spokesperson said, “The rights management feature is intended as a tool to prevent accidental misuse and is not a security boundary.” Since then, Microsoft has deprecated OME in favor of Purview Message Encryption, available for users of certain Microsoft subscription plans. 
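    To make the ECB weakness concrete, here is an added example (not from the WithSecure report, Microsoft's code, or the original post) that encrypts a message containing a repeated 16-byte field under ECB and under CBC, then runs the duplicate-block check a reviewer uses to flag ECB ciphertext. The block function is an HMAC-SHA256 stand-in for AES, an assumption made so the code runs without extra libraries; the key, IV and message are constructed values.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # 128-bit blocks, as in AES

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption (assumption: HMAC-SHA256 truncated to 16 bytes).
    It is not AES, but it has the property that makes ECB leak: the same key and the same
    16-byte input always produce the same 16-byte output."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so repeated plaintext blocks repeat in the output."""
    pt = pkcs7_pad(plaintext)
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first, so repeats are hidden.
    Shown only for contrast; a modern design would use an authenticated mode such as AES-GCM."""
    pt = pkcs7_pad(plaintext)
    prev, out = iv, [iv]
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def duplicate_block_ratio(ciphertext: bytes) -> float:
    """Fraction of 16-byte ciphertext blocks that repeat an earlier block. For a sound mode this
    is ~0 on any realistic message; under ECB it mirrors the repetition in the plaintext."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return sum(c - 1 for c in Counter(blocks).values()) / len(blocks)

def looks_like_ecb(ciphertext: bytes, threshold: float = 0.1) -> bool:
    return duplicate_block_ratio(ciphertext) >= threshold

# Constructed message with a repeated 16-byte field, the kind of structure documents carry
# (headers, boilerplate, form labels); key and IV are fixed constructed values.
KEY = b"constructed-key!"
IV = b"constructed-iv!!"
MESSAGE = b"CONFIDENTIAL    " * 8 + b"Total: 42"

if __name__ == "__main__":
    print("ECB duplicate ratio:", round(duplicate_block_ratio(ecb_encrypt(KEY, MESSAGE)), 3))
    print("CBC duplicate ratio:", round(duplicate_block_ratio(cbc_encrypt(KEY, IV, MESSAGE)), 3))
```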

    Lessons Learned: Diversify Your Risk with Layered Data Security for Microsoft

    There are many benefits of leveraging Microsoft's software, but that doesn't mean you can't take precautions to protect your data on a more granular level that puts true power in your hands.

    These breaches and vulnerabilities highlight the importance of layered protections: If you’re using Microsoft’s productivity software, of course you’ll want to make sure you’re regularly scanning systems for vulnerabilities, installing patches, and updating software. But beyond this, it’s important to consider the following questions:

    • Is my organization’s sensitive data properly encrypted in the cloud, both in transit and at rest?
    • How are my encryption keys managed? Does Microsoft host both the content and the keys? 
    • Could Microsoft have the ability to unlock my organization’s encrypted sensitive data?
    • Are system access and data access managed separately, or are they one and the same?
    • How hard would it be for a cyber attacker to get access to my data, whether encrypted or unencrypted? 

    If you are looking for a solution that adds layers of security to your Microsoft environment, Virtru can help. Virtru’s data-centric security for Microsoft includes:

    • Virtru Data Protection Gateway, which can automate encryption for sensitive data leaving the organization — including options for advanced, AI-driven data loss prevention (DLP) via Nightfall
    • Virtru for Microsoft Outlook, which provides easy-to-use client-side encryption for users of Microsoft 365 Outlook, as well as centralized visibility and auditability for admins
    • Virtru Private Keystore, which allows you to host and manage your own encryption keys in the location of your choosing, while Virtru handles the heavy lifting of policy enforcement at scale. 

    Ready to shift some of your risk away from Microsoft and take control of your own data destiny? Contact Virtru for a demo. We’d love to show you what our products can do to secure your business and protect your data. 

    Editorial Team

    The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.