In March, Microsoft confirmed that Russian government hackers known as Midnight Blizzard (APT29) had broken into the company's systems with the intent of stealing a variety of information, including Microsoft customer data.
Months later, Microsoft is still notifying affected customers, but the process appears to be bungled, with experts criticizing the company for sending out emails that look like spam and even phishing attempts.
Kevin Beaumont, a former Microsoft employee and cybersecurity researcher who now follows the company closely, is warning businesses to be wary of emails from Microsoft.
“Microsoft suffered a Russian breach that affected customer data, but did not follow Microsoft 365 customer data breach process. Notifications were not sent to the portal, but instead emailed to tenant administrators,” Beaumont wrote on his LinkedIn account. “Emails can get lost in spam. Tenant administrator accounts are supposed to be secure emergency accounts with no email. They did not notify the organization via their account manager. I urge you to review all emails going back to June. This is widespread.”
One of the main issues with Microsoft notification emails is that they contain “safe links” to domains that are obviously not related to Microsoft. Instead, the emails contain a link to “purviewcustomer.powerappsportals.com”.
“Basically this serious alert looks like a phishing attack,” one person wrote on X.
This link has been submitted over 100 times to urlscan.io, a site that helps detect malicious links, which suggests there are a large number of organizations that have seen an official, legitimate email from Microsoft and deemed it malicious.
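The reason both people and automated filters flag such a message is the mismatch the article describes: the link resolves to a host outside the domains the recipient associates with the sender. The following Python script is an added example (not TechCrunch's or Microsoft's code) of the check a mail-security team might run over an incoming notification: it extracts links from the body, unwraps "Safe Links" rewrites so the true destination is examined (the `safelinks.protection.outlook.com/?url=` wrapper format is assumed here from common practice), and reports any destination host outside an allowlist. The allowlist and the sample email body are constructed for the example; the `purviewcustomer.powerappsportals.com` host is the one named in the article.

```python
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed allowlist of domains a tenant might expect Microsoft mail to point at.
# This is an assumption for the example, not Microsoft's own published list.
EXPECTED_DOMAINS = {"microsoft.com", "office.com", "azure.com"}

# Matches http(s) URLs in a plain-text body; trailing punctuation is trimmed later.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_matches(host: str, allowed: set) -> bool:
    """True if host equals an allowed domain or is a subdomain of one.

    A plain substring test would accept 'microsoft.com.evil-example.test', so the
    comparison is anchored at a label boundary ('.' + domain) instead.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def unwrap_safelink(url: str) -> str:
    """Return the real destination behind a Safe Links wrapper, else the URL itself.

    Assumed wrapper shape: https://<region>.safelinks.protection.outlook.com/?url=<encoded>
    The first hop is a Microsoft host, which is exactly why the wrapper must be
    removed before the destination host is judged.
    """
    parsed = urlparse(url)
    if (parsed.hostname or "").lower().endswith("safelinks.protection.outlook.com"):
        inner = parse_qs(parsed.query).get("url")
        if inner:
            return inner[0]  # parse_qs already percent-decodes the value
    return url


def flag_offdomain_links(body: str, allowed: set = EXPECTED_DOMAINS) -> list:
    """Return destination hosts of links in the body that fall outside the allowlist."""
    flagged = []
    for raw in URL_RE.findall(body):
        url = unwrap_safelink(raw.rstrip(".,;)"))
        host = urlparse(url).hostname or ""
        if host and not registrable_matches(host, allowed):
            flagged.append(host.lower())
    return flagged


# Constructed sample: a notification-style body with one Safe Links-wrapped link to the
# host named in the article and one ordinary documentation link. Not a real email.
WRAPPED = (
    "https://nam01.safelinks.protection.outlook.com/?url="
    + quote("https://purviewcustomer.powerappsportals.com/", safe="")
)
SAMPLE_BODY = f"""Subject: Action required regarding your tenant
Please submit your tenant ID using the form at {WRAPPED}.
Background reading: https://learn.microsoft.com/purview/
"""

if __name__ == "__main__":
    # Expected: ['purviewcustomer.powerappsportals.com']
    print(flag_offdomain_links(SAMPLE_BODY))
```

The check deliberately judges the final destination rather than the rewritten first hop; a wrapper on a trusted domain does not make the page behind it trusted. In practice the allowlist would be maintained per organization, and a hit would route the message to analyst review rather than straight to quarantine, since, as this incident shows, a legitimate sender can fail the test.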
Contact us: Do you have more information about this Microsoft incident? You can securely contact Lorenzo Franceschi-Bicchierai from a non-work device via Signal (+1 917 257 1382), Telegram, Keybase, Wire @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.
A filing from urlscan.io suggests at least 100 companies were affected by the Russian government hack of Microsoft, and the US cybersecurity agency CISA has previously said Russian hackers also stole emails from several federal agencies.
Aside from Beaumont's warning, there's some evidence that Microsoft customers are genuinely confused. On Microsoft's support portal, one customer shared an email their organization received, trying to clarify whether it was a genuine Microsoft email.
“This email has a few red flags for me: the request for a tenant ID and essentially an admin or higher level email address, the bare minimum of a PowerApps page, and the fact that the title of this email or anything related to its contents is not easily searchable on Google [sic],” the person wrote. “The contents are unclear. Can anyone confirm this is a legitimate Microsoft email request?”
Commenting on Beaumont's LinkedIn post, a cybersecurity consultant said “several” clients had received the email and “all were concerned it was phishing.”
“At first glance, this does not engender confidence among recipients, who eventually verified the email was legitimate by asking questions on forums and contacting their Microsoft account managers. It's a strange way for such a provider to communicate a significant issue to potentially affected customers,” the consultant wrote.
A Microsoft spokesperson did not respond to TechCrunch's request to say how many organizations had been notified or whether the company plans to change how it notifies affected customers.