State-sponsored hacking group targets more Microsoft users with cyberattacks reported
Microsoft has been forced to respond swiftly to a series of cyber attacks by the state-linked Midnight Blizzard threat group, with the tech giant notifying additional enterprise customers this week that their emails were compromised.
The attacks, first reported by Bloomberg, began as early as January 2024 and continued actively into 2025. Midnight Blizzard targeted Microsoft's corporate and cloud environments, including Microsoft Entra ID and Azure Active Directory, using password-spray campaigns and credential-stuffing techniques.
According to Microsoft, 99.9% of compromised Entra ID accounts resulted from password spray and similar brute-force attacks, indicating how widely this technique is used by Midnight Blizzard and related groups. The hackers managed to steal Microsoft encryption keys and create forged access tokens, significantly amplifying the breach's impact on Azure Active Directory and related cloud services.
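As an added illustration of the defender's side of the password-spray pattern described above (this is example code, not Microsoft's detection logic or anything from the original article): a small detector run over constructed sign-in events. It keys on the spray signature, many distinct accounts each tried only once or twice from one source address, rather than many attempts against one account, and reports any successful sign-in from the same source as the priority finding. Field layout and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in events (not real Entra ID log data), reduced to the
# fields a sign-in log exposes: timestamp, user principal name, source IP, result.
SAMPLE_EVENTS = [
    ("2024-01-12T02:00:01Z", "alice@example.test", "203.0.113.7", "failure"),
    ("2024-01-12T02:00:09Z", "bob@example.test", "203.0.113.7", "failure"),
    ("2024-01-12T02:00:17Z", "carol@example.test", "203.0.113.7", "failure"),
    ("2024-01-12T02:00:25Z", "dave@example.test", "203.0.113.7", "failure"),
    ("2024-01-12T02:00:33Z", "erin@example.test", "203.0.113.7", "failure"),
    ("2024-01-12T02:00:41Z", "frank@example.test", "203.0.113.7", "failure"),
    ("2024-01-12T02:00:49Z", "legacy-test@example.test", "203.0.113.7", "success"),
    # One user mistyping a password twice from an office address is not a spray
    # and must not be flagged, even though it produces repeated failures.
    ("2024-01-12T09:15:00Z", "alice@example.test", "198.51.100.20", "failure"),
    ("2024-01-12T09:15:20Z", "alice@example.test", "198.51.100.20", "failure"),
    ("2024-01-12T09:15:40Z", "alice@example.test", "198.51.100.20", "success"),
]

def detect_password_spray(events, min_distinct_users=5, max_failures_per_user=2):
    """Return {source_ip: {"targeted": [...], "compromised": [...]}} for source IPs
    whose failed sign-ins are spread across at least min_distinct_users accounts
    with no more than max_failures_per_user attempts each (the low-and-slow shape
    that stays under per-account lockout). Any successful sign-in from such an IP
    is listed under "compromised" so it can be triaged first."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    successes = defaultdict(set)                      # ip -> users that signed in
    for _ts, user, ip, result in events:
        if result == "failure":
            failures[ip][user] += 1
        elif result == "success":
            successes[ip].add(user)
    findings = {}
    for ip, per_user in failures.items():
        low_count = [u for u, n in per_user.items() if n <= max_failures_per_user]
        if len(low_count) >= min_distinct_users:
            findings[ip] = {"targeted": sorted(low_count),
                            "compromised": sorted(successes.get(ip, ()))}
    return findings

if __name__ == "__main__":
    for ip, f in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(f['targeted'])} accounts sprayed, successes: {f['compromised']}")
```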
Customers who received the notifications expressed their concerns on social media, fearing potential phishing attempts. However, Microsoft has provided additional details to customers previously notified about the intrusions.
The Midnight Blizzard group, also known as Nobelium, used the stolen information to break into customer accounts. It compromised a legacy, non-production test tenant account and gained access to some source code repositories and internal systems.
In response, Microsoft has accelerated plans to reform its security practices under a program called the Secure Future Initiative. The company's President, Brad Smith, took ownership of the compromises and promised the company would make wholesale changes.
However, Microsoft has faced criticism following a report by the Cyber Safety Review Board of a compromise last summer by China-linked threat actors that stole tens of thousands of State Department emails.
As of Friday, HPE has not heard from Microsoft with any new details about the attacks. Katell Thielemann, distinguished VP analyst at Gartner, stated that a cyber event is not a 'just in time' event; much is often learned later in the forensics process.
The Midnight Blizzard threat group continued deploying customized malware and running phishing campaigns into 2025, indicating ongoing espionage efforts after the initial compromises. Public reporting from around April to July 2025 describes continued monitoring of Midnight Blizzard activity and shows a sustained threat, with further attempts against Microsoft enterprise customers and government targets worldwide.
Microsoft's response to these attacks serves as a reminder of the ongoing threat of cyber attacks and the importance of robust security practices. The company's Secure Future Initiative aims to strengthen its defenses and protect its customers from similar threats in the future.
- The cybersecurity industry is closely monitoring the ongoing threat posed by the Midnight Blizzard group, a state-linked threat actor known for its extensive espionage efforts against Microsoft's corporate and cloud environments.
- The cybersecurity landscape is undergoing significant changes due to political factors, as evidenced by Microsoft's accelerated security reform under the Secure Future Initiative in response to multiple high-profile cyber attacks.