In March, Microsoft confirmed that Russian government hackers known as Midnight Blizzard (or APT29) had broken into its systems with the goal of stealing various kinds of information, including data on Microsoft customers.
Months later, Microsoft is still in the process of notifying its affected customers, and it looks like the process isn’t going very well, with experts criticizing Microsoft for sending emails that look like spam, or even phishing attempts.
Kevin Beaumont, a former Microsoft employee and now a cybersecurity researcher who closely follows the company, has been warning companies to keep an eye out for these Microsoft emails.
“Microsoft had a breach by Russia impacting customer data and didn’t follow the Microsoft 365 customer data breach process. The notifications aren’t in the portal, they emailed tenant admins instead.” Beaumont wrote on his LinkedIn account. “The emails can go into spam — and tenant admin accounts are supposed to be secure breakglass accounts without email. They also haven’t informed orgs via account managers. You want to check all emails going back to June. It is widespread.”
One of the main issues with Microsoft’s notification email is that it includes a “secure link” to a domain that bears no apparent connection to Microsoft. Instead, the email includes a link to: “purviewcustomer.powerappsportals.com.”
“Basically, the critical alert looks like a phishing attack,” one person wrote on X.
That link has been submitted to urlscan.io, a site that can help spot malicious links, more than a hundred times. That suggests that there are a lot of organizations that saw that official legitimate Microsoft email and thought it was malicious.
Contact Us
Do you have more information about this Microsoft incident? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
The urlscan.io submissions also suggest there are at least a hundred companies that were affected by the Russian government hack on Microsoft. U.S. cybersecurity agency CISA previously said that the Russian hackers also stole emails of several federal agencies.
Apart from Beaumont’s warnings, there is some evidence that Microsoft customers are legitimately confused. In a Microsoft support portal, one customer shared the email their organization received in an attempt to get clarity on whether it was a genuine Microsoft email.
“This email has several red flags for me, the request for the TenantID and essentially admin or high level email addresses, the powerapps page being barebones, and some quick Googling not finding anything related to the title of this email or it’s [sic] contents,” the person wrote. “Can anyone confirm this is a legit Microsoft email request?”
Commenting on Beaumont’s LinkedIn post, a cybersecurity consultant said that “several” of his clients received the email and “All of them were worried it was phishing.”
“At first glance, this did not inspire trust for the recipients, who started asking in forums or reaching out to Microsoft account managers to eventually confirm that the email was legitimate…weird way for a provider like this to communicate an important issue to potentially affected customers,” the consultant wrote.
Microsoft spokespeople did not respond when TechCrunch asked how many organizations have been notified, or if the company plans to change the way it notifies affected customers.
