Microsoft has claimed to have been the subject of a Russian state-sponsored cyberattack.

The company said that the hacker group known as Nobelium was able to access "a very small percentage" of its corporate email accounts, including accounts belonging to some members of its senior leadership team.

Starting in Late November 2023, Nobelium, also known as Midnight Blizzard, used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, Microsoft said.

The company added that the group also gained access to accounts of members of the cybersecurity and legal team, and that it exfiltrated some emails and attached documents.

In a blog post, Microsoft said that the attack was not the result of a vulnerability in its products or services, and that there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.

The post notes: “Given the reality of threat actors that are resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient.

“For Microsoft, this incident has highlighted the urgent need to move even faster. We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.”

Microsoft was compelled to disclose the attack as a result of a new regulatory requirement of the US Securities and Exchange Commission (SEC) which mandates that publicly-owned companies promptly disclose cyber incidents, with affected parties made to file a report about a hack’s impact within four business days of discovery.

---