
Microsoft email warning customers about Russian hacking criticized for looking like spam and phishing


In March, Microsoft confirmed that Russian government hackers known as Midnight Blizzard (or APT29) had breached the company’s systems with the goal of stealing various types of information, including Microsoft customer data.

Months later, Microsoft is still in the process of notifying affected customers, a process that appears not to have gone smoothly, with experts criticizing Microsoft for sending emails that look like spam or even phishing attempts.

Kevin Beaumont, a former Microsoft employee and current cybersecurity researcher who closely follows the company, has been warning companies to be wary of these Microsoft emails.

“Microsoft had customer data impacted by the Russian breach but did not follow the Microsoft 365 Customer Data Breach Process. Notification was not in the portal and instead an email was sent to the tenant admin,” Beaumont wrote on his LinkedIn account. “The email would likely go to spam and the tenant admin account should be a secure Breakglass account with no email. They also did not notify the organization through the account admin. You should check all emails going back to June. It is widespread.”

One of the main problems with Microsoft’s notification emails is that they contain “secure links” to domains that are obviously not associated with Microsoft. Instead, the emails contain links to “purviewcustomer.powerappsportals.com.”

“Basically the critical warning looks like a phishing attack,” one person wrote on X.

The link has been submitted over 100 times to urlscan.io, a site that helps spot malicious links, suggesting that there are many organizations that have seen official, legitimate Microsoft emails and thought they were malicious.


The urlscan.io submissions also suggest that at least 100 companies were affected by the Russian government’s Microsoft hack. The U.S. cybersecurity agency CISA has previously said Russian hackers also stole emails from several federal agencies.

In addition to Beaumont’s warning, there is evidence that Microsoft customers are legitimately confused. On the Microsoft support portal, one customer shared an email he received from his organization, trying to clarify whether it was a genuine Microsoft email.

“This email raises a few red flags for me: It asks for a TenantID, it basically asks for an admin or top level email address, the PowerApps page is bare bones, and a quick Google search doesn’t reveal anything relevant in the subject line or (sic) content of this email,” the person wrote. “Can anyone confirm if this is a legitimate Microsoft email request?”

In a comment on Beaumont's LinkedIn post, a cybersecurity consultant said “several” of his clients had received the email and “were all concerned it was phishing.”

“At first, the recipients were not convinced, and eventually they had to ask questions on forums or contact their Microsoft account managers to confirm that the email was legitimate… This is a strange way for a vendor like this to communicate a critical issue to potentially affected customers,” the consultant wrote.

When TechCrunch asked how many organizations had been notified and whether the company plans to change how it notifies affected customers, a Microsoft spokesperson did not respond.
