The U.S. government has made public an emergency directive that it issued last week, ordering federal agencies to take various mitigation measures after a previously disclosed Microsoft compromise allowed threat actors to exfiltrate email correspondence between the agencies and Microsoft.
The emergency directive, which was originally issued privately to federal agencies on April 2 - and first reported on by CyberScoop - orders impacted agencies to take immediate action for tokens, passwords, API keys or other authentication credentials suspected of being compromised. Additionally, by April 30, agencies with any authentication compromises must reset their credentials and deactivate any associated applications, and review their sign-ins, token issuances and other account activity logs for users with compromised credentials.
The Microsoft compromise, which was first disclosed in January but dated back to two months before that, impacted an undisclosed number of government agencies after a Russian state-sponsored actor called Midnight Blizzard compromised a number of internal Microsoft corporate email accounts and stole sensitive company information. In its advisory for the emergency directive, CISA said that the threat actor is using authentication details and other information exfiltrated from corporate email systems in order to gain additional access to customers.
“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” according to CISA in the emergency directive. “This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.”
All federal agencies known to be impacted by the compromise have been notified, according to CISA, and the required actions apply primarily to them. The emergency directive also orders all affected agencies to take steps to identify the full content of their correspondence with Microsoft and carry out a cybersecurity impact analysis by April 30. On CISA’s end, the agency will provide federal agencies with instructions for accessing and analyzing the content of emails, work to identify instances associated with the threat activity and provide technical support for impacted agencies.
The initial attack, which began in November, specifically targeted high-value people inside the company, such as senior leaders. According to a Microsoft update on the attack in March, it is apparent that the threat group is attempting to "use secrets of different types it has found." The attack is ongoing, according to Microsoft, and Midnight Blizzard may be using the stolen information to build a picture of vulnerable areas to attack.
"Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures," according to Microsoft's last update on the attack, on March 8. "Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024."