Microsoft Emails Warning of Russian Hacks Criticized for Looking Like Spam and Phishing – AndroGuider

Microsoft has been notifying its customers of a data breach caused by Russian government hackers known as Midnight Blizzard (or APT29), who stole various kinds of information, including customer data. However, the notification process has been criticized for sending emails that resemble spam or phishing attempts.

Kevin Beaumont, a former Microsoft employee and cybersecurity researcher, has warned companies to be cautious of these emails. “Microsoft had a breach by Russia impacting customer data and didn’t follow the Microsoft 365 customer data breach process. The notifications aren’t in the portal, they emailed tenant admins instead,” Beaumont wrote on LinkedIn. “The emails can go into spam — and tenant admin accounts are supposed to be secure breakglass accounts without email. They also haven’t informed orgs via account managers. You want to check all emails going back to June. It is widespread.”

One of the main issues with Microsoft’s notification email is that it includes a “secure link” to a domain that bears no apparent connection to Microsoft, specifically “purviewcustomer.powerappsportals.com.” This has led many to question the legitimacy of the email, and the link has been submitted to urlscan.io, a site that helps spot malicious links, more than a hundred times.

The urlscan.io submissions suggest that at least a hundred companies were affected by the Russian government hack on Microsoft. The U.S. cybersecurity agency CISA previously said that the Russian hackers also stole emails of several federal agencies.

Apart from Beaumont’s warnings, there is evidence that Microsoft customers are genuinely confused. In a Microsoft support portal, one customer shared the email their organization received in an attempt to get clarity on whether it was a genuine Microsoft email.

“This email has several red flags for me, the request for the TenantID and essentially admin or high level email addresses, the powerapps page being barebones, and some quick Googling not finding anything related to the title of this email or its contents,” the person wrote. “Can anyone confirm this is a legit Microsoft email request?”

A cybersecurity consultant commented on Beaumont’s LinkedIn post, saying that “several” of his clients received the email and “All of them were worried it was phishing.”

“At first glance, this did not inspire trust for the recipients, who started asking in forums or reaching out to Microsoft account managers to eventually confirm that the email was legitimate…weird way for a provider like this to communicate an important issue to potentially affected customers,” the consultant wrote.

Microsoft spokespeople did not respond when asked how many organizations have been notified, or if the company plans to change the way it notifies affected customers.
