Earlier this year, Microsoft disclosed that it had been breached by the Russian state-sponsored group known as Midnight Blizzard, or APT29, which sought a range of information, including details about Microsoft's customers.
Several months later, Microsoft is still in the process of notifying the customers affected by the breach. Its outreach has drawn criticism, however, because the notification emails look to many recipients like spam or phishing.
Kevin Beaumont, a cybersecurity analyst and former Microsoft employee with insight into the company's operations, has been urging organizations to watch closely for communications from Microsoft.
“Microsoft’s encounter with a Russian cyber invasion, impacting customer data, deviated from its usual data breach protocol for Microsoft 365 users. Notifications were sent directly to tenant administrators via email, bypassing the portal,” Beaumont expressed on LinkedIn. “Such emails often end up in spam, and it’s unusual since tenant admin accounts, being highly secure, typically don’t receive direct emails. Moreover, organizations weren’t informed through their account managers. It’s critical to check emails from as far back as June. The issue is widespread.”
Complicating matters further, the notification email contains a "secure link" that points to a domain outside Microsoft's usual namespace, "purviewcustomer.powerappsportals.com," which makes its legitimacy even harder to judge.
“Essentially, the alert could easily be mistaken for a phishing attempt,” commented a user on X.
This link has been submitted for analysis more than a hundred times on urlscan.io, indicating that numerous organizations have questioned the legitimacy of what is in fact an official Microsoft communication.
Contact Us
For further details about this Microsoft incident or to share information securely, reach out to Lorenzo Franceschi-Bicchierai via Signal at +1 917 257 1382, or contact through Telegram, Keybase, and Wire @lorenzofb, or email. TechCrunch is also reachable via SecureDrop.
The volume of urlscan.io submissions hints at the broad impact of the Russian intrusion at Microsoft, which is consistent with CISA's announcement that federal agencies' emails were also compromised.
Beyond Beaumont's warnings, the confusion among Microsoft's customers is plain: one customer turned to a Microsoft support forum to ask whether the email they had received was real.
“The email raised multiple red flags for me, with its request for sensitive information including the TenantID and high-level email addresses, alongside a bare-bones powerapps page, and a lack of information on quick searches,” the individual shared. “Is this email genuinely from Microsoft?”
Echoing Beaumont's concerns, a cybersecurity consultant said the emails had worried several of his clients, who feared they were phishing attempts. "The recipients' initial mistrust led them to seek confirmation in forums or by contacting their Microsoft account managers, only to find out the communications were authentic. Odd strategy for such a major provider to address a significant security matter impacting its customers," the consultant added.
Microsoft did not respond to TechCrunch's questions about how many customers were notified or whether it plans to change its notification process.
Compiled by Techarena.au.