HomeWinBuzzer NewsMicrosoft 365 Not Being Attacked by State Sponsored Hackers Says Microsoft

Microsoft 365 Not Being Attacked by State Sponsored Hackers Says Microsoft

Microsoft has denied reports Microsoft 365 is being attacked by a state-backed Russian group but there are confirms non-state breach.


Over the weekend, claims were made suggesting was breached by threat actors. Reuters reports Russian are using a flaw in 's platform to conduct surveillance on the U.S. Treasury Department.

The attack is said to be perpetrated by the same state-backed Russian group that recently attacked company FireEye.

Microsoft's response to the report was a post featuring a guide for IT admins. In the guide, the company shows how they can “find and mitigate potential malicious activity”. Alongside the helpful guide, the company denies Microsoft 365 has been compromised:

“We also want to reassure our customers that we have not identified any Microsoft product or cloud service vulnerabilities in these investigations.”

Non-Nation Attacks

It's worth pointing out Microsoft's denial is a state-back attack happened. The company does confirm a “nation-state activity at significant scale, aimed at both the government and private sector” is happening.

Microsoft has a good track record of confirming when attacks happen and what type of attack it is. To help organizations thwart an attack, Microsoft is advising they look for the following warning signs:

  • “An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now has detections for these files. Also, see SolarWinds Security Advisory.
  • An intruder using administrative permissions acquired through an on-premises compromise to gain access to an organization's trusted SAML token- signing certificate. This enables them to forge SAML tokens that impersonate any of the organization's existing users and accounts, including highly privileged accounts.
  • Anomalous logins using the SAML tokens created by a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization.
  • Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application.”
Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News