Microsoft Confirms Lapsus Group Attack against Bing and Cortana

Microsoft says Lapsus did infiltrate Bing, Bing Maps, and Cortana following a claim the threat group made earlier.

Earlier this week, the (stylized $) claimed an attack against Microsoft DevOps accounts. In an , Microsoft has confirmed it was targeted by the increasingly high-profile group. According to the company, Lapsus could compromise accounts but only with limited .

“No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited . Our response teams quickly engaged to remediate the compromised account and prevent further activity,” Microsoft says.

“Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.

“Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”


Lapsus earlier published a torrent file online containing what the group claims is source code for Bing, , and Cortana. According to the threat actor, Bing and Cortana were 45% dumps and was a 90% source code dump.

Microsoft explains how Lapsus was able to gain access to the data:

“Their tactics include phone-based social engineering: SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft said.

“Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”

It is worth noting Microsoft does not call the group Lapsus, instead calling it DEV-0537.

“If they successfully gain privileged access to an organization's tenant (either AWS or Azure), DEV-0537 creates Global Admin accounts in the organization's instances, sets an tenant level mail transport rule to send all mail in and out of the organization to the newly-created account, and then removes all other Global Admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access,” Microsoft points out.  

“After exfiltration, DEV-0537 often deletes the target's systems and resources. We've observed deletion of resources both on-premises (for example, VMWare vSphere/ESX) and in the cloud to trigger the organization's incident and crisis response process.”

Lapsus has already been responsible for numerous breaches this year, such as against Vodafone and Samsung. Earlier this month, the group leaked a possible source code for the NVIDIA DLSS feature following a week-long .

Tip of the day: Did you know that your data and privacy might be at risk if you run Windows without encryption? A bootable USB with a live-linux distribution is often just enough to gain access to all of your files.

If you want to change that, check out our detailed BitLocker guide where we show you how to turn on encryption for your system disk or any other drive you might be using in your computer.