Emergency directive on Microsoft email breach


The Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive (ED 24-02) that reveals additional and increased fallout from the Midnight Blizzard cyberattack on Microsoft’s corporate email systems.

The directive states not only that the Russian state-sponsored cyber actor has exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft, but also that aspects of the intrusion campaign, including password sprays, increased in volume by as much as 10-fold in February, compared with the already large volume seen in January 2024.

The directive lays out specific required mitigation steps that all affected federal agencies must employ, as well as a timeline to report on the successful completion of such activities.

CISA says the “exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies.”

“Unfortunately, it’s not surprising to learn that Midnight Blizzard’s intrusion campaign escalated after initially being discovered. Given Microsoft’s consistent track record of partial disclosure, misleading statements and downplaying security incidents, it was only a matter of when the other shoe would drop. Microsoft’s lackadaisical security practices and negligent approach to disclosure have national security implications, and should alarm their commercial clients, which don’t necessarily have the voice or get the attention that the U.S. government might,” said Amit Yoran, Chairman and CEO, Tenable.

CISA also adds that it “is treating this threat with the intense scrutiny it deserves. Bad cyber hygiene leads to worse outcomes.”