SAN FRANCISCO, June 25 (Reuters) – Microsoft (MSFT.O) said on Friday that an attacker gained access to one of its customer service agents and then used information from that agent to launch hacking attempts against customers.
The company said it found the compromise while responding to hacks by a group it identifies as responsible for previous major breaches at SolarWinds (SWI.N) and Microsoft.
Microsoft said it warned affected customers. A copy of a warning seen by Reuters said the attacker belonged to the group Microsoft calls Nobelium and had access during the second half of May.
“A sophisticated actor associated with the nation-state that Microsoft identifies as NOBELIUM has accessed Microsoft customer support tools to review information regarding your Microsoft service subscriptions,” the warning reads in part. The US government has publicly attributed the previous attacks to the Russian government, which denies any involvement.
When Reuters asked about the warning, Microsoft publicly announced the breach.
After commenting on a larger phishing campaign that it said compromised a small number of entities, Microsoft said it also discovered the breach of its own agent, who it said had limited powers.
The agent could see billing details and services customers are paying for, among other things.
“The actor has used this information in some instances to launch very targeted attacks as part of their larger campaign,” Microsoft said.
Microsoft has warned affected customers to be careful about communications with their billing contacts and to consider changing those usernames and email addresses, as well as blocking old usernames from signing in.
Microsoft said it was aware of three entities that had been compromised in the phishing campaign.
It did not immediately say whether any of them were among those whose data was viewed through the support agent, or whether the agent had been fooled by the larger campaign.
Microsoft did not say whether the agent worked for a subcontractor or was a direct employee.
A spokesperson said the latest breach by the threat actor was not part of Nobelium’s previous successful attack on Microsoft, in which it obtained source code.
In the SolarWinds attack, the group changed that company’s code to access SolarWinds customers, including nine US federal agencies.
Among SolarWinds customers and others, the attackers also took advantage of weaknesses in how Microsoft programs were configured, according to the Department of Homeland Security.
Microsoft later said the group had compromised its own employee accounts and taken software instructions governing how Microsoft verifies user identities.
DHS’s Cybersecurity and Infrastructure Security Agency did not respond to a request for comment.
Reporting by Peter Henderson; Editing by Chris Reese