Hackers used credentials of a Microsoft Support worker to access users’ webmail

On Friday, an unknown number of customers of Microsoft’s webmail services (Outlook.com, Hotmail, MSN Mail) received a notice from the company telling them that attackers had access to their email account for three months.

microsoft webmail services unauthorized access

“We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account,” Microsoft told the victims.

“This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of the other e-mail addresses you communicate with), but not eh content of any e-mails or attachments, between January 1st 2019 and March 28th 2019.”

Even though the affected users’ login credentials weren’t compromise, Microsoft advised them to reset their account password just in case.

On Saturday, Microsoft confirmed to TechCrunch that a “limited” number of users were affected, that it didn’t known what data was viewed by hackers or why, and that no enterprise customers were affected.

New developments

But, according to a Motherboard source who purportedly witnessed the attack and screenshots he or she provided, the attackers were able to see the content of some of the affected customers’ emails. Also, that the attackers gained and kept access to the abused Microsoft’s internal customer support portal for at least 6 months.

Microsoft has confirmed to the publication that the attackers did have access to the emails of some 6 percent of the impacted customers (the total number has not been shared) and that those customers were notified of this. But the company still maintains that the attackers had access only since January 1st.

Motherboard’s source said that the attackers could access free, but not paid user accounts, and that the hackers were after accounts of iPhone owners whose devices were stolen and had to be de-coupled from iCloud accounts in order to be reset and sold on. They used these targets’ compromised email account to send and confirm password reset requests for iCloud accounts.

ImmuniWeb CEO Ilia Kolochenko advised all Outlook account owners to change their passwords and secret questions, as well as passwords for any other accounts that sent, or could have sent, a password recovery link to their Outlook email.

“Compromise of privileged accounts is a widespread and effective method among cybercriminals to get to the crown jewels at high speed and low cost. It is, however, quite surprising that such a reputable company as Microsoft reportedly has not reacted to the anomalies for as long as three months,” he added.

“Continuous monitoring of privileged accounts is quintessential to ensure data security and compliance. Moreover, nowadays, with emerging machine learning technologies it has become a pretty easy task is properly implemented.”

Don't miss