A suspected Russian intrusion into Microsoft's corporate systems, which was disclosed in January, also affected US federal government systems, according to the US Cybersecurity and Infrastructure Security Agency.
An emergency directive was issued last week to federal agencies advising them how to deal with the fallout from the attack, according to the tech site Cyberscoop.
When Microsoft disclosed the incident, it said the attackers, had been identified as Midnight Blizzard aka Nobelium, the same group that attacked security firm FireEye in 2020 using a supply chain through the Orion network monitoring product sold by SolarWinds.
The attacker was said to have used password-spraying — or random guesses — to compromise what Microsoft called "a legacy non-production test tenant account" and then used this access to enter "a very small percentage of Microsoft corporate email accounts".
There was no explanation as to how a non-production test account provided a path to corporate email accounts.
This disclosure came just six months after an intrusion into Microsoft's Azure cloud led to the breaching of email accounts belonging to American envoy to Beijing, Nicholas Burns, assistant secretary of state for East Asia, Daniel Kritenbrink and also US Commerce Secretary Gina Raimondo among others.
A review into the latter incident concluded that Microsoft was guilty of a cascade of security failures that made the intrusion possible.
Commenting on the review, Cory Simpson, senior adviser to the Cyberspace Solarium Commission, said: "The Federal Civilian Executive Branch is the primary interface with the American people for most of the critical services the US Government provides including Medicaid, Medicare, Social Security, Supplemental Nutrition Assistance Program, Veterans Benefits, and Small Business Financing.
"CISA is responsible for the cyber security of the 102 departments and agencies that comprise the FCEB — and their closest and largest partner in this effort — Microsoft — continues to be plagued with security issues. The American people deserve better.”
Following the disclosure of the Russian intrusion, Microsoft released a blog post last November claiming it had put in place what it called a Secure Future Initiative which it described as a "new initiative to pursue our next generation of cyber security protection".