ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System

April 02, 2024
Emergency Directive: ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System. 

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2). Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3). Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v). These directives do not apply to statutorily defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).

Background

The Russian state-sponsored cyber actor known as Midnight Blizzard has exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft through a successful compromise of Microsoft corporate email accounts. Microsoft has disclosed the incident and follow-on updates through multiple communications, beginning in January 2024: "Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard" and "Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard" (MSRC Blog, Microsoft Security Response Center).

The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems. According to Microsoft, Midnight Blizzard has increased the volume of some aspects of the intrusion campaign, such as password sprays, by as much as 10-fold in February, compared to an already large volume seen in January 2024.

Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies. This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure. CISA has assessed that the below required actions are most appropriate to understand and mitigate the risk posed by Midnight Blizzard’s possession of the exfiltrated correspondence between FCEB agencies and Microsoft.

Microsoft and CISA have notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard. This Directive will refer to that group of agencies as “affected agencies.”

In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies.

Finally, Microsoft has agreed to provide metadata for all exfiltrated federal agency correspondence—regardless of the presence of authentication secrets—upon the request of the National Cyber Investigative Joint Task Force (NCIJTF), which has volunteered to be the single federal point of contact for this incident.

Required Actions

Affected agencies that receive from Microsoft email metadata corresponding to known or suspected authentication compromises or become aware of specific details of such compromises shall take the following actions:

  1. Take immediate remediation action for tokens, passwords, API keys, or other authentication credentials known or suspected to be compromised.
  2. For any known or suspected authentication compromises identified through action 1, by April 30, 2024:
    1. Reset credentials in associated applications and deactivate associated applications that are no longer of use to the agency.
    2. Review sign-in, token issuance, and other account activity logs for users and services whose credentials were suspected or observed as compromised for potential malicious activity.
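As an added illustration of action 2 (not CISA or Microsoft code), the script below triages constructed Entra ID-style sign-in records: it lists successful sign-ins by identities on a compromised-credential list after an assumed cutoff date, and surfaces the password-spray pattern the Background section mentions (one source IP failing against many distinct accounts). Field names follow the Entra ID sign-in log schema; the records, the cutoff and the spray threshold are assumptions.

```python
"""Triage of constructed sign-in records for ED 24-02 action 2 (added example, not CISA code)."""
from collections import defaultdict
from datetime import datetime, timezone

# Entra ID status codes: 0 = success, 50126 = invalid username or password.
SUCCESS = 0
INVALID_PASSWORD = 50126
SPRAY_THRESHOLD = 5  # distinct accounts failing from one source IP (assumed tuning value)

# Constructed sample records: one success by a compromised service account after the
# cutoff, one earlier success, and six failures from a single IP against six accounts.
SAMPLE_RECORDS = [
    {"createdDateTime": "2024-02-12T03:14:07Z", "userPrincipalName": "svc-backup@agency.example",
     "ipAddress": "203.0.113.7", "status": {"errorCode": SUCCESS}},
    {"createdDateTime": "2023-12-20T09:00:00Z", "userPrincipalName": "svc-backup@agency.example",
     "ipAddress": "192.0.2.5", "status": {"errorCode": SUCCESS}},
] + [
    {"createdDateTime": f"2024-02-12T03:2{i}:00Z", "userPrincipalName": f"user{i}@agency.example",
     "ipAddress": "198.51.100.20", "status": {"errorCode": INVALID_PASSWORD}}
    for i in range(6)
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in sign-in records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_compromised_signins(records, compromised, since):
    """Return (time, account, ip) for successful sign-ins by compromised identities at or after `since`."""
    hits = []
    for r in records:
        if (r["userPrincipalName"].lower() in compromised
                and r["status"]["errorCode"] == SUCCESS
                and parse_ts(r["createdDateTime"]) >= since):
            hits.append((r["createdDateTime"], r["userPrincipalName"], r["ipAddress"]))
    return hits


def detect_password_spray(records, threshold=SPRAY_THRESHOLD):
    """Map source IP -> sorted accounts with failed sign-ins, for IPs reaching `threshold` accounts."""
    failures = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] != SUCCESS:
            failures[r["ipAddress"]].add(r["userPrincipalName"].lower())
    return {ip: sorted(users) for ip, users in failures.items() if len(users) >= threshold}


if __name__ == "__main__":
    compromised = {"svc-backup@agency.example"}  # constructed compromised-credential list
    print(flag_compromised_signins(SAMPLE_RECORDS, compromised, parse_ts("2024-01-01T00:00:00Z")))
    print(detect_password_spray(SAMPLE_RECORDS))
```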

All affected agencies shall take the following actions:

  1. Take steps to identify the full content of the agency correspondence with compromised Microsoft accounts and perform a cybersecurity impact analysis, pursuant to details identified in the Annex to this Directive. This action shall be completed by April 30, 2024.
  2. For known or suspected authentication compromises identified through agency analysis, provide notification to CISA and follow steps 1 and 2. CISA will work with agencies on an updated timeline for completing these required actions.

Reporting

Agencies shall report status to CISA across all required actions by 11:59 PM April 8, 2024, provide a status update to CISA by 11:59 PM May 1, 2024, and, as applicable, provide weekly updates on remediation actions for authentication compromises until completion. CISA will provide agencies with a reporting template and reporting instructions.

CISA Actions

  1. CISA will provide agencies with instructions for accessing the content of agency emails and analyzing the content of the email.
  2. CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.
  3. CISA will provide technical assistance to agencies that are without internal capabilities sufficient to comply with this Directive.
  4. By September 1, 2024, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget identifying cross-agency status and outstanding issues. CISA will also provide a copy of the report to the National Cyber Director.

Duration

This Emergency Directive remains in effect until CISA determines that agencies have performed all required actions from this Directive, or the Directive is terminated through other appropriate action.

Additional Information

Visit https://www.cisa.gov/news-events/directives or contact the following for:

  • General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov
  • Reporting indications of compromise – central@cisa.dhs.gov
