Update Oct 29: 230 thousand records of Microsoft employees are for sale
As of today, we have not received any official information from Microsoft. We decided to investigate the claims that the information for sale is public in character, using the methods available to us.
We still see the same contradiction between the number of employees registered on LinkedIn and Microsoft's official headcount: almost 20k people are missing from LinkedIn.
Their contact details are most likely shared only during private meetings or business events, through business cards or by mutually initiated email communication.
We also received a few answers to our questions from the seller.
We asked him the following:
- What is the role of the identifier, and does he know of any advantage in having it?
- Is the dataset scraped from a single website or from multiple websites?
It is good for Microsoft to know that, for the time being, the seller has no idea what the identifiers are used for.
[Image: screenshot of correspondence with the seller]
On the other hand, it appears to be a pure insider leak, which means more valuable data could leak, or may already have leaked, from the company and be waiting for its moment to appear online.
After initial contact with Microsoft Support, we were directed to another department dealing with privacy and support issues.
We contacted that department immediately but have still not received any official statement from it.
Meanwhile, we received the information provided to us on background:
We are already aware of this online post and through our investigation we’ve determined that some of the data is not credible. Most of the data contains information that could be found publicly.
While it remains unclear which part of the data is not credible, and since the sample data we received was thoroughly checked and found valid, we can only assume that it would be impossible to collect all of this data by crawling public web pages.
We have contacted the seller and received additional information about his lot and a price proposal, as well as a file sample with another 1000 records. The source of the data for sale remains undisclosed.
Looking closely at the provided data, we can identify persons of interest, and especially their positions and attribution within the company.
There are at least 68 entries directly related to security positions, a few of them quite senior, as follows:
- "Director- Cybersecurity Policy","6","Cybersecurity policy Korea"
- "Director- Security Technology","6","CPP China"
- "Dir- Federal GOV Compliance","5","DTS National Security"
- "VP- Security Policy","4","LENS Policy & Strategy"
According to the seller's messages, the price depends on which of the offered options the buyer chooses.
Even though the price seems lower than we expected, the provided data is relevant and consolidated within one file.
It can be used in many potential attack scenarios, including but not limited to:
- Social engineering attacks. Whether it is a spam campaign or focused spear-phishing, imagine the success rate when reaching 230 thousand emails within the same company.
- Azure account attacks. Knocking on Azure targets can be very successful, especially if an actor has enough potential targets for enumeration, as is the case here.
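The Azure scenario above is the one a defender can watch for directly: a list of many valid addresses is typically tried a few times each rather than one account being hammered. The following is an added example, not part of the original post, with constructed sign-in events and a hypothetical threshold (5 distinct accounts failing from one source within 10 minutes):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sign-in events (not real logs): timestamp, source IP, user, result.
SAMPLE_SIGNINS = [
    ("2021-10-20T09:00:01", "203.0.113.7", "a.user@example.com", "failure"),
    ("2021-10-20T09:00:03", "203.0.113.7", "b.user@example.com", "failure"),
    ("2021-10-20T09:00:05", "203.0.113.7", "c.user@example.com", "failure"),
    ("2021-10-20T09:00:07", "203.0.113.7", "d.user@example.com", "failure"),
    ("2021-10-20T09:00:09", "203.0.113.7", "e.user@example.com", "failure"),
    ("2021-10-20T09:00:11", "203.0.113.7", "f.user@example.com", "success"),
    ("2021-10-20T09:05:00", "198.51.100.4", "a.user@example.com", "failure"),
    ("2021-10-20T09:05:30", "198.51.100.4", "a.user@example.com", "failure"),
    ("2021-10-20T09:06:00", "198.51.100.4", "a.user@example.com", "success"),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: sorted distinct users} for source IPs whose failures hit at
    least `min_users` different accounts inside a sliding time window.
    Many accounts with few attempts each is the spray signature; one account
    failing repeatedly (198.51.100.4 above) is a different case and not flagged."""
    failures = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "failure":
            failures[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def compromised_after_spray(events, flagged):
    """Accounts that signed in successfully from a flagged source: the first
    thing a responder needs, since those sessions should be revoked and reviewed."""
    return sorted({u for _, ip, u, r in events if ip in flagged and r == "success"})
```

On the sample, only 203.0.113.7 is flagged, and f.user@example.com is the account that then succeeded from it.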
An anonymous person published a message offering 230 thousand data lines of Microsoft employees for sale on one of the popular Russian-language forums.
We have translated the original forum thread with Google Translate here:
There are four interesting attributes here, which give us a first picture of the actor:
1. The title seems to have been machine-translated, which seems to be a trend among non-Russian-speaking actors looking for new markets.
I honestly tried to identify the source language by matching it in Google Translate, but Google didn't behave as expected with the words, so it could be any non-English text translated into Russian.
2. The same applies to the information about the leak provided in the body of the forum message. But here we can clearly see what we can expect to receive:
- External identifier
- E-mail address
- Reporting line level
The full text of the message is translated here:
" Identifier "," External identifier "," Name "," E-mail address "," Position "," Subordination level "," Department "
If anyone is interested, you can also write to me, let's discuss.
Serious Buyers Only
3. The seller did not name a specific price for his catch, only indicating that he would discuss the price with a potential buyer in a private conversation.
Since this is against the forum rules, the seller received a ban warning for posting a sale without a price.
4. It looks like the actor was already familiar with the forum and had even passed the 50-post threshold since registering on Feb 19, 2021.
The sale was supposed to be more successful than it is
After publication on October 16, the seller updated the forum thread with a screenshot sample to back up his claims. He last updated the thread with another post on October 19, noting that the sale was still waiting for a buyer.
We checked some names for authenticity through LinkedIn; some emails from the sample were also valid.
We decided to analyze the number of full-time employees of Microsoft Corporation to confirm or cast doubt on the authenticity of the data published by the actor.
Image source – statista.com
Microsoft Corporation is a major international technology company, with around 103,000 full-time employees in the United States in fiscal year 2021. Another 78,000 of Microsoft's full-time employees are located outside the company's home market bringing the total number of full-time employees worldwide to around 181,000.
The hacker also did not indicate which period the compromised information belongs to, so it may well be that employees from different years are stored in the leaked database. Some of them may have changed their line of business and no longer have a relationship with Microsoft.
The hacker claims to have information about 230,000 Microsoft employees, which does not fit the official statistics for 2021 but could still be valid if all previously employed personnel were counted.
Even though the data sample presented does not reveal that much, some internal identifiers and official email addresses aggregated in one document can be used to support planned social engineering campaigns.
We are looking for official comments from Microsoft and will update the publication accordingly.
Disclaimer: The main goal of our team is to protect user data and respond on time to possible threats to prevent negative consequences. We do not in any way imply any wrongdoing on the part of Microsoft Corporation or its partners or affiliates. We are only focusing the readers' attention on our findings to increase the awareness and safety of users on the Internet.
Cooltechzone leaks team