CISA emergency directive tells agencies to fix credentials after Microsoft breach | CyberScoop<\/title> <meta name=\"description\" content=\"CyberScoop first reported on the existence of the directive, which calls the pilfered emails \u201ca grave and unacceptable risk to agencies.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA emergency directive tells agencies to fix credentials after Microsoft breach\"> <meta property=\"og:description\" content=\"CyberScoop first reported on the existence of the directive, which calls the pilfered emails \u201ca grave and unacceptable risk to agencies.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-04-11T17:36:38+00:00\"> <meta property=\"article:modified_time\" content=\"2024-04-11T18:07:36+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1278\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Tim Starks\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@timstarks\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1712700738g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1712258582g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1711866546g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/80104\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.5.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=80104\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-80104 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.722222222222\">\n<div class=\"single-article__header-content\" readability=\"31.037878787879\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> CyberScoop first reported on the existence of the directive, which calls the pilfered emails \u201ca grave and unacceptable risk to agencies.” <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach-2.jpg?resize=768,511 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach-2.jpg?resize=1024,682 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach-2.jpg?resize=1536,1022 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach-2.jpg?resize=600,399 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach-2.jpg?resize=1014,675 1014w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach-2.jpg?resize=1266,843 1266w\" sizes=\"(max-width: 1014px) 100vw, 1014px\"><figcaption> Cybersecurity and Infrastructure Security Agency Director Jen Easterly testified before a House Homeland Security Subcommittee, at the Rayburn House Office Building on April 28, 2022. (Photo by Kevin Dietsch\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"31.714665249734\"><body readability=\"65.836455545644\"><\/p>\n<p>The Cybersecurity and Infrastructure Security Agency published an emergency directive Thursday in response to a Russian intelligence-linked hacking campaign that breached Microsoft, telling affected federal civilian agencies whose emails were stolen or passwords accessed to reset authentication credentials.<\/p>\n<p><a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system\">CISA\u2019s directive<\/a> comes in the week after CyberScoop <a href=\"https:\/\/cyberscoop.com\/federal-government-russian-breach-microsoft\/\">first reported<\/a> its existence.<\/p>\n<p>\u201cMicrosoft and CISA have notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard,\u201d the directive reads, referring to Microsoft\u2019s name for the hacking group. \u201cIn addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies.<\/p>\n<p>\u201cMidnight Blizzard\u2019s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,\u201d it continues.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The directive, dated April 2, tells affected agencies to \u201ctake immediate remediation action\u201d on authentication credentials if those credentials are known or suspected to have been compromised. It gives them until April 30 to reset credentials for related applications, and by the same deadline orders them to identify affected email correspondence.<\/p>\n<p>The agencies also must report to CISA on their activities in response to the directive. The first deadline of April 8 has already passed; the next is May 1.<\/p>\n<p>Midnight Blizzard is alternately known as Cozy Bear and APT29. Among the highest-profile attacks that governments and cyber companies have attributed to the group was the attack on the firm SolarWinds that surfaced in 2020 \u2014 an attack that the federal government said impacted nine federal agencies.<\/p>\n<p>\u201cThe threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems,\u201d the directive states. \u201cAccording to Microsoft, Midnight Blizzard has increased the volume of some aspects of the intrusion campaign, such as password sprays, by as much as 10-fold in February, compared to an already large volume seen in January 2024.\u201d<\/p>\n<p>CISA has published one full <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\">emergency directive<\/a> in 2024 and added to it twice with supplemental material; all of those documents deal with <a href=\"https:\/\/cyberscoop.com\/cisa-ivanti-vulnerability-emergency-directive\/\">Ivanti product vulnerabilities<\/a>.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>While CISA\u2019s emergency directives and less-urgent binding operational directives apply only to federal agencies, the private sector <a href=\"https:\/\/www.washingtonpost.com\/politics\/2022\/12\/06\/bods-hot-or-not\/\">often watches them closely<\/a> to take cues on security steps that industry should also follow.<\/p>\n<p>\u201cThis Emergency Directive requires immediate action by agencies to reduce risk to our federal systems,\u201d CISA Director Jen Easterly said in a statement. \u201cFor several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list. We will continue efforts in collaboration with our federal government and private sector partners to protect and defend our systems from such threat activity.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"2.2225\">\n<div class=\"author-card\" readability=\"12\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach-1.jpg?w=640&ssl=1\" alt=\"Tim Starks\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Tim Starks<\/h4>\n<p> Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA emergency directive tells agencies to fix credentials after Microsoft<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1808,1209,1732,78,452,1861,117,722,625,1809,270,626],"tags":[1811,668,1734,86,454,1862,119,723,630,1812,276,631],"class_list":["post-3045","post","type-post","status-publish","format-standard","hentry","category-apt29","category-cisa","category-cozy-bear","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-emergency-directive","category-government","category-jen-easterly","category-microsoft","category-midnight-blizzard","category-russia","category-solarwinds","tag-apt29","tag-cisa","tag-cozy-bear","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-emergency-directive","tag-government","tag-jen-easterly","tag-microsoft","tag-midnight-blizzard","tag-russia","tag-solarwinds"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/apt29\/\" rel=\"category tag\">APT29<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cisa\/\" rel=\"category tag\">CISA<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cozy-bear\/\" rel=\"category tag\">Cozy Bear<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/emergency-directive\/\" rel=\"category tag\">emergency directive<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/jen-easterly\/\" rel=\"category tag\">Jen Easterly<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/midnight-blizzard\/\" rel=\"category tag\">Midnight Blizzard<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/solarwinds\/\" rel=\"category tag\">SolarWinds<\/a>","tag_info":"SolarWinds","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3045","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3045"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3045\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3045"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3045"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3045"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":3045,"date":"2024-04-11T12:36:38","date_gmt":"2024-04-11T17:36:38","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=80104"},"modified":"2024-04-11T12:36:38","modified_gmt":"2024-04-11T17:36:38","slug":"cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/04\/11\/cisa-emergency-directive-tells-agencies-to-fix-credentials-after-microsoft-breach\/","title":{"rendered":"CISA emergency directive tells agencies to fix credentials after Microsoft breach"},"content":{"rendered":"