{ "id": "6f492d72-bab0-4982-93a7-2da1bee66e8f", "created_at": "2026-04-06T01:31:28.91504Z", "updated_at": "2026-04-10T13:11:54.846136Z", "deleted_at": null, "sha1_hash": "53ba94b4737900389412bfc45515d0d273bc7da2", "title": "It’s official, Lapsus$ gang compromised a Microsoft employee’s account", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1192792, "plain_text": "It’s official, Lapsus$ gang compromised a Microsoft employee’s\r\naccount\r\nBy Pierluigi Paganini\r\nPublished: 2022-03-23 · Archived: 2026-04-06 01:07:54 UTC\r\nhttps://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html\r\nPage 1 of 6\n\nMicrosoft confirmed that Lapsus$ extortion group has hacked one of its employees\r\nto access and steal the source code of some projects.\r\nhttps://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html\r\nPage 2 of 6\n\nMicrosoft confirmed that Lapsus$ extortion group has hacked one of its employees to access and steal the source\r\ncode of some projects.\r\nYesterday the cybercrime gang leaked 37GB of source code stolen from Microsoft’s Azure DevOps server.\r\nOn Sunday, the Lapsus$ gang announced to have compromised Microsoft’s Azure DevOps server and shared a\r\nscreenshot of alleged internal source code repositories.\r\nThe gang claims to have leaked the source code for some Microsoft projects, including Bing and Cortana.\r\nOn March 22, 2022 night the group shared a torrent for a 7zip archive containing 9 GB of Microsoft source code.\r\nThe uncompressed archive contains 37GB of source code allegedly belonging to hundreds of Microsoft projects,\r\nincluding for Bing, Cortana, and Bing Maps.\r\nhttps://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html\r\nPage 3 of 6\n\nMicrosoft has now confirmed that the attackers have compromised the account of one of its employees gaining\r\nlimited access to source code repositories. The company pointed out that customer code or data was not\r\ncompromised as a result of unauthorized access.\r\n“This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of\r\nsource code. No customer code or data was involved in the observed activities. Our investigation has found a\r\nsingle account had been compromised, granting limited access. Our cybersecurity response teams quickly\r\nengaged to remediate the compromised account and prevent further activity.” reads the post published by\r\nMicrosoft. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not\r\nlead to elevation of risk.”\r\nhttps://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html\r\nPage 4 of 6\n\nMicrosoft team launched an investigation immediately after the Lapsus$ gang, tracked by the company as DEV-0537, claimed to have hacked the company.\r\nMicrosoft’s post detailed the Lapsus gang’s tactics, techniques, and procedures (TTPs), below are some of the\r\nmethods that they used to compromise user identities to gain initial access to an organization:\r\nDeploying the malicious Redline password stealer to obtain passwords and session tokens\r\nPurchasing credentials and session tokens from criminal underground forums\r\nPaying employees at targeted organizations (or suppliers/business partners) for access to credentials and\r\nMFA approval\r\nSearching public code repositories for exposed credentials\r\nThe threat actors used the compromised credentials and/or session tokens to access the target networks through\r\ninternet-facing systems and applications (i.e. virtual private network (VPN), remote desktop protocol (RDP),\r\nvirtual desktop infrastructure (VDI) including Citrix, or Identity providers (including Azure Active Directory,\r\nOkta)).\r\nThe gang also uses session replay attacks to compromise the accounts that are protected with MFA, in some cases,\r\nthey also continuously trigger MFA notifications until the user allowed them to log in. In at least one attack, the\r\ngroup also used a SIM swap attack to bypass 2FA.\r\n“Once DEV-0537 obtained access to the target network using the compromised account, they used multiple tactics\r\nto discover additional credentials or intrusion points to extend their access including:\r\nExploiting unpatched vulnerabilities on internally accessible servers including JIRA, Gitlab, and\r\nConfluence\r\nSearching code repositories and collaboration platforms for exposed credentials and secrets.\r\nThey have been consistently observed to use AD Explorer, a publicly available tool, to enumerate all users and\r\ngroups in the said network.” continues the analysis.\r\nLapsus$ gang set up a dedicated infrastructure in known virtual private server (VPS) providers and leverages\r\nNordVPN for data exfiltration using VPN egress points that were geographically like their targets to avoid\r\ndetection. Data stolen from the targeted organization were also used for future extortion or public release.\r\nMicrosoft provides the following recommendations to protect against threat actors:\r\nStrengthen MFA implementation\r\nRequire Healthy and Trusted Endpoints\r\nLeverage modern authentication options for VPNs\r\nStrengthen and monitor your cloud security posture\r\nImprove awareness of social engineering attacks\r\nEstablish operational security processes in response to DEV-0537 intrusions\r\nOver the last months, the Lapsus$ gang compromised other prominent companies such\r\nas NVIDIA, Samsung, Ubisoft, Mercado Libre, and Vodafone.\r\nhttps://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html\r\nPage 5 of 6\n\nOn Thursday, March 10, the group announced they’re starting to recruit insiders employed within major\r\ntechnology giants and ISPs, such companies include Microsoft, Apple, EA Games and IBM. Their scope of\r\ninterests includes – major telecommunications companies such as Claro, Telefonica and AT\u0026T.\r\nNotably, the actors are looking to buy remote VPN access and asking potential insiders to contact them privately\r\nvia Telegram, they then reward them by paying for the access granted.\r\nFollow me on Twitter: @securityaffairs and Facebook\r\n[adrotate banner=”9″] [adrotate banner=”12″]\r\nPierluigi Paganini\r\n(SecurityAffairs – hacking, Microsoft)\r\n[adrotate banner=”5″]\r\n[adrotate banner=”13″]\r\nSource: https://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html\r\nhttps://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html" ], "report_names": [ "lapsus-gang-compromised-microsoft-employees-account.html" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "be5097b2-a70f-490f-8c06-250773692fae", "created_at": "2022-10-27T08:27:13.22631Z", "updated_at": "2026-04-10T02:00:05.311385Z", "deleted_at": null, "main_name": "LAPSUS$", "aliases": [ "LAPSUS$", "DEV-0537", "Strawberry Tempest" ], "source_name": "MITRE:LAPSUS$", "tools": [ "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "d4b9608d-af69-43bc-a08a-38167ac6306a", "created_at": "2023-01-06T13:46:39.335061Z", "updated_at": "2026-04-10T02:00:03.291149Z", "deleted_at": null, "main_name": "LAPSUS", "aliases": [ "Lapsus", "LAPSUS$", "DEV-0537", "SLIPPY SPIDER", "Strawberry Tempest", "UNC3661" ], "source_name": "MISPGALAXY:LAPSUS", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2347282d-6b88-4fbe-b816-16b156c285ac", "created_at": "2024-06-19T02:03:08.099397Z", "updated_at": "2026-04-10T02:00:03.663831Z", "deleted_at": null, "main_name": "GOLD RAINFOREST", "aliases": [ "Lapsus$", "Slippy Spider ", "Strawberry Tempest " ], "source_name": "Secureworks:GOLD RAINFOREST", "tools": [ "Mimikatz" ], "source_id": "Secureworks", "reports": null }, { "id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b", "created_at": "2022-10-25T16:07:24.503878Z", "updated_at": "2026-04-10T02:00:05.014316Z", "deleted_at": null, "main_name": "Lapsus$", "aliases": [ "DEV-0537", "G1004", "Slippy Spider", "Strawberry Tempest" ], "source_name": "ETDA:Lapsus$", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439088, "ts_updated_at": 1775826714, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/53ba94b4737900389412bfc45515d0d273bc7da2.pdf", "text": "https://archive.orkl.eu/53ba94b4737900389412bfc45515d0d273bc7da2.txt", "img": "https://archive.orkl.eu/53ba94b4737900389412bfc45515d0d273bc7da2.jpg" } }