{
	"id": "b3ddf760-697b-4fc1-a47b-1607a0339724",
	"created_at": "2026-04-06T00:10:59.894445Z",
	"updated_at": "2026-04-10T13:12:48.827007Z",
	"deleted_at": null,
	"sha1_hash": "713f20e194e57090652e4857c919e76aa258d39d",
	"title": "Microsoft confirms they were hacked by Lapsus$ extortion group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1116672,
	"plain_text": "Microsoft confirms they were hacked by Lapsus$ extortion group\r\nBy Lawrence Abrams\r\nPublished: 2022-03-23 · Archived: 2026-04-05 23:01:31 UTC\r\nMicrosoft has confirmed that one of their employees was compromised by the Lapsus$ hacking group, allowing the threat actors to access and steal portions of their source code.\r\nLast night, the Lapsus$ gang released 37GB of source code stolen from Microsoft's Azure DevOps server. The source code is for various internal Microsoft projects, including Bing, Cortana, and Bing Maps.\r\nLeaked source code projects\r\nIn a new blog post published tonight, Microsoft has confirmed that one of their employees' accounts was compromised by Lapsus$, providing limited access to source code repositories.\r\nhttps://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/\r\nPage 1 of 4\r\n\"No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,\" explained Microsoft in an advisory about the Lapsus$ threat actors.\r\n\"Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog.\"\r\n\"Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.\"\r\nWhile Microsoft has not shared how the account was compromised, they provided a general overview of the Lapsus$ gang's tactics, techniques, and procedures (TTPs) observed across multiple attacks.\r\nFocusing on compromised credentials\r\nMicrosoft is tracking the Lapsus$ data extortion group as 'DEV-0537' and says they primarily focus on obtaining compromised credentials for initial access to corporate networks.\r\nThese credentials are obtained using the following methods:\r\nDeploying the malicious Redline password stealer to obtain passwords and session tokens\r\nPurchasing credentials and session tokens on criminal underground forums\r\nPaying employees at targeted organizations (or suppliers/business partners) for access to credentials and multi-factor authentication (MFA) approval\r\nSearching public code repositories for exposed credentials\r\nRedline password stealer has become the malware of choice for stealing credentials and is commonly distributed through phishing emails, watering holes, warez sites, and YouTube videos.\r\nOnce Lapsus$ gains access to compromised credentials, they use them to log in to a company's public-facing devices and systems, including VPNs, virtual desktop infrastructure, or identity management services, such as Okta, which they breached in January.\r\nMicrosoft says they use session replay attacks against accounts that use MFA, or continuously trigger MFA notifications until the user becomes tired of them and approves the login.\r\nMicrosoft says that in at least one attack, Lapsus$ performed a SIM swap attack to gain control of the user's phone number and SMS texts, giving them access to the MFA codes needed to log in to an account.\r\nOnce they gain access to a network, the threat actors use AD Explorer to find accounts with higher privileges and then target development and collaboration platforms, such as SharePoint, Confluence, JIRA, Slack, and Microsoft Teams, where other credentials are stolen.\r\nThe hacking group also uses these credentials to gain access to source code repositories on GitLab, GitHub, and Azure DevOps, as we saw with the attack on Microsoft.\r\n\"DEV-0537 is also known to exploit vulnerabilities in Confluence, JIRA, and GitLab for privilege escalation,\" Microsoft explains in their report.\r\n\"The group compromised the servers running these applications to get the credentials of a privileged account or run in the context of the said account and dump credentials from there.\"\r\nThe threat actors will then harvest valuable data and exfiltrate it over NordVPN connections to hide their locations while performing destructive attacks on the victims' infrastructure to trigger incident response procedures.\r\nThe threat actors then monitor these procedures through the victim's Slack or Microsoft Teams channels.\r\nProtecting against Lapsus$\r\nMicrosoft recommends that corporate entities perform the following steps to protect against threat actors like Lapsus$:\r\nStrengthen MFA implementation\r\nRequire healthy and trusted endpoints\r\nLeverage modern authentication options for VPNs\r\nStrengthen and monitor your cloud security posture\r\nImprove awareness of social engineering attacks\r\nEstablish operational security processes in response to DEV-0537 intrusions\r\nLapsus$ has recently conducted numerous attacks against the enterprise, including those against NVIDIA, Samsung, Vodafone, Ubisoft, Mercado Libre, and now Microsoft.\r\nTherefore, it is strongly advised that security and network admins become familiar with the tactics used by this group by reading Microsoft's report.\r\nSource: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/"
	],
	"report_names": [
		"microsoft-confirms-they-were-hacked-by-lapsus-extortion-group"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434259,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/713f20e194e57090652e4857c919e76aa258d39d.pdf",
		"text": "https://archive.orkl.eu/713f20e194e57090652e4857c919e76aa258d39d.txt",
		"img": "https://archive.orkl.eu/713f20e194e57090652e4857c919e76aa258d39d.jpg"
	}
}