The International Monetary Fund (IMF), the biggest lender to governments in the world, reported that 11 of its email accounts were hacked in February 2024. The hack adds to a growing list of large organizations that have seen their Microsoft email accounts compromised in the last year.
The IMF said it brought in cybersecurity experts to conduct remediation efforts and re-secure the accounts, but it did not disclose the nature of the compromised accounts or the impact of the breach on its operations.
“The IMF takes prevention of, and defense against, cyber incidents very seriously and, like all organizations, operates under the assumption that cyber incidents will unfortunately occur. The IMF has a robust cybersecurity program in place to respond quickly and effectively to such incidents,” the organization said in a press release.
The IMF added, “We have no indication of further compromise beyond these email accounts at this point in time. The investigation into this incident is continuing.”
The IMF is a cornerstone of the global financial system with 189 countries as members. It has loaned nearly $1 trillion to mostly developing countries that have faced financial crises since the Fund was established in 1944.
IMF officials confirmed to the BleepingComputer cybersecurity website that the organization uses Microsoft 365 cloud-based software for its email accounts. The email breach at the IMF follows a similar breach at Hewlett Packard Enterprise, revealed in January, in which the state-sponsored Russian hacking group Midnight Blizzard gained access to some HPE email accounts on Microsoft 365 and used them to steal corporate information.
Security vulnerabilities at Microsoft extend well beyond its corporate customers using cloud-based Microsoft 365. The same Midnight Blizzard group hacked Microsoft itself in January through its own on-premises Exchange Online system, gaining access to corporate emails.
This follows a 2023 breach in which Chinese threat actors hacked the email accounts of 25 organizations using Microsoft Exchange Online and stole corporate data using the accounts.