Microsoft sues cybercriminals abusing its AI services


Microsoft has filed a lawsuit with the Eastern District Court of Virginia against ten individuals it claims stole credentials and custom software, resulting in a breach of Microsoft systems running its Azure OpenAI services to generate content for “harmful purposes.”

Redmond didn’t share details on what content was generated and where it was used. However, it did state that the attack was discovered in July 2024, when the company found that API keys stolen from paying Azure OpenAI customers were being used to generate content in violation of its content policies. The method used for stealing the API keys also remains unknown.

Upon further investigation, it was revealed that attackers first compromised customer credentials and then used them to gain access to Microsoft servers and computers. The intruders then exploited “their unauthorized access to Microsoft’s software and computers to create harmful content in violation of Microsoft’s policies and through circumvention of Microsoft’s technical protective measures.”

Photo: Camilo Concha/Shutterstock.com

The company has since received authorisation to take down a website important to the intruders’ operations and any further infrastructure it discovers. It has also revoked the cybercriminals’ access to its systems and implemented new countermeasures to combat any future abuse of its offerings.

Not a lot of information has been shared about the accused either, but Microsoft’s Digital Crimes Unit (DCU) is pursuing action to “disrupt cybercriminals who intentionally develop tools specifically designed to bypass the safety guardrails of generative AI services, including Microsoft’s, to create offensive and harmful content.” It seems the intruders are running a hacking-as-a-service operation that steals API keys from legitimate customers and then either sells them on cybercrime forums or uses them to generate harmful AI content and exploit AI tools for malicious purposes without setting off alarms or leaving traces.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
