Microsoft Sues Cybercriminals Over Azure OpenAI Breach
Cybercrooks compromised one of Microsoft's generative AI services to create harmful and insulting content and bypassed safety measures on the service.
Subsequently, in December 2024, Microsoft filed a complaint in the US District Court for the Eastern District of Virginia against ten unknown individuals in the United States.
The complaint is that a foreign-based cybercrime group stole customer credentials to access the service for Azure OpenAI from some application, without permission.
Azure OpenAI lets businesses use its tools, such as ChatGPT and DALL-E in any cloud application. The company, in a way, exploits the service to make GitHub Copilot, an AI-based coding assistant that helps developers by suggesting lines of code.
Microsoft claims that the cybercrooks accessed the credentials of Azure OpenAI accounts by scraping public websites.
They targeted accounts using generative AI services, manipulated those services to create harmful and illicit content, and resold access to the modified tools along with instructions for others to use them to create offensive material.
According to a January 10 blog post by Microsoft, the criminals did this.
Although the nature of the harmful content is not clear, Microsoft confirmed that it violated the company's policies.
The lawsuit claims that the defendants intentionally accessed protected Azure OpenAI accounts without authorization, causing significant damage and loss.
According to the complaint, the defendants allegedly violated several U.S. laws, including the Computer Fraud and Abuse Act, Digital Millennium Copyright Act, and federal racketeering laws.
Microsoft is seeking an injunction as well as an action for compensatory damages.
Apart from the lawsuit, Microsoft said that the court had granted it permission to seize a website critical to the criminal operation.
It will now enable Microsoft to gather evidence, understand how these services were monetized, and dismantle the technical infrastructure that supported the illicit activities.
As a response to the breach, Microsoft strengthened security measures around Azure OpenAI in order to avoid future similar incidents.