Microsoft on Friday announced that it was a victim of a nation-state attack carried out by a Russian hacker group wherein its corporate email system was targeted.
In a blog post, Microsoft said that Russian hackers gained access to a “small percentage” of employee email accounts, including those of several senior executives as well as employees in the company’s cybersecurity, legal, and other functions. It added that some emails and attached documents were stolen.
The company further said that the hacker group used a password spray attack to compromise a legacy non-production test tenant account, thereby successfully gaining access to a number of corporate email accounts.
As soon as the activity was detected, Microsoft activated its response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. The company is also in the process of notifying employees whose email was accessed.
In a regulatory filing Friday with the U.S. Securities and Exchange Commission, Microsoft said it was able to remove the threat actor’s access to the email accounts on or about January 13, 2024.
“We are examining the information accessed to determine the impact of the incident. We also continue to investigate the extent of the incident. We have notified and are working with law enforcement. We are also notifying relevant regulatory authorities with respect to unauthorized access to personal information. As of the date of this filing, the incident has not had a material impact on the Company’s operations,” it wrote in its regulatory filing.
According to Microsoft, the attack was not the result of a vulnerability in Microsoft products or services. It added that the company has, so far, no evidence that the threat actor had any access to customer environments, production systems, source code, or AI (artificial intelligence) systems.
However, it added that it is taking immediate steps to apply its current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.