Chinese hackers spent 18 months inside Microsoft 365 before anyone noticed

Susan Hill

For roughly a year and a half, a group of state-linked Chinese hackers read corporate email, opened internal files, and moved through company networks while looking, to every monitoring tool watching, like ordinary employees signing in to work. The intrusion, detailed by the security firm Volexity, did not crack Microsoft 365. It impersonated the people who already had the keys.

That distinction is the whole story, and it is why the breach matters to anyone whose job lives inside a cloud account. Microsoft 365 is where most companies now keep their mail, their documents, and the single sign-on identity that unlocks everything else. The attackers never had to defeat that system. They borrowed a valid login and arrived through the front door, and the defenses designed to ask “is this really you?” decided that it was.

The group is tracked as UNC5221, also known as VerdantBamboo, a China-nexus operation that researchers have followed for years as it targets the network devices sitting at the edge of corporate systems. Its recent campaign hit legal-services firms, software companies, business-process outsourcers, and technology vendors. These are not random targets. They are organizations that hold other organizations’ secrets, from client files to source code to the keys that reach downstream customers.

The toolkit explains how the access stayed invisible for so long. The centerpiece is a backdoor called Brickstorm, first written in the Go programming language and later rebuilt in Rust, planted on network appliances that rarely run security software and almost never get inspected. In one case the attackers slipped in through an Egnyte file-sync system reachable over the company’s VPN. From that quiet foothold, Brickstorm’s built-in proxying let them route their activity through the victim’s own network, so that when they reached Microsoft 365 with stolen credentials, the connection arrived from one of the company’s own address ranges and looked local and legitimate. Volexity assessed with high confidence that this was deliberate, a way to blend into normal traffic and slip past the conditional-access rules that treat those ranges as trusted locations and would otherwise have challenged or blocked a sign-in from an unfamiliar place. Two more pieces kept the door open: a .NET backdoor the researchers named Plenet, which gave the operators an interactive shell and file control, and a Python reverse shell called AgentPSD held in reserve as a fallback. The redundancy was the point. This was built to survive discovery, not to avoid it forever.
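The proxying trick works because a location-based conditional-access rule asks only one question, whether the source address is inside the company, and a backdoored appliance answers it truthfully. The checks that still discriminate are the ones an appliance cannot fake: which internal segment the address belongs to (no human signs in from the VPN gateway’s management subnet), whether the session carries a registered or compliant device rather than a bare password, and whether one internal address is suddenly fronting several different accounts. The script below is an added example, not code from Volexity or from the report; the network inventory, the sign-in field names (modelled loosely on Entra ID sign-in logs) and the sample records are all constructed for illustration.

```python
"""Flag Microsoft 365 sign-ins that look 'local' only because they were proxied
through a compromised network appliance.

Constructed example. The segment inventory, field names and records below are
assumptions for illustration, not data from the report.
"""
import ipaddress
from collections import defaultdict

# Hypothetical victim network inventory (assumption). The appliance segment is
# where a VPN gateway, file-sync box or firewall management interface would sit.
NETWORK_SEGMENTS = {
    "user_vlan": ipaddress.ip_network("10.10.0.0/16"),
    "vpn_pool": ipaddress.ip_network("10.200.0.0/22"),
    "appliance_dmz": ipaddress.ip_network("10.254.0.0/24"),
}
# Public egress a 'trusted named location' rule in Conditional Access already allows.
TRUSTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample sign-ins (not real data). 10.254.0.17 plays the role of a
# backdoored appliance that two unrelated accounts are suddenly signing in from.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "10.10.4.21", "device_id": "dev-alice-01",
     "compliant": True, "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/120"},
    {"user": "bob@example.com", "ip": "203.0.113.5", "device_id": "dev-bob-01",
     "compliant": True, "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/120"},
    {"user": "alice@example.com", "ip": "10.254.0.17", "device_id": None,
     "compliant": False, "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115"},
    {"user": "bob@example.com", "ip": "10.254.0.17", "device_id": None,
     "compliant": False, "user_agent": "python-requests/2.31"},
]


def classify_ip(ip_str):
    """Map a source address to an inventory segment, trusted egress, or 'external'."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in NETWORK_SEGMENTS.items():
        if ip in net:
            return name
    if any(ip in net for net in TRUSTED_EGRESS):
        return "trusted_egress"
    return "external"


def analyze_signins(signins, shared_ip_threshold=2):
    """Return one finding per suspicious sign-in with the reasons it tripped.

    None of the three checks depends on the address being 'inside the company':
      1. the address sits in the appliance segment, where no person signs in from;
      2. an internal address but no registered device, so only the password was checked;
      3. one internal address fronting several distinct accounts, the signature of
         everyone's traffic being tunnelled through a single box.
    """
    users_per_ip = defaultdict(set)
    for s in signins:
        users_per_ip[s["ip"]].add(s["user"])

    findings = []
    for s in signins:
        reasons = []
        segment = classify_ip(s["ip"])
        if segment == "appliance_dmz":
            reasons.append("source_in_appliance_segment")
        if segment != "external" and not s.get("device_id"):
            reasons.append("no_registered_device")
        if segment in NETWORK_SEGMENTS and len(users_per_ip[s["ip"]]) >= shared_ip_threshold:
            reasons.append("internal_ip_shared_by_multiple_users")
        if reasons:
            findings.append({"user": s["user"], "ip": s["ip"],
                             "segment": segment, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_signins(SAMPLE_SIGNINS):
        print(f"{f['user']:<20} {f['ip']:<14} {f['segment']:<14} {', '.join(f['reasons'])}")
```

Run against the sample, only the two sign-ins from the appliance address are flagged, each for all three reasons, while the genuine office and trusted-egress sessions pass. The policy-side caveat is the mirror image: a conditional-access rule that exempts trusted locations from MFA or device checks is exactly the setting this campaign exploited; requiring a compliant or registered device regardless of source location removes most of what the proxying buys an attacker.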

The appliances at the center of the breach are the uncomfortable part. The VPN gateways, file-sync boxes, and firewalls that companies trust to guard the perimeter are the same machines that cannot run the detection software watching everything else. They ship as sealed units, get patched late, and sit unmonitored for years. UNC5221 did not pick them by accident. They are the one place in a modern network where a backdoor can live in the open.

The harder detail is the math on time. Detection came around eighteen months after the intruders first got in. Across this style of campaign, investigators have measured an average dwell time of well over a year, long enough in many cases that the logs recording the original break-in had already been deleted under routine retention policies before anyone knew to look. The attackers did not just hide. They outlasted the evidence.

The reach extended beyond the first victim. In at least one case the group compromised a managed-services provider, the outside IT company that runs technology for dozens of smaller clients, and planted a version of Brickstorm on its firewall. A single break-in there becomes a master key to every customer behind it. That is the part of the story that travels past the United States, where most of the named targets sit. Any company that outsources its IT, which is to say most companies, inherits the security of a provider it cannot see inside.

None of this is a flaw in Microsoft 365 that a patch will close. The entry points were third-party appliances and stolen credentials, and the cloud behaved exactly as designed once a trusted login arrived. That is the hard problem the disclosure leaves open. Organizations without endpoint-detection software on their servers and appliances had almost no chance of seeing the activity, and even those that had it faced a campaign engineered to look like business as usual. Because this was espionage rather than ransomware, there was no locked screen or extortion note to force the issue, only data quietly leaving for as long as the operators chose to keep watching.

The break-ins came to light around March 2025, and the warnings have multiplied since. Between August 2025 and January 2026 the FBI, the NSA, and the US cybersecurity agency CISA issued a run of advisories on Chinese state-sponsored intrusions, and CISA has separately flagged Brickstorm targeting VMware servers. The practical guidance from investigators is narrow and unglamorous. Keep logs longer than the attackers can hide, and put detection on the quiet devices at the edge of the network, the ones, it turns out, where the ghosts prefer to live.
