Contrary to previous reports that indicated hackers had extensive access inside the company for as long as three months, the period was more likely shorter than four to five weeks, sources familiar with the matter said.
The hackers apparently spent much of their time probing one computer but did access other PCs on Microsoft's internal network, the sources said.
Microsoft offered little comment on the news because of an ongoing criminal investigation the FBI is conducting. But CEO Steve Ballmer on Friday said the hackers who broke into the company's computer systems had gained access to some of its source code, but had not changed it. Earlier in the day he had described the attack as "not very damaging."
FBI spokeswoman Debbie Weierman said the agency is investigating the attack but would give no further details. The FBI apparently would like to limit how much the hacker or hackers learn about what Microsoft and law enforcement know about the security breach.
Microsoft evidently got wind of the break-in soon after the hacker ventured beyond the one compromised computer and started probing for passwords that would open access to other systems on the company's network, according to sources.
The investigation is focusing on a Trojan horse program that may have come in through Microsoft's email system or another means, such as a laptop taken home or on the road, sources said.
"My suspicion is it came in through Web-based mail or an employee who had a laptop connected to DSL or cable and downloaded this attachment or other means and got on the network when they hooked up," said Gartner security analyst John Pescatore.
Microsoft spokesman Mark Murray would not comment on the Trojan horse theory, nor on reports identifying the program as Qaz.
"Because of the ongoing investigation, there is really nothing I can say about that," he said.
Symantec's Antivirus Research Center reports that Qaz first appeared in China about four months ago.
Qaz, a variation of Kakworm, is typically delivered as an email attachment launched when the message is opened. Like other Trojan horse programs, it then sends information back to a hacker, attempting to cover its trail in the process.
Murray emphasized that Microsoft "takes security issues very seriously. We (believe in) very hard-core security for our customers and our internal operations."
The investigation is also focusing on how the attack was executed to determine whether an amateur hacker was at work or if this was an international attempt to steal trade secrets or software source code from Microsoft.
The attack tentatively has been traced back to St. Petersburg, Russia, sources said, fueling speculation the break-in was an act of industrial espionage.
Security experts were not surprised, given the confined space of the attack, that it would take Microsoft so long to detect the intrusion.
"It's not unusual for large companies to be hacked and not detect it right away," Pescatore said.
One issue is how well "these programs can hide themselves when they begin transmitting data out to the Internet in such a way so it's hard to distinguish from their traffic and the normal traffic of the corporation," said Richard Smith, chief technology officer for The Privacy Foundation.
Given Microsoft's size and the amount of Internet traffic it handles, "it would be hard to distinguish whether (traffic) is talking to a legitimate Web server in St. Petersburg, Russia, or a hacker," he said.