Microsoft Provides Details About Email Breach
Microsoft has released additional information about the breach that compromised executives’ emails. The intruders accessed the corporate email system through an old test account that had admin privileges but was not protected by multifactor authentication.
The lack of MFA was obvious, even if not originally admitted by Microsoft. So, repeating part of my comment from the original news item: In Microsoft's recent “Secure Future Initiative” announcement, Microsoft President Brad Smith promised that “…over the next year we will enable customers with more secure default settings for multifactor authentication (MFA) out-of-the-box.” Replacing passwords with strong authentication has been done by many (though in this case, apparently not Microsoft) but needs the major IT platforms to make it easier to do and harder NOT to do. Additional lesson learned here: as an absolute minimum, require *all* privileged accounts to use phishing-resistant authentication, which means *denying* elevated privileges to all accounts relying on reusable passwords. And, remember your own policy probably already requires MFA for *all* remote access.
First, this has several facets: password spraying as the initial compromise and persistence through OAuth applications. It's very nasty stuff for most students, I find. We discuss these attacks at length in the SEC588 class. The other component, the use of “residential proxy infrastructure,” was discussed a few years ago when Dr. Roberto Bamberger and I released a whitepaper at the Cloud Security Exchange for 2022. Get the whitepaper at the SANS website. So, what can you do? First, turn on MFA, and use a powerful MFA like a passkey or FIDO2 token. Use a CASB or other product type to look at OAuth applications; finally, don’t allow your employees or non-admins to add OAuth applications. This is a nasty, hard-to-find hack from a state actor. Many people say Microsoft can do better, but this isn’t a 100-person company. This is a 250,000-person company with an extensive infrastructure. If they could solve it, we could move on and do other things.
We have known for more than a decade, since the early DBIRs, the contribution of orphan systems to enterprise breaches and, for longer than that, the contribution of reusable credentials. Microsoft is not alone among major enterprises that tolerate these risks. Do not be among them.