back to article White-listing Azure cloud connections to grease your Office 365 wheels? About that...

Microsoft has been accused of ignoring an IT security risk that could be exploited to create legit-looking malware-laden webpages that sport seemingly trusted Azure and Office 365 domain names. Alternatively, the domains potentially could be used to stealthily leak stolen data from networks. It's not a world-shattering threat …

  1. Hans 1
    Windows

    Do the official Office 321 and Azure sites not already leak information to Microsoft on your every move, safely stored along with your Microsoft account (user-identifiable for GDPR non-compliance) ?

    BTW: I finally managed to install 1809, apparently, it did not like Developer mode. To get an error that made sense, I had to download SetupDiag.exe... just sayin'

  2. Anonymous Coward
    Anonymous Coward

    If you're not already blocking *.windows.net ...

    In your business systems you're not paying attention to the links in phishing emails. That turd got flushed years ago yet we still see them every couple of weeks. No one has ever complained.

  3. GnuTzu
    Mushroom

    When Marketing Determines Security Policy

    Beware, they've got some kind of secret strategy to get buyers to sign up for their crap--without security reviews, feasibility studies, or risk assessment. And, it seriously sucks when that happens because then you're forced to implement things that you know are just plain wrong.

  4. Anonymous Coward
    Anonymous Coward

    Already exploited

    A few months ago someone tried a day zero spearfishing attack against our systems.

    They hacked a trusted third party contractor that used azure and office365. Generated a new subdomain in their name under azure und hosted malware.

    Then they used the office365 contact list to send some of our users genuine looking emails with links to the new nasties (in most cases replys to requests).

    They breached two defense layers and one internal user clicked. The other defense layers did prevent any access to the nasties. An no, we do not trust office365 or azure domains more than we can throw them.

    MS enterprise shills are constantly trying to move us off premise. The last presentation had our data protection officer and our legal compliance office leaving the room laughing like the BOFH after the second ambulance.

    Lessening the defense for MS clouds? If you do it, then rember: Down, not across when you try to end the misery.

    Anon, because

    1. sgrier23

      Re: Already exploited

      Hi

      We have had many problems with Office365 and its attempt to send emails through our MX redirect to our Mail Filtering System, from emails not arriving at all or arriving very late. Our security company is adamant its not them - They answer my calls quickly, and they come to our office to check our systems. But, speaking to an MS Operative is like talking to a brick - "Why are you doing this?" is a common question I get asked.

      "Because I like my life to be difficult" I think to myself, but I answer, "Because we need this MX record redirect because we have been hit a few times with bad emails and this system works well for us, so can you redirect the emails to our MS redirect?"

      "Eh, I'll need to pass it up..."

      Okay, if I was by myself and make the decisions I would dump Office365 and return to on-premises email system, but I am not and I don't

      Hopefully, one day, MS will actually think that they are not the only IT business out there, and everything which is not MS security is "BAD".

      But, I doubt that will happen anytime soon.

    2. Anonymous Coward
      Anonymous Coward

      Re: Already exploited

      At least you had a data protection officer that saw the bullshit. Our last one would of fallen for all the sales shit. Like they did with GSuite and a certain reseller called CloudSolutions. Who pimped the idea of "Sending a Google bus. All your staff can get more information on the service & Google". The DPO thought it was going to be a great advert for Google to motivate the staff etc. It turned out to be a CloudSolutions bus, with a small print of Google printed on it. They just basically wanted to advertise themselves, not Google :) in the hope other companies in the area would visit and sign up.

      Was very funny. Especially when no staff member wanted to set foot on the bus so was eventually forced on the bus.

  5. Doctor Syntax Silver badge

    Repeat after me - it's not a cloud it's somebody else's computer.

  6. Anonymous Coward
    Anonymous Coward

    Security based on IP addresses is no security...

    Anon because I work in Infosec...

    Quite a few customers trust the MS IP ranges and accept the risk, as either:

    1. They don't understand the risk

    2. They can't afford to implement L4-7 inspection with an HTTPS middlebox

    3. It is cheaper to insure against it.

    4. They have to make it work, regardless, or get fired.

    5. Their consultants don't know either.

    One customer argued that L4-7 inspection would break GDPR and therefore IP addresses were the maximum allowable security...

    This is a huge vector for malware to get in and data to exfiltrate... It is not just Azure, but any cloud provider / SaaS provider.

    Talking about this to customers is an education for them, and sometimes a demonstration of PHB-ness...

    Good luck...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021