What Microsoft's latest email breach says about this IT security heavyweight

For most organizations – especially security vendors – disclosing a corporate email breach, in which executives' internal messages and attachments were stolen, would noticeably ding their stock prices. But Microsoft apparently doesn't operate by the laws of Wall Street. Late Friday afternoon, Redmond revealed that Russia's …

  1. Mike 137 Silver badge

    "a password spray attack to compromise a legacy non-production test tenant account"

    So [a] there was a redundant account left active, and [b] there was no password retry lockout in place. Just about the most basic laxity imaginable. And these guys profess to (obligatorily these days via enforced updates) manage our security?

    1. trindflo Silver badge

      Re: "a password spray attack to compromise a legacy non-production test tenant account"

      With connectivity to bridge the non-production test systems to the production systems because segmenting networks is so hard.

      And where they somehow got hold of a private key? That means the people with that key can publish software as Microsoft and nobody will be the wiser!

      1. sfcfsbcn

        Re: "a password spray attack to compromise a legacy non-production test tenant account"

We are to believe that the hackers went from a legacy test system to accessing the email accounts of top executives and security employees at Microsoft, plus also accessing customer accounts - check the HPE news. Somebody needs to explain how that is possible. Did the test system have a direct connection and trust relationship with the production system? Did the hackers gain SysAdmin access to the test system through a password spray attack? That is like a bank leaving the door of an office unlocked overnight, without security, and then also leaving a pile of cash in a plastic bag under a desk. It is more than carelessness; it would look like either supreme stupidity or an inside job... Never underestimate the amount of stupidity in the world, though.

      2. veti Silver badge

        Re: "a password spray attack to compromise a legacy non-production test tenant account"

        It means they could have done that, until the key was revoked. Which in practice probably means they could only do it once.

        It would be interesting to know what, if anything, they used that power to do.

  2. Empire of the Pussycat

    Why give the scumbags these code names?

    "...Midnight Blizzard, used to track as Nobelium, and most call Cozy Bear..."

    Scumbags-1, scumbags-2, etc. would surely be more appropriate.

    1. Evil Scot Bronze badge

      Re: Why give the scumbags these code names?

      Scumba~1 shirley.

  3. alain williams Silver badge

    "Microsoft makes a good operating system"

    Meyers then talks about applications (eg Powerpoint).

    Microsoft seems to approach security just as it does testing of software updates: toss it over the wall and let customers do the QA for them.

    This approach is bad enough for updates but criminal for security.

    1. Zippy´s Sausage Factory

      Re: "Microsoft makes a good operating system"

Given the recent upgrades to Outlook and Teams, they don't make good applications any more.

      1. Robin

        Re: "Microsoft makes a good operating system"

        When they roll out new functionality (that nobody asked for) Teams really does have vibes of "lone developer working in their bedroom". Except an actual lone developer would probably take more care over the product.

        1. Zippy´s Sausage Factory

          Re: "Microsoft makes a good operating system"

The thing is, the Teams and Outlook changes are not just "new functionality", it's a full blown "rewrite as a Windows Store app, remove some functionality, remove a load of power user functions, break a few bits and pieces along the way and make the interface less professional and more Fisher Price"

      2. TonyJ

        Re: "Microsoft makes a good operating system"

        Tried "New" Teams when it first came out. Had to go back to the "Old" Teams because if anyone started their camera or tried to share their screen it resulted in a black screen or frozen image on the screen.

        Ok.. fair enough...it's still not really GA, so rolled back.

        Then a shortish time later I was forced onto it.

        About the only plus at that point was that the black/frozen screen seemed to have been fixed.

        But synchronising statuses is right out of the window. I have it showing me/others out of office when the status is actually available. But of course, others will see available. Or maybe not. It's random.

Teams is an abomination. Updated outside of Office with little to no controls. Trying to do far too many things. Skype for Business did communications and tended to do it well. All they needed to do was add some form of persistent chat and it would be absolutely fine. But oh no...let's fuck around with OneDrive and SharePoint integrations and make a dog's dinner out of it.

    2. Mike 137 Silver badge

      Re: "Microsoft makes a good operating system"

      "This approach is bad enough for updates but criminal for security"

      The reality is that updates and security are inseparable unless we just don't give a damn. But, fundamentally, so is code quality to start with. If security were taken seriously at dev time, we wouldn't need so many darned 'updates'.

      1. TonyJ

        Re: "Microsoft makes a good operating system"

        "...The reality is that updates and security are inseparable unless we just don't give a damn. But, fundamentally, so is code quality to start with. If security were taken seriously at dev time, we wouldn't need so many darned 'updates'..."

        I think that is only partly fair - some of the exploits we see are incredibly clever.

        Where it is more than fair though is when we see the same kind of exploit being used over and over and over again.

      2. Wayland

        Re: "Microsoft makes a good operating system"

        Why delay rollout of features for security when you can fix it later with an update. 98% of people love updates so the bigger and more frequent the updates the happier people are.

  4. Pascal Monett Silver badge

    "The attack was not the result of a vulnerability in Microsoft products or services"

Hmm, that is subject to discussion. You let a test ID get password spammed. That's a service, is it not?

    Because if there was no human who mistakenly clicked a link, then it's your products or procedures that are at fault.

And we all remember Borkzilla's zeal at renewing its own domain names, right?

    I hope there will be a bit more fallout on this, but hey, Windows is unavoidable, so . . .

  5. Anonymous Coward

    Wonderful............................

    ..............test systems exposed to the internet...............

    ..............or maybe ALL systems exposed to the internet...........

    I think we should be told!

    1. Stuart Castle Silver badge

      Re: Wonderful............................

They mention that an account was used to access a test tenant. This suggests the system was hosted on the cloud. This makes it difficult to totally isolate the system from the Internet, but they should have put things like IP restrictions and account lockouts on the system. At least MFA.
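As an added example (not from the article or any commenter), a small detector run over constructed sign-in log lines: it shows why the per-account lockout that commenters ask for would not trip on a spray (one or two failures per account), while counting distinct accounts per source inside a short window does, and then lists the successful sign-ins from a flagged source for review. The log format, IPs, account names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sign-in log (not from Microsoft's report): one source tries a
# common password against many distinct accounts, one attempt per account.
SAMPLE_LOG = """\
2024-01-12T03:14:07Z src=203.0.113.7 user=legacy-test01 result=FAIL
2024-01-12T03:14:09Z src=203.0.113.7 user=legacy-test02 result=FAIL
2024-01-12T03:14:11Z src=203.0.113.7 user=legacy-test03 result=FAIL
2024-01-12T03:14:13Z src=203.0.113.7 user=legacy-test04 result=FAIL
2024-01-12T03:14:15Z src=203.0.113.7 user=legacy-test05 result=FAIL
2024-01-12T03:14:17Z src=203.0.113.7 user=legacy-test06 result=SUCCESS
2024-01-12T03:20:00Z src=198.51.100.4 user=alice result=FAIL
2024-01-12T03:20:05Z src=198.51.100.4 user=alice result=SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

def parse(log):
    # Return (timestamp, source, user, result) tuples for well-formed lines.
    events = []
    for m in (LINE_RE.match(l) for l in log.splitlines()):
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def lockout_triggers(events, threshold=5):
    """Accounts a per-account lockout policy would lock: a spray stays below it."""
    fails = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)

def spray_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources whose failures hit >= min_accounts distinct users inside one window."""
    per_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            per_src[src].append((ts, user))
    flagged = {}
    for src, items in per_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = len(users)
                break
    return flagged

def spray_successes(events, flagged):
    """Successful sign-ins from a flagged source: the accounts to review first."""
    return sorted((s, u) for _, s, u, r in events if r == "SUCCESS" and s in flagged)
```

On the sample log, the lockout check returns nothing while the per-source check flags the spraying address and points at the one account it got into.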

  6. Blazde Silver badge

    'It's kind of like the mafia'

    Nice head orfice. Shame if somebody broke all your windows. We can help you with that..

  7. captain veg Silver badge

    do they?

    "Meyers conceded that Microsoft makes a good operating system."

    Has anyone ever seen it? Perhaps they ought to make it available to the public.

    -A.

    1. MrDamage

      Re: do they?

      Did Xenix count?

      https://en.wikipedia.org/wiki/Xenix

      1. captain veg Silver badge

        Re: do they?

Ah yes. IIRC there was a time when BillG claimed to be the world's greatest expert on Unix.

        -A.

    2. ecofeco Silver badge

      Re: do they?

      Underrated comment of the century.

    3. wiseguy

      Re: do they?

      Given that “China's snoops have also busted through Redmond's digital perimeter and stolen source code”, maybe it has already been made available to the public?

      1. MrDamage

        Re: do they?

        "Stole" source code? I'd believe it, if BillG hadn't given China the source code to start with.

        https://www.infoworld.com/article/2681548/china-gets-access-to-microsoft-source-code.html

        You think the CCCP's demands would have stopped at WinXP?

    4. Wayland

      Re: do they?

      I thought MS DOS 3.20 was pretty good.

  8. Anonymous Coward

The technology is fundamentally flawed

    What Microsoft's latest email breach says about this IT security heavyweight

  9. mikus

    Same as it ever was

    When will people stop being surprised Microsoft is this inept? Have we not seen almost 30 years of security ineptitude from them from the operating system to things like internet explorer as the best malware delivery engine of all time? If anyone gets into your network, it's 99% of the time going to be via a windows box, active directory, or crappy 3rd party application built for them.

    These reports going public are now only since they "have to" report these sorts of breaches, as they can't trust their secret won't be leaked by the instigating hacking crew to shame them and put them in a compliance situation. They will however downplay the severity as much as they can to placate the user base back to blissful ignorance, and hide any unnecessarily embarrassing details.

    Just imagine how often this has happened over the past 30 years they haven't told you about publicly since ransomware and exfiltration has become more common that they have to?

    1. gr00001000

      Re: Same as it ever was so beware Defender APT

      Beware dealing with security and Microsoft. Defaults are a failure, logging until recent years a failure, features and updates an issue.

  10. Someone Else Silver badge

    Uhhh, wha'?

    From the article:

    Once, such a privacy breach might be enough to sink a software maker – or at the very least render its name synonymous with a cyber intrusion. But Microsoft seemingly remains immune.

Not really. Everyone on the face of the planet (some dolts in Congress notwithstanding) knows that Micros~1 is to security as fish is to bicycle.[1] It's not that Micros~1 is immune, but rather that those that would react are so inured to their utter lack of security prowess, that this is just another case of "same shit, different day" for them.

    [1] Yeah, I know I used this in a recent previous post, but it fit here, too. Reuse is a thing, innit?

    1. HereIAmJH Silver badge

      Re: Uhhh, wha'?

      Flash back to the past...

      Adobe has always been synonymous with buggy, insecure apps. Doesn't seem to hurt their business any.

    2. Wayland

      Re: Uhhh, wha'?

      Microsoft has a pretty good Out Of Office feature in their email plus people know that Microsoft invented the Internet and are the only company who can provide email.

  11. Diogenes8080

    Incompetent or overly siloed?

The horrifying thing here is how a compromise of a non-production test tenant account can turn into access to "senior leadership" accounts in Microsoft's own tenancy. The best case (which is still fairly damning) is that this "test tenant" was testing some sort of internal super-partner access for licence auditing or something similar. Unforgivable that it was not on MFA and left open after it was no longer needed.

  12. ldo

    Trapped In An Abusive Relationship?

    There seems to be this mentality among people who would rather complain about something that troubles them, rather than make the effective decision to remove the trouble from their lives.

    1. ecofeco Silver badge

      Re: Trapped In An Abusive Relationship?

      There is that, but also, many corporations' investment portfolios have MS stock in the mix so of course, what is mandated as employee kit?

      Nope, no conflict of interest there!

      (no I don't see the logic in it either, but nobody ever accused the psychopathic, inbred* money grubbing boards of directors of being logical, now have they? Uber scooters anyone?)

      ((*many director members are also members of other boards of directors))

  13. Alan W. Rateliff, II

    The "dead leg" hazard exists in IT.

  14. Kevin McMurtrie Silver badge

    Microsoft e-mails?

Microsoft is aware that a large quantity of e-mails were stolen from leadership team, cybersecurity, and legal employees in a breach. This is a serious incident and work has already begun to prevent this from happening again. Survivors of Midnight Blizzard who read through these e-mails are being offered counselling for the trauma, depression, and overwhelming despair now afflicting them. Sincerest condolences go out to these hackers, their friends, and their families who suffered losses as a result of being exposed to this breach.

  15. Kev99 Silver badge

Considering the umpteen dozen CVE patches Microsoft has issued just for Win11, I'm not at all surprised.

  16. Dixx

    Lessons Learnt

    By now we should be considering using alternative storage and messaging systems for sensitive data. The internet and email are too easy to exploit.

    1. Wayland

      Re: Lessons Learnt

      We never used to use MS for email but they have proved themselves to be the very best.

  17. Marty McFly Silver badge

    Article title

    "What Microsoft's latest email breach says about this IT security heavyweight"

    Have you read the article you published before assigning this title?

    Microsoft is a "security heavyweight" like concrete shoes are to swim flippers.

  18. steviebuk Silver badge

    Sometimes

    it can't be helped

    "It is inexcusable that Microsoft still hasn't required multi-factor authentication, which is cybersecurity 101 and would have prevented this latest attack," Wyden told The Register.

You might have accounts that 3rd party apps require that don't support MFA. Nothing can be done. You can't just stop using the 3rd party app, the execs paid for it to be put in. You might also have staff that struggle to understand new tech with no training budget to change this.

    It's not always easy. It's always easy for someone in Congress to comment though.

  19. Wayland

    No one ever got fired...

    ...because they put the company's email on Microsoft and it was hacked.

    It's all part and parcel of living in the Internet. At least you're not alone when the hackers are reading your emails, other people made the same mistake.

  20. Wayland

    The Government liked Fujitsu but now prefers Microsoft

    You need your IT run by a large company who you can blame when it goes wrong. You need to be fairly sure it will go wrong or else you won't have anyone to blame.

  21. Anonymous Coward

"what are you going to do, switch to Linux?"

    Well, yes.

  22. Anonymous Coward

    IT security heavyweight????

    The company that gave us hidden file extensions for zero perceivable benefit, and created a whole attack vector for no reason.

    That company?
