Microsoft sheds some light on Russian email heist – and how to learn from Redmond's mistakes Microsoft, a week after disclosing that Kremlin-backed spies broke into its network and stole internal emails and files from its executives and staff, has now confirmed the compromised corporate account used in the genesis of the heist didn't even have multi-factor authentication (MFA) enabled. On Thursday, Redmond admitted …
"Indeed Redmond itself admitted: "If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks.""
I guess I don't understand how a MFA challenge/response test framework works that doesn't allow some automation of the MFA. I mean, if the bot is performing the test, the bot can answer the second/third/etc. request. CAPTCHA?
A Non e-mouse: “how on earth did a single app registration in the test tenant pivot to having enough permissions in the live tenant to manage app registrations.”
Directory Traversal .. see also Active Directory Attacks.
Oh, so that's your excuse. You, a multi-trillion-dollar company, got targeted at the same time as other, insignificant entities, so it's not your fault ?
Really ?
How's about your internal network is an open invitation to attack ? Why was your test account able to create admin-level access and why was that server allowed admin-level access to production servers ?
Because I suppose that high-level corporate email servers (dare I say, Exchange ?) are production ?
I understand though. Some developer in your group (a "rogue developer" maybe ?) needed to test something, gave himself all the permissions (because really, security is for everyone else, I need to work here), and left the account as is.
And the developer is not necessarily the one to blame. No, the network administrator is. You want admin on a test server ? Fine. You want that test account to access production servers ? Why ? For how long ? To do what ? You get that window, then your access is shut down.
It's called security. It's difficult.
It's necessary.
"Some developer in your group (a "rogue developer" maybe ?) needed to test something, gave himself all the permissions"
There is your fail, no admins any more so devs can f**k up permissions.
" You want that test account to access production servers ? Why ? For how long ? To do what ? You get that window, then your access is shut down."
No! Prod is higher up the permissions heirarchy and can pull from test, that is how you get new reference data into prod.
Test CANNOT EVER acess prod, dumbass! Prod copys for final validation ARE INDENTICIAL TO PROD SO ARE STILL PROD AND NEED TO BE TREATED AS SUCH.
The relevant paragraph actually reads:
Using the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.
To me that says they had telemetry which identifies the same TTPs in other companies.
I don't see anything that suggests they were making excuses for what happened, or trying to deflect blame.
".... So, what was the password?"
And isn't there something which sends an email to the admin if login attempts to *any* given account fail more than N consecutive times - and disables logins after M consecutive failures?
(N being a rather small integer, and M being a slightly less small integer.)
Maybe I have missed something here but are we not being told about how all this AI shite can detect stuff like this?
It will have all been logged as they know what happened. Could it be that all this funky monitoring is actually just a large bucket of characters that is only investigated when it is too late?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
