Microsoft sheds some light on Russian email heist – and how to learn from Redmond's mistakes

Microsoft, a week after disclosing that Kremlin-backed spies broke into its network and stole internal emails and files from its executives and staff, has now confirmed the compromised corporate account used in the genesis of the heist didn't even have multi-factor authentication (MFA) enabled.  On Thursday, Redmond admitted …

  1. elDog

    I'll take their word for it. Won't you?

    "Indeed Redmond itself admitted: "If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks.""

    I guess I don't understand how an MFA challenge/response test framework works that doesn't allow some automation of the MFA. I mean, if the bot is performing the test, the bot can answer the second/third/etc. request. CAPTCHA?

  2. doublerot13

    Trump, Boris,... Microsoft

    Microsoft - like Trump and Boris - has lowered everyone's expectations so much that they aren't called to account. Security breaches, executive emails read, outages... we read the article then carry on as normal.

  3. A Non e-mouse Silver badge
    FAIL

    Something smells wrong here. Having no MFA on a test tenant is fine. But how on earth did a single app registration in the test tenant pivot to having enough permissions in the live tenant to manage app registrations?

    1. Anonymous Coward
      Boffin

      How a single app pivot to having enough permissions in the live tenant

      A Non e-mouse: “how on earth did a single app registration in the test tenant pivot to having enough permissions in the live tenant to manage app registrations.”

      Directory Traversal .. see also Active Directory Attacks.

      1. martinusher Silver badge

        Re: How a single app pivot to having enough permissions in the live tenant

        You know that you're supposed to set the top of the file tree for a particular website so traversal doesn't happen? (Hint -- chroot)

  4. Pascal Monett Silver badge
    FAIL

    "Midnight Blizzard targeted other organisations"

    Oh, so that's your excuse. You, a multi-trillion-dollar company, got targeted at the same time as other, insignificant entities, so it's not your fault ?

    Really ?

    How's about your internal network is an open invitation to attack ? Why was your test account able to create admin-level access and why was that server allowed admin-level access to production servers ?

    Because I suppose that high-level corporate email servers (dare I say, Exchange ?) are production ?

    I understand though. Some developer in your group (a "rogue developer" maybe ?) needed to test something, gave himself all the permissions (because really, security is for everyone else, I need to work here), and left the account as is.

    And the developer is not necessarily the one to blame. No, the network administrator is. You want admin on a test server ? Fine. You want that test account to access production servers ? Why ? For how long ? To do what ? You get that window, then your access is shut down.

    It's called security. It's difficult.

    It's necessary.

    1. donk1

      Re: "Midnight Blizzard targeted other organisations"

      "Some developer in your group (a "rogue developer" maybe ?) needed to test something, gave himself all the permissions"

      There is your fail, no admins any more so devs can f**k up permissions.

      " You want that test account to access production servers ? Why ? For how long ? To do what ? You get that window, then your access is shut down."

      No! Prod is higher up the permissions hierarchy and can pull from test, that is how you get new reference data into prod.

      Test CANNOT EVER access prod, dumbass! Prod copies for final validation ARE IDENTICAL TO PROD SO ARE STILL PROD AND NEED TO BE TREATED AS SUCH.

    2. Necrohamster Silver badge

      Re: "Midnight Blizzard targeted other organisations"

      The relevant paragraph actually reads:

      Using the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.

      To me that says they had telemetry which identifies the same TTPs in other companies.

      I don't see anything that suggests they were making excuses for what happened, or trying to deflect blame.

  5. Omnipresent Silver badge

    give us more data

    Dude said "the account didn't have finger print and facial recognition on it."

    LMAO! Be sure to give micro$oft your biometrics everybody.

  6. RedGreen925

    "and how to learn from Redmond's mistakes"

    Someone may as well, because they certainly have learned absolutely nothing from the going on forty plus years of making them.

  7. Bitsminer Silver badge

    weak password

    Despite all the flim-flam about "password spraying" it was basically a successful guess of the test account and password spelling.

    So, what was the password?

    1. sitta_europea Silver badge

      Re: weak password

      ".... So, what was the password?"

      And isn't there something which sends an email to the admin if login attempts to *any* given account fail more than N consecutive times - and disables logins after M consecutive failures?

      (N being a rather small integer, and M being a slightly less small integer.)
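    The two thresholds sitta_europea describes (alert the admin after N consecutive failures, disable logins after M) are easy to replay over a sign-in log. The block below is an added example written for this thread, not code from Microsoft or from any commenter; the log lines are constructed here in a simplified `timestamp user source result` format rather than a real Entra ID or AD sign-in format, and the threshold values are illustrative. It also goes one step beyond the comment: a per-account streak counter never fires against the "password spraying" Bitsminer mentions, because a spray tries one password against many accounts, so a second counter watches how many distinct accounts fail from a single source.

```python
"""
Added example, not from the article or the comments above.
Replays a constructed sign-in log and applies three detections:
  * alert when an account reaches N consecutive failures,
  * disable the account (and flag later attempts) at M consecutive failures,
  * alert when one source fails against several distinct accounts (spray).
Log format, thresholds and sample values are all assumptions made here.
"""
from collections import defaultdict

ALERT_AFTER = 3      # N: consecutive failures before the admin is alerted
LOCK_AFTER = 5       # M: consecutive failures before logins are disabled
SPRAY_ACCOUNTS = 3   # distinct accounts failed from one source before a spray alert

# Constructed sample log. 198.51.100.7 hammers one account (classic brute
# force), 203.0.113.9 tries one attempt each against several accounts
# (spray), and dave mistypes twice and then signs in legitimately.
SAMPLE_LOG = """\
2024-01-26T08:00:01 test-tenant-svc 198.51.100.7 FAIL
2024-01-26T08:00:02 test-tenant-svc 198.51.100.7 FAIL
2024-01-26T08:00:03 test-tenant-svc 198.51.100.7 FAIL
2024-01-26T08:00:04 test-tenant-svc 198.51.100.7 FAIL
2024-01-26T08:00:05 test-tenant-svc 198.51.100.7 FAIL
2024-01-26T08:00:06 test-tenant-svc 198.51.100.7 FAIL
2024-01-26T08:01:00 alice 203.0.113.9 FAIL
2024-01-26T08:01:01 bob 203.0.113.9 FAIL
2024-01-26T08:01:02 carol 203.0.113.9 FAIL
2024-01-26T08:02:00 dave 192.0.2.44 FAIL
2024-01-26T08:02:05 dave 192.0.2.44 FAIL
2024-01-26T08:02:10 dave 192.0.2.44 OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, source, success)."""
    ts, user, source, result = line.split()
    return ts, user, source, result == "OK"


def evaluate(log_text, alert_after=ALERT_AFTER, lock_after=LOCK_AFTER,
             spray_accounts=SPRAY_ACCOUNTS):
    """Replay the log in order.

    Returns (alerts, locked): alerts is the list of (kind, subject) tuples
    in the order they fired; locked is the set of accounts whose logins
    would be disabled by the time the log ends.
    """
    consecutive = defaultdict(int)       # per-account failure streak
    failed_accounts = defaultdict(set)   # per-source: accounts that failed
    alerts, locked = [], set()

    for line in log_text.splitlines():
        _ts, user, source, ok = parse_line(line)

        if user in locked:
            # Logins are disabled; the attempt itself is worth reporting.
            alerts.append(("attempt_on_locked", user))
            continue

        if ok:
            consecutive[user] = 0        # a success ends the streak
            continue

        consecutive[user] += 1
        if consecutive[user] == alert_after:      # fire once per streak
            alerts.append(("failed_streak", user))
        if consecutive[user] >= lock_after:
            locked.add(user)
            alerts.append(("locked", user))

        # Spray detection: same source, many different accounts, each of
        # which may be far below the per-account threshold.
        failed_accounts[source].add(user)
        if len(failed_accounts[source]) == spray_accounts:
            alerts.append(("spray", source))

    return alerts, locked


if __name__ == "__main__":
    fired, disabled = evaluate(SAMPLE_LOG)
    for kind, subject in fired:
        print(f"{kind:18} {subject}")
    print("disabled accounts:", sorted(disabled))
```

    Run against the constructed log, the brute-forced account trips the N alert, is disabled at M, and its sixth attempt is reported as an attempt on a locked account; the sprayed accounts alice, bob and carol never reach N individually, and only the per-source counter surfaces 203.0.113.9; dave's two typos followed by a success raise nothing. Choosing N small and M "slightly less small", as the comment puts it, is what keeps the lockout from becoming a denial-of-service lever against legitimate users while still catching a sustained guess.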

    2. hoola Silver badge

      Re: weak password

      Maybe I have missed something here but are we not being told about how all this AI shite can detect stuff like this?

      It will have all been logged as they know what happened. Could it be that all this funky monitoring is actually just a large bucket of characters that is only investigated when it is too late?

    3. Anonymous Coward

      Re: weak password

      > Despite all the flim-flam about "password spraying" it was basically a successful guess of the test account and password spelling. So, what was the password?

      “Little·Saint·James” ?

    4. doublerot13

      Re: weak password

      > So, what was the password?

      London1

    5. mobailey

      Re: weak password

      Re: "So, what was the password?"

      I suspect the answer is in your question.

  8. simkin

    O365 security?

    So, someone can leverage a test account to gain full access to execs' email, and your takeaway is that they should have used MFA? How many employees does MS have again? How many of those should be able to get access to execs' email?
