One week after it disclosed that a state-sponsored Russian hacking group infiltrated its corporate systems, Microsoft today provided more details.
“If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks,” the Microsoft Threat Intelligence team writes in the new post, confirming the suspicion I raised last week. “Given the reality of threat actors that are well resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient. For Microsoft, this incident has highlighted the urgent need to move even faster.”
Last week, Microsoft noted that Midnight Blizzard, a threat actor sponsored by the government of Russia, had infiltrated its corporate systems and was able to read and download some internal emails from members of its senior leadership team and employees in its cybersecurity, legal, and other groups. Today, it provided the following additional information:
Microsoft recommends that its customers defend themselves against malicious OAuth apps by auditing the privilege levels of all user and service identities in their organizations, paying particular attention to unknown identities and to apps holding app-only permissions, since those run without a signed-in user and carry privileged access. Identities granted the ApplicationImpersonation role in Exchange Online can impersonate users and, if the role's scope is not configured correctly, gain access to every mailbox in the environment. The post also offers guidelines on protecting against password spray attacks.
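The audit Microsoft describes can be scripted. The PowerShell below is an added example written for this page, not code from Microsoft's post: it lists every app-only (application) permission granted to service principals in a tenant, flags broad ones and externally owned apps, then lists who holds ApplicationImpersonation in Exchange Online. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the signed-in account can consent to Application.Read.All and Directory.Read.All; the `-match` pattern used to call a permission "broad" is a heuristic of this example, not a Microsoft definition.

```powershell
# Added example for this page (not Microsoft's code). Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules and an account able to read applications and the directory.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" | Out-Null
$tenantId = (Get-MgOrganization).Id

# App-only permissions are app roles exposed by a resource (e.g. Microsoft Graph) and assigned
# to a client service principal. Build a lookup from role GUID to "Resource:Permission".
$allSps = Get-MgServicePrincipal -All
$roleNames = @{}
foreach ($resource in $allSps | Where-Object { $_.AppRoles.Count -gt 0 }) {
    foreach ($role in $resource.AppRoles) {
        $roleNames[$role.Id] = "$($resource.DisplayName):$($role.Value)"
    }
}

# For every service principal, enumerate the app roles it has been granted.
$findings = foreach ($sp in $allSps) {
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    foreach ($a in $assignments) {
        $perm = if ($roleNames.ContainsKey($a.AppRoleId)) { $roleNames[$a.AppRoleId] } else { $a.AppRoleId }
        [pscustomobject]@{
            App           = $sp.DisplayName
            AppId         = $sp.AppId
            Permission    = $perm
            # Apps registered in another tenant (multi-tenant apps you consented to) deserve a closer look.
            ExternalOwner = ($sp.AppOwnerOrganizationId -ne $tenantId)
            # Heuristic (this example's choice): tenant-wide ".All" permissions or full-mailbox access.
            Broad         = ($perm -match '\.All$|full_access')
        }
    }
}

"=== App-only permissions that are broad or granted to externally owned apps ==="
$findings | Where-Object { $_.Broad -or $_.ExternalOwner } |
    Sort-Object App, Permission | Format-Table -AutoSize

# Exchange Online: who can impersonate mailbox users, and to which scope the role is limited.
Connect-ExchangeOnline -ShowBanner:$false
"=== ApplicationImpersonation role holders (effective users) ==="
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object RoleAssigneeName, EffectiveUserName, CustomRecipientWriteScope, RecipientWriteScope |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Review each flagged row against a change ticket or known owner; an app-only mail or directory permission nobody can account for, or an impersonation assignment with no custom recipient scope, is exactly the kind of identity Microsoft's guidance says to remove or tighten.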