"We were pwned by the Russians (again) and they were reading all of Satya's emails, but it's okay, they were just looking for shout-outs to post in their interoffice Telegram channel for the lulz."<p>I understand that the company has to minimize every breach but this frankly looks a lot more serious than Microsoft suggests here.
Microsoft filed this late today with the SEC[1] just before they stopped accepting new filings for the day under their new Cybersecurity Incident disclosure rule[2]. FWIW, two other publicly traded companies disclosed[3] their breaches since the rule went into effect last month.<p>[1] <a href="https://www.sec.gov/Archives/edgar/data/789019/000119312524011295/d708866d8k.htm" rel="nofollow">https://www.sec.gov/Archives/edgar/data/789019/0001193125240...</a><p>[2] <a href="https://www.sec.gov/news/press-release/2023-139" rel="nofollow">https://www.sec.gov/news/press-release/2023-139</a><p>[3] <a href="https://last10k.com/stock-screeners/cybersecurity" rel="nofollow">https://last10k.com/stock-screeners/cybersecurity</a>
> Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts [...]<p>> The attack was not the result of a vulnerability in Microsoft products or services.<p>Hmm...
Haha "...access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents."<p>Seems like a big deal. Also, this may be why I've been getting massive amounts of "unusual account sign-in activity" emails for Microsoft about an old Outlook account I no longer use...<p>Hopefully these state actors can get access to my VSTS server I can no longer find and deploy an old app for me ;)
Interesting that they seem to suggest that applying security is now more important than avoiding service disruptions. This may be the hopeful dawn of a new era.
Did they release this late on a Friday to downplay the scope of the attack?<p>If they had top leadership accounts and service accounts hacked just by password protection, that sounds like a major security fubar.
> access a very small percentage of Microsoft corporate email accounts<p>Ok, so far so good.<p>> including members of our senior leadership team<p>Ahhh, so maybe the attackers were after the senior leadership team and therefore stopped at the "very small percentage".
>Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts<p>I have so many questions from this sentence alone. What did they password spray? Microsoft's internal identity provider? Was the non-prod system internet facing? Why isn't MFA enforced?
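The filing describes a password spray: a small number of guesses tried against many accounts, which stays under per-account lockout thresholds and is easy to miss if you only alert on repeated failures for one user. The detection logic below is an added example for this thread, not code or data from Microsoft or the SEC filing. The sign-in records are constructed to resemble identity-provider sign-in logs (timestamp, source IP, account, result); the field layout, the 10-minute window and the "at least 5 distinct accounts, at most 2 failures each" thresholds are assumptions, not anything the filing states.

```python
"""Password-spray detection over constructed sign-in log records.

Added illustration for this thread, not Microsoft's code or data. The
log format and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One source IP makes a single
# failed attempt against many distinct accounts and then succeeds on a
# legacy service account; a second IP is a user mistyping a password;
# a third IP hammers one account, which is brute force, not a spray.
SAMPLE_LOG = """\
2023-11-28T02:00:01Z 203.0.113.7 alice@test-tenant.example FAILURE
2023-11-28T02:00:03Z 203.0.113.7 bob@test-tenant.example FAILURE
2023-11-28T02:00:05Z 203.0.113.7 carol@test-tenant.example FAILURE
2023-11-28T02:00:08Z 203.0.113.7 dave@test-tenant.example FAILURE
2023-11-28T02:00:10Z 203.0.113.7 erin@test-tenant.example FAILURE
2023-11-28T02:00:12Z 203.0.113.7 frank@test-tenant.example FAILURE
2023-11-28T02:00:15Z 203.0.113.7 grace@test-tenant.example FAILURE
2023-11-28T02:00:17Z 203.0.113.7 heidi@test-tenant.example FAILURE
2023-11-28T02:00:19Z 203.0.113.7 ivan@test-tenant.example FAILURE
2023-11-28T02:00:21Z 203.0.113.7 svc-legacy@test-tenant.example SUCCESS
2023-11-28T02:05:00Z 198.51.100.9 alice@test-tenant.example FAILURE
2023-11-28T02:05:30Z 198.51.100.9 alice@test-tenant.example SUCCESS
2023-11-28T03:00:00Z 192.0.2.44 mallory@test-tenant.example FAILURE
2023-11-28T03:00:01Z 192.0.2.44 mallory@test-tenant.example FAILURE
2023-11-28T03:00:02Z 192.0.2.44 mallory@test-tenant.example FAILURE
2023-11-28T03:00:03Z 192.0.2.44 mallory@test-tenant.example FAILURE
2023-11-28T03:00:04Z 192.0.2.44 mallory@test-tenant.example FAILURE
2023-11-28T03:00:05Z 192.0.2.44 mallory@test-tenant.example FAILURE
"""


def parse_log(text):
    """Parse whitespace-separated records into dicts (assumed format)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "result": result,
        })
    return records


def detect_password_spray(records, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Flag source IPs whose failures within one window touch many distinct
    accounts with few attempts each (the spray signature). For a flagged
    IP, also list accounts it later signed into successfully: that is the
    foothold worth chasing first. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_ip[r["ip"]].append(r)

    findings = {}
    for ip, events in by_ip.items():
        failures = [e for e in events if e["result"] == "FAILURE"]
        best = None
        # Slide a window starting at each failure; keep the widest spray.
        for i, start in enumerate(failures):
            in_window = [e for e in failures[i:]
                         if e["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e["user"]] += 1
            is_spray = (len(per_user) >= min_users
                        and max(per_user.values()) <= max_per_user)
            if is_spray and (best is None
                             or len(per_user) > best["distinct_users"]):
                best = {
                    "window_start": start["ts"],
                    "distinct_users": len(per_user),
                    "attempts": len(in_window),
                }
        if best is None:
            continue
        best["compromised"] = sorted({
            e["user"] for e in events
            if e["result"] == "SUCCESS" and e["ts"] >= best["window_start"]
        })
        findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, f["distinct_users"], "accounts,", f["attempts"],
              "attempts, success on:", f["compromised"])
```

Run on the constructed log, only 203.0.113.7 is flagged (9 accounts, one attempt each, followed by a success on svc-legacy); the single-account hammering from 192.0.2.44 is not a spray by this definition and would be caught by an ordinary per-account lockout or failure-count rule instead. The point of keying on distinct accounts per source, rather than failures per account, is that a spray is designed to stay below the latter.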
I wonder which mail client the execs were using. If Outlook, their messages would be already harvested by 700+ companies[0][1] and another leak wouldn't be an issue.<p>[0] <a href="https://news.ycombinator.com/item?id=38441710">https://news.ycombinator.com/item?id=38441710</a><p>[1] <a href="https://news.ycombinator.com/item?id=38953618">https://news.ycombinator.com/item?id=38953618</a>
Um. Why does "a legacy non-production test tenant account" have "permissions" for "email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions"?
Why do they say "nation state actor", isn't "state actor" the correct term? I thought Russia, like the UK and many other states, is a multinational state, including numerous languages and cultures.
„compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.“<p>Does a non-production test account usually have permission to access email accounts of the senior leadership team? Is that a security best practice?
I'm wondering how many hacks like this must occur before companies start caring about hiring good developers with a proven individual record instead of those who can solve the most gimmicky puzzles in 30 minutes.<p>There are developers out there with excellent track records who have built bug-free solo projects which prove their excellence and yet can't find a job in this economy. Some of these developers have also proven themselves to work well in a team so there is no excuse to ignore them. They are excellent both as lone wolf and team player. Companies should desperately look for them and recruit them. Only such developers can save companies from technical decay.
>Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium<p>How do they identify those groups?
Why does the data security industry seem to be so into obfuscated jargon? It’s like a new industry microcosm corporatespeak.<p>It’s ok to call them countries, hackers, and intrusions.<p>Microsoft got hacked by Russian government hackers.
From the same company that charges you to access your logfiles.<p><a href="https://www.theregister.com/2023/07/20/under_cisa_spressures_collaboration_microsoft/" rel="nofollow">https://www.theregister.com/2023/07/20/under_cisa_spressures...</a>
Seriously? This reads like a joke. They brute-forced some tenant test systems.<p>Fine, I bet the password was Password123!, but then "they used the account's permissions" to access various corporate emails. How is that even possible? What does it mean "they used the account's permissions"? Are you telling me there was no privilege separation between a tenant test environment and the internal domain? That the tenant system was not in its own isolated network? This is absolutely insane. Whenever I read stuff like that I wonder if some junior IT employee didn't just buy a new home for cash a few months ago. I'm all for "don't look for malice where incompetence is a sufficient explanation", but that's just a little too much incompetence to be believable.
"Microsoft took advantage of news of this hack to talk about how they are going to move forward to make itself more secure."<p><a href="https://techcrunch.com/2024/01/19/hackers-breached-microsoft-to-find-out-what-microsoft-knows-about-them/" rel="nofollow">https://techcrunch.com/2024/01/19/hackers-breached-microsoft...</a>
>Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold<p>If people at Microsoft reuse passwords, then what can we expect from casual PC users?!
I found $ signs $ in my AI prompt text box suggesting shell interference while also experiencing a buffer overflow on my local Windows PC. Just a random DALL-E 3 user in Bing's Image Creator.
“it was Russia, they went thata way!”<p>This presents no proof, but I’ve read lots of Krebs security proof on other exploits and I think it is all very weak.<p>Nothing is stopping anybody here from putting breadcrumbs in a payload to point the finger at North Korea or a former Soviet state.<p>This is kind of a silly standard that allows hackers to operate with impunity, companies to avoid accountability, and the FBI to not bother.