Super-long CSRB/Microsoft breach thread continues

If it wasn't clear already, Microsoft hasn't concluded this investigation. They continue to explore the 46 hypotheses they originally came up with 9 months ago.

That also unfortunately means that there could have been more stuff compromised that Microsoft doesn't know about. Storm-0558 could still have access to systems, individual assets/identities, or the ability to generate access keys we don't know about.

Additionally, the M&A employee could also be a scapegoat - everything Microsoft has published concerning root cause analysis is a theory. It has no evidence linking this compromised employee's laptop and the MSA key theft.

Another point the review board makes in this report, one that has been echoed by the White House, is that far too much onus is put on the customer to secure their accounts and data - the providers and CSPs should shoulder more of the work here.

Just look at Microsoft's most recent breach (Jan 2024 by Russia's "Midnight Blizzard"). Microsoft insists there were no vulnerabilities here, it was just cred stuffing, but then look at all the madness they recommend customers do to detect and/or prevent this kind of attack!

Is this reasonable to expect of the average M365 customer? What about personal accounts? Is there nothing Microsoft can do to ease this burden?

Not only did the State Department need some serious Detection Engineering skill to discover this attack, they needed sharp SOC analysts, AND the premium audit package to get access to the necessary logs to begin with!

Figuring out how Microsoft's licensing works, understanding their products, and securing their products is a complex maze that makes the defender's job an utter nightmare, IMO.

Midnight Blizzard: Guidance for responders on nation-state attack | Microsoft Security Blog