A recently revealed bug in Microsoft’s login systems shows how dangerous trusting known vendors can be for enterprise cybersecurity. Though many employees are wary of emails from unfamiliar sources, hackers can just as easily create fake websites or emails that imitate trusted apps or companies. Combined with single sign-ons for third party websites, victims can reveal confidential information without any idea of the danger.
Vulnerabilities such as the Microsoft login bug illustrate the need to advance Zero Trust access capabilities in the enterprise. While companies have attempted to inform employees not to click on suspicious emails, hackers are circumventing this awareness by exploiting flaws in trusted apps or by creating fraudulent websites that mimic trusted entities. Victims can expose their login credentials simply by visiting a fake website or clicking a seemingly innocuous link from a trusted source, allowing hackers to access their accounts without them ever realizing – in this case, capturing Microsoft access tokens. With Zero Trust, the enterprise can increase user and the device verification, and add additional authentication factors depending on the context of the request, to prevent hackers with stolen credentials from accessing secured systems even with a credible login. Zero Trust also requires continuous re-verification of all users, applications and devices, so even “trusted” sources are consistently vetted, thereby making it significantly more difficult for hackers to successfully imitate an app or user.”