Over the weekend, Microsoft confirmed that a certain limited number of people that use Outlook, Hotmail and MSN email systems had their accounts compromised. Hackers were able to access users’ email addresses, folder names and the subject lines of emails but not the content of any emails or attachments, or any login credentials and passwords either. The breach occurred between January 1 and March 28 and the hackers were able to get into Microsoft’s system by compromising a customer support agent’s credentials.
Some users of Microsoft's Hotmail, Outlook and MSN services were left exposed due to a data breach after hackers broke into a customer service account. https://t.co/gpzoyCqyoE
— PCM Systems Ltd (@pcmsystemsltd) April 15, 2019
And the solution is to move to more secure email provider that can guarantee privacy.
This is one of the reasons I am considering moving everything to a service like @ProtonMail. https://t.co/qYhdRhMmiM
— Daniel Montecillo (@leggendario12) April 13, 2019
Experts Comments:
Robert Vamosi, Senior Product Marketing Manager at ForgeRock:
“When large corporations like Microsoft are compromised by malicious third parties, it should serve as an example to organizations everywhere that no one is safe from cyberattacks. Criminal hackers were able to access users’ email addresses, folder names, the subject lines, and contents of emails between January 1 and March 28, and affected users are now susceptible to highly targeted spear phishing attacks. For example, a phisher could use the same subject line as a recently sent or received email and add “Re:” before to trick users into opening the email and possibly malicious documents that contain malware. Even though login credentials were not affected, users should consider changing their passwords and enabling multi-factor authentication features if they have not already. All users should make sure to check the sender’s email addresses of emails they receive to make sure they are legitimate.
Companies that suffer data breaches due to compromised employee accounts should consider implementing single sign on (SSO) capabilities within their organization, as SSO also allows for improved security, especially when coupled with multi-factor authentication. SSO prevents unauthorized access by keeping employee credentials in a more secure corporate IT environment, and multi-factor authentication prompts users to verify their identity in case the SSO credentials happened to be compromised.”
Lamar Bailey, Director of Security Research and Development at Tripwire:
“These kinds of breaches are particularly worrying for those affected, because they provide cybercriminals with potentially sensitive personal information that can be used for attacks of against private individuals and enterprises. Although password do not appear to have been compromised, items seemingly trivial such as the subject lines of emails in one’s inbox and email content can be exploited to devise a sophisticated socially engineered phishing campaign.
Users whose emails were compromised should change their passwords – which in the aftermath of a breach is always a good step, no matter which and how much information was compromised – and enable two-factor authentication wherever possible. Cyber hygiene best practices should also be the priority of those compromised: applying security patches, keeping software up to date and looking out for potentially malicious emails can help them prevent falling victim of further attacks.”
Ilia Kolochenko, Founder and CEO at ImmuniWeb:
“The data breach seems to be insignificant compared to recent security incidents involving such companies as Facebook, for example. Compromise of privileged accounts is a widespread and effective method among cybercriminals to get to the crown jewels at high speed and low cost. It is, however, quite surprising that such a reputable company as Microsoft reportedly has not reacted to the anomalies for as long as three months. Continuous monitoring of privileged accounts is quintessential to ensure data security and compliance. Moreover, nowadays, with emerging machine learning technologies it has become a pretty easy task is properly implemented.
It is too early to attribute the attack due to lack of the information available. It can well be a group of beginners who publicly sell email hacking services, as well as a nation-state hacking group targeting political activists or western companies. As a precaution, all Outlook users should change their passwords and secret questions, as well as passwords for any other accounts that sent, or could have sent, a password recovery link to their Outlook email.”
Dan Pitman, Principal Security Architect at Alert Logic:
“It’s good that access to the information in emails and account passwords was apparently not accessed, this is likely due to Microsoft’s own restrictions on support account’s visibility into personal data and passwords, however the amount of time that the breach went on is disappointing. This kind of event should trigger a review of support access restrictions, you would hope they would require multiple factors of authentication to login as advised to end users.
We don’t know how Microsoft’s systems work but uncertainty about the activities during a breach is much more common that it should be; often log data is not kept for significant periods or logging is reduced to save resources, monitoring of activity of “back office” users is not always perceived as important as end-user accesses.
Users should be conscious of what information they store in accounts that is not required for it to operate – those people who have telephone numbers and physical addresses and receive banking or other account notifications into their Outlook accounts should have a heightened awareness. Without access to the emails the attacker’s ability to action resets is reduced but verify transactions and look out for unexpected communications and notifications from other organisations, be sure to have banking mobile notifications turned on where possible and always enable 2 factor authentication for important systems.”
Martin Jartelius, CSO at Outpost24
“Microsoft has reached out to users that could be affected with advice for unauthorized access to information such as folder name, subject lines of emails and communication between two email addresses, and potentially the content of emails.
With this in mind, it is important to review your emails in the current period, especially those contain sensitive information that could compromise your security and business confidentiality. For example this could be tender submissions, mergers and acquisitions and other internal information that could cause harm externally. If such information is leaked, ensure you establish a crisis plan for damage control arising from its disclosure.
A general advice regardless if you were affected or not is to enable two factor authentication wherever possible, which ensures that access to your email do not constitute the potential access to other systems as well.”
Javvad Malik, Security Advocate at AT&T Cybersecurity:
“Sensitive accounts such as admin accounts, support accounts, or even social media accounts are attractive targets for criminals, which is why it is important to monitor these accounts to detect not only if compromised externally, but also if an insider decides to go rogue. As this incident shows, when a legitimate account undertakes malicious activity, unless specific controls are put in place, such as behavioural monitoring, it can take a long time to pick up that something is amiss, and even longer to unpick what damage has been done.
Details on what was accessed and how users are impacted are low, but as a precaution, users should change their passwords. The other actions will depend upon the nature of businesses. While the actual content of the emails weren’t disclosed, simply knowing the folder structure, the email headers, and times of emails can be quite telling – for example – it could indicate companies are planning a merger, or annual accounts are not promising. Or learn about company partners and use the information to launch phishing or business email compromise (BEC) attacks”
Felix Rosbach, Product Manager at comforte AG:
“As a company, it’s always hard to make statements about the details of a breach. Proper investigations take time.
One important question here is: What did Microsoft do to monitor user behaviour?
You can get a very detailed picture of what hackers had access to and what data and accounts were compromised if you pseudonymize personally identifiable information. When hackers get access to pseudonymized data sets, these data sets are useless to them. If they want to see it in the clear, they have to request that on a case by case basis, which wouldn’t harm a support-employee as they usually don’t request a massive amount of data sets at once. These requests are easy to manage and to monitor – and therefore give you not only control but also a very detailed breach history.
Users can’t do much about it. Not sharing your data is not possible these days, if you want to use these services. You can never be sure that the service of your choice won’t be hacked – there is no 100% security, there is no silver bullet. With insider attacks, an increasing attack surface and more and more vulnerabilities, the question is not if a breach will happen – but when.
Of course, you could set up your own mail server – but are you sure you can do a better job than Microsoft in terms of cybersecurity? If so, go for it.”
Anjola Adeniyi, Technical Leader at Securonix:
“This is another case of insider threat, which often gets a lower level of attention and priority. Organisations should understand that while the likelihood may be lower than other forms of cyber risk, it’s impact can be much greater and therefore should give it a bigger focus. Insider threat is not only about malicious users as we see in this case of a compromised user.
A big part of this mess, is the inconsistency around what the hackers would have had access to. Did they have access to the content of emails or not? This isn’t quite clear at the moment, as Microsoft says one thing, and only to retract it to say they had access to some email content. Hopefully the affected users can get some clarity on this, and take any necessary steps in securing their organisations.”
Martin Jartelius, CSO at Outpost24:
“Microsoft has reached out to users that could be affected with advice for unauthorized access to information such as folder name, subject lines of emails and communication between two email addresses, and potentially the content of emails.
With this in mind, it is important to review your emails in the current period, especially those containing sensitive information that could compromise your security and business confidentiality. For example, this could be tender submissions, mergers and acquisitions and other internal information that could cause harm externally. If such information is leaked, ensure you establish a crisis plan for damage control arising from its disclosure.
General advice, regardless of whether you were affected or not, is to enable two factor authentication wherever possible, which ensures that access to your email does not constitute the potential access to other systems as well.”
Brian Higgins, Security Specialist at Comparitech.com:
“On the face of it there doesn’t seem to be too much for current users of Microsoft products and services to be worried about. If the comments and responses to the discovery of the breach from theMicrosoft management team are to be believed, then the most immediate threat is to their reputation. The fact that they appear uncertain about the methodology is, in all likelihood, an incident response protocol designed to allow the FBI to conduct an uncompromised investigation with the best chance of identifying any perpetrators.
What worries me most is that Microsoft, on the one hand, say, “We consistently monitor our networks looking for any irregularities on the network” yet admit that “the attackers may have had access to Microsoft systems for a considerable period of time — something under three months.” As a customer, that doesn’t fill me with confidence in their intrusion monitoring capabilities and makes me wonder who else is casually sitting on their network waiting to strike!
Whilst the stolen source code is probably being traded around on the Dark Web, from a consumer’s perspective the largest threat appears to be from ‘yet to be launched’ products and services. However, since most tech firms subscribe to the ‘launch it first and patch it later’ business model, any affected products will most likely already be vulnerable somehow anyway. The best thing any individual can do to protect themselves is to make sure they install patches and software updates as soon as they become available. It has long been known that the ‘golden hour’ between a vulnerability’s discovery and the launch of the subsequent solution is where hackers cause most harm. My advice in any instance is to lay off the ‘Remind me later’ button and UPDATE NOW!”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.