Security executives slam Microsoft over latest breach

Cybersecurity vendors and executives criticized Microsoft on a variety of fronts over the breach it suffered earlier this month.

Microsoft on Jan. 19 disclosed a data breach it suffered when a Russian state-affiliated threat actor, tracked as Midnight Blizzard, used a password spray attack to compromise a legacy non-production test tenant account. The actor -- also known as Nobelium, Cozy Bear and APT29 -- then escalated privileges through malicious Oauth applications and accessed a number of Microsoft corporate email accounts, including a number belonging to senior leadership. The actor first gained an initial foothold in November of last year.

Additionally, the tech giant last week said Midnight Blizzard likely compromised other organizations. HPE disclosed an attack it attributed to the threat actor last week. More importantly, Microsoft revealed that the test tenant account had no multifactor authentication enabled.

"If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks," the blog post disclosing this update read.

Tenable chairman and CEO Amit Yoran told TechTarget Editorial that MFA could have prevented the breach Microsoft suffered and that the company should be held to a higher standard due to its role in the security ecosystem.

"While it's true that Microsoft is often targeted because of its size and impact within IT infrastructure, we have seen a lot of successful attacks recently on their products and now on their company systems as well," Yoran said. "Breaches like the one disclosed last week, which involved password-spraying, can be prevented with multi-factor authentication, which apparently wasn't in place. Microsoft itself touts MFA as an important element to good cyber hygiene. And the fact of the matter is that their status in the security supply chain means they need to be held to a higher standard."

SentinelOne chief trust officer Alex Stamos published a blog post on LinkedIn last week in which he admonished Microsoft for downplaying and obscuring details surrounding the attack in its most recent blog post. Stamos said Microsoft "abused" the use of the term "legacy" to describe the test tenant account, as he said the tenant was "clearly configured to allow for production access as of a couple of weeks ago." He added that Microsoft was obligated to secure its legacy products just as well as more current ones.

Moreover, Stamos argued Microsoft was using its security flaws to upsell its own security products. In one of several examples, Microsoft said defenders could "detect, investigate, and remediate identity-based attacks using solutions like Microsoft Entra ID Protection" despite the post being about an identity attack that Microsoft suffered.

"This is morally indefensible, just as it would be for car companies to charge for seat belts or airplane manufacturers to charge for properly tightened bolts," Stamos said. "It has become clear over the past few years that Microsoft's addiction to security product revenue has seriously warped their product design decisions, where they hold back completely necessary functionality for the most expensive license packs or as add-on purchases."

Karan Sondhi, CTO of Trellix's public sector segment, similarly emphasized this focus on upselling in an email to TechTarget Editorial.

"Microsoft's focus on selling 'security monitoring' tools raises questions about why they aren't prioritizing the security of their infrastructure and products," he said. "Despite best practices like Zero Trust and 'secure by design,' recent incidents imply Microsoft isn't directing enough efforts toward implementing these principles internally and securing its internal infrastructure."

A Microsoft spokesperson shared the following statement with TechTarget Editorial.

Security is a team sport and success is achieved through industry cooperation and information sharing. We are committed to transparency, as we demonstrated by public disclosing this attack just days after we became aware, and then following up with the results of our ongoing investigation days later with more guidance to help our customers protect themselves from a similar attack. This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors. No organization is immune to these persistent attacks.