CISA Warns of Compromised Microsoft Accounts

CISA issued a fresh CISA emergency directive in early April instructing U.S. federal agencies to mitigate risks stemming from the breach of numerous Microsoft corporate email accounts by the Russian APT29 hacking group. The directive is known as Emergency Directive 24-02 and it addresses the risk of compromised Microsoft accounts for federal agencies and corporations.

The directive mandates agencies to probe potentially impacted emails, reset any compromised credentials and implement safeguards to fortify privileged Microsoft accounts.CISA reports that operatives from Russia are utilizing information pilfered from Microsoft’s corporate email systems, including authentication details exchanged between Microsoft and its clientele via email, to infiltrate certain customer systems.

Federal Agency Handling of Compromised Microsoft Accounts

Microsoft and the U.S. cybersecurity agency have already alerted all federal agencies whose email exchanges with Microsoft were identified as exfiltrated by the Russian hackers. CISA’s latest emergency directive marks the first acknowledgment by the U.S. government that federal agency emails were exfiltrated during the January Microsoft Exchange breaches.

CISA has now directed affected agencies to ascertain the complete content of their correspondence with compromised Microsoft accounts and conduct a cybersecurity impact assessment by April 30, 2024.

Agencies detecting indications of authentication compromises are instructed to:

1. Remediate exposed passwords, tokens, API keys, or other authentication credentials known or suspected to be compromised.
2. For any known or suspected authentication compromises, reset credentials and deactivate any associated applications no longer in use.
3. For any compromised accounts; review sign-in, token issuance, and other account activity logs for potential malicious activity.

While the requirements of ED 24-02 pertain exclusively to Federal Civilian Executive Branch (FCEB) agencies, the exfiltration of Microsoft corporate accounts may affect other organizations and corporations. It is also imperative for all organizations, regardless of the impact, to adopt stringent security measures, such as utilizing strong passwords and implementing multi-factor authentication (MFA).

APT29, SolarWinds & Compromised Microsoft Accounts

APT29 was responsible for the 2020 SolarWinds supply chain attack, which resulted in breaches affecting several U.S. federal agencies and numerous companies, including Microsoft. Microsoft verified that the breach facilitated the Russian hacking group in pilfering source code for certain Azure, Intune, and Exchange components. In 2021, the APT29 hackers once more penetrated a Microsoft corporate account, granting them access to customer support tools.

Earlier this year, Microsoft disclosed that APT29 hackers had infiltrated its corporate email servers through a password spray attack, compromising a legacy non-production test tenant account. The compromised account possessed authorization to an application with elevated privileges within Microsoft’s corporate environment, enabling the attackers to infiltrate and extract data from corporate mailboxes. These compromised email accounts included those belonging to members of Microsoft’s leadership team and an undisclosed number of employees in the company’s cybersecurity and legal departments.

How to Detect Compromised Accounts and Maintaining Security

Detecting compromised Microsoft accounts is crucial for maintaining the security of your organization’s data and systems. Here are some key indicators to watch out for:

• Monitor Account Activity: Regularly monitor the activity logs of Microsoft accounts for any suspicious or unauthorized activities. Look for signs such as unusual login times or locations, multiple failed login attempts, or access to sensitive data by unauthorized users.
• Screen Accounts for Compromised Credentials: Prioritize screening of accounts for compromised credentials. Tools like Enzoic for Active Directory automate this process against a backend database of billions of compromised credentials. Implementing unsafe password screening and compromised password monitoring can help organizations safeguard their sensitive data and prevent unauthorized access to their systems and networks.
• Implement Multi-Factor Authentication (MFA): Enable MFA for all Microsoft accounts to add an extra layer of security. MFA requires users to provide additional verification, such as a code sent to their phone, in addition to their password, making it harder for unauthorized users to access accounts even if passwords are compromised. But remember, MFA only works well when the first factor, the password, is secure.
• Regularly Review Permissions and Access: Conduct regular audits of permissions and access levels assigned to Microsoft accounts. Remove any unnecessary permissions or roles and ensure that access is only granted to individuals who require it for their job responsibilities.
• Set up Alerts and Notifications: Configure alerts and notifications for suspicious activities or security events within Microsoft accounts. This can help you quickly detect and respond to potential compromises or security breaches.
• Educate Users on Phishing and Social Engineering: Train employees to recognize phishing attempts and social engineering tactics used by attackers to steal account credentials. Encourage them to report any suspicious emails or messages and avoid clicking on links or providing personal information unless they are certain of the sender’s authenticity.

By following these proactive measures and staying vigilant, organizations can enhance their ability to detect compromised Microsoft accounts and mitigate the risks associated with unauthorized access to sensitive data and systems.

To learn more about CISA Emergency Directive 24-02, please visit:

https://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system