Linked – In major gaffe, hacked Microsoft test account was assigned admin privileges

This is a pretty big “oops.”

How does a legacy test account grant access to read every Office 365 account?

In Thursday’s post updating customers on findings from its ongoing investigation, Microsoft provided more details on how the hackers achieved this monumental escalation of access. The hackers, part of a group Microsoft tracks as Midnight Blizzard, gained persistent access to the privileged email accounts by abusing the OAuth authorization protocol, which is used industry-wide to allow an array of apps to access resources on a network. After compromising the test tenant, Midnight Blizzard used it to create a malicious app and assign it rights to access every email address on Microsoft’s Office 365 email service.

The thing is, I can see where this happened. Sometimes, you need real “stuff” to test against, and the production tenant has all the real stuff. It’s very tempting to create the test tenant connected to the production tenant and get lazy about protecting the accounts because it’s for testing and likely temporary. Then things get busy, and you forget to disable it. (Or did someone get laid off or leave, and no one else realized it was still connected?)

As the article below points out, I bet this wasn’t a technical issue. It’s not a bug. It’s a poor configuration choice, yes, likely made worse by a poor change management process. Somewhere along the way, you’d think someone would have written down that this existed, and someone else would see it written down and act on it. That didn’t happen. You’d also like to think there would be a hard rule to enable MFA in any environment, including testing ones.
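The "written down" inventory is something you can generate rather than hope for. The script below is an added example (not code from the linked article, from Microsoft, or from this blog) that lists every service principal in an Entra ID tenant holding application-level ("app-only") permissions able to read mail across all mailboxes, which is the class of grant the quoted passage describes. It assumes the Microsoft.Graph PowerShell module is installed and that the account running it can read applications and the directory; the permission names in $MailRoles are the published Microsoft Graph and Exchange Online application permission values, and the CSV path is arbitrary.

```powershell
#Requires -Modules Microsoft.Graph.Applications
# Added example: inventory app-only mail permissions granted in an Entra ID tenant.
# Assumes the Microsoft.Graph module is installed; output path is arbitrary.

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Application permissions that reach every mailbox in the tenant, not just the signed-in user's.
#   Microsoft Graph:       Mail.Read, Mail.ReadWrite, Mail.ReadBasic.All, Mail.Send
#   Office 365 Exchange Online: full_access_as_app, Exchange.ManageAsApp
$MailRoles = @('Mail.Read', 'Mail.ReadWrite', 'Mail.ReadBasic.All', 'Mail.Send',
               'full_access_as_app', 'Exchange.ManageAsApp')

# appRoleAssignments only carry the role's GUID; resolve it against the resource
# service principal's AppRoles list and cache those lookups (there are only a few resources).
$resourceCache = @{}
function Resolve-AppRoleValue {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $resourceCache.ContainsKey($ResourceId)) {
        $resourceCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId -Property AppRoles,DisplayName
    }
    $role = $resourceCache[$ResourceId].AppRoles | Where-Object { $_.Id -eq $AppRoleId }
    return $role.Value
}

$findings = foreach ($sp in Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,AppOwnerOrganizationId) {
    # An appRoleAssignment where the principal is a service principal is an admin-consented
    # application permission: the app can use it with no user present.
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $value = Resolve-AppRoleValue -ResourceId $a.ResourceId -AppRoleId $a.AppRoleId
        if ($value -in $MailRoles) {
            [pscustomobject]@{
                ServicePrincipal = $sp.DisplayName
                AppId            = $sp.AppId
                Resource         = $a.ResourceDisplayName
                Permission       = $value
                Granted          = $a.CreatedDateTime
                # Apps registered in another tenant (for example a test tenant) show that
                # tenant's ID here; those are the ones to scrutinise first.
                HomeTenant       = $sp.AppOwnerOrganizationId
            }
        }
    }
}

$findings | Sort-Object Granted -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path .\mail-app-permissions.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the last run: a new row, especially one whose HomeTenant is not your production tenant, is exactly the event that should have been caught here. This covers app-only grants; delegated consents (which act as a specific user) live in oauth2PermissionGrants and can be listed separately with Get-MgOauth2PermissionGrant.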

Hopefully, they’ve learned a valuable lesson and are implementing better change management processes to track these things.
