Hackers piggybacked onto a Microsoft customer support portal between Jan. 1 and March 28 to gain access to the emails of noncorporate account holders on webmail services Microsoft manages, including MSN.com, Hotmail.com and Outlook.com.
Microsoft has confirmed that a “limited” number of customers who use its Web service had their accounts compromised. However, as more details have surfaced, it appears the intrusion may have been more widespread than implied.
“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” Microsoft spokesperson Elissa Brown told the E-Commerce Times.
Microsoft sent email notices to affected users over the weekend reporting that “bad actors” potentially had been able to access their email addresses, folder names, the subject lines of emails and the names of email addresses the user contacted.
“Out of an abundance of caution, we also increased detection and monitoring for the affected accounts,” Brown said.
The hackers could not see the content of any emails or attachments, or login credentials like passwords, according to Microsoft.
The hackers got into the system by compromising a customer support agent’s credentials, according to Microsoft’s letter to hacked account holders.
It remains unclear how many people, accounts and geographic regions were affected. Whether the employee was a Microsoft employee or someone working for a third-party support services provider was not disclosed. Nor has Microsoft explained how the agent’s credentials were obtained or how it discovered the breach.
However the level of information Microsoft has disclosed suggests that this breach was significant, observed Adnan Raja, vice president of marketing for Atlantic.Net.
“It’s significant because it has slowly gotten more serious,” he told the E-Commerce Times.
Microsoft acknowledged it only after it was confronted with screenshots, he pointed out.
The company still has not said how many accounts were affected, “so this suggests it is worse than what has been disclosed,” Raja maintained.
Worrisome Details Emerge
In a limited number of cases, email content including calendars, dates of birth, and login histories reportedly also were compromised, noted Steve Sanders, vice president of internal audit for CSI.
“The attack took place over almost the entire first quarter of 2019. An outside source claims this time frame may have actually been as long as six months. There are likely more details to this compromise that haven’t been released yet,” he told the E-Commerce Times.
Another factor that makes this email breach troubling is the access attackers gained, even if it involved a relatively small percentage of user accounts, noted Marc Laliberte, senior security analyst at WatchGuard Technologies.
“While the number of affected accounts may be limited, the attacker basically had full viewing access, which is very serious,” he told the E-Commerce Times.
While the attackers only had read-only access to victim accounts, they could have viewed any recent password reset links and tokens for other websites. These links are usually short-lived, but if a user has recently reset their password somewhere, they should do it again, Laliberte advised.
If the compromised Microsoft agent in fact was affiliated with a support vendor, that could indicate more serious security holes. Third-party vendors pose security risks for network safety.
“It has been shown time after time that customer support is one of the weakest links in authentication practices,” said Aaron Zander, Head of IT at HackerOne.
“This is a huge problem affecting the industry as a whole, not just Microsoft,” he told the E-Commerce Times.
Companies often hire contractors, agencies and third-party companies to limit liability. However, customer support operations often are treated as burdensome and may be left completely overlooked in terms of security, according to Zander.
“Customer support teams are frequently less secure than other teams in an organization,” he said. “Companies need to make sure that they extend identity management and security best practices to the third-party agencies that they work with.”
More than half of recent cyberbreaches have been due to third-party attacks, noted Vidisha Suman, principal in the digital transformation practice at A.T. Kearney.
It will be interesting to find out how the Microsoft Customer Service Portal/ Account credentials got hacked, she told the E-Commerce Times.
“Based on my experiences defining cyberstrategies for firms, only around one-third of companies know which vendors have access to sensitive data, and less than 20 percent actually know if the vendor is sharing the data with other providers,” Suman said.
“This chain of access is very easy to be compromised, and the impact could be cross-enterprise wide,” she pointed out. “If the Microsoft customer service portal was indeed compromised by a third-party access/plug-in, this may be one of the many such attacks that happened last year compromising millions of customer data.”
Major regulatory bodies across the globe are already reviewing third-party risks and finding ways to ensure accountability, Suman added.
In its letter to affected email account holders, Microsoft recommended they change their login passwords. The company also warned they could expect to see more phishing or spam emails as a result of the breach.
The company suggested that email users be careful with emails received from misleading domain names, or any email requesting personal information or payment, as well as any unsolicited request from an untrusted source.
Users directly impacted also should regard any confidential information sent through Outlook, for example, as compromised and consider taking appropriate steps, advised CSI’s Sanders.
“This incident is a good reminder that no confidential data should be sent through unencrypted email,” he said. “Though two-factor authentication would likely not have prevented users from being compromised in this incident, it is also a good reminder that every user should enable this feature.”
This attack went after the back-end system infrastructure versus the actual end-user experience. That scenario is different from other attack vectors, noted Phil Cardone, CEO of Radius.
While a typical breach might affect day-to-day interactions between people and organizations, this attack could have affected the structural integrity of the Microsoft Office 365 system infrastructure, he explained.
Still, “this could have been much worse than it was,” Cardone told the E-Commerce Times. “Microsoft may be looking to further examine their credentialing and self-auditing to ensure a breach along this line does not happen again and to ensure the safety of their platform.”