Tuesday, June 24, 2025

Security Boulevard Logo

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
    • News Releases
  • Security Creators Network
    • Latest Posts
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Webinars
    • Upcoming Webinars
    • Calendar View
    • On-Demand Webinars
  • Events
    • Upcoming Events
    • On-Demand Events
  • Sponsored Content
  • Chat
    • Security Boulevard Chat
    • Marketing InSecurity Podcast
    • Techstrong.tv Podcast
    • TechstrongTV - Twitch
  • Library
  • Related Sites
    • Techstrong Group
    • Cloud Native Now
    • DevOps.com
    • Security Boulevard
    • Techstrong Research
    • Techstrong TV
    • Techstrong.tv Podcast
    • Techstrong.tv - Twitch
    • Devops Chat
    • DevOps Dozen
    • DevOps TV
  • Media Kit
  • About
  • Sponsor

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
Data Security Security Bloggers Network Threats & Breaches 

Home » Promo » Cybersecurity » CISA Warns of Compromised Microsoft Accounts

SBN

CISA Warns of Compromised Microsoft Accounts

by Enzoic on April 12, 2024

CISA issued a fresh CISA emergency directive in early April instructing U.S. federal agencies to mitigate risks stemming from the breach of numerous Microsoft corporate email accounts by the Russian APT29 hacking group. The directive is known as Emergency Directive 24-02 and it addresses the risk of compromised Microsoft accounts for federal agencies and corporations.

The directive mandates agencies to probe potentially impacted emails, reset any compromised credentials and implement safeguards to fortify privileged Microsoft accounts.CISA reports that operatives from Russia are utilizing information pilfered from Microsoft’s corporate email systems, including authentication details exchanged between Microsoft and its clientele via email, to infiltrate certain customer systems.

Federal Agency Handling of Compromised Microsoft Accounts

Microsoft and the U.S. cybersecurity agency have already alerted all federal agencies whose email exchanges with Microsoft were identified as exfiltrated by the Russian hackers. CISA’s latest emergency directive marks the first acknowledgment by the U.S. government that federal agency emails were exfiltrated during the January Microsoft Exchange breaches.

Techstrong Gang Youtube
AWS Hub

CISA has now directed affected agencies to ascertain the complete content of their correspondence with compromised Microsoft accounts and conduct a cybersecurity impact assessment by April 30, 2024.

Agencies detecting indications of authentication compromises are instructed to:

  1. Remediate exposed passwords, tokens, API keys, or other authentication credentials known or suspected to be compromised.
  2. For any known or suspected authentication compromises, reset credentials and deactivate any associated applications no longer in use.
  3. For any compromised accounts; review sign-in, token issuance, and other account activity logs for potential malicious activity.

While the requirements of ED 24-02 pertain exclusively to Federal Civilian Executive Branch (FCEB) agencies, the exfiltration of Microsoft corporate accounts may affect other organizations and corporations. It is also imperative for all organizations, regardless of the impact, to adopt stringent security measures, such as utilizing strong passwords and implementing multi-factor authentication (MFA).

APT29, SolarWinds & Compromised Microsoft Accounts

APT29 was responsible for the 2020 SolarWinds supply chain attack, which resulted in breaches affecting several U.S. federal agencies and numerous companies, including Microsoft. Microsoft verified that the breach facilitated the Russian hacking group in pilfering source code for certain Azure, Intune, and Exchange components. In 2021, the APT29 hackers once more penetrated a Microsoft corporate account, granting them access to customer support tools.

Earlier this year, Microsoft disclosed that APT29 hackers had infiltrated its corporate email servers through a password spray attack, compromising a legacy non-production test tenant account. The compromised account possessed authorization to an application with elevated privileges within Microsoft’s corporate environment, enabling the attackers to infiltrate and extract data from corporate mailboxes. These compromised email accounts included those belonging to members of Microsoft’s leadership team and an undisclosed number of employees in the company’s cybersecurity and legal departments.

How to Detect Compromised Microsoft Accounts

Detecting compromised Microsoft accounts is crucial for maintaining the security of your organization’s data and systems. Here are some key indicators to watch out for:

  • Monitor Account Activity: Regularly monitor the activity logs of Microsoft accounts for any suspicious or unauthorized activities. Look for signs such as unusual login times or locations, multiple failed login attempts, or access to sensitive data by unauthorized users.
  • Screen Accounts for Compromised Credentials: Prioritize screening of accounts for compromised credentials. Tools like Enzoic for Active Directory automate this process against a backend database of billions of compromised credentials. Implementing unsafe password screening and compromised password monitoring can help organizations safeguard their sensitive data and prevent unauthorized access to their systems and networks.
  • Implement Multi-Factor Authentication (MFA): Enable MFA for all Microsoft accounts to add an extra layer of security. MFA requires users to provide additional verification, such as a code sent to their phone, in addition to their password, making it harder for unauthorized users to access accounts even if passwords are compromised. But remember, MFA only works well when the first factor, the password, is secure.
  • Regularly Review Permissions and Access: Conduct regular audits of permissions and access levels assigned to Microsoft accounts. Remove any unnecessary permissions or roles and ensure that access is only granted to individuals who require it for their job responsibilities.
  • Set up Alerts and Notifications: Configure alerts and notifications for suspicious activities or security events within Microsoft accounts. This can help you quickly detect and respond to potential compromises or security breaches.
  • Educate Users on Phishing and Social Engineering: Train employees to recognize phishing attempts and social engineering tactics used by attackers to steal account credentials. Encourage them to report any suspicious emails or messages and avoid clicking on links or providing personal information unless they are certain of the sender’s authenticity.

By following these proactive measures and staying vigilant, organizations can enhance their ability to detect compromised Microsoft accounts and mitigate the risks associated with unauthorized access to sensitive data and systems.

To learn more about CISA Emergency Directive 24-02, please visit: https://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system

The post CISA Warns of Compromised Microsoft Accounts appeared first on Enzoic.

*** This is a Security Bloggers Network syndicated blog from Blog | Enzoic authored by Enzoic. Read the original post at: https://www.enzoic.com/blog/compromised-microsoft-accounts/

April 12, 2024April 12, 2024 Enzoic account takeover, Active Directory, Cybersecurity, Data breaches, Regulation and Compliance
  • ← Balbix Guide to XZ Utils Backdoor
  • Another CVE (PAN-OS Zero-Day), Another Reason to Consider Zero Trust →

Techstrong TV

Click full-screen to enable volume control
Watch latest episodes and shows

Tech Field Day Events

Upcoming Webinars

How to Spot and Stop Security Risks From Unmanaged AI Tools

Podcast

Listen to all of our podcasts

Press Releases

GoPlus's Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

Zama Raises $73M in Series A Lead by Multicoin Capital and Protocol Labs to Commercialize Fully Homomorphic Encryption

Zama Raises $73M in Series A Lead by Multicoin Capital and Protocol Labs to Commercialize Fully Homomorphic Encryption

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

Subscribe to our Newsletters

ThreatLocker

Most Read on the Boulevard

Google’s $32 Billion Acquisition of Wiz Draws DoJ Antitrust Probe: Report
US Pig Butchering Victims ‘Will’ Get Refunds — Feds Seize $225M Cryptocurrency
16 Billion Leaked Records May Not Be a New Breach, But They’re a Threat
Is Your CISO Ready to Flee? 
Scattered Spider Targets Aflac, Other Insurance Companies
Your passwords are everywhere: What the massive 16 billion login leak means for you
Understanding EchoLeak: What This Vulnerability Teaches Us About Application Security | Impart Security
The $4.88 Million Question: Why Password-Based Breaches Are Getting More Expensive
Cybersecurity Snapshot: Tenable Report Spotlights Cloud Exposures, as Google Catches Pro-Russia Hackers Impersonating Feds
Unpacking the Verizon 2025 Data Breach Investigations Report

Industry Spotlight

Scattered Spider Targets Aflac, Other Insurance Companies
Cloud Security Cybersecurity Data Privacy Data Security Featured Identity & Access Industry Spotlight Mobile Security Network Security News Security Awareness Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Social Engineering Spotlight Threat Intelligence 

Scattered Spider Targets Aflac, Other Insurance Companies

June 22, 2025 Jeffrey Burt | 1 day ago 0
US Pig Butchering Victims ‘Will’ Get Refunds — Feds Seize $225M Cryptocurrency
Analytics & Intelligence Blockchain Cyberlaw Cybersecurity Data Privacy Digital Currency Featured Governance, Risk & Compliance Humor Incident Response Industry Spotlight Mobile Security Most Read This Week Network Security News Popular Post Security Awareness Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Social Engineering Spotlight Threat Intelligence Threats & Breaches 

US Pig Butchering Victims ‘Will’ Get Refunds — Feds Seize $225M Cryptocurrency

June 20, 2025 Richi Jennings | 3 days ago 0
Iran Reduces Internet Access After Israeli Airstrikes, Cyberattacks
Blockchain Cloud Security Cybersecurity Data Security Digital Currency Featured Identity & Access Incident Response Industry Spotlight Network Security News Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight Threat Intelligence Threats & Breaches 

Iran Reduces Internet Access After Israeli Airstrikes, Cyberattacks

June 18, 2025 Jeffrey Burt | Jun 18 0

Top Stories

DataKrypto and Tumeryk Join Forces to Deliver World’s First Secure Encrypted Guardrails for AI LLMs and SLMs
AI and Machine Learning in Security AI and ML in Security Cybersecurity Featured Governance, Risk & Compliance News Security Awareness Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight 

DataKrypto and Tumeryk Join Forces to Deliver World’s First Secure Encrypted Guardrails for AI LLMs and SLMs

June 24, 2025 John D. Boyle | 3 hours ago 0
16 Billion Leaked Records May Not Be a New Breach, But They’re a Threat
Cloud Security Cybersecurity Data Privacy Data Security Endpoint Featured Identity & Access Malware Mobile Security Network Security News Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Social Engineering Spotlight Threat Intelligence Threats & Breaches 

16 Billion Leaked Records May Not Be a New Breach, But They’re a Threat

June 22, 2025 Jeffrey Burt | 2 days ago 0
AWS Raises Expertise Bar for MSSP Partners
AI and Machine Learning in Security Cybersecurity Featured News Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight 

AWS Raises Expertise Bar for MSSP Partners

June 22, 2025 Michael Vizard | 2 days ago 0

Security Humor

Randall Munroe’s XKCD ‘Exoplanet System’

Randall Munroe’s XKCD ‘Exoplanet System’

Download Free eBook

Managing the AppSec Toolstack

Security Boulevard Logo White

DMCA

Join the Community

  • Add your blog to Security Creators Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: [email protected]

Useful Links

  • About
  • Media Kit
  • Sponsor Info
  • Copyright
  • TOS
  • DMCA Compliance Statement
  • Privacy Policy

Related Sites

  • Techstrong Group
  • Cloud Native Now
  • DevOps.com
  • Digital CxO
  • Techstrong Research
  • Techstrong TV
  • Techstrong.tv Podcast
  • DevOps Chat
  • DevOps Dozen
  • DevOps TV
Powered by Techstrong Group
Copyright © 2025 Techstrong Group Inc. All rights reserved.
×