Microsoft Privacy

Microsoft Informs Customers that Russian Hackers Spied on Emails

Russian hackers who broke into Microsoft's systems and spied on staff inboxes earlier this year also stole emails from its customers, the tech giant said on Thursday, around six months after it first disclosed the intrusion. Reuters: The disclosure underscores the breadth of the breach as Microsoft faces increasing regulatory scrutiny over the security of its software and systems against foreign threats. An allegedly Chinese hacking group that separately breached Microsoft last year stole thousands of U.S. government emails. Microsoft said it was also sharing the compromised emails with its customers, but did not say how many customers had been impacted, nor how many emails may have been stolen.

  • by Kokuyo ( 549451 ) on Friday June 28, 2024 @10:43AM (#64585231) Journal

    I don't even know what more to say :D.

    • If you allow web access, on prem Exchange isn't any better.

      • This. Over my career as a sysadmin I have been hit with so many zero days for exim, exchange, zimbra, et al I just assume all your emails belong to russia.

        There is no such thing as a secure computer unless it is turned off.

        • The ironic thing is that this was something discussed and "solved" in the early 1990s. Insecure email is one of the reasons why PGP was created, because way back when, if one had shell access (back when many users were on one system), you could just read /var/spool/mail/* because there was a high chance permissions were bad.

          Maybe we need to go back to having message encryption be separate from transport encryption. That way, even if an E2EE service gets compromised, someone pushes out a client with a backd

        • by gweihir ( 88907 )

          Got any for Postfix? Because that is what I selected for my own infrastructure after maybe half a day of research.

      • Re: (Score:2, Informative)

        KIND of agree - if you leave it completely open without geofencing, if you don't have complex password requirements, if you don't force frequent password changes, and if you don't have 2fa, and if you don't keep up with patching..

        I would argue that if you take proper precautions on premises is more secure, and more importantly, you can SEE YOURSELF what is going on.

        Cloud is putting all your eggs and trust into someone else's basket - and it has been shown over and over and over again that trust is misplaced

        • Password changes on an MFA-protected account really only need be required if there is suspicious activity detected on the account.

          Otherwise you get sticky notes or password managers (individual keys are pointless if they're all protected by a single key).

          If you lock down devices to have an always-on VPN that helps a lot, too. As far as I am aware, 365 is still vulnerable to token interception if you use untrusted WiFi.

        • by Shakrai ( 717556 )

          if you leave it completely open without geofencing

          Geofencing certainly doesn't hurt but if you think it's a meaningful defense against modern day threats you're kind of deluding yourself. It's also not really relevant in a discussion of Cloud vs. On-Prem. You can (and should) use Conditional Access policies to geofence your 365 tenant(s).

          I would argue that if you take proper precautions on premises is more secure

          Not true for the vast majority of small to medium sized businesses that cannot afford a 24/7 SecOps team. If you work for a small business like mine, you're probably THE SecOps team. Cloud anything (be it Microsoft, G

          • by DarkOx ( 621550 )

            you're probably THE SecOps team. Cloud anything (be it Microsoft, Google, AWS, etc.) is going to give you more than that.

            That is a resounding 'maybe' it certainly can give you more than that. o365 can be great in that respect. However get compromised and finding out you haven't got jack-or-shit in the way of forensic evidence to pursue the bad actors with or even limit the number of disclosures and compromise notifications you need to make because ooops you didn't pay for e5 licenses so no logs for you - is a bad day.

            Cloud gives you all the tools to run what is going to be probably an effective security program against anyone

            • by Shakrai ( 717556 )

              you haven't got jack-or-shit in the way of forensic evidence to pursue the bad actors with or even limit the number of disclosures and compromise notifications you need to make because ooops you didn't pay for e5 licenses so no logs for you

              Base 365 licenses include 180 days of audit logs. If you're so inclined you can hook it to a SIEM and have -- in theory -- unlimited logs and ways to review them. It's far from perfect but it's still arguably better than on-prem, where you may find you have no logs at all if the compromise is bad enough and/or the admin team incompetent enough.

              doing it correctly having all your i(s) dotted and t(s) crossed, does NOT require less knowledge than traditional IT solutions

              Agreed on this part. I never said it requires LESS knowledge. It does require DIFFERENT knowledge. The cloud can make it easy to hang yourself if you don't take

    • I don't even know what more to say :D.

      How about a thank you to MS for pushing Windows users to have cloud accounts, with your local data sync'ed, so hackers can steal your info w/o having to break into your local PC. Sure, it makes it way easier to steal everyone's info all at once, but your local PC is safe. It's also way more efficient, not just for the hackers, but energy efficient. Think of all power saved by not having to try, and sometimes failing, to break into millions of PCs all over the World.

    • And for our next event: GitHub on a stick! Feast mightily my well seasoned crackers!! Enjoy the exploits.
  • "Oh hay. By the way. 'OOPSIE POOPSIE!'" -- Microsoft, probably.

  • no worries (Score:4, Funny)

    by zlives ( 2009072 ) on Friday June 28, 2024 @10:49AM (#64585243)

    Security is now MS's top priority according to chatGPT

    • by gweihir ( 88907 )

      It has always been! Of course, the "top priorities" are what MS classifies as "maybe do later". They are busy putting ads in Win11 and trying to force users onto it.

  • duh! not really real news! Anyone using Microsoft products or services does so at their own peril!
  • I'd like to know which environments exactly were accessed. Microsoft has several different clouds that are at least somewhat separated, Commercial cloud, Government cloud, Government cloud high security, Government cloud DoD, there is one in China, one in Germany, maybe others.

    • I'd like to know which environments exactly were accessed. Microsoft has several different clouds that are at least somewhat separated, Commercial cloud, Government cloud, Government cloud high security, Government cloud DoD, there is one in China, one in Germany, maybe others.

      Remember when the cloud was 100 percent secure? When if anyone questioned its security, they were scoffed at?

      • by HiThere ( 15173 )

        No. The cloud has always been "storing your data on someone else's hardware...and you can't guarantee whose hardware or who has access." That goes back to the day the term was invented.

        • No. The cloud has always been "storing your data on someone else's hardware...and you can't guarantee whose hardware or who has access." That goes back to the day the term was invented.

          Of course it was non-secure, which is what I meant. Should use a /s tag. Storing your data on someone else's computer was just a re-invention of the ancient hard drive rental space from the 70's, where you modemed into someone's computer with bigger storage. That failed then, and it was reinvented as a way to get rid of most of your IT department, so the CFOs orgasmed on how they could get rid of people.

          So reality or not, we were told that it was perfectly secure, and when the obvious questions come up

    • by gtall ( 79522 )

      Government cloud high security? From Microsoft? Bwahahahahaha....

    • by gweihir ( 88907 )

      All of them? Unless they think their own internal email does not merit high security, that is. In the 2023 Outlook online, at least, all customers were affected, but apparently not internal email.

      • Outlook Online is in the Commercial cloud.

        If these clouds are all truly separate then "all of them" would be unexpected.

        • by gweihir ( 88907 )

          I really do not know. But MS is greedy like never before and incompetent like never before, so assuming the worst seems appropriate. Well, they got a bit more competent and the attackers got a ton more competent.

  • Microsoft is the (Score:3, Insightful)

    by Tablizer ( 95088 ) on Friday June 28, 2024 @11:11AM (#64585295) Journal

    ...Boeing of security.

  • I represent the ttbosc Ltd. and we'd like to thank you for your diligence and unwavering professionalism.....
  • At least they are consistent.

  • It's easy to come clean after you've been caught red-handed.
