The Microsoft hack that saw Outlook.com accounts accessed between 1 January and 28 March 2019 is the latest example of insider threat, a lesser-known area of cybersecurity that businesses should be paying attention to, according to cybersecurity experts.
Microsoft yesterday alerted users that the credentials of a support agent working on its webmail service had been compromised, giving an unknown hacker access to an unknown number of accounts.
While the attacker could not access passwords or other personal information, according to Microsoft, they could see email addresses, folder names and email subject lines.
“Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used,” said Microsoft in an email to users.
Insider threat at the heart of the Microsoft hack
For cybersecurity experts, the attack highlights the risk posed by insider threats – where people inside the organisation, such as former employees or contractors, present a security risk.
“This is another case of insider threat, which often gets a lower level of attention and priority,” said Anjola Adeniyi, technical leader at Securonix.
“Organisations should understand that while the likelihood may be lower than other forms of cyber risk, its impact can be much greater and therefore should give it a bigger focus. Insider threat is not only about malicious users, as we see in this case of a compromised user.”
“Sensitive accounts such as admin accounts, support accounts, or even social media accounts are attractive targets for criminals, which is why it is important to monitor these accounts to detect not only if compromised externally, but also if an insider decides to go rogue,” added Javvad Malik, security advocate at AT&T Cybersecurity.
“As this incident shows, when a legitimate account undertakes malicious activity, unless specific controls are put in place, such as behavioural monitoring, it can take a long time to pick up that something is amiss, and even longer to unpick what damage has been done.”
Questions over timescale of Microsoft hack
The Microsoft hack took a considerable amount of time for the software giant to identify – which has led to criticism from some cybersecurity experts.
“It’s good that access to the information in emails and account passwords was apparently not accessed, this is likely due to Microsoft’s own restrictions on support account’s visibility into personal data and passwords, however the amount of time that the breach went on is disappointing,” said Dan Pitman, principal security architect at Alert Logic.
“This kind of event should trigger a review of support access restrictions, you would hope they would require multiple factors of authentication to login as advised to end users.”
“What worries me most is that Microsoft, on the one hand, say, ‘We consistently monitor our networks looking for any irregularities on the network’ yet admit that ‘the attackers may have had access to Microsoft systems for a considerable period of time — something under three months’,” agreed Brian Higgins, security specialist, Comparitech.com.
“As a customer, that doesn’t fill me with confidence in their intrusion monitoring capabilities and makes me wonder who else is casually sitting on their network waiting to strike!”
What action should users take?
The affected users in the Microsoft hack are likely to be a mixture of individuals and businesses; however, for both there is little realistic action to take other than the standard post-breach password change.
“Users can’t do much about it. Not sharing your data is not possible these days, if you want to use these services. You can never be sure that the service of your choice won’t be hacked – there is no 100% security, there is no silver bullet. With insider attacks, an increasing attack surface and more and more vulnerabilities, the question is not if a breach will happen – but when,” said Felix Rosbach, product manager at comforte AG.
“Of course, you could set up your own mail server – but are you sure you can do a better job than Microsoft in terms of cybersecurity? If so, go for it.”