GNU social JP
Conversation

  1. Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 06-Jul-2024 02:54:54 JST

    PSA to orgs: if you use Microsoft 365, check your email logs for an email from mbsupport@microsoft.com

    Microsoft are emailing tenant admin email addresses about a breach by Midnight Blizzard - you might not get the emails due to spam filtering etc.

    https://www.reddit.com/r/microsoft/comments/1dowpf9/midnight_blizzard_microsoft_email_data_sharing/ #threatintel

    Attachments

    1. https://cyberplace.social/system/media_attachments/files/112/735/134/373/546/426/original/a01dec17128e63b3.png
    • ian spence :yikes: (ecn@mastodon.social)'s status on Saturday, 06-Jul-2024 02:59:23 JST

      @GossiTheDog "Customer Success Account Manager (CSAM)"

      NO. WHO APPROVED THIS.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 06-Jul-2024 05:05:47 JST

      I would suggest orgs who use M365 want to check their Exchange Online logs for that email address.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 06-Jul-2024 19:55:27 JST

      Just to be super clear, these are legit emails. Microsoft didn’t follow their M365 customer data breach notification process.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 06-Jul-2024 20:01:52 JST

      Also, if you don’t use M365, check your email logs anyway.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 07-Jul-2024 08:16:39 JST

      I’ve blown this up on LinkedIn now as it’s clear from talking to lots of impacted orgs they’ve found out about their breach from me.

      The emails in the MS notification flow don’t even pass SPF, DKIM. It’s great that MS are being transparent — but they need to get down how to notify orgs.

      https://www.linkedin.com/posts/kevin-beaumont-security_check-your-email-logs-including-exchange-activity-7215355395878305793-K8n_?utm_source=share&utm_medium=member_ios

    • faebudo (faebudo@ioc.exchange)'s status on Sunday, 07-Jul-2024 14:06:27 JST

      @GossiTheDog I've just read that mail. Didn't we learn from Qualys a few days ago that CSAM is not a good acronym in cybersecurity?
      Also according to Microsoft itself that role doesn't exist but a CSM does.

    • fthy (fthy@mastodon.green)'s status on Tuesday, 09-Jul-2024 02:49:45 JST

      @GossiTheDog

      Over 100 of those secret URLs: https://urlscan.io/search/#page.domain%3Apurviewcustomer.powerappsportals.com

      #microsoft #infosec

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 09-Jul-2024 02:58:57 JST

      I know Mastodon didn’t look at the screenshot in this thread as they haven’t freaked out about CSAM being used as a job title 🤣

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 09-Jul-2024 06:42:06 JST

      Gonna start replying to these saying it’s legit since nobody else is. https://answers.microsoft.com/en-us/msoffice/forum/all/midnight-blizzard-data-sharing-request-email/1c1e90f6-43fc-4c91-ac77-3127fb6a340c

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 09-Jul-2024 07:12:26 JST

      My favourite part of this saga is aside from the MS breach notification emails not having valid DKIM signing nor SPF, the emails are getting flagged as phishing and submitted to sandboxes.

      Each tenant has a unique URL, and I’m tracking over 500 so far - so there’s at least 500 victim orgs.


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/112/753/159/361/918/674/original/7d033f402c5141f1.png
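
Added example, not part of the thread: one way to run the check the posts above ask for over raw messages exported from a mail store or quarantine, matching the exact From address and reading SPF/DKIM verdicts only from your own gateway's `Authentication-Results` header. The sample messages are constructed, and the authserv-id `mx.example.org` and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

SENDER = "mbsupport@microsoft.com"   # sender address named in the thread
TRUSTED_AUTHSERV = "mx.example.org"  # assumption: your own gateway's authserv-id

# Constructed sample messages, not real mail.
SAMPLES = [
    "From: Microsoft <mbsupport@microsoft.com>\n"
    "Subject: constructed notification\n"
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=microsoft.com; dkim=none\n"
    "\nbody\n",
    "From: MBSUPPORT@Microsoft.com\n"
    "Subject: constructed, untrusted results only\n"
    "Authentication-Results: relay.invalid; spf=pass; dkim=pass\n"
    "\nbody\n",
    "From: Support <mbsupport@micros0ft.example>\n"
    "Subject: constructed lookalike\n"
    "Authentication-Results: mx.example.org; spf=pass; dkim=pass\n"
    "\nbody\n",
]

def auth_verdicts(msg, trusted=TRUSTED_AUTHSERV):
    """SPF/DKIM results from the topmost Authentication-Results header
    stamped by our own gateway; headers added by other hosts are ignored."""
    verdicts = {"spf": "missing", "dkim": "missing"}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != trusted:
            continue
        for method, result in re.findall(r"\b(spf|dkim)\s*=\s*(\w+)", results, re.I):
            if verdicts[method.lower()] == "missing":
                verdicts[method.lower()] = result.lower()
        break  # topmost trusted header only
    return verdicts

def find_notifications(raw_messages, sender=SENDER):
    """Return one record per message whose From address is exactly `sender`."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        addrs = {addr.lower() for _, addr in getaddresses(msg.get_all("From", []))}
        if sender in addrs:
            hits.append({"subject": msg["Subject"], **auth_verdicts(msg)})
    return hits

if __name__ == "__main__":
    for hit in find_notifications(SAMPLES):
        print(hit)
```

A hit with `fail`, `none` or `missing` verdicts is the kind of message a filter is likely to have junked or quarantined, so search those folders as well as delivered mail.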
    • Dźwiedziu (dzwiedziu@mastodon.social)'s status on Tuesday, 09-Jul-2024 07:19:44 JST

      @GossiTheDog
      * I would suggest orgs who use M365 to stop.

      FTFY ^_^J

    • Dan Kletter 🥑 (soundclamp@mastodon.xyz)'s status on Wednesday, 10-Jul-2024 00:34:34 JST

      @GossiTheDog @zbender Sounds like you’re saying small companies are just now finding out about the breach? https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 10-Jul-2024 02:18:36 JST

      I’ve had multiple people reach out to me to say Microsoft support have told them the email in the screenshot isn’t legit. It is.

      Get the MS support team to talk to Redmond security team if you get caught in that loop.

      Also, everybody dealing with this, drink.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 10-Jul-2024 05:54:44 JST

      Is there any interest in a Signal group for people dealing with the Midnight Blizzard Microsoft email heist caper?

    • petrichor (petrichor@cyberplace.social)'s status on Wednesday, 10-Jul-2024 07:04:00 JST

      @GossiTheDog yes

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 11-Jul-2024 02:06:46 JST

      A nice summary of where this is up to so far. Transparency from MS = good and much needed, they just need to execute it better.

      https://techcrunch.com/2024/07/10/microsoft-emails-that-warned-customers-of-russian-hacks-criticized-for-looking-like-spam-and-phishing/

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 11-Jul-2024 08:51:58 JST

      When you send out a data breach notification but don’t tell your security staff 😅

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/112/764/874/695/015/938/original/4da1e79b0ea66ccc.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 12-Jul-2024 03:46:27 JST

      Does anybody know if Microsoft has tried to notify *all* impacted orgs in this incident (Microsoft corporate email breach), i.e. every org that has emailed or been emailed by Microsoft and had the email stolen?

      I can see TechCrunch asked them, but they declined to comment.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 18-Jul-2024 06:12:08 JST

      My posts about how to find the Midnight Blizzard Microsoft breach notification have reached over half a million views across social media now (excluding Mastodon, which doesn’t track).

      My phone is still orgs finding out about the notification from my posts.

      The most impacted parties appear to be Microsoft security customers, and most of my Signal messages are from CISOs.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 18-Jul-2024 06:15:45 JST

      Btw one of fave things about it is, after you find the email and follow the instructions, you get invited to a shared tenant at Microsoft for the victims - with ‘this email is not from Microsoft’ written on the email.. from Microsoft.

    • Graham Sutherland / Polynomial (gsuberland@chaos.social)'s status on Thursday, 18-Jul-2024 06:33:11 JST

      @GossiTheDog I honestly don't understand how they keep butchering their handling of these situations.


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.