Microsoft warns on SIM swap… take it seriously

Microsoft on Tuesday advised internet users to embrace multi-factor authentication (MFA)… except where public switched telephone networks are involved.

Multi-factor authentication, for those who haven’t been paying attention, involves adding one or more additional access requirements to password-based authentication. So an online bank, for example, might send a text message to the mobile phone number associated with a given account to make it more likely that the person entering the account password is authorized to access the account.

The technique isn’t foolproof, but it offers an additional defense against attackers who have obtained, or guessed through various techniques, the password for a victim’s online account. MFA can also be used in conjunction with a password manager: think of multi-factor authentication as an additional layer of protection on top of a strong, unique password.

Microsoft says people should definitely use MFA. It claims that accounts using any type of MFA get compromised at a rate of less than 0.1 per cent of the general population. At the same time, users should stop relying on SMS or voice calls for one-time passwords (OTP): these are the least secure MFA methods, because the code travels over the public telephone network and can be intercepted or redirected comparatively easily.

Hacking techniques like SIM swapping, where a miscreant calls a mobile carrier posing as the customer and asks for the customer’s number to be ported to a SIM card in the attacker’s possession, deliver the SMS codes straight to the attacker. Malware on the handset can likewise harvest incoming SMS messages and defeat two-factor authentication without any SIM swap at all.

The Microsoft Authenticator app, by contrast, uses encrypted communication, allowing bi-directional communication on authentication status, and Microsoft says it is currently working on adding even more context and control to the app to help users keep themselves safe.

Popular mobile authenticator apps that are alternatives to Microsoft’s are Twilio’s Authy, Cisco’s Duo Mobile, Google Authenticator, and password managers like 1Password and LastPass that can generate time-based codes. Any of these would be an improvement over SMS and voice.

O365 Phishing with Image inversion

Researchers have spotted a new and creative Office 365 phishing campaign that inverts the images used as backgrounds for its landing pages, to avoid being flagged as malicious by security solutions that scan the web for phishing sites and scams by matching page images against known brand assets.

The bot avoidance mechanism has been deployed on multiple phishing websites designed to steal Office 365 credentials. 

[Screenshots: phishing Office 365 1.png, phishing Office 365 2.png]

The phishing kit that uses this trick stores the inverted image on the server and automatically reverts it in the browser using a Cascading Style Sheets (CSS) filter, so that the rendered page looks just like a legitimate Office 365 login page.

Phishing-detection web crawlers fetch the raw image file and are therefore served the inverted version, which does not match the known Office 365 background. A potential victim who is redirected to one of these landing pages has the CSS applied by the browser and sees the original background instead of the inverted one.

In summary, the phishing kit displays different versions of the same phishing landing page to victims and to scanning engines.

“However, a victim visiting the website would likely recognize that the inverted picture is illegitimate and exit the website. As a result, the threat actor has stored the inverted image and, within the index.php code, has used a CSS method to revert the color of the image to its original state.” continues the analysis. “This approach results in the final website’s appearing legitimate to users who visit, while crawlers and scanning engines are highly unlikely to detect the image as being an inverted copy of the Office 365 background.”
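The obvious countermeasure for a scanner is to fingerprint the fetched image both as served and after inverting it, and to treat a full invert() filter in the page’s CSS as a signal in its own right. The following is an added example written for this page, not the researchers’ tooling or the phishing kit’s code. It works on constructed raw 8-bit RGB pixel bytes instead of a real PNG so it runs with the standard library only; the reference background, hash table and sample phishing page are all made up.

```python
import hashlib
import re

# Constructed stand-in for the legitimate Office 365 background: raw 8-bit RGB
# bytes for a tiny 4x2 image (a real scanner would decode the PNG first).
REFERENCE_BACKGROUND = bytes([
    0, 114, 198,   0, 114, 198,   0, 114, 198,   0, 114, 198,
    255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
])


def invert_pixels(raw: bytes) -> bytes:
    """Per-channel inversion (255 - v): the same operation CSS `filter: invert(100%)` applies."""
    return bytes(255 - v for v in raw)


def fingerprint(raw: bytes) -> str:
    return hashlib.sha256(raw).hexdigest()


# Hypothetical table of known brand assets, keyed by hash.
KNOWN_BACKGROUNDS = {fingerprint(REFERENCE_BACKGROUND): "office365-login-background"}


def match_naive(served: bytes):
    """What a crawler that only hashes the served bytes concludes about the image."""
    return KNOWN_BACKGROUNDS.get(fingerprint(served))


def match_with_inversion(served: bytes):
    """Hash the served image and its inverse, so an inverted copy still matches."""
    for candidate, how in ((served, "as-served"), (invert_pixels(served), "inverted")):
        name = KNOWN_BACKGROUNDS.get(fingerprint(candidate))
        if name:
            return name, how
    return None


# Matches a full inversion (100% or 1); partial values are left alone on purpose.
INVERT_FILTER = re.compile(r"filter\s*:\s*[^;}]*invert\s*\(\s*(100%|1(\.0)?)\s*\)", re.I)


def css_reverts_image(html: str) -> bool:
    """True when the page's CSS applies a full invert() filter (inline or in a style block)."""
    return INVERT_FILTER.search(html) is not None


def assess_page(html: str, served_image: bytes) -> dict:
    """Combine both signals; either one alone is worth a closer look."""
    img = match_with_inversion(served_image)
    css = css_reverts_image(html)
    return {
        "image_match": img,
        "css_inverts": css,
        "suspicious": (img is not None and img[1] == "inverted") or css,
    }


# Constructed phishing page: ships the inverted image and flips it back in the browser.
PHISH_HTML = """
<html><head><style>
body { background: url('bg.png') no-repeat; }
.bg { filter: invert(100%); }
</style></head>
<body><img class="bg" src="bg.png"><form action="index.php" method="post">
<input name="login"><input name="passwd" type="password"></form></body></html>
"""
SERVED_IMAGE = invert_pixels(REFERENCE_BACKGROUND)

if __name__ == "__main__":
    print("naive hash match:", match_naive(SERVED_IMAGE))
    print("assessment:", assess_page(PHISH_HTML, SERVED_IMAGE))
```

Exact hashing is used here only to keep the example short; a production crawler would use a perceptual hash and compare it against the inverted variant, because the kit authors can recompress the image. More generally, any transform a browser can undo with CSS (hue-rotate, mirroring, colour matrices) can be used the same way, so the robust check is against a rendered screenshot of the page rather than the raw assets.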

Azure Outage Post Mortem Report

It has been a tough week for Microsoft: outage after outage has hit its cloud services, resulting in global disruption.

At the start of this week, a number of Microsoft customers worldwide were impacted by a cascading series of problems that left many unable to access their Microsoft apps and services. Microsoft has since released a post-mortem note for this outage.

Customers reported that they could not sign in to Microsoft and third-party applications that use Azure Active Directory (Azure AD) for authentication. Microsoft acknowledged that the issue stemmed from a mishap in its Safe Deployment Process (SDP).

Azure AD is designed to be geo-distributed and deployed with multiple partitions across multiple data centers around the world, and is built with isolation boundaries. Microsoft normally applies changes first to a validation ring that doesn’t include customer data, followed by four additional rings over the course of several days, before they reach all of production. But this week, due to a defect, the SDP didn’t correctly target the validation ring: all rings were targeted concurrently, and service availability degraded everywhere at once.

Microsoft engineering knew within five minutes that something was wrong. Over the next 30 minutes it started taking steps to expedite mitigation: scaling out some Azure AD services so they could handle the load once a mitigation was applied, and failing over certain workloads to a backup Azure AD authentication system. The automated rollback failed, however, because the same defect had also corrupted the SDP system’s backup metadata, so the rollback had to be applied by manual configuration.

Microsoft fixed the latent code defect in the Azure AD backend SDP system, fixed the existing rollback system, and expanded the scope and frequency of rollback operation drills. The team still needs to apply more protections to the Azure AD SDP system to prevent these kinds of issues. It also needs to expedite the rollout of the Azure AD backup authentication system to all key services, and to onboard Azure AD scenarios to the automated communications pipeline.

Microsoft’s report also doesn’t mention that over the past couple of days customers in various geographies have been reporting problems with Exchange Online and Outlook on their mobile devices. Microsoft attributed that problem to a situation involving Exchange ActiveSync, saying that “a recent configuration update to components that route user requests was the cause of impact.”

On 1 October another, shorter outage of the cloud services was observed.

Office Application Guard! A game changer for Defender ATP

Virtual sandboxing

Microsoft announced on Monday that Microsoft Defender Application Guard for Office is now at the public preview stage.

The solution, also called “Application Guard for Office,” adds a virtualized container or “sandbox” for users of Microsoft 365 productivity applications, such as Excel, PowerPoint and Word. It lets end users safely view and open attached Microsoft 365 application files in e-mails. Any scripts (macros or ActiveX controls) or malicious links in those files, when activated, don’t escape the sandbox. The solution will “isolate untrusted documents away from the system,” Microsoft explained in a document on the topic.

Application Guard for Office, while seemingly useful for all Office users, is aimed only at top-tier Microsoft 365 E5 plan subscribers. The licensing requirements for the product, when generally released, will be subscriptions to “Microsoft 365 E5 or Microsoft 365 E5 Security” licensing.

End users get a warning pop-up box when documents get opened using Application Guard for Office. An opened document will show another pop-up notice in the ribbon menu, and there will be a shield icon displayed in the taskbar. However, it’s still possible for end users to remove the Application Guard for Office protection on a document if they trust the source.

In addition, it’s possible for users to save a copy of an untrusted file, which lets them work on it in the container. Untrusted files from outside the organization appear as “read-only” files to end users.

IT pros can set certain policies for Application Guard for Office, such as disabling copy-and-paste actions, restricting printing and turning off app access to a device’s microphone and camera.

When Application Guard for Office reaches general availability, it’ll be turned off by default for Microsoft 365 E5 tenancies, the announcement indicated. A listing in the Microsoft 365 Roadmap showed Application Guard for Office getting a product release in December.

Hardware Requirements

Requirements for testing the preview include Windows 10 version 2004 (build 19041) Enterprise edition and Office 365 version 2008 (build 16.0.13212 or later). In addition, security update KB4566782 needs to be installed. There are also hardware requirements for client devices: an Intel Core i5 or equivalent at minimum, 8GB of RAM and 10GB of storage space.