Fun fact (which is a fact but not fun at all): every org that has SharePoint has enormous critical/sensitive data all over the place. Anything from trade secrets, future plans, passwords, personal data, etc. So compromising 'one account' means that someone can start roaming on the intranet, start searching for keywords ('password:', 'passport ID', 'home address', 'home number', 'driver's license', etc.) and will collect all the data they need for further attacks.
It's a strange combination of leaking the information to those who shouldn't have it, while denying the information to those who should.
(Denying, through non-discoverability, haphazard access controls, buggy application behavior, and often simply being deleted.)
And that's not my only major objection to the current Microsoft dysfunctional-company software suite. I just realized I'm clenching my teeth, from recalling how harmful that load of shit was, the last time I saw it crippling employee effectiveness.
> All authentication and download events came from virtual private server (VPS) and Tor IP addresses, which is not the most subtle way to access an account.
If I login from my computer and a few hours later an attacker logs in from the other side of the planet, most big providers will trigger extra checks/email notifications of unusual events.
I wonder if intentionally using Tor/VPS is a way to bypass those checks, since a Tor/VPS can have a far away geo-IP.
Yes, I've also had this thought. I also wonder how wide the geographic net is for some providers. If it's sufficiently wide, it's not infeasible to brute-force the right geographic location by just looping through a few locations. It also has the adverse effect of locating the victim.
Your whole M$ account and all data behind six digits. People are so used to EVERY service asking them these digits, they don't even think twice before just hitting them in.
The Era of Login/Password Security was much more secure anyway, dunno why we regressed to this. Because the printer needs your Microsoft account now?
That stands for Microsoft (ie: Micro$oft). The connotation of the dollar sign is derogatory (ie: money-grubbing and obscenely rich).
Now that Microsoft is no longer the wealthiest, most powerful company in tech, fewer people refer to it as 'M$'. Microsoft should thank Google and Facebook for making Microsoft look modest and saintly in comparison.
Yeah, can confirm, there are a lot of targeted emails going out inviting people to dodgy auth flow endpoints.
Disabling device authentication (which is rarely needed anyway) and forcing Microsoft Authenticator (with the yes-this-is-really-me number entry thing) or something like a Yubikey should make your org like 99% less vulnerable. If you're not on a Microsoft-or-similar platform (good for you!), one word of advice: passkeys.
As for the inevitable "who would fall for this" question: prior to 2017, when Google instituted a strict 2FA policy, even members of their elite security team were successfully phished. After that, not so much: https://krebsonsecurity.com/2018/07/google-security-keys-neu...
Honest question when it comes to 2FA like MS Authenticator: why don't they ask for the 2nd factor first, and password second? Sounds like it would make it much harder to spoof.
Currently it's very easy to make a fake MS login prompt, even to customize it with your company name and logo. If you fall for that, they have your PW, which probably at least works without 2FA on some random corpo websites like your time tracking or travel expenses or whatnot.
> why don't they ask for the 2nd factor first, and password second? Sounds like it would make it much harder to spoof.
How? First off, if it's a TOTP without a notification, the fake website can just ignore the TOTP input and always say it's correct and move to collecting your password. If it's a notification-type 2FA, when you go to the fake site it can request a login with your username in the background, which will send you a notification; you will enter the 2FA code and then the password, which the attacker will log in with.
> when you go to the fake site it can request a login with your username in the background which will send you a notification, you will enter the 2FA code and then password which the attacker will login with.
You're right, hadn't thought of this. But I wish there was a better way to verify that the login prompt is genuine, today it seems almost arbitrarily hard to be 100% sure of this.
The only way is a two way communication between the computer you're logging in with and the 2FA device. So that the computer can tell the device which website is requesting it, and the 2FA device will respond only if the website matches the website that the 2FA was originally registered with. Or have the totp key encrypted with the correct website url, so only the correct URL can decrypt it.
This is essentially what happens with a YubiKey, so it's phishing resistant. It also happens with a passkey, but that's just one factor, since an unlocked stolen PC can log in. For a smartphone as a second factor you can probably have a similar setup by requiring a Bluetooth or USB connection between the laptop/PC and the smartphone, but it comes with its own disadvantages. Can also work with QR codes I guess, but with the browser generating it from the URL, not the site.
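As an added illustration (not code from the thread, and not any vendor's implementation) of the origin binding described above: the authenticator only answers when the origin the browser reports matches the relying party it was registered with, so a look-alike site gets no response at all. It is deliberately simplified: a per-origin HMAC key stands in for a WebAuthn key pair, so the "verification key" the site stores is a shared secret rather than a public key.

```python
import hashlib
import hmac
import json
import secrets

# Constructed illustration of origin-bound second factors (FIDO2/WebAuthn style).
# Simplification: a per-origin HMAC key stands in for the per-credential key pair.

def _host_of(origin: str) -> str:
    return origin.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]

class Authenticator:
    def __init__(self):
        self._master = secrets.token_bytes(32)  # never leaves the device
        self._credentials = {}                   # credential id -> registered rp_id

    def _key_for(self, rp_id: str) -> bytes:
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> tuple[str, bytes]:
        cred_id = secrets.token_hex(8)
        self._credentials[cred_id] = rp_id
        return cred_id, self._key_for(rp_id)

    def assert_login(self, cred_id: str, requesting_origin: str, challenge: bytes):
        # The browser, not the web page, reports which origin is asking.
        rp_id = self._credentials[cred_id]
        host = _host_of(requesting_origin)
        if host != rp_id and not host.endswith("." + rp_id):
            return None  # origin mismatch: the device simply does not answer
        client_data = json.dumps(
            {"challenge": challenge.hex(), "origin": requesting_origin}, sort_keys=True
        ).encode()
        return client_data, hmac.new(self._key_for(rp_id), client_data, hashlib.sha256).digest()

def verify_assertion(stored_key, expected_origin, challenge, client_data, sig) -> bool:
    # Relying party: the signed client data must name its own origin and its own challenge.
    data = json.loads(client_data)
    if data["origin"] != expected_origin or data["challenge"] != challenge.hex():
        return False
    return hmac.compare_digest(hmac.new(stored_key, client_data, hashlib.sha256).digest(), sig)

def demo():
    auth = Authenticator()
    cred_id, key = auth.register("login.example.com")
    challenge = secrets.token_bytes(16)
    genuine = auth.assert_login(cred_id, "https://login.example.com", challenge)
    phish = auth.assert_login(cred_id, "https://login.example.com.evil.test", challenge)
    ok = genuine is not None and verify_assertion(key, "https://login.example.com", challenge, *genuine)
    return ok, phish
```

`demo()` returns `(True, None)`: the genuine origin verifies, and the look-alike origin never receives a signature to relay.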
1. You shouldn't be reusing your password anywhere else anyway.
2. Microsoft corporate 2FA doesn't give you three choices, but wants you to enter the number from your keypad, unlike consumer 2FA, preventing flooding attacks and trusting that you'll tap the right one accidentally.
1. In my scenario it is your corp admin reusing password across apps. See sibling comment on SSO tax response.
2. Yes, I know how the MS 2FA flow works. But why doesn't it have you enter number on device first, type password second? Seems like it would give users a better way of knowing the login request is legit?
Database query is cheaper than multiple network calls and maybe even a database write?
If I send the password they need to hash then compare. Only then do they need to generate some form of random number - write to some store - send a notification to the user's device - query the store from the user's device - likely again hash and compare - send a notification to the endpoint signing in. To do that for millions / billions of users seems like it would be expensive compared to a hash + DB lookup.
This is affecting setups that are using a device-code-only flow that Microsoft recommends against.
> Only allow device code flow where necessary. Microsoft recommends blocking device code flow wherever possible. Where necessary, configure Microsoft Entra ID’s device code flow in your Conditional Access policies.
Because a device code wouldn't be needed if the user could easily login on the device. The user is already fully logged in on the computer where they enter the code.
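On the detection side of the device code flow discussed above, an added example (mine, not from the thread or from Microsoft): a small triage over constructed Entra sign-in records that surfaces device-code sign-ins and ranks successful ones from anonymising IPs or from a country the user has never otherwise signed in from first. Field names follow Microsoft Graph's signIn resource; the sample data and the scoring thresholds are my own.

```python
from collections import defaultdict

# Constructed sample of Microsoft Entra sign-in records (field names follow the Graph
# signIn resource; users, addresses and locations are made up for this example).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "riskEventTypes_v2": [], "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "riskEventTypes_v2": ["anonymizedIPAddress"], "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "NL"},
     "riskEventTypes_v2": [], "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "BR"},
     "riskEventTypes_v2": [], "status": {"errorCode": 50126}},
]

def triage_device_code_signins(records):
    """Score each device-code sign-in; successes from anonymising IPs or from a country
    the user has never otherwise signed in from come first."""
    baseline = defaultdict(set)  # countries seen per user on non-device-code sign-ins
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(r.get("location", {}).get("countryOrRegion"))
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        country = r.get("location", {}).get("countryOrRegion")
        reasons, score = [], 0
        if r.get("status", {}).get("errorCode") == 0:
            reasons.append("succeeded")
            score += 2
        if "anonymizedIPAddress" in r.get("riskEventTypes_v2", []):
            reasons.append("anonymizedIPAddress")
            score += 2
        if baseline[user] and country not in baseline[user]:
            reasons.append(f"new country {country}")
            score += 1
        severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
        findings.append({"user": user, "ip": r.get("ipAddress"), "score": score,
                         "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])
```

A failed device-code attempt still lands in the list at low severity, since a run of them against one user is worth a look even when none succeeded.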
Yes, I'm what most would call "conservative". So what? You think I love the situation Ukraine finds itself in?
I'm European and simply remember that little fact that both world wars started because of alliance networks and countries taking part in conflicts that were initially local. Which is why I try to temper the blatant war drum beating I see around.
Yeah, but for some people no amount of evidence is enough; only if Putin, the Ruzzian minister for Invasions or Fighter Bomber confirms it, then and only then will they believe Ruzzia could make a mistake or do something bad.
I didn't get how people end up entering passwords into random places and clicking on suspicious links until I started to work for a big corp.
You get a lot of stuff in the inbox that doesn't exactly relate to your day to day work from departments you only vaguely heard about.
Then the UX of corporate stuff, especially the Microsoft kind, is designed in a way to randomly jump in your face with a password prompt without you starting it actively. The session timeout here, the Kerberos prompt for the smartcard there, the VPN hiccup, Teams needing to reconnect after the laptop comes out of sleep. Then half of it randomly updates at some point and looks subtly different too.
After some exposure to this kind of stuff you don't even know what's real and what level of corporate-sanctioned bullshit is above or below the baseline set by The Policy.
And don't forget the "SSO Tax" that some SaaS implement. Ideally, your company login should be your one and only login, and should be strongly tied to your device, a hardware token, and a central directory. Often, SaaS providers charge far more to integrate with these directories, so companies will just use a lower-cost "LDAP Authentication" and condition users to enter their staff passwords on multiple sites :(
> "The session timeout here, the Kerberos prompt for the smartcard there, the VPN hiccup, Teams needing to reconnect after the laptop comes out of sleep. Then half of it randomly updates at some point and looks subtly different too."
OMG. Did not consider that. Lucky me. I do software development for clients, including some of decent size, but am independent to the point that all my development is done at my own premises (basement of my house ;) ).
I use a similar filter at work but have it automatically label it as external and remove it from my primary inbox, not completely blocking but I have to go find emails from new people. I do filter external emails from vendors we do use into folders and read them. But the amount of spam I get just because someone managed to find my title and email is insane. I don’t even have my work email listed anywhere publicly that I am aware of.
There are many curriculums where IT security is taught in schools [0]. America does have a problem where their education systems are extremely disparate, but the lack is not universal.
[0] Virginia commonly uses Fortinet's lesson plans, for example.