For the first time in the history of Microsoft, a cyberattack has left hundreds of executive accounts compromised and caused a major user data leak as Microsoft Azure was attacked.

According to Proofpoint, the hackers use the malicious techniques that were discovered in November 2023. It includes credential theft through phishing methods and cloud account takeover (CTO) which helped the hackers gain access to both Microsoft365 applications as well as OfficeHome.

  • SorteKanin@feddit.dk
    link
    fedilink
    arrow-up
    0
    ·
    9 months ago

    The reason why so many people fell for this attack was because it was carried out through malicious links embedded in documents. These links led to phishing websites but the anchor text of these links was “View Document”. Naturally, no one was suspicious of a text like that.

    On one hand, I know we shouldn’t blame people for falling for this stuff. People are often not educated well enough on the dangers and it’s not reasonable to expect it. We should build things to be systematically secure even in the face of people falling for phishing.

    On the other hand it’s difficult not to be frustrated with this kind of thing… People really should know better than clicking random links and typing their password.

    • valkyre09@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      9 months ago

      I work on service desk.

      Nobody knows their password. It’s always a fucking song and dance when I ask them to type it in.

      Except of course when they click a phishing link. Then they know every single piece of information required.

      Blows my mind

      • deweydecibel@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        work on service desk.

        Nobody knows their password.

        If they did they wouldn’t be contacting the service desk.

        • OrderedChaos@lemmy.world
          link
          fedilink
          arrow-up
          0
          ·
          9 months ago

          I often get confused at how someone could log into the computer and yet after that is done have no idea what their password is. I sometimes have them lock their computer so they can remember it again. Facepalm.

          • wizardbeard@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            0
            ·
            9 months ago

            Been on both ends of this (IT support and “forget password after entering it correctly”). The secret is muscle memory/subconcious habit.

            Used to have the same issue with the dial combo lock on my locker at school. If I thought about it I could never open it. If I distracted myself just enough then I’d get it open without really knowing what I did.

            That said, at my place we had someone forgetting their password literally minutes after a call to have it reset, multiple times a day. Don’t know what the issue was, but we had to escalate it to HR and the person was out for a good while.

            • just some guy@sh.itjust.works
              link
              fedilink
              arrow-up
              1
              ·
              9 months ago

              Totally agree about the muscle memory. I recall having access to a CO DNR database at a previous job. It was one of three alphanumeric passwords assigned to me with no option to change them. I realized one day after having my hand in the wrong place on the keyboard that I didn’t really remember it, but my subconscious did

    • echo64@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      9 months ago

      Azure products ask you for your identity and signin a lot. Honestly, I’m asked to log in again at least once every 24 hours. That’s assuming I don’t traverse some sort of service wall where I’m now in a different system after clicking a link.

      I do cloud engineering for a living, and I would probably fall for at least some phishing things around Azure, specifically because azure identity management is so obtuse and constantly asking for things.

      It’s absolutely on the system that Microsoft designed , and the practices they encourage, and the mitagations that apparently don’t exist.

      • Sunforged@lemmy.ml
        link
        fedilink
        arrow-up
        0
        arrow-down
        1
        ·
        9 months ago

        Thank you. Security verification has become so cumbersome that people just try to push through without thinking.