URL: https://borncity.com/win/2024/07/09/midnight-blizzard-hack-microsoft-sends-notification-to-customers-by-email-that-en...
Born's Tech and Windows World
Android, Linux, iOS, Windows, Gadgets and more Geek stuff
MIDNIGHT BLIZZARD HACK: MICROSOFT SENDS NOTIFICATION TO CUSTOMERS BY EMAIL THAT
ENDS UP IN SPAM FOLDERS

Posted on 2024-07-09 by guenni
[German] After Microsoft's e-mail system (Exchange Online, Outlook.com) was
compromised by Russian hackers from the state-sponsored group Midnight Blizzard,
Microsoft recently had to admit that e-mails to customers were also affected.
In its attempt to inform those customers, Microsoft made the next blunder. The
notifications were sent to the "Global Administrators" of the affected
companies' tenants. The notifications were not picked up, ended up in the spam
folder, or were classified as spam because Microsoft made further cardinal
errors.

MIDNIGHT BLIZZARD HACK ALSO AFFECTED CUSTOMERS

A brief review of what it's all about: In January 2024, it became known that
hackers from the state-sponsored group Midnight Blizzard were able to penetrate
Microsoft's email system and read messages from executives and security experts.
The hackers had been in the system since November 2023, as I noted in the blog
post Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since
Nov. 2023.

The hack was allegedly carried out via an old test account without MFA, from
which the attackers were able to access Microsoft's email system. The question
is how a password spray attack on an old, non-productive test tenant account was
possible at all, and why no multi-factor authentication (MFA) was enforced
there. A second question arose as to how the attackers were able to move from
this test account into production systems, i.e. Microsoft's email system.

In the blog post How Midnight Blizzard hackers were able to penetrate
Microsoft's email system, I traced the hackers' attack path. It points to a
chain of omissions on Microsoft's part. But Redmond played it down and said
"danger recognized, danger averted, the hackers from Midnight Blizzard have been
successfully locked out". Microsoft later had to admit that the attacks by
Midnight Blizzard were continuing – but it remained unclear whether the
attackers were still able to access Microsoft's systems. However, it became
known that the group was able to extract source code (see Microsoft confirms:
Russian spies (Midnight Blizzard) stole source code while accessing systems).

The latest information on the case in question can be found in the blog post
Microsoft: News from the Midnight Blizzard hack – customers may also be
affected, where Microsoft had to admit that customers were also affected by this
hack. This is because the attackers were able to read emails exchanged between
Microsoft employees and customers. There is a risk that those emails contain
information the attackers could use to put customers at risk. No problem,
Microsoft wants to inform the customers concerned.

In my last blog post, I asked whether any of our readers had received such an
email. The response was zero – were none of our readers among those affected?
That is currently unclear! What is clear, however, is that Microsoft is failing
to secure its cloud infrastructure and keeps producing new errors and omissions.
Microsoft doesn't even get customer notifications right.

CUSTOMER NOTIFICATIONS SENT TO NIRVANA

A few hours ago, Patrick S. emailed me to draw my attention to Microsoft's next
howler and suggested that it might make sense to add the relevant information
to my article Microsoft: News from the Midnight Blizzard hack – customers may
also be affected. Patrick pointed out that Microsoft sent the notification
emails telling customers they were affected by the hack to the tenants' Global
Administrators. Ideally, he said, these admin accounts would not have a mailbox
at all.

The issue was brought to light by security researcher Kevin Beaumont in a post
on Microsoft's career network LinkedIn. There, he advises Microsoft cloud
customers to check their email logs (including Exchange Online) for an email
from mbsupport@microsoft.com. Microsoft had communicated a security breach by
Russia (specifically Midnight Blizzard) that affected customer data in a
somewhat peculiar way. It did not follow the process normally used for data
protection incidents affecting Microsoft 365 customer data (in which a status
message is posted in the administrator portal).


MAIL TO GLOBAL ADMINS …

Microsoft sent the notification by e-mail to the administrator accounts of the
respective tenant (according to Patrick, the Global Administrators). These
emails may well end up in the spam folder. Moreover, the Global Administrator
accounts of a tenant should be break-glass accounts without a mailbox. Beyond
those administrator accounts, the organizations were not informed at all.

> Breakglass accounts are emergency accounts in Azure Entra ID that are equipped
> with increased rights (Global Admins). Such accounts allow access to resources
> if there are problems with availability. Break Glass accounts must therefore
> be protected by strict security rules and protocols. This includes ensuring
> that these accounts do not have an email address.


MAIL WITHOUT SPF AND DKIM, WITH SELF-SIGNED CERTIFICATE

On LinkedIn, the comment section under Kevin Beaumont's post is full of user
reports. One administrator wrote that several of his customers had received this
email. All of these customers suspected that it was phishing.

 * According to the email headers, Microsoft did not use SPF and DKIM,
 * and the URL mentioned in the email message was hosted as a simple
   (almost fake-looking) Azure PowerApp with a plain DV SSL certificate.

Let that sink in: although the certificate was issued by a trusted certificate
authority, it did not contain any information about the organization for which
it was issued. All other Microsoft domains use OV/EV certificates issued by
Microsoft itself as a publicly trusted certification authority.
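Beaumont's advice to search the mail logs, combined with the observation that the notification carried no SPF or DKIM result, can be turned into a small triage script. The following is an added example, not code from this blog or from Microsoft; it assumes the messages are available as RFC 5322 text (for example .eml exports) and that the receiving mail server stamps an Authentication-Results header. Only the sender address mbsupport@microsoft.com comes from the post; the two sample messages are constructed.

```python
"""Triage a mailbox export for the Microsoft notification mail.

Added example (not the blog's or Microsoft's code). Assumes RFC 5322 text
messages and an Authentication-Results header (RFC 8601) added by the
receiving MTA. Sample messages below are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SENDER = "mbsupport@microsoft.com"  # sender address named in the blog post

# Constructed samples: the first resembles the notification described in the
# post (no SPF/DKIM result, flagged as spam); the second is ordinary mail with
# a passing authentication record.
SAMPLE_MESSAGES = [
    """From: Microsoft <mbsupport@microsoft.com>
To: admin@example.invalid
Subject: Action Required - Microsoft Email Data Sharing Request
Authentication-Results: mx.example.invalid; spf=none smtp.mailfrom=microsoft.com; dkim=none; dmarc=none
X-Spam-Status: Yes, score=7.1

This notification is related to the prior attack ...
""",
    """From: Billing <billing@example.invalid>
To: admin@example.invalid
Subject: Invoice
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=example.invalid; dkim=pass header.d=example.invalid; dmarc=pass

Invoice attached.
""",
]

# Matches "spf=pass", "dkim=none", "dmarc=fail" etc.; "smtp.mailfrom=" and
# "header.d=" do not match because the method name must end at the "=".
_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_auth_results(value: str) -> dict:
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header.

    A method that is absent from the header is reported as 'none', so a
    missing check and an explicit 'none' verdict are treated alike.
    """
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for method, verdict in _RESULT_RE.findall(value or ""):
        results[method.lower()] = verdict.lower()
    return results


def triage(raw_messages, sender=SENDER):
    """Return one finding per message from `sender`, flagging weak auth."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        _, addr = parseaddr(msg.get("From", ""))
        if addr.lower() != sender.lower():
            continue
        auth = parse_auth_results(msg.get("Authentication-Results", ""))
        findings.append({
            "subject": msg.get("Subject", ""),
            "auth": auth,
            # Without a passing SPF or DKIM result the receiver cannot tie the
            # message to the claimed domain, which is why such mail is
            # quarantined or lands in the spam folder.
            "unauthenticated": auth["spf"] != "pass" and auth["dkim"] != "pass",
        })
    return findings
```

A real run would feed the script the raw messages from an Exchange Online message trace or mailbox export instead of the constructed samples; a finding marked unauthenticated is exactly the header pattern the LinkedIn commenters described, and a sender-match with passing SPF/DKIM would be worth confirming with Microsoft support before trusting the link.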

The commenting administrator says: "At first glance, this did not inspire
confidence in the recipients, who asked in forums or contacted Microsoft
customer support to finally confirm that the email was legitimate. In the
Microsoft Answers forum, there is a post Midnight Blizzard Data Sharing Request
– Email Legitimacy? dated June 25, 2024, where someone asks about the email:

> Action Required – Microsoft Email Data Sharing Request
> 
> "This notification is related to the prior attack against Microsoft by the
> threat actor known as Midnight Blizzard, as disclosed through our 8-K filings
> and our Microsoft blog .
> 
> You are receiving this notification because emails were exchanged between
> Microsoft and accounts in your organization, and those emails were accessed by
> the threat actor Midnight Blizzard as part of their cyber-attack on Microsoft.
> 
> As part of our commitment to transparency, we are proactively sharing these
> emails. We have custom built a secure system to enable the approved members of
> your organization to review the exfiltrated emails between Microsoft and your
> company.
> 
> In order to grant access to the above-referenced emails, you are required to
> identify authorized individuals within your organization who can nominate
> reviewers. As needed, please reach out to the appropriate parties in your
> organization who have the authority to nominate reviewers to view these
> emails.
> 
> At the bottom of this email is a link which will take you to a secure form
> where you will be asked to provide the following information:
> 
>  * Your organization's TenantID
>    o If you do not know or are unsure of your TenantID, please follow the
>    steps outlined here: https://aka.ms/gettenantid
>  * The access code located at the bottom of this email
>  * The email addresses for individuals within your organization who can
>    nominate reviewers who will be granted access to the set of exfiltrated
>    emails.
>    Once you complete this form, Microsoft will contact those who have been
>    identified with instructions on how to identify reviewers.
> 
> Should you or your organization require support during this process please
> work with your Customer Success Account Manager (CSAM) or account
> representative(s) to open a support case and reference Microsoft Email Data
> Sharing. Microsoft continues to prioritize transparency and learnings from
> events like these to help protect customers and our own enterprise.
> 
> Our investigation is ongoing, if we discover new information, we will tell you
> as soon as practicable."

> Secure Link: https://purviewcustomer.powerappsportals.com/?dnaynpyvmule

As the administrator notes in his comment: "A strange way for a provider like
this to communicate an important problem to potentially affected customers."



On Mastodon, Beaumont writes (see screenshot above) that many companies and
those affected only became aware of the notification through his post. And in
another post on Mastodon, Beaumont writes:



> The best part of this story is that the MS notification emails do not have a
> valid DKIM signature or SPF, but are flagged as phishing emails and forwarded
> to sandboxes.
> 
> Each client has a unique URL, and I've tracked over 500 so far – so there are
> at least 500 organizations that have fallen victim to the Midnight Blizzard
> hack.

And with that, administrators of Microsoft tenants among the readership can
start searching for such an email. Maybe someone will find it. I'll just end the
story here with: "Another day, another fail by Microsoft".

Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft's Storm-0558 cloud hack: US senator among the victims
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC
Microsoft extends Purview logging (after Storm-0558 hack)
Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023
How Midnight Blizzard hackers were able to penetrate Microsoft's email system
Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems
Microsoft: News from the Midnight Blizzard hack – customers may also be affected
Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023

Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack – Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2
Whistleblower: Microsoft ignored warnings about AD bug; was exploited in 2020 SolarWinds hack
Microsoft engages in damage limitation at congressional hearing (13.6.2024): Safety takes priority over AI

This entry was posted in Cloud, Security and tagged Cloud, Hack, Microsoft, Security.