The recent Practical 365 Podcast
I often listen to podcasts while driving or at the gym. Yesterday I listened to the following fantastic podcast from Practical 365 with Steve Goodman and Paul Robichaux:
https://spotify.link/7Y7fz0yQfDb
Here is a brief overview of the topics covered in the podcast:
- Storm-0558 – a recent China-originated cyber attack against Exchange Online
- An explanation of the current hacking technique Cryptojacking and why it is important to monitor your Azure environment
- The new Outlook and why it is important in connection to Microsoft Copilot
- The current major cyber attack in Las Vegas targeting the casino and hotel company MGM Resort
If you want to learn more about the Storm-0558 breach, you can read a detailed article on the Practical 365 blog:
Microsoft recently released the results of their investigation into the security breach:
My key takeaways on the security topics discussed in the podcast
For me, it was very interesting that the recent Microsoft breach through Storm-0558 had its original source in 2018. Looking at the current default login and audit log retention in Entra ID of 30 days, it seems to me very important to implement solutions that (of course in addition to analyzing them) store these logs where they are retained for a longer period. In addition, reviewing the above article by Paul Robichaux, an important action is to extend your auditing to include the MailItemsAccessed event. In the Storm-0558 breach, one company did this and was able to detect the breach.
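As an added example (my own code, not from the podcast or the Practical 365 article), here is a small Python script that runs the checks a defender would want over MailItemsAccessed records exported from the unified audit log: access by a client app id that is not on your allow-list, records flagged as throttled, and unusually high message volume per user, app and IP. The allow-list GUIDs and the sample records are constructed placeholders, and the field names follow the MailItemsAccessed AuditData schema as I understand it.

```python
import json
from collections import defaultdict

# Assumed allow-list of ClientAppId values your tenant expects to read mail
# (placeholder GUIDs, not real application ids).
KNOWN_CLIENT_APPS = {"11111111-1111-1111-1111-111111111111"}

# Constructed sample AuditData payloads, shaped like the JSON that
# Search-UnifiedAuditLog -Operations MailItemsAccessed returns.
SAMPLE_AUDIT_DATA = [
    json.dumps({"CreationTime": "2023-09-12T08:01:11", "Operation": "MailItemsAccessed",
                "UserId": "alice@contoso.example", "ClientIPAddress": "203.0.113.10",
                "ClientAppId": "11111111-1111-1111-1111-111111111111",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                        {"Name": "IsThrottled", "Value": "False"}],
                "Folders": [{"Path": "\\Inbox", "FolderItems": [{"Id": "m1"}, {"Id": "m2"}]}]}),
    json.dumps({"CreationTime": "2023-09-12T08:05:42", "Operation": "MailItemsAccessed",
                "UserId": "alice@contoso.example", "ClientIPAddress": "198.51.100.7",
                "ClientAppId": "99999999-9999-9999-9999-999999999999",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                        {"Name": "IsThrottled", "Value": "True"}],
                "Folders": [{"Path": "\\Inbox", "FolderItems": [{"Id": f"m{i}"} for i in range(3, 8)]}]}),
]

def parse_record(raw):
    """Flatten one AuditData JSON string into the fields the checks need."""
    rec = json.loads(raw)
    props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
    return {
        "user": rec.get("UserId", ""), "app": rec.get("ClientAppId", ""),
        "ip": rec.get("ClientIPAddress", ""), "access": props.get("MailAccessType", ""),
        "throttled": str(props.get("IsThrottled", "False")) == "True",
        # number of messages this record covers, summed over all folders
        "items": sum(len(f.get("FolderItems", [])) for f in rec.get("Folders", [])),
    }

def find_suspicious_access(raw_records, known_apps=KNOWN_CLIENT_APPS, item_threshold=1000):
    """Return findings: unlisted client app, throttled records, high per-(user, app, ip) volume."""
    findings, totals = [], defaultdict(int)
    for raw in raw_records:
        r = parse_record(raw)
        totals[(r["user"], r["app"], r["ip"])] += r["items"]
        if r["app"] not in known_apps:
            findings.append({**r, "reason": "unknown-app"})
        if r["throttled"]:  # further records for this session were dropped, so volume is understated
            findings.append({**r, "reason": "throttled"})
    for (user, app, ip), n in totals.items():
        if n >= item_threshold:
            findings.append({"user": user, "app": app, "ip": ip, "items": n, "reason": "volume"})
    return findings
```

Feed it the AuditData column of a Search-UnifiedAuditLog export and tune the allow-list and threshold to your tenant; a "Sync" access type from an app you do not recognise is the record worth investigating first.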
Another takeaway is thinking about the security threat Cryptojacking, where hackers get access to your Azure subscription. After that they open a support ticket at Microsoft to remove the quotas for rolling out high performance compute resources. Finally they deploy high performance virtual machines with Nvidia GPUs and start to mine cryptocurrency. Microsoft gives some recommendations on how to protect yourself from being attacked and how to monitor your environment:
Again, there are basic countermeasures that every administrator should consider. Separating normal and admin accounts and implementing MFA and conditional access policies. In addition, it is recommended that you limit quotas in your Azure subscription to your needs and monitor for unexpected quota increases.
In the recent Las Vegas cyber attack, hackers obtained personal information about an employee from LinkedIn. As a second step, they gained access to the employee’s work account with a simple phone call to the company’s help desk. This demonstrates the importance of security awareness in every organization. There are many solutions for companies to start training their employees and raising their awareness of security risks. This is not a one-time action – companies need to make this a recurring task in their security strategy and prioritize it. I am now considering SMS or phone calls as an additional phishing simulation path to follow if you want to prepare for the current attack landscape.