Microsoft takes pains to obscure role in 0-days that caused email breach

BrikoX · 1 year ago

Microsoft takes pains to obscure role in 0-days that caused email breach

@phase_change · edit-2 1 year ago

As a guy responsible for a 1,000 employee O365 tenant, I’ve been watching this with concern.

I don’t think I’m a target of state actors. I also don’t have any E5 licenses.

I’m disturbed at the opaqueness of MS’ response. From what they have explained, it sounds like the bad actors could self-sign a valid token to access cloud resources. That’s obviously a huge concern. It also sounds like the bad actors only accessed Exchange Online resources. My understanding is they could have done more, if they had a valid token. I feel like the fact that they didn’t means something’s not yet public.

I’m very disturbed by the fact that it sounds like I’d have no way to know this sort of breach was even occurring.

Compared to decades ago, I have a generally positive view of MS and security. It bothers me that this breach was a month in before the US government notified MS of it. It also bothers me that MS hasn’t been terribly forthcoming about what happened. Likely, there’s no need to mention I’m bothered that I’m so deep into the O365 environment that I can’t pull out.

@[email protected] · 1 year ago

Vendor lock-in is 100 times worse today than it was 20 years ago. It’s vile, insidious and borderline cruel. Microsoft doesn’t want to work with anyone, they never have and they never will.

Any feelings of openness and cooperation you get from them is engineered, from the ground up, to ensure that they are in a position of control over you.

Their crack security team is not the result of some spontaneous and sudden desire to protect their customers. It’s a consequence of having to constantly triage the financial impacts of a never-ending stream of critical vulnerabilities.

Labelling this proprietary shit “ecosystems” is insulting to ecosystems. They mere notion that you should be using Microsoft software to monitor, secure and protect your Microsoft software is downright ridiculous.

Microsoft is not the only, and maybe not even the worst, in a long list of hand-wringing, life-sucking, progress-hindering companies who people will willingly defend because these companies have forced their way into becoming a part of our identities.