‘A recent Wall Street Journal report has updated that account. The report cites sources “familiar with the matter” in claiming that the number of compromised email accounts is in the hundreds of thousands, and that at least two more high-level officials were among those breached by the cyber espionage campaign: assistant secretary of state for East Asia Daniel Kritenbrink, and Ambassador to China Nicholas Burns. The cyber espionage campaign began with the Chinese hackers somehow getting their hands on a Microsoft signing key, which was then used to forge authentication tokens to slip into email accounts via Outlook.com and Outlook OWA. At least 25 organizations were thought to be impacted, including an unspecified number of federal agencies. The Commerce and State Departments were confirmed to be hit by the breach… …Microsoft said that a “flaw in code” was what led to the theft of the key that enabled the cyber espionage campaign, but cybersecurity professionals have noted that the attack is also something that can readily be spotted if an included Microsoft logging feature is enabled. The trouble is, that feature is only available at a higher paid tier of its Purview Audit service that not all of the government agencies are subscribed to. This immediately led to government calls to make this feature freely available to all customers. Microsoft and CISA have since agreed to an expansion of the company’s cloud logging capability, making it available to a broader range of customers for free in an initiative that will roll out “over the coming months.”’ https://lnkd.in/gqhs-x8y
Email security breaches in state services
Summary
Email security breaches in state services refer to incidents where unauthorized individuals gain access to government email accounts or infrastructure, risking the exposure of sensitive information and potentially compromising critical operations. These breaches can result from technical flaws, poor security practices, or inadequate monitoring, making public institutions vulnerable to espionage and cybercrime.
- Update access controls: Regularly review and restrict administrative privileges, and require strong multi-factor authentication for all accounts.
- Monitor system activity: Use advanced logging tools and real-time alerts to quickly spot and respond to unusual activity or potential intrusions.
- Address vulnerabilities: Ensure security warnings and audit findings are promptly acted on and that servers and cloud services are properly configured and maintained.
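The quoted report above makes the point that the forged-token campaign "can readily be spotted" only if the relevant mailbox audit logging is switched on, and the "Monitor system activity" item asks for exactly that kind of check. The following script is an added example, not code from the page or from any of the quoted authors: it runs a per-mailbox baseline-and-deviation check over exported audit records and separately reports mailboxes that produced no audit records at all, since a mailbox with no coverage cannot be monitored this way. It assumes the export is a list of dicts with "CreationTime", "Operation", "UserId" and "ClientIP" keys, and that the mailbox-read event is named "MailItemsAccessed" (an assumed operation name; the page does not name it). All records below are constructed.

```python
"""Baseline check over mailbox audit records plus an audit-coverage check.

Added example. Assumptions: records are dicts with "CreationTime" (ISO 8601),
"Operation", "UserId" and "ClientIP"; the mailbox-read event is assumed to be
called "MailItemsAccessed". Sample records are constructed, not real data.
"""
from collections import Counter, defaultdict
from datetime import date
from statistics import median

OPERATION = "MailItemsAccessed"  # assumed name of the mailbox-read audit event


def daily_counts(records, operation=OPERATION):
    """Return {user: Counter(day -> count)} for the given operation only."""
    per_user = defaultdict(Counter)
    for rec in records:
        if rec.get("Operation") != operation:
            continue
        day = date.fromisoformat(rec["CreationTime"][:10])
        per_user[rec["UserId"]][day] += 1
    return per_user


def find_anomalies(records, expected_users=(), factor=3.0, floor=20):
    """Flag days whose read count exceeds max(factor * median, floor).

    The median baseline for a day is taken over the user's *other* days, so a
    single spike cannot inflate its own baseline. Users in expected_users with
    no records of the operation are reported as uncovered: without the audit
    feature enabled there is nothing to baseline.
    """
    per_user = daily_counts(records)
    anomalies = []
    for user, days in per_user.items():
        for day, count in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            baseline = median(others) if others else 0
            if count > max(factor * baseline, floor):
                anomalies.append((user, day.isoformat(), count))
    uncovered = sorted(u for u in expected_users if u not in per_user)
    return {"anomalies": anomalies, "uncovered": uncovered}


# Constructed sample: two audited mailboxes with a steady daily pattern, one
# large off-hours spike from a new client IP, and a third mailbox that emits
# no records at all (simulating a tenant without the audit feature enabled).
SAMPLE_RECORDS = []
for d in range(1, 8):
    SAMPLE_RECORDS += [{"CreationTime": f"2023-07-{d:02d}T09:00:00", "Operation": OPERATION,
                        "UserId": "alice@agency.example", "ClientIP": "203.0.113.10"}] * 10
    SAMPLE_RECORDS += [{"CreationTime": f"2023-07-{d:02d}T10:00:00", "Operation": OPERATION,
                        "UserId": "bob@agency.example", "ClientIP": "203.0.113.11"}] * 12
SAMPLE_RECORDS += [{"CreationTime": "2023-07-08T02:15:00", "Operation": OPERATION,
                    "UserId": "alice@agency.example", "ClientIP": "198.51.100.7"}] * 400
SAMPLE_RECORDS.append({"CreationTime": "2023-07-08T10:00:00", "Operation": "Send",
                       "UserId": "bob@agency.example", "ClientIP": "203.0.113.11"})

EXPECTED_USERS = {"alice@agency.example", "bob@agency.example", "carol@agency.example"}

if __name__ == "__main__":
    result = find_anomalies(SAMPLE_RECORDS, EXPECTED_USERS)
    for user, day, count in result["anomalies"]:
        print(f"ANOMALY {user} {day}: {count} mailbox reads")
    for user in result["uncovered"]:
        print(f"NO AUDIT COVERAGE for {user}")
```

The "uncovered" list is the operational caveat behind the quoted report: the volume check is only as good as the audit tier that produces the records, so a mailbox missing from the export should be treated as a monitoring gap rather than as quiet.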
UK Ministry of Defence Mail Servers Left Critically Exposed for Years: A Catastrophic Security Oversight. While the Defence Secretary hailed yesterday as the “first day of accountability” following a highly publicised email breach, the reality tells a much darker story. The notion that a single email error triggered a global security failure is possibly dangerously misleading. According to research shared today with both the UK Home Office and the UK Ministry of Defence, the UK Ministry of Defence’s critical Mail Exchange (MX) servers—handling all inbound and outbound email traffic—have been catastrophically insecure and exposed since at least February 2021. This scandal is far from an isolated human error. This is systemic negligence of the most basic cybersecurity principles. For over four years, long before the 'rogue email' was sent in 2022, the UK Ministry of Defence communications—potentially including military strategies, intelligence, personnel data, and international correspondence—have been traversing insecure infrastructure, easily interceptable by hostile states or cybercriminals. The UK Ministry of Defence have unsurprisingly suffered several cyber incidents over the last several years. Rather than owning this critical exposure, a single, unnamed individual has seemingly been scapegoated to divert attention from this continued catastrophic institutional failure. This is not accountability; it’s damage control and limitation. Meanwhile, the vulnerable MX servers remain exposed, perpetuating unacceptable risk. The implications are staggering: operational compromise, intelligence leaks, and reputational damage costing the UK taxpayer tens of billions. The real story here and threat isn’t a rogue email—it’s the ongoing failure to secure the nation's most sensitive digital communications.
Office of the Comptroller of the Currency (OCC) suffered a recent cloud email breach that highlighted critical vulnerabilities in email security and access management that have broader implications for all federally regulated institutions.

Summary of the OCC Breach
An attacker gained unauthorized access to a privileged administrative email account within the Microsoft environment. The breach went undetected for 8 months, during which sensitive government communications were silently exfiltrated. More than 150K email messages were compromised, affecting around 100 officials. The incident exposed critical shortcomings in access control enforcement, monitoring, and response protocols.

Key Failures Identified
1. Overprivileged Access – An administrative account with wide mailbox visibility was compromised, facilitating prolonged data exfiltration.
2. Delayed Detection – Anomalous behavior went unnoticed for months, raising concerns about the efficacy of real-time monitoring and alerting.
3. Stale and Unlocked Service Accounts – There were no policies in place for password rotation, inactivity lockout, or login attempt lockout for service accounts, making them vulnerable to brute-force or credential stuffing attacks.
4. Unaddressed Internal Warnings – Known risks flagged in prior audits related to email and access security had not been remediated in time.
5. Insufficient Conditional Access Policy Enforcement – The compromised account, linked to Azure, bypassed MFA and geo restrictions due to a poorly enforced conditional access framework. VPN usage further masked malicious activity.

Lessons learned:
1. Enforce Microsoft Conditional Access Policies – Ensure all accounts, including service accounts, are subject to robust Conditional Access, MFA, and geo-restrictions.
2. Tighten Access Control – Limit and monitor privileges of administrative and service accounts; apply just-in-time access models.
3. Audit and Harden Service Accounts – Eliminate hardcoded credentials, enforce regular password rotation, enable account lockouts after failed login attempts, and set inactivity thresholds.
4. Strengthen Detection – Invest in behavioral analytics, adaptive authentication, and cloud-native threat detection tools.
5. Review and Limit Privileges – Conduct a review of privileged accounts and implement RBAC and JIT access where possible.
6. Ensure compliance with secure baseline configurations like those in DHS CISA BOD 25-01 - Secure Cloud Baseline [SCuBA] (stated in OCC response).

The OCC breach is a cautionary tale—reactive controls alone are insufficient in today’s environment. Proactive hardening of identity, access, and cloud email infrastructure must be a top priority. https://lnkd.in/ef_4DQ3V
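The post above lists the controls whose absence it blames for the OCC breach: MFA and geo-restriction enforced through Conditional Access, lockout after repeated failed logins, password rotation, and inactivity thresholds for service accounts. The script below is an added example, not code from the post's author or from Microsoft: it evaluates a constructed set of account metadata and sign-in events against those five policies and returns the findings per account, the kind of check a defender would run over an exported sign-in log to find accounts the policy framework is not actually covering. The policy thresholds (allowed country set, 5 failures in 15 minutes, 90-day password age, 45-day inactivity), the event field names, and all sample data are assumptions made for the example.

```python
"""Policy-gap check over sign-in events for admin and service accounts.

Added example. Assumed inputs: ACCOUNTS maps account name -> {"password_set",
"last_sign_in"} (datetimes); EVENTS are dicts with "time", "account", "result"
("success"/"failure"), "mfa" (bool) and "country". Thresholds below are
assumed policy values, not values from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}                      # assumed geo-restriction
MAX_FAILURES, FAILURE_WINDOW = 5, timedelta(minutes=15)   # assumed lockout policy
MAX_PASSWORD_AGE = timedelta(days=90)           # assumed rotation policy
MAX_INACTIVITY = timedelta(days=45)             # assumed inactivity threshold


def evaluate(accounts, events, now):
    """Return {account: sorted list of policy findings}; accounts with no findings are omitted."""
    findings = defaultdict(set)
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_account[ev["account"]].append(ev)

    for name, meta in accounts.items():
        evs = by_account.get(name, [])
        # Rotation: password older than the policy allows.
        if now - meta["password_set"] > MAX_PASSWORD_AGE:
            findings[name].add("stale_password")
        # Inactivity: no successful sign-in within the threshold.
        last_ok = max((e["time"] for e in evs if e["result"] == "success"),
                      default=meta["last_sign_in"])
        if now - last_ok > MAX_INACTIVITY:
            findings[name].add("inactive_account")
        # Lockout: sliding window of failures that should have triggered a lock.
        window = []
        for ev in evs:
            if ev["result"] == "failure":
                window.append(ev["time"])
                window = [t for t in window if ev["time"] - t <= FAILURE_WINDOW]
                if len(window) >= MAX_FAILURES:
                    findings[name].add("lockout_threshold_exceeded")
                continue
            # Conditional Access: successful sign-ins must carry MFA and come from an allowed geo.
            if not ev["mfa"]:
                findings[name].add("mfa_not_enforced")
            if ev["country"] not in ALLOWED_COUNTRIES:
                findings[name].add("geo_violation")
    return {name: sorted(f) for name, f in findings.items()}


# Constructed sample data (not real accounts or events).
NOW = datetime(2025, 4, 15, 12, 0)
ACCOUNTS = {
    "svc-mailsync": {"password_set": NOW - timedelta(days=400), "last_sign_in": NOW - timedelta(days=1)},
    "admin-jdoe":   {"password_set": NOW - timedelta(days=30),  "last_sign_in": NOW - timedelta(days=1)},
    "svc-legacy":   {"password_set": NOW - timedelta(days=60),  "last_sign_in": NOW - timedelta(days=200)},
}
_t0 = NOW - timedelta(days=1)
EVENTS = [
    # five failures in four minutes, then a non-MFA success from a country outside the allowed set
    *[{"time": _t0 + timedelta(minutes=i), "account": "svc-mailsync", "result": "failure",
       "mfa": False, "country": "ZZ"} for i in range(5)],
    {"time": _t0 + timedelta(minutes=6), "account": "svc-mailsync", "result": "success",
     "mfa": False, "country": "ZZ"},
    # a compliant admin sign-in
    {"time": _t0, "account": "admin-jdoe", "result": "success", "mfa": True, "country": "US"},
]

if __name__ == "__main__":
    for account, issues in evaluate(ACCOUNTS, EVENTS, NOW).items():
        print(f"{account}: {', '.join(issues)}")
```

Each finding maps to one of the post's lessons: "mfa_not_enforced" and "geo_violation" to Conditional Access enforcement, "lockout_threshold_exceeded" to failed-login lockout, "stale_password" to rotation, and "inactive_account" to inactivity thresholds. Running this over a real sign-in export would show which accounts the policy framework is failing to cover, rather than assuming the policies are applied because they exist.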