Trusted Internet Guidance on the US Cybersecurity and Infrastructure Security Agency Emergency Directive on Microsoft Email Compromise
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive today, warning Federal Government users of a breach in Microsoft’s O365 email system, instructing Federal Government users on determining which accounts have been compromised and how to regain control of these email accounts.[1]
According to the directive, the Russian state-sponsored cyber actor known as Midnight Blizzard exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft through a successful compromise of Microsoft corporate email accounts. Microsoft has disclosed the incident and followed up via multiple communications, beginning in January 2024.
According to Microsoft, Midnight Blizzard has increased the volume of some aspects of the intrusion campaign by as much as 10-fold in February, compared to an already large volume seen in January 2024.
According to CISA, Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies and likely extends beyond just federal agencies.
This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure the security of authentication tools for privileged Microsoft Azure accounts.
Here’s what we think:
Trusted Internet strongly recommends moving away from Microsoft Authenticator to a strong third-party MFA product for individuals and corporate offices relying on that mobile app. There are many strong alternatives to this particular app, which we will discuss below. We host Cisco Duo for corporate clients. Additional best practices:
Perform frequent credential updates. Best practice balanced with usability is important, but considering the CISA warning, we recommend an immediate update, with future password changes no later than every 90 days.
Limit the length of an authenticated session. Best practice suggests no more than one hour of inactivity should force a logout by users.
Validate user login geolocations using an email monitoring tool. Trusted Internet offers a managed version of Avanan Advanced Email Protect.
Ensure administrative access is separated from non-administrative access.
Do not allow administrative access to be used for non-administrative purposes.
Private Individual alternative authenticator mobile apps:
Cisco Duo
LastPass (part of a service that Trusted Internet can host)
Sophos Intercept X (part of a service that Trusted Internet can host)
Twilio Authy
Google Authenticator
Business clients managed MFA Alternatives:
Cisco Secure Access by Duo (hosted by Trusted Internet)
ESET Secure Authentication
HID Advanced MFA
IBM Security Verified Access
Okta
Ping Identity PingOne
RSA SecureID
SecureAuth Identity
Twilio Authy
Disclaimer: Listing of the above alternatives does not necessarily represent an endorsement of their specific product. We choose and host specific products based on several factors, but your security is paramount.
For assistance in hardening your O365 environment, including setting up a new third-party authenticator, contact your Trusted Internet Virtual CISO™ or our Executive Support Center.
[1] https://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system