CrowdStrike finds 'logging inaccuracies' in Microsoft 365 – TechTarget

The Microsoft 365 platform is not properly maintaining its user sign-in logs and is providing false-positive reports for user logins.
In a blog post published Thursday, security vendor CrowdStrike said it has conducted “multiple investigations” of the way Microsoft 365 Azure Active Directory (Azure AD) logs information on user sign-in attempts. Specifically, the team found that under certain configurations, a successful log-in will be recorded when the attempt has in fact been blocked.
“In recent investigations, CrowdStrike has found a pattern of inaccurate logging in the Azure AD sign-in logs that seems to falsely indicate a mailbox sync via legacy authentication protocols (IMAP or POP),” CrowdStrike researchers Christopher Romano and Vaishnav Murthy wrote in the blog post.
“This pattern appears to manifest in M365 tenants that: do not have legacy authentication configured to be blocked via a conditional access policy (CAP); have POP and IMAP blocked at an individual mailbox level; and have the SMTP authentication protocol allowed at the mailbox level.”
An inaccurate set of logs always poses a risk to network security, because it gives administrators a distorted view of how well their protections are performing. In some situations, however, the consequences can be devastating.
The CrowdStrike researchers explained that the mishandling of the legacy protocol logins is particularly bad for data breach investigators.
“These protocols result in downloading a mailbox’s contents locally to the client from where the authentication request was initiated,” Romano and Murthy explained.
“Hence, whenever these protocols are seen to be used in an investigation involving email compromise, an assumption is made that the entirety of the mailbox contents, which often include sensitive information, has been exfiltrated by the threat actor.”
In theory, a data breach investigator could end up wasting valuable time pursuing a supposedly successful breach attempt that was actually blocked by access controls.
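The triage logic an investigator would apply to the configuration pattern described above, as an added example that is not CrowdStrike's or Microsoft's code. It assumes sign-in records carry the Microsoft Graph signIn field names (clientAppUsed, status.errorCode, userPrincipalName) and that per-mailbox settings mirror the Get-CASMailbox properties (PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled); all sample data is constructed.

```python
from dataclasses import dataclass

# Graph clientAppUsed values for the mailbox-sync protocols, mapped to the
# mailbox setting that governs each one (assumed field names, see lead-in).
LEGACY_SYNC_CLIENTS = {"IMAP4": "imap_enabled", "POP3": "pop_enabled"}


@dataclass
class MailboxSettings:
    pop_enabled: bool
    imap_enabled: bool
    smtp_auth_disabled: bool  # SmtpClientAuthenticationDisabled per mailbox


def classify_signin(record, mailbox, legacy_auth_blocked_by_cap):
    """Decide how much weight a 'successful' IMAP/POP sign-in entry deserves.

    'suspect-log-entry' is the pattern CrowdStrike described: no conditional
    access policy blocks legacy auth, the mailbox has POP/IMAP disabled but
    SMTP AUTH allowed, yet the log records a successful IMAP/POP sign-in.
    Such an entry is not, on its own, evidence that the mailbox was synced.
    """
    client = record.get("clientAppUsed", "")
    if client not in LEGACY_SYNC_CLIENTS:
        return "not-legacy-sync"
    if record["status"]["errorCode"] != 0:   # 0 is success in Azure AD sign-in logs
        return "blocked"
    if getattr(mailbox, LEGACY_SYNC_CLIENTS[client]):
        return "sync-likely"                  # protocol really is enabled: assume download
    if not legacy_auth_blocked_by_cap and not mailbox.smtp_auth_disabled:
        return "suspect-log-entry"
    return "inconsistent"                     # needs manual review against audit logs


def triage(records, mailboxes, legacy_auth_blocked_by_cap):
    """Group verdicts per user so an investigator can prioritise real syncs."""
    results = {}
    for rec in records:
        upn = rec["userPrincipalName"]
        mailbox = mailboxes.get(upn)
        verdict = ("unknown-mailbox" if mailbox is None
                   else classify_signin(rec, mailbox, legacy_auth_blocked_by_cap))
        results.setdefault(upn, []).append(verdict)
    return results


# Constructed sample data: alice matches the misleading-log pattern, bob does not.
SAMPLE_MAILBOXES = {
    "alice@example.com": MailboxSettings(pop_enabled=False, imap_enabled=False, smtp_auth_disabled=False),
    "bob@example.com": MailboxSettings(pop_enabled=False, imap_enabled=True, smtp_auth_disabled=True),
}
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    for upn, verdicts in triage(SAMPLE_SIGNINS, SAMPLE_MAILBOXES, legacy_auth_blocked_by_cap=False).items():
        print(upn, verdicts)
```

A "suspect-log-entry" verdict should be confirmed against mailbox audit records before the mailbox is treated as exfiltrated.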
CrowdStrike noted that Microsoft had previously announced that it will disable POP and IMAP authentication to Exchange Online on Oct. 1.
Microsoft did not respond to a request for comment on the report.
To protect their networks from the logging errors, CrowdStrike recommended that administrators take the basic step of blocking the legacy authentication protocols, including disallowing connections via IMAP, POP or SMTP.
All Rights Reserved, Copyright 2000 – 2022, TechTarget