CrowdStrike, a leading cybersecurity firm, was notified by Microsoft of an attempt by threat actors to access and read the organisation's emails using compromised Microsoft Azure credentials.
Michael Sentonas, CrowdStrike's CTO, disclosed the following here:
Specifically, they identified a reseller's Microsoft Azure account used for managing CrowdStrike's Microsoft Office licenses was observed making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago. There was an attempt to read email, which failed as confirmed by Microsoft. As part of our secure IT architecture, CrowdStrike does not use Office 365 email.
Microsoft published a disclosure about the attack this month, explaining how credentials and access tokens were stolen. It recommended that organisations using Azure, and their Azure administrators, study the attack flow in depth and learn how to discover suspicious behaviour within the organisation's network.
CrowdStrike analysed its Azure environment and determined that it had not been compromised by the attacks related to SolarWinds. The most challenging finding of the analysis was that it is hard to enumerate the privileges that have been allocated to third-party resellers and partners.
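The kind of check described above, as an added example that is not CrowdStrike's or Microsoft's code: learn which cloud API operations a delegated reseller account normally performs, then flag operations outside that baseline (such as mail reads) together with the time span and the number of failed calls. The records and field names are constructed for the example and do not follow a real Microsoft log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed, simplified audit records (not a real Microsoft log schema):
# caller, cloud API operation, timestamp and whether the call succeeded.
BASELINE = [  # earlier window: what the reseller account normally does
    {"who": "reseller-admin@partner.example", "op": "License.Assign",
     "ts": "2020-05-01T10:00:00", "ok": True},
    {"who": "reseller-admin@partner.example", "op": "License.Read",
     "ts": "2020-05-02T11:30:00", "ok": True},
]
REVIEW = [  # later window under investigation
    {"who": "reseller-admin@partner.example", "op": "License.Read",
     "ts": "2020-06-10T08:00:00", "ok": True},
    {"who": "reseller-admin@partner.example", "op": "Mail.Read",
     "ts": "2020-06-10T08:00:00", "ok": False},
    {"who": "reseller-admin@partner.example", "op": "Mail.Read",
     "ts": "2020-06-11T01:00:00", "ok": False},
    {"who": "alice@corp.example", "op": "Mail.Read",
     "ts": "2020-06-10T09:00:00", "ok": True},
]


def learn_baseline(events):
    """Map each principal to the set of operations seen in the baseline window."""
    seen = defaultdict(set)
    for e in events:
        seen[e["who"]].add(e["op"])
    return seen


def find_deviations(events, baseline):
    """For each baselined principal, report operations outside its baseline,
    the hours between the first and last such call, and how many failed.
    Principals with no baseline are not assessed here; they need a
    separate onboarding review rather than a silent pass."""
    hits = defaultdict(list)
    for e in events:
        if e["who"] in baseline and e["op"] not in baseline[e["who"]]:
            hits[e["who"]].append(e)
    report = {}
    for who, evs in hits.items():
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        span_h = (max(times) - min(times)).total_seconds() / 3600
        report[who] = {"ops": sorted({e["op"] for e in evs}),
                       "span_hours": round(span_h, 1),
                       "failed": sum(1 for e in evs if not e["ok"])}
    return report


if __name__ == "__main__":
    print(find_deviations(REVIEW, learn_baseline(BASELINE)))
```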
Sentonas said:
We found it particularly challenging that many of the steps required to investigate are not documented, there was an inability to audit via API, and there is the requirement for global admin rights to view important information, which we found to be excessive. Key information should be easily accessible.
The description of the tool is taken from the CrowdStrike Reporting Tool for Azure.