Microsoft recently faced criticism after security researchers revealed that the company had sent data breach notifications to Microsoft 365 customers that were mistaken for spam and even blocked by the company’s security tools. The emails in question raised concerns among customers for several reasons, including requests for high-level account information, unclear connections to Microsoft, and improper implementation of DMARC anti-spoofing protocols.
Security researcher Kevin Beaumont highlighted the issue in a LinkedIn post that garnered significant attention. He pointed out that Microsoft had experienced a breach by Russia that impacted customer data but had failed to follow the proper data breach process for Microsoft 365 customers. The notifications were sent via email to tenant admins instead of being posted in the portal, leading to confusion and skepticism among recipients.
One commenter noted that the lack of SPF and DKIM authentication in the emails only added to the suspicion that they were phishing attempts. The use of a URL hosted on a simple Azure PowerApp with a basic SSL certificate further fueled concerns about the legitimacy of the notifications.
The incident, which stemmed from the Midnight Blizzard attack earlier this year, was reported by numerous Microsoft customers on company forums. Additionally, more than 500 organizations identified the emails as phishing attempts and took action by submitting them to sandboxes for further investigation.
Microsoft’s own documentation on email authentication highlights the importance of SPF, DKIM, and DMARC in preventing spoofing and phishing attacks. However, the challenge lies in implementing these protocols correctly to ensure maximum protection. Despite efforts to promote DMARC adoption, a recent study found that only 19% of top manufacturing companies have fully embraced the p=reject policy, which offers comprehensive protection against phishing and spoofing.
Proper implementation of DMARC involves a step-by-step process that includes verifying SPF, DKIM, and DMARC policies, deploying DMARC in monitoring mode, and gradually increasing enforcement levels as issues are resolved. While this may require time and effort, the potential benefits in enhancing cybersecurity defenses and safeguarding against cyber attacks are significant.
By prioritizing the implementation of DMARC and other email authentication protocols, organizations can strengthen their cybersecurity posture and mitigate the risk of falling victim to malicious activities. Ultimately, taking proactive steps to enhance email security practices can help prevent embarrassing incidents and maintain public trust in the face of evolving cyber threats.