State-backed hackers use Microsoft 365 vulnerability to breach US Treasury

Reuters reported over the weekend that foreign state-backed hackers have breached Microsoft 365 accounts at the US Treasury Department, using their access to secretly monitor email accounts and email exchanges between the US Treasury and the National Telecommunications and Information Administration. The attack was extremely sophisticated and was able to bypass Microsoft’s authentication controls.

Microsoft has released guidance for how organizations can bolster security to attempt to avoid these attacks, and we suggest having your IT provider take a look at this document and make sure your organization is following the recommended best practices. In addition to Microsoft’s recommendations, here are 3 tools and tips to help protect both personal and business accounts from cybercriminals:

1) Set up Two-Factor Authentication (2FA)

Two-factor authentication is the one tool that provides the highest ROI in terms of protecting your accounts from unauthorized access. Microsoft has said that 2FA can prevent 99% of automated attacks on Microsoft 365 accounts, and a recent Symantec study found that 2FA would have prevented up to 80% of data breaches (of all types). If your organization is not currently securing all employee accounts with 2FA, then implementing it should be your top priority. You can also set up 2FA for most of your critical personal accounts (like online banking) in just a few minutes. In general, we recommend using an app-based solution like Duo or Google Authenticator rather than SMS-based text messages for both business and personal accounts. If you’d like to learn more about 2FA, you can check out our One-Minute Wednesday episode on how it works.

2) Improve your password hygiene

Never use the same password twice—if your password becomes compromised in a data breach, cybercriminals can (and will) attempt to use it on all your other accounts. For personal accounts, we recommend using a password manager (like LastPass) to help you 1) keep track of all your unique passwords and 2) create highly-complex, strong passwords. Good passwords should avoid using common words, uses as many characters as possible, and includes a variety of different character types (uppercase, lowercase, numbers, and special characters).

For business accounts, the best practice would be to implement Single Sign On, which allows you to use a single master username and password to access all your business applications, and then protect it with Two-Factor Authentication. You can learn more about SSO by checking out our recent article on it.

3) Learn to spot phishing scams

If you get an email claiming that one of your accounts has been breached and you need to login immediately, it is probably a phishing scam. Phishing is a type of attack where cybercriminals impersonate a person or organization you trust in an attempt to trick you into providing personally-identifiable information (PII) like passwords or credit card numbers. Phishing emails normally include a link to a malicious website or attachment.

The best way to avoid getting compromised is to know how to spot phishing emails. They often have misspelled words, involve a slightly misspelled website like (like microsoftsupport.ru or microsft.com), or include an urgent call to take action immediately. You can learn more about how to spot phishing emails by checking out one of our One-Minute Wednesday episodes on phishing. If you receive an email that seems suspicious, either delete it or forward it to the Anti-Phishing Working Group at phishing-report@us-cert.gov.

About TechMD

TechMD is an award-winning IT services firm that specializes in managed IT services in Orange County and Los Angelesmanaged cybersecuritycloud solutions, and strategic IT consulting. We are passionate about bringing enterprise-level productivity, scalability, and security to small and medium businesses.