Security News

Qualys report looks at how misconfiguration issues on cloud service providers help attackers gain access. Cloud misconfiguration - incorrect control settings applied to both hardware and software elements in the cloud - are threat vectors that amplify the risk of data breaches.

A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key.

Microsoft has explained why it seemingly took its time to fix a flaw reported to it by infosec intelligence vendor Tenable. On July 10, Tenable again contacted Microsoft to reports its findings on what it regarded as a dangerously incomplete fix.

Microsoft has accidentally revealed an internal 'StagingTool' utility that can be used to enable hidden features, or Moments, in Windows 11. As first discovered by Windows sleuth XenoPanther, Microsoft has a utility for enabling hidden development features in Windows 11 called 'StagingTool'.

Microsoft on Friday disclosed that it has addressed a critical security flaw impacting Power Platform, but not before it came under criticism for its failure to swiftly act on it. "The vulnerability could lead to unauthorized access to Custom Code functions used for Power Platform custom connectors," the tech giant said.

Microsoft fixed a security flaw in the Power Platform Custom Connectors feature that let unauthenticated attackers access cross-tenant applications and Azure customers' sensitive data after being called "Grossly irresponsible" by Tenable's CEO. The root cause of the issue stemmed from inadequate access control measures for Azure Function hosts launched by connectors within the Power Platform. "It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have further impact," says cybersecurity firm Tenable which discovered the flaw and reported it on March 30th. "However, because of the nature of the service, the impact would vary for each individual connector, and would be difficult to quantify without exhaustive testing."

Microsoft has officially begun killing off Cortana as the company moves its focus towards integrating ChatGPT and AI into Windows 11. [...]

Microsoft's new Azure Active Directory Cross-Tenant Synchronization feature, introduced in June 2023, has created a new potential attack surface that might allow threat actors to more easily spread laterally to other Azure tenants. Microsoft tenants are client organizations or sub-organizations in Azure Active Directory that are configured with their own policies, users, and settings.

An infamous Kremlin-backed gang has been using Microsoft Teams chats in attempts to phish marks in governments, NGOs, and IT businesses, according to the Windows giant. In its latest crime spree, a crew that Microsoft Threat Intelligence now tracks as Midnight Blizzard uses previously compromised Microsoft 365 tenants to create domains that masquerade as organizations offering tech support.

Microsoft is investigating an issue causing Outlook Desktop to unexpectedly ask users to restore windows closed during a previous session. [...]