Make Senior Execs Use 2 Factor Authentication? Get Real

This is beyond stupid for an attack in 2023, but that sums up Microsoft. Microsoft network breached through password-spraying by Russian-state hackers | Ars Technica

Russia-state hackers exploited a weak password to compromise Microsoft’s corporate network and accessed emails and documents that belonged to senior executives and employees working in security and legal teams, Microsoft said late Friday.

Password spraying is an attack where a bad-guy tries a PW across a set of user IDs. Since most systems are set to lock out a user after a certain number of failed tries to log in, this attack bypasses that by trying numerous accounts.

It is only possible if you ignore some basic security protocols, or as the article says, security hygiene.

As Steve Bellovin, a computer science professor and affiliate law prof at Columbia University with decades of experience in cybersecurity, wrote on Mastodon:

A lot of fascinating implications here. A successful password spray attack suggests no 2FA and either reused or weak passwords. Access to email accounts belonging to “senior leadership… cybersecurity, and legal" teams using just the permissions of a "test tenant account” suggests that someone gave that test account amazing privileges. Why? Why wasn't it removed when the test was over? I also note that it took Microsoft about seven weeks to detect the attack.

I'll say it again. You can't get senior management to use 2 factor authentication. It is too complicated for their tiny, C-suite minds. Use a password manager to have complicated passwords? That is also too complicated.

Doctors. Lawyers. Executives. And while I've never worked directly with doctors, all three are impossible to have follow any kind of security protocol. "I'm a [fill in the blank]! I can't follow those directives, I don't have the time!" Or something. I wonder if MS execs will have the time for 2FA now. Somehow I doubt it.