Serious security oversight at Microsoft

Vaisha Bernard, chief hacker at Eye Security, saves thousands of companies from risk of cyber attack

Microsoft's "Attack Simulation Training" software, designed to educate company employees on phishing attacks, suffered from serious security oversights. Originally intended as a training ground for employees to recognise and respond to potential threats, the program harboured a critical security error that exposed millions of unsuspecting Microsoft users to exploitation by cybercriminals.

These serious security errors were brought to light by Vaisha Bernard, Chief Hacker at the European cybersecurity and insurance firm Eye Security, who played a pivotal role in helping Microsoft fix the vulnerability. Bernard was evaluating "Attack Simulation Training" for Eye Security's customer portfolio when he uncovered a security gap in one of the system's phishing email templates.

A link in the template directed him to a 'non-existing' Confluence page. He promptly registered the page in his name, and requests from users around the world to access the page started arriving. It was at this point that Bernard identified two major issues: not only did the templates contain links to unregistered pages and domains, but the email addresses Microsoft used to send out the phishing simulations were also linked to unregistered domains.

This meant that anyone could easily register those domains for a mere $10 each. Bernard registered some of them and started receiving responses to the phishing simulations from employees in companies worldwide. Alongside those who recognised it as a scam, many requested a resend of the simulated malware in PDF format.
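The weakness described above is a dangling-reference problem: templates and sender addresses point at domains nobody owns. As an added example (not code from Eye Security or Microsoft), the following audit extracts every link host and sender domain from a simulation template and flags those that do not resolve, so a defender can catch unregistered domains before the template is sent. The template text and domain names are constructed placeholders, and the resolver check is a simplified assumption.

```python
import re
import socket
from typing import Callable

# Constructed sample template with a sender address and a landing-page link.
# The domains are placeholders (.invalid TLD), not real Microsoft domains.
SAMPLE_TEMPLATE = """From: IT Helpdesk <helpdesk@EXAMPLE-SIMULATION-SENDER.invalid>
Subject: Action required: password expiry

Please review the attached policy at
https://wiki.example-landing-page.invalid/pages/policy.pdf
or contact security@corp.example.com.
"""

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def extract_domains(template: str) -> set[str]:
    """Collect every host referenced by a link or sender address in the template."""
    hosts = URL_RE.findall(template) + EMAIL_RE.findall(template)
    return {h.lower().rstrip(".") for h in hosts}


def registrable_domain(host: str) -> str:
    """Reduce a host to its last two labels. Assumption: no public-suffix list,
    so multi-part suffixes such as co.uk are not handled here."""
    return ".".join(host.split(".")[-2:])


def dns_resolves(domain: str) -> bool:
    """Default check: does the name resolve at all? A registered domain may still
    lack records, so treat a negative result as 'needs a manual WHOIS check'."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_domains(template: str,
                          resolves: Callable[[str], bool] = dns_resolves) -> list[str]:
    """Return registrable domains referenced by the template that do not resolve."""
    candidates = {registrable_domain(h) for h in extract_domains(template)}
    return sorted(d for d in candidates if not resolves(d))


if __name__ == "__main__":
    for d in find_dangling_domains(SAMPLE_TEMPLATE):
        print(f"unresolvable domain referenced in template: {d}")
```

Run it against every template and sender address in a simulation catalogue; any domain it reports should be registered by the organisation or removed from the template.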

"Of course, I immediately alerted Microsoft, and together we have since resolved the issue. However, had a cybercriminal beaten me to it, thousands of unsuspecting employees from companies worldwide – Microsoft customers and users – would have clicked on suspicious links and fallen victim to phishing attacks. Ironically, Microsoft's attack simulation program would have transformed into a genuine phishing attack program, bypassing all protective mechanisms," warned Bernard. 

Bernard continues, "On a broader point, it goes to show preventative measures – such as awareness training, endpoint and cloud monitoring – are only the first line of defence. You need to assume that you will be breached, so be ready to respond quickly."

Published on December 19, 2023
