Fed.up March 4, 2021 3:39 PM

@ Kurt Seifried

That’s not entirely true. Here’s an explanation:

links fractured

ht tps://

Also before patching everyone should first assess whether they have been exploited. Instructions here:
ht tps://

And if you were attacked, even if SMB or outside of the US, you might want to report it to CISA. ht tps://

According to information I read elsewhere this attack is hitting even SMB

I am not an attorney, so this cannot constitute legal advice but I believe the 2015 CISA law protects private entities from liability arising from a breach so long as they report it to CISA
ht tps://

The other day Senator Wyden said the Microsoft exploits are a Golden SAML attack. Which if true, may explain what happened to SalesForce on LinkedIn today.

Kurt Seifried March 4, 2021 4:45 PM


That mentions specifically where the client runs an on-premises version as well as using the hosted one. So my question still stands, why is the hosted one not vulnerable (security controls? they rewrote a chunk of it? something else?).

Clive Robinson March 4, 2021 6:54 PM

@ Kurt Seifried,

So my question still stands, why is the hosted one not vulnerable (security controls? they rewrote a chunk of it? something else?).

You are not the only one left wondering “Why?” the two are different, and potentially “What is Microsoft hiding?”.

@ Fed.up,

That’s not entirely true. Here’s an explanation:

I’m not nor ever will be a “Linkedin” user, they are without doubt scum and have a history of frightfully bad business and security decisions to demonstrate that fact.

So whilst Brian Krebs nothing berger statment gets displayed the comments that might provide a more useful discourse do not.

As for Brian Krebs I found that his reporting was getting less and less usefull as he appeared to get captured as Microsoft’s reporter of choice for patch Tuesday’s, so I can not remember the last time I went to his website (it might have been around the time of the Super DDOS hose down he got).

Fed.up March 4, 2021 7:04 PM

@ Kurt

The hosted version has been acknowledged to be compromised (links fractured)

ht tps://

Authenticator is 2FA
Intune is mobile device management

using BYOD to authenticate onto corporate or government networks is a bad idea IMHO
It’s a violation of all AUP’s, NIST 800-53

I wonder if this attack began with apps? There was an article on Bleeping Computer about a data dump of LinkedIn passwords found on the dark web and that it might be associated with this attack. The author surmised it might be the genesis of the compromised credentials.

How many users repeat use of passwords? It wasn’t only SW that does this.

Most of my employers banned social media including LI on work issued equipment. But then migrated to 0365 and never assessed the security ramifications of Authenticator on BYOD. How can anyone think that installing corporate tooling on employee devices will ever be safe, no matter how much scraping Microsoft performs? When Microsoft or LinkedIn is scraping BYOD data that means others are too. A compromised employee is a compromised employer.

What Microsoft fails to recognize is that most of their customers have outsourced Exchange so they have no ability to get to Zero Trust, even though Microsoft claims it is the solution to this attack.

Last September Microsoft announced they will no longer be selling on-prem licenses. They also recently announced exchange server will become passwordless. This seems like the Windows 10 upgrade where no one had a choice in the matter.

ht tps://

AL March 4, 2021 7:17 PM

I wonder how valuable this exploit would be if email was wall-to-wall encrypted. Unencrypted email might just constitute an attractive nuisance.

Fed.up March 4, 2021 7:28 PM

@ Clive

I am in agreement with you on LI and Krebs.

I visit Krebs site when I want info on Microsoft patches. But sometimes the comments are very helpful as in this case.

One thought about LI. They likely have a lot of metrics. They surely know what constitutes normal attrition at all types of companies. I bet they can tell when a company has crappy Cybersecurity. Because Cybersecurity turnover is a regulatory measure that indicates elevated risk. When companies won’t address vulnerabilities talented cyber employees move to a new job rather than risk their resume.

Somebody Anon March 5, 2021 2:35 AM

There are many who will use every opportunity they get, to exploit zero-day vulnerabilities, for their benefit. Only blaming those who exploit such vulnerabilities is disingenuous. Some of the blame must be directed to those who allow such vulnerabilities to exist, in the first place. There will be more incidents in future, until the basic security framework changes !! If security remains an afterthought, then exploits will continue …

Kurt Seifried March 5, 2021 11:15 AM


That’s an entirely different incident and nothing to do with this (source code theft does not equate to a compromised platform, hint: the OpenSource world…). I can only assume you’re arguing in bad faith and trying to string up some conspiracy theory with unrelated items.

Clive Robinson March 5, 2021 4:58 PM

@ Fed.up,

One thought about LI. They likely have a lot of metrics. They surely know what constitutes normal attrition at all types of companies.

Yes I dread to think what Linked In knows or potentialy could know about companies.

It’s no secret I do not have anything to do with social media, but few ever ask why…

It’s the “data aggregation” aspect, we all know the old saw of “Do not put all your eggs in one basket!” but how many think what they are giving away.

Apparently Amazon have, as they are trying to force employees to use social media that Amazon have control of in various ways…

The problem is the more you think about it the worse you realize it is…

Clive Robinson March 5, 2021 5:28 PM

@ AL,

Unencrypted email might just constitute an attractive nuisance.

I would say it does offer temptation where it should not.

The postman gets to read the back of a post card to get the delivery address, how much else they might read we do not know.

The problem with Email is not only does the electronic postman get to see all, in this day and age they can not only store it all indefinitely, they can also examine and evaluate it for gain.

Thus the electronic postman or atleast some of them like Google, get to raid the sweety-store continuously…

The reason this is possible, is that Email originated in a time of very limited resources. You had the DoD and others squeasing every drop they could get out of things just to get the most primative of things to work. Whilst over in Europe lots and lots of work was being put into “future standards” that would be both scalable and secure.

Whilst we have the likes of the DoD and later IETF RFC standards they were almost always “work in progress” documents, which have become “legacy problems”. Which are still with us today.

As for what went on in Europe, well I guess some know what LDAP is, others about why CA certs are a bit odd, oh and the “ISO OSI seven layer model” which we only half jokingly add layer 8 for users, layer 9 for managers etc.

It’s not just Email that drags the massive ball and chain of “legacy” with it, security does as well. Worse that ball has more chains and balls of it’s own, each one a “cludge” “add on” where people have tried to add features that were not originally thought about.

At some point the legacy weight will drag it all to a halt, unless we decide to do something about it…

However the last time we tried to replace IPv4 with IPv6 more than a quater of a century later, we are still using IPv4 and adding fresh cludges to stretch it that extra mile or three, year after year…

I see no evidence that trying to update Email will actually fair any better. In fact I suspect a lot of vested interests will fight every which way to keep Email an “attractive nuisance” so they keep benifiting. Which also means there is the likely hood of “legislative” methods being used…

Fed.up March 5, 2021 5:31 PM

@ Kurt Seifried

I imagine you are having a really bad day. Customers want guidance.

I’m not the bad guy.

This is from December, 2020 and refers to a Cisco mobile phone 2FA tool being compromised to access Outlook 365

Who cares what the initial attack vector was. This has been going on for years. At this point we need to figure out how to stop it. Patching won’t be enough if it is a Golden SAML.

An IBM’r once created a Manual AD and DL (outlook distribution list) validation tool for me. My employer wasn’t allowed to possess any orphaned data so this tool queried Managers each month to validate the access rights and file shares of their direct reports. It was intense. But if the response wasn’t received by the tool on a certain date, access was automatically cut off.

If something like this is the solution now then it needs to capture/validate home IP, and all access rights too. It needs to immediately focus on Privileged Access most of all. But Microsoft or Cyberark needs to be forthcoming about how that privileged access is created by Golden SAML. For example does it bypass IAM tools like SailPoint?

I watched the Microsoft hearings last week, both the Senate and House – at some point a Congressperson addressed that this exploit was deleting Microsoft logs for those clients that have them. So this validation needs to be a third party tool is my thought. It cannot come from a software vendor already compromised in the stack.

This event will present an opportunity for security vendors to develop tools to address WFH monitoring. Because if we go back to the office really fast to circumvent this that will have a disastrous outcome for the US and world. It is hard not to knee jerk in the middle of a disaster.

I have more ideas but I will let you tell me you want to hear them. Especially as it concerns immediate remediation and also future WFH surveillance.

Fed.up March 5, 2021 6:35 PM

@ Clive

I wish I could have a cup of tea with you one day. I know we would have a lot to talk about.

I cannot engage here on that topic as much as I would love to right now.

But I will say this, social media is one of the vectors of this attack.

The Cisco/Microsoft attack was a cookie attack.

But we don’t know which app on the phone was throwing those cookies. It is likely more than one app. It is also likely very popular.

I don’t even have email on my phone. No apps. Just voice/text.


Clive Robinson March 5, 2021 7:32 PM

@ Fed.up,

But we don’t know which app on the phone was throwing those cookies. It is likely more than one app. It is also likely very popular.

Shhush you must not mention “Walled Gardens” people might get the wrong idea 😉

Yet, the security promises of the walled garden oeners whereby you in effect hand over ownership of your device to a mega-corp in return for security, now sound hollow, very hollow.

What was it that Thomas Jefferson said,

“Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one. Any society that would give up a little liberty to gain a little security will deserve neither and lose both. He who sacrifices freedom for security deserves neither.”

The problem is made worse these days, because the choice made by one person effects the security and privacy of the many.

Fed.up March 6, 2021 11:21 AM

@ Clive (links fractured)

For your reading pleasure. Chris Krebs was formerly the Cybersecurity Director of the Dept of Homeland Security. The top US Cyber official. He previously worked for Microsoft. Here’s a few of his tweets about the Microsoft attack yesterday:

It will turn into Ransomware:
ht tps://

It is caused by “contractors gone wild”. Biden cannot handle this.
ht tps://

The solution is to move to the cloud
ht tps://

It was caused by customers hosting Exchange and it is wrong to do that. Retweets China now owns them
ht tps://

Is this another watershed attack like 9/11? Surely there are lots of whistleblowers who tried to prevent this. Prior to 9/11 the FBI had a lot of whistleblower tips that they ignored and repressed. Congress investigated and wanted to shut down the FBI (report linked below). The compromise was to create the Department of Homeland Security under which the FBI would be contained and reined in. So here we are 20 years later going through yet another massive attack that has the potential to destroy our country and then like now it was perpetrated by those we trusted and called our friends. The Head of the FBI then was Robert Mueller and here’s his 2002 report. ht tps://

China is the big get. American companies always think they are terminally unique and China will let them make big money. But it never happens. Even Jack Ma got smacked down and ANT group was just valued at $0 by China after the USA investors (Silver Lake and friends) threw $10 Billion at it. Now that money is poof – gone.
ht tps://

Even so, it appears that Microsoft is betting on China and perhaps they even cut a backroom deal to hand over a gutted USA? Yesterday Microsoft announced that are in a joint venture with a Chinese Gov’s 21Vianet to build out cloud infrastructure and Azure in China. China’s cloud is already dominated by Alibaba, Tencent and Baidu.
ht tps://

China’s 21Vianet is listed on Nasdaq so they will be using American money to fund this Chinese project. Meanwhile Chinese companies trading on US Exchanges do not provide any audited financial statements. We have no insight into their profit or income, no where our investment goes. In the past few months this stock has surged from $5 to $40 p/s ht tps://

Last year Google abandoned China for the 2nd time because they recognize they will never make money there. ht tps://

Also yesterday Bloomberg identified the “Peace Cable” as an additional source of stress of the USA. Going forward the USA may have difficulty communicating with the Middle East. It certainly strains our already strained relationship with France. ht tps://

I find it so offensive that China fund their country’s infrastructure with American pension and mutual fund money on Nasdaq and NYSE. I’d rather US Institutions invest in fossil fuels and Smith and Wesson — at least that’s profitable and they do business in the USA.

American cultural norms make Americans different, not better. That’s why American tourists always stand out wherever they go. Each country has a cultural norm. In some countries it is okay to cut off women’s heads or rape children. Women have no rights. And in some countries the only way to get ahead is to game the system. Darwinism. But Americans always make the mistake of thinking that other countries want to embrace our cultural norms when their people come here to work or do business with us from afar. That is never the case. American Exceptionalism that you/Clive spoke about is really just ignorance and bias. ht tps://

I think Chris Krebs is correct that Biden may not have the backbone for what he needs to do.

ht tps://

JonKnowsNothing March 6, 2021 6:55 PM

@Fed.up @All

Software and Hardware vulnerabilities have less to do with Nationality than with NeoLiberal-Libertarian Short Term Profits as practiced in many parts of the globe.

Vulnerabilities are inherent in the setup of business practices that rely on Wall Street Zero Sum Gaming for guide posts on what and how things should be done.

As far as Cultural Norms, perhaps you have not worked for a Multi-National Business that spans over many countries. Take a walk down the Wall Street Journal or any major stock market (UK,Germany,Japan).

The only American Exceptionalism you will find on those stock exchanges, is the Exceptional Incomes of the major players and the inability to plan, prepare or execute a secure system.

Moving to the Cloud makes this no more secure. The Cloud by it’s very design is less secure than most anything else and improves nothing.

Historically, Systems that were considered Secured Systems have been plundered many times over the ages. Hardly a tomb robber or thief hasn’t been made into a hero by Hollywood. Museums globally hold the plundered wealth of other cultures and countries.

You can put your barn, tomb, business or system on the tallest peak but if you don’t secure the doors, walls and roof it’s not going to be secure overall. If you ignore the floor and basement, it’s not going to be any better than on the flat.

ht tps://

ht tps://

Over the Easter holiday in 2015, millions of dollars worth of cash, gems and jewelry were stolen from a facility where London jewelers stored their wares. The audacious theft … involved descending through an elevator shaft and drilling through concrete and metal walls.

(url fractured to prevent autorun)

Clive Robinson March 7, 2021 3:25 AM

@ JonKnowsNothing,

With regards,

“Over the Easter holiday in 2015, millions of dollars worth of cash, gems and jewelry were stolen from a facility where London jewelers stored their wares.”

Nobody knows how much might or might not have been stolen. Some reports said hundreds of millions (very doubtful) others in the mid to high tens of millions, others such as insurance have said under five million.

Why the large range?

Well it appears most of the stuff in there was,

1, Not insured.
2, Not listed.
3, Not on books.

The reason being that much of it was “hiden from authorities” for various reasons that are at best questionable through full on “proceads of violent crime” that might include murder.

You will hear a lot of “Oh my’s” about little old jem dealers trading in cafes in Hatton Garden… The fact is that much of the trading was “traditional” meaning in the words of the song “No tax no VAT” and the UK government had repeatedly failed to “get what was due unto Ceaser” it’s known for instance that bullion was traded that had the imprint of The London Brick Company on it…

So it’s realy unknown. However that has not stopped the UK Gov using verious very dubious laws to try and,

1, Get their hands on the money.
2, Ensure that the old men will die in jail.

Put simply without any evidence the authorities have decided that there must have been 30million taken from the vault. Thus have told the old men that unless they pay 6million each they will get another 7years added to their tarrif.

Well they can not give what they have not got, so two things will happen,

1, The truth will go to the grave with the old men.
2, That even though there is no evidence 30million ever existed, various Gov departments can now claim it does.

This second point is important because it’s not for “auditing” purposes but to make “effectivness” thus budgetary claims to “Empire Build” various Gov depts.

But why do the UK Gov want the truth to die in jail? Well the authorities made claims in court that “were not factual” involving illegal surveillance and fabricated evidence…

We are seeing more of the same over the Encrochat phones. It would appear thst the UK Government at the highest levels have sanctioned “purjury” by the authorities, because the authorities can not do their jobs within the lawful constraints applied to them…

Just more evidence the UK is turning into a “Banana Republic”.

But more interestingly the problem of the “28th Euro State Economy” which is not a nation but “Criminal Enterprise”. Hidden out of sight is a criminal economy atleast as large as the largest of EU nations… Authorities see the money “disappear” and assume it has entered that economy where it obviously creates “churn” but no tax is paid and it’s unknown as to if the money stays in that economy or gets washed into the more general economy of the EU.

Personally I hope they do not find the money, because the effect on the more general economy could be disastrous for various reasons.

reader4563 April 15, 2021 5:49 PM

very nice hint, thanks i missed that news otherwise. looks like data transfer is the propose of using ms products. if you are smart you take the money for education and gnu/linux deployment. if you are a fraud who wastes stolen money you support thugs like microsoft. simple :/ NSA do your ****** job right and kick some as*** 😀

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.