This week the Microsoft Identity and Security Services Division announced another new security report feature is now in preview that helps protect Azure Active Directory Premium customers from the risk associated with leaked credentials.
The Risk of Leaked Account Credentials
One scenario that has unfortunately become all too common is where account credentials are stolen in bulk by criminals through website breaches. Credentials are also unwittingly provided directly by the victims themselves through phishing attacks, or harvested from systems that are infected with malware. As we reported in the Microsoft Security Intelligence Report volume 17, account credentials that are stolen in bulk directly from organizations’ websites contribute a significant amount to the trade in stolen credentials. As part of its customer account protection operations during the period from November 2013 to June 2014, Microsoft tracked about 1,700 distinct website credential thefts, comprising a little more than 2.3 million credentials that were posted in public places on the Internet. This number represents only a small fraction of the credentials that are traded in forums and specialized websites on less publicly accessible spaces on the Internet that cater to the illicit trade in stolen credentials.
Figure 1: Number of publicly posted website credential thefts, per month, from November 2013 to June 2014
Figure 2: Number of stolen credentials from publicly-posted credential thefts, per month, from November 2013 to June 2014. The spike in February represents includes the public posting of 1 million hashed credentials that had been stolen from Forbes
In addition to attacks on websites, a substantial number of the illicit account credentials trade is provided by devices infected with malware.
Figure 3: Trends for the most commonly encountered password stealers in the 1st half of 2014
Security Mitigations in Microsoft’s Cloud Services that can Help
Last November I wrote about a unique capability built into Azure Active Directory Premium that allows customers to identify devices that have been compromised with some of the worst professionally managed threats on the Internet, and are attempting to sign into Azure based applications. This information allows customers to identify and remediate infected systems in their environments quickly.
Figure 4: An example report illustrating “sign ins from possibly infected devices” available to Microsoft Azure Active Directory Premium customers
This week the Microsoft Identity and Security Services Division announced yet another new security report feature is now in preview that helps protect Azure Active Directory Premium customers from the risk associated with leaked credentials.
Figure 5: The new “Users with leaked credentials” report in the Azure management portal surfaces any matches between the leaked credentials lists that Microsoft discovers posted publically and your tenant
You can get more details here: Azure Active Directory Premium reporting now detects leaked credentials.
Another security mitigation that can help to mitigate the risk of leaked credentials is multi-factor authentication. Typically, a user presents something they know, like their secret password, as proof of authenticity. The basic idea behind multi-factor authentication is for the user to present one or more additional proofs based on something they have, like a device for example, or something they are, such as a fingerprint or retinal scan.
Microsoft Azure and Office 365 already have multi-factor authentication support to help you manage this risk. You can get more details here: Azure Multi-Factor Authentication.
Many of the customers I talk to that manage on-premise environments have implemented some form of multi-factor authentication that helps protect their user accounts. But only a few customers I have talked to look for lists of leaked credentials and test them against their on-premise directory services. I suspect that the new “users with leaked credentials” report will be of high interest to many customers in a world where credential leakage and theft have become so commonplace.
Chief Security Advisor
Worldwide Cybersecurity & Data Protection
 A. Greenberg, “How The Syrian Electronic Army Hacked Us: A Detailed Timeline,” Forbes.com, 20.Feb.2014. [Online]. http://www.forbes.com/sites/andygreenberg/2014/02/20/how-the-syrian-electronic-army-hacked-us-a-detailed-timeline/. [Accessed: 17-Jul-2014].