
Showing posts from November, 2019

Microsoft has been aware of the AAD/O365 vulnerability for almost 2 years.

A friend found this link, which shows clearly that Microsoft has been aware of the risk of users granting consent to illicit applications since at least January 2018: https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/ They have not done much to prevent it, but have worked on post-mortem tools. One of the links in the article points to an article by a former cyber criminal, with a YouTube video showing a proof of concept of a real-time crypto-locker working on the user's mailbox. Scary stuff. https://youtu.be/VX59Gf-Twwo

What has changed

What makes this even worse today is that the Microsoft sample code wizard makes it very easy to create the phishing website. The wizard generates the application password (client secret) and produces source code with your own AppID and password already inserted, so this is now possible with a minimum of coding skills. We also have the fact that two years ago, knowledge of free Let's Encrypt certificates was not so widesprea
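The Microsoft article linked above is about finding illicit consent grants after the fact. As an added example (not code from the original post or from Microsoft's article), here is a small triage over JSON exported from the Microsoft Graph oauth2PermissionGrants and servicePrincipals endpoints: it flags grants that give an app owned by a foreign tenant a scope that can read, exfiltrate or encrypt mailbox and file content, and notes whether offline_access (a refresh token) makes the access persistent. The tenant ids, app names and grant records are constructed sample data, and the Microsoft first-party owner tenant id is an assumption to verify against your own export.

```python
"""Triage Azure AD OAuth2 permission grants for illicit consent.

Added example; it is not code from the original post or from Microsoft.
Input is the JSON that Microsoft Graph returns from
  GET /v1.0/oauth2PermissionGrants   and   GET /v1.0/servicePrincipals
(saved to disk by any Graph client). All ids and names below are constructed
sample data, not real tenants or apps.
"""
import json

# Delegated scopes that let an app read, exfiltrate or encrypt mailbox and
# file content on the consenting user's behalf.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Contacts.ReadWrite", "Sites.ReadWrite.All",
}

# Tenants whose apps we treat as trusted: our own tenant plus the tenant that
# owns Microsoft's first-party apps. Assumption: the Microsoft id below is the
# commonly documented "Microsoft Services" tenant; verify it in your export.
OWN_TENANT_ID = "00000000-0000-0000-0000-00000000beef"        # constructed
MICROSOFT_SERVICES_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
TRUSTED_OWNER_TENANTS = {OWN_TENANT_ID, MICROSOFT_SERVICES_TENANT}


def load_graph_page(text):
    """Return the records from one Graph JSON page ({"value": [...]})."""
    return json.loads(text).get("value", [])


def triage_grants(grants, service_principals,
                  trusted_owner_tenants=TRUSTED_OWNER_TENANTS):
    """Return one finding per grant that gives an untrusted app a risky scope.

    consentType "Principal" is a single user's consent (the phishing case);
    "AllPrincipals" is tenant-wide admin consent and is rated higher.
    A clientId with no matching service principal in the export is still
    reported, since a missing record is itself worth a look.
    """
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = sp_by_id.get(grant["clientId"], {})
        if sp.get("appOwnerOrganizationId") in trusted_owner_tenants:
            continue
        scopes = set((grant.get("scope") or "").split())
        risky = sorted(scopes & RISKY_SCOPES)
        if not risky:
            continue
        findings.append({
            "grant_id": grant["id"],
            "app": sp.get("displayName", "<unknown service principal>"),
            "app_id": sp.get("appId"),
            "owner_tenant": sp.get("appOwnerOrganizationId"),
            "consent_type": grant.get("consentType"),
            "user": grant.get("principalId"),
            "risky_scopes": risky,
            # offline_access yields a refresh token: access outlives the session
            "persistent": "offline_access" in scopes,
            "severity": "critical" if grant.get("consentType") == "AllPrincipals" else "high",
        })
    return findings


# Constructed sample export: one phishing-style app, one Microsoft app, one
# in-house app, plus a grant whose service principal is missing.
SAMPLE_SP_JSON = json.dumps({"value": [
    {"id": "sp-1", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
     "displayName": "Mail Backup Helper", "appOwnerOrganizationId": "11111111-2222-3333-4444-555555555555"},
    {"id": "sp-2", "appId": "aaaaaaaa-0000-0000-0000-000000000002",
     "displayName": "Microsoft Teams", "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT},
    {"id": "sp-3", "appId": "aaaaaaaa-0000-0000-0000-000000000003",
     "displayName": "Internal HR Portal", "appOwnerOrganizationId": OWN_TENANT_ID},
]})
SAMPLE_GRANTS_JSON = json.dumps({"value": [
    {"id": "g1", "clientId": "sp-1", "consentType": "Principal", "principalId": "user-alice",
     "resourceId": "sp-graph", "scope": "User.Read Mail.ReadWrite offline_access"},
    {"id": "g2", "clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "User.Read Mail.Read"},
    {"id": "g3", "clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "User.Read"},
    {"id": "g4", "clientId": "sp-1", "consentType": "Principal", "principalId": "user-bob",
     "resourceId": "sp-graph", "scope": "User.Read openid"},
    {"id": "g5", "clientId": "sp-gone", "consentType": "Principal", "principalId": "user-carol",
     "resourceId": "sp-graph", "scope": "Mail.Read"},
]})

FINDINGS = triage_grants(load_graph_page(SAMPLE_GRANTS_JSON),
                         load_graph_page(SAMPLE_SP_JSON))

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"[{f['severity']}] grant {f['grant_id']}: {f['app']} "
              f"({f['consent_type']}, user={f['user']}) scopes={f['risky_scopes']} "
              f"persistent={f['persistent']}")
```

On the sample data only g1 and g5 are reported: the Microsoft and in-house apps are skipped by owner tenant, and g4 goes to the suspicious app but only asks for User.Read. In a real tenant the export is paged; feed every page through load_graph_page and concatenate before calling triage_grants, and review the findings against the user's mail rules and sign-in logs from the same window.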

Microsoft AzureAD and Office365 - Not secure by default

Or 3 clicks and you are dead

Cloud identity is a great thing these days. You can sign up to lots of services using your social identity from Facebook, Google or Microsoft. You do not have to invent new passwords (or reuse passwords used elsewhere), and you get easy Single Sign On. This has more advantages than drawbacks for by far the majority of users. The purpose of this article is to create awareness of some of the dangers.

Microsoft AzureAD - The special case

Your Microsoft company identity is just another cloud identity for most services, and in many ways it is better than some of the others. You get secure multi-factor logon, and you might even get passwordless logon. Conditional Access protects your sign-in attempts even more, maybe by blocking countries like China, Russia and Brazil, or by doing it risk based. It all depends on how the enterprise has configured things. It is trivial to create your own web server,