Security company Malwarebytes suspects that a breach of its Office 365 and Azure tenancies was carried out by the same attacker behind the SolarWinds hack, but reckons flaws in Azure Active Directory security are also to blame.
Malwarebytes, whose products include widely used anti-malware tools for consumers and businesses, said that it does not use SolarWinds but believes that the same attacker used "another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments".
The attack was spotted because of suspicious activity reported by Microsoft's Security Response Center.
The intruder "only gained access to a limited subset of internal company emails", said Malwarebytes, and there was no evidence of unauthorised access to its internal on-premises and production environments. Malwarebytes also checked its source code and build processes, including "reverse engineering our own software", but could not find any evidence of compromise, concluding that "our software remains safe to use."
I don't really see why credentials can be assigned to default service principals this way and what a possible legitimate purpose would be of this
How was Malwarebytes breached? The company's report gives some, but not complete, information on this subject. In Microsoft's cloud there are directory objects called service principals, to which privileges can be assigned. A service principal is specific to an Azure AD tenancy and represents an application in that tenancy. When admins grant permissions to an application, they are actually granting permissions to its service principal, so anyone who can add a credential (a password or certificate) to that service principal can sign in as the application and use those permissions.
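The pattern described above, privileged permissions sitting on a service principal to which a credential has been added, can be checked for from two exports that Azure AD provides: the service principal objects (with their credentials and app role assignments) and the directory audit log. The script below is an added example written for this article, not code from Malwarebytes or Microsoft. It assumes the input is JSON shaped like the Microsoft Graph `servicePrincipal`, `appRoleAssignment` and `directoryAudit` objects; every record in it is a constructed sample, and the permission IDs should be resolved from the Microsoft Graph service principal's own `appRoles` list in your tenant rather than trusted from here.

```python
"""Triage for service principals that hold a credential and a tenant-wide
mail permission, correlated with recent 'Add service principal credentials'
audit events. Added example; all sample data below is constructed."""
from datetime import datetime, timezone

# Microsoft Graph application permissions that let an app read mailboxes
# tenant-wide. Names are matched after resolving appRoleId via the resource's
# appRoles, so no permission GUID has to be memorised.
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}
# Azure AD audit activity written when a password or certificate is added.
CREDENTIAL_EVENTS = {"Add service principal credentials"}


def resolve_app_roles(resource_sps):
    """Map (resource SP object id, appRoleId) -> permission name (e.g. Mail.Read)."""
    return {(sp["id"], role["id"]): role["value"]
            for sp in resource_sps for role in sp.get("appRoles", [])}


def has_credentials(sp):
    return bool(sp.get("keyCredentials") or sp.get("passwordCredentials"))


def find_risky_service_principals(sps, assignments, role_table):
    """Service principals that both hold a credential and are assigned a mail
    permission. assignments: {sp object id: [appRoleAssignment, ...]}."""
    findings = []
    for sp in sps:
        if not has_credentials(sp):
            continue
        perms = {role_table.get((a["resourceId"], a["appRoleId"]), a["appRoleId"])
                 for a in assignments.get(sp["id"], [])}
        mail = perms & MAIL_PERMISSIONS
        if mail:
            findings.append({"id": sp["id"], "name": sp["appDisplayName"],
                             "permissions": sorted(mail)})
    return findings


def parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def find_credential_additions(records, since):
    """Credential-add audit events newer than `since`, with actor and target SP."""
    out = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_EVENTS:
            continue
        when = parse_time(rec["activityDateTime"])
        if when < since:
            continue
        by = rec.get("initiatedBy") or {}
        actor = ((by.get("user") or {}).get("userPrincipalName")
                 or (by.get("app") or {}).get("displayName") or "unknown")
        for target in rec.get("targetResources", []):
            if target.get("type") == "ServicePrincipal":
                out.append({"sp_id": target["id"], "actor": actor, "at": when})
    return out


def correlate(sps, assignments, resource_sps, records, since):
    """Risky service principals that also had a credential added since `since`."""
    risky = {f["id"]: f for f in
             find_risky_service_principals(sps, assignments, resolve_app_roles(resource_sps))}
    return [{**risky[add["sp_id"]], "actor": add["actor"], "at": add["at"].isoformat()}
            for add in find_credential_additions(records, since) if add["sp_id"] in risky]


# ---- constructed sample export (not a real tenant) -------------------------
GRAPH_SP = {  # the Microsoft Graph resource service principal; object id is per tenant
    "id": "c1c1c1c1-0000-4000-8000-000000000001",
    "appId": "00000003-0000-0000-c000-000000000000",
    "appRoles": [
        {"id": "810c84a8-4a9e-49e6-bf7d-12d183f40d01", "value": "Mail.Read"},
        {"id": "e2a3a72e-5f79-4c64-b1b1-878b674786c9", "value": "Mail.ReadWrite"},
        {"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "value": "Directory.Read.All"},
    ],
}
SERVICE_PRINCIPALS = [
    {"id": "sp-mailer", "appDisplayName": "Mail Archiver",
     "passwordCredentials": [{"keyId": "k1"}], "keyCredentials": []},
    {"id": "sp-reporting", "appDisplayName": "Reporting",   # mail permission, no credential
     "passwordCredentials": [], "keyCredentials": []},
    {"id": "sp-inventory", "appDisplayName": "Inventory",   # credential, no mail permission
     "passwordCredentials": [{"keyId": "k2"}], "keyCredentials": []},
]
ASSIGNMENTS = {
    "sp-mailer": [{"appRoleId": "810c84a8-4a9e-49e6-bf7d-12d183f40d01", "resourceId": GRAPH_SP["id"]}],
    "sp-reporting": [{"appRoleId": "e2a3a72e-5f79-4c64-b1b1-878b674786c9", "resourceId": GRAPH_SP["id"]}],
    "sp-inventory": [{"appRoleId": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "resourceId": GRAPH_SP["id"]}],
}
AUDIT_RECORDS = [
    {"activityDateTime": "2021-01-16T03:12:44Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}, "app": None},
     "targetResources": [{"type": "ServicePrincipal", "id": "sp-mailer", "displayName": "Mail Archiver"}]},
    {"activityDateTime": "2020-11-02T09:00:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "ops@example.onmicrosoft.com"}, "app": None},
     "targetResources": [{"type": "ServicePrincipal", "id": "sp-inventory", "displayName": "Inventory"}]},
    {"activityDateTime": "2021-01-16T03:15:01Z", "activityDisplayName": "Update service principal",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}, "app": None},
     "targetResources": [{"type": "ServicePrincipal", "id": "sp-mailer", "displayName": "Mail Archiver"}]},
]
SINCE = datetime(2021, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in correlate(SERVICE_PRINCIPALS, ASSIGNMENTS, [GRAPH_SP], AUDIT_RECORDS, SINCE):
        print(hit)
```

On the sample data only "Mail Archiver" is reported: it holds a secret, is assigned Mail.Read on Microsoft Graph, and had a credential added after the cut-off. "Reporting" has the permission but no credential, and "Inventory" has a credential but only a directory-read permission, so neither can be used to read mail in the way the article describes. In a real tenant, feed the script the full `servicePrincipals` export including first-party (default) service principals, since those are the ones the quoted researcher is concerned about.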
Users are not the same as applications, but there are techniques by which a user can log in as ..