October 28, 2022 update: Added a Customer FAQ section.
Summary
Security researchers at SOCRadar informed Microsoft on September 24, 2022, of a misconfigured Microsoft endpoint. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services.
Upon being notified of the misconfiguration, the endpoint was quickly secured and is now only accessible with required authentication. Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers.
Customer Impact
The business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner. The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability. We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints.
We appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue. Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.
More importantly, we are disappointed that SOCRadar has chosen to release publicly a “search tool” that is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk. We recommend that any security company that wants to provide a similar tool follow basic measures to enable data protection and privacy:
- to implement a reasonable verification system to ensure that a user is who it purports to be;
- to follow data minimization principles by scoping the results delivered solely to information pertaining to _that _verified user only;
- where that company is not in a position to determine with reasonable fidelity which customers had affected data, to not then surface to a given user information (including metadata/filenames) that may belong to another customer.
We have focused our attention on directly notifying impacted customers and provided them with instructions for contacting Microsoft with questions or concerns. If you did not receive a Message center communication, our investigation did not identify an impact to you or your organization.
-MSRC
Customer FAQs
Q: How do I know if I was affected by this misconfigured endpoint? A: Microsoft notified affected customers about this issue via Message center starting on October 4, 2022 (Pacific Time).
Q: I have concerns that my organization was impacted by this issue but I don’t see a notification from Microsoft. What should I do? A: We sent Message center notifications to affected customers using a Data Privacy tag which means only users with a global administrator role or a Message center privacy reader role can view the notification. These roles are appointed by your organization. You can learn more about these roles and how to assign them here.
Q: Was the misconfigured endpoint part of Microsoft cloud services? A: No. The misconfigured endpoint did not allow access to the production environment of a Microsoft cloud service. Customer environments, tenants and subscriptions were not affected by this issue.
Q: I’m an affected customer. Can you tell me what data of mine was in the misconfigured endpoint? A: To ensure high confidence of attributing affected data to the correct customer, we use strict validation methods when investigating potentially affected data, and we are providing that data where attributable. Customers should refer to their Message center notification for more information as this is our secure method of communicating with Microsoft 365 customers about privacy and security events.
Q: Was this issue the result of a vulnerability? A: No, this issue was the result of an unintentional misconfiguration on an endpoint that is no longer in use across the Microsoft ecosystem.
Q: I have more questions. What is the best way for me to get support? A: Customers can reach Microsoft several different ways:
- Sign-in to Microsoft 365 with your Microsoft 365 admin account and select Support > New service request. If you’re in the admin center, select Support > New service request.
- If you’re an admin on the account, call (800) 865-9408 (toll-free, US only). If you’re outside the United States, see the global support phone numbers.