Microsoft unveiled new features for its political clients last week as the company continues to grapple with the fallout from the latest high-profile hack associated with its email platform.
A recent Wall Street Journal report noted how an estimated 250,000 Microsoft Exchange servers worldwide belonging to businesses, government offices and schools were vulnerable to four zero-day bugs. Microsoft released patches on March 2, but hackers were installing back doors as early as January.
Joe Stocker, a cybersecurity consultant who serves on Microsoft’s Security Partner Advisory Council, said that the latest breach dwarfs the earlier one associated with American software company SolarWinds.
“SolarWinds had 18,000 vulnerable customers. When you do the math on it, it’s fourteen times the size of SolarWinds,” said Stocker, who in 2020 trained campaigns on how to use Microsoft’s AccountGuard cyber security services. “We’re seeing more threat activities now globally in the first quarter of this year than we have in other years. It’s almost like there’s a cyber war going on. It’s extremely intense. Just think about the scale of these last two attacks that were back-to-back.”
In an interview with C&E, Jan Neutze, senior director of Digital Diplomacy and Head of the Defending Democracy Program at Microsoft, said the latest high-profile hacks just underscore the need for great attention to be paid to cybersecurity. “All of these attacks, taken together, are proof that there is a very well resourced and focused set of adversaries out there.”
PatriotConsulting CEO Stocker and others have estimated that there are now 11 nation-state-backed threat groups probing U.S. cyber defenses at all levels — and the campaign industry remains a ripe target for hack-and-leak operations.
With that in mind, on Tuesday Microsoft announced it was re-upping some contributors to the AccountGuard program. Going forward, limited-edition swag will still include free YubiKeys as part of the services bundle.
The keys offer two-factor authentication and protect against phishing attacks. Microsoft also announced the general availability of passwordless authentication solutions for Azure Active Directory (Azure AD).
“It’s so important to fortify and up your protections when it comes to especially your email accounts because phishing attacks continue to be a major threat vector,” said Neutze. “2020 overall was a success story in terms of having improved defenses for the political and campaign ecosystem, but I think we cannot and should not rest on those laurels.”
Since 2018, Microsoft has been offering low- or no-cost technology solutions to campaigns, generally focused around email and network identity protection. Following an FEC ruling in 2019, last cycle the company offered campaigns and committees security solutions at free-to-low-cost through Robby Mook and Matt Rhoades’s Defending Digital Campaigns non-profit. “Our pilot showed that organizations taking advantage of these tools saw an 18% improvement in their Microsoft Identity Protection Security Score,” Microsoft said.
Neutze said he’s watching what moves cyber threat groups make in Europe ahead of important elections in the Netherlands, Finland, Estonia, the Czech Republic and, in particular, Germany, which could be a proving ground for tactics that will be used against U.S. political entities in the midterms.
“We are going to be watching very carefully what we’re seeing on the cyber side, but also the disinformation side to see if any interesting or novel techniques are being explored in other regions, other contexts,” Neutze said.
Stocker, who helps onboard AccountGuard clients and “harden their Office 365 environment,” said consultants and even candidates should be doing a threat assessment on their businesses and campaigns now.
“If I was an adversary, I would be targeting them when they’re not looking for it. It’s like Sun Tzu’s Art of War, they’re going to hit you when you’re weak.”