NSA Warns Microsoft Users—Stop Hackers Accessing Your Accounts

America’s NSA has issued a stark Microsoft warning given the continual “exploitation of vulnerabilities.” The agency’s advice is aimed at admins running on-premise Microsoft setups, but includes critical guidance for users as well. This follows Microsoft’s own warning for users, as hackers continue to gain access to unsecured accounts.

The NSA advisory urges organizations with on-premise Exchange setups to adopt its list of best practices. Whilst extensive, it boils down to fast patching, retiring defunct servers, restricting admin access and enabling multi-factor authentication for accounts. Put simply — stop hackers breaking in or logging in to accounts and networks.

Arguably, the NSA document, which has been released in conjunction with America’s cyber defense agency, provides a better, all-in-one guide than is available from Microsoft itself. The frustration will be that nothing here is new or revolutionary. But despite a frightening rise in ransomware and other attacks, adherence remains patchy.

NSA warns that “multi-factor authentication is widely recognized as one, if not the most, important preventative security controls available today.” But despite this, “it is notoriously difficult to deploy and many organizations, small and large, still have not done so even if they recognize the value.”

On that note, Microsoft has just reiterated its own advice that “even when attackers possess valid usernames and passwords, multi-factor authentication blocks access in over 99% of cases.” Just as with NSA’s persistent, repeated advice, this 99% MFA stat dates back to 2019. And yet adherence is nowhere close to where it should be.

Microsoft has famously committed to pushing its billion-plus account holders to delete passwords completely and to adopt passkeys instead. This is an easy-to-use equivalent to the hardware-based authentication keys that may be provided by your organization.

These options link account security to hardware security. A passkey does so by restricting usage to a device you’re logged into: your phone, PC or tablet. But despite its push to delete passwords, Microsoft is not making as much progress as expected.
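To make concrete what linking account security to hardware security means, here is an added Go example; it is not code from the article, from Microsoft, Dashlane or the NSA advisory. It models a passkey-style sign-in: the private key is generated on the device and never leaves it, the server keeps only the public key, and each sign-in signs a one-time challenge bound to the relying party's identity. The relying-party id `login.example`, the user name and the look-alike domain are constructed for the demonstration. It goes a little beyond the paragraph by also showing why a captured signature cannot be replayed and why the device refuses to sign for a phishing domain, which is the property that makes a stolen username and password useless on its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty is the account provider. It stores only the public half of each
// account's key pair plus any outstanding sign-in challenge; no password exists.
type RelyingParty struct {
	ID      string
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

// Authenticator stands in for the user's device. The private key is created here
// and never leaves this struct, which is what ties the account to the hardware.
type Authenticator struct {
	rpID string
	priv ed25519.PrivateKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register creates a key pair on the device for this relying party and hands
// only the public key to the server.
func (rp *RelyingParty) Register(user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = pub
	return &Authenticator{rpID: rp.ID, priv: priv}, nil
}

// Challenge issues a fresh random nonce for one sign-in attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// signedData binds the signature to the relying party's identity and the
// challenge, mirroring how WebAuthn signatures cover the origin and the nonce.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert is the device answering a challenge. It refuses to sign for any relying
// party other than the one it was registered with, which defeats phishing pages.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	if rpID != a.rpID {
		return nil, errors.New("credential is bound to a different relying party")
	}
	return ed25519.Sign(a.priv, signedData(rpID, challenge)), nil
}

// Verify checks the signature against the stored public key and the outstanding
// challenge, then discards the challenge so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	challenge, pendingOK := rp.pending[user]
	if !ok || !pendingOK {
		return false
	}
	delete(rp.pending, user)
	return ed25519.Verify(pub, signedData(rp.ID, challenge), sig)
}

// Scenario runs a legitimate sign-in, a replay of the captured signature, and a
// phishing site on a look-alike domain relaying a real challenge to the device.
func Scenario() (legit, replay, phishRefused bool, err error) {
	rp := NewRelyingParty("login.example") // constructed relying-party id
	dev, err := rp.Register("alice")        // constructed user
	if err != nil {
		return
	}
	c, err := rp.Challenge("alice")
	if err != nil {
		return
	}
	sig, err := dev.Assert("login.example", c)
	if err != nil {
		return
	}
	legit = rp.Verify("alice", sig)

	// The old signature is offered again against a fresh challenge.
	if _, err = rp.Challenge("alice"); err != nil {
		return
	}
	replay = rp.Verify("alice", sig)

	// A look-alike domain (constructed) asks the device to sign its challenge.
	c2, err := rp.Challenge("alice")
	if err != nil {
		return
	}
	_, signErr := dev.Assert("login-example.test", c2)
	phishRefused = signErr != nil
	return
}

func main() {
	legit, replay, phish, err := Scenario()
	fmt.Println("legit:", legit, "replay:", replay, "phish refused:", phish, "err:", err)
}
```

The three outcomes are the whole argument for passkeys in miniature: the server holds nothing an attacker can log in with, a signature is worthless once its challenge is consumed, and the device will not sign for a domain it was not registered against. Real deployments add attestation and counter checks, but the trust boundary is the same: the private key stays on the hardware the user is logged into.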

Dashlane’s latest passkey report lauds Google as the class-leader. “Google passkey authentications exploded by 352% over the past year,” following the company’s decision in 2023 “to make passkeys the default login option for personal Google Accounts.”

While Google’s move “effectively exposed hundreds of millions of users to passwordless authentication, creating the largest real-world deployment of passkeys to date,” Microsoft is nowhere close to this level of adoption yet despite a similar decision.

According to Dashlane, “while not a member of the top 20 most popular passkey domains,” Microsoft is one of the “fastest-growing passkey domains.” Its commitment to passwordless security has driven “120% growth in passkey authentications.” The fact it so badly lags Google’s personal account adoption highlights the complexity when MFA falls to organizations and not individuals. Thus this latest NSA warning.

NSA says attacks on Microsoft accounts “remain persistent,” with “Exchange environments continuously targeted for compromise and should be considered under imminent threat.” If you don’t have MFA at work, ask why. While the primary threat is to the organization, it affects you as well. You do not want to find your account the initial entry point for a ransomware or other attack,
