Despite the growing interest in cloud accounts by opportunistic and state-sponsored actors, too many organizations fail to implement basic security measures to protect their cloud apps, such as multi-factor authentication (MFA) for administrators and users.
This is the concerning finding of a report recently released by Microsoft, according to which just 22% of Azure Active Directory customers implement strong authentication mechanisms such as MFA or passwordless authentication.
In a cloud-first world, identity is the new battleground, as the same report states: the growing number of mega breaches has led to a wide availability of compromised credentials that can be recycled for password-spraying or credential-stuffing attacks. These attacks are convenient and effective because of their relatively low effort and, in contrast, the high return on investment given the value of a compromised account.
Inevitably, this simplicity has ended up attracting the unwelcome attention of state-sponsored actors, such as APT28 (AKA Fancy Bear, Sofacy, or STRONTIUM) and the Iran-linked DEV-0343, just to mention two recent campaigns targeting cloud accounts. Sadly this is not enough to raise awareness and push the enforcement of stronger security policies, considering that another study from Microsoft revealed that 99.9% of compromised accounts do not use MFA.