👋 Good morning, folks!
It’s Tuesday, April 22nd, and welcome back to The Daily Threat. Today’s top story revolves around a significant mishap with Microsoft Entra that led to widespread account lockouts. Additionally, we’ll cover a critical Windows vulnerability exploited in phishing attacks and a recent update that caused issues with Windows Hello.
🧨 Today’s Top Story: Microsoft Entra Account Lockouts Caused by User Token Logging Mishap
What Happened:
Over the weekend, numerous organizations experienced unexpected Microsoft Entra account lockouts. The root cause? Microsoft inadvertently logged short-lived user refresh tokens into internal systems, leading to their invalidation. This action triggered Entra ID Protection alerts, falsely indicating credential leaks and resulting in automatic account lockouts.
Why It Matters:
This incident underscores the potential risks associated with internal logging practices and the cascading effects they can have on user access and trust. Organizations relying on Microsoft Entra for identity management faced disruptions, highlighting the importance of robust internal controls and transparent communication during such events.
What You Can Do:
Review and Adjust Logging Practices: Ensure that sensitive tokens or credentials are not logged in plaintext.
Implement Monitoring Tools: Utilize tools that can detect and alert on unusual account activities promptly.
Stay Informed: Keep abreast of advisories from service providers to respond swiftly to such incidents.
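As an added illustration of the first item (this is example code written for this newsletter, not anything from Microsoft), the filter below redacts refresh/access tokens, bearer headers and JWT-shaped strings before a log record is written, so a mishap like the one above cannot put tokens into plaintext logs. The token values and log messages are constructed samples.

```python
import io
import logging
import re

# Patterns for the secret shapes that most often leak into logs:
#  1. key=value or "key": "value" for OAuth/OIDC token fields
#  2. Authorization headers with a bearer token
#  3. bare JWT-like strings (three base64url segments joined by dots)
_PATTERNS = [
    (re.compile(r'(refresh_token|access_token|id_token|client_secret)'
                r'(["\']?\s*[:=]\s*["\']?)([^\s"\'&,}]+)'), r"\g<1>\g<2>[REDACTED]"),
    (re.compile(r"(bearer\s+)([A-Za-z0-9._~+/=-]+)", re.IGNORECASE), r"\g<1>[REDACTED]"),
    (re.compile(r"\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"), "[REDACTED]"),
]


def redact(text: str) -> str:
    """Return text with every recognised token shape replaced by [REDACTED]."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class TokenRedactingFilter(logging.Filter):
    """Scrub the message and its formatting args before any handler sees them."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str):
            record.msg = redact(record.msg)
        if isinstance(record.args, tuple):
            record.args = tuple(redact(a) if isinstance(a, str) else a for a in record.args)
        return True  # keep the record, just sanitised


def capture_redacted(messages: list[str]) -> str:
    """Log each message through the filter and return what actually got written."""
    buf = io.StringIO()
    logger = logging.Logger("token-safe")  # standalone logger, not the global registry
    logger.addFilter(TokenRedactingFilter())
    logger.addHandler(logging.StreamHandler(buf))
    for msg in messages:
        logger.info("auth event: %s", msg)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a JWT-shaped value that must never reach disk.
    jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abcdefghijklmnop"
    print(capture_redacted([f'{{"refresh_token": "{jwt}"}}', f"Authorization: Bearer {jwt}"]))
```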
⚡ Quick Hits
🎣 Windows NTLM Hash Leak Exploited in Phishing Attacks
A recently patched Windows vulnerability (CVE-2025-24054) is being actively exploited in phishing campaigns. Attackers use malicious .library-ms files to capture NTLM hashes, targeting government entities and private companies.
🔐 April 2025 Update Breaks Windows Hello on Some PCs
Microsoft’s April 2025 security updates have caused issues with Windows Hello, preventing some users from logging in using facial recognition or PIN. Affected users are advised to re-enroll their biometric data or use alternative login methods.
🧩 Did you know?
NTLM, or NT LAN Manager, is an old authentication protocol still used in some Windows environments. Despite its age, vulnerabilities in NTLM can still pose significant security risks if not properly managed.
🛡️ Expert Insight
“Incidents like the Microsoft Entra lockouts highlight the critical importance of secure logging practices. Even internal processes can have far-reaching impacts if not handled with care.”
— Alex Thompson, Cybersecurity Analyst
👋 That’s it for today!
If you found this update helpful, share The Daily Threat with a friend or colleague. Stay informed and secure by visiting dailythreat.com. See you tomorrow!
📚 And here are the article references for those of you still around who want to read more: