A recent discovery by Stratus Security has brought to light critical vulnerabilities in Microsoft's Dynamics 365 and Power Platform (often discussed under the broader Microsoft 365 umbrella), exposing sensitive data across industries such as finance, healthcare, and government. The flaws sit in the Dataverse Web API used by Dynamics 365, Power Apps and Power Pages, and they put millions of records at risk globally. This article covers what the vulnerabilities were, how they were exploited, what they mean for affected organizations, and what practitioners can do to reduce the risk of a repeat.
Unveiling the Vulnerabilities
Dynamics 365 and Power Apps: A Closer Look
Microsoft's Dynamics 365 is a CRM/ERP suite, and Power Apps is a low/no-code platform for building business applications. Both store their data in the "Dataverse," which is exposed through APIs that enforce table and column-level permissions: a caller is only supposed to read the columns it has been granted. Stratus Security's research found three ways to get around those permissions:
- OData Web API Filter Bypass: The Web API correctly refused to return restricted columns such as password hashes in a query's `$select`, but it still evaluated `$filter` predicates against them. Because the response reveals whether a row matched, an attacker could test predicates (for example, prefix matches) against a restricted column and reconstruct its value one character at a time without ever being allowed to read it directly, the same inference technique used in blind (boolean-based) SQL injection.
- Orderby Query Exploit: After Microsoft patched the filter issue on February 4, 2024, a second bypass emerged. Sorting on a restricted column with the `$orderby` query option (for example, `$orderby=<restricted column> desc`) was not subject to the same permission check, and attackers could use it to reach restricted columns without the incremental inference the first bypass required.
- FetchXML API Exploit: The third bypass used the FetchXML query interface, which ignored the column restrictions entirely and let attackers query restricted columns directly. This one was particularly alarming because it needed no clever technique at all and could expose data at scale.
Who Was Affected?
The bypasses potentially affected thousands of Power Pages sites. Power Pages is the Power Platform product for building external-facing websites on top of Dataverse, and it exposes the Web API to site visitors subject to the table permissions a site owner configures, which is exactly the control the bypasses circumvented. Such sites are widely used by consulting firms, nonprofits, healthcare providers, and financial institutions, and their default tables such as "contacts" and "accounts" often hold personal information, financial details, and even government ID numbers. Stratus Security's estimate is that millions of records were at risk, though the exact number has not been disclosed.
Implications of the Breach
Data and Business Risks
- Credential Compromise: Leaked password hashes could be cracked offline (how quickly depends on the hashing algorithm and on password strength) and the recovered credentials reused to break into corporate accounts, giving attackers a foothold in critical systems.
- Sensitive Information Exposure: Personal and financial data could be used for identity theft, social engineering, or phishing campaigns.
- Monetization of Data: Threat actors could sell the data on dark web marketplaces, leading to widespread exploitation.
Financial and Reputational Impact
The IBM Cost of a Data Breach Report estimates an average cost of $165 per exposed record. Assuming exposure of 14 million records—similar to recent large-scale breaches—the financial impact could exceed $2.3 billion. The reputational damage for affected organizations and Microsoft further compounds the issue.
10 Measures to Prevent Future Threats
Conclusion
The vulnerabilities uncovered in Dynamics 365 and Power Pages underscore the need for rigorous security practices in modern digital ecosystems, and they carry a specific engineering lesson: permission checks enforced on the columns a query returns are not enough when the same query can filter or sort on columns the caller may not read. While Microsoft's swift action in patching these flaws is commendable, the incident is a stark reminder of the evolving nature of cyber threats. Organizations running Power Pages should review their table permissions and column-level security settings, and more broadly must remain vigilant, prioritize robust cybersecurity frameworks, and adopt proactive measures to protect sensitive data.