Microsoft has acknowledged a recent issue that triggered widespread alerts in its Entra ID Protection system, flagging user accounts as high risk because of supposed credential leaks on the dark web. The alerts have been attributed to a combination of an internal token logging error and the rollout of a new security feature called MACE Credential Revocation, and they caused confusion among system administrators globally.

Microsoft identified that it was inadvertently logging a subset of short-lived user refresh tokens for a small percentage of users, contrary to its standard practice of logging only metadata. The invalidation of those tokens unintentionally generated alerts in Entra ID Protection between 4:00 AM and 9:00 AM UTC on April 20, 2025, indicating that users’ credentials may have been compromised. Microsoft has stated there is no evidence of unauthorized access to these tokens, but it will follow standard security incident response protocols if any is detected.

Compounding the issue, Microsoft rolled out a new security feature, MACE Credential Revocation, over the same weekend. The rollout led to widespread false positives, with accounts being flagged as high risk despite having strong, unique passwords and multi-factor authentication (MFA) enabled. One user remarked, “Microsoft rolled out a new dark web credential detection app called MACE this Easter weekend, which promptly ruined my Saturday with its false alarm on my primary M365/Entra ID account.” The user noted that the accounts showed no matches on Have I Been Pwned (HIBP), raising suspicions of a Microsoft error. Another post highlighted the scale, noting that an MDR provider received over 20,000 notifications overnight. Social media posts and online forums, including Reddit, have reported similar experiences, with some administrators noting that even passwordless accounts were affected, suggesting the alerts were erroneous.

Microsoft has advised affected customers to use the “Confirm User Safe” feature in Entra ID Protection to clear erroneous high-risk flags, as detailed in its documentation. Administrators can also review sign-in logs in the Microsoft Entra admin center under Monitoring & Health for error codes such as AADSTS50053, which indicate account lockouts. Additionally, Microsoft recommends resetting passwords for locked accounts and ensuring MFA is enabled, though many affected accounts already had these measures in place. Microsoft is conducting a Post Incident Review (PIR) to investigate both the token logging issue and the MACE rollout’s false positives.

Microsoft’s swift acknowledgment and corrective actions demonstrate its commitment to user security, but the false positives have highlighted the challenges of rolling out new security features at scale.
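Before bulk-applying “Confirm User Safe”, an administrator would want to separate users whose only active detection is a leaked-credentials event inside the stated 04:00–09:00 UTC window on April 20, 2025 from users who carry other detections. The triage below is an added example, not Microsoft’s code; it works over constructed records in the shape of Microsoft Graph `riskDetections` objects (field names `userId`, `riskEventType`, `riskState`, `detectedDateTime` are real Graph fields; the sample values and user IDs are made up).

```python
from datetime import datetime, timezone

# Incident window from Microsoft's statement (20 April 2025, UTC).
WINDOW_START = datetime(2025, 4, 20, 4, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 4, 20, 9, 0, tzinfo=timezone.utc)

# Constructed sample records (not real data) mirroring the subset of
# Graph /identityProtection/riskDetections fields used here.
SAMPLE_DETECTIONS = [
    {"userId": "u1", "riskEventType": "leakedCredentials",
     "riskState": "atRisk", "detectedDateTime": "2025-04-20T05:12:44Z"},
    {"userId": "u2", "riskEventType": "leakedCredentials",
     "riskState": "atRisk", "detectedDateTime": "2025-04-20T06:03:10Z"},
    {"userId": "u2", "riskEventType": "anonymizedIPAddress",   # unrelated signal
     "riskState": "atRisk", "detectedDateTime": "2025-04-19T22:41:00Z"},
    {"userId": "u3", "riskEventType": "leakedCredentials",     # outside window
     "riskState": "atRisk", "detectedDateTime": "2025-04-21T11:30:00Z"},
    {"userId": "u4", "riskEventType": "leakedCredentials",     # already handled
     "riskState": "dismissed", "detectedDateTime": "2025-04-20T07:00:00Z"},
]


def parse_graph_time(value):
    # Graph emits ISO 8601 with a trailing 'Z'; normalise for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_incident_window(detection):
    ts = parse_graph_time(detection["detectedDateTime"])
    return (detection["riskEventType"] == "leakedCredentials"
            and WINDOW_START <= ts < WINDOW_END)


def triage(detections):
    """Return (dismiss_candidates, investigate) as sorted user-ID lists.

    A user is a Confirm-User-Safe candidate only if every *active* detection
    on the account is a leakedCredentials event inside the incident window.
    Any other active detection keeps the user in the investigate bucket.
    """
    active_by_user = {}
    for d in detections:
        if d["riskState"] != "atRisk":
            continue  # dismissed/remediated records carry no pending risk
        active_by_user.setdefault(d["userId"], []).append(d)
    dismiss, investigate = [], []
    for user_id, items in sorted(active_by_user.items()):
        (dismiss if all(map(in_incident_window, items)) else investigate).append(user_id)
    return dismiss, investigate
```

The dismiss list is what you would feed to the “Confirm User Safe” action (the `riskyUsers/dismiss` Graph action); everything else stays open for a human review of the sign-in logs.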
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 21 Apr 2025 19:10:16 +0000