Azure compromised account - Refund policy

Question

Azure compromised account - Refund policy

Chris 0

Hello, I have the following question regarding Microsoft’s policy for compromised accounts.

Last November/2022 a customer's Microsoft 365 account was compromised. The malicious actor created a massive amount of resources, that resulted to a large consumption that exceeded 50,000 USD, in three days. That amount could be easily reach 100 thousands or more. After opening a ticket, Microsoft responded that they cannot refund the amount due to the policy described here: https://learn.microsoft.com/en-gb/partner-center/non-payment-fraud-misuse, that is completely irrelevant to the case, as all resources were created and consumed without the knowledge of the Customer. Microsoft Support also suggested that: "You should subscribe to receive Azure fraud notifications to be alerted if potential fraud is detected so you can take appropriate action to mitigate the fraud". Although we were subscribed, there wasn’t any notification triggered for the fraud. Later Microsoft Support admitted that: "The Azure fraud notification system in Partner Center currently does not detect all types of fraud and is not guaranteed to detect all types of anomalous usage".

Is this really Microsoft's policy for compromised accounts and how Microsoft handles this type of incidents? Shouldn’t Microsoft have in place a mechanism that protects its Partners and Customers from excessive consumption? I do not believe it is normal to partner with a company that can put you in such a high financial risk. Best Regards, Chris

Petr Tylk 0 Reputation points

2024-03-27T12:52:52.6466667+00:00

Hi Chris Hi can you let us know how you solved your situation? We are in the same situation now. Thanks

1 answer

Your answer

Petr Tylk 0 Reputation points

2024-03-27T12:52:52.6466667+00:00

Hi Chris Hi can you let us know how you solved your situation? We are in the same situation now. Thanks

Answer 1

David Broggy 6,191 MVP

Hi Chris, I sincerely feel for your concerns.

Your point is excellent education for both newcomers and existing organizations that use any 3rd party services which have public access.
I can suggest to anyone reading this article to take very seriously the monitoring of all resources under your own responsibility.

Some good tips that have worked for me:

Set alerts for cost caps which will email you the moment they're exceeded.
Use Resource Locks to restrict the enablement of new resources.
Limit the number of users with admin access.
Use PIM to minimize the hours any user has access to privileged use.
Configure Sentinel to monitor, alert and even automatically lock out unauthorized use.
Configure Conditional access and 2FA to restrict user entry.

Chris 0 Reputation points

2023-04-07T07:48:09.5233333+00:00

Hi David, Thank you for your message. Unfortunately cost alerts and Azure budgets can be easily overridden when an account is compromised. The only defense line is Azure fraud detection and notification system and Budget control in Partner Center, that in our case didn't work. Conditional access, PIM, Sentinel require additional licenses that customers are not always willing to pay. My concern here is the way that Microsoft handles these cases and how easy for a malicious actor is to create and consume thousands of resources in Azure without anyone get notified. It is also disappointing that Microsoft references a policy that actually accuses the end-user as a fraud although all resources were created without the knowledge of the end-user. Best Regards, Chris.

Share via

Azure compromised account - Refund policy

1 answer

Your answer