According to Reuters, hackers abused Microsoft’s Microsoft 365 platform and monitored the U.S. Treasury Department for months.

However, Microsoft denied that its cloud services had been hacked. “We also want to clarify to all customers that we have not identified vulnerabilities in any of Microsoft’s products and cloud services in these investigations,” the statement said. Microsoft nevertheless stressed that it was conducting a large-scale investigation involving government and private enterprises, and warned security personnel to pay attention to the following signs:

This leads to the attacker gaining a foothold in the network, which can be used to obtain higher credentials. Microsoft Defender can now detect these files. See also the SolarWinds security bulletin.

An intruder uses administrative rights obtained through an on-premises compromise to access the organization’s trusted SAML token signing certificate. In this way, they can forge SAML tokens that impersonate any existing user or account in the organization, including those with higher privileges.

Abnormal logins using SAML tokens created by the compromised token signing certificate can then be made against any on-premises resource (regardless of identity system or vendor) and any cloud environment (regardless of vendor), because these are configured to trust the certificate. Because the SAML tokens are signed with the organization’s own trusted certificate, organizations may miss the anomalies.

With a highly privileged account obtained through the above techniques or other means, attackers can add their own credentials to an existing application service principal, enabling them to call the API with the permissions assigned to the application.
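
One way to watch for the last sign above, as an added example that is not from the original article or from Microsoft: a Python check that scans directory audit records for credentials added to an application or service principal. The record shape and activity names are assumptions modelled on Azure AD audit logs; the sample events and the `expected_actors` allowlist are constructed.

```python
import json

# Substrings of audit activity names that record a credential change (assumed names).
CREDENTIAL_OPS = ("service principal credentials", "Certificates and secrets management")

def _keys(raw):
    """Decode a KeyDescription value, assumed to be a JSON-encoded list of strings."""
    try:
        value = json.loads(raw or "[]")
    except (TypeError, ValueError):
        return []
    return value if isinstance(value, list) else []

def added_credentials(events, expected_actors=frozenset()):
    """Return one finding per credential added to an app or service principal."""
    findings = []
    for ev in events:
        name = ev.get("activityDisplayName", "")
        if ev.get("result") != "success" or not any(op in name for op in CREDENTIAL_OPS):
            continue
        who = ev.get("initiatedBy") or {}
        actor = ((who.get("user") or {}).get("userPrincipalName")
                 or (who.get("app") or {}).get("displayName") or "unknown")
        for target in ev.get("targetResources") or []:
            for prop in target.get("modifiedProperties") or []:
                if prop.get("displayName") != "KeyDescription":
                    continue
                old, new = _keys(prop.get("oldValue")), _keys(prop.get("newValue"))
                for key in (k for k in new if k not in old):
                    findings.append({
                        "time": ev.get("activityDateTime"), "actor": actor,
                        "target": target.get("displayName"), "credential": key,
                        "existing_principal": bool(old),  # key added beside older ones
                        "unexpected_actor": actor not in expected_actors})
    return findings

def _ev(time, op, actor, target, old, new):  # builds one constructed sample record
    prop = {"displayName": "KeyDescription", "oldValue": json.dumps(old), "newValue": json.dumps(new)}
    return {"activityDateTime": time, "activityDisplayName": op, "result": "success",
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"displayName": target, "modifiedProperties": [prop]}]}

SAMPLE_EVENTS = [  # constructed sample events, not real log data
    _ev("2021-01-05T02:14:00Z", "Add service principal credentials", "svc-admin@example.test",
        "MailArchiver", ["[KeyIdentifier=k1]"], ["[KeyIdentifier=k1]", "[KeyIdentifier=k2]"]),
    _ev("2021-01-05T09:30:00Z", "Update application – Certificates and secrets management",
        "deploy@example.test", "NewApp", [], ["[KeyIdentifier=k3]"]),
    _ev("2021-01-05T10:00:00Z", "Update user", "helpdesk@example.test", "alice", [], []),
]
```

Findings with both `existing_principal` and `unexpected_actor` set are the ones to triage first, since they match a new key placed on an application that already had credentials by an account that does not normally manage it.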