Full Report
Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID "leaked credentials" detection app called MACE. [...]
Analysis Summary
# Incident Report: Widespread Microsoft Entra User Lockouts Due to New Feature Rollout
## Executive Summary
A widespread, non-malicious incident occurred in which numerous organizations experienced mass lockouts of Microsoft Entra ID user accounts, triggered by Microsoft's rollout of a new security feature designed to detect leaked credentials. The trigger was a vendor-side configuration change (deployment of the "MACE Credential Revocation" application) that produced incorrect identity protection alerts and, in turn, account lockouts. Operations were disrupted, but nothing indicated actual compromise.
## Incident Details
- **Discovery Date:** Not specified; the source report was "posted early this morning", so discovery was the same day.
- **Incident Date:** Not specified; the lockouts began with the feature rollout.
- **Affected Organization:** Numerous organizations worldwide relying on Microsoft Entra ID (formerly Azure AD).
- **Sector:** All sectors utilizing Microsoft Entra ID for identity management.
- **Geography:** Global (as applicable to all Entra users).
## Timeline of Events
### Initial Access
- **Date/Time:** Configuration change initiated prior to mass lockouts.
- **Vector:** Vendor-side configuration deployment by Microsoft to customer tenants.
- **Details:** The "MACE Credential Revocation" application, a new Microsoft Entra feature designed to detect leaked credentials, was rolled out to tenants.
### Lateral Movement
- **N/A.** This was not an external attack. The effect propagated through Microsoft's service-side risk detections and tenants' Conditional Access policies, not through attacker movement between systems.
### Data Exfiltration/Impact
- **Impact:** Mass user account lockouts, surfaced as Conditional Access denials with error code 53003, reportedly affecting up to one-third of users in some organizations. No data exfiltration or actual compromise was indicated.
### Detection & Response
- **How it was discovered:** Administrators observed a flurry of Entra alerts indicating leaked credentials, followed by user reports of being locked out.
- **Response actions taken:** Organizations opened support cases with Microsoft. Microsoft confirmed the issue was related to the MACE rollout, and its engineering team was working to change the status of the affected cases from "compromise" to "lockout".
## Attack Methodology
This incident was not an external cyberattack, so the MITRE ATT&CK tactics below apply only loosely. The "attack" was a configuration error that generated false positives:
- **Initial Access:** Microsoft internal deployment of "MACE Credential Revocation" application.
- **Persistence:** N/A.
- **Privilege Escalation:** N/A.
- **Defense Evasion:** N/A.
- **Credential Access:** N/A. The feature *searches* for leaked credentials, but the lockouts occurred without evidence of actual credential theft; checks against HIBP returned no matches.
- **Discovery:** N/A. (The MACE feature itself performs the discovery step by validating credentials against breach data.)
- **Lateral Movement:** N/A.
- **Collection:** N/A.
- **Exfiltration:** N/A.
- **Impact:** Risk detections from the new feature triggered tenants' Conditional Access policies, producing widespread error code 53003 denials.
## Impact Assessment
- **Financial:** Unspecified, but likely involved costs related to IT support staff redirection to resolve mass lockouts.
- **Data Breach:** None confirmed. Affected accounts showed no signs of compromise, and breach notification services (like HIBP) had no matches.
- **Operational:** Significant immediate disruption due to large numbers of users being unable to access resources.
- **Reputational:** Potential minor impact on the perceived reliability of M365/Entra ID, requiring prompt clarification from Microsoft.
## Indicators of Compromise
Because this was a platform malfunction rather than an intrusion, conventional defensive IoCs do not apply; the useful diagnostic markers are:
- **Network indicators:** N/A.
- **File indicators:** N/A.
- **Behavioral indicators:** A burst of Conditional Access denials with **error code 53003** across many users in a short period, preceded by a flurry of Entra "leaked credentials" alerts for accounts that show no other sign of compromise.
## Response Actions
- **Containment measures:** Organizations documented the affected user lists and symptoms while awaiting vendor guidance.
- **Eradication steps:** Dependent on Microsoft; the underlying cause was an application misconfiguration requiring vendor intervention.
- **Recovery actions:** Admins likely had to manually verify and clear affected accounts where possible, or wait for Microsoft's backend change to allow sign-ins again.
## Lessons Learned
- **Key takeaways:** New feature rollouts, even security-focused ones, carry an inherent risk of wide-scale unintended impact when they are not adequately tested or staged before deployment.
- **What could have been done better:** Microsoft could have staged the rollout more gradually, or tested it more comprehensively, before deploying a change that affects production authentication across many tenants.
## Recommendations
- Organizations should closely monitor sign-in and Conditional Access logs (failures with error code 53003 in particular) after any major feature change in a critical identity service such as Entra ID, and treat a sudden burst of identical risk detections across many users as a possible platform issue rather than assuming mass compromise.
- Establish clear communication channels with cloud vendors for widespread authentication disruptions, so that the organization can quickly determine whether an event is an active attack or a platform issue.