Microsoft Acknowledges an Issue That Triggered Widespread Alerts in Its Entra ID Protection System

2025/04/22 03:06

Microsoft has confirmed a recent issue that led to widespread alerts in its Entra ID Protection system, warning of high-risk user accounts due to alleged credential leaks on the dark web.

The alerts, which impacted system administrators globally, were attributed to a combination of an internal token logging error and the rollout of a new security feature called MACE Credential Revocation, causing confusion among IT professionals.

Token Logging Issue Sparks Alerts

Microsoft identified that it was inadvertently logging a subset of short-lived user refresh tokens for a small percentage of users, deviating from its standard practice of only logging metadata.

This issue was promptly corrected, and the affected tokens were invalidated to protect users. However, this invalidation process unintentionally generated alerts in Entra ID Protection, indicating that users' credentials may have been compromised.

The alerts occurred between 4:00 AM and 9:00 AM UTC on April 20, 2025, and there was no evidence of unauthorized access to these tokens. If any is detected, Microsoft will follow standard security incident response protocols.

MACE Rollout Triggers False Positives

Concurrently, Microsoft rolled out its new security feature, MACE Credential Revocation, over the same weekend, aiming to detect and respond to potentially compromised credentials by checking for matches on the dark web and other sources.

However, the rollout led to widespread false positives, with accounts being flagged as high risk despite having strong, unique passwords and multi-factor authentication (MFA) enabled.

Social media posts and online forums, including Reddit, reported similar experiences, and some administrators noted that even passwordless accounts were affected, further suggesting that the alerts were erroneous.

One administrator shared on Reddit: "I just got a half dozen alerts for accounts supposedly found with valid credentials on the dark web. ... The six accounts don't have much in common ... There are no risky sign-ins, no other risk detections, everyone is MFA."

The user added that the accounts didn't show any matches on Have I Been Pwned (HIBP), fueling suspicions of a Microsoft error.

Microsoft's Response and Customer Actions

Microsoft has advised affected customers to use the "Confirm User Safe" feature in Entra ID Protection to resolve the erroneous high-risk flags, as detailed in its documentation.

This feature allows administrators to manually clear the risk status for affected users. Additionally, Microsoft recommends resetting passwords for any locked accounts and ensuring that MFA is enabled, although many affected accounts already had these measures in place.

Administrators can also review sign-in logs in the Microsoft Entra admin center under Monitoring & Health for error codes like AADSTS50053, which indicate account lockouts.

Ongoing Investigation and Recommendations

Microsoft is currently conducting a Post Incident Review (PIR) to investigate both the token logging issue and the MACE rollout's false positives.

The PIR will be shared with affected customers through official channels and open support cases. Customers are encouraged to configure Azure Service Health alerts to receive updates on the PIR and future Azure service issues.

Administrators facing these alerts are advised to:

The incident has sparked frustration among IT professionals, with posts on X describing the MACE rollout as "ruining" their weekend due to false alarms.

One user remarked, "Microsoft rolled out a new dark web credential detection app called MACE this Easter weekend, which promptly ruined my Saturday with its false alarm on my primary M365/Entra ID account."

Another post highlighted the scale, noting that an MDR provider received over 20,000 notifications overnight.

This incident follows other recent cybersecurity challenges, such as Microsoft's April 2025 Patch Tuesday, which addressed 126 vulnerabilities, including an actively exploited zero-day (CVE-2025-29824). While unrelated to the Entra issue, it underscores the heightened scrutiny on Microsoft's security processes.

Microsoft's swift acknowledgment and corrective actions demonstrate its commitment to user security, but the false positives have highlighted the challenges of rolling out new security features at scale.

Administrators are urged to remain vigilant, follow Microsoft's guidance, and leverage external monitoring tools to ensure their systems remain secure. For further updates, customers can monitor the Azure Service Health portal or contact Microsoft support directly.
