FMG Law Blog Line

Posts Tagged ‘Microsoft’

Estimated 30,000 U.S. Organizations and Businesses Hacked Through Microsoft Exchange Server “Zero-Day” Vulnerabilities

Posted on: March 10th, 2021

By: John Ghose

State-sponsored hackers have accessed the Microsoft email environments of an estimated 30,000 U.S. organizations – including many small and medium-sized companies, universities, and government agencies. This hack is nearly twice the size of the recent SolarWinds hack, and immediate action is needed to determine whether your organization has been compromised. Below we explain how to assess whether your organization has been affected, and what to do if your data has been compromised.

On Wednesday, March 3, 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to businesses and organizations running Microsoft Exchange on-premises products. The emergency directive was prompted by a blog post written by Microsoft a day earlier that described successful efforts by a Chinese state-sponsored hacking group to exploit previously unknown “zero day” vulnerabilities in its MS Exchange product. Volexity, the security firm that first discovered the zero-day vulnerabilities, said in this article that hackers have been using these vulnerabilities to access victims’ email environments as far back as January 6, 2021.

According to guidance from Microsoft and CISA, if your organization uses MS Exchange on-premises (not cloud) servers, you should take the following steps immediately:

  • Run the free script and deploy the security updates provided by Microsoft to assess your exposure and patch your systems.
  • If these initial assessments reveal indicators of compromise, your organization should activate its incident response plan and contact your cyber insurance carrier, if you have one, which can assist you with retaining a law firm and forensics vendor for guidance and advice.
  • Finally, your organization should back up network data immediately. As reported by Brian Krebs, the security community fears that hackers could later exploit the web shell “back doors” installed as part of this hack by conducting a mass ransomware attack campaign to disrupt the American economy. Backing up data mitigates this ransomware risk.

If you need help with any of these steps, FMG’s Data Protection, Privacy, and Technology practice section is available and already advising several clients who have been affected by this breach. In addition, we are partnering with Tracepoint, a leading cyber incident response firm, to provide clients with a zero-cost initial consultation to help them determine what actions are needed because of this hack. Please contact co-chairs David Cole and John Ghose for further information.

Microsoft Takes Control of Domains Exploiting COVID-19 Crisis in Phishing Attacks

Posted on: July 17th, 2020

By: Barry Miller

Microsoft now controls several domain names that, according to the company, were used in attempts to get personal information from Microsoft account holders during the COVID-19 crisis.

A Virginia federal court issued a temporary restraining order July 7, finding good cause to believe that two John Doe defendants would likely violate federal law by using the domain names in phishing attacks. That order directed the registries to give Microsoft control over the hosting and administration of the offending internet domains.

The Court also unsealed Microsoft’s complaint. It alleges that the John Doe Defendants registered domains such as “OfficeInventorys.com” and “OfficeSuiteSoft.com,” using them to send emails “designed to look like they come from an employer or other trusted source.”

Links in those emails, if clicked, would lead the victim to servers hosting malicious web applications that interacted with Office 365 services. Those applications granted the criminals access to Office 365 accounts holding “email, contacts, notes and material stored in the victims’ One Drive for Business” or SharePoint, according to the complaint.

Microsoft’s Digital Crimes Unit began investigating these criminals in December 2019, according to a blog post from Tom Burt, Corporate Vice President, Customer Security and Trust. It blocked their activity but continued to monitor them. “Recently, Microsoft observed renewed attempts by the same criminals, this time using COVID-19 related lures in the phishing emails to target victims,” Mr. Burt’s post stated.

His post cited the FBI’s 2019 Internet Crime Report stating business email compromise attacks (BECs) are the most expensive complaints the Internet Crime Complaint Center receives. The FBI attributed losses exceeding $1.7 billion to BECs.

Mr. Burt pledged that Microsoft would continue to investigate and disrupt cybercriminals, but reminded users that cyber threats continue to evolve, making it “more important than ever to remain vigilant against cyber attacks.”

If you have questions or would like more information, please contact Barry Miller at [email protected].

Additional Information:

FMG has formed a Coronavirus Task Force to provide up-to-the-minute information, strategic advice, and practical solutions for our clients. Our group is an interdisciplinary team of attorneys who can address the multitude of legal issues arising out of the coronavirus pandemic, including issues related to Healthcare, Product Liability, Tort Liability, Data Privacy, and Cyber and Local Governments. For more information about the Task Force, click here.

You can also contact your FMG relationship partner or email the team with any questions at [email protected].

**DISCLAIMER: The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19. The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement. We can only give legal advice to clients. Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG. An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest. As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you. We will continue to produce educational content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice or creates an attorney-client relationship, and you cannot rely on it as such. We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.**

Massachusetts Superior Court Rules Non-Compete Agreement Fully Enforceable Despite Minor Change in Job Duties Between Signing and Enforcement of Agreement

Posted on: June 22nd, 2020

By: Janet Barringer and Zinnia Khan

The Massachusetts Superior Court’s recent decision in Now Business Intelligence, Inc. v. Sean Donahue, et al., held that minor changes in an employee’s job duties will not create a “new employment contract” so as to invalidate or obviate the employee’s existing non-compete agreement with the employer. This decision indicates that the best course of action for employers is to require employees to sign new non-competes in connection with substantial job changes. If there is any doubt or ambiguity as to whether a job change is “substantial” or “material,” we recommend consulting with counsel.

The decision in Now Business Intelligence, Inc. v. Sean Donahue, et al., centered on whether the employer, Now Business Intelligence, Inc. (“NBI”), may hold its former employee, Sean Donahue (“Donahue”), liable for breaching a non-compete agreement and thereby interfering with NBI’s business relations, or whether the nature of Donahue’s job had transformed since he was first hired and entered into the non-compete agreement so as to now invalidate the agreement under the “material change” doctrine. NBI maintained that its former employee breached the non-compete agreement, thereby violating the Massachusetts Consumer Protection Law (Chapter 93A).

By way of background, in F.A. Bartlett Tree Expert Co. v. Barrington, 353 Mass. 585 (1968), a case decided more than fifty years ago, Massachusetts law established that the “material change” doctrine may be invoked by a former employee to argue that a restrictive covenant in an employment agreement, such as a non-compete clause, is no longer enforceable because substantial changes to the nature of the employee’s job have occurred since the time the employee entered into the employment agreement.

In the recent NBI case, Donahue was a former Project Manager at NBI, a technology-based consulting company that places information technology specialists inside client companies to assist with, manage, or solve their technology issues. Immediately prior to his first day on the job at NBI, Donahue executed a non-compete and confidentiality agreement. During his first year at NBI, Donahue was assigned to assist NBI client Raytheon with its implementation of SharePoint, a proprietary Microsoft technology requiring specialized knowledge to implement and operate.

In or about July 2016, approximately eleven months after he signed his non-compete agreement, Raytheon cut short Donahue’s assignment due to its decision to pause SharePoint implementation. At this stage of Donahue’s employment, Donahue’s and NBI’s respective accounts of his ensuing job duties began to differ. NBI maintained that Donahue was experiencing a slow work period while his job title, key job duties, and rate of pay did not change. In contrast, Donahue claimed his position with NBI changed entirely from a Project Manager to a Sales Representative and included new duties such as recruiting customers for NBI and attending sales meetings. In or about August 2017, Donahue voluntarily left NBI to start his own consulting business. When NBI discovered that Donahue, after his departure from NBI, had provided SharePoint services to NBI’s former clients, including Raytheon, NBI sued Donahue to enforce the non-compete agreement. As a defense to NBI’s claims, Donahue invoked the “material change” doctrine and claimed the changes to his job beginning in July 2016 were material, thereby invalidating his non-compete agreement with NBI.

The Superior Court agreed with NBI that there were no material changes to Donahue’s job while at NBI which would invalidate his non-compete agreement. The Court noted that after his Raytheon assignment concluded, Donahue’s job title at NBI did not change, he was not asked to sign a new non-compete agreement, he was neither promoted nor demoted, his rate of pay remained the same, and SharePoint-related tasks remained a significant portion of his billable work. Additionally, the NBI court determined that certain changes to Donahue’s regular job duties, such as the need for occasional client pitches, were not a basis for invalidating the non-compete under Bartlett Tree. Further, NBI emphasized that changes to an employee’s job must be material for the “material change” doctrine to apply, and cited Bartlett Tree as an example. In Bartlett Tree, the employee’s job changed significantly over an eighteen-year period, including a promotion, different employment titles, different job duties, changes in remuneration, and changes in sales area. These changes, taken together, showed a clear new employment contract and that the original employment contract was “abandoned and rescinded by mutual consent.”

The NBI v. Donahue decision is helpful for employers because it reaffirms that only “material” job changes invalidate an existing employment agreement. Even so, employers must remain aware of the “material change” doctrine and the potential it holds for invalidating employment agreements. As a practical matter, it can be burdensome to require employees to enter into a new non-compete each time an employee’s position changes. Yet, if employees do not sign new agreements following a change in job duties or circumstances that is later deemed to be “material,” then a pre-existing non-compete may be deemed unenforceable.

The best course of action for employers is to require key employees to sign new non-competes in connection with substantial job changes. If there is any doubt or ambiguity as to whether a job change is “substantial” or “material,” we recommend consulting with counsel.

If you have questions or would like more information, please contact Janet Barringer at [email protected] or Zinnia Khan at [email protected].

Cybersecurity in Georgia Hits a Roadblock

Posted on: May 14th, 2018

By: Ze’eva Kushner

On May 8, 2018, Georgia’s Governor Nathan Deal made a controversial decision to veto a cybersecurity bill. Issued in the wake of the massive data breach of Atlanta-based Equifax, among other data breaches across the country, the cybersecurity bill would have made logging into a computer without permission illegal, even if no information was stolen. The recent ransomware attack on the City of Atlanta serves as a reminder of the potentially significant costs of not having computer systems adequately protected.

However, the bill included multiple exemptions, one of which would have permitted individuals to engage in active defense measures aimed at preventing or detecting unauthorized computer access. In the industry, this is often referred to as “hacking back.” The defensive actions could have included techniques such as using beaconing technology to determine the location of a hacker or leaving one’s own network to track down stolen data. The legality of these cyber defense measures is murky.

Google and Microsoft both urged Governor Deal to veto the bill, explaining that the active defense exemption would have authorized the hacking of other networks and systems under the pretext of cybersecurity and could potentially lead to anticompetitive behavior. According to Governor Deal, the end result of the bill would have hurt organizations’ ability to secure their computer systems.

If you have any questions or would like more information, please contact Ze’eva Kushner at [email protected].

Head In the Cloud – United States Supreme Court Takes On Application of Domestic Warrant To Information Stored Internationally

Posted on: March 9th, 2018

By: Glenn M. Kenna

The Supreme Court is set to decide a vital question this term – can the government use a warrant served in the United States to obtain emails stored abroad? The United States Government says it can; Microsoft disagrees. The case is United States v. Microsoft Corporation, in which the Supreme Court heard oral argument on February 27, 2018.

To understand the nature of the conflict, a little back story is necessary. Congress passed a law in 1986, the Electronic Communications Privacy Act (ECPA). Part of Title II of the ECPA, 18 USC § 2703, allows law enforcement agencies to issue warrants, so-called Section 2703 Warrants, to discover electronic communications stored in an “electronic communications system.” In other words, the government can serve a warrant on an email service provider, such as Microsoft, and obtain emails stored on Microsoft’s servers.

In the Microsoft case, the Government did exactly that. It served a warrant on Microsoft in Redmond, Washington to discover electronically stored communications in connection with an ongoing investigation into a crime allegedly committed in the United States. The issue at the heart of the dispute is that the warrant sought the contents of communications stored on servers in Ireland. In response to the warrant, Microsoft turned over domestically stored information (in this case, certain metadata about the emails) but refused to turn over the contents of the communications stored abroad. A legal battle between the Government and Microsoft ensued, ultimately leading to the Supreme Court granting cert.

In the ongoing dispute between Microsoft and the Government, Microsoft contends that the Government’s attempt to enforce the warrant is an extraterritorial act, i.e., an attempt by the Government to enforce United States law abroad. It further asserts that complying with the warrant could run afoul of the law in the country where the information is stored. The United States’ position is that, should the ECPA not apply to information stored abroad, every service provider would simply move its servers out of the United States – taking the communications beyond the reach of US law enforcement agencies. Moreover, it reasons, Microsoft can access the information domestically regardless of where the information is stored, which the government contends does not require the application of the ECPA abroad.

The ECPA pre-dates the internet. Email as we know it today did not exist in 1986. The drafters of the ECPA could not have imagined a world where people stored their entire lives on remote servers, or a world where those servers could be located anywhere across the globe. Those are issues with which courts continue to struggle, including the Supreme Court in this case.

It remains to be seen how the Court will rule in the Microsoft case, or whether Congress will act to modernize the ECPA before the Court’s decision (indeed, a bipartisan group of senators has introduced the CLOUD Act to address the issues raised in the Microsoft case). What is clear, however, is that Microsoft represents just one small part of an ongoing clash between law and technology. While not directly at issue in the Microsoft case, the dispute also raises the question: what right do we have to privacy in our electronic worlds?

If you have any questions or would like more information, please contact Glenn Kenna at [email protected].