Hacker News

Seriously? This reads like a joke. They brute forced some tenant test systems.

Fine, I bet the password was Password123!, but then "they used account's permissions" to access various corporate emails. How is that even possible? What does it mean "they used the account's permissions"? Are you telling me there was no privilege separation between a tenant test environment and the internal domain? That the tenant system was not in its own isolated network? This is absolutely insane. Whenever I read stuff like that I wonder if some junior IT employee didn't just buy a new home for cash a few months ago. I'm all for "don't look for malice where incompetence is a sufficient explanation", but that's just a little too much incompetence to be believable.


