The Deputy CISO blog series is where Microsoft Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more. In this article, Raji Dani, Vice President and Deputy CISO for Microsoft business functions, finance, and marketing at Microsoft, dives into the importance of securing customer service solutions.
In my role as Deputy CISO for Microsoft’s business operations, I focus on the unique risks within our customer support operations. The tools and processes that empower our customer support agents are essential for helping customers, but if architected with excessive privilege or trusted too broadly between services, they can introduce significant risk to Microsoft and our customers. Understanding and mitigating these risks is a core part of my job, and this post shares the key lessons we apply in this space.
Customer support agents require powerful tools to resolve customer issues—unlocking accounts, troubleshooting complex environments, and more. Because these tools are so powerful, if they are not properly architected or protected they can be harmful in the wrong hands. Cyberattackers know that customer support operations can require privileged access, and that organizations sometimes treat customer support as an auxiliary function—resulting in a lower security bar. As a result, cyberattackers see customer support as an attractive target that can potentially serve as a vector to gain access to sensitive data and environments. To use the common security parlance, a major reason driving cyberattacker focus on customer support infrastructure is that this infrastructure can provide them with an opportunity to move laterally into the core services that host customer data.
These risks are not theoretical. Recent cyberattacks, including those by nation-state actors like Midnight Blizzard, have targeted customer support operations at Microsoft and across the industry. Cyberattackers have targeted resources across customer support ecosystems—spanning support agent identities, case management systems, and diagnostic tools—in an attempt to steal valuable data and gain access to other environments.
Given the risks described above, a comprehensive security strategy is needed that spans the identities used for customer support and the tools used by those identities, specifically focusing on mitigating the risk that these identities and tools can be exploited in an attempt to access other environments or data. With that in mind, we are implementing (and will continually refine) the following approaches to mitigate risk in the customer support space.
At Microsoft, we create dedicated identities curated and secured for the customer support function. These identities are separate from the accounts employees use to perform the parts of their job not related to customer support. Standardizing and strengthening these customer support identities—with Phishing-Resistant Multifactor Authentication (PRMFA) and identity isolation—is foundational, as this helps mitigate the risk of lateral movement. Cyberattackers often target support agent accounts using phishing and password spray techniques, knowing that identity security can vary, especially when third parties are involved.
Even with hardened identities, we adopt an assume-breach mindset. We implement least privilege and enforce device protection so that no agent has standing access to support tools or data. Access is granted only for active cases, and permissions are tightly scoped—this is known as case-based role-based access control (RBAC), based on strong just-in-time (JIT) and just-enough-access (JEA) implementations that are informed by active cases. Additionally, when an agent does need to work on a case, they operate from restricted, managed virtual desktops that prevent downloading unauthorized software, further reducing breach risk by reducing the likelihood that a malware-infected device is able to operate against customer support tools or data.
Support tools often require access to production environments like Microsoft 365 or Microsoft Azure—for example, an agent may need to troubleshoot a performance issue on a customer’s Azure Virtual Machine. We ensure the tools used for these scenarios operate with scoped privileges and avoid unsafe high privileged access (HPA) patterns. Critically, we minimize service-to-service (S2S) trust. Support tools are designed to perform only specific support functions, with tightly scoped permissions against downstream resources that they may need to access. By limiting S2S trust, we prevent cyberattackers from using compromised support tools to access or damage production environments.
Continuing with the theme of assume breach, we implement strong telemetry across all the previously mentioned scenarios—we have to assume that cyberattackers will exploit our tools and operations, no matter how much we harden them. Strong telemetry gives our incident response teams visibility into any possible anomalies or attempts to exploit customer support agents or the tools they use, which enables us to stop potential cyberattacks faster. The fact that agents use a dedicated, isolated identity for customer support also enables us to more effectively respond if compromise is suspected since we can target our response operations precisely within the dedicated identity boundary.
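The three preceding paragraphs describe one access model: a case-based RBAC decision over a dedicated, PRMFA-backed identity on a managed desktop, tool permissions scoped to a narrow set of downstream actions (limited S2S trust), and a telemetry record for every decision. The following is an added illustration written for this post, not Microsoft's implementation; the data model, the field names, the tool permission map, and the in-memory telemetry list are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical model of the controls in the post (not Microsoft's code): dedicated
# support identity, PRMFA, managed VDI, case-scoped JIT/JEA, telemetry per decision.
@dataclass
class Case:
    case_id: str
    assignee: str        # dedicated support identity working the case
    tenant: str          # customer scope the case is about
    status: str          # "active" or "closed"
    expires: int         # end of the JIT access window (epoch seconds)

@dataclass
class Session:
    identity: str
    identity_type: str   # "support" (dedicated) or "corporate"
    prmfa: bool          # phishing-resistant MFA satisfied
    managed_vdi: bool    # restricted, managed virtual desktop

# JEA: each support tool may perform only its own narrow set of downstream actions.
TOOL_PERMISSIONS = {"vm-diagnostics": {"vm:read_metrics", "vm:read_logs"},
                    "account-unlock": {"account:unlock"}}
TELEMETRY: list[dict] = []   # constructed in-memory stand-in for an audit pipeline

def authorize(session, case, tool, action, tenant, now):
    """Case-based RBAC: every check must pass, and every decision is recorded."""
    checks = [
        (session.identity_type == "support", "non-support identity"),
        (session.prmfa, "PRMFA not satisfied"),
        (session.managed_vdi, "unmanaged device"),
        (case.status == "active", "case not active"),
        (case.assignee == session.identity, "agent not assigned to case"),
        (now < case.expires, "JIT window expired"),
        (tenant == case.tenant, "resource outside case scope"),
        (action in TOOL_PERMISSIONS.get(tool, set()), "action not permitted for tool"),
    ]
    failed = next((why for ok, why in checks if not ok), None)
    decision, reason = ("deny", failed) if failed else ("allow", "all checks passed")
    TELEMETRY.append({"ts": now, "identity": session.identity, "case": case.case_id,
                      "tool": tool, "action": action, "decision": decision, "reason": reason})
    return decision == "allow", reason

def anomalies(window_start, max_denies=3):
    """Detection helper: identities with repeated denials since window_start."""
    denied = {}
    for e in TELEMETRY:
        if e["ts"] >= window_start and e["decision"] == "deny":
            denied[e["identity"]] = denied.get(e["identity"], 0) + 1
    return sorted(i for i, n in denied.items() if n >= max_denies)
```

Because the decision log is keyed to the dedicated support identity, the `anomalies` helper shows how repeated denials can be attributed to exactly that identity boundary during response.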
Customer support tooling and operations can be exploited by cyberattackers to harm Microsoft and our customers. We cannot treat customer support as an auxiliary function with a low security bar. Given its relationship to core infrastructure, maintaining a high security posture is essential to prevent lateral movement by cyberattackers. We achieve this through identity isolation and protection, case-based RBAC, removal of unsafe access patterns, minimizing S2S trust, and strong telemetry at all layers to detect and mitigate anomalies.
These lessons extend beyond customer support—any business function historically considered auxiliary should be deeply understood for lateral movement risk and secured to a higher standard if needed. Security is not just a technical imperative. It’s a shared responsibility that must extend to every corner of the digital ecosystem, including customer support infrastructure and other business functions. Whether your organization manages its own support center or relies on a third-party provider, it’s important not to treat customer support as an afterthought in terms of security.
Approaches like ours—anchored in identity segmentation, JIT and JEA, case-based RBAC, task-specific controls, and enhanced telemetry—don’t have to be exclusive to large enterprises. They can be realistically adapted by organizations of all sizes. For those with in-house customer support teams, it’s a good idea to invest in security training and align performance metrics with secure outcomes. If you’re using third-party providers, require transparency, enforce contractual security obligations, and ensure that access controls are tightly scoped and monitored. All organizations, whether small businesses or large enterprises, should be mindful of the applications they use for customer support—how they’re designed, how they’re configured, and how they interact with other systems and data. Any customer support applications that can access sensitive resources or data need to have the strongest controls. Finally, having an assume breach mindset is critical. All organizations should implement strong telemetry that provides visibility into potential anomalies at both the identity and tooling layers, so potential cyberattacks can be quickly spotted and remediated.
Security isn’t just a technical concern—it’s a shared responsibility that reaches every part of your digital ecosystem, including customer support infrastructure. Whether you manage your own support center or work with a third-party provider, don’t treat customer support as an afterthought when it comes to security.
Approaches like JIT and JEA, case-based RBAC, task-specific controls, and enhanced telemetry aren’t just for large enterprises. Organizations of all sizes can adapt them. If you have an in-house support team, invest in security training and align performance metrics with secure outcomes. If you work with third-party providers, require transparency, enforce contractual security obligations, and make sure access controls are tightly scoped and monitored. Even the smallest organizations should be mindful of the customer support applications they use—how they’re designed and configured matters.
The goal is to close gaps in your security. Treat customer support infrastructure as critical and apply layered, context-aware controls to reduce exposure to session hijacking and lateral movement across your network. Security must be holistic—it’s about protecting not just what you build, but also what supports it. These lessons apply to other business functions too, like sales, consulting, and reseller relationships. Each of these areas may use tools or systems that could allow lateral movement into core infrastructure. That’s why it’s important to prioritize these tools and make sure they meet the highest security standards.
To stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization’s security posture, join the Microsoft CISO Digest distribution list.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
The post The importance of hardening customer support tools against cyberattacks appeared first on Microsoft Security Blog.
Source: Microsoft Security