The flaw wasn't considered a major issue until Windows 8 began allowing users to sign into their Microsoft accounts -- which links their Xbox, Hotmail and Outlook, Office, and Skype accounts, among others.
Overnight, the attack got larger in scope, and now it allows an attacker to conduct a full takeover of a Microsoft account. The flaw works because Internet Explorer and Edge (on Windows 10) allow a user to access local network shares but don't fully block connections to remote shares.
There's a simple mitigation, according to the group. Don't use Internet Explorer, Edge, or Microsoft Outlook, and don't log in to Windows with a Microsoft account.