
China-based hackers gain unauthorized access to US federal executive branch emails

In a recent disclosure, Microsoft has revealed that a cyberattack orchestrated by a China-based “nation-state actor” has successfully gained access to email accounts hosted on Exchange Online and Outlook.com. The targets of the attack reportedly include approximately 25 organizations, including several government agencies.

Microsoft has stated that the mitigation of the attack has been completed. The company has attributed the attack to a threat actor known as Storm-0558, which is believed to operate out of China. Storm-0558 has a history of targeting government agencies in Western Europe and specializes in activities such as espionage, data theft, and credential access. Microsoft has emphasized that it has taken action to block the use of tokens created by the compromised Microsoft account key, and a new key has been put in place.

The compromise of the email accounts occurred through the unauthorized use of a Microsoft account key, which was utilized to generate tokens for accessing Outlook Web Access and Outlook.com. A flaw in token validation meant that these forged tokens were accepted as valid, enabling Storm-0558 to impersonate Azure AD users and gain unauthorized access to the affected accounts.

Microsoft has been diligent in responding to the incident. The company has reached out to all organizations that were targeted or compromised directly through their tenant administrators. These organizations have been provided with crucial information to assist them in investigating and responding to the breach. Microsoft has assured entities that have not been contacted that their investigations have shown no impact on these organizations.

Following Microsoft’s disclosure, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have also released a statement regarding the cyberattack. They confirm that at least one US federal civilian executive branch agency was compromised during the attack. However, CISA and the FBI have clarified that the leaked data was limited to unclassified information. The compromise was initially detected in mid-June when the affected agency noticed an abnormal application ID being used to access email account messages.

In light of this incident, the US government has advised organizations to implement certain measures to detect similar attacks in the future. Specifically, enabling logging for the “mail items accessed” event in Microsoft 365’s auditing system can help identify unauthorized activity. Critical infrastructure organizations, in particular, have been urged to ensure this feature is activated to enhance their cyber defenses.
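The detection the agency relied on, an unfamiliar application ID reading mailboxes, can be checked over exported "MailItemsAccessed" audit records. The following is an added example, not code from Microsoft, CISA or the article: it parses constructed JSON-lines records shaped after Unified Audit Log entries (field names AppId, MailboxOwnerUPN and ClientIPAddress are assumed; the GUIDs and addresses are placeholders) and reports every application ID outside a tenant's allow-list together with the mailboxes and source addresses it touched.

```python
import json
from collections import defaultdict

# Constructed sample records (not real log data), modelled on Unified Audit Log
# "MailItemsAccessed" entries. GUIDs, addresses and mailbox names are placeholders.
SAMPLE_AUDIT_LOG = """
{"Operation": "MailItemsAccessed", "AppId": "11111111-aaaa-4000-8000-000000000001", "MailboxOwnerUPN": "alice@agency.example", "ClientIPAddress": "203.0.113.10", "CreationTime": "2023-06-15T08:01:00"}
{"Operation": "MailItemsAccessed", "AppId": "11111111-aaaa-4000-8000-000000000001", "MailboxOwnerUPN": "bob@agency.example", "ClientIPAddress": "203.0.113.11", "CreationTime": "2023-06-15T08:02:00"}
{"Operation": "MailItemsAccessed", "AppId": "99999999-bbbb-4000-8000-00000000dead", "MailboxOwnerUPN": "alice@agency.example", "ClientIPAddress": "198.51.100.7", "CreationTime": "2023-06-15T03:14:00"}
{"Operation": "MailItemsAccessed", "AppId": "99999999-bbbb-4000-8000-00000000dead", "MailboxOwnerUPN": "carol@agency.example", "ClientIPAddress": "198.51.100.7", "CreationTime": "2023-06-15T03:15:00"}
{"Operation": "Send", "AppId": "99999999-bbbb-4000-8000-00000000dead", "MailboxOwnerUPN": "carol@agency.example", "ClientIPAddress": "198.51.100.7", "CreationTime": "2023-06-15T03:16:00"}
"""

# Application IDs this tenant expects to read mailboxes (placeholder value).
EXPECTED_APP_IDS = {"11111111-aaaa-4000-8000-000000000001"}


def parse_mail_items_accessed(raw: str) -> list[dict]:
    """Parse a JSON-lines audit export, keeping only MailItemsAccessed records."""
    records = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") == "MailItemsAccessed":
            records.append(rec)
    return records


def find_unexpected_app_ids(records: list[dict], expected: set[str]) -> dict:
    """Group mailbox reads by AppId and report those outside the allow-list.

    Returns {app_id: {"mailboxes": [...], "source_ips": [...], "events": n}}
    so an analyst sees the blast radius, not just a single alert.
    """
    by_app = defaultdict(lambda: {"mailboxes": set(), "source_ips": set(), "events": 0})
    for rec in records:
        app_id = rec.get("AppId", "<missing AppId>")  # a missing AppId is itself suspicious
        if app_id in expected:
            continue
        entry = by_app[app_id]
        entry["mailboxes"].add(rec.get("MailboxOwnerUPN", "<unknown>"))
        entry["source_ips"].add(rec.get("ClientIPAddress", "<unknown>"))
        entry["events"] += 1
    return {app: {"mailboxes": sorted(v["mailboxes"]),
                  "source_ips": sorted(v["source_ips"]),
                  "events": v["events"]} for app, v in by_app.items()}


if __name__ == "__main__":
    hits = find_unexpected_app_ids(parse_mail_items_accessed(SAMPLE_AUDIT_LOG), EXPECTED_APP_IDS)
    for app_id, info in hits.items():
        print(f"unexpected AppId {app_id}: {info['events']} reads across "
              f"{len(info['mailboxes'])} mailboxes from {info['source_ips']}")
```

Records only exist if the audit feature is enabled for the mailboxes in question, which is why the guidance above stresses turning it on before an incident rather than after.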

The Microsoft cyberattack highlights the ongoing threat posed by nation-state actors and the need for robust cybersecurity measures. Organizations, especially those in sensitive sectors such as government agencies, must remain vigilant and take proactive steps to protect their systems and data. Collaboration between private entities and government agencies, as demonstrated in this case, is crucial in mitigating the impact of such attacks and sharing valuable insights for future prevention.
