CyberSecurity SEE

Government agencies targeted in cyber attacks on their email systems, according to Microsoft

Microsoft has recently disclosed an attack against customer email accounts, revealing that it affected several U.S. government agencies and resulted in stolen data. While there are still unanswered questions surrounding the attacks, Microsoft has provided some details to shed light on the situation.

The attack, which lasted for a month, began on May 15 and was reported to Microsoft by a federal civilian executive branch agency in June. The threat actor responsible has been identified as Storm-0558, a China-based group that Microsoft has been tracking. The group broke into email accounts by exploiting a vulnerability in Outlook Web Access (OWA) in Exchange Online and Outlook.com, forging the authentication tokens it used to gain access. Around 25 organizations, including government agencies, were affected by this breach.

Fortunately, Microsoft was able to successfully block further access by the threat group, and all affected organizations were promptly notified. According to a blog post from the Microsoft Security Response Center (MSRC), Storm-0558 has a history of targeting government agencies in Western Europe for activities such as espionage, data theft, and credential access.

It is worth noting that the suspicious activity was initially detected by the Cybersecurity and Infrastructure Security Agency (CISA), which then notified Microsoft. CISA published an advisory that included an attack timeline, technical details, and mitigation recommendations. The advisory stated that an executive branch agency had observed suspicious activity in its Microsoft 365 (M365) environment the previous month, and that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data after using an acquired MSA key to forge the tokens that granted them access.

Both Microsoft and CISA confirmed that the threat actors used the forged tokens to access Outlook Web Access and Outlook.com. Microsoft acknowledged that it does not yet know how the threat group obtained the MSA key, but it is suspected to have been acquired through covert means.

Customer action is not required, according to Microsoft, but CISA has provided mitigation recommendations. Additionally, the FBI and CISA advised critical infrastructure organizations to strengthen their cloud defenses and implement baseline security configurations for Microsoft Exchange, Azure, and other Microsoft products and services.

Charlie Bell, the executive vice president of security at Microsoft, took accountability for the breach in a separate blog post, stating that Microsoft remains committed to ensuring their customers’ safety. He mentioned that the incident serves as a learning opportunity for Microsoft, prompting them to evaluate and enhance their identity/access platforms to manage evolving risks associated with keys and tokens.

This email attack is not the only incident that Microsoft has disclosed recently. They have released two other security advisories detailing additional threat activities. One advisory revealed that a Russia-based threat group exploited an unpatched zero-day vulnerability in Office and Windows products for an ongoing phishing campaign. The second advisory shed light on a campaign where threat actors weaponized Windows drivers with forged signatures, resulting in several cyber attacks. Attribution for these incidents remains unknown.

In addition to these incidents, Microsoft confirmed last month that disruptions in M365 and Azure services were not due to technical issues but resulted from powerful Layer 7 DDoS attacks. These attacks caused significant disruptions to various cloud services throughout June.

In conclusion, Microsoft’s disclosure of an attack against customer email accounts that affected U.S. government agencies serves as a reminder of the ongoing cybersecurity threats faced by organizations. The attribution to a China-based threat group and the prompt action taken by Microsoft and government agencies to mitigate the attack demonstrate the importance of robust security measures and continuous monitoring. As cyber threats continue to evolve, it is crucial for organizations to remain vigilant and proactive in safeguarding their systems and data.
