CyberSecurity SEE

Risk and Repeat: Microsoft under fire for Storm-0558 attacks

The recent email compromises of several Microsoft customers, including U.S. government agencies, have left many people with unanswered questions regarding the company’s response to the attacks. Microsoft, on July 11, disclosed an attack against customer email accounts by a China-based threat actor known as Storm-0558, which is affiliated with a nation-state. In a series of initial blog posts, Microsoft revealed that attackers were able to gain access to 25 organizations, including U.S. government agencies, by using forged authentication tokens in Outlook Web Access in Exchange Online and Outlook.com.

The attack campaign, which lasted for a month, started on May 15. Storm-0558 was able to obtain a Microsoft account (MSA) consumer signing key, which enabled it to forge authentication tokens for both Azure Active Directory (AD) enterprise and MSA users. It was not until June that the Cybersecurity and Infrastructure Security Agency (CISA) discovered the campaign following suspicious activity found in a federal civilian executive branch (FCEB) agency’s Microsoft 365 environment. The FCEB agency only became aware of the intrusion because it had the logging capabilities that are limited to the highest-tier E5 and G5 Azure licenses, which are also the most expensive.

This revelation stirred criticism aimed at Microsoft. The company faced scrutiny for only providing advanced logging capabilities to the most expensive Azure licenses, leaving lower-tier customers with limited visibility into potential security breaches. As a response to this criticism, Microsoft announced its plan to introduce enhanced logging capabilities for lower-tier Azure customers in September.

Furthermore, Microsoft received negative feedback regarding its response to the threat campaign. In a July 14 update, the company stated that it was still investigating how Storm-0558 acquired the MSA key. However, as of early August, Microsoft has yet to provide additional details or an update on the progress of its investigation. This lack of transparency and communication has added to the frustration felt by affected customers and the general public.

The Storm-0558 attacks and Microsoft’s handling of the situation have sparked discussions around cloud transparency and accountability. In a recent episode of the “Risk & Repeat” podcast, TechTarget editors Rob Wright and Alexander Culafi delve into these topics, shedding light on the significance of the attacks and dissecting the implications for Microsoft and its customers. The episode provides valuable insights into the incident and the broader cybersecurity landscape.

In conclusion, the recent email compromises targeting Microsoft customers, including U.S. government agencies, have raised serious concerns about the company’s response. Questions remain unanswered, particularly regarding how the attackers obtained the MSA key and the progress of Microsoft’s investigation. The incident has highlighted the need for enhanced logging capabilities for all customers and sparked discussions on cloud transparency and accountability. As the cybersecurity landscape continues to evolve, it is crucial for companies like Microsoft to prioritize effective incident response and communication to maintain customers’ trust and safeguard their sensitive information.
