A China-based threat actor was able to access cloud-based Microsoft email accounts of approximately 25 organizations — including government agencies, as well as related consumer accounts of individuals likely associated with these organizations — by forging authentication tokens to access user email, the company has warned.
It doesn’t say how, but the group — which Microsoft dubs Storm-0558 — acquired a Microsoft account (MSA) consumer signing key. Then, for several weeks starting on May 15, it broke into Outlook Web Access (OWA) in Exchange Online and Outlook.com accounts.
Microsoft said in a report Tuesday that since being notified of suspicious activity in June, it blocked Storm-0558 from accessing customer email using forged authentication tokens. The company has contacted all targeted or compromised organizations directly via their tenant admins and provided them with important information to help them investigate and respond. If you haven’t been contacted by now, your organization hasn’t been impacted.
Microsoft’s warning came the same day as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a cybersecurity advisory saying unnamed advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data from a unnamed federal civilian executive branch agency.
The CISA report says an unnamed APT actor accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts using a Microsoft account (MSA) consumer key. It was used to forge tokens to impersonate consumer and enterprise users, the CISA report says. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.
Microsoft said in its report that the gang used the acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems, and should only be valid for their respective systems. But the gang was able to exploit a token validation issue to impersonate Azure AD users and access enterprise mail.
“We have no indications that Azure AD keys or any other MSA keys were used by this actor,” Microsoft said. “OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key.”
The CISA and the FBI strongly encourage critical infrastructure organizations to enable audit logging, which caught this event. Federal agencies are obliged to do so.
In addition the CISA says organizations should
- enable Purview Audit (Premium) logging. This logging requires licensing at the G5/E5 level. See Microsoft’s guidance on Assigning Microsoft 365 Licenses to Users for additional information;
- ensure logs are searchable by operators. The relevant logs need to be accessible to operational teams in a platform (e.g., security operations center [SOC] tooling) that enables hunting for this activity and distinguishing it from expected behavior within the environment;
- enable Microsoft 365 Unified Audit Logging (UAL). UAL should be enabled by default, but organizations are encouraged to validate these settings;
- understand your organization’s cloud baseline. Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic.