Microsoft disclosed an attack against customer email accounts that affected U.S. government agencies and led to stolen data.
While questions remain about the attacks, Microsoft provided some details in two blog posts Tuesday, including attribution to a China-based threat actor it tracks as Storm-0558. The monthlong intrusion began on May 15 and was first reported to Microsoft by a federal civilian executive branch (FCEB) agency in June.
During the attack, the threat actor breached email accounts using Outlook Web Access (OWA) in Exchange Online and Outlook.com by forging authentication tokens. Microsoft said attackers gained access to approximately 25 organizations, including government agencies.
All affected organizations were notified, and Microsoft said it "successfully blocked" further Storm-0558 access. The threat group is known to target government agencies in Western Europe for espionage, data theft and credential access purposes, according to a Microsoft Security Response Center (MSRC) blog post.
While Microsoft has mitigated the attack vector, CISA was first to initially detect the suspicious activity. The government agency published an advisory that included an attack timeline, technical details and mitigation recommendations. CISA said an FCEB agency discovered suspicious activity in its Microsoft 365 (M365) environment sometime last month.
"The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data," CISA wrote in the advisory.
It appears that access was limited in scope, as CISA said it only affected a small number of accounts. Unlike Microsoft, CISA has not provided attribution of the attacks.
Big questions remain unanswered
To gain email access, the attackers used a Microsoft account (MSA) sign-in key to forge tokens to impersonate users, Microsoft and CISA confirmed.
"The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com. ... The actor exploited a token validation issue to impersonate Azure AD [Active Directory] users and gain access to enterprise mail," MSRC wrote in the blog post.
It's unclear how the threat actor acquired the MSA key. Microsoft did not respond to TechTarget Editorial's requests for comment.
Microsoft has said no customer action is required, but CISA provided mitigation recommendations. Both CISA and the FBI urged critical infrastructure organizations to ensure enhanced audit logging is enabled and that relevant logs are accessible to operational teams. CISA noted in its advisory that the FCEB agency was only able to identify the suspicious activity by using enhanced logging, which detected unusual MailItemsAccessed events in its M365 environment.
"CISA and FBI are not aware of other audit logs or events that would have detected this activity," the agency said. "Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity."
Even though mitigations fell on Microsoft and the software giant said no customer actions are needed, CISA and the FBI recommended hardening cloud defenses and implementing baseline security configurations for Microsoft Exchange, Azure, and other Microsoft products and services.
In a separate blog post, Charlie Bell, executive vice president of security at Microsoft, said accountability for the breached email accounts "starts right here at Microsoft."
"We remain steadfast in our commitment to keep our customers safe," Bell wrote. "We are continually self-evaluating, learning from incidents, and hardening our identity/access platforms to manage evolving risks around keys and tokens."
The email attack is one of many incidents Microsoft has publicly disclosed over the past month. Two other security advisories were released Tuesday that detailed additional threat activity. The first revealed that a Russia-based threat group exploited a zero-day vulnerability that remains unpatched in Office and Windows products to conduct an ongoing phishing campaign. The second shed light on a campaign where threat actors weaponized Windows drivers with forged signatures. Attribution remains unknown, but the threat resulted in several cyber attacks.
And last month, Microsoft confirmed M365 and Azure service disruptions were not related to technical issues, but were actually caused by powerful Layer 7 DDoS attacks. The attacks caused major disruptions to various cloud services throughout June.
Arielle Waldman is a Boston-based reporter covering enterprise security news.