Risk & Repeat: Microsoft takes heat over Storm-0558 attacks

The recent email compromises of several Microsoft customers, including U.S. government agencies, has raised questions about the company's response as many questions remain unanswered.

Microsoft on July 11 disclosed an attack against customer email accounts by a China-based, nation-state-affiliated threat actor designated Storm-0558. In an initial series of two blog posts, the tech giant said attackers gained access to 25 organizations, including U.S. government agencies, via forged authentication tokens in Outlook Web Access in Exchange Online and Outlook.com.

The campaign, which began May 15 and lasted a month, occurred because Storm-0558 obtained a Microsoft account consumer signing key to forge authentication tokens for both Azure Active Directory (AD) enterprise and MSA users.

In an advisory posted at the time, CISA said it first discovered the campaign when an unnamed federal civilian executive branch (FCEB) agency discovered suspicious activity in its Microsoft 365 environment in June. It was revealed that the FCEB agency only became aware of the intrusion because it had logging capabilities only available on the highest-tier E5 and G5 Azure licenses, which are also the most expensive.

This detail led to criticism against Microsoft, and the company announced shortly after that it would roll out enhanced logging capabilities for lower-tier Azure customers in September.

Microsoft also faced criticism for its response to the threat campaign. The vendor said in a July 14 update that it was still investigating how Storm-0558 obtained the MSA key. As of early August, Microsoft has still not provided additional details nor an update on its investigation.

On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discuss the Storm-0558 attacks, Microsoft's cloud transparency and more.

Subscribe to Risk & Repeat on Apple Podcasts.

Alexander Culafi is a writer, journalist and podcaster based in Boston.