Some of you might have noticed a peculiar silence in the _secpro pages last week about a certain problem in the world of Microsoft. Allegedly, a Chinese threat actor group had obtained keys to the Microsoft backend and had started to wreak havoc on the internal state of the world’s largest tech company. We were intrigued; our interests were piqued and our ears picked, but we didn’t want to jump the gun on the story–which is always very easy to do. So, we’ve watched and waited to find out a little more about what happened last week and we can now deliver you a report which is more accurate than first assumed.
Sadly, it’s also a lot more boring.
What happened with the Chinese hack on Microsoft?
Chinese hackers exploited a vulnerability in Microsoft’s cloud email service to gain unauthorized access to approximately 25 email accounts, including those of U.S. government agencies and individuals associated with these organizations.
Microsoft was alerted to the intrusion by customers who noticed anomalous mail activity. The attack had gone undetected for about a month. The State Department was one of the federal agencies compromised. Microsoft confirmed that the breach has been successfully mitigated, and Storm-0558 no longer has access to the compromised accounts. However, it remains unclear if sensitive data was exfiltrated during the period the hackers had access.
Who was behind the hack?
The hacking group, known as Storm-0558, utilized forged authentication tokens to access user accounts through Outlook Web Access in Exchange Online (OWA) and Outlook.com. The group was described as a “well-resourced” adversary focused on espionage for intelligence collection.
The U.S. cybersecurity agency CISA stated that the attackers accessed unclassified email data, and a senior FBI official referred to the intrusion as a “targeted campaign” impacting government agencies in “single digits.” The U.S. government has not yet attributed the attack to China, but it was a government-backed actor that exfiltrated a limited amount of Exchange Online data.
CISA and the FBI urge any organization detecting anomalous activity in Microsoft 365 to report it to the agencies.
How did CISA and the FBI respond?
A government agency known as the Federal Civilian Executive Branch (FCEB) detected unusual activity within its Microsoft 365 (M365) cloud environment. The agency promptly reported the incident to both Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA). Subsequent investigation by Microsoft revealed that advanced persistent threat (APT) actors had gained unauthorized access to unclassified data from the Exchange Online Outlook platform.
In response to this security breach, CISA and the Federal Bureau of Investigation (FBI) have jointly issued a Cybersecurity Advisory to offer guidance to critical infrastructure organizations. The purpose of this advisory is to assist such entities in strengthening their monitoring capabilities for Microsoft Exchange Online environments. By implementing the logging recommendations provided in the advisory, organizations can enhance their cybersecurity posture and better detect any similar malicious activities.
In the event that organizations identify suspicious or anomalous activity, it is imperative to promptly notify Microsoft to initiate appropriate mitigation measures, considering the cloud-based nature of the affected infrastructure. Additionally, reporting such incidents to both CISA and the FBI is essential to facilitate comprehensive tracking and protection against potential threats.
What actually happened?
Here is the CISA report in short:
In Mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in M365 Audit Logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA.
Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts. The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse. Microsoft determined that this activity was part of a campaign targeting multiple organizations (all of which have been notified by Microsoft).
The affected FCEB agency identified suspicious activity by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppID). The MailItemsAccessed event enables detection of otherwise difficult to detect adversarial activity. CISA and FBI are not aware of other audit logs or events that would have detected this activity. Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.
How do I avoid suffering the same fate?
Audit logging is the word on everyone’s lips right now. If you’re unsure if your processes are up to scratch, check out this easy four-step process from CISA:
- Enable Purview Audit (Premium) logging
- Ensure logs are searchable by operators
- Enable Microsoft 365 Unified Audit Logging (UAL)
- Understand your organization’s cloud baseline
For further guidance, check out the official CISA advice here.