Microsoft recently announced that it successfully mitigated an attack orchestrated by a China-based threat actor known as Storm-0558. This malicious actor primarily focuses on government agencies in Western Europe and engages in espionage, data theft, and credential access. The attack specifically targeted customer emails, leading Microsoft to launch an investigation into the anomalous mail activity reported by customers. After several weeks of investigation, Microsoft identified the attack vector and implemented measures to safeguard customer accounts. This article provides an overview of the attack, Microsoft’s response, and the steps taken to protect affected customers.
The Attack: On June 16, 2023, Microsoft initiated an investigation following reports of suspicious mail activity from its customers. The subsequent inquiry revealed that Storm-0558 had gained unauthorized access to email accounts, impacting approximately 25 organizations, including government agencies. The threat actor accomplished this by using forged authentication tokens and exploiting a token validation issue in Outlook Web Access (OWA) in Exchange Online and in Outlook.com. By impersonating Azure AD users, Storm-0558 successfully infiltrated enterprise mail systems.
Microsoft’s Response: Upon discovering the attack, Microsoft promptly commenced mitigation efforts to safeguard its customers’ email accounts. Leveraging telemetry data, Microsoft was able to block Storm-0558 from accessing customer emails using the forged authentication tokens. This proactive response ensured that no further customer action was required. In addition, Microsoft reached out to all targeted or compromised organizations directly via their tenant admins, providing them with crucial information to aid in their investigations and response efforts.
Mitigation Measures: To neutralize the threat and prevent future attacks of a similar nature, Microsoft undertook the following proactive steps:
- Blocking of Forged Authentication Tokens: Microsoft immediately blocked the use of tokens signed with the acquired Microsoft account (MSA) key in Outlook Web Access, cutting off the threat actor's continued access to enterprise mail.
- Key Replacement: As part of its response, Microsoft replaced the compromised MSA key to prevent Storm-0558 from leveraging it to forge tokens and gain unauthorized access to customer email accounts.
- Protection of Consumer Customers: Microsoft also took measures to block the usage of tokens issued with the acquired MSA key for all impacted consumer customers, ensuring the security of their accounts.
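The attack described above turned on a token validation issue that let tokens signed with a consumer (MSA) key pass as enterprise (Azure AD) tokens, and the first mitigation was to stop accepting tokens signed with that key. The following is an added illustration, not Microsoft's code, of the check a token verifier needs to make that class of forgery fail: the signing key named in the token header is looked up only in the key set of the issuer the verifier expects, so a key from another issuer's key set cannot vouch for the token even if the signature itself is cryptographically valid. Key sets, issuer URLs, key ids and secrets are constructed placeholders, and HS256 stands in for the asymmetric signatures real identity providers use.

```python
import base64, hashlib, hmac, json, time

# Constructed key sets, one per issuer, as a verifier would hold them.
# Secrets and key ids are placeholders; real providers publish public keys per issuer.
KEYSETS = {
    "https://login.example/consumer": {"msa-key-1": b"consumer-secret"},
    "https://login.example/enterprise": {"aad-key-1": b"enterprise-secret"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(kid: str, key: bytes, claims: dict) -> str:
    """Build an HS256 token; used here only to construct inputs for the verifier."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate(token: str, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError.
    The key lookup is scoped to the expected issuer's key set: a kid that only
    exists in another issuer's set is rejected before the signature is checked."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header, claims = json.loads(_unb64url(h)), json.loads(_unb64url(b))
    except ValueError:  # covers binascii.Error and JSONDecodeError as well
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = KEYSETS[expected_iss].get(header.get("kid"))
    if key is None:
        raise ValueError("kid not in expected issuer's key set")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        raise ValueError("issuer or audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims
```

A token minted with the consumer key but carrying the enterprise issuer claim fails at the key lookup, which is the failure the page's incident required and which a verifier that resolves kid across all known keys would miss.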
Collaborative Efforts: Recognizing the severity of the attack and its potential impact on customers, Microsoft has partnered with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) and other relevant entities to protect affected customers and address the issue. This collaborative approach enhances the effectiveness of the mitigation efforts and strengthens overall cybersecurity resilience.