Cyber Security Threat Summary:
“Microsoft has mitigated an attack by a China-based threat actor Microsoft tracks as Storm-0558 which targeted customer emails. Storm-0558 primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access” (Microsoft, 2023).

Microsoft began receiving customer reports on June 16, 2023. Over a few weeks of investigating anomalous mail activity, Microsoft found that since May 15, 2023, Storm-0558 had gained access to email account of approximately 25 organizations including government agencies and the consumer accounts of individuals likely associated with these organizations.

Microsoft is partnering with DHS CISA and others to protect affected customers and address the issue. They continue to investigate and monitor the Storm-0558 activity.

Security Officer Comments:
The threat actors used forged authentication tokens to access user email accounts, specifically, they acquired a Microsoft (MSA) consumer signing key. Microsoft says they have contact all targeted and compromised organizations directly and will continue to help them with investigation and response activities.

“Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email. The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key” (Microsoft, 2023).

Suggested Correction(s):
No customer action is required, Microsoft has mitigated the acquired MSA key and our telemetry indicates the actor activities have been blocked. They took the following proactive steps as our investigation proceeded:

• Microsoft blocked the usage of tokens signed with the acquired MSA key in OWA preventing further threat actor enterprise mail activity.
• Microsoft completed the replacement of the key to prevent the threat actor from using it to forge tokens.
• Microsoft blocked usage of tokens issued with the key for all impacted consumer customers.

Microsoft says they have continuously improved the security of the MSA key management systems since the acquired MSA key was issued, as part of defense in depth, to ensure the safety and security of consumer keys.

Link(s):
https://msrc.microsoft.com/