Microsoft’s Resolution to Online Exchange Crisis: Enhanced Logs for All!

Last week it emerged that Chinese attackers had gained access to the Exchange Online accounts of several government agencies. Remarkably, Microsoft did not notice the intrusion itself; it was a customer who spotted unusual activity in its mailboxes. That customer could only do so because it had licensed the "premium" log data for which Microsoft charges extra. Microsoft has now announced that it will end this practice and give all Microsoft 365 customers access to this log data at no extra charge, starting in September.

Over the coming months, the log of accesses to mailboxes will become part of the standard Microsoft Purview Audit package; until now it was available only in the paid Purview Audit (Premium) tier. The change was not entirely voluntary. Microsoft and CISA, the US Cybersecurity and Infrastructure Security Agency, present it as a joint achievement, but it is clear that pressure from the US authorities played a role. Notably, European security authorities have remained silent on the matter, even though, according to Microsoft, governments in Western Europe made up the majority of the victims.

The attack by the Chinese group, which Microsoft tracks as "Storm-0558", exposed a series of embarrassing security problems in Microsoft's cloud flagship, Microsoft 365. The attackers obtained a Microsoft signing key, which allowed them to forge access tokens and read victims' mail in Exchange Online through scripted API access. Microsoft still does not know how the signing key was stolen, but says it will keep such keys in a better secured key store in the future.

Equally embarrassing: the key should never have yielded a valid access token for these accounts at all, because it was a signing key for consumer Microsoft accounts, not for business accounts. That tokens signed with it were accepted anyway, which Microsoft calls a "validation issue", is a failure at the core of authentication: checking that a token's signature comes from a key that is actually authorised to sign for that kind of account.
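The following is an added illustration, not Microsoft's code and not a description of its internals: it contrasts a token validator that resolves the header's key ID against every key the platform knows with one that only consults the key set bound to the expected issuer. Issuer and audience strings, key IDs and the use of HMAC secrets in place of published public keys are assumptions made so the example runs with the standard library alone; the structural point is that a genuine signature by the wrong key set must not be accepted.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed key material (hypothetical): one signing-key set per issuer.
# A real identity platform publishes RSA/EC public keys (JWKS); HMAC secrets
# stand in here so the example needs only the standard library.
CONSUMER_ISSUER = "https://login.live.com"                      # hypothetical
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/tenant"  # hypothetical
EXCHANGE_AUDIENCE = "https://outlook.office.com"                # hypothetical

CONSUMER_KEYS: Dict[str, bytes] = {"msa-kid-1": b"consumer-signing-secret"}
ENTERPRISE_KEYS: Dict[str, bytes] = {"aad-kid-1": b"enterprise-signing-secret"}
ISSUER_KEYS = {CONSUMER_ISSUER: CONSUMER_KEYS, ENTERPRISE_ISSUER: ENTERPRISE_KEYS}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature(token: str, keys: Dict[str, bytes]) -> Optional[dict]:
    """Verify the signature with whichever key in `keys` matches the header kid."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
        sig = _unb64url(s)
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    key = keys.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_unb64url(p))


def validate_flawed(token: str, audience: str) -> Optional[dict]:
    """Flawed validator: resolves the kid against the union of all key sets, so a
    genuine signature by the consumer key passes for an enterprise audience."""
    all_keys: Dict[str, bytes] = {}
    for key_set in ISSUER_KEYS.values():
        all_keys.update(key_set)
    claims = _verify_signature(token, all_keys)
    if claims and claims.get("aud") == audience and claims.get("exp", 0) > time.time():
        return claims
    return None


def validate_hardened(token: str, issuer: str, audience: str) -> Optional[dict]:
    """Hardened validator: only the key set bound to the expected issuer may verify
    the signature, and the iss claim must name that issuer as well."""
    claims = _verify_signature(token, ISSUER_KEYS.get(issuer, {}))
    if (claims and claims.get("iss") == issuer and claims.get("aud") == audience
            and claims.get("exp", 0) > time.time()):
        return claims
    return None


def forge_token_with_consumer_key(subject: str, ttl: int = 600) -> str:
    """What an attacker holding the consumer key can mint: enterprise-looking claims,
    consumer-key signature."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": EXCHANGE_AUDIENCE, "sub": subject, "exp": time.time() + ttl}
    return sign_token(claims, "msa-kid-1", CONSUMER_KEYS["msa-kid-1"])


def issue_enterprise_token(subject: str, ttl: int = 600) -> str:
    """A legitimately issued enterprise token for comparison."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": EXCHANGE_AUDIENCE, "sub": subject, "exp": time.time() + ttl}
    return sign_token(claims, "aad-kid-1", ENTERPRISE_KEYS["aad-kid-1"])


if __name__ == "__main__":
    forged = forge_token_with_consumer_key("victim@example.gov")
    print("flawed accepts forged token:  ", validate_flawed(forged, EXCHANGE_AUDIENCE) is not None)
    print("hardened accepts forged token:", validate_hardened(forged, ENTERPRISE_ISSUER, EXCHANGE_AUDIENCE) is not None)
```

The forged token is cryptographically valid; what stops it in the hardened path is that the key lookup never sees the consumer key set for an enterprise issuer, and the same separation applies when the key sets are real JWKS documents fetched per issuer.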

Microsoft also failed to notice the attack itself. It was a civilian US federal agency that, using separately licensed premium log data, spotted suspicious activity in its Microsoft 365 cloud environment and reported it to Microsoft and to CISA. Only then were the steps taken that locked the attackers out. Microsoft now says it will improve its monitoring and alerting for key-related activity.

If you want to know whether your own organisation was affected, you can take Microsoft at its word that all affected customers have been notified. Alternatively, the joint CISA/FBI Cybersecurity Advisory "Enhanced Monitoring to Detect APT Activity Targeting Outlook Online" (AA23-193A) describes how to search your own logs for traces.
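As an added example of the kind of hunt the advisory points at, and not code from the advisory or from Microsoft: the script below runs two checks over mailbox-access audit records, the record type behind the "premium log data" mentioned above. The sample records are constructed for the example and shaped like exported MailItemsAccessed entries; the application IDs, addresses and the baseline of known apps are hypothetical, and in practice the baseline would be built from the tenant's own history before the incident window.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample audit records (not real tenant data), shaped like the
# Exchange mailbox audit entries the unified audit log emits for
# Operation "MailItemsAccessed". App IDs and addresses are hypothetical.
SAMPLE_AUDIT_JSON = """
[
 {"CreationTime":"2023-06-15T08:01:12","Operation":"MailItemsAccessed","UserId":"alice@example.gov",
  "AppId":"11111111-1111-1111-1111-111111111111","ClientAppId":"Client=OWA",
  "ClientIPAddress":"203.0.113.5","MailAccessType":"Bind","OperationCount":4},
 {"CreationTime":"2023-06-15T08:03:40","Operation":"MailItemsAccessed","UserId":"bob@example.gov",
  "AppId":"11111111-1111-1111-1111-111111111111","ClientAppId":"Client=OWA",
  "ClientIPAddress":"203.0.113.7","MailAccessType":"Sync","OperationCount":1},
 {"CreationTime":"2023-06-15T02:14:09","Operation":"MailItemsAccessed","UserId":"alice@example.gov",
  "AppId":"99999999-9999-9999-9999-999999999999","ClientAppId":"Client=REST",
  "ClientIPAddress":"198.51.100.23","MailAccessType":"Bind","OperationCount":120},
 {"CreationTime":"2023-06-15T02:15:31","Operation":"MailItemsAccessed","UserId":"bob@example.gov",
  "AppId":"99999999-9999-9999-9999-999999999999","ClientAppId":"Client=REST",
  "ClientIPAddress":"198.51.100.23","MailAccessType":"Bind","OperationCount":87},
 {"CreationTime":"2023-06-15T02:16:02","Operation":"MailItemsAccessed","UserId":"carol@example.gov",
  "AppId":"99999999-9999-9999-9999-999999999999","ClientAppId":"Client=REST",
  "ClientIPAddress":"198.51.100.23","MailAccessType":"Bind","OperationCount":95},
 {"CreationTime":"2023-06-15T09:00:00","Operation":"Set-Mailbox","UserId":"admin@example.gov",
  "AppId":"11111111-1111-1111-1111-111111111111","ClientIPAddress":"203.0.113.9"}
]
"""

# Baseline of application IDs that normally read mail in this tenant
# (hypothetical value; derive it from pre-incident history in a real hunt).
KNOWN_APP_IDS: Set[str] = {"11111111-1111-1111-1111-111111111111"}


def load_records(raw: str) -> List[Dict]:
    """Parse an exported JSON array of audit records."""
    return json.loads(raw)


def detect_suspicious_mail_access(records: Iterable[Dict], known_app_ids: Set[str],
                                  mailbox_threshold: int = 3) -> List[Dict]:
    """Return findings for MailItemsAccessed events that (a) come from an AppId
    outside the baseline, or (b) show one AppId/source address reading at least
    `mailbox_threshold` distinct mailboxes, the mass-collection pattern."""
    findings: List[Dict] = []
    mailboxes_per_source = defaultdict(set)
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue  # other mailbox operations are out of scope for this hunt
        app = r.get("AppId", "")
        src = r.get("ClientIPAddress", "")
        mailboxes_per_source[(app, src)].add(r.get("UserId"))
        if app not in known_app_ids:
            findings.append({
                "reason": "unknown_appid", "AppId": app, "UserId": r.get("UserId"),
                "ClientAppId": r.get("ClientAppId"), "ClientIPAddress": src,
                "CreationTime": r.get("CreationTime"),
            })
    for (app, src), users in mailboxes_per_source.items():
        if len(users) >= mailbox_threshold:
            findings.append({
                "reason": "many_mailboxes_one_source", "AppId": app,
                "ClientIPAddress": src, "mailboxes": sorted(users),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_suspicious_mail_access(load_records(SAMPLE_AUDIT_JSON), KNOWN_APP_IDS):
        print(json.dumps(finding))
```

In a live tenant the input would be the AuditData field of records returned by Search-UnifiedAuditLog filtered to the MailItemsAccessed operation; those records only exist if mailbox auditing for that operation is enabled, which is the very logging whose pricing the article discusses.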

In short, Microsoft's handling of the Chinese attack on its cloud flagship exposed serious security weaknesses. The company has announced changes to address them and to improve monitoring and alerting. The fact that it did not detect the attack itself, however, raises questions about its ability to protect sensitive data.