Heimdal

Microsoft has revealed that a China-based threat actor accessed the email accounts of a number of government organizations. The breach was reportedly detected only weeks after the activity began.

According to Microsoft, the actor, tracked as Storm-0558, gained access to email accounts linked to around 25 organizations. These include government agencies as well as personal accounts of individuals associated with those organizations.

We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection.

Charlie Bell – Executive Vice President, Microsoft (source: Microsoft)

What Do We Know About The Attack?

Microsoft's investigation determined that Storm-0558 accessed customer mailboxes through Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens. The tokens were signed with a Microsoft account (MSA) consumer signing key the actor had acquired, which let them present what looked like valid tokens to the mail services. The targeted government agencies were located in the US and Western Europe.

Storm-0558 primarily targets government agencies and engages in cyberespionage, data theft, and credential access attacks.

Microsoft says it has mitigated the issue for all customers and has added automated detections for the known indicators of compromise related to this attack. The containment steps were:

  • Blocking the use of tokens signed with the acquired MSA key in OWA, which stopped the actor's further access to enterprise mail.
  • Replacing the key, so the actor can no longer use it to forge tokens.
  • Blocking the use of tokens issued with the key for all affected consumer customers.
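As an added illustration, not code from Heimdal or Microsoft: the Python below models the two things the account above turns on. First, a relying party (here a mail front end) validating signed tokens, where a valid signature alone is not enough: the key must not be revoked and must belong to the issuer named in the token. Second, the containment steps of blocking tokens signed with a compromised key and then replacing the key. Key IDs, issuer URLs, secrets, subjects and the audience name are all constructed for the example, and HMAC stands in for the asymmetric keys a real identity provider publishes. The key-to-issuer binding check is a general defensive measure and not a description of Microsoft's own token validation.

```python
import base64
import hashlib
import hmac
import json
import time
from copy import deepcopy


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key registry: hypothetical kids, issuers and secrets. HMAC stands in for
# the RSA/EC keys a real identity provider publishes so the example runs offline.
# Each key is bound to the issuer(s) it may sign for, so a consumer key is never
# trusted for enterprise tokens even when its signature verifies.
KEY_REGISTRY = {
    "consumer-key-1": {"secret": b"consumer-signing-secret",
                       "issuers": {"https://consumer-idp.example"}, "revoked": False},
    "enterprise-key-1": {"secret": b"enterprise-signing-secret",
                         "issuers": {"https://enterprise-idp.example/contoso"}, "revoked": False},
}
AUDIENCE = "mail-frontend"  # hypothetical relying party (an OWA-style mail front end)


def sign_token(claims: dict, kid: str, registry: dict) -> str:
    """Mint an HS256 JWT under the given kid. This also models an attacker holding a
    stolen signing key: signing succeeds for whatever claims they choose."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(registry[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, registry: dict, now=None):
    """Relying-party validation: signature, key revocation, key-to-issuer binding,
    audience and expiry. Returns (accepted, reason, claims)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token", {}
    if header.get("alg") != "HS256":  # never honour alg=none or a downgraded alg
        return False, "unexpected alg", {}
    key = registry.get(header.get("kid"))
    if key is None:
        return False, "unknown kid", {}
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", {}
    # A valid signature is not enough: once a key is known to be in an attacker's
    # hands, everything it signs must be blocked even though it still verifies.
    if key["revoked"]:
        return False, "key revoked", {}
    # The key must belong to the token's issuer. A consumer key signing claims for
    # an enterprise issuer fails here regardless of the signature.
    if claims.get("iss") not in key["issuers"]:
        return False, "key not trusted for issuer", {}
    if claims.get("aud") != AUDIENCE:
        return False, "wrong audience", {}
    if claims.get("exp", 0) <= now:
        return False, "expired", {}
    return True, "ok", claims


def revoke_key(registry: dict, kid: str) -> None:
    """Containment step 1: block tokens signed with the acquired key."""
    registry[kid]["revoked"] = True


def rotate_key(registry: dict, old_kid: str, new_kid: str, new_secret: bytes) -> None:
    """Containment step 2: replace the key. The old kid stays as a revoked entry so
    tokens still referencing it are rejected explicitly, not merely as 'unknown kid'."""
    registry[new_kid] = {"secret": new_secret,
                         "issuers": set(registry[old_kid]["issuers"]), "revoked": False}
    revoke_key(registry, old_kid)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk through forgery, blocking and rotation; returns each step's verdict."""
    registry = deepcopy(KEY_REGISTRY)
    enterprise = {"iss": "https://enterprise-idp.example/contoso", "aud": AUDIENCE,
                  "sub": "alice@contoso.example", "exp": now + 3600}
    consumer = {"iss": "https://consumer-idp.example", "aud": AUDIENCE,
                "sub": "bob@consumer.example", "exp": now + 3600}
    out = {}
    out["legit_enterprise"] = verify_token(sign_token(enterprise, "enterprise-key-1", registry), registry, now)[:2]
    # Forgery: the attacker holds the consumer key and signs enterprise claims with it.
    forged = sign_token(enterprise, "consumer-key-1", registry)
    out["forged_with_consumer_key"] = verify_token(forged, registry, now)[:2]
    revoke_key(registry, "consumer-key-1")
    out["consumer_after_revoke"] = verify_token(sign_token(consumer, "consumer-key-1", registry), registry, now)[:2]
    rotate_key(registry, "consumer-key-1", "consumer-key-2", b"fresh-consumer-secret")
    out["consumer_after_rotate"] = verify_token(sign_token(consumer, "consumer-key-2", registry), registry, now)[:2]
    out["forged_after_rotate"] = verify_token(forged, registry, now)[:2]
    return out


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:26} -> {verdict}")
```

Running the script walks through the scenario: a forged enterprise token signed with the consumer key is rejected by the issuer-binding check even before revocation, legitimate consumer tokens stop validating the moment the key is revoked, and after rotation only the new key is accepted while anything still signed with the old key is rejected as revoked rather than silently treated as an unknown key.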

The Federal Bureau of Investigation is investigating the incident. The number of affected email accounts is believed to be limited, and accounts at the Pentagon, in the intelligence community, and in the military are reported to be unaffected.

This is not the first time Microsoft's products and services have been targeted. In June, Microsoft reported an attack on organizations attending the NATO Summit in Vilnius. The US Cybersecurity and Infrastructure Security Agency (CISA) recently added five vulnerabilities to its Known Exploited Vulnerabilities catalog, four of which affect Microsoft products.


Author Profile

Adelina Deaconu

CONTENT EDITOR


With over three years as a SOC Team Lead in the Heimdal MXDR department, Adelina shares her knowledge through her writing. Her articles cover emerging trends, best practices, and effective strategies for combating cyber threats.
