ATP Groups Attacking Outlook, the popular email service offered by Microsoft, recently faced a significant cybersecurity threat from a China-based Advanced Persistent Threat (APT) actor. This malicious group gained unauthorized access to Microsoft 365 cloud environments and exfiltrated unclassified Exchange Online Outlook data from a limited number of accounts. In response to this attack, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cyber Security Advisory to assist organizations in mitigating the risks associated with this incident.
In June 2023, a Federal Civilian Executive Branch (FCEB) agency detected suspicious activity within their Microsoft 365 (M365) cloud environment. This agency promptly reported the incident to Microsoft and CISA. Subsequently, Microsoft identified the threat as an APT attack carried out by a China-based hacking group known as Storm-0558. This article aims to provide a comprehensive overview of the attack and highlight essential measures organizations can take to protect their Outlook and Exchange Online environments.
Table of Contents
APT Access Outlook Online
Storm-0558, the APT group responsible for the attack, gained access to the cloud-based Outlook Web Access in Exchange Online (OWA) and Outlook.com email services. Over the course of nearly a month, starting in May 2023, they infiltrated unclassified email accounts. By utilizing forged authentication tokens from a Microsoft account signing key, the attackers were able to bypass security measures and access sensitive email data. Approximately 25 organizations fell victim to this targeted attack, including the FCEB agency.
Discovery of the Attack
The FCEB agency became aware of the attack through MailItemsAccessed events recorded in the M365 Audit Logs. These events are generated whenever licensed users access items within Exchange Online mailboxes using any connectivity protocol and client. Alarming to the agency was the presence of an unexpected ClientAppID and AppID in the audit logs, indicating unauthorized access. Recognizing the severity of the situation, the agency promptly reported the suspicious activity to Microsoft and CISA.
Forged Authentication Tokens
To gain unauthorized access to Outlook Online, Storm-0558 employed forged authentication tokens created from a compromised Microsoft account signing key. By utilizing these tokens, the attackers bypassed security measures and gained entry into email accounts within the targeted organizations. Upon discovering the breach, Microsoft acted swiftly by blocking the issued tokens and replacing the compromised key to prevent further misuse.
Impact on Organizations
While the exact extent of the impact varies across organizations, it is crucial for all entities to assess the potential damage caused by the APT attack. By accessing unclassified Exchange Online Outlook data, the attackers could have obtained sensitive information, compromising confidentiality and potentially breaching privacy regulations. It is vital for affected organizations to perform thorough investigations to determine the scope of the attack and assess the potential risks to their infrastructure and stakeholders.
Also Read this: HACKERS USE WORMGPT 2023
The Importance of Audit Logging
FBI and CISA strongly recommend that critical infrastructure organizations enable audit logging to detect and mitigate malicious activity effectively. To comply with the Office of Management and Budget (OMB) M-21-31 guidelines, Microsoft audit logs should be retained for a minimum of twelve months in active storage, with an additional eighteen months in cold storage. Organizations can achieve this either by offloading logs from the cloud environment or natively through Microsoft by implementing an audit log retention policy.
Compliance with OMB M-21-31
Organizations affected by the APT attack should ensure compliance with OMB M-21-31 to preserve essential audit logs for an extended duration. This measure allows for comprehensive forensic analysis and investigation of potential threats. Compliance requires organizations to either offload logs from the cloud environment or utilize Microsoft’s audit log retention policies, which allow for the necessary data to be stored and accessed when needed.
Enable Purview Audit Logging
To enhance threat detection and incident response capabilities, it is recommended that organizations enable Purview Audit (Premium) logging. This advanced feature requires licensing at the G5/E5 level and provides comprehensive visibility into user activity, aiding in the identification of potential threats. By enabling Purview Audit logging, organizations can proactively monitor their environments and swiftly respond to any suspicious activity.
Proactive Threat Hunting
Organizations are encouraged to adopt a proactive approach to threat hunting by continuously monitoring and analyzing logs for any anomalous patterns or outliers. By establishing baseline patterns and understanding normal traffic, security teams can quickly identify abnormal behavior and potential threats. Implementing robust threat hunting practices will allow organizations to stay one step ahead of attackers and respond effectively to mitigate any risks posed by APT groups.
The recent APT attack targeting Outlook and Exchange Online highlights the ever-present cybersecurity risks organizations face in today’s interconnected world. By remaining vigilant and implementing the recommended measures, organizations can enhance their security posture and protect their valuable data and resources. It is crucial for organizations to enable audit logging, comply with regulatory guidelines, and leverage advanced logging capabilities to proactively detect and respond to potential threats.
How did the APT group gain access to Outlook Online?
The APT group utilized forged authentication tokens created from a compromised Microsoft account signing key to bypass security measures and gain unauthorized access to Outlook Online.
How many organizations were affected by the attack?
Approximately 25 organizations, including a Federal Civilian Executive Branch agency, fell victim to this targeted APT attack.
What actions did Microsoft take to mitigate the attack?
Microsoft promptly blocked the issued tokens and replaced the compromised key to prevent further misuse.
What are the recommendations from FBI and CISA?
FBI and CISA strongly recommend enabling audit logging, complying with OMB M-21-31 guidelines, and implementing Purview Audit (Premium) logging for enhanced threat detection.
How can organizations proactively hunt for threats?
Organizations should establish baseline patterns, monitor logs for abnormal activity, and leverage advanced threat hunting techniques to detect and respond to potential threats effectively.