Microsoft Exchange Breach (I lost the keys to the Kingdom and the crown jewels)


Userlevel 7
Badge +7

As it is Friday and almost time for the weekend, here is something that is a really good read from CISA regarding the breach by the malicious actor STORM-0558.

This report stems from the Exchange Online breach that occurred during Summer 2023.

What happened?

A malicious actor, known as STORM-0558, managed to get hold of a Microsoft Services Account (MSA) cryptographic key. This was then used by the malicious actor to compromise Microsoft Exchange Online mailboxes by using authentication tokens.

This allowed the threat actor to access mailboxes of high-profile individuals without any indication they were breached. Microsoft was not aware they had lost control of this key until they were notified by one of the affected organisations, the US State Department, which had 60000 emails exfiltrated. 

From the CISA

Currently, standard Microsoft 365 licenses do not come with additional logging capabilities. Without these additional logging capabilities, it can be difficult to carry out forensic investigations into intrusions and potential intrusions. 

To quote from the report:

“Victims found it difficult to investigate these intrusions after initial detection because Microsoft could not, or in some cases did not, provide victim organizations with holistic visibility into all necessary data. Although Microsoft activated enhanced logging for identified victims who did not have the appropriate license, Microsoft could not give historical logs to customers unless they already had the premium licenses at the time of the intrusion. Thus, customers could capture data from the time that Microsoft enabled additional logging capabilities but were unable to view past intrusion activity.”

Key Takeaways

  • According to the report, Microsoft still does not know how they lost control of the signing key.
  • Current logging on the standard licences is not adequate for logging purposes and investigations.
  • Enable ‘MailItemsAccessed’ logging if you have not already done so.
  • Keep an eye on the logs and set up custom alerts.

Even if your environment is as secure as possible, if the provider is breached, potentially everyone is affected.

I highly recommend reading the report as it goes quite in depth. 
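As an added example (not part of the original post, and not Microsoft's or CISA's code), the PowerShell below follows the last two takeaways: it assumes the ExchangeOnlineManagement module, an Exchange administrator account (the UPN is a placeholder) and a tenant licensed for the MailItemsAccessed event; it finds mailboxes whose audit set lacks MailItemsAccessed, adds it, then pulls a day of those events and groups them by user and client IP as a starting point for a custom alert.

```powershell
# Added example: requires the ExchangeOnlineManagement module and an
# Exchange admin role. The UPN below is a placeholder, not a real account.
Connect-ExchangeOnline -UserPrincipalName admin@example.onmicrosoft.com

# 1. Confirm mailbox auditing is not disabled tenant-wide (AuditDisabled should be False)
Get-OrganizationConfig | Select-Object AuditDisabled

# 2. Find user mailboxes where auditing is off or the owner audit set lacks MailItemsAccessed
$missing = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled -or ($_.AuditOwner -notcontains 'MailItemsAccessed') }
$missing | Select-Object UserPrincipalName, AuditEnabled, AuditOwner

# 3. Turn auditing on and add MailItemsAccessed for owner and delegate access
foreach ($mbx in $missing) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true `
        -AuditOwner @{Add = 'MailItemsAccessed'} `
        -AuditDelegate @{Add = 'MailItemsAccessed'}
}

# 4. Pull the last 24 hours of MailItemsAccessed records from the unified audit log
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -Operations MailItemsAccessed -ResultSize 5000

# 5. AuditData is a JSON string; expand it and summarise by user and client IP.
#    A mailbox being read from an address the user never signs in from is the
#    kind of signal to feed into a custom alert rather than review by hand.
$records |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object UserId, ClientIPAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Step 4 only returns events recorded after MailItemsAccessed was enabled for a mailbox, which is exactly the gap the CISA quote above describes.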

3 comments

Userlevel 7
Badge +20

Very interesting read for sure Dips.  Thanks for sharing it.  Good Friday reading. 😁

Userlevel 7
Badge +7

Welcome, have a good weekend!

Userlevel 7
Badge +9

Thanks for sharing @dips

I also read about a key theft that made it possible to generate new access keys.
Pretty embarrassing to provide an online cloud service and not have it available to track intrusions or data for forensic analysis.
