Microsoft published a report called “Analysis of Storm-0558 techniques for unauthorized email access.” The report revealed a cyberattack on approximately 25 organizations, including government agencies and consumer accounts in the public cloud. Although only 25 organizations were attacked, it could have affected many individuals as some government bodies employ a large number of people.
The attack exploited two security flaws in Microsoft’s back-end operations, which the company could fix internally without requiring client-side software updates. The attack used unauthorized access to victims’ Exchange data via Outlook Web Access (OWA) using illicitly acquired authentication tokens.
The attackers managed to use fraudulent email interactions to sneak into the victims’ systems, indicating they had compromised the process of creating authentication tokens. They were able to generate fake authentication tokens that passed Microsoft’s security checks, leading to unauthorized access.
Microsoft’s threat hunters identified the attack’s nature and concluded that the affected customers’ list is exhaustive. They have taken measures within their cloud service to address the issues and disown stolen signing keys.
For those not contacted by Microsoft, it is likely they were not affected. However, those involved in IT should remember the importance of applied cryptography, security segmentation, and thorough threat hunting to ensure comprehensive cybersecurity.