A China-based APT actor accessed a Microsoft 365 cloud environment and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts.
In June 2023, a Federal Civilian Executive Branch (FCEB) agency observed suspicious activity in their Microsoft 365 (M365) cloud environment and reported the activity to Microsoft and CISA.
CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory to give organizations guidance on detecting this kind of activity and on improving monitoring of their Exchange Online environments.
APT Access to Outlook Online:
Microsoft announced that it had mitigated an attack by a China-based actor it tracks as Storm-0558 against the Outlook and Exchange Online email accounts of its customers.
Storm-0558, assessed to be a Chinese espionage actor, accessed cloud-based Outlook Web Access in Exchange Online (OWA) and the Outlook(.)com unclassified email service for nearly a month, beginning in mid-May 2023.
The actor used an acquired Microsoft account (MSA) signing key to forge authentication tokens that Exchange Online accepted, and approximately 25 organizations, including government agencies, were affected by this targeted attack.
The FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in its M365 Unified Audit Log.
The MailItemsAccessed event is generated when items in a licensed user's Exchange Online mailbox are accessed by any client over any connectivity protocol; the record carries the AppId and ClientAppId of the accessing application, which is what makes it useful for spotting access by an application that does not belong in the environment.
The agency reported the activity to Microsoft and CISA because the observed AppId did not routinely access mailbox items in its environment.
Microsoft blocked tokens issued with the acquired key and then replaced the key to prevent continued misuse.
FBI and CISA strongly recommend that critical infrastructure organizations enable audit logging so that malicious activity of this kind can be detected.
The Office of Management and Budget (OMB) M-21-31 requires Microsoft audit logs to be retained for at least twelve months in active storage and an additional eighteen months in cold storage.
This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy.
Enable Purview Audit (Premium) logging, which at the time of the advisory required licensing at the G5/E5 level; without it, the MailItemsAccessed event that exposed this activity is not recorded, so a tenant on lower licensing would have had nothing to find.
Ensure logs are searchable by operators so they can hunt for threat activity rather than only retain it.
Organizations are encouraged to establish a baseline of which applications normally access mailboxes in their environment and to look for outliers, since this intrusion was caught only because the observed AppId was unusual for that tenant.
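The hunt described above (a baseline of which applications touch which mailboxes, then flagging MailItemsAccessed records from an application never seen for that mailbox and not on a tenant allowlist) as an added example. This is illustration code written for this page, not code from CISA, FBI or Microsoft. It assumes Unified Audit Log AuditData records exported one JSON object per line; the sample records and the application GUIDs in them are constructed placeholders, not real application IDs.

```python
"""Baseline-and-outlier hunt over Exchange Online MailItemsAccessed audit records.

Added example, not from the CISA/FBI advisory. Records are constructed to mimic
the AuditData JSON shape of Unified Audit Log rows; GUIDs are placeholders.
"""
import json
from collections import defaultdict

# Placeholder application IDs (assumption: invented for this example).
OUTLOOK_APP = "11111111-1111-1111-1111-111111111111"
MOBILE_APP = "22222222-2222-2222-2222-222222222222"
UNKNOWN_APP = "99999999-9999-9999-9999-999999999999"

# Constructed baseline-window records (one JSON object per line).
BASELINE_LINES = """
{"CreationTime":"2023-04-03T08:02:11","Operation":"MailItemsAccessed","UserId":"alice@agency.example","AppId":"11111111-1111-1111-1111-111111111111","ClientAppId":"11111111-1111-1111-1111-111111111111","MailAccessType":"Bind","OperationCount":12,"ClientInfoString":"Client=REST;Client=RESTSystem;;"}
{"CreationTime":"2023-04-03T09:15:40","Operation":"MailItemsAccessed","UserId":"Alice@agency.example","AppId":"22222222-2222-2222-2222-222222222222","ClientAppId":"22222222-2222-2222-2222-222222222222","MailAccessType":"Sync","OperationCount":40,"ClientInfoString":"Client=OutlookService;Outlook-iOS/2.0"}
{"CreationTime":"2023-04-04T07:58:02","Operation":"MailItemsAccessed","UserId":"bob@agency.example","AppId":"11111111-1111-1111-1111-111111111111","ClientAppId":"11111111-1111-1111-1111-111111111111","MailAccessType":"Bind","OperationCount":7,"ClientInfoString":"Client=REST;Client=RESTSystem;;"}
{"CreationTime":"2023-04-05T10:21:19","Operation":"Send","UserId":"bob@agency.example","ClientInfoString":"Client=OWA;Action=ViaProxy"}
{"CreationTime":"2023-04-06T08:01:55","Operation":"MailItemsAccessed","UserId":"bob@agency.example","AppId":"11111111-1111-1111-1111-111111111111","ClientAppId":"11111111-1111-1111-1111-111111111111","MailAccessType":"Bind","OperationCount":3,"ClientInfoString":"Client=REST;Client=RESTSystem;;"}
"""

# Constructed hunt-window records: one normal, one from an allowed app that bob
# had not used before, and one from an application nobody in the tenant uses.
HUNT_LINES = """
{"CreationTime":"2023-05-16T08:04:30","Operation":"MailItemsAccessed","UserId":"alice@agency.example","AppId":"11111111-1111-1111-1111-111111111111","ClientAppId":"11111111-1111-1111-1111-111111111111","MailAccessType":"Bind","OperationCount":9,"ClientInfoString":"Client=REST;Client=RESTSystem;;"}
{"CreationTime":"2023-05-16T02:13:07","Operation":"MailItemsAccessed","UserId":"bob@agency.example","AppId":"99999999-9999-9999-9999-999999999999","ClientAppId":"99999999-9999-9999-9999-999999999999","MailAccessType":"Bind","OperationCount":250,"ClientInfoString":"Client=REST;Client=RESTSystem;;"}
{"CreationTime":"2023-05-16T12:40:00","Operation":"MailItemsAccessed","UserId":"bob@agency.example","AppId":"22222222-2222-2222-2222-222222222222","ClientAppId":"22222222-2222-2222-2222-222222222222","MailAccessType":"Sync","OperationCount":5,"ClientInfoString":"Client=OutlookService;Outlook-iOS/2.0"}
"""


def parse_records(text):
    """Parse newline-delimited AuditData JSON, keeping only MailItemsAccessed rows."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") == "MailItemsAccessed":
            records.append(rec)
    return records


def app_pair(rec):
    """(AppId, ClientAppId) identifies the application that bound or synced the mailbox."""
    return (rec.get("AppId"), rec.get("ClientAppId"))


def build_baseline(records):
    """Per-mailbox set of application pairs seen during the baseline window."""
    baseline = defaultdict(set)
    for rec in records:
        baseline[rec["UserId"].lower()].add(app_pair(rec))
    return dict(baseline)


def mailboxes_per_app(records):
    """Tenant-wide view: how many distinct mailboxes each application pair touched."""
    users = defaultdict(set)
    for rec in records:
        users[app_pair(rec)].add(rec["UserId"].lower())
    return {pair: len(u) for pair, u in users.items()}


def find_outliers(baseline, records, allowed_app_ids):
    """Records whose app was never seen for that mailbox and whose AppId is not tenant-approved."""
    hits = []
    for rec in records:
        user = rec["UserId"].lower()
        pair = app_pair(rec)
        if pair in baseline.get(user, set()):
            continue  # this mailbox is routinely read by this application
        if rec.get("AppId") in allowed_app_ids:
            continue  # new for this mailbox, but an application the tenant sanctions
        hits.append({
            "time": rec.get("CreationTime"),
            "user": user,
            "AppId": pair[0],
            "ClientAppId": pair[1],
            "access": rec.get("MailAccessType"),
            "items": rec.get("OperationCount"),
            "client": rec.get("ClientInfoString"),
        })
    return hits


def hunt():
    """Run the hunt over the constructed samples and return the flagged records."""
    baseline = build_baseline(parse_records(BASELINE_LINES))
    return find_outliers(baseline, parse_records(HUNT_LINES), {OUTLOOK_APP, MOBILE_APP})


if __name__ == "__main__":
    for pair, count in mailboxes_per_app(parse_records(BASELINE_LINES)).items():
        print(f"baseline: AppId={pair[0]} ClientAppId={pair[1]} mailboxes={count}")
    for hit in hunt():
        print("OUTLIER:", hit)
```

The tenant-wide count in mailboxes_per_app is the quicker first pass in a real hunt: an application pair that appears against only one or two mailboxes in a large tenant deserves a look even before the per-mailbox comparison runs. The allowlist is there so that a user picking up a sanctioned mobile client for the first time does not page an analyst; it should hold the AppIds the tenant has actually consented to, not every AppId that has ever appeared in the log.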