Cyber Security News

Chinese APT Groups Actively Targeting Outlook and Exchange Online Email Accounts

A China-based APT actor accessed a Microsoft 365 cloud environment and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts.

In June 2023, a Federal Civilian Executive Branch (FCEB) agency observed suspicious activity in their Microsoft 365 (M365) cloud environment and reported the activity to Microsoft and CISA.

CISA and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory to provide guidance to all organizations on mitigating this activity.

APT Accesses Outlook Online:

Microsoft has announced that it successfully thwarted an attack by a China-based hacker group called Storm-0558 on Outlook and Exchange Online email accounts of its customers.

A Chinese espionage actor, Storm-0558, accessed cloud-based Outlook Web Access in Exchange Online (OWA) and the Outlook.com unclassified email service for nearly a month, beginning in May 2023.

The actor used forged authentication tokens, created with a Microsoft account signing key, to access the email data; 25 organizations were affected by this targeted attack.

The FCEB agency observed MailItemsAccessed events with an unexpected ClientAppId and AppId in M365 Audit Logs.

The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client.

The FCEB agency informed Microsoft and CISA about this anomalous activity because the observed AppId did not routinely access mailbox items in their environment.

Microsoft immediately blocked the tokens issued with the acquired key and then replaced the key to prevent continued misuse.

Recommendations:

FBI and CISA strongly recommend that critical infrastructure organizations enable audit logging to detect malicious activity.

The Office of Management and Budget (OMB) M-21-31 requires Microsoft audit logs to be retained for at least twelve months in active storage and an additional eighteen months in cold storage. 

This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy.

Enable Purview Audit (Premium) logging, which requires licensing at the G5/E5 level.

Ensure logs are searchable by operators so they can hunt for threat activity.

Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic.
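The hunt the FCEB agency performed (MailItemsAccessed events with an AppId that does not normally access mailbox items) and the baselining recommended above can be scripted against exported Unified Audit Log records. The following is an added example and not code from the advisory or from CISA: it builds a baseline of (AppId, ClientAppId) pairs from a historical window, then flags MailItemsAccessed events in a newer window whose pair was never seen before. The record field names follow the Exchange Online MailItemsAccessed schema as commonly exported; all GUIDs, user names, timestamps and both log windows are constructed placeholders, not real identifiers.

```python
"""Baseline MailItemsAccessed AppIds and flag events from applications never seen before."""
import json
from collections import Counter, defaultdict

# Constructed sample records (one JSON object per line), shaped like the AuditData
# payload of Exchange Online MailItemsAccessed entries in the Unified Audit Log.
# Every GUID, user and timestamp below is a placeholder, not a real identifier.
BASELINE_WINDOW = """\
{"CreationTime":"2023-05-01T08:12:03","Operation":"MailItemsAccessed","UserId":"alice@agency.example","AppId":"aaaaaaaa-0000-0000-0000-000000000001","ClientAppId":"aaaaaaaa-0000-0000-0000-000000000001","ClientInfoString":"Client=OWA;Action=ViaProxy","MailAccessType":"Bind"}
{"CreationTime":"2023-05-01T09:30:45","Operation":"MailItemsAccessed","UserId":"bob@agency.example","AppId":"aaaaaaaa-0000-0000-0000-000000000002","ClientAppId":"aaaaaaaa-0000-0000-0000-000000000002","ClientInfoString":"Client=MSExchangeRPC","MailAccessType":"Sync"}
{"CreationTime":"2023-05-02T10:02:11","Operation":"MailItemsAccessed","UserId":"alice@agency.example","AppId":"aaaaaaaa-0000-0000-0000-000000000002","ClientAppId":"aaaaaaaa-0000-0000-0000-000000000002","ClientInfoString":"Client=MSExchangeRPC","MailAccessType":"Sync"}
{"CreationTime":"2023-05-02T10:05:00","Operation":"Send","UserId":"alice@agency.example","AppId":"aaaaaaaa-0000-0000-0000-000000000001","ClientAppId":"aaaaaaaa-0000-0000-0000-000000000001"}
"""

# Newer window to hunt in. Two events come from an AppId absent from the baseline,
# and one line is deliberately malformed to show the parser skipping it.
HUNT_WINDOW = """\
{"CreationTime":"2023-06-15T02:41:09","Operation":"MailItemsAccessed","UserId":"alice@agency.example","AppId":"bbbbbbbb-0000-0000-0000-00000000beef","ClientAppId":"bbbbbbbb-0000-0000-0000-00000000beef","ClientInfoString":"Client=REST;;","MailAccessType":"Bind"}
{"CreationTime":"2023-06-15T03:10:22","Operation":"MailItemsAccessed","UserId":"bob@agency.example","AppId":"aaaaaaaa-0000-0000-0000-000000000002","ClientAppId":"aaaaaaaa-0000-0000-0000-000000000002","ClientInfoString":"Client=MSExchangeRPC","MailAccessType":"Sync"}
{"CreationTime":"2023-06-15T03:12:58","Operation":"MailItemsAccessed","UserId":"carol@agency.example","AppId":"bbbbbbbb-0000-0000-0000-00000000beef","ClientAppId":"bbbbbbbb-0000-0000-0000-00000000beef","ClientInfoString":"Client=REST;;","MailAccessType":"Bind"}
not valid json {
{"CreationTime":"2023-06-15T08:00:00","Operation":"MailItemsAccessed","UserId":"alice@agency.example","AppId":"aaaaaaaa-0000-0000-0000-000000000001","ClientAppId":"aaaaaaaa-0000-0000-0000-000000000001","ClientInfoString":"Client=OWA;Action=ViaProxy","MailAccessType":"Bind"}
"""


def parse_audit_lines(text):
    """Parse JSON-lines audit export; skip blank or malformed lines instead of aborting the hunt."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def mail_access_events(records):
    """Keep only MailItemsAccessed operations; other operations have different semantics."""
    return [r for r in records if r.get("Operation") == "MailItemsAccessed"]


def build_baseline(records):
    """Count each (AppId, ClientAppId) pair seen accessing mail in the historical window."""
    return Counter((r.get("AppId"), r.get("ClientAppId")) for r in mail_access_events(records))


def find_outliers(records, baseline):
    """Return MailItemsAccessed events whose application pair never appeared in the baseline."""
    outliers = []
    for r in mail_access_events(records):
        key = (r.get("AppId"), r.get("ClientAppId"))
        if key not in baseline:
            outliers.append({
                "CreationTime": r.get("CreationTime"),
                "UserId": r.get("UserId"),
                "AppId": r.get("AppId"),
                "ClientAppId": r.get("ClientAppId"),
                "ClientInfoString": r.get("ClientInfoString"),
                "MailAccessType": r.get("MailAccessType"),
            })
    return outliers


def summarize_by_app(outliers):
    """Group outliers per AppId: how many events and which mailboxes were touched."""
    summary = defaultdict(lambda: {"events": 0, "users": set()})
    for o in outliers:
        summary[o["AppId"]]["events"] += 1
        summary[o["AppId"]]["users"].add(o["UserId"])
    return {app: {"events": v["events"], "users": sorted(v["users"])} for app, v in summary.items()}


if __name__ == "__main__":
    baseline = build_baseline(parse_audit_lines(BASELINE_WINDOW))
    found = find_outliers(parse_audit_lines(HUNT_WINDOW), baseline)
    for app, info in summarize_by_app(found).items():
        print(f"unbaselined AppId {app}: {info['events']} events across {info['users']}")
```

In practice the baseline window should be long enough to cover every legitimate client in the tenant (desktop Outlook, OWA, mobile sync, approved integrations), and a hit is a starting point for triage rather than a verdict: confirm whether the AppId is a newly onboarded application before treating it as the kind of anomaly the FCEB agency reported.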

Sujatha

Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.
