Microsoft Cloud Email Breach: 5 Things To Know

Two government agencies in the U.S. are reportedly among the victims of the breach, which Microsoft has attributed to Chinese hackers.

Microsoft Cloud Email Breach

As much as Microsoft has expanded to become a leading cybersecurity vendor by just about every measure, the company’s widely deployed applications and vast client base continue to be appealing targets for malicious actors. This week, the Redmond, Wash.-based tech giant revealed that attackers recently succeeded at compromising the defenses around its cloud email service, though the disclosure of the breach omitted a number of important specifics. Other organizations have filled in some of the gaps, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The breach was discovered after a U.S. federal civilian agency “identified suspicious activity in their Microsoft 365 (M365) cloud environment,” and reported it to Microsoft, CISA said in a post.

Notably, Microsoft did offer attribution for the attack, pinning the breach on a hacking group working on behalf of the Chinese government. At least two U.S. government agencies are reportedly among the victims.

Microsoft said in its post that it has “completed mitigation of this attack for all customers,” and that customers do not have to take any action in response. “If you have not been contacted, our investigations indicate that you have not been impacted,” the company said.

What follows are five key things to know about the Microsoft cloud email breach.

Timing And Attribution

The attack is believed to have begun on May 15, according to Microsoft. The company’s investigation began June 16, after Microsoft received a customer report about “anomalous mail activity.”

Microsoft has attributed the breach to a group it calls “Storm-0558,” which the company has described as a China-based threat actor. The Chinese hacking group “primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access,” Microsoft said in a post.

Microsoft added a bit more detail in a separate post, saying that key espionage activities for the group include “gaining access to email systems for intelligence collection. This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.”

How The Breach Happened

Microsoft said its investigation found that “Storm-0558” managed to acquire access to customer email accounts via Outlook Web Access in Exchange Online and Outlook.com, through using forged authentication tokens in order to gain access to users’ email accounts. The attackers “used an acquired MSA key to forge tokens to access OWA and Outlook.com,” Microsoft said.

The company noted that “MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems.” The attackers “exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail,” Microsoft said. “We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key.”

Breach Victims

The Chinese government hacking group is believed to have acquired access to the email accounts of “approximately 25 organizations,” which include “government agencies as well as related consumer accounts of individuals likely associated with these organizations,” Microsoft said in a post. “They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.”

Microsoft did not specify the location or names of affected government agencies. CISA indicated in its post that a U.S. Federal Civilian Executive Branch agency was among the victims, though CISA did not specify which agency it was referring to. Media reports, including from ABC News, indicate that both the Departments of State and Commerce were impacted in the attacks. An account belonging to Secretary of Commerce Gina Raimondo (pictured) was among those compromised in the breach, according to the ABC News report.

Unclassified Data Stolen

According to CISA, however, the data stolen in the attack was not classified, and the number of impacted accounts was minimal. “Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts,” CISA said in its post.

In a statement quoted by NPR, National Security Council spokesman Adam Hodge said that “last month, U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems.” Hodge added that “officials immediately contacted Microsoft to find the source and vulnerability in their cloud service.”

Mitigation Completed

Microsoft said in its post that it has “completed mitigation of this attack for all customers,” and that customers do not have to take any action in response. “Our telemetry indicates that we have successfully blocked Storm-0558 from accessing customer email using forged authentication tokens. No customer action is required,” the company said.

“As with any observed nation-state actor activity, Microsoft has contacted all targeted or compromised organizations directly via their tenant admins and provided them with important information to help them investigate and respond. We continue to work closely with these organizations,” Microsoft said. “If you have not been contacted, our investigations indicate that you have not been impacted.”