Microsoft: Cloud Email Breach Still Under ‘Ongoing Investigation’

While an API flaw that enabled the attack to succeed has been fixed, Microsoft is still trying to figure out how the attackers were able to acquire an Azure Active Directory key in the first place.

Microsoft said Friday that while it has fixed an API flaw that helped to enable a threat actor to compromise certain customer cloud email accounts, including those used by multiple U.S. government agencies, the company is still trying to determine how an attacker was able to steal an Azure Active Directory key used in the compromise.

The company said the stolen Azure AD key was then misused to forge authentication tokens and gain access to emails from an estimated 25 organizations.

“The method by which the actor acquired the key is a matter of ongoing investigation,” Microsoft said in a post Friday.

Microsoft has said that the attackers were able to access customers’ Exchange Online data via Outlook Web Access.

Microsoft “initially assumed the actor was stealing correctly issued Azure Active Directory (Azure AD) tokens,” the company said in the Friday post. However, Microsoft said that its analysts “later determined that the actor’s access was utilizing Exchange Online authentication artifacts, which are typically derived from Azure AD authentication tokens.”

“Further in-depth analysis over the next several days led Microsoft analysts to assess that the internal Exchange Online authentication artifacts did not correspond to Azure AD tokens in Microsoft logs,” Microsoft said.

Chinese Threat Actor

Microsoft has attributed the breach to a hacking group working on behalf of the Chinese government, which the company tracks under the identifier “Storm-0558.”

The breach was discovered after a U.S. federal civilian agency “identified suspicious activity in their Microsoft 365 (M365) cloud environment,” and reported it to Microsoft, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a post.

Several reports have identified the agency as the State Department. ABC News reported that the Commerce Department was also impacted in the attacks, and that an account belonging to Commerce Secretary Gina Raimondo was among those compromised in the breach.

In its post Friday, Microsoft said that “our telemetry and investigations indicate that post-compromise activity was limited to email access and exfiltration for targeted users.”

According to CISA, the data stolen in the attack was not classified, and the number of impacted accounts was minimal. “Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts,” CISA said in its post.

In a statement, National Security Council spokesman Adam Hodge said that “last month, U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems.” Hodge added that “officials immediately contacted Microsoft to find the source and vulnerability in their cloud service.”

The attack is believed to have begun on May 15, according to Microsoft. The company’s investigation began June 16, after Microsoft received a customer report about “anomalous mail activity.”

API Flaw

While Microsoft has not yet determined how the Azure AD key was acquired by attackers, the company has suggested the theft would not have led to a breach of customer accounts had it not been for an API flaw. Holders of such keys are not supposed to be capable of forging authentication tokens with the keys, according to Microsoft.

“Though the key was intended only for [Microsoft] accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens,” the company said in the Friday post. “This issue has been corrected.”

More specifically, the attacker was “able to obtain new access tokens by presenting one previously issued from this API due to a design flaw,” Microsoft said. “This flaw in the GetAccessTokenForResourceAPI has since been fixed to only accept tokens issued from Azure AD or MSA respectively. The actor used these tokens to retrieve mail messages from the OWA API.”
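To illustrate the validation issue described above, here is an added toy example (not Microsoft’s code; the token format, key names and issuer labels are assumed): a validator that trusts any known signing key for any issuer accepts a token signed with a consumer-scoped key for an enterprise issuer, while binding each key to its issuer rejects it.

```python
# Added illustration, not Microsoft's code: a toy token validator showing why a
# signing key must be bound to the issuer it was minted for. Key ids, secrets,
# issuer labels and claims are all constructed for the demo.
import base64
import hashlib
import hmac
import json

# Constructed sample keys, each scoped to one issuer: a consumer ("msa") key
# must never validate an enterprise ("aad") token.
KEYS = {
    "msa-key-1": {"secret": b"consumer-secret", "issuer": "msa"},
    "aad-key-1": {"secret": b"enterprise-secret", "issuer": "aad"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a toy HMAC-signed token under the given key id (demo only)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def validate(token: str, expected_issuer: str, bind_key_to_issuer: bool) -> bool:
    """Accept the token for expected_issuer only if signature and claims check out.
    bind_key_to_issuer=False models the weak check (any known key trusted for
    any issuer); True models the fix (the key must belong to that issuer)."""
    header, body, sig = token.split(".")
    key = KEYS.get(json.loads(_unb64(header))["kid"])
    if key is None:
        return False
    expected = hmac.new(key["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False  # signature does not verify under the named key
    if json.loads(_unb64(body)).get("iss") != expected_issuer:
        return False  # token does not even claim the expected issuer
    if bind_key_to_issuer and key["issuer"] != expected_issuer:
        return False  # key is scoped to a different issuer: reject
    return True

def demo() -> tuple:
    # A token claiming the enterprise issuer but signed with the consumer-scoped key.
    cross_scope = sign_token("msa-key-1", {"iss": "aad", "sub": "user@example.test"})
    return (validate(cross_scope, "aad", False), validate(cross_scope, "aad", True))
```

Running `demo()` returns `(True, False)`: the unbound check accepts the cross-scope token, the issuer-bound check rejects it, while a token properly signed with the enterprise key still validates under the stricter check.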

Microsoft said in its post earlier this week that it had “completed mitigation of this attack for all customers,” and that customers do not have to take any action in response. “If you have not been contacted, our investigations indicate that you have not been impacted,” the company said.