In recent weeks, there was a significant breach targeting Microsoft 365 Cloud Email. Malicious actors exploited forged authentication tokens to gain unauthorized access to user accounts. The act is attributed to a China-based group known as Storm-0558.

The breach affected several US government agencies. It has also raised concerns for enterprises across the world.

Here, we’ll examine six things you should know about the breach.

How the Breach Occurred

The attack is believed to have begun on May 15, 2023. A US federal civilian agency detected anomalous mail activity within its Microsoft 365 cloud environment. The attackers used acquired Microsoft account (MSA) keys to forge tokens. They then accessed Outlook Web Access (OWA) and Outlook.com. This allowed them to exploit a token validation issue and impersonate Azure AD users, leading to unauthorized access to enterprise mail.
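The sketch below is an added example, not code from the article or from Microsoft. It shows the class of validation flaw described above: a verifier that accepts any known signing key, next to one that also checks the key is registered for the issuer the token claims. The key names, the "consumer" and "enterprise" issuer labels and the token layout are constructed, and HMAC stands in for the real public-key signatures so it runs on the standard library alone.

```python
import base64, hashlib, hmac, json

# Constructed key registry: every signing key is bound to one issuer.
# HMAC stands in for the real public-key signatures (stdlib only).
KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret", "issuer": "consumer"},
    "enterprise-key-1": {"secret": b"enterprise-secret", "issuer": "enterprise"},
}

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(kid, signed_part):
    return hmac.new(KEYS[kid]["secret"], signed_part.encode(), hashlib.sha256).digest()

def issue(kid, claims):
    """Test helper: build a token signed with the named key."""
    part = b64(json.dumps({"kid": kid}).encode()) + "." + b64(json.dumps(claims).encode())
    return part + "." + b64(mac(kid, part))

def verified_claims(token):
    """Return (kid, claims) if the signature checks out under a known key, else None."""
    try:
        head, body, sig = token.split(".")
        kid = json.loads(unb64(head))["kid"]
        if kid in KEYS and hmac.compare_digest(mac(kid, head + "." + body), unb64(sig)):
            return kid, json.loads(unb64(body))
    except (ValueError, KeyError, TypeError):
        pass
    return None

def validate_loose(token):
    """Flawed: accepts any token signed by any key in the registry."""
    return verified_claims(token) is not None

def validate_scoped(token):
    """Hardened: the signing key must be registered for the issuer the token claims."""
    result = verified_claims(token)
    return result is not None and result[1].get("iss") == KEYS[result[0]]["issuer"]

# Constructed tokens: both claim the enterprise issuer, only one uses its key.
GOOD = issue("enterprise-key-1", {"iss": "enterprise", "sub": "alice@example.com"})
CROSS = issue("consumer-key-1", {"iss": "enterprise", "sub": "alice@example.com"})
```

The loose validator accepts both tokens, while the scoped validator rejects the one whose signing key belongs to a different issuer.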

Who are Storm-0558?

Storm-0558 is a well-resourced APT hacking group associated with the Chinese government. Their primary aim centres on espionage, data theft, and credential access. In this breach, they focused on gaining access to email systems to collect intelligence. Storm-0558 seeks to abuse credentials and access data residing in sensitive systems, potentially leading to severe consequences for the targeted organizations.

What is an APT Hacking Group?

An APT group is a patient and persistent hacking group. They take their time to understand their target, studying weaknesses and staying hidden for long periods of time. Their goal is usually to accomplish big, dangerous cyberattacks.

The Impact of the Breach on its Victims

Approximately 25 organizations, including government agencies, fell victim to the breach. Some personal accounts of individuals associated with these organizations were also compromised. Luckily, the stolen data wasn’t classified, but the breach has raised concerns about the attackers’ capabilities and the potential risk posed to sensitive information.

Vulnerabilities and Threats

The swiped MSA keys allowed the threat actors to forge access tokens for various Azure Active Directory applications. These included:

  • SharePoint
  • Teams
  • OneDrive
  • Other customer applications supporting ‘login with Microsoft’ functionality
  • Certain multi-tenant applications

The APT group could also have easy access to various other services, including email boxes, file services, and cloud accounts, as well as services like Skype and Xbox.

However, it is challenging to assess whether and how Storm-0558 has used this broader access. This is because of a lack of crucial email logs available to Microsoft’s customers. These customers simply cannot find any evidence of compromise within their logs. This doesn’t mean that they avoided the attack – it means that they don’t have the evidence to spot it.

Why didn’t customers have access to these logs?

To check whether they had suffered a break-in, victims needed access to Microsoft’s advanced log set. But Microsoft limits access to advanced logs unless an organisation pays for its premium-level license. Unfortunately, the vast majority of Microsoft customers cannot afford to pay the premium price that is attached, meaning that they are left vulnerable.

Microsoft’s Response

Microsoft swiftly mitigated the attack, providing protection against further unauthorized access for all impacted customers. However, the ongoing challenge posed by sophisticated threat actors necessitates constant vigilance against potential future attacks.

Key Learnings from the Microsoft 365 Cloud Email Breach

  • Comprehensive Protection Should Go Beyond Network Security

Data protection is as crucial as network security. Enhanced logging and monitoring improve security posture, especially with sensitive information. Fortifying data protection prevents devastating consequences even during cyberattacks.

  • Understanding the Threat Landscape

Knowing about potential adversaries and understanding their tactics and techniques can help organizations better prepare for future attacks.

  • Importance of Advanced Logging and Monitoring

One of the significant challenges highlighted by the breach was the lack of crucial email logs available to Microsoft’s customers. Without adequate logs, detecting and responding to such attacks becomes challenging. Access to advanced logging can help detect suspicious activities, providing crucial evidence in case of an incident. It can enable organizations to respond effectively to cyberattacks.
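As an added example (not from the original article), this is the kind of check that mail-access logs make possible: build a per-mailbox baseline of which applications read mail before a cutoff, then flag later reads by an application never seen on that mailbox. The record layout, app IDs, users and addresses are constructed for illustration, `MailItemsAccessed` is assumed as the mail-read operation name, and the cutoff used in practice would be the date the activity is believed to have begun.

```python
import json
from collections import defaultdict

# Constructed audit records, one JSON object per line. The field names are a
# simplified layout assumed for this example, not an export from a real tenant.
SAMPLE_LOG = """\
{"CreationTime":"2023-05-02T08:01:00","Operation":"MailItemsAccessed","UserId":"alice@example.com","AppId":"app-outlook","ClientIP":"198.51.100.10"}
{"CreationTime":"2023-05-03T09:15:00","Operation":"MailItemsAccessed","UserId":"bob@example.com","AppId":"app-mobile","ClientIP":"198.51.100.11"}
{"CreationTime":"2023-05-04T10:00:00","Operation":"Send","UserId":"alice@example.com","AppId":"app-outlook","ClientIP":"198.51.100.10"}
{"CreationTime":"2023-05-16T02:40:00","Operation":"MailItemsAccessed","UserId":"alice@example.com","AppId":"app-unknown","ClientIP":"203.0.113.7"}
{"CreationTime":"2023-05-16T08:05:00","Operation":"MailItemsAccessed","UserId":"alice@example.com","AppId":"app-outlook","ClientIP":"198.51.100.10"}
{"CreationTime":"2023-05-16T11:30:00","Operation":"MailItemsAccessed","UserId":"carol@example.com","AppId":"app-outlook","ClientIP":"198.51.100.12"}
truncated-line-without-json
"""

def parse_records(text):
    """Yield mail-read events; skip other operations and unparseable lines."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("Operation") == "MailItemsAccessed":
            yield rec

def detect(text, cutoff):
    """Flag reads after `cutoff` by an app never seen on that mailbox before it."""
    baseline = defaultdict(set)
    recent = []
    for rec in parse_records(text):
        if rec["CreationTime"] < cutoff:
            baseline[rec["UserId"]].add(rec["AppId"])
        else:
            recent.append(rec)
    findings = []
    for rec in recent:
        user, app = rec["UserId"], rec["AppId"]
        if user not in baseline:
            reason = "no-baseline"      # cannot judge: no history for this mailbox
        elif app not in baseline[user]:
            reason = "unexpected-app"   # app ID never read this mailbox before
        else:
            continue
        findings.append((rec["CreationTime"], user, app, rec["ClientIP"], reason))
    return findings
```

Calling `detect(SAMPLE_LOG, "2023-05-15T00:00:00")` reports the read by the unfamiliar app and, separately, the mailbox with no history, which is the situation of an organisation that lacks the logs to compare against.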


Galaxkey offers a simple and ultra-secure platform to safeguard sensitive data effectively. Its advanced encryption techniques, secure file transfer, and email encryption ensure that data remains protected throughout its lifecycle.

Key Features of Galaxkey:

  • State-of-the-art encryption techniques for unmatched data security.
  • Secure file transfer and email encryption to thwart unauthorized access.
  • Full logging and auditability, providing complete transparency and accountability for all actions.
