Microsoft has been criticized for charging its cloud services customers extra to access security logs after a China-based threat group hacked email accounts from more than two dozen organizations, including U.S. government agencies.
The agencies targeted by the attackers reportedly include the State and Commerce Departments. Among the individuals email accounts accessed was one belonging to Secretary of Commerce Gina Raimondo.
The threat group behind the attacks, identified by Microsoft as Storm-0558, used forged authentication tokens to access Microsoft 365 (M365) accounts using Outlook Web Access and Outlook.com. The attacks were first revealed July 11 and Microsoft provided a more detailed account of the compromise on Friday last week.
Microsoft said it had completed mitigation of the attack for all customers and was still investigating how the attackers acquired the forged tokens.
‘Pay to play’ security
Steven Adair, president of Volexity, said on Twitter his security firm worked with one of the impacted organizations and “despite a notification from Microsoft regarding unauthorized access, we could not find any corroborating evidence.”
“The incident was invisible to us with the data at our disposal and this was due to the customer’s M365 license level: E3,” he said.
While email access attacks were logged by Microsoft’s “MailItemsAccessed” operation, a log of that operation was generally not available to customers, like the victim, who held E3 licensees. It was part of the additional logging capability provided on Microsoft’s more expensive E5 and G5 plans, Adair said.
Dublin-based independent security consultant Brian Honan said the organization that first detected the Storm-0558 attack was only able to do so because it subscribed to the E5 plan.
“Microsoft and other cloud service providers need to provide their clients with access to security logs and not have this as a feature that is an additional charge,” he said.
Sen. Ron Wyden, D-Ore., said in a statement the extra costs were akin to “selling a car and then charging extra for seatbelts and airbags."
A Microsoft spokesperson told CyberScoop the company was “evaluating feedback,” and remained “open to other models.”
Key access remains a mystery
In its Friday analysis of the attack, Microsoft said Storm-0558 began using forged authentication tokens to access user email on May 15 this year.
“Since identification of this malicious campaign on June 16, 2023, Microsoft has identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer, and coordinated with multiple government entities.”
The threat actor’s methods were consistent with those of an espionage-focused adversary and while Microsoft had observed “some minimal overlaps with other Chinese groups” such as Violet Typhoon (also known as Zirconium, APT31), it appears Storm-0558 operated as a distinct group.
“Historically, this threat actor has displayed an interest in targeting media companies, think tanks, and telecommunications equipment and service providers. The objective of most Storm-0558 campaigns is to obtain unauthorized access to email accounts belonging to employees of targeted organizations.”
According to the post, Storm-0558 acquired an inactive Microsoft account (MSA) consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com.
“The method by which the actor acquired the key is a matter of ongoing investigation,” Microsoft said.
“Ongoing monitoring indicates that all actor activity related to this incident has been blocked. Microsoft will continue to monitor Storm-0558 activity and implement protections for our customers.”
