
Microsoft blocks attack on cloud email accounts by Chinese APT group


Microsoft reported mitigating an attack on customer Outlook and Exchange Online email accounts by a China-based threat actor Microsoft tracks as Storm-0558.

In an advisory posted July 11, Microsoft said Storm-0558 primarily targets government agencies in Western Europe and focuses on espionage, data theft and credential access.

However, the group's reach is evidently wider than that. The Cybersecurity and Infrastructure Security Agency (CISA) said on July 12 that in June 2023 a federal civilian executive branch (FCEB) agency identified suspicious activity in its Microsoft 365 cloud environment. The agency reported the issue to Microsoft and CISA, and Microsoft determined that advanced persistent threat (APT) actors had accessed and exfiltrated unclassified Exchange Online Outlook data.

CISA and the FBI released an advisory that offers guidance to critical infrastructure organizations for monitoring Microsoft Exchange Online environments. It should be noted that the CISA-FBI advisory does not mention China by name, but does link back to the July 11 Microsoft advisory on Storm-0558 that's the subject of this story.

Storm-0558 gained access to the email accounts of approximately 25 organizations, including U.S. government agencies, as well as the consumer accounts of individuals likely associated with those organizations. The group did this by forging authentication tokens with an acquired Microsoft account (MSA) consumer signing key. A consumer signing key should only be able to mint tokens for consumer accounts; Microsoft's advisory attributed the acceptance of those tokens for enterprise accounts to a token validation issue that has since been corrected.
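The following is an added, illustrative example written for this article, not Microsoft's code, that models the class of validation flaw described above: a verifier that trusts any key in its combined trust store accepts a token signed with a consumer-domain key even when the token claims an enterprise issuer, while a verifier that resolves the key ID only against the key set of the claimed issuer rejects it. The issuer names, key IDs, secrets and claims are all constructed for the demo, and HMAC-SHA256 stands in for the RSA signatures real tokens carry; the validation logic is the point.

```python
"""Signing-key scope validation for bearer tokens (illustrative model).

Added example, not Microsoft's implementation. Issuers, key IDs, secrets and
claims below are constructed for the demo. HMAC-SHA256 replaces the RSA
signatures real MSA/Azure AD tokens use so the script runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed trust stores: which key IDs each issuer is allowed to sign with.
CONSUMER_ISSUER = "https://login.live.example/consumer"
ENTERPRISE_ISSUER = "https://login.corp.example/tenant-a"

KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: {"msa-kid-1": b"consumer-secret-demo"},
    ENTERPRISE_ISSUER: {"aad-kid-1": b"enterprise-secret-demo"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(kid: str, key: bytes, claims: dict) -> str:
    """Create a compact JWS-style token (header.payload.sig) signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    """Return (header, claims, signature bytes, signing input) for a compact token."""
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def _sig_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_weak(token: str, expected_iss: str, now: Optional[float] = None) -> Optional[dict]:
    """Flawed verifier: resolves the kid against every trusted key, regardless of
    which issuer published it. A valid signature from ANY trusted key is enough,
    so a token signed with the consumer key but claiming the enterprise issuer passes."""
    header, claims, sig, signing_input = _split(token)
    all_keys = {kid: k for ks in KEYS_BY_ISSUER.values() for kid, k in ks.items()}
    key = all_keys.get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return None
    if claims.get("iss") != expected_iss or claims.get("exp", 0) < (now or time.time()):
        return None
    return claims


def verify_strict(token: str, expected_iss: str, now: Optional[float] = None) -> Optional[dict]:
    """Hardened verifier: the issuer must be the one we expect, and the kid must be
    found in that issuer's own published key set, never in another domain's keys."""
    header, claims, sig, signing_input = _split(token)
    if claims.get("iss") != expected_iss:
        return None
    key = KEYS_BY_ISSUER.get(expected_iss, {}).get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return None
    if claims.get("exp", 0) < (now or time.time()):
        return None
    return claims


def demo() -> dict:
    """Mint a legitimate enterprise token and a forged one signed with the
    consumer key, then run both verifiers. Returns acceptance results by case."""
    now = 1_700_000_000  # fixed clock so the demo is deterministic
    claims = {"iss": ENTERPRISE_ISSUER, "sub": "alice@tenant-a", "scope": "Mail.Read", "exp": now + 3600}
    legit = mint_token("aad-kid-1", KEYS_BY_ISSUER[ENTERPRISE_ISSUER]["aad-kid-1"], claims)
    # Attacker holds the consumer signing key and forges a token for an enterprise user.
    forged = mint_token("msa-kid-1", KEYS_BY_ISSUER[CONSUMER_ISSUER]["msa-kid-1"], claims)
    return {
        "legit_weak": verify_weak(legit, ENTERPRISE_ISSUER, now) is not None,
        "legit_strict": verify_strict(legit, ENTERPRISE_ISSUER, now) is not None,
        "forged_weak": verify_weak(forged, ENTERPRISE_ISSUER, now) is not None,
        "forged_strict": verify_strict(forged, ENTERPRISE_ISSUER, now) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The strict verifier still trusts the consumer key for consumer tokens; the fix is scoping, not distrust. It also does nothing about the root cause of the incident, possession of the signing key itself, which has to be handled by rotating the key and treating everything it could have signed as suspect.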

Microsoft said its telemetry indicates that it has successfully blocked Storm-0558 from accessing customer email using forged authentication tokens. The company said customers do not need to take any action, and that any organization not contacted directly by Microsoft has not been impacted.

Chinese cyber espionage has come a long way from the smash-and-grab tactics many of us are familiar with, said John Hultquist, chief analyst at Mandiant, Google Cloud. Hultquist said these actors have transformed their capability from one dominated by broad, loud campaigns that were far easier to detect.

“They were brash before, but now they are clearly focused on stealth,” said Hultquist. “Rather than manipulating unsuspecting victims into opening malicious files or links, these actors are innovating and designing new methods that are already challenging us. They are leading their peers in the deployment of zero-days and they have carved out a niche by targeting security devices specifically. The reality is that we are facing a more sophisticated adversary than ever, and we'll have to work much harder to keep up with them.”

Security pros need to take a state-sponsored attack on government agencies seriously, said Zane Bond, head of product at Keeper Security. Bond said a threat actor gaining access to email poses a serious threat to any victim organization, with potential national-security impacts given Microsoft's assessment that the adversary was focused on espionage.

“Nation-state adversaries are well-resourced and particularly difficult to defend against,” said Bond. “They can use an undiscovered zero-day vulnerability to attack, but this comes with risks, as these types of attacks can be quite noisy, are highly visible and easy for victims to triage."

Because the attack targeted the cloud, Bond said Microsoft was immediately able to patch and resolve the issue for all Azure customers.

Joseph Carson, chief security scientist and Advisory CISO at Delinea, added that while most cyberattacks are conducted by financially motivated cybercriminals, we must remember that espionage, data theft and credential access continue to be top targets of nation-state backed attackers as well.

“The reminder here is to always assume breach and that an attacker could be active on your network and resources,” said Carson.

He recommended that organizations periodically check for abnormal credential and identity activity on their networks, rotate credentials periodically and implement strong privileged access security controls that prevent lateral movement.

Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, pointed out that there are many similarities between different nation-states and their tactics, techniques, and procedures, so security teams should focus on mitigating the vulnerabilities with the highest risk.

“If you believe that you are being targeted by China or any other nation-state actor, it’s imperative to have a good understanding of the network's baseline activity so that anomalous, or out-of-the-ordinary activities can be quickly identified and investigated,” Janssen-Anessi said.
