https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/
This doesn’t look good
Susan Bradley Patch Lady/Prudent patcher
Microsoft email attacks
Microsoft has mitigated an attack by a China-based threat actor Microsoft tracks as Storm-0558 which targeted customer emails. Storm-0558 primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access.
…
Microsoft has completed mitigation of this attack for all customers.
…
No customer action is required.
An attacker stole a consumer Microsoft account cert. They’re not done “mitigating” this. This is a big deal, B, and I would recommend reading additional articles and not just Microsoft’s word.
Susan Bradley Patch Lady/Prudent patcher
The method of attack means that they will be back. Sorry, B, this is still a big deal and a huge news item slid in on a Patch Tuesday, on a day they renamed Azure AD to Microsoft Entra (gawd, don’t get me started on that rename).
Susan Bradley Patch Lady/Prudent patcher
National Security Adviser Jake Sullivan said the federal government is responding in coordination with Microsoft.
“We detected it fairly rapidly and we were able to prevent further breaches,” Mr. Sullivan told ABC’s “Good Morning America” from Lithuania.
Microsoft says China hacked emails; Biden administration investigating the fallout
B – understand the bigger picture. They got a consumer level Microsoft account code signing cert and spoofed the better cloud security. It’s why they also voided a bunch of drivers and I’m sure a lot of other code review that they will be doing in the coming weeks. They’ve only just begun to review the long term implications.
The only reason it was spotted was because someone in these risk categories was paying for the additional logging and ability to track what was going on. Unless you pay for this level of logging, it’s not exposed to you. Note too that Microsoft didn’t alert them, the government alerted them.
Don’t get me wrong, I think we’re in a world where we should consider email a hostile entry point and react to it accordingly, but the argument that Microsoft has given that hosting your own email server is no longer able to be secured and oh – come to our cloud because it’s more secure isn’t the great pitch it used to be.
Bottom line consider email hostile. Period.
Susan Bradley Patch Lady/Prudent patcher
B – understand the bigger picture. They got a consumer level Microsoft account code signing cert and spoofed the better cloud security. It’s why they also voided a bunch of drivers …
Not the same cause: Windows driver policy loophole allows signature timestamp forging
The underlying root cause of forgery applies to both attack scenarios. Attackers know that the best way in is to pretend to be valid. So they will spoof authentication, spoof drivers, spoof code signing.
My guess is that we will see more voiding, more hardening, more actions. That’s what I meant by the bigger picture. Both events are related.
Susan Bradley Patch Lady/Prudent patcher
Only with an E5 license. This should be DEFAULT for EVERYONE and not just for the top most expensive licensing. This got caught because someone was paying for it. It is not default for Microsoft 365 unless you have that plan.
$57 a person per month.
Susan Bradley Patch Lady/Prudent patcher
“The MailItemsAccessed event”
That one particular event which is SOOOOOO important for forensics is ONLY available to the upper premium license holders.
Sorry, you just hit a sore spot for me because this should be default on all Microsoft mail servers. Period. Microsoft should not be making that key forensic tool only available to some customers.
Once upon a time, when Office 365 first came out, there was a way that you could get that info, as it wasn’t gated. You just had to know that the info was available. Then they realized that, hey, that’s premium info that someone might pay for. https://www.lmgsecurity.com/the-office-365-magic-unicorn-tool-lives/ Bottom line: it wasn’t released as a free tool, you have to pay for it.
Susan Bradley Patch Lady/Prudent patcher
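The two posts above (the one on paid-tier logging being the only reason the intrusion was spotted, and the one on the MailItemsAccessed event) are about what a defender can do once that event is actually in their audit log. The following is an added example, not code from the thread or from Microsoft: a small triage over newline-delimited JSON audit records that totals mail items touched per mailbox and flags MailItemsAccessed events whose client app ID or source IP is outside a baseline. The sample records, the app IDs, the IP addresses and the baseline sets are all constructed here; the field names (Operation, UserId, ClientAppId, ClientIPAddress, OperationProperties/MailAccessType, Folders/FolderItems) follow the Office 365 Management Activity schema as I understand it and should be checked against a real export before you rely on them.

```python
import json
from collections import Counter

# Constructed sample of mailbox audit records (NOT real telemetry). Field names are an
# assumption about the unified audit log export format; values are invented.
SAMPLE_LOG_LINES = [
    json.dumps({"CreationTime": "2023-06-15T08:02:11", "Operation": "MailItemsAccessed",
                "UserId": "alice@example.org",
                "ClientAppId": "00000000-0000-0000-0000-000000000001",
                "ClientIPAddress": "198.51.100.10",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
                "Folders": [{"Path": "\\Inbox", "FolderItems": [{"Id": "m1"}, {"Id": "m2"}]}]}),
    # Sync-type access from an app ID and IP never seen in the baseline: the one to look at.
    # Sync records do not enumerate individual items, so FolderItems is empty here.
    json.dumps({"CreationTime": "2023-06-15T23:41:07", "Operation": "MailItemsAccessed",
                "UserId": "alice@example.org",
                "ClientAppId": "11111111-1111-1111-1111-111111111111",
                "ClientIPAddress": "203.0.113.77",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}],
                "Folders": [{"Path": "\\Inbox", "FolderItems": []}]}),
    json.dumps({"CreationTime": "2023-06-15T09:15:30", "Operation": "MailItemsAccessed",
                "UserId": "bob@example.org",
                "ClientAppId": "00000000-0000-0000-0000-000000000001",
                "ClientIPAddress": "198.51.100.11",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
                "Folders": [{"Path": "\\Inbox", "FolderItems": [{"Id": "m9"}]}]}),
    json.dumps({"CreationTime": "2023-06-15T09:20:00", "Operation": "Send",
                "UserId": "bob@example.org", "ClientIPAddress": "198.51.100.11"}),
    "this line is not json and must be skipped",
]

# Hypothetical baselines: client app IDs and source IPs observed during normal operation.
KNOWN_CLIENT_APP_IDS = {"00000000-0000-0000-0000-000000000001"}
BASELINE_IPS = {"198.51.100.10", "198.51.100.11"}


def parse_audit_lines(lines):
    """Parse newline-delimited JSON audit records, skipping lines that are not valid JSON."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def _mail_access_type(record):
    """Return the MailAccessType value (e.g. Bind or Sync) from OperationProperties, if any."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == "MailAccessType":
            return prop.get("Value")
    return None


def _items_touched(record):
    """Count the individual mail items listed under Folders/FolderItems."""
    return sum(len(folder.get("FolderItems", [])) for folder in record.get("Folders", []))


def triage_mail_access(records, known_app_ids=KNOWN_CLIENT_APP_IDS, baseline_ips=BASELINE_IPS):
    """Total items accessed per mailbox and flag MailItemsAccessed events outside the baseline."""
    items_per_user = Counter()
    flagged = []
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        user = rec.get("UserId")
        items_per_user[user] += _items_touched(rec)
        reasons = []
        if rec.get("ClientAppId") not in known_app_ids:
            reasons.append("client app id not in baseline")
        if rec.get("ClientIPAddress") not in baseline_ips:
            reasons.append("source ip not in baseline")
        # Sync access pulls whole folders; on its own it is normal for a desktop client,
        # so it is only escalated when paired with another anomaly.
        if _mail_access_type(rec) == "Sync" and reasons:
            reasons.append("bulk (sync) access combined with an anomaly")
        if reasons:
            flagged.append({"time": rec.get("CreationTime"), "user": user,
                            "ip": rec.get("ClientIPAddress"), "app": rec.get("ClientAppId"),
                            "reasons": reasons})
    return {"items_per_user": dict(items_per_user), "flagged": flagged}


if __name__ == "__main__":
    result = triage_mail_access(parse_audit_lines(SAMPLE_LOG_LINES))
    print(json.dumps(result, indent=2))
```

The baselines are the whole point: the event alone tells you a mailbox was read, and only a comparison against what normally reads it turns that into something worth escalating. That comparison is impossible for a tenant whose license tier never emitted the event in the first place, which is the complaint the posts above are making.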
“Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident – including the actor-acquired MSA signing key – have been invalidated. Azure AD keys were not impacted. The method by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.”
Susan Bradley Patch Lady/Prudent patcher
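The quoted Microsoft statement above describes a key that was meant only for consumer accounts being accepted as a signer of enterprise tokens. The following is an added illustration, not Microsoft's code and not a description of how their token service is built: a deliberately simplified, symmetric (HMAC) token model with two signing keys, each recorded with the issuer it is scoped to. The weak validator accepts any known key once the signature checks and the token merely claims the expected issuer; the hardened one also requires that the key's own scope matches the issuer the token asserts. Key IDs, secrets, issuer names and subjects are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical key table, constructed for this example. Each signing key records the
# issuer it is meant to sign for: one consumer-account key, one enterprise-directory key.
# Secrets are placeholders; real token signing keys are asymmetric.
KEYS = {
    "consumer-key-01": {"secret": b"example-consumer-secret", "issuer": "consumer.example"},
    "enterprise-key-01": {"secret": b"example-enterprise-secret", "issuer": "enterprise.example"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Produce a compact header.payload.signature token with HMAC-SHA256 under key `kid`."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _check_signature(token: str):
    """Return (claims, key_record) if the signature verifies under a known kid, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
        claims = json.loads(_unb64url(p))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        return None
    return claims, key


def verify_weak(token: str, expected_issuer: str) -> bool:
    """Weak validator: any key in the shared table is accepted once the signature checks and
    the token merely claims the expected issuer. The key's own scope is never consulted, so a
    token signed with the consumer key but claiming the enterprise issuer passes."""
    result = _check_signature(token)
    return result is not None and result[0].get("iss") == expected_issuer


def verify_scoped(token: str, expected_issuer: str) -> bool:
    """Hardened validator: the signing key must be scoped to the issuer the token asserts,
    and that issuer must be the one this service expects."""
    result = _check_signature(token)
    if result is None:
        return False
    claims, key = result
    return claims.get("iss") == expected_issuer and key["issuer"] == claims.get("iss")


def demo() -> dict:
    """Run both validators on a legitimate token, a cross-scope token and a tampered one."""
    legit = sign_token("enterprise-key-01", {"iss": "enterprise.example", "sub": "alice"})
    cross_scope = sign_token("consumer-key-01", {"iss": "enterprise.example", "sub": "alice"})
    parts = legit.split(".")
    parts[1] = _b64url(json.dumps({"iss": "enterprise.example", "sub": "mallory"}).encode())
    tampered = ".".join(parts)  # payload changed, signature left as issued
    return {
        "legit_weak": verify_weak(legit, "enterprise.example"),
        "legit_scoped": verify_scoped(legit, "enterprise.example"),
        "cross_weak": verify_weak(cross_scope, "enterprise.example"),
        "cross_scoped": verify_scoped(cross_scope, "enterprise.example"),
        "tampered_weak": verify_weak(tampered, "enterprise.example"),
        "tampered_scoped": verify_scoped(tampered, "enterprise.example"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that a valid signature only proves the token came from whoever holds that key; it says nothing about whether that key was ever authorised to speak for the issuer named in the claims. Binding each key to a scope and checking it at validation time is what keeps a single leaked key from becoming, in Senator Wyden's words further down this thread, a skeleton key across customers.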
Today we are expanding Microsoft’s cloud logging accessibility and flexibility even further. Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost.
Microsoft will begin rolling out these logging updates in September 2023 to all government and commercial customers. To access existing and new logs as they become available, visit the Microsoft Purview compliance portal and select Audit from the Solutions panel. Microsoft has historically provided security log data to customers, with options to maintain logs through Microsoft’s storage services or with other security and storage vendors, depending on preferences. Different customers have varying preferences and needs for where they save their audit logs, how they are analyzed, and how long they are retained. We know customers have multiple issues to consider, including data storage capacity and which Microsoft or third-party log management tools they want to use, and our newly expanding, flexible logging options help customers decide what is best for their requirements.
Susan Bradley Patch Lady/Prudent patcher
From July 14, 2023, Page A3: Microsoft finally ticked off the US federal government:
https://www.wsj.com/articles/china-hacking-was-undetectable-for-some-who-had-less-expensive-microsoft-services-58730629
(protected by paywall)
“Offering insecure products and then charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags” – US Senator Ron Wyden
Would Microsoft gain better optics putting all security features in the baseline O365 product?
Susan adds a non-paywall link: https://www.wsj.com/articles/china-hacking-was-undetectable-for-some-who-had-less-expensive-microsoft-services-58730629?st=b6ct5bv9ipbuoh1&reflink=desktopwebshare_permalink
Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.
Microsoft’s Role in Email Breach to Be Part of Cyber Inquiry
A US cybersecurity advisory panel will investigate malicious targeting of cloud computing environments, including Microsoft Corp.’s role in a recent breach of government officials’ email accounts by suspected Chinese hackers, the Department of Homeland Security confirmed on Friday…
Senator Ron Wyden: investigate Microsoft and hold the company “responsible for its negligent cybersecurity practices.”
“Government emails were stolen because Microsoft committed another error,”
“Microsoft should not have had a single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications.”
https://www.politico.com/news/2023/09/15/digital-tripwire-helped-state-uncover-chinese-hack-00115973
All thanks to ‘Big Yellow Taxi’: How State discovered Chinese hackers reading its emails
The State Department relied on a clever alert system to uncover and unravel an advanced Chinese spying campaign that involved breaches of officials’ emails.