Microsoft is being criticized for the way it handled a serious security incident that allowed a suspected Chinese espionage group to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. The attacks were targeted and lasted for about a month before they were first discovered.

The investigation started on Jun 16, 2023, when a customer notified Microsoft about anomalous Exchange Online data access. The investigation found that the customer's Exchange Online data was accessed using Outlook Web Access (OWA). Microsoft analysis attributed the activity to a group called Storm-0558 based on established prior tactics, techniques, and procedures (TTPs). Attribution is based on Microsoft Threat Intelligence assessment that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives.

At first Microsoft assumed that the spies were using legitimate Azure Active Directory (Azure AD) tokens stolen by malware. But further analysis showed that Storm-0558 was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key to access OWA and. This was only possible because of a validation error in Microsoft code. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems.
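The key-scope check described above, as an added example that is not Microsoft's code: a validator that treats every system's keys as candidates, beside one that only considers the keys of the system it trusts and requires the issuer claim to match. The key ids, secrets, issuer labels and function names are constructed, and HMAC-SHA256 stands in for the asymmetric signature a real token service would use.

```python
import base64, hashlib, hmac, json

# Constructed key material: one key set per issuing system (assumed names).
KEYS = {
    "consumer": {"msa-key-1": b"constructed-consumer-secret"},
    "enterprise": {"aad-key-1": b"constructed-enterprise-secret"},
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(kid, key, claims):
    """Issue header.payload.signature; HMAC-SHA256 stands in for RSA here."""
    head = _b64(json.dumps({"kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def _check(token, candidates):
    """Return the claims if a candidate key verifies the token, else None."""
    try:
        head, body, sig = token.split(".")
        kid = json.loads(_unb64(head))["kid"]
        claims = json.loads(_unb64(body))
        mac = hmac.new(candidates[kid], f"{head}.{body}".encode(), hashlib.sha256)
        return claims if hmac.compare_digest(mac.digest(), _unb64(sig)) else None
    except (ValueError, KeyError, TypeError):
        return None  # malformed token or unknown key id

def validate_merged(token):
    """Flawed: every system's keys are candidates, so key scope is ignored."""
    merged = {kid: key for keys in KEYS.values() for kid, key in keys.items()}
    return _check(token, merged)

def validate_scoped(token, system):
    """Hardened: only the trusted system's keys are candidates, and the
    issuer claim must name that same system."""
    claims = _check(token, KEYS[system])
    return claims if isinstance(claims, dict) and claims.get("iss") == system else None

# Constructed tokens: one signed by the consumer key but claiming the
# enterprise issuer, and one legitimately issued by the enterprise system.
CROSS_SIGNED = sign("msa-key-1", KEYS["consumer"]["msa-key-1"], {"iss": "enterprise", "sub": "alice"})
GENUINE = sign("aad-key-1", KEYS["enterprise"]["aad-key-1"], {"iss": "enterprise", "sub": "alice"})
```

The scoped validator rejects the cross-signed token for two independent reasons: the consumer key id is not in the enterprise key set, and a consumer-validated token may not carry an enterprise issuer.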