Microsoft has disclosed that that a cyberattack by a China-based "nation-state actor"\u00a0managed to access email hosted on Exchange Online and Outlook.com belonging to about 25 organizations, including government agencies.\n\nMitigation of the attack is complete, according to a statement from Microsoft, which blamed a threat actor tracked by the company as Storm-0558. That actor, based in China, \u201cprimarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access,\u201d according to the statement, issued Tuesday evening.\n\nThe email accounts were compromised via a Microsoft account key, which was used to forge tokens for access to Outlook Web Access and Outlook.com. A token validation issue allowed Storm-0558 to \u201cimpersonate Azure AD users\u201d in order to get access to the affected accounts, according to Microsoft. The company said that it has blocked the use of tokens created by the MSA key in question and replaced the key.\n\n\u201cAs with any observed nation-state actor activity, Microsoft has contacted all targeted or compromised organizations directly via their tenant admins and provided them with important information to help them investigate and respond,\u201d the company\u2019s statement said. \u201cIf you have not been contacted, our investigations indicate that you have not been impacted.\u201d\n\nAnother statement, issued Wednesday by the US Cybersecurity and Infrastructure Security Agency and the FBI, said that at least one US federal civilian executive branch agency was compromised in the attack. The leak, which CISA and the FBI said was limited to unclassified data, was first observed in mid-June, when the affected agency observed an unusual application ID being used to access messages in email accounts.\n\nThe government\u2019s statement said that similar attacks can be detected by enabling logging for the \u201cmail items accessed\u201d event in Microsoft 365\u2019s auditing system, and urged critical infrastructure organizations to ensure that that feature is turned on.\n\nCISA and the FBI also stated that potential targets for this type of attack should enable purview audit logging, ensure that log data can be searched by operators, and apply CISA\u2019s recommended baseline security configurations for Microsoft applications. (Full mitigation suggestions can be found here.)\n\n\u201cAlthough these mitigations will not prevent this or related activity where actors leverage compromised consumer keys, they will reduce the impact of less sophisticated malicious activity targeting cloud environments,\u201d CISA and the FBI said.