China-based hackers accessed US federal executive branch emails

Microsoft has disclosed that that a cyberattack by a China-based “nation-state actor” managed to access email hosted on Exchange Online and Outlook.com belonging to about 25 organizations, including government agencies.

Mitigation of the attack is complete, according to a statement from Microsoft, which blamed a threat actor tracked by the company as Storm-0558. That actor, based in China, "primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access," according to the statement, issued Tuesday evening.

The email accounts were compromised via a Microsoft account key, which was used to forge tokens for access to Outlook Web Access and Outlook.com. A token validation issue allowed Storm-0558 to "impersonate Azure AD users" in order to get access to the affected accounts, according to Microsoft. The company said that it has blocked the use of tokens created by the MSA key in question and replaced the key.

"As with any observed nation-state actor activity, Microsoft has contacted all targeted or compromised organizations directly via their tenant admins and provided them with important information to help them investigate and respond," the company's statement said. "If you have not been contacted, our investigations indicate that you have not been impacted."

Another statement, issued Wednesday by the US Cybersecurity and Infrastructure Security Agency and the FBI, said that at least one US federal civilian executive branch agency was compromised in the attack. The leak, which CISA and the FBI said was limited to unclassified data, was first observed in mid-June, when the affected agency observed an unusual application ID being used to access messages in email accounts.

The government's statement said that similar attacks can be detected by enabling logging for the "mail items accessed" event in Microsoft 365's auditing system, and urged critical infrastructure organizations to ensure that that feature is turned on.

CISA and the FBI also stated that potential targets for this type of attack should enable purview audit logging, ensure that log data can be searched by operators, and apply CISA's recommended baseline security configurations for Microsoft applications. (Full mitigation suggestions can be found here.)

"Although these mitigations will not prevent this or related activity where actors leverage compromised consumer keys, they will reduce the impact of less sophisticated malicious activity targeting cloud environments," CISA and the FBI said.