After receiving a report from a US federal government agency, Microsoft discovered that a Chinese espionage actor it calls Storm-0558 had gained access to Outlook Web Access in Exchange Online (OWA) and to Outlook.com, its cloud-based unclassified email services, for about a month starting on May 15, 2023, as part of a targeted campaign that affected 25 organizations. The Chinese hackers reached email data by forging authentication tokens with a Microsoft account signing key they had obtained, although it's unclear whether Microsoft itself experienced a breach. The software giant mitigated the attack for all customers without requiring any action on their part and said it added "substantial automated detections for known indicators of compromise associated with this attack to harden defenses and customer environments."

Although Microsoft did not name the reporting agency, the US State Department was the first to detect the espionage campaign. The hack's discovery in June came close to the time of Antony Blinken's travel to China; Blinken was the first US secretary of state to visit Beijing in five years.

The Chinese threat actors also breached emails at the Commerce Department, including those of Secretary Gina Raimondo. The Commerce Department has been active in limiting US exports of technology to China, given that country's extensive surveillance activities and aggressive military modernization.

While Microsoft attributes the campaign to China, the US government has refrained from doing so. "In terms of attribution, the sophistication of this attack where actors were able to access the mailbox content of victims is indicative of APT activity, but we are not prepared to discuss attribution at a more specific level," a senior FBI official told reporters.

Although government officials won't reveal which agencies or how many accounts were affected, "The number of United States organizations is in the single digits, and the number of impacted accounts for each was a small number," a senior CISA official told reporters. "This appears to have been a very targeted surgical campaign that was not seeking the breadth of access that we have seen in other campaigns such as SolarWinds."

Audit logging was crucial to the campaign's discovery

Following Microsoft's announcement of the campaign, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), Enhanced Monitoring to Detect APT Activity Targeting Outlook Online, to guide agencies and critical infrastructure organizations on enhancing monitoring in Microsoft Exchange Online environments.

In the advisory, CISA and the FBI strongly encourage critical infrastructure organizations to ensure that audit logging, which tracks software activity across organizational systems and which they credit with the attack's discovery, is enabled. "It bears noting that the affected agency was able to detect initially the suspicious activity by leveraging enhanced logging, a specific log called MailItemsAccessed as described in our joint advisory and noted that this logging event was a deviation from their normal cloud environment activity," a senior CISA official told reporters.

CISA and the FBI said in the advisory that "the MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB [Federal Civilian Executive Branch] agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment."

The agencies stressed the importance of audit logging to what government officials describe as a swift reaction to the campaign, particularly compared with past government intrusions. "Every organization is urged to review the logging guidance and hardening recommendations in our joint advisory, which are necessary for every organization using cloud business applications, whether or not they have been impacted by this specific intrusion campaign," the senior CISA official said.

Making robust audit logging free would help

One significant barrier to adopting robust audit logging is the premium price that Microsoft charges for its higher tiers of audit logging, which include MailItemsAccessed. "It is our perspective that every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box to reasonably detect malicious cyber activity. We have been working closely with Microsoft to ensure the availability of this necessary logging for all organizations, federal and non-federal, without added charge," the CISA official said.

"We appreciate Microsoft's commitment to making further progress in this area. We cannot rely upon organizations paying more for better logging. That is a recipe for inadequate visibility and adversaries having unnecessary levels of success in targeting American organizations."

Follow baseline configurations

In the meantime, the advisory strongly encourages critical infrastructure organizations to ensure audit logging is enabled. In addition, CISA and the FBI recommend that all organizations adopt the minimum viable secure configuration baselines that are part of CISA's Secure Cloud Business Applications (SCuBA) Project.

They also encourage organizations to enable premium logging, ensure logs are searchable by operators, and understand their cloud baseline. They further recommend that organizations implement the following to harden their cloud environments:

Most importantly, "Every organization identifying anomalous activity on their cloud or on-prem environments should immediately contact CISA or the FBI in the coming days," the CISA official said. "We will keep working with Microsoft and our partners to better understand the root causes of this incident and ensure execution of all necessary improvements consistent with the administration's focus on driving security by design across every product and every vendor."
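The detection the CISA official credits above, an AppId that "did not normally access mailbox items in their environment", amounts to baselining which AppIds generate MailItemsAccessed events and flagging deviations. The script below is an added example of that check and is not code from the advisory, CISA or Microsoft. It assumes audit records exported from the Microsoft 365 unified audit log as JSON Lines carrying the fields it reads (CreationTime, Operation, UserId, AppId, ClientAppId, ClientIPAddress, OperationProperties); the embedded sample is constructed, and its AppIds, users and IP addresses are placeholders rather than real indicators. It goes a step beyond the single case in the text by rating an AppId that is new to the whole tenant higher than one that is merely new to one user.

```python
"""Baseline check over MailItemsAccessed audit records: flag AppIds that have
not previously accessed a mailbox. Added example, not the advisory's code.
Assumes a JSON Lines export of unified audit log records with the fields read
below; the sample data is constructed."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export (JSON Lines). Records before 2023-05-15 form the
# baseline; the last three fall in the window being checked. Placeholders only.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2023-05-01T08:02:11","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"app-outlook-desktop","ClientAppId":"app-outlook-desktop","ClientIPAddress":"203.0.113.10","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]}
{"CreationTime":"2023-05-02T09:15:42","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"app-owa","ClientAppId":"app-owa","ClientIPAddress":"203.0.113.10","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}
{"CreationTime":"2023-05-03T10:00:00","Operation":"MailItemsAccessed","UserId":"bob@example.gov","AppId":"app-outlook-desktop","ClientAppId":"app-outlook-desktop","ClientIPAddress":"203.0.113.11","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]}
{"CreationTime":"2023-05-04T11:30:00","Operation":"Send","UserId":"bob@example.gov","AppId":"app-owa","ClientAppId":"app-owa","ClientIPAddress":"203.0.113.11"}
{"CreationTime":"2023-05-16T02:41:07","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"app-unknown-0001","ClientAppId":"app-unknown-0001","ClientIPAddress":"198.51.100.77","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}
{"CreationTime":"2023-05-16T02:43:19","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"app-unknown-0001","ClientAppId":"app-unknown-0001","ClientIPAddress":"198.51.100.77","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}
{"CreationTime":"2023-05-17T09:05:00","Operation":"MailItemsAccessed","UserId":"bob@example.gov","AppId":"app-owa","ClientAppId":"app-owa","ClientIPAddress":"203.0.113.11","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}
"""


def _parse_time(value):
    # CreationTime is UTC; tolerate an optional trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "")).replace(tzinfo=timezone.utc)


def _app_of(rec):
    # Prefer AppId, fall back to ClientAppId; a record with neither gets a sentinel.
    return rec.get("AppId") or rec.get("ClientAppId") or "<no-appid>"


def _access_type(rec):
    # MailAccessType (Bind or Sync) lives inside OperationProperties.
    for prop in rec.get("OperationProperties", []):
        if prop.get("Name") == "MailAccessType":
            return prop.get("Value")
    return "unknown"


def parse_audit_log(text):
    """Parse JSON Lines, keeping only MailItemsAccessed records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            if rec.get("Operation") == "MailItemsAccessed":
                records.append(rec)
    return records


def build_appid_baseline(records, cutoff):
    """AppIds that accessed mail before `cutoff` (ISO string), per user and tenant-wide."""
    cutoff_ts = _parse_time(cutoff)
    per_user, tenant = defaultdict(set), set()
    for rec in records:
        if _parse_time(rec["CreationTime"]) < cutoff_ts:
            app = _app_of(rec)
            per_user[rec["UserId"]].add(app)
            tenant.add(app)
    return per_user, tenant


def find_novel_appids(records, cutoff):
    """Group post-cutoff events by (user, AppId) and report pairs whose AppId never
    accessed that user's mailbox in the baseline. An AppId unseen anywhere in the
    tenant is rated high; one known from other users is medium, since a legitimate
    client may simply be new to this user."""
    per_user, tenant = build_appid_baseline(records, cutoff)
    cutoff_ts = _parse_time(cutoff)
    findings = {}
    for rec in records:
        if _parse_time(rec["CreationTime"]) < cutoff_ts:
            continue
        user, app = rec["UserId"], _app_of(rec)
        if app in per_user.get(user, set()):
            continue
        f = findings.setdefault((user, app), {
            "user_id": user, "app_id": app,
            "severity": "medium" if app in tenant else "high",
            "count": 0, "first_seen": rec["CreationTime"],
            "client_ips": set(), "access_types": set(),
        })
        f["count"] += 1
        f["first_seen"] = min(f["first_seen"], rec["CreationTime"])
        f["client_ips"].add(rec.get("ClientIPAddress", "?"))
        f["access_types"].add(_access_type(rec))
    for f in findings.values():
        f["client_ips"] = sorted(f["client_ips"])
        f["access_types"] = sorted(f["access_types"])
    return sorted(findings.values(),
                  key=lambda f: (f["severity"] != "high", f["user_id"], f["app_id"]))


def run_sample():
    """Run the check over the constructed sample with a 2023-05-15 cutoff."""
    return find_novel_appids(parse_audit_log(SAMPLE_AUDIT_LOG), "2023-05-15T00:00:00")


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(finding))
```

On the sample, the unknown AppId reading alice's mailbox from an address never seen in the baseline is reported as high, while bob's first use of the OWA AppId is only medium because other users already use it. The Send record is ignored on purpose: only mailbox reads feed the MailItemsAccessed baseline, so an AppId that has only ever sent mail still counts as novel when it starts reading items. In practice the baseline window should cover weeks of normal activity, and the cutoff is the point from which you want deviations reported.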