Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Microsoft Shares More Details About Chinese Cyberattack That Breached Exchange Email Accounts

Last week, Microsoft confirmed that Chinese hackers gained unauthorized access to email accounts of U.S. government agencies and other sensitive organizations. On Friday, the company detailed a blog post to explain the cause of the security breach that compromised Exchange Online email services.

According to Microsoft’s Threat Intelligence team, the Storm-0558 hacking group abused three vulnerabilities in Exchange Online and Azure Active Directory (Azure AD). The threat actors started exploiting zero-day flaws in the Microsoft cloud services on May 15. They gained access to email data from 25 organizations and other consumer accounts.

The researchers explained that Storm-0558 first acquired an inactive Microsoft accounts (MSA) consumer signing key. Then, the hackers managed to use it to forge email authentication tokens for Azure AD. The researchers noted that Storm-0558 used the token to access Exchange email accounts through Outlook Web Access (OWA).

“Once authenticated through a legitimate client flow leveraging the forged token, the threat actor accessed the OWA API to retrieve a token for Exchange Online from the GetAccessTokenForResource API used by OWA. The actor was able to obtain new access tokens by presenting one previously issued from this API due to a design flaw,” the Microsoft Threat Intelligence team explained.

Microsoft Shares More Details About Chinese Cyberattack That Breached Exchange Email Accounts — Python code snippet of the token refresh functionality

Microsoft revokes MSA signing keys to block Exchange email attacks

Microsoft said that it was informed about the intrusion on June 16. The company has since blocked the tokens issued with the stolen signing key to address the issue for all customers. “This flaw in the GetAccessTokenForResourceAPI has since been fixed to only accept tokens issued from Azure AD or MSA respectively. The actor used these tokens to retrieve mail messages from the OWA API,” Microsoft’s researchers added.

Microsoft has found that the Storm-0558 group has now moved to other techniques to target enterprise customers. The company plans to continue to monitor potential malicious activities and boost protections for organizations.

by Rabia Noureen
Jul 17, 2023

Rabia comes from a solid IT background and has been writing professionally about Microsoft products and other technology for four years. Rabia has also written for OnMSFT.com as well as Windows Report. She is always up to date on the latest trends in...

How to Connect to Exchange Online Using PowerShell

Jun 9, 2023
Dec 05, 2023
How to Whitelist a Domain in Office 365

Jun 5, 2023
Jul 24, 2023
Microsoft Says Chinese Hackers Compromised Exchange Email Accounts

Jul 13, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.