Threat Alert: Azure AD Token Forging Attack in Microsoft Extends Beyond Outlook

Threat Actor: Storm-0558 (Chinese nation-state actor)

Target: Microsoft’s email infrastructure

Attack Scope: Broader than initially thought

Cloud security company Wiz has discovered that the recent cyberattack against Microsoft’s email infrastructure by the Chinese nation-state actor Storm-0558 had a more extensive impact than previously known. The Azure AD Token Forging attack exploited an inactive Microsoft account (MSA) consumer signing key to forge Azure Active Directory (Azure AD) tokens and gain unauthorized access to Outlook Web Access (OWA) and Outlook.com. However, the same key could also forge access tokens for a wide range of Azure AD applications, including OneDrive, SharePoint, and Teams, among others. This poses a significant threat to users and organizations relying on Microsoft services.

Mitigation:

  • Monitor for signs of unauthorized access, especially in Azure AD-related services.
  • Review authentication practices and implement additional security measures.
  • Secure and protect identity providers’ signing keys to prevent unauthorized use.
  • Stay informed about further updates from Microsoft regarding the incident and recommended actions.
  • Enhance threat detection capabilities to identify similar attacks in the future.
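The root issue described above is that a key belonging to one issuer (the MSA consumer signing key) was accepted for tokens claiming a different issuer (an enterprise Azure AD tenant). The check below, an added example that is not Microsoft's or Wiz's code, shows the defensive binding a token validator needs: the key id (`kid`) is looked up only in the expected issuer's key set, so a token that names the enterprise issuer but is signed with a consumer key is rejected. The key sets, issuer URLs, audience and secrets are constructed for the example; real Azure AD tokens are RS256 with RSA keys from the tenant's JWKS endpoint, and HMAC-SHA256 stands in here only so it runs with the standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for two separate key sets (enterprise tenant vs. consumer).
# <tenant-id> is a placeholder, not a real tenant.
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"
CONSUMER_ISSUER = "https://login.live.com"
KEYS_BY_ISSUER = {
    ENTERPRISE_ISSUER: {"ent-key-1": b"constructed-enterprise-secret"},
    CONSUMER_ISSUER: {"msa-key-7": b"constructed-consumer-secret"},
}
EXPECTED_AUDIENCE = "api://constructed-enterprise-app"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(kid: str, secret: bytes, claims: dict) -> str:
    """Build a test token (HS256 stand-in for RS256) so the validator can be exercised."""
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate(token: str, expected_issuer: str, expected_audience: str, now: float = None) -> str:
    """Return 'ok' or the reason for rejection. Key lookup is scoped to the expected issuer."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        return "issuer mismatch"
    # Only keys published by the expected issuer are trusted. A kid that exists
    # solely in another issuer's set (e.g. a consumer signing key) is not found here.
    secret = KEYS_BY_ISSUER.get(expected_issuer, {}).get(header.get("kid"))
    if secret is None:
        return "kid not in expected issuer key set"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return "bad signature"
    if claims.get("aud") != expected_audience:
        return "audience mismatch"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return "expired"
    return "ok"
```

A validator that merges all issuers' keys into one lookup table before matching `kid` loses this binding; keep the lookup per issuer and alert on any token whose `kid` is absent from that issuer's published set.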