The company has published these details of activity by threat actor Storm-0558 which is believed to be China-based. In addition to implicating companies, the hackers are also believed to have access accounts of individuals likely associated with these organisations.
Motivated threat actors continue to focus on compromising IT systems, as the rate of global cyber attacks increase. Not only is this a threat to business, but also to political and government organisations whose data could be leaked.
Forged authentication threatens cyber operations
The investigation conducted by Microsoft has determined that Storm-0558 gained access to customer email accounts by using Outlook Web Access in Exchange Online (OWA) and Outlook.com by managing to forge authentication tokens to access user emails.
Microsoft has been working with impacted customers and notifying them prior to going public with this information. At this stage, the company has said that they hope to share details of the incident and threat actor to benefit cybersecurity within the industry.
The company has claimed that this hack was focused on gaining access to these systems for intelligence collection and apparently gain access to sensitive data.
In a recent blog post, Microsoft stated that the group that it has identified as Storm-0558 was able to remain undetected for a month after gaining access to email data from around 25 organisations in mid-May. The software company only discovered the breach following an investigation in mid-June, after being alerted by customer reports about abnormal mail activity.
Microsoft has now confirmed that the actor activities have now been blocked. It mitigated this via blocking the usage of tokens in OWA to prevent further mail activity, as well as replacing the relevant MSA key. The company states that it is working to continuously improve the security of the MSA key management systems to ensure the safety and security of consumer keys.
Microsoft and other tech leaders in the industry have called for transparency concerning cyber incidents so that cybersecurity can continue to improve. The increased sophistication and volume of cyber attacks cannot be overlooked and tech organisations are seeing a greater need to share information in order to better protect cyber systems.
The consequences of the MOVEit ransomware attack for example highlight how back door cyberattacks on critical areas of business have potential to permanently impact organisations to the point of closure.