Microsoft claims hackers have breached government emails

Microsoft releases information about hacker group Storm-0558 breaching email accounts of 25 high-profile organisations, adding to increased cyber concerns

Microsoft has released information suggesting that a group of hackers gained access to email accounts at approximately 25 organisations, including government agencies.

The company has published details of activity by threat actor Storm-0558, which is believed to be China-based. In addition to these organisations, the hackers are also believed to have accessed accounts of individuals likely associated with them.

Motivated threat actors continue to focus on compromising IT systems as the rate of global cyber attacks increases. This is a threat not only to business, but also to political and government organisations whose data could be leaked.

Forged authentication threatens cyber operations

The investigation conducted by Microsoft has determined that Storm-0558 gained access to customer email accounts through Outlook Web Access (OWA) in Exchange Online and Outlook.com by forging authentication tokens to access user email.

Microsoft worked with impacted customers and notified them before going public with this information. At this stage, the company has said that it hopes sharing details of the incident and the threat actor will benefit cybersecurity within the industry.

The company has claimed that this hack was focused on gaining access to these systems for intelligence collection and, apparently, to gain access to sensitive data.

In a recent blog post, Microsoft stated that the group that it has identified as Storm-0558 was able to remain undetected for a month after gaining access to email data from around 25 organisations in mid-May. The software company only discovered the breach following an investigation in mid-June, after being alerted by customer reports about abnormal mail activity.

Microsoft has confirmed that the actor's activities have now been blocked. It mitigated the attack by blocking the usage of tokens in OWA to prevent further mail activity, as well as replacing the relevant MSA key. The company states that it is working to continuously improve the security of the MSA key management systems to ensure the safety and security of consumer keys.

Microsoft and other tech leaders in the industry have called for transparency concerning cyber incidents so that cybersecurity can continue to improve. The increased sophistication and volume of cyber attacks cannot be overlooked, and tech organisations are seeing a greater need to share information in order to better protect cyber systems.

The consequences of the MOVEit ransomware attack, for example, highlight how back door cyberattacks on critical areas of business have the potential to permanently impact organisations to the point of closure.
