Microsoft disclosed that a threat actor used forged authentication tokens to access email accounts of government agencies and other organizations. The threat actor gained access to keys that were inadvertently left in a lower environment, allowing the actor to forge tokens and gain entry into enterprise email accounts hosted by Microsoft.
Despite Microsoft having a highly secured and isolated environment where the keys were initially located, the keys were eventually moved to a less secure, lower environment. This occurred due to a series of bugs in Microsoft’s automated flows and subsequent system check failures. The keys were never supposed to be moved to a lower environment.
Data misplaced in lower environments may have fewer controls in place, less monitoring, and more exposure. The resulting breach not only tarnished Microsoft's reputation with its customers but also drew regulatory scrutiny from the US Department of Homeland Security's Cyber Safety Review Board.
What happened?
Starting on May 15, 2023, a China-based threat actor, Storm-0558, used forged authentication tokens to access email accounts of around 25 organizations including those belonging to government agencies. Individual consumer accounts associated with those organizations were also compromised.
The starting point for the incident was in April 2021, when a crash in a consumer signing system generated a crash dump, a snapshot of the crashed process's memory. Sensitive data, including keys, is normally redacted from crash dumps. However, a race condition, a timing bug in which the system fails to perform operations in the proper sequence, allowed the key to remain in the crash dump. The crash dump was then moved from the secured production environment to a lower environment for debugging. Some time later, Storm-0558 compromised a Microsoft engineer's corporate account, which had access to the lower environment containing the crash dump.
At the time of the email account compromise, Microsoft's mail systems accepted a security token signed with a consumer key as valid for enterprise email accounts. After Storm-0558 acquired the consumer signing key, the actor used it to forge tokens, then used those tokens to access Outlook Web Access in Exchange Online (OWA) and Outlook.com accounts of government agencies and other targets.
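The validation gap described above, a token signed by one service's key being accepted by another service, is shown below in a simplified form. This is an added illustration and not Microsoft's code or token format: it uses a constructed HMAC-SHA256 header.payload.signature token, two constructed key rings (the `CONSUMER_KEYS` and `ENTERPRISE_KEYS` dictionaries with placeholder secrets), and an `aud` claim naming the intended audience. `verify_weak` accepts any known key, so a token minted with a consumer key passes for an enterprise mailbox; `verify_scoped` looks the key ID up only in the ring that issues tokens for the expected audience and checks the `aud` claim, so the same forged token is rejected.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed key rings for the illustration (placeholder secrets, not real keys).
# Consumer and enterprise signing keys are distinct; the defect being illustrated
# is a verifier that treats a consumer key as valid for enterprise mail.
CONSUMER_KEYS = {"consumer-kid-1": b"constructed-consumer-secret"}
ENTERPRISE_KEYS = {"enterprise-kid-1": b"constructed-enterprise-secret"}
KEY_RINGS = {"consumer": CONSUMER_KEYS, "enterprise": ENTERPRISE_KEYS}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(payload: dict, kid: str, key: bytes) -> str:
    """Issue a compact header.payload.signature token (HMAC-SHA256, simplified)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = (_b64(json.dumps(header, sort_keys=True).encode()) + "."
                     + _b64(json.dumps(payload, sort_keys=True).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _parse(token: str) -> Optional[Tuple[dict, dict, bytes, str]]:
    """Split and decode a token; None for anything malformed."""
    try:
        h, p, s = token.split(".")
        header, payload, sig = json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s)
    except ValueError:  # bad segment count, bad base64, bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return None
    return header, payload, sig, h + "." + p


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_weak(token: str) -> Optional[dict]:
    """Weak validator: any key from any ring is accepted as long as the MAC checks out,
    so a token minted with a consumer key passes for an enterprise mailbox."""
    parsed = _parse(token)
    if parsed is None:
        return None
    header, payload, sig, signing_input = parsed
    key = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    return payload if _signature_ok(key, signing_input, sig) else None


def verify_scoped(token: str, expected_aud: str) -> Optional[dict]:
    """Hardened validator: the kid must belong to the ring that issues tokens for
    expected_aud, and the token's own aud claim must name that audience."""
    parsed = _parse(token)
    if parsed is None:
        return None
    header, payload, sig, signing_input = parsed
    ring = KEY_RINGS.get(expected_aud)
    if ring is None or header.get("alg") != "HS256":
        return None
    key = ring.get(header.get("kid"))  # a consumer kid is simply unknown here
    if key is None or payload.get("aud") != expected_aud:
        return None
    return payload if _signature_ok(key, signing_input, sig) else None


def demo() -> Tuple[bool, bool]:
    """Returns (weak validator accepts forgery, scoped validator accepts forgery)."""
    forged = sign_token({"sub": "user@enterprise.example", "aud": "enterprise"},
                        "consumer-kid-1", CONSUMER_KEYS["consumer-kid-1"])
    return verify_weak(forged) is not None, verify_scoped(forged, "enterprise") is not None


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The design point is that a valid signature is necessary but not sufficient: the verifier must also decide, before checking the MAC, which key set is trusted for the resource being accessed, and bind the token to that audience.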
At the time of this writing, compromised organizations have been contacted by Microsoft with information on how to proceed with investigation and response.
How Cyera helps protect secrets data
The following highlights how Cyera’s AI-powered discovery, classification, and contextual enrichment would have detected this exposure and empowered the security team to prevent such an attack:
- Discover and classify secrets data including keys, tokens, and passwords across different file formats. Secrets data is commonly found in a number of data formats: pgp, pem, xls, doc, docx, and more. However, secrets data can also be captured in snapshots, just as happened in the Microsoft key breach incident.
- Scan and uncover secrets data across different environments
- Detect improper storage of secrets data in a less secure, non-production environment
- Detect access risks when secrets data becomes available in a datastore with permissive access
- Detect encryption violations, when secrets data is exposed in plaintext
- Assign a severity score to the correlated events, based on level of risk and potential extent of damages
- Generate an alert, notifying the assigned teams and triggering workflows to remediate the issue
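As an added illustration of the detection flow in the list above (scan files and binary snapshots for secrets, flag secrets stored outside production or in broadly readable stores, score severity, and raise alerts), the following is a small scanner written for this page. It is not Cyera's code and does not represent its classifiers or scoring; the regular expressions, the `BASE_SEVERITY` weights, the `broad_access` flag, and the sample artifacts (including a constructed crash-dump-like blob) are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Byte patterns so one scan runs over text files and binary artifacts such as crash dumps.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "pgp_private_key": re.compile(rb"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "bearer_token": re.compile(rb"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "password_assignment": re.compile(rb"(?i)password\s*[=:]\s*\S+"),
}
# Illustrative base weights per secret type (assumption, not a vendor scale).
BASE_SEVERITY = {"pem_private_key": 7, "pgp_private_key": 7,
                 "bearer_token": 5, "password_assignment": 5}


@dataclass
class Finding:
    path: str
    environment: str
    secret_type: str
    offset: int
    severity: int


def score(environment: str, broad_access: bool, secret_type: str) -> int:
    """Severity 1-10: base by secret type, escalated when the secret sits outside
    production (fewer controls, less monitoring) or in a broadly readable store."""
    sev = BASE_SEVERITY[secret_type]
    if environment != "production":
        sev += 2
    if broad_access:
        sev += 1
    return min(sev, 10)


def scan_bytes(path: str, environment: str, broad_access: bool, data: bytes) -> List[Finding]:
    """Run every signature over one artifact and record each hit with its offset."""
    findings = []
    for secret_type, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(data):
            findings.append(Finding(path, environment, secret_type, match.start(),
                                    score(environment, broad_access, secret_type)))
    return findings


def scan_all(files: List[Tuple[str, str, bool, bytes]]) -> List[Finding]:
    """Scan a set of (path, environment, broad_access, content) tuples, highest severity first."""
    findings = []
    for path, environment, broad_access, data in files:
        findings.extend(scan_bytes(path, environment, broad_access, data))
    return sorted(findings, key=lambda f: f.severity, reverse=True)


def alert_lines(findings: List[Finding], threshold: int = 8) -> List[str]:
    """Render findings at or above the threshold as alert lines for a notification workflow."""
    return [f"ALERT sev={f.severity} {f.secret_type} in {f.path} "
            f"({f.environment}, offset {f.offset})"
            for f in findings if f.severity >= threshold]


# Constructed sample artifacts (no real secrets): a dev config, a production key file,
# a debug-environment crash dump whose heap carries a key and a token, and a clean file.
SAMPLE_FILES = [
    ("config.yaml", "dev", False, b"db:\n  host: db.internal\n  password: hunter2\n"),
    ("signing.pem", "production", False,
     b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"),
    ("signing-svc.dmp", "debug", True,
     b"\x00\x00MDMP\x00\x00heap\x00"
     b"-----BEGIN EC PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END EC PRIVATE KEY-----\n"
     b"\x00\x00eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abcdefghijklmnopqrstuvwxyz\x00"),
    ("notes.txt", "dev", False, b"nothing sensitive here\n"),
]


if __name__ == "__main__":
    for line in alert_lines(scan_all(SAMPLE_FILES)):
        print(line)
```

Running it ranks the private key inside the debug-environment dump at the top, ahead of the same kind of key in the production key file, because the scoring treats location and reachability as part of the risk rather than only the secret type.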
Cyera’s data security platform provides deep context on your data, applying correct, continuous controls to assure cyber-resilience and compliance.
Cyera takes a data-centric approach to security, assessing the exposure to your data at rest and in use and applying multiple layers of defense. Because Cyera applies deep data context holistically across your data landscape, we are the only solution that can empower security teams to know where their data is, what exposes it to risk, and take immediate action to remediate exposures and assure compliance without disrupting the business.
To learn more about how you can secure secrets data, schedule a demo today.