Incident Details
In July 2023, Microsoft revealed a breach that affected 25 organizations, including government agencies and individuals associated with them. Attackers obtained sensitive data by exploiting validation flaws in Exchange Online and Azure AD services.
How Did the Breach Happen?
The threat actor obtained a Microsoft Account (MSA) consumer signing key through methods that were not disclosed at the time, and used it to access enterprise Exchange environments because of a validation error on Microsoft's part.
What Data has been Compromised?
Unclassified Exchange Online Outlook data, including emails from the US Department of State, the Commerce Secretary's email account, email accounts at the House of Representatives, and the account of the US Ambassador to China, Nicholas Burns.
Why Did the Company's Security Measures Fail?
The security measures failed because of a validation error on Microsoft's part, which allowed the threat actor to leverage a sensitive signing key and pivot into enterprise Exchange environments.
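To make the class of error concrete, the following example (written for this page; it is not Microsoft's code and does not reproduce the actual flaw's details) contrasts a token verifier that looks up signing keys from a single merged pool against one that only accepts keys owned by the issuer it expects. The issuer URLs, audience, key identifiers, HMAC secrets and claims are constructed for the demonstration; HMAC-SHA256 stands in for the asymmetric signatures real identity providers use so the block runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data: two distinct issuers, each owning its own signing keys.
# Nothing here is real Microsoft key material or the actual 2023 configuration.
CONSUMER_ISSUER = "https://consumer.example/"
ENTERPRISE_ISSUER = "https://enterprise.example/"
ENTERPRISE_AUDIENCE = "https://mail.example/"

KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: {"consumer-key-1": b"consumer-secret-constructed"},
    ENTERPRISE_ISSUER: {"enterprise-key-1": b"enterprise-secret-constructed"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_with(key_issuer: str, kid: str, claims: dict) -> str:
    """Sign `claims` with the key `kid` owned by `key_issuer`.
    The caller supplies `iss` in the claims, so a key owner and the claimed
    issuer can differ; that mismatch is exactly what a verifier must catch."""
    key = KEYS_BY_ISSUER[key_issuer][kid]
    header = {"alg": "HS256", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    """Return (header, payload, signing_input, signature) or raise ValueError."""
    head, body, sig = token.split(".")
    return (json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body)),
            head + "." + body, _b64url_decode(sig))


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_weak(token: str, expected_audience: str):
    """Flawed verifier: every trusted key, from any issuer, lives in one pool,
    so a consumer-owned key can validate a token claiming the enterprise issuer."""
    try:
        header, payload, signing_input, sig = _split(token)
    except (ValueError, json.JSONDecodeError):
        return None
    merged = {kid: k for keys in KEYS_BY_ISSUER.values() for kid, k in keys.items()}
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if payload.get("aud") != expected_audience:
        return None
    return payload


def verify_hardened(token: str, expected_issuer: str, expected_audience: str, now=None):
    """Hardened verifier: keys are scoped to the issuer the relying party expects,
    and alg, iss, aud and exp are all checked before the token is trusted."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, signing_input, sig = _split(token)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256" or payload.get("iss") != expected_issuer:
        return None
    key = KEYS_BY_ISSUER.get(expected_issuer, {}).get(header.get("kid"))  # scoped lookup
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if payload.get("aud") != expected_audience or payload.get("exp", 0) <= now:
        return None
    return payload


def demo() -> dict:
    """Compare both verifiers on a legitimate token and on one signed with a
    key from the wrong issuer. Returns booleans keyed by scenario."""
    now = 1_700_000_000  # fixed constructed timestamp so results are deterministic
    claims = {"iss": ENTERPRISE_ISSUER, "aud": ENTERPRISE_AUDIENCE,
              "sub": "mailbox-user", "exp": now + 600}
    legit = sign_with(ENTERPRISE_ISSUER, "enterprise-key-1", claims)
    cross_issuer = sign_with(CONSUMER_ISSUER, "consumer-key-1", claims)
    return {
        "weak_accepts_legit": verify_weak(legit, ENTERPRISE_AUDIENCE) is not None,
        "weak_accepts_cross": verify_weak(cross_issuer, ENTERPRISE_AUDIENCE) is not None,
        "hard_accepts_legit": verify_hardened(legit, ENTERPRISE_ISSUER, ENTERPRISE_AUDIENCE, now) is not None,
        "hard_accepts_cross": verify_hardened(cross_issuer, ENTERPRISE_ISSUER, ENTERPRISE_AUDIENCE, now) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that a valid signature is not enough: the verifier has to confirm that the key that produced it is one the expected issuer is entitled to use, and that the token's audience and lifetime match the service being accessed. The weak verifier accepts the cross-issuer token; the hardened one rejects it.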
What Immediate Impact Did the Breach Have on the Company?
There were calls for Microsoft to change its licensing model to provide comprehensive audit logging to all customers, not just those subscribed to their highest tier. Microsoft conceded, announcing that such logs would be free starting September 2023.
How could this have been prevented?
The breach could have been prevented by more robust validation of signing keys and tokens and by faster detection capabilities, together with making critical security features such as audit logging available to all customers regardless of subscription level.
What have we learned from this data breach?
It is crucial to provide adequate logging and detection capabilities for all users, to fix validation flaws promptly, and to understand the value of security over revenue streams.
Summary of Coverage
The 2023 breach of Microsoft Exchange Online by Storm-0558 exposed sensitive unclassified data because of validation flaws and a compromised Microsoft Account signing key. It led Microsoft to change its approach to providing logging capabilities, and it highlighted the importance of putting security above profit, the need for transparency, and the necessity for organizations to invest adequately in security measures.