Wiz: Microsoft Cyberattack Posed Greater Risk to More Users

A recent Microsoft cyberattack that gave nation-state actors access to email accounts of high-ranking officials could be bigger and more dangerous than anticipated.

That’s according to researchers at Wiz, a cloud security provider.

Earlier this month, Microsoft reported a threat actor attributed to China, Storm-0558, gained access to email accounts in approximately 25 organizations. The affected organizations were primarily government agencies, but also included individuals who were likely consumers associated with those agencies. The perpetrators gained access to Outlook Web Access in Exchange Online (OWA) and Outlook.com.

The threat actor acquired a private encryption key and used it to forge access tokens for OWA and Outlook.com. Additionally, the threat actor reportedly exploited two security issues in Microsoft’s token verification process.

Microsoft Cyberattack ‘More Powerful’ than It Seemed

Microsoft said Outlook.com and Exchange Online were the only applications known to have been affected via the token forging technique. However, Wiz research has found that the compromised signing key was more powerful than it may have seemed, and was not limited to just those two services. It highlighted the increased risk in a blog.

Wiz researchers found the compromised key in the Microsoft cyberattack could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications. That includes every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the “login with Microsoft” functionality, and multi-tenant applications in certain conditions.

In addition, while Microsoft mitigated this risk by revoking the impacted key and publishing attacker indicators of compromise (IoC), Wiz discovered that it may be difficult for customers to detect the use of forged tokens against their applications. That’s due to a lack of logs on crucial fields related to the token verification process.

Millions of Applications Were Potentially Vulnerable

Wiz’s Shir Tamari

“At this stage, it is hard to determine the full extent of the incident as there were millions of applications that were potentially vulnerable, both Microsoft apps and customer apps, and the majority of them lack the sufficient logs to determine if they were compromised or not,” said Shir Tamari, Wiz’s head of research. “However, there are some critical actions items that application owners should perform. The first and foremost is to update their Azure SDK to the latest version and ensure their application cache is updated; otherwise, their apps may still be vulnerable to a threat actor using the compromised key.”

Microsoft sent us the following statement:

“This blog highlights some hypothetical attack scenarios, but we’ve not observed those outcomes in the wild. We recommend that customers review our blogs, specifically our Microsoft Threat Intelligence blog, to learn more about this incident and investigate their own environments using the IOCs that we’ve made public. We’ve also recently expanded security logging availability, making it free for more customers by default, to help enterprises manage an increasingly complex threat landscape.”