A Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in its Microsoft 365 (M365) cloud environment. Microsoft's investigation determined that advanced persistent threat (APT) actors had accessed and exfiltrated unclassified Exchange Online Outlook data.
“APT actors used a Microsoft account to forge tokens to impersonate consumer and enterprise users,” Microsoft confirmed after investigating the suspicious activity identified in June 2023. The company remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.
In response, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint Cybersecurity Advisory. Both agencies urged critical infrastructure organizations to enhance monitoring of their Microsoft Exchange Online environments following this attack.
“In addition to enabling audit logging, organizations should ensure logs are searchable by operators and enable Microsoft 365 Unified Audit Logging (UAL),” the advisory states. By establishing a baseline of normal activity in their cloud environment, organizations can more readily detect adversarial activity that otherwise may be difficult to identify.
“CISA and FBI are not aware of other audit logs or events that would have detected this activity,” emphasized the federal agencies.
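As an added example (not code from the advisory, from Microsoft, or from the affected agency), here is the baseline-and-deviation check described above, run in Python over constructed UAL records. The rows mimic the shape that Search-UnifiedAuditLog exports (the AuditData column is a JSON string), and the event type is MailItemsAccessed, the Exchange mailbox-access record that the full CISA advisory identifies as the one the agency used to spot this activity. Every user, GUID and IP address is made up for the example; the field names AppId, ClientAppId, ClientIPAddress and OperationCount are from the MailItemsAccessed schema, while the severity split and the helper names are this example's own choices.

```python
"""Baseline-and-deviation sweep over Microsoft 365 Unified Audit Log records.

Rows are shaped like the output of Search-UnifiedAuditLog (the AuditData
column is a JSON string). Every user, GUID and IP address below is constructed
for this example; none is a real tenant value or an indicator from the advisory.
"""
import json

# Constructed identifiers standing in for the mail clients a tenant normally
# sees (hypothetical GUIDs, not Microsoft's real application IDs).
APP_DESKTOP, CLIENT_DESKTOP = ("11111111-1111-4111-8111-111111111111",
                               "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa")
APP_WEB, CLIENT_WEB = ("22222222-2222-4222-8222-222222222222",
                       "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb")
APP_UNKNOWN, CLIENT_UNKNOWN = ("99999999-9999-4999-8999-999999999999",
                               "ffffffff-ffff-4fff-8fff-ffffffffffff")


def ual_row(user, app_id, client_app_id, ip, count, when):
    """Build one UAL row in Search-UnifiedAuditLog export shape (constructed)."""
    audit = {
        "Operation": "MailItemsAccessed",
        "UserId": user,
        "AppId": app_id,
        "ClientAppId": client_app_id,
        "ClientIPAddress": ip,
        "MailAccessType": "Bind",
        "OperationCount": count,
    }
    return {"CreationDate": when, "Operations": "MailItemsAccessed",
            "UserIds": user, "AuditData": json.dumps(audit)}


# Constructed baseline window: what normal mailbox access looks like in this tenant.
BASELINE_ROWS = [
    ual_row("alice@example.gov", APP_DESKTOP, CLIENT_DESKTOP, "198.51.100.10", 40, "2023-06-01T08:00:00"),
    ual_row("alice@example.gov", APP_WEB, CLIENT_WEB, "198.51.100.10", 12, "2023-06-02T09:15:00"),
    ual_row("bob@example.gov", APP_DESKTOP, CLIENT_DESKTOP, "198.51.100.11", 55, "2023-06-02T10:30:00"),
]

# Constructed detection window. It includes one non-mail event and one
# malformed export row; the sweep must skip both rather than abort.
DETECTION_ROWS = [
    ual_row("alice@example.gov", APP_DESKTOP, CLIENT_DESKTOP, "198.51.100.10", 38, "2023-06-15T08:05:00"),
    {"CreationDate": "2023-06-15T08:06:00", "Operations": "UserLoggedIn",
     "UserIds": "alice@example.gov", "AuditData": json.dumps({"Operation": "UserLoggedIn"})},
    {"CreationDate": "2023-06-15T08:07:00", "Operations": "MailItemsAccessed",
     "UserIds": "carol@example.gov", "AuditData": "<truncated export line>"},
    ual_row("bob@example.gov", APP_WEB, CLIENT_WEB, "198.51.100.11", 9, "2023-06-15T11:00:00"),
    ual_row("alice@example.gov", APP_UNKNOWN, CLIENT_UNKNOWN, "203.0.113.77", 312, "2023-06-15T23:41:00"),
]


def mail_access_events(rows):
    """Parse AuditData and keep only MailItemsAccessed events."""
    events = []
    for row in rows:
        try:
            data = json.loads(row["AuditData"])
        except (KeyError, TypeError, ValueError):
            continue  # missing or malformed AuditData: skip it, do not abort the sweep
        if isinstance(data, dict) and data.get("Operation") == "MailItemsAccessed":
            events.append(data)
    return events


def build_baseline(rows):
    """Map each mailbox to the set of (AppId, ClientAppId) pairs seen in the window."""
    baseline = {}
    for ev in mail_access_events(rows):
        baseline.setdefault(ev["UserId"], set()).add((ev.get("AppId"), ev.get("ClientAppId")))
    return baseline


def find_unexpected_access(rows, baseline):
    """Return MailItemsAccessed events whose app pair is not in that mailbox's baseline.

    A pair another mailbox in the tenant already uses is reported as medium
    severity; a pair never seen anywhere in the tenant is high severity.
    """
    tenant_known = set().union(*baseline.values())
    alerts = []
    for ev in mail_access_events(rows):
        pair = (ev.get("AppId"), ev.get("ClientAppId"))
        user = ev["UserId"]
        if pair in baseline.get(user, set()):
            continue
        alerts.append({
            "user": user,
            "app_id": pair[0],
            "client_app_id": pair[1],
            "ip": ev.get("ClientIPAddress"),
            "items": ev.get("OperationCount", 0),
            "severity": "medium" if pair in tenant_known else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_access(DETECTION_ROWS, build_baseline(BASELINE_ROWS)):
        print(f"[{alert['severity']}] {alert['user']}: {alert['items']} items via "
              f"AppId={alert['app_id']} ClientAppId={alert['client_app_id']} from {alert['ip']}")
```

On the constructed data the sweep stays silent for Alice's usual desktop client, flags Bob's first use of the web client at medium severity (the pair is already normal elsewhere in the tenant), and raises the high-severity alert for the never-seen application pulling 312 items from Alice's mailbox at night. The check only works if the MailItemsAccessed event is being recorded at all, which is exactly why the advisory leads with enabling audit logging and UAL before anything else.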
Because the affected infrastructure is Microsoft's own cloud, Microsoft has taken responsibility for all mitigation actions. Nonetheless, to harden their cloud environments, CISA and the FBI recommend that organizations separate administrator accounts from user accounts and apply recommended baseline security configurations.
Organizations are also advised to use a telemetry hosting solution, review the contractual services their Cloud Service Providers deliver, and collect and store access and security logs. These steps will help organizations respond to threat actors targeting cloud-based services.
The advisory cautions: “Although these mitigations will not prevent this or related activity where actors leverage compromised consumer keys, they will reduce the impact of less sophisticated malicious activity targeting cloud environments.”
“Organizations are encouraged to report suspicious activity to CISA via CISA’s 24/7 Operations Center,” the advisory urges.
Information concerning suspicious or criminal activity should also be reported to local FBI field offices.