Microsoft Breach by Chinese State-Sponsored Threat Group Storm-0558
Unauthorized email access and compromised Microsoft signing key.
What is the attack?
Storm-0558, a China-based state-sponsored actor, acquired a Microsoft account (MSA) consumer signing key and used it to forge authentication tokens. With those forged tokens the group accessed sensitive US government email accounts across multiple tenants. The exposure extended beyond email: because the key was trusted by more than the mail service, multiple types of Azure Active Directory applications were potentially affected.
Why did it get through?
Email accounts for several US government agencies and key officials were accessed over an extended period, possibly several months. Access to these agencies' M365 tenants was not monitored for this kind of suspicious, high-risk access, so the forged-token activity blended in with legitimate mailbox use. Because the stolen signing key was trusted beyond email, the same key potentially opened access to Azure AD applications as well.
What is required to solve for this attack?
Continuous behavioral analysis across cloud and SaaS ecosystems to detect anomalies in how users and applications access data. AI-driven behavioral detection should flag anomalies, especially OAuth application changes and unusual token use (for example, a token signed with a key or issued by an issuer the tenant does not expect, or a new application identity reading many mailboxes). Suspicious events should be correlated across cloud and SaaS so that a single source touching many mailboxes or tenants surfaces as one campaign rather than a set of isolated per-user alerts.
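As an added illustration of the two detection ideas above (token-key and issuer checks, plus behavioral baselining with cross-mailbox correlation), here is a small Python sketch. It is not code from the original page or from any vendor or Microsoft product; the issuer URL, key IDs, application IDs, IP addresses and audit events are all constructed for the example, and the audit record fields are a simplification of what a mailbox-access event contains. Signature verification is assumed to happen elsewhere and is deliberately not shown; the point is that a token whose `kid` falls outside the enterprise key set must be rejected even when its signature would verify against some other trusted key.

```python
import base64
import json
from collections import defaultdict

# Hypothetical enterprise tenant trust anchors (constructed, not real Microsoft values).
ENTERPRISE_ISSUER = "https://login.example-tenant.test/v2.0"
ENTERPRISE_KIDS = {"ent-2023-06", "ent-2023-07"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(kid: str, iss: str, sub: str) -> str:
    """Constructed, unsigned JWT-shaped string used only to drive the checks below.
    A real token carries an RS256 signature; verifying it is assumed to happen
    elsewhere and is not part of this example."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    payload = {"iss": iss, "sub": sub, "aud": "mail-service"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     _b64url(b"placeholder-signature")])


def token_key_findings(token: str) -> list[str]:
    """Check a token's 'kid' and 'iss' against the enterprise trust anchors.
    A key outside the enterprise set (e.g. a consumer key) is a finding even if
    the signature itself is valid for that key."""
    header_seg, payload_seg, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_seg))
    payload = json.loads(_b64url_decode(payload_seg))
    findings = []
    if header.get("kid") not in ENTERPRISE_KIDS:
        findings.append(f"kid {header.get('kid')!r} not in enterprise signing-key set")
    if payload.get("iss") != ENTERPRISE_ISSUER:
        findings.append(f"issuer {payload.get('iss')!r} is not the enterprise issuer")
    return findings


# Constructed mailbox-access audit events (hypothetical users, app IDs, IPs, key IDs).
# Days 1-2 are normal use; on days 3-4 one new app id from one address reads three
# mailboxes using tokens signed with a key outside the enterprise set.
EVENTS = [
    {"user": "alice", "app_id": "outlook-web", "ip": "203.0.113.10", "kid": "ent-2023-07", "day": 1},
    {"user": "alice", "app_id": "outlook-web", "ip": "203.0.113.10", "kid": "ent-2023-07", "day": 2},
    {"user": "bob",   "app_id": "outlook-web", "ip": "203.0.113.11", "kid": "ent-2023-07", "day": 1},
    {"user": "bob",   "app_id": "outlook-web", "ip": "203.0.113.11", "kid": "ent-2023-07", "day": 2},
    {"user": "carol", "app_id": "outlook-web", "ip": "203.0.113.12", "kid": "ent-2023-07", "day": 1},
    {"user": "alice", "app_id": "app-9f1c", "ip": "198.51.100.7", "kid": "consumer-key-A", "day": 3},
    {"user": "bob",   "app_id": "app-9f1c", "ip": "198.51.100.7", "kid": "consumer-key-A", "day": 3},
    {"user": "carol", "app_id": "app-9f1c", "ip": "198.51.100.7", "kid": "consumer-key-A", "day": 4},
]


def build_baseline(events, baseline_days: int):
    """Per-user set of (app_id, ip) pairs observed during the baseline window."""
    seen = defaultdict(set)
    for e in events:
        if e["day"] <= baseline_days:
            seen[e["user"]].add((e["app_id"], e["ip"]))
    return seen


def flag_anomalies(events, baseline_days: int = 2):
    """Return post-baseline events that deviate from the user's baseline or that
    were authorized with a token signed by a non-enterprise key, with reasons."""
    baseline = build_baseline(events, baseline_days)
    flagged = []
    for e in events:
        if e["day"] <= baseline_days:
            continue
        reasons = []
        if (e["app_id"], e["ip"]) not in baseline[e["user"]]:
            reasons.append("new app/ip pair for user")
        if e["kid"] not in ENTERPRISE_KIDS:
            reasons.append("token signed with non-enterprise key")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


def correlate(flagged):
    """Group flagged events by (app_id, ip). One source reading several mailboxes
    is a campaign indicator rather than a per-user oddity."""
    groups = defaultdict(set)
    for e in flagged:
        groups[(e["app_id"], e["ip"])].add(e["user"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    print(token_key_findings(make_token("consumer-key-A", "https://login.consumer.test/", "alice")))
    for hit in flag_anomalies(EVENTS):
        print(hit)
    print(correlate(flag_anomalies(EVENTS)))
```

The baseline window here is a fixed number of days and the baseline is a plain set of (app, IP) pairs; a production detector would use a rolling window and a scored model, but the two signals it needs are the ones shown: a token trust-anchor mismatch, and a single application identity spreading across mailboxes it never touched before.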