Microsoft Storm Breach by Chinese State-Sponsored Threat Group
Unauthorized email access and compromised Microsoft signing key.
What is the attack?
- Storm-0558 compromised Microsoft's systems and accessed sensitive US government email accounts across multiple tenants.
- The breach expanded beyond email and potentially affected multiple types of Azure Active Directory applications.
- The threat actors acquired a signing key, enabling them to forge access authentication tokens.
Why did it get through?
- Email accounts of several US government agencies and key officials were accessed over an extended period, possibly several months.
- Access to these agencies' M365 tenants was not monitored for this kind of suspicious, high-risk access.
- The compromised key enabled access to Azure as well.
What is required to defend against this attack?
- Continuous behavioral analysis across cloud and SaaS ecosystems to detect anomalies in user and application access and behavior.
- AI-driven behavioral detection to flag anomalies, especially in OAuth application changes or token use.
- Correlate suspicious events across Cloud + SaaS ecosystems.
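As an added example that is not part of the original brief: a toy detector that checks each token-use event's signing key ID against the key set its tenant expects, then correlates any unexpected key across tenants. Tenant names, key IDs, app IDs and the event fields are constructed placeholders, not values from the incident.

```python
from collections import defaultdict

# Assumed: per-tenant allowlist of signing key IDs the identity provider publishes
# (constructed placeholder values).
KNOWN_SIGNING_KIDS = {
    "tenant-a": {"kid-2023-05"},
    "tenant-b": {"kid-2023-05"},
}

# Constructed token-use events as a log pipeline might normalise them.
SAMPLE_EVENTS = [
    {"tenant": "tenant-a", "user": "alice@a.example", "app_id": "app-mail", "kid": "kid-2023-05"},
    {"tenant": "tenant-a", "user": "bob@a.example",   "app_id": "app-mail", "kid": "kid-legacy"},
    {"tenant": "tenant-b", "user": "carol@b.example", "app_id": "app-mail", "kid": "kid-legacy"},
    {"tenant": "tenant-b", "user": "dave@b.example",  "app_id": "app-mail", "kid": "kid-2023-05"},
]


def unexpected_key_events(events, known_kids):
    """Return events whose token was signed by a key the tenant does not expect.

    A tenant with no allowlist entry is treated as expecting nothing, so every
    token for it is flagged rather than silently accepted.
    """
    return [e for e in events if e["kid"] not in known_kids.get(e["tenant"], set())]


def correlate_across_tenants(flagged):
    """Group flagged events by signing key and keep keys seen in more than one tenant.

    One unexpected key appearing across several tenants is the cross-tenant
    pattern the brief says went unmonitored, and it is worth escalating.
    """
    tenants_by_kid = defaultdict(set)
    for e in flagged:
        tenants_by_kid[e["kid"]].add(e["tenant"])
    return {kid: sorted(t) for kid, t in tenants_by_kid.items() if len(t) > 1}


def run_detection(events=SAMPLE_EVENTS, known_kids=KNOWN_SIGNING_KIDS):
    """Run both checks and return the flagged events plus cross-tenant correlations."""
    flagged = unexpected_key_events(events, known_kids)
    return {"flagged": flagged, "cross_tenant": correlate_across_tenants(flagged)}


if __name__ == "__main__":
    result = run_detection()
    for e in result["flagged"]:
        print(f"unexpected kid {e['kid']} for {e['user']} in {e['tenant']}")
    for kid, tenants in result["cross_tenant"].items():
        print(f"kid {kid} used across tenants: {', '.join(tenants)}")
```

The allowlist would be fed from the provider's published key metadata in practice; the point is that key-ID checks and cross-tenant correlation are cheap to run over existing sign-in telemetry.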