Microsoft's storm-proof defense wins

Emre Çitak
Jul 13, 2023
Updated • Jul 13, 2023
Microsoft
|
2

Microsoft has successfully countered a cyber-attack conducted by Storm-0558, a threat actor believed to be linked to China.

This attack specifically targeted customer emails, putting user accounts and sensitive information at risk.

However, through its relentless efforts and robust security measures, Microsoft has managed to neutralize the threat, ensuring the safety of its users and preventing unauthorized access to their email accounts.

Microsoft Storm-0558
Microsoft recently announced that it successfully mitigated a cyber-attack conducted by Storm-0558 - Image: Microsoft

Who is Storm-0558?

Storm-0558 is a notorious threat actor that primarily focuses on government agencies located in Western Europe. These malicious individuals engage in cyber activities such as cyber espionage, data theft, and credential access attacks.

The attack was brought to Microsoft's attention on June 16, 2023, when a customer reported suspicious activity. Following a thorough investigation, it was revealed that Storm-0558 had gained unauthorized access to email accounts associated with approximately 25 organizations.

These organizations included government agencies and individual consumer accounts associated with these entities.

Microsoft Storm-0558
Storm-0558 engages in various cyber activities, including cyberespionage, data theft, and credential access attacks

Microsoft's ongoing battle with Storm-0558

Microsoft has been engaged in an ongoing battle with Storm-0558, constantly working to counter their cyber attacks and protect its users' data. When Storm-0558 initiated the attack on May 15, 2023, they employed a technique involving forged authentication tokens.

By utilizing a Microsoft account (MSA) consumer signing key they had obtained, Storm-0558 was able to forge these tokens, bypassing security measures and gaining access to Outlook Web Access in Exchange Online (OWA) and Outlook.com. This enabled them to compromise a significant number of email accounts, potentially compromising sensitive information.

Microsoft Storm-0558
Microsoft's telemetry systems detected Storm-0558's activities and effectively blocked their access to customer email accounts

However, Microsoft's robust security systems detected Storm-0558's activities and promptly blocked their access to customer email accounts. Through advanced telemetry and security measures, Microsoft successfully prevented Storm-0558 from further exploiting the forged authentication tokens.

In a recent statement, Microsoft assured its users that no further action was required from their end.

Need to stay vigilant

Microsoft has taken a proactive approach to support the affected organizations. They have directly contacted the targeted entities, providing them with important information to aid in their investigation and response efforts.

This demonstrates Microsoft's dedication to assisting its customers and ensuring their continued security in the face of cyber threats.

You may check Microsoft's detailed investigation process via the link here.

Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Anonymous said on July 14, 2023 at 7:14 am
    Reply

    yes, and Santa Claus is real.

  2. Anonymous said on July 13, 2023 at 3:09 pm
    Reply

    Thats not completly true.
    The Attack was only identified by an advanced logging of the MailItemsAccessed event by a Federal Civilian Executive Branch (FCEB) agency. And they reported this to Microsoft.

    Microsoft didn’t realized the attack.

    https://www.cisa.gov/sites/default/files/2023-07/aa23-193a_joint_csa_enhanced_monitoring_to_detect_apt_activity_targeting_outlook_online.pdf

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.