Cyber Security News & Articles

Microsoft Key Used for Unauthorised Email Access

The threat actor tracked by Microsoft as Storm-0558 has used an acquired Microsoft account (MSA) consumer signing key to forge authentication tokens and gain access to email in Exchange Online through Outlook Web Access (OWA) and on Outlook.com. The group is assessed to be based in China and has a history of targeting Western European and U.S.-based companies and government agencies for espionage, data theft and credential access. In a Threat Intelligence blog post, Microsoft confirm that in previous campaigns Storm-0558 has targeted “diplomatic, economic, and legislative governing bodies”, as well as “media companies, think tanks, and telecommunications equipment and service providers”. The current token-forging campaign has focused on government agencies and the consumer accounts of individuals associated with them, with approximately 25 organisations confirmed as victims.

The attack was first detected by a customer in June 2023, who notified Microsoft of unexpected data access on their Exchange Online accounts. Researchers concluded that the activity had begun in May and, by matching known tactics, techniques and procedures (TTPs), attributed it to Storm-0558. As with previously observed Storm-0558 operations, the objective was access to the email accounts of employees at the target organisations, for mail reading and data exfiltration. At first it was assumed that the threat actor was using malware to steal valid Azure Active Directory (Azure AD) tokens that had been correctly issued to users. This turned out not to be the case: the threat actor was instead exploiting a token validation flaw that allowed forged Exchange Online authentication artefacts to be accepted without any legitimately issued Azure AD token.

Microsoft uses signed authentication tokens to establish a user's identity when they access their mailbox. A token is signed with a private key held by the identity provider that issued it, and the service receiving the token verifies the signature against that provider's published public key. Consumer accounts receive tokens signed with Microsoft account (MSA) consumer signing keys, and Azure AD accounts receive tokens signed with Azure AD enterprise signing keys. Because the two sets of keys belong to separate identity systems and are managed separately, a token signed with a key from one system should never validate for the other. The attackers exploited a now-patched validation error that caused tokens signed with an MSA consumer key, intended for consumer accounts only, to be accepted as valid for Azure AD enterprise accounts.

The threat actors obtained an inactive MSA signing key and used it to forge authentication tokens whose signatures checked out when presented to OWA and Outlook.com. Once a forged token had been accepted by OWA, the threat actor could call the OWA GetAccessTokenForResource API to obtain an access token for Exchange Online. A design flaw in this API allowed the attackers to keep obtaining fresh access tokens by presenting one it had previously issued, rather than a token from Azure AD or MSA, so access could be renewed continually. Using these tokens, Storm-0558 retrieved mail messages through the OWA API, giving them both read and data exfiltration capabilities. Only one MSA key is believed to have been used in these attacks, to create multiple forged tokens; how the threat actors acquired that key in the first place is still unknown.
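The key-scoping flaw described in the two paragraphs above, reduced to a runnable illustration. This is an added example and not Microsoft's code: two hypothetical issuers (an enterprise tenant and a consumer identity service, with made-up URLs, key IDs and secrets) each publish their own key set, and a mail API validates the tokens it receives. HMAC-SHA256 stands in for the RSA signatures Azure AD actually uses so that the example needs only the Python standard library; the validation logic is the point. `verify_vulnerable` looks a token's `kid` up in the union of every known key set, so a token signed with the consumer key but claiming the enterprise issuer is accepted. `verify_hardened` lets the `iss` claim select the key set first, so the same forged token is rejected while genuine consumer and enterprise tokens still pass.

```python
"""Why a consumer signing key must never validate an enterprise token.

Added illustration, not Microsoft's code. Issuer URLs, key IDs and secrets
are constructed; HMAC-SHA256 replaces the RSA signatures Azure AD really
uses so that this runs on the standard library alone.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed key sets: each identity system publishes its own keys.
AAD_ISS = "https://login.enterprise.example/contoso-tenant"  # hypothetical
MSA_ISS = "https://login.consumer.example"                    # hypothetical
KEYS = {
    AAD_ISS: {"aad-key-1": b"enterprise-signing-secret-0001"},
    MSA_ISS: {"msa-key-1": b"consumer-signing-secret-0001"},
}
MAIL_AUD = "mail-api"  # the relying party that consumes the token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, secret: bytes, claims: dict, ttl_seconds: int = 3600) -> str:
    """Sign a JWT (HS256). Anyone holding `secret` can mint a token carrying any
    claims, so it is the verifier that must decide which keys vouch for whom."""
    claims = {"exp": int(time.time()) + ttl_seconds, **claims}
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _validate(token: str, select_key: Callable[[dict, dict], Optional[bytes]]) -> Optional[dict]:
    """Shared checks: signature with whatever key `select_key` chooses, then
    audience and expiry. Returns the claims on success, None on rejection."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_unb64url(h)), json.loads(_unb64url(p)), _unb64url(s)
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    secret = select_key(header, claims)
    if secret is None:
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("aud") != MAIL_AUD or claims.get("exp", 0) <= time.time():
        return None
    return claims


def verify_vulnerable(token: str) -> Optional[dict]:
    """Flawed: the kid is looked up in the union of every known key set, so a
    key from the consumer system can sign a token that claims the enterprise
    issuer. This is the class of error the article describes."""
    all_keys = {kid: k for keyset in KEYS.values() for kid, k in keyset.items()}
    return _validate(token, lambda header, claims: all_keys.get(header.get("kid")))


def verify_hardened(token: str) -> Optional[dict]:
    """Fixed: the issuer claim selects a key set first; only a kid published by
    that issuer may validate the signature, and an unknown issuer gets nothing."""
    return _validate(token, lambda header, claims: KEYS.get(claims.get("iss"), {}).get(header.get("kid")))


def forge_enterprise_token(stolen_consumer_secret: bytes) -> str:
    """The attack in miniature: sign with the consumer key, claim to be an
    enterprise user of a tenant whose keys the attacker never held."""
    return mint_token("msa-key-1", stolen_consumer_secret,
                      {"iss": AAD_ISS, "aud": MAIL_AUD, "sub": "cfo@contoso.example"})


def legitimate_enterprise_token() -> str:
    return mint_token("aad-key-1", KEYS[AAD_ISS]["aad-key-1"],
                      {"iss": AAD_ISS, "aud": MAIL_AUD, "sub": "cfo@contoso.example"})


if __name__ == "__main__":
    forged = forge_enterprise_token(KEYS[MSA_ISS]["msa-key-1"])
    print("vulnerable verifier accepts forged token:", verify_vulnerable(forged) is not None)
    print("hardened verifier accepts forged token:  ", verify_hardened(forged) is not None)
    print("hardened verifier accepts genuine token: ", verify_hardened(legitimate_enterprise_token()) is not None)
```

The same question, which issuer is this key entitled to vouch for, is also the one behind the GetAccessTokenForResource flaw: a token-issuing endpoint that accepts its own output as proof of identity has in effect added itself to the list of trusted issuers, and the fix is the same, namely an explicit allow-list of issuers whose keys may validate a given token.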

To mitigate this attack, Microsoft blocked OWA from accepting tokens signed with the MSA key known to be controlled by the threat actor. Tokens signed with this key were also blocked in the environments of the confirmed victims. The validation flaws that allowed the wrong key to produce accepted tokens have been patched, and the consumer and enterprise environments have been further isolated to prevent a similar issue arising. The MSA signing keys have also been moved to the key store used for Microsoft's enterprise systems. Microsoft continue to add defence in depth, including increased monitoring of key activity and automated alerting in these environments.

Microsoft also revoked and replaced all signing keys that were active at the time of the attack, including the threat actor controlled MSA key. Research by Wiz shows that 8 public keys for Azure AD enterprise accounts and 7 public keys for MSA consumer accounts, which had been active since at least 2016, were in use at the time of the attacks. These keys could sign OpenID tokens, which led Wiz's researchers to conclude that the range of applications potentially exposed by the flaws exploited in this attack is wider than Exchange Online and Outlook.com alone. Potentially affected applications include any Azure AD application that accepts tokens under the OpenID v2.0 protocol, which covers Microsoft managed apps such as Outlook, SharePoint, Teams and OneDrive, as well as third party applications that use ‘Login with Microsoft’. Microsoft have confirmed that no customer action is required, as the mitigation steps they have performed resolve the issue for all customers. However, since a wider range of applications and services may have been exposed than those Microsoft investigated, administrators may wish to use the Indicators of Compromise listed in the Threat Intelligence blog post to check whether they have been affected by this form of attack.

Since Microsoft took these remediation steps, no further attack activity using MSA signing keys has been detected. Microsoft have also stated that they have observed the threat actor moving to “other techniques”, which indicates that the hardening of the key validation process has closed this avenue. Previously, Storm-0558 is known to have run credential harvesting phishing campaigns to obtain credentials for initial access to email accounts. OAuth token attacks have been observed since as early as 2021, with the threat actor performing token theft and token replay. The group has also gained initial access by exploiting internet-facing applications and installing web shells. Microsoft have not yet confirmed which techniques they have observed the threat actor adopting since its ability to forge tokens was removed.
