Dive Brief:
- The China-linked threat actors behind the theft of U.S. State Department and other Microsoft customer emails may have gained access to applications beyond Exchange Online and Outlook.com, according to a report released Friday by Wiz.
- Researchers said the compromised private encryption key may have allowed the hackers to forge access tokens for multiple types of Azure Active Directory applications, including SharePoint, Teams and OneDrive.
- “Many of the claims made in this blog are speculative and not evidence based,” a spokesperson for Microsoft said via email. “We recommend that customers review our blogs, specifically our Microsoft Threat Intelligence blog, to learn more about this incident and investigate their own environments using the indicators of compromise we’ve made public.”
Dive Insight:
Microsoft earlier this month warned that about 25 customers worldwide, including multiple government clients, were hacked by an advanced persistent threat group that Microsoft calls Storm-0558.
The hackers gained access to sensitive State Department emails as well as, reportedly, emails from U.S. Commerce Secretary Gina Raimondo, among others. After government officials notified Microsoft about the compromise, the Cybersecurity and Infrastructure Security Agency worked with Microsoft on measures to contain the damage and to further investigate how the hackers originally gained access.
The threat actor gained access to an MSA consumer signing key, which allowed it to forge access tokens for Exchange Online and Outlook.com, Microsoft said earlier this month. However, the Wiz research shows that the key provides access to a much wider array of applications.
“Our biggest surprise with this investigation came when we discovered that the threat actor’s impact could be much broader than most of the security community realized – many incorrectly assumed that it was limited to Outlook – and also, that we don’t know the full possible impact,” Nir Ohfeld, senior security researcher at Wiz, said via email.
Wiz researchers worked with Microsoft on the new research report. Organizations should search for forged token usage on any application that might have been affected, and, according to the report, should make sure none of their applications use a cached version of Microsoft's OpenID public certificates; if any do, the cache should be refreshed.
Microsoft recently made security logging data available by default after a backlash from federal officials and rival security firms.