Storm-0558: Understanding How Microsoft Failed to Protect Itself

You’re undoubtedly familiar with the so-called Storm-0558 attacks from July 2023. If not, a quick recap: these attacks (widely attributed to the Chinese government) compromised a number of high-value Exchange Online mailboxes, including those of the US Secretary of Commerce and the US Ambassador to China. Given the sensitivity of the mailboxes, it’s likely that they were hosted in GCC-High or DOD tenants.

In Microsoft’s initial disclosure of the breach, they made some fairly vague statements about how the threat actor had been able to breach the service by obtaining a signing key; on September 6, 2023, they released a more detailed post-mortem on how the attacker got that key. It’s sobering, not to mention alarming, and you should understand the nature of the failure(s) in order to better understand the inherent risk in using a cloud service like Microsoft 365.

Source: Practical365