[LINK] Microsoft MSA key acquired and used to access enterprises' mail
Roger Clarke
Roger.Clarke at xamax.com.au
Thu Jul 13 08:50:16 AEST 2023
Microsoft mitigates China-based threat actor Storm-0558 targeting of
customer email
MSRC
July 11, 2023
https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/
[ Reading past the obnoxious corporate propaganda, sorry, professionally-responsible corporate communications, this says: ]
... an attack ... gained access to email accounts affecting
approximately 25 organizations including government agencies as well as
related consumer accounts ... using Outlook Web Access in Exchange
Online (OWA) and Outlook.com by forging authentication tokens.
The actor used an acquired MSA key to forge tokens to access OWA and
Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are
issued and managed from separate systems and should only be valid for
their respective systems. The actor exploited a token validation issue
to impersonate Azure AD users and gain access to enterprise mail. We
have no indications that Azure AD keys or any other MSA keys were used
by this actor. OWA and Outlook.com are the only services where we have
observed the actor using tokens forged with the acquired MSA key.
[ Presumably MSA stands for (self-?)Managed Service Accounts. ]
[ The expression 'defense in depth' is used. But if a master key was
acquired, had such broad application that 25 organisations were
within-scope, and was used many times in multiple contexts before the
incidents were detected, it appears that the safeguard(s) weren't worth
much. ]
--
Roger Clarke mailto:Roger.Clarke at xamax.com.au
T: +61 2 6288 6916 http://www.xamax.com.au http://www.rogerclarke.com
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University
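The MSRC passage quoted above says that consumer (MSA) and enterprise (Azure AD) keys come from separate systems and should only be valid for their own system, yet a token validation issue let tokens forged with the acquired MSA key pass as enterprise tokens. The page gives no detail of the actual issue, so the following is an added illustration of one way that class of flaw arises, written for this post and not Microsoft's code: a verifier that looks the token's key id up in a single merged pool of every key it knows, beside a verifier that only consults the key set belonging to the issuer the token claims. All issuer names, key ids and key material are constructed, and HMAC secrets stand in for the RSA keys real tokens use so that it runs on the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed, hypothetical identifiers and key material (not real MSA/Azure AD values).
CONSUMER_ISSUER = "https://consumer.example"      # stands in for the MSA (consumer) issuer
ENTERPRISE_ISSUER = "https://enterprise.example"  # stands in for the Azure AD (enterprise) issuer
MAIL_AUDIENCE = "https://mail.example"            # the mail service validating tokens

CONSUMER_KEYS = {"msa-key-1": b"consumer-signing-secret-constructed"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-signing-secret-constructed"}

# Each issuer is bound to exactly the keys it published.
KEYS_BY_ISSUER = {CONSUMER_ISSUER: CONSUMER_KEYS, ENTERPRISE_ISSUER: ENTERPRISE_KEYS}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(kid: str, key: bytes, claims: dict) -> str:
    """Produce a compact HS256 JWT. Whoever holds `key` can mint any claims at all,
    which is why possession of a signing key is so dangerous."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_merged(token: str, audience: str):
    """Flawed verifier: resolves `kid` against ONE merged pool of every key the service
    knows, then trusts the token's own `iss` claim. A token signed with a consumer key
    but claiming the enterprise issuer is accepted, because nothing ties key to issuer."""
    header, claims, sig, signing_input = _split(token)
    merged = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("iss") not in KEYS_BY_ISSUER or claims.get("aud") != audience:
        return None
    return claims


def verify_bound(token: str, audience: str):
    """Hardened verifier: the key is looked up only in the key set published by the
    issuer the token claims, so a key from one system can never validate a token
    for the other, whatever `kid` says."""
    header, claims, sig, signing_input = _split(token)
    keys = KEYS_BY_ISSUER.get(claims.get("iss"))
    if keys is None:
        return None
    key = keys.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != audience:
        return None
    return claims


def legitimate_enterprise_token() -> str:
    return mint("aad-key-1", ENTERPRISE_KEYS["aad-key-1"],
                {"iss": ENTERPRISE_ISSUER, "sub": "alice@enterprise.example", "aud": MAIL_AUDIENCE})


def forged_cross_system_token() -> str:
    """What an actor holding only the consumer signing key can do: sign enterprise
    claims with it and point `kid` at the consumer key it possesses."""
    return mint("msa-key-1", CONSUMER_KEYS["msa-key-1"],
                {"iss": ENTERPRISE_ISSUER, "sub": "alice@enterprise.example", "aud": MAIL_AUDIENCE})


if __name__ == "__main__":
    forged = forged_cross_system_token()
    print("merged-pool verifier accepts forged token:", verify_merged(forged, MAIL_AUDIENCE) is not None)
    print("issuer-bound verifier accepts forged token:", verify_bound(forged, MAIL_AUDIENCE) is not None)
```

The point of the contrast is that both verifiers check the signature correctly and both check `iss` and `aud`; the only difference is whether the key set is selected before or after the issuer is known. With a merged pool, the `kid` header (attacker-controlled) picks the key, and the `iss` claim (also attacker-controlled) picks the identity, so a single compromised key from either system is enough to impersonate users of both.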