[LINK] Microsoft MSA key acquired and used to access enterprises' mail
Stephen Loosley
stephenloosley at outlook.com
Thu Jul 13 12:48:10 AEST 2023
Roger notes
> Microsoft mitigates China-based threat actor Storm-0558 targeting
> of customer email July 11, 2023
> https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/
> ... an attack ... gained access to email accounts affecting
> approximately 25 organizations including government agencies as
> well as related consumer accounts ... using Outlook Web Access in
> Exchange Online (OWA) and Outlook.com by forging authentication
> tokens. The actor used an acquired MSA key to forge tokens to access
> OWA and Outlook.com. The actor gained access to enterprise mail. We
> have no indications that Azure AD keys or any other MSA keys were used
> by this actor. OWA and Outlook.com are the only services where we have
> observed the actor using tokens forged with the acquired MSA key.
Hmm .. https://mailman.anu.edu.au/pipermail/link/2023-May/041094.html
Pentagon Hacking Fears Fueled by Microsoft's Monopoly on Military IT
BY SHAUN WATERMAN ON 5/16/23 https://www.newsweek.com/pentagon-hacking-fears-raised-microsoft-military-software-it-antivirus-monopoly-cybersecurity-1794369
Microsoft Must Do The Right Thing For U.S. Government And Improve Security
The U.S. Department of Defense is quietly abandoning one of its longest running cybersecurity programs protecting its vast global IT network, and replacing it with off-the-shelf tools from Microsoft.
This is despite internal opposition and criticism from experts who say it will make the nation more vulnerable to foreign hackers, enemy cyberwarriors and online spies, Newsweek has learned.
At a series of meetings with DOD Chief Information Officer John Sherman last fall, as the department's fiscal year 2024 budget request was being finalized, a clear majority of senior IT leaders from the military services opposed the move, a former senior defense official directly involved told Newsweek.
They were concerned about the department's growing reliance on a single software vendor:
"I was completely against it. A lot of us were, for the same reason: It felt like we were further embedding ourselves into this monopolistic (Microsoft) monoculture."
The potential risks were laid bare in March, when it was revealed that hackers suspected to be from Russian military intelligence had been stealthily exploiting a vulnerability in Outlook, Microsoft's email program, for almost a year.
The incident, unreported except by the cybersecurity trade press, illustrates what experts say are the dangers of relying exclusively on Microsoft IT.
DOD's decision to push ahead with the move to Microsoft security tools, based on an assessment from the National Security Agency, has cast a new light on long-standing questions about the security of the software produced by the Redmond, Wash.-based technology giant, and the impact of its dominance in government technology markets.
It also runs counter to the White House's new cybersecurity strategy, which calls on software companies to offer secure products in the first place rather than selling additional security measures on top.
The NSA declined to provide Newsweek with a copy of the assessment or to comment.
The Defense Department's IT network, one of the largest in the world, was already a poster child for what cyber experts call the Microsoft monoculture—an IT environment in which everyone uses the same software, meaning they are all potentially vulnerable to the same cyberattacks.
Since 2017, DOD has exclusively used the Microsoft Windows operating system on all of its four million-plus desktop computers and is increasingly employing Microsoft's Azure cloud computing services.
And most of its 2.1 million active duty and reserve military personnel and 750,000 civilian employees use Microsoft programs such as Outlook or Office for email, calendar, word processing and other administrative tasks ... (snip)