On July 11, Microsoft reported a Chinese threat actor from the group “Storm-0558” had
obtained a private encryption key that was used to forge authentication tokens, allowing them
to impersonate Azure Active Directory users, providing unauthorized access to Exchange Online
and Outlook.com applications. This access culminated in persistent access to email accounts
across numerous government agencies in Western Europe and the US for weeks, most notably
exposing sensitive information in emails belonging to US State Department officials. Further
research conducted by Wiz Research indicates that the compromised key may have provided
access to multiple Azure AD-based applications including SharePoint, Teams, and OneDrive.
The breach exposes a critical vulnerability in Microsoft’s ubiquitous Azure platform that drew
the wrath of Tenable’s CEO Amit Yoran, who formerly headed DHS’s National Cyber Security
Division and has a long history of key positions in cybersecurity service providers. In a LinkedIn
blog post, Yoran criticized Microsoft’s slow response to the breach (as did many in government
and industry) and remarked on their less-than-effective approach to addressing vulnerabilities
in a timely manner in their products. As a company focused on helping organizations identify
and remediate vulnerabilities, Tenable published a timeline on its website that details a
considerably long path from discovery to remediation, one that materially extended the risk
exposure time for users of the Azure platform.
Understandably, the initial news of the breach and the subsequent trickle of concerning details
are sending shockwaves through organizational and retail consumers alike, since Microsoft
platform applications dominate the market.
Page 1 www.axio.com
August 2023
While Microsoft was the target of this attack, it stands to reason that any cloud-based
application platform with a broad organizational user base is an attractive target. Since
Microsoft competitors use similar signing key architectures, the potential for extensive and
broad organizational damage in such a breach is significant, potentially resulting in scenarios
ranging from espionage-focused data exfiltration to disruption of critical operations and
infrastructure. In short, the potential outcomes of a breach of any cloud-based application and
service provider could be catastrophic, especially as reliance on the cloud is increasing and as
new digital transformations (such as the movement of operational technology and industrial
control systems to the cloud) continue.
So, what can an organization do when news breaks of a cloud-based intrusion? If properly
planned, key security controls (such as the use of a cloud access security broker—CASB for
short) should have been included as a functional requirement in an organization’s journey to the
cloud. Assuming this and other pre-move security considerations have been addressed, there
are a few other quick actions that should be high on the checklist.
The Axio Report: Cybersecurity in Focus
Next Steps
In the end, an intrusion into a cloud platform on which your organization has built substantial
operational capabilities is a potential game-changer no matter what. But you can make
investments today that will at least help you navigate such an event more effectively and possibly
help you avoid significant damage.
Contacts