What: a threat actor compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world.
Who: the actor, known as Storm-0558 and assessed to be affiliated with the People's Republic of China.
How: by accessing the accounts using authentication tokens that were signed by a key Microsoft had created in 2016.
When: in May and June 2023.
Why: in pursuit of espionage objectives. This intrusion compromised senior United States government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, United States Ambassador to the People's Republic of China R. Nicholas Burns, and Congressman Don Bacon.
Context: the intrusion received a SEV-0 rating, the highest urgency level. This meant that the incident required robust communication, visibility, and coordination across Microsoft and up to its most senior leadership, including its Board of Directors.
The U.S. Department of Homeland Security (DHS) has issued the findings and recommendations report of the Cyber Safety Review Board (CSRB) concerning the review of the summer 2023 Microsoft Exchange Online Intrusion. This report is invaluable from all perspectives, particularly for professionals working in the CyberDetection field.
Following an initial review of the report, below are some of the key insights gleaned:
- Biggest risk of using cloud infrastructure (report p. 11)
- Must-have custom detection to alert on potential anomalous access to mailboxes (report p. 14)
- 2 main mistakes that left the cloud vulnerable to intrusions: Microsoft's failure to implement automated signing key rotation and the lack of an alerting system for aging keys in its consumer MSA identity infrastructure left it vulnerable to intrusions, as the report reads.
- The criticality of storing log data for threat hunting or forensic analysis (report pp. 15-16)
- Victim notification via email is a flawed system (report pp. 18 and 20)
- Microsoft's security culture was deemed inadequate, supported by substantial evidence and analysis (report p. 22).
- Given the reported $17.4 billion in revenue for the third quarter of 2023 (Azure), this finding is alarming from a business standpoint.
- Microsoft customers lack crucial information necessary to conduct their own risk assessments regarding the security of Microsoft Cloud environments.
- Despite the absence of any mention of Microsoft's Security Copilot in the report, Microsoft keeps promoting artificial intelligence as a revolutionary asset that lets organizations thwart cyberattacks at machine speed.
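As an added example (not from this post or the CSRB report), the "alerting system for aging keys" gap from the two-mistakes item and the custom-detection item above can be illustrated with a small Python check. It assumes a hypothetical signing-key inventory with kid/created/status fields, an assumed 365-day rotation policy, and constructed token-validation log entries; it flags active keys past their rotation age and any token accepted under a retired, unknown, or over-age key.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Rotation policy values are assumptions for this example, not Microsoft's actual policy.
MAX_KEY_AGE = timedelta(days=365)    # a key older than this must not sign or validate tokens
AGING_WARNING = timedelta(days=300)  # warn before the hard limit so rotation can be scheduled

@dataclass(frozen=True)
class SigningKey:
    kid: str           # key identifier carried in the token header
    created: datetime
    status: str        # "active" or "retired" (hypothetical inventory states)

def key_age_alerts(inventory, now):
    """Alert on active keys approaching or past the rotation limit: (severity, kid, reason)."""
    alerts = []
    for k in (k for k in inventory if k.status == "active"):
        age = now - k.created
        if age > MAX_KEY_AGE:
            alerts.append(("critical", k.kid, f"{age.days} days old, past rotation limit"))
        elif age > AGING_WARNING:
            alerts.append(("warning", k.kid, f"{age.days} days old, rotate soon"))
    return alerts

def token_key_alerts(inventory, events, now):
    """Alert on token validations whose signing key is unknown, retired, or over-age."""
    by_kid = {k.kid: k for k in inventory}
    alerts = []
    for ev in events:
        key, who = by_kid.get(ev["kid"]), f"{ev['ts']} {ev['sub']}"
        if key is None:
            alerts.append(("critical", ev["kid"], f"{who}: unknown signing key"))
        elif key.status != "active":
            alerts.append(("critical", ev["kid"], f"{who}: retired key still accepted"))
        elif now - key.created > MAX_KEY_AGE:
            alerts.append(("critical", ev["kid"], f"{who}: over-age key"))
    return alerts

# Constructed sample data: an old consumer key still marked active, mirroring the report's 2016 key.
NOW = datetime(2023, 6, 15, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    SigningKey("msa-2016-key", datetime(2016, 4, 1, tzinfo=timezone.utc), "active"),
    SigningKey("key-2022-06", datetime(2022, 6, 1, tzinfo=timezone.utc), "retired"),
    SigningKey("key-2023-01", datetime(2023, 1, 15, tzinfo=timezone.utc), "active"),
]
SAMPLE_EVENTS = [  # constructed token-validation log entries; "kid" comes from the token header
    {"ts": "2023-06-10T08:12:00Z", "sub": "user1@example.org", "kid": "key-2023-01"},
    {"ts": "2023-06-10T08:13:00Z", "sub": "user2@example.org", "kid": "msa-2016-key"},
    {"ts": "2023-06-10T08:14:00Z", "sub": "user3@example.org", "kid": "key-2022-06"},
    {"ts": "2023-06-10T08:15:00Z", "sub": "user4@example.org", "kid": "no-such-key"},
]
```

Running `key_age_alerts(SAMPLE_KEYS, NOW)` and `token_key_alerts(SAMPLE_KEYS, SAMPLE_EVENTS, NOW)` over the sample data surfaces the 2016-era key both as overdue for rotation and as still being accepted on live tokens.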
STRATEGY-RELATED STATEMENTS TO TAKE INTO CONSIDERATION
Microsoft has not yet determined how Storm-0558 obtained the 2016 MSA key and says that it is continuing to investigate.