Cloud Security

Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.


Researchers at cloud security startup Wiz have an urgent warning for organizations running Microsoft’s M365 platform: the stolen Microsoft signing key gave Chinese hackers access to data beyond Exchange Online and Outlook.com.

“Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive,” Wiz researcher Shir Tamari said in a document posted online.

Tamari said the hackers may have also accessed Microsoft customer applications that support the “login with Microsoft” functionality, and multi-tenant applications in certain conditions.

When Microsoft acknowledged the hack and the stolen MSA key, the software giant said Outlook.com and Exchange Online were the only applications known to have been affected via the token forging technique, but Wiz’s new research shows that “this incident seems to have a broader scope than originally assumed.”

“Wiz Research has found that the compromised signing key was more powerful than it may have seemed, and was not limited to just those two services,” the company said in a document that provides technical evidence that the stolen MSA key could have been used to forge access tokens for Azure Active Directory applications, including SharePoint, Microsoft Teams and Microsoft OneDrive.

“Organizations using Microsoft and Azure services should take steps to assess potential impact [beyond email],” Tamari said.

The Wiz research follows news that Chinese hackers were caught forging authentication tokens with a stolen Microsoft account (MSA) consumer signing key to break into M365 email inboxes. The hack, which led to the theft of email from approximately 25 organizations, turned into a bigger embarrassment when customers complained they had zero visibility to investigate because they were not paying for the high-tier E5/G5 license.


Earlier this week, Microsoft bowed to public pressure and announced it would free up access to cloud security logs and expand logging defaults for lower-tier M365 customers to help with post-incident forensics.


However, Wiz’s Tamari cautions that Redmond’s customers may find it difficult to detect the use of forged tokens against their applications, because the crucial fields involved in token verification are typically not logged.

Although Microsoft has revoked the compromised key, meaning that Azure Active Directory applications will no longer accept tokens signed with it as valid, Tamari says some problems remain.

“Tokens with extended expiration dates will also be rejected by these applications. However, during previously established sessions with customer applications prior to the revocation, the malicious actor could have leveraged its access to establish persistence. This could have occurred by leveraging the obtained application permissions to issue application-specific access keys or setting up application-specific backdoors,” he added.

“We believe this event will have long lasting implications on our trust in the cloud and the core components that support it,” Wiz said, noting that it’s very difficult to determine the full extent of the incident. 

“There were millions of applications that were potentially vulnerable, both Microsoft apps and customer apps, and the majority of them lack the sufficient logs to determine if they were compromised or not,” the company added.

Wiz’s Tamari recommends that Microsoft customers urgently update their Azure SDK deployments to the latest version and make sure their applications’ cached copy of Microsoft’s signing keys is refreshed, since an application that still holds the revoked key in its cache would continue to accept tokens forged with it.
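The two practical points above, that revocation only takes effect once a relying party stops trusting its cached copy of the key, and that most applications do not log the fields an investigator would need, can be shown with a small model. The following is an added example written for this page; it is not Wiz’s or Microsoft’s code and it talks to no Microsoft endpoint. It models an RS256-signed access token, an issuer key set standing in for the published JWKS document, and a relying party that caches those keys by kid. The key ID, issuer URL, tenant ID and audience are constructed placeholders. The attacker, holding the private half of the “stolen” key, mints a token with a ten-year expiry; the issuer revokes the key, but the relying party keeps accepting the forgery until it refreshes its cache, and every verification attempt is logged with kid, issuer and tenant whether it passes or fails.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"maps"
	"strings"
	"time"
)

// Claims is the subset of an access-token payload this example checks and logs.
type Claims struct {
	Iss string `json:"iss"`
	Tid string `json:"tid"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// Sign mints an RS256 JWT: anyone holding a signing key's private half can do this.
func Sign(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	p, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// Verifier is a relying party that caches the issuer's published keys (its JWKS) by kid.
type Verifier struct {
	Issuer   map[string]*rsa.PublicKey // the issuer's current key set
	cache    map[string]*rsa.PublicKey // this relying party's copy of it
	Audience string
	Log      []string // one line per attempt, with the fields an investigator would need
}

// Refresh re-reads the issuer's keys; until it runs, a revoked key stays trusted here.
func (v *Verifier) Refresh() { v.cache = maps.Clone(v.Issuer) }

// Verify checks a token and logs kid, issuer and tenant for every attempt, accepted or not.
func (v *Verifier) Verify(tok string, now time.Time) (c Claims, err error) {
	var h struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	defer func() {
		v.Log = append(v.Log, fmt.Sprintf("token_verify kid=%s alg=%s iss=%s tid=%s aud=%s err=%v",
			h.Kid, h.Alg, c.Iss, c.Tid, c.Aud, err))
	}()
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	// Header and claims are decoded before the signature check only to fill the log line; nothing in them is trusted yet.
	hb, e0 := base64.RawURLEncoding.DecodeString(parts[0])
	cb, e1 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e2 := base64.RawURLEncoding.DecodeString(parts[2])
	if err = errors.Join(e0, e1, e2, json.Unmarshal(hb, &h), json.Unmarshal(cb, &c)); err != nil {
		return c, err
	}
	key, ok := v.cache[h.Kid] // a cache hit is taken at face value, even if the issuer has since pulled the key
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the algorithm is fixed here, never taken from the header
	switch {
	case !ok:
		err = errors.New("unknown or revoked kid")
	case rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil:
		err = errors.New("bad signature")
	case c.Aud != v.Audience:
		err = errors.New("audience mismatch")
	case !now.Before(time.Unix(c.Exp, 0)):
		err = errors.New("expired")
	}
	return c, err
}

// RunScenario replays the article's timeline with a constructed key and claims: the issuer revokes
// the key, but a verifier with a stale cache keeps accepting tokens forged with it.
func RunScenario() (acceptedStale, acceptedFresh bool, logLines []string, err error) {
	stolen, err := rsa.GenerateKey(rand.Reader, 2048) // constructed; the attacker holds the private half
	if err != nil {
		return
	}
	v := &Verifier{Issuer: map[string]*rsa.PublicKey{"kid-stolen": &stolen.PublicKey}, Audience: "api://constructed-app"}
	v.Refresh()
	now := time.Date(2023, 7, 21, 12, 0, 0, 0, time.UTC) // issuer, tenant and audience below are placeholders
	forged, err := Sign(stolen, "kid-stolen", Claims{Iss: "https://login.example.invalid/tenant-constructed/v2.0",
		Tid: "tenant-constructed", Aud: "api://constructed-app", Exp: now.Add(10 * 365 * 24 * time.Hour).Unix()})
	if err != nil {
		return
	}
	delete(v.Issuer, "kid-stolen") // the issuer revokes the compromised key...
	_, e1 := v.Verify(forged, now) // ...but this verifier still trusts its cached copy
	v.Refresh()                    // the key-cache refresh the article recommends
	_, e2 := v.Verify(forged, now)
	return e1 == nil, e2 == nil, v.Log, nil
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints `true false`, followed by the two log lines and a nil error: the forgery is accepted while the stale cache still holds the revoked key and rejected once the cache is refreshed, even though its expiry is ten years out. Real token libraries refresh their key cache on a timer or when they meet an unknown kid; neither path fires while the cached copy of the revoked key is still there, which is why the SDK update and cache refresh matter. The second half of the lesson is in the `Log` field: without the kid and tenant on every attempt, there is nothing to search for afterwards.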

Related: Chinese Cyberspies Use Stolen Microsoft Key to Hack Gov Emails

Related: Microsoft Bows to Pressure to Free Up Cloud Security Logs

Related: Microsoft Warns of Office Zero-Day Attacks, No Patch Available

Related: Microsoft Blames Russian APT for Outlook Zero-Day Exploits

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
