Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

Microsoft AI

Researchers at cloud security startup Wiz have an urgent warning for organizations running Microsoft’s M365 platform: That stolen Microsoft security key gave Chinese hackers access to data beyond Exchange Online and Outlook.com.

“Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive,” Wiz researcher Shir Tamari said in a document posted online.

Tamari said the hackers may have also accessed Microsoft customer applications that support the “login with Microsoft” functionality, and multi-tenant applications in certain conditions.

When Microsoft acknowledged the hack and the stolen MSA key, the software giant said Outlook.com and Exchange Online were the only applications known to have been affected via the token forging technique but new research shows that “this incident seems to have a broader scope than originally assumed.”

“Wiz Research has found that the compromised signing key was more powerful than it may have seemed, and was not limited to just those two services,” the company said in a document that provides technical evidence that the stolen MSA key could have been used to forge access tokens Azure Active Directory applications, SharePoint, Microsoft Teams and Microsoft OneDrive.

“Organizations using Microsoft and Azure services should take steps to assess potential impact [beyond email],” Tamari said.

The Wiz research follows news that Chinese hackers were caught forging authentication tokens using a stolen Azure AD enterprise signing key to break into M365 email inboxes. The hack, which led to the theft of email from approximately 25 organizations, turned into a bigger embarrassment when customers complained they had zero visibility to investigate because they were not paying for the high-tier E5/G5 license.

Earlier this week, Microsoft bowed to public pressure and announced it would free up access to cloud security logs and expand logging defaults for lower-tier M365 customers to help with post-incident forensics.

Advertisement. Scroll to continue reading.


However, Wiz’s Tamari is cautioning that it may be difficult for Redmond’s customers to detect the use of forged tokens against their applications due to lack of logs on crucial fields related to the token verification process.

Although Microsoft has revoked the compromised key, meaning that Azure Active Directory applications will no longer accept forged tokens as valid tokens, Tamari says some problems remain.

“Tokens with extended expiration dates will also be rejected by these applications. However, during previously established sessions with customer applications prior to the revocation, the malicious actor could have leveraged its access to establish persistence. This could have occurred by leveraging the obtained application permissions to issue application-specific access keys or setting up application-specific backdoors,” he added.

“We believe this event will have long lasting implications on our trust in the cloud and the core components that support it,” Wiz said, noting that it’s very difficult to determine the full extent of the incident. 

“There were millions of applications that were potentially vulnerable, both Microsoft apps and customer apps, and the majority of them lack the sufficient logs to determine if they were compromised or not,” the company added.

Wiz’s Tamari is recommending that Microsoft customers urgently update Azure SDK deployments to the latest version and ensure application cache is updated to mitigate the risk of a threat actor using the compromised key.

Related: Chinese Cyperspies Use Stolen Microsoft Key to Hack Gov Emails

Related: Microsoft Bows to Pressure to Free Up Cloud Security Logs

Related: Microsoft Warns of Office Zero-Day Attacks, No Patch Available

Related: Microsoft Blames Russian APT for Outlook Zero-Day Exploits

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.