Summer 2023 Microsoft Exchange Online Intrusion

Incident Impacts: Data Theft
Affected Sector: Ministries of Foreign Affairs, Technology, National Government
Associated Intrusion Sets: Storm-0558

In May and June 2023, Microsoft Exchange Online was compromised by Storm-0558, a threat actor linked to the People's Republic of China. The actor accessed mailboxes using authentication tokens signed by a key created by Microsoft in 2016.

The intrusion affected 22 organizations and over 500 individuals globally, including senior U.S. government officials. The U.S. State Department first detected the intrusion on June 15, 2023.

Microsoft invalidated the stolen key used by the attackers and began notifying impacted parties. The company also updated its security measures to prevent similar incidents in the future.

The US Cyber Safety Review Board (CSRB) concluded that the intrusion was preventable and resulted from a series of security failures at Microsoft. The CSRB also found that Microsoft had been unable to confirm how the key was obtained by the intrusion set. Recommendations were issued for Microsoft and other cloud service providers to improve security practices.

Summer 2023 Microsoft Exchange Online Intrusion Threat Reports

Report

Review of the Summer 2023 Microsoft Exchange Online Intrusion

This report by the US Cyber Safety Review Board presents the findings of an investigation into compromise of Microsoft Exchange Online mailboxes ...
