Storm-0558 Microsoft Attack and Adapt

In early July, Microsoft announced Storm-0558 where a Chinese threat actor used forged authentication tokens to access the information – primarily email accounts – of about 25 organizations. This attack included some significant organizations including the US Department of Commerce and, reportedly, the US Ambassador to China. The attack was particularly concerning because Microsoft revealed that the attacker was forging Azure AD tokens using an acquired Microsoft account signing key.   In Microsoft’s words, "Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected."

(CISA has posted guidance for addressing the threat here.  Microsoft has also expanded licensing for Purview to include companies that do not have an E5/G5 license.)

What This Means for Defenders

Wiz stated in their research, “Identity provider’s signing keys are probably the most powerful secrets in the modern world.”  As identity experts, we agree.  Attacks like this look like entirely legitimate authentication and, without additional monitoring, can pass undetected for significant periods of time.  

HYPR Adapt and Updating Monitoring

On July 26, we announced HYPR Adapt which helps organizations to maintain real-time risk assessment and adaptive security controls.  In other words, it’s entirely focused on protecting authentication by detecting anomalous activity and taking action such as requiring re-authentication.

While Microsoft believes that Storm-0558 has been mitigated, it’s instructive to look at how monitoring could be employed to address scenarios where their MSA or Azure AD signing keys have been compromised.

One of the key observations is that because of Adapt’s ability to deploy Policy as Code, it can be quickly updated with new policies based on recently identified threats known as IOC and IOA.  Once the risk has been identified, HYPR Adapt takes targeted action against the identified risk.  These patterns can be detected and action taken to revoke access or mitigate the impact of a newly identified identity threat.  

How it Works

Below are the implementation steps to prevent identity-based attacks in the event that a Microsoft signing key is compromised. 

  1. Configuring HYPR ADAPT to ingest Azure Audit logs requires only a simple webhook client configuration, from there HYPR ADAPT will receive all Audit entries from Azure ( in the case of STORM-0558, this would be the Audit. Exchange logs.)
  2. As the logs enter HYPR ADAPT they are transformed into datasets that can be leveraged for policy evaluation. As noted earlier, the flexibility of policy as code allows any of the information in these datasets to be computed and evaluated. 
  3. The HYPR Adapt policy will evaluate the user’s events by looking for the MailItemsAccessed event from Microsoft and will determine if this is an event that’s potentially generated using a token generated by a compromised MSA key. This is done using a combination of the user’s behavior such as applications, and client ids typically used, the token issuance process, and additional metadata that is evaluated in real-time. 
  4. If the HYPR Adapt policy determines the token is maliciously generated and utilized, it will terminate that token on Azure AD and the user will be asked to immediately re-authenticate. If the policy is not breached, the user will not be interrupted. 

The HYPR Adapt policy can also be implemented to alert the enterprise SOC or similar to be notified and react to any indicators of compromise. However, we believe that having actionable insights and policies that can be executed in real-time is critical for reacting to threats quickly and decisively with accuracy. This is what HYPR Adapt is enabling our customers to do! 

Maintaining Vigilance

Microsoft indicated in early July that Storm 0558 has been fully mitigated.  Smart security teams are continuing to look for other examples where compromised tokens are being utilized to create new attack vectors. 

Finding evidence of attack in the rearview mirror is now insufficient.  Risk assessment needs to include the ability to automatically take action to defend against identity threats while minimizing the overall impact to the user experience. Interested? Contact us to find out more about HYPR Adapt.  

Related Content