Microsoft has reported that a China-based hacking group gained access to the emails of approximately 25 organisations and Western government agencies, as well as a number of associated consumer accounts.

Microsoft’s said that hacking group Storm-0558 had remained undetected for around a month. The company discovered the breach following an investigation in mid-June.

Microsoft revealed in a statement that it looked into the hack after receiving customer reports of abnormal email activity.

While the targeted organisations have not been revealed, the nature of the attack is concerning as it points to a vulnerability in Microsoft’s cloud computing software.

Microsoft offers a service that authenticates users with a single-sign-on token.

According to Microsoft’s investigations, Storm-0558 gained access to the customer email accounts using Outlook Web Access in Exchange Online and by forged authentication tokens to access user email via an acquired Microsoft account consumer signing key.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

The threat actor was able to gain authentication by exploiting a token validation issue to impersonate Azure AD users and gain access to enterprise emails.

Microsoft said in a statement it had competed mitigation of the attack for all customers.  

“In cloud security, issues ultimately arise when the cloud is not utilised, configured, and managed properly. This case of token theft demonstrates the importance of having effective security control measures in place in your organisation,” Stephen Crow, general manager of security at UK cloud services company ANS, told Verdict.

Crow emphasised that platforms such as Microsoft offer controls and security measures to keep data stored in the cloud secure but only work if they are actually put in place. Controls he mentioned include conditional access configuration in Azure Active Directory only permitting known devices to authenticate tokens or reducing the time that a token is valid.

“With the right measures and controls in place, security breaches like the recent Chinese-hacking group’s attack can be soundly protected against,” he added.

Crow believes the best approach to guard against becoming the victim of these sorts of attacks includes taking a proactive rather than reactive security stance, which would enable flexible working while adapting to the ever-changing cyber risk landscape.

“If you are concerned that your business does not have the correct cloud configurations and security measures in place, the best port of call would be to speak to a trusted vendor or third party expert who can create a flexible cyber security framework for you.”