In early July, the news broke that threat actors in China used a Microsoft security flaw to execute highly targeted and sophisticated espionage against dozens of entities. Victims included the U.S. Commerce Secretary, several U.S. State Department officials and other organizations not yet publicly named. Officials and researchers alike are concerned that Microsoft products were again used to pull off an intelligence coup, such as during the SolarWinds incident.

In the wake of the breach, the Department of Homeland Security released a report stating that the Cyber Safety Review Board (CSRB) will conduct its next review on the malicious targeting of cloud computing environments. What lessons can be learned from this latest cyber incident? And how might companies protect themselves?

In the wake of the Microsoft breach

Immediately upon learning of the incident in July, the Department considered whether the Microsoft breach would be an appropriate subject of the Board’s next review. The CSRB plans to examine how the government, industry and cloud service providers (CSPs) should seek to strengthen identity management and authentication in the cloud.

The CSRB plans to specifically investigate the recent Microsoft Exchange Online intrusion. Furthermore, the Board will develop actionable recommendations to advance cybersecurity practices for both cloud computing customers and CSPs themselves.

After targeting top U.S. officials’ emails, the espionage operation triggered sharp criticism of Microsoft. The complaints were based on evidence the breach was only detectable if customers paid for a premium logging tier. Microsoft has since announced that customers will have access to expanded logging and storage capability at no additional cost.

Related: Cost of a Data Breach Report

Actors forge authentication tokens

As per a Microsoft Security report, the China-based threat actor, Storm-0558, was behind the attack. Beginning May 15, 2023, Storm-0558 used forged authentication tokens to access user emails from approximately 25 organizations, including government agencies and related consumer accounts, in the public cloud.

According to the security report, Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumers to access OWA and

Once authenticated through a legitimate client flow leveraging the forged token, the attackers accessed the OWA API to retrieve a token for Exchange Online from the GetAccessTokenForResource API used by OWA.

Storm-0558 then obtained new access tokens by presenting one previously issued from this API due to a design flaw. Since then, Microsoft reported that it has patched the vulnerability.

How to defend against identity threats

As mentioned in the Homeland Security notice, ways to improve identity management and authentication in the cloud will be addressed at the next CSRB review. Could these approaches prevent incidents similar to the Microsoft breach? There’s a good chance they can.

Modern identity management solutions provide deep, AI-powered context for both consumer and workforce identity and access management (IAM). Advanced IAM software uses machine learning and AI to analyze key parameters, such as user, device, activity, environment and behavior.

The end result is a comprehensive, adjustable risk score to determine whether or not to grant access. This enables more accurate, contextual authentication for the workforce, partners, customers and devices.

Regulatory changes ahead

The recent Microsoft incident will only strengthen the White House’s drive to implement more stringent security practices by software manufacturers. CISA Director Jen Easterly has emphasized that the burden of maintaining software security needs to shift. The onus for security maintenance should move to software manufacturers with the funding, expertise and personnel to invest in software security.

What happened to Microsoft continues to reveal that a secure cloud requires the right tools and effort. While software manufacturers must step up, companies should also do their part by implementing solid identity access strategies.

More from Cloud Security

How I got started: Cloud security engineer

3 min read - In today’s increasingly cloud-focused business environment, cloud security engineers are pivotal in protecting an organization’s critical data and infrastructure. As experts in cloud security, they leverage their expertise to ensure that the ever-expanding amount of cloud data is safe from emerging threats and vulnerabilities. Cloud security professionals combine their passion for technology with a deep understanding of security principles to design and implement robust cloud security strategies. What experience do these security experts have, and what led them to the…

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

What you need to know about protecting your data across the hybrid cloud

6 min read - The adoption of hybrid cloud environments driving business operations has become an ever-increasing trend for organizations. The hybrid cloud combines the best of both worlds, offering the flexibility of public cloud services and the security of private on-premises infrastructure. We also see an explosion of SaaS platforms and applications, such as Salesforce or Slack, where users input data, send and download files and access data stored with cloud providers. However, with this fusion of cloud resources, the risk of data…

Cloud security in the era of artificial intelligence

3 min read - AI and machine learning (ML) have revolutionized cloud computing, enhancing efficiency, scalability and performance. They contribute to improved operations through predictive analytics, anomaly detection and automation. However, the growing ubiquity and accessibility of AI also expose cloud computing to a broader range of security risks. Broader access to AI tools has increased the threat of adversarial attacks leveraging AI. Knowledgeable adversaries can exploit ML models through evasion, poisoning or model inversion attacks to generate misleading or incorrect information. With AI…