Public Cloud Security Breaches Documenting their mistakes so you don't make them.

Office 365 (2023)

Incident Details

Victimized Company: US Department of State & Department of Commerce, among others
Incident Dates: 2023-05-15 to 2023-06-16
Disclosure Date: 2023-07-11
Current Status: Investigation ongoing

In July of 2023, Microsoft disclosed a compromise of Exchange Online that targeted “25 organizations … including government agencies as well as related consumer accounts of individuals likely associated with these organizations.” The vector of compromise was several validation flaws in the Microsoft-hosted Exchange Online and AzureAD services.

Incident

Details of the Incident

As reported by CISA:

In June 2023, a Federal Civilian Executive Branch (FCEB) agency [subsequently identified by CNN as the US State Dept] identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.

By an as-yet-undisclosed method, the threat actor obtained a Microsoft Account (MSA) consumer signing key. Leveraging that very sensitive key, the threat actor pivoted into enterprise Exchange environments due to a validation error on Microsoft’s part. Per Microsoft: “The method by which the actor acquired the key is a matter of ongoing investigation.”1

Identified victims include:

  • US Department of State
  • US Department of Commerce
  • Commerce Secretary Gina Raimondo’s email account
  • “email accounts at the House of Representatives”2
  • The US Ambassador to China, Nicholas Burns

In a follow up research post, cloud security company Wiz noted:

“Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the “login with Microsoft” functionality, and multi-tenant applications in certain conditions.”

This led us to believe that although the compromised key acquired by Storm-0558 was a private key designed for Microsoft’s MSA tenant in Azure, it was also able to sign OpenID v2.0 tokens for multiple types of Azure Active Directory applications.
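The validation gap described above, shown as an added example (not Microsoft’s or Wiz’s code): a verifier that trusts any key id it knows, beside one that only accepts key ids from the key set of the issuer it expects. HMAC-SHA256 with constructed secrets stands in for the RSA-signed tokens and JWKS endpoints of the real services, and the issuer URLs, key ids and audience names are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed toy key sets. Real MSA and Azure AD keys are RSA keys published via
# JWKS; HMAC-SHA256 stands in here so the example runs with the stdlib alone.
CONSUMER_KEYS = {"msa-kid-1": b"consumer-signing-secret"}      # personal (MSA) accounts
ENTERPRISE_KEYS = {"aad-kid-1": b"enterprise-signing-secret"}  # work/school (Azure AD) accounts
ISSUER_KEYS = {  # which issuer legitimately owns which key ids (issuer URLs are assumed)
    "https://login.live.com": CONSUMER_KEYS,
    "https://login.microsoftonline.com/contoso": ENTERPRISE_KEYS,
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sig(key: bytes, signed: str) -> str:
    return _b64(hmac.new(key, signed.encode(), hashlib.sha256).digest())

def mint_token(kid: str, key: bytes, claims: dict) -> str:
    """Build a JWT-shaped token header.payload.signature with the given key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_sig(key, header + '.' + payload)}"

def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), s, f"{h}.{p}"

def verify_weak(token: str, expected_aud: str) -> bool:
    """Flawed check: any key id the service knows is trusted, so a token signed
    with a consumer-account key passes for an enterprise audience."""
    header, claims, sig, signed = _split(token)
    key = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}.get(header.get("kid"))
    if key is None or claims.get("aud") != expected_aud:
        return False
    return hmac.compare_digest(_sig(key, signed), sig)

def verify_scoped(token: str, expected_iss: str, expected_aud: str) -> bool:
    """Hardened check: iss and aud must match, and the kid must belong to the
    key set of that issuer; a consumer-scoped key can never validate here."""
    header, claims, sig, signed = _split(token)
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return False
    key = ISSUER_KEYS.get(expected_iss, {}).get(header.get("kid"))
    return key is not None and hmac.compare_digest(_sig(key, signed), sig)
```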

Timeline

Date              Event
May 15, 2023      Storm-0558 begins to use forged authentication tokens to access mailboxes
June 16, 2023     Federal Agency notices abnormal MailItemsAccessed in M365 Audit Logs
June 16, 2023     Microsoft disabled stolen keys and disables
July 11, 2023     Microsoft quietly discloses the incident on their security blog
July 12, 2023     CISA issues an advisory describing the incident
July 14, 2023     Microsoft discloses a signing key was compromised and used in this incident
July 19, 2023     Microsoft announces that the E5 Audit logs that enabled detection of this incident will now be available to all customers.
July 20, 2023     WSJ reports the US Ambassador to China was one of the victims
July 21, 2023     Cloud Security firm Wiz publishes a blog post which outlines broader potential impacts due to the signing key leak. (Archived Copy)
July 27, 2023     Sen. Wyden sends letter to the Attorney General and heads of CISA and the FTC asking them to investigate Microsoft’s security practices.
August 11, 2023   DHS announces the Cyber Safety Review Board will conduct a review on cloud security, specifically focusing on this incident
August 15, 2023   US Representative Don Bacon discloses he was notified by the FBI his personal and political email accounts were targeted by the attacker.

Attribution / Perpetrator

Microsoft has designated this threat actor Storm-0558 “a China-based threat actor with espionage objectives” and “maintain[s] high confidence that Storm-0558 operates as its own distinct group”.

Long-term Impact

So far there have been calls for Microsoft to change its licensing model to give all customers the same level of audit logging that the Department of State had subscribed to. Both CISA and Sen. Ron Wyden have called out Microsoft for only providing the logging necessary to detect this incident under their highest tier license.

“Every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box to reasonably detect malicious cyber activity,” a senior CISA official said Wednesday on a press call discussing the incident.

Microsoft was forced to concede this revenue stream and will make these logs free starting in September 2023.

Senator Ron Wyden (D-OR) sent a letter to the US Attorney General, along with the heads of CISA and the FTC asking for:

  1. The CISA director to investigate this breach under her shared authority to direct the Cyber Safety Review Board.
  2. The Attorney General to determine if Microsoft violated federal law in failing to follow required cybersecurity standards for government contractors.
  3. The FTC to investigate Microsoft’s privacy and data security practices, and to determine if Microsoft violated a consent decree relating to Passport, a predecessor product to Microsoft Account.

It is too early to determine what if any impact will occur to Microsoft from the DOJ or FTC, or what other practices CISA will find.

Summary of Coverage

Cloud Security Lessons Learned

While this incident was the direct responsibility of Microsoft, one lesson for organizations operating in the cloud is to ensure that you’re paying for the proper level of logging for your risk profile.

The Wiz blog has a number of suggestions for detecting if your environment was impacted by the leaked MSA key.
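As an added example of the kind of audit-log check this incident turned on (not Wiz’s or Microsoft’s own guidance), the following Python runs over a few constructed Unified Audit Log MailItemsAccessed records, flags mail reads by client app ids outside a tenant allowlist, and groups the mailboxes each (app, source IP) pair touched so a single source reading many mailboxes stands out. Field names follow the Exchange mailbox-audit schema as I understand it; the app ids, addresses and users are all made up.

```python
import json
from collections import defaultdict

# Constructed Unified Audit Log export in JSON-lines form. Field names follow the
# Exchange mailbox-audit schema as I understand it; every value below is made up.
# MailItemsAccessed was an E5-tier audit event until Microsoft's July 2023 change.
SAMPLE_UAL = """\
{"CreationTime":"2023-06-15T10:01:00","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientAppId":"app-outlook-desktop","ClientInfoString":"Client=OutlookService","ClientIPAddress":"203.0.113.10","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}
{"CreationTime":"2023-06-15T10:02:00","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientAppId":"app-unknown-0000","ClientInfoString":"Client=REST;Unknown","ClientIPAddress":"198.51.100.7","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]}
{"CreationTime":"2023-06-15T10:03:00","Operation":"MailItemsAccessed","UserId":"bob@agency.example","ClientAppId":"app-unknown-0000","ClientInfoString":"Client=REST;Unknown","ClientIPAddress":"198.51.100.7","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]}
{"CreationTime":"2023-06-15T10:04:00","Operation":"Send","UserId":"bob@agency.example","ClientAppId":"app-owa","ClientIPAddress":"203.0.113.11"}
"""

# Constructed allowlist of client application ids the tenant expects to read mail.
KNOWN_CLIENT_APPS = {"app-outlook-desktop", "app-owa"}

def parse_ual(text: str) -> list:
    """Parse a JSON-lines audit export into record dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def mail_access_type(rec: dict):
    """Return MailAccessType (Bind = single item, Sync = folder download) or None."""
    for prop in rec.get("OperationProperties", []):
        if prop.get("Name") == "MailAccessType":
            return prop.get("Value")
    return None

def find_unexpected_mail_access(records: list, known_apps=KNOWN_CLIENT_APPS):
    """Flag MailItemsAccessed events from client apps outside the allowlist and
    group the mailboxes touched by each (app, source IP) pair for triage."""
    findings = []
    mailboxes_by_source = defaultdict(set)
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        app = rec.get("ClientAppId", "")
        if app in known_apps:
            continue
        source = (app, rec.get("ClientIPAddress"))
        mailboxes_by_source[source].add(rec.get("UserId"))
        findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                         "app": app, "ip": source[1], "access": mail_access_type(rec),
                         "client": rec.get("ClientInfoString")})
    return findings, dict(mailboxes_by_source)
```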