Microsoft 365 Breach Risk Widens to Millions of Azure AD Apps

The Storm-0558 breach that gave Chinese advanced persistent threat (APT) actors access to emails within at least 25 US government agencies could be much further-reaching and impactful than anyone anticipated, potentially placing a much broader swathe of Microsoft cloud services at risk than previously thought.

But the lack of authentication logging at many organizations means that the full scope of actual compromise stemming from the situation will take weeks, if not months, to determine.

In the email breach, a stolen Microsoft account (MSA) key allowed the Storm-0558 APT to forge authentication tokens to masquerade as authorized Azure Active Directory (AD) users, obtaining access to Microsoft 365 enterprise email accounts and the potentially sensitive information contained within.

But it turns out that the swiped MSA key could have allowed the threat actor to also forge access tokens for "multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers' applications that support the 'login with Microsoft' functionality, and multitenant applications in certain conditions," according to research from Wiz released July 21.

Personal Microsoft accounts for services like Skype and Xbox are also vulnerable.

Shir Tamari, head of research at Wiz, noted that the APT could be lurking in position to have "immediate single hop access to everything, any email box, file service or cloud account."

Microsoft has confirmed the firm's findings, Tamari noted in a July 21 posting.

Determining the Scope of the Storm-0558 Breach

Microsoft revoked the stolen key in early July, and has released indicators of compromise (IoCs) for the email attack. But unfortunately, assessing whether the Storm-0558 actors actually made use of the broader access to any of the millions of additional susceptible applications will be much easier said than done.

"We discovered that it may be difficult for customers to detect the use of forged tokens against their applications due to lack of logs on crucial fields related to the token verification process," Tamari explained.

This relates to the so-called "logging tax" that came to light in the aftermath of Microsoft's original disclosure of the Storm-0558 breach last week: Many Microsoft customers have lacked visibility as to the impact of the attacks on their businesses, because the advanced logging that could detect the anomalous behavior has only been available as part of a paid premium service. Microsoft within days bowed to industry pressure, pledging to make access to advanced logging free, but that change will take a bit for customers to implement and use globally.

"Unfortunately, there is a lack of standardized practices when it comes to application-specific logging. Therefore, in most cases, application owners do not have detailed logs containing the raw access token or its signing key," wrote Tamari. "As a result, identifying and investigating such events can prove exceedingly challenging for app owners."

Nonetheless, the stakes remain high, noted Yossi Rachman, director of security research for AD security company Semperis. "The main concern here is understanding how exactly threat actors were able to get their hands on the compromised Azure AD key, as these types of breaches have the potential of quickly turning into a SolarWinds-scale event."

Azure AD Customers Could Still Be at Risk

Wiz warned that despite the key revocation, some Azure AD customers could potentially still be sitting ducks, given that Storm-0558 could have leveraged its access to establish persistence by issuing itself application-specific access keys, or setting up backdoors.

Further, any applications that retained copies of the Azure AD public keys prior to the revocation, and applications that rely on local certificate stores or cached keys that may not have updated, remain susceptible to token forgery.

"It is imperative for these applications to immediately refresh the list of trusted certificates," Tamari urged. "Microsoft advises refreshing the cache of local stores and certificates at least once a day."

In addition, Wiz, which listed details in its post as to which specific Azure AD configurations would be at risk from an attack, counseled organizations to update their Azure SDKs to the latest version and ensure their application caches are updated.

"The full impact of this incident is much larger than we initially understood it to be," Tamari noted. "We believe this event will have long lasting implications on our trust of the cloud and the core components that support it, above all, the identity layer which is the basic fabric of everything we do in cloud. We must learn from it and improve."