Microsoft quietly snuck out a blog yesterday to say that Office 365 got compromised by China and used to steal emails. Thread follows. https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/
Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email | MSRC Blog | Microsoft Security Response Center

They used Outlook Web App - runs the Exchange Server codebase btw - to craft tokens to bypass auth.

There's some clever wording in the blog around only impacting OWA. OWA is a part of Microsoft 365 and Exchange Online.

The problem was discovered by the US Government and reported to Microsoft. https://edition.cnn.com/2023/07/12/politics/china-based-hackers-us-government-email-intl-hnk/index.html

Microsoft have not linked the blog on @msftsecintel or @msftsecresponse Twitter accounts or social media, instead linking pieces yesterday about an unrelated phishing campaign.

This one looks like a huge mistake, a consumer MSA key (managed end to end by Microsoft - there's no external logs) was able to forge any Azure AD key.

It's only become public, it appears, as the US Government told Microsoft, which forces public disclosure.

Although MS haven't called this a vulnerability, haven't issued a CVE or used the term zero day... they don't issue CVEs for cloud services, forging a token is a vulnerability, so it's a zero day.
@GossiTheDog Perhaps one for the cloud vulnerability database? https://www.cloudvulndb.org/results?q=
Cloud vulnerabilities database - an open project to list all known cloud vulnerabilities and Cloud Service Provider security issues