US State Department Alerts Microsoft of Cloud Email Hacking Incident Last Month

Microsoft was alerted to the recent campaign conducted by the Chinese threat actor Storm-0558 by the US State Department, which claimed that its emails had been accessed. Storm-0558 targeted more than two dozen email accounts belonging to various Western organizations, including government bodies. The attack involved the use of forged authentication tokens to access Outlook Web Access (OWA) in Exchange Online and Outlook.com.

Microsoft confirmed that the threat actor obtained a Microsoft account consumer signing key and used it to forge tokens and gain unauthorized access to user email accounts. The Chinese government has denied any involvement in the attack and accused the United States of being the “world’s biggest hacking empire and global cyber thief.”

Storm-0558 utilized two malware strains, Bling and Cigril, the latter described as a trojan capable of decrypting encrypted files and running them directly from system memory on the targeted endpoint. Microsoft discovered the intrusion after being notified by a Federal Civilian Executive Branch agency about suspicious activity in its Microsoft 365 cloud environment. It took about a month for Microsoft to uncover the attack and determine that the threat actors had accessed and exfiltrated unclassified Exchange Online Outlook data.