Storm-0558 used two malware strains, Bling and Cigril; the latter is described as a trojan capable of decrypting encrypted files and running them directly from system memory on the targeted endpoint. Microsoft discovered the intrusion after a Federal Civilian Executive Branch agency notified it of suspicious activity in the agency's Microsoft 365 cloud environment. It took Microsoft about a month to uncover the attack and determine that the threat actors had accessed and exfiltrated unclassified Exchange Online Outlook data.
