CISA Warns Critical Infrastructure of APT Actors Targeting Outlook Online

July 17, 2023 - The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urged critical infrastructure entities to enhance monitoring of Microsoft Exchange Online environments following reports of malicious cyber activity.

According to CISA’s alert, a Federal Civilian Executive Branch (FCEB) agency reported suspicious activity within its Microsoft 365 (M365) cloud environment in June 2023. Microsoft later determined that advanced persistent threat (APT) actors had accessed and exfiltrated unclassified Exchange Online Outlook data.

“The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users,” the alert noted. “Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse. Microsoft determined that this activity was part of a campaign targeting multiple organizations (all of which have been notified by Microsoft).”

The impacted FCEB agency was able to detect this suspicious activity due to its enhanced logging capabilities, which established a baseline of normal Outlook activity. The logging enabled the FCEB ageny to identify otherwise difficult-to-detect malicious activity.

“CISA and FBI are not aware of other audit logs or events that would have detected this activity,” CISA and FBI stated. “Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.”

In addition to ensuring that audit logging is enabled, CISA and FBI encouraged organizations to ensure logs are searchable by operators and enable Microsoft 365 Unified Audit Logging (UAL). In addition, the alert advised organizations to become familiar with baseline patterns in order to understand abnormal traffic.

These mitigations are the responsibility of Microsoft, CISA and FBI noted. However, critical infrastructure organizations can still take steps to harden their cloud environments by separating administrator accounts from user accounts, reviewing contractual obligations with cloud service providers (CSPs), and using a telemetry hosting solution.

As always, organizations that detect suspicious activity should report their findings to CISA.