



Microsoft and others in the industry have called for transparency around cyber incidents so that we can learn and improve. As we have previously stated, we cannot ignore the exponential increase in the frequency and sophistication of attacks. The growing challenges we face only reinforce our commitment to greater information sharing and partnership with industry. Today we publish details of a China-based actor that Microsoft is tracking as Storm-0558, who gained access to email accounts affecting approximately 25 organizations, including government agencies, as well as consumer accounts of individuals likely associated with these organizations. We worked with affected customers and notified them before going public with further details. At this point, and in coordination with customers, we are sharing incident and threat actor details for the benefit of the industry.

Cyberattacks continue to increase in sophistication and frequency

Motivated threat actors continue to focus on compromising computer systems. These well-resourced adversaries make no distinction between attempting to compromise business or personal accounts associated with targeted organizations, since it takes only a single successfully compromised account login to gain persistent access, exfiltrate information, and achieve their espionage objectives. The threat actor that Microsoft associates with this incident is a China-based adversary that Microsoft calls Storm-0558. We assess this adversary to be focused on espionage, such as accessing email systems for intelligence gathering. This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.

Mitigation complete for all clients

On June 16, 2023, based on information provided by customers, Microsoft initiated an investigation into anomalous email activity. Over the following weeks, our investigation revealed that beginning on May 15, 2023, Storm-0558 gained access to the email data of approximately 25 organizations and a small number of associated consumer accounts of individuals likely associated with these organizations. They did this by using forged authentication tokens, signed with an acquired Microsoft Account Consumer (MSA) signing key, to access user email. Microsoft has completed mitigation of this attack for all customers. We added substantial automated detections for known indicators of compromise associated with this attack to strengthen customer defenses and environments, and found no evidence of additional access.

Coordinated response is key to rapid mitigation

Microsoft's real-time investigation and collaboration with customers enabled us to apply safeguards in the Microsoft Cloud to protect our customers against intrusion attempts by Storm-0558. We have mitigated the attack and contacted affected customers. We have also partnered with relevant government agencies such as DHS CISA. We are grateful to them and others for working with us to help protect affected customers and resolve the issue. We are grateful to our community for a quick, strong and coordinated response. More details to support our customers and the defender community can be found here.

Responsibility begins with us

Responsibility begins right here at Microsoft. We remain true to our commitment to keep our customers safe. We continually self-assess, learn from incidents, and strengthen our identity and access platforms to manage evolving key and token risks. We must continue to push the boundaries of security in order to be prepared for anything that may come our way. We will continue to work with our customers and our community to share information and strengthen our collective defenses.
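The risk described above, a token signed with a genuine but wrong-scope signing key, is what the following added example models; it is illustrative code, not Microsoft's token validation logic, and the key registry, issuer names, tokens and account are constructed. It shows why a relying party must bind each signing key to the issuer it is allowed to sign for, instead of accepting any token whose signature verifies against some known key.

```python
import base64, hashlib, hmac, json

# Constructed key registry (not Microsoft's keys): each key is bound to the issuer
# it may sign tokens for. That binding is the check this example demonstrates.
KEYS = {
    "consumer-kid-1": {"secret": b"consumer-demo-secret", "issuers": {"consumer-idp"}},
    "enterprise-kid-1": {"secret": b"enterprise-demo-secret", "issuers": {"enterprise-idp"}},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint an HS256-style JWT with a registry key (demo stand-in for a real signing key)."""
    signing_input = (_b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
                     + "." + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def _parse(token: str):
    h, p, s = token.split(".")
    return (json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)),
            (h + "." + p).encode(), _b64url_decode(s))
def _signature_ok(kid, signing_input: bytes, sig: bytes) -> bool:
    entry = KEYS.get(kid)
    if entry is None:
        return False
    expected = hmac.new(entry["secret"], signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def verify_signature_only(token: str):
    """Weak validator: accepts any token whose signature matches *some* known key."""
    header, claims, signing_input, sig = _parse(token)
    return claims if _signature_ok(header.get("kid"), signing_input, sig) else None

def verify_with_key_scope(token: str, expected_issuer: str):
    """Hardened validator: the key must be bound to the claimed issuer, and that issuer must be the one this service trusts."""
    header, claims, signing_input, sig = _parse(token)
    kid = header.get("kid")
    if not _signature_ok(kid, signing_input, sig):
        return None
    if claims.get("iss") not in KEYS[kid]["issuers"] or claims.get("iss") != expected_issuer:
        return None
    return claims

# Constructed tokens: consumer key claiming the enterprise issuer (wrong scope) vs. a legitimate enterprise token.
FORGED = sign_token("consumer-kid-1", {"iss": "enterprise-idp", "sub": "alice@example.com"})
LEGIT = sign_token("enterprise-kid-1", {"iss": "enterprise-idp", "sub": "alice@example.com"})
```

The signature-only validator accepts the wrong-scope token because the consumer key is in its trust store; the scoped validator rejects it while still accepting the legitimately issued enterprise token.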

