US CISA orders administrators at federal agencies to mitigate the cyber risks of the Microsoft cloud

On April 2, 2024, the US cybersecurity agency CISA issued an emergency directive to the administrators of US federal agencies requiring them to "mitigate" or eliminate, by April 30, 2024, the cyber risks posed to customers by Midnight Blizzard's compromise of Microsoft's corporate email system. The background: the state-sponsored actor was able to read email correspondence between Microsoft and its customers during the intrusion, and those emails probably also contained security-relevant information, including authentication details, for customer systems.

Background: Microsoft Cloud Hacks

This is the consequence of a series of cloud hacks. In May 2023 came the hack by the alleged Chinese hacker group Storm-0558, which used a stolen Microsoft signing key (the MSA key) to forge access tokens that Azure AD (now Entra ID) accepted, and used those tokens to spy on Exchange Online email accounts (see my article Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services).

Since November 2023, there has also been the case of the suspected Russian attackers of the Midnight Blizzard group, who compromised a legacy non-production test tenant account by password spraying and used it to infiltrate Microsoft's corporate email system and read emails of Microsoft executives and the security department. I reported on this in the article Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023. Shortly afterwards, the hack of HPE, reported in the article Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023, became known. It is not yet clear whether the two are connected.

However, it is now clear that Midnight Blizzard was probably more deeply entrenched at Microsoft than Microsoft initially admitted. While it was first said that "everything is under control, we have stopped the access", Microsoft later had to admit that Midnight Blizzard had probably continued to attack its systems and had also stolen source code (see Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems). The compromised accounts were also used to communicate with customers, and it cannot be ruled out that information about access to customer systems was exchanged there.

Since then, the Microsoft cloud has effectively had to be treated as compromised, and customers would do well to consider which security guarantees they can still rely on. That Microsoft is still lax about security was addressed just recently in the blog post Unsecured Microsoft Azure Server exposes passwords etc. of Microsoft systems (Feb. 2024).

CISA call for "mitigation of cyber risks"

The US Cybersecurity and Infrastructure Security Agency (CISA) has now published Emergency Directive ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System, dated April 2, 2024, which can be read as an urgent warning. CISA refers to the successful cyberattack mentioned above by the Russian hackers (Midnight Blizzard), who were able to infiltrate Microsoft corporate email accounts and read the email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft.

The directive states that the threat actor is using information originally exfiltrated from Microsoft's corporate email systems to gain, or attempt to gain, additional access to Microsoft customer systems. According to CISA, the exfiltrated data includes authentication details shared between Microsoft customers and Microsoft via email.

According to Microsoft, Midnight Blizzard increased the volume of some aspects of its intrusion campaign, such as password sprays, by as much as tenfold in February 2024 compared to the already high volume seen in January 2024.

CISA considers the successful compromise of Microsoft corporate email accounts by Midnight Blizzard and the exfiltration of correspondence between agencies and Microsoft to present a grave and unacceptable risk to U.S. agencies. The Emergency Directive published in April 2024 requires affected agencies to analyze the content of the exfiltrated emails, reset compromised credentials, and take additional steps to ensure that authentication tools for privileged Microsoft Azure accounts are secure.

Microsoft and CISA have notified all federal agencies whose email correspondence with Microsoft has been identified as exfiltrated by Midnight Blizzard. Their administrators now have a lot of work ahead of them: a large agency may have exchanged a great many emails between its IT staff or employees and Microsoft, and all of it has to be checked. It smells like a "security disaster", especially because no one can say whether systems may already have been compromised without anyone noticing.

Affected agencies that receive email metadata from Microsoft corresponding to known or suspected authentication compromises, or that otherwise become aware of specific details of such compromises, must respond immediately and remediate tokens, passwords, API keys, or other authentication credentials known or suspected to be compromised. For all known or suspected authentication compromises identified this way, the following actions must be taken by April 30, 2024:

  • Reset credentials in the associated applications and deactivate associated applications that the agency no longer needs.
  • Review sign-in, token issuance, and other account activity logs for the affected users and services for possible malicious activity wherever credential compromise is suspected or observed.
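As an added example of the log review the directive asks for (this is not code from the blog, from CISA or from Microsoft), the Python below runs over a constructed export in the shape of Entra ID sign-in records. The field names follow the Graph `signIn` resource and error code 50126 is Entra's "invalid username or password"; the accounts, addresses, timestamps and the assumed exposure date are invented for the illustration. It first looks for the password-spray pattern Microsoft describes (one source address, many accounts, few attempts each), then, for accounts the impact analysis lists as possibly exposed, flags every successful sign-in after the exposure date that comes from an address the account had never used before or that arrives over a legacy protocol that cannot enforce MFA.

```python
"""Review Entra ID sign-in records for password spraying and post-exposure access.
Added example; field names follow the Graph signIn resource, sample data is constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INVALID_PASSWORD = 50126  # Entra ID error code: invalid username or password
# Basic-auth client types: no MFA possible, so a sprayed password works here first.
LEGACY_CLIENTS = {"Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Other clients"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_event(t, upn, ip, code, client="Browser", app="Office 365 Exchange Online"):
    return {"createdDateTime": t, "userPrincipalName": upn, "ipAddress": ip,
            "appDisplayName": app, "clientAppUsed": client, "status": {"errorCode": code}}


# Constructed sample export: normal traffic, a spray against six accounts from one
# address, and a later successful basic-auth login for one of the sprayed accounts.
SAMPLE_SIGNINS = json.dumps([
    make_event("2024-01-15T08:01:00Z", "alice@agency.example", "198.51.100.20", 0),
    make_event("2024-01-20T09:12:00Z", "erin@agency.example", "198.51.100.21", 0),
    make_event("2024-02-10T03:00:05Z", "alice@agency.example", "203.0.113.7", 50126, "Authenticated SMTP"),
    make_event("2024-02-10T03:00:41Z", "bob@agency.example", "203.0.113.7", 50126, "Authenticated SMTP"),
    make_event("2024-02-10T03:01:17Z", "carol@agency.example", "203.0.113.7", 50126, "Authenticated SMTP"),
    make_event("2024-02-10T03:01:55Z", "dave@agency.example", "203.0.113.7", 50126, "Authenticated SMTP"),
    make_event("2024-02-10T03:02:30Z", "erin@agency.example", "203.0.113.7", 50126, "Authenticated SMTP"),
    make_event("2024-02-10T03:03:09Z", "frank@agency.example", "203.0.113.7", 50126, "Authenticated SMTP"),
    make_event("2024-02-10T03:10:44Z", "erin@agency.example", "203.0.113.7", 0, "Authenticated SMTP"),
    make_event("2024-02-11T08:05:00Z", "alice@agency.example", "198.51.100.20", 0),
    make_event("2024-02-11T09:00:00Z", "erin@agency.example", "198.51.100.21", 0),
])


def load_signins(text):
    """Parse a JSON export and attach a timezone-aware datetime, oldest first."""
    events = json.loads(text)
    for e in events:
        e["time"] = parse_time(e["createdDateTime"])
    return sorted(events, key=lambda e: e["time"])


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Return {ip: sorted accounts} for addresses whose invalid-password failures
    touch at least min_accounts distinct accounts inside one sliding window.
    A spray is many accounts with few tries each; brute force is the reverse."""
    failures = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == INVALID_PASSWORD:
            failures[e["ipAddress"]].append(e)
    sprays = {}
    for ip, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            accounts = {x["userPrincipalName"] for x in evs[start:end + 1]}
            if len(accounts) >= min_accounts and len(accounts) > len(sprays.get(ip, ())):
                sprays[ip] = sorted(accounts)
    return sprays


def review_compromised_accounts(events, suspected):
    """suspected maps UPN -> earliest time the credential may have been exposed
    (taken from the agency's analysis of the exfiltrated correspondence).
    Flags successful sign-ins after that time from an address the account never
    used before the exposure, and any success over a legacy (MFA-less) protocol."""
    findings = []
    for upn, since in suspected.items():
        mine = [e for e in events if e["userPrincipalName"] == upn]
        baseline_ips = {e["ipAddress"] for e in mine
                        if e["time"] < since and e["status"]["errorCode"] == 0}
        for e in mine:
            if e["time"] < since or e["status"]["errorCode"] != 0:
                continue
            reasons = []
            if e["ipAddress"] not in baseline_ips:
                reasons.append("new source address")
            if e["clientAppUsed"] in LEGACY_CLIENTS:
                reasons.append("legacy protocol (no MFA)")
            if reasons:
                findings.append({"user": upn, "time": e["createdDateTime"],
                                 "ip": e["ipAddress"], "app": e["appDisplayName"],
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    evs = load_signins(SAMPLE_SIGNINS)
    print("password spray sources:", detect_password_spray(evs))
    exposed = {"erin@agency.example": parse_time("2024-02-01T00:00:00Z"),
               "alice@agency.example": parse_time("2024-02-01T00:00:00Z")}
    for f in review_compromised_accounts(evs, exposed):
        print("REVIEW:", f)
```

On real data, feed the script the JSON you export from the Entra sign-in logs (interactive and non-interactive) and use the dates from your own impact analysis as the exposure times; anything it flags is a candidate for the credential reset and application deactivation in the first bullet, not proof of compromise by itself.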

Further, agencies must take steps to identify the full content of their correspondence with the compromised Microsoft accounts and perform a cybersecurity impact analysis following the details set out in the directive's annex. This action, too, must be completed by April 30, 2024.

If the agency's analysis identifies authentication compromises, or such compromises are suspected, CISA must be notified and the steps described in the directive (resetting credentials, etc.) carried out. CISA will work with the agencies to develop an updated timeline for completing these required actions, the directive states.

Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft's Storm-0558 cloud hack: US senator among the victims
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC
Microsoft extends Purview logging (after Storm-0558 hack)

Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack– Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2

Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023
Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023
Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems
Microsoft slammed for a cascade of faults that leads to Storm-0558 cloud hack
Unsecured Microsoft Azure Server exposes passwords etc. of Microsoft systems (Feb. 2024)

This entry was posted in Cloud, Security.