Microsoft breach impact could be larger than first thought

Microsoft still says only Outlook and Exchange Online were impacted

Microsoft cloud breach could be much wider than initially reported, researchers warn

Cloud security firm Wiz Research has warned that the impact of the Microsoft Azure breach, disclosed earlier this month, could be much wider than initially reported.

The private encryption key the threat actors used could have given them access to a broad range of other Microsoft products, the company believes.

On 11 July, Microsoft said a state-backed threat group had covertly accessed email accounts at around 25 organisations worldwide, including government agencies in the US and Western Europe.

The company attributed the attacks to Storm-0558, a threat actor believed to be based in China.

The group allegedly used a Microsoft account (MSA) consumer signing key, enabling the hackers to forge authentication tokens and access customer email accounts via Outlook Web Access (OWA) in Exchange Online and Outlook.com.

Despite Microsoft's assertion that these were the only services affected, Wiz researchers claim to have found evidence indicating that the compromised signing key was "more powerful" and not limited solely to those two services.

Shir Tamari, head of research at Israel-based Wiz, wrote that Storm-0558 could have used the key to forge access tokens for a variety of Azure Active Directory applications, including those supporting personal account authentication such as SharePoint, Teams and OneDrive.

The hackers might also have gained access to Microsoft customer applications that support the "Login with Microsoft" feature, and multi-tenant applications under specific conditions.

Tamari pointed out that the attackers could be lurking in a position that grants them "immediate single hop access to everything, any email box, file service, or cloud account".

Microsoft revoked the compromised key and provided a list of indicators of compromise (IoCs) when the breach was spotted, to help affected users assess their situation. However, Tamari shared his concerns about the difficulty customers could face in confirming whether the criminals had used forged tokens to steal data.

He attributed this difficulty to the absence of logs containing the essential information about the token verification process, because the advanced logging feature that can detect this kind of anomalous behaviour was limited to Microsoft's paid premium service.

As a result, customers relying on the standard service may not have had access to the logging necessary to identify unusual activities.

Microsoft agreed last Wednesday to provide free access to advanced logging. However, rolling it out globally may take some time, and customers will then need time to adopt it.

Wiz researchers also warned that, despite the revocation of the compromised key, certain Azure AD customers might still be vulnerable. The threat actors could have generated application-specific access keys for themselves or set up concealed backdoors, enabling them to maintain unauthorised access even after the key revocation.

In addition, any applications that cached copies of the Azure AD public keys before the revocation remain vulnerable to token forgery, because they still trust the revoked key, according to Tamari.
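The stale-key problem described above, as an added example that is not from the article or from Wiz: a minimal JWT verifier in which a key set cached before the revocation still contains the revoked `kid` and so accepts a token signed with it, while a verifier that refreshes the key set refuses it. The key names, the `demo-app` audience, the clock value and the HMAC stand-in for RS256 are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed key material (placeholders, not real Azure AD keys). HMAC stands in
# for RS256 so the block runs on the standard library; the key-set logic is the point.
KEY_A, KEY_B = b"constructed-key-A", b"constructed-key-B"
STALE_CACHE = {"kid-A": KEY_A, "kid-B": KEY_B}   # fetched before kid-A was revoked
CURRENT_KEYS = {"kid-B": KEY_B}                  # what the issuer publishes now

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, kid: str, key: bytes) -> str:
    """Issue a JWT the way an identity provider does: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, key_set: dict, audience: str, now: int):
    """Return the claims if the token verifies under key_set, otherwise None."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(_unb64url(h64)), json.loads(_unb64url(p64))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    key = key_set.get(header.get("kid"))
    if key is None:  # kid missing from the trusted set: unknown or revoked, refuse it
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims

def verify_with_cache(token, cache, cache_age, max_age, fetch_current, audience, now):
    """Re-fetch the key set once the cache is older than max_age, then verify.
    Refreshing only on an unknown kid is not enough: a revoked kid can still be cached."""
    key_set = fetch_current() if cache_age > max_age else cache
    return verify_token(token, key_set, audience, now)

NOW = 1_690_000_000  # constructed clock value (seconds since the epoch)
# Signed with the revoked kid-A: a stale cache accepts it, the current key set does not.
SAMPLE = mint_token({"aud": "demo-app", "exp": NOW + 3600}, "kid-A", KEY_A)
```

Bounding the cache age (or forcing a refresh when the issuer announces a revocation) is what closes the window; checking only for unknown key IDs does nothing against a key that is revoked but still cached.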

"We believe this event will have long-lasting implications on our trust of the cloud and the core components that support it, above all, the identity layer which is the basic fabric of everything we do in cloud," he wrote.

"We must learn from it and improve."