A U.S. government agency reportedly detected the first signs of an intrusion by a Chinese hacking group by using a premium logging feature that is not available to customers on lower-priced Microsoft 365 tiers.
The high-profile incident is raising new questions not just about the security of Microsoft’s online platforms for business and government, but also about the ways the company generates revenue from security features.
An agency in the Federal Civilian Executive Branch discovered the hack after detecting unusual activity in a type of audit log available to business and government customers only in the most advanced Microsoft 365 tier.
“Every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box to reasonably detect malicious cyber activity,” a senior official with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said on a press call, the Wall Street Journal reported.
Microsoft CEO Satya Nadella said in January that security revenue surpassed $20 billion annually (up from $15 billion a year earlier), which was about 10% of Microsoft’s $204 billion in revenue in the 2022 calendar year.
The hackers forged authentication tokens to access Outlook email accounts via Exchange Online, as detailed in this CISA post. The email account of U.S. Commerce Secretary Gina Raimondo was among those infiltrated, according to the Washington Post. Government officials say they don’t believe classified systems were accessed.
“We are monitoring our systems and will respond promptly should any further activity be detected,” the Department of Commerce said in an emailed statement. “The Department maintains strong cyber security protections, which we update to address a rapidly evolving cyber security landscape.”
An executive with Google, Microsoft’s arch-rival in cloud-based productivity software, called on the U.S. government to rethink its approach.
“Security is a team sport, but it’s hard to defend when only one team is giving up goals. ‘Monoculture’ in govt productivity software creates an easy attack surface. I hope this latest in a series of incidents pushes the U.S. govt to look at alternatives,” wrote Amit Zavery, Google Cloud VP, GM, and head of platform, on Twitter.
The hackers, whom Microsoft has dubbed “Storm-0558,” used an “acquired” Microsoft consumer account key to forge digital tokens that gave them access to the email accounts of “approximately 25 organizations including government agencies as well as related consumer accounts of individuals likely associated with these organizations,” Microsoft said in a post earlier this week.
Microsoft says the vulnerability that allowed the forged tokens to be used to access the email accounts has been fixed. The company has not yet explained how the consumer account key that was used to create the tokens was acquired by the hacking group. GeekWire has asked Microsoft for comment on this issue.
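The article says a consumer account key produced tokens that were accepted for organizational mailboxes, but does not describe the validation flaw itself. The following is an added illustration, not Microsoft's code and not a reconstruction of the Exchange Online bug: a toy token verifier, written for this page, that shows the general principle of why a token must only be trusted if its signing key belongs to the issuer the service actually trusts. The key rings, issuer URLs, audiences and key IDs are constructed placeholders, and HMAC is used in place of the asymmetric keys a real identity platform publishes, purely to keep the example self-contained.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed key material for two separate trust domains (hypothetical labels).
# A real identity platform publishes asymmetric signing keys per issuer; HMAC
# secrets stand in for them here only to keep the example offline and short.
CONSUMER_KEYS = {"consumer-key-1": secrets.token_bytes(32)}
ENTERPRISE_KEYS = {"enterprise-key-1": secrets.token_bytes(32)}

# Which issuer each key ring belongs to (placeholder issuer URLs).
ISSUER_KEYS = {
    "https://consumer.example.invalid": CONSUMER_KEYS,
    "https://enterprise.example.invalid": ENTERPRISE_KEYS,
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Build a compact JWT-like token: header.payload.signature (HMAC-SHA256)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), f"{h}.{p}"


def verify_weak(token: str, expected_aud: str) -> Optional[dict]:
    """Weak verifier: resolves the kid against every key ring it knows about.

    A valid signature from *any* domain is enough, so the claims inside the
    token (issuer, subject) are never tied back to the key that signed them.
    """
    header, claims, sig, signing_input = _split(token)
    for ring in ISSUER_KEYS.values():
        key = ring.get(header["kid"])
        if key is not None:
            expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
            if hmac.compare_digest(expected, sig):
                return claims if claims.get("aud") == expected_aud else None
    return None


def verify_strict(token: str, expected_iss: str, expected_aud: str) -> Optional[dict]:
    """Hardened verifier: the key must come from the ring owned by the trusted issuer.

    Issuer and audience are pinned before any key lookup, and the kid is only
    resolved inside that issuer's own key ring, so a key from another trust
    domain can never validate a token that claims to be from this issuer.
    """
    header, claims, sig, signing_input = _split(token)
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None
    key = ISSUER_KEYS.get(expected_iss, {}).get(header["kid"])
    if key is None:
        return None
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, sig) else None


def demo() -> dict:
    """Compare both verifiers on a legitimate token and on one signed with the wrong domain's key."""
    iss = "https://enterprise.example.invalid"
    aud = "enterprise-mail"
    claims = {"iss": iss, "aud": aud, "sub": "user@agency.example"}  # constructed claims
    legit = sign_token(claims, "enterprise-key-1", ENTERPRISE_KEYS["enterprise-key-1"])
    # Same claims, but signed with a key from the consumer trust domain.
    cross_domain = sign_token(claims, "consumer-key-1", CONSUMER_KEYS["consumer-key-1"])
    return {
        "weak_accepts_legit": verify_weak(legit, aud) is not None,
        "weak_accepts_cross_domain": verify_weak(cross_domain, aud) is not None,
        "strict_accepts_legit": verify_strict(legit, iss, aud) is not None,
        "strict_accepts_cross_domain": verify_strict(cross_domain, iss, aud) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The defender's takeaway is the ordering in `verify_strict`: decide which issuer you trust first, then look the key ID up only in that issuer's published key set, then check the signature. Any verifier that resolves a key ID across several trust domains before checking who the token claims to be from will accept a well-formed token from the wrong domain, which is the class of problem the article's description of forged tokens points at.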
“The accountability starts right here at Microsoft,” wrote Charlie Bell, Microsoft executive vice president for security, in a post earlier this week. “We remain steadfast in our commitment to keep our customers safe. We are continually self-evaluating, learning from incidents, and hardening our identity/access platforms to manage evolving risks around keys and tokens.”