AA23-193A Enhanced Monitoring to Detect APT Activity Targeting Outlook Online

In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data. CISA and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory to provide guidance to critical infrastructure organizations on enhancing monitoring of Microsoft Exchange Online environments. Organizations can enhance their cyber posture and position themselves to detect similar malicious activity by implementing the logging recommendations in this advisory. Organizations that identify suspicious, anomalous activity should contact Microsoft to proceed with mitigation actions, because the affected infrastructure is cloud-based, and should also report to CISA and the FBI.

In mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in M365 Audit Logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA. (Updated July 14, 2023) Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts. The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft determined that this activity was part of a campaign targeting multiple organizations (all of which have been notified by Microsoft). Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse. The affected FCEB agency identified suspicious activity by leveraging enhanced logging, specifically of MailItemsAccessed events, and an established baseline of normal Outlook activity (e.g., expected AppID). CISA and FBI are not aware of other audit logs or events that would have detected this activity. The MailItemsAccessed event enables detection of otherwise difficult-to-detect adversarial activity. Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.
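The detection the agency describes, baselining the AppId/ClientAppId pairs that normally generate MailItemsAccessed events and flagging any pair outside that baseline, is shown below as an added example; it is not code from the advisory. The audit records are constructed and the field names (Operation, AppId, ClientAppId, MailAccessType, UserId, CreationTime) are assumed to match the AuditData JSON of Unified Audit Log rows; all AppIds and users are invented placeholders.

```python
import json
from collections import Counter

# Placeholder AppIds (constructed, not real Microsoft application IDs).
OUTLOOK_APP = "aaaaaaaa-0000-0000-0000-000000000001"   # the usual desktop client
MOBILE_APP = "bbbbbbbb-0000-0000-0000-000000000002"    # the usual mobile client
UNKNOWN_APP = "cccccccc-0000-0000-0000-000000000003"   # never seen in the baseline


def _rec(time, user, app, client, access="Bind"):
    """Build one constructed AuditData JSON line in the assumed MailItemsAccessed shape."""
    return json.dumps({"CreationTime": time, "Operation": "MailItemsAccessed", "UserId": user,
                       "AppId": app, "ClientAppId": client, "MailAccessType": access})


# Known-good period used to establish what "normal" Outlook access looks like.
KNOWN_GOOD_LOG = [
    _rec("2023-06-01T09:00:00", "alice@agency.example", OUTLOOK_APP, OUTLOOK_APP),
    _rec("2023-06-01T09:05:00", "bob@agency.example", OUTLOOK_APP, OUTLOOK_APP),
    _rec("2023-06-02T11:00:00", "alice@agency.example", MOBILE_APP, MOBILE_APP),
    _rec("2023-06-03T11:30:00", "bob@agency.example", MOBILE_APP, MOBILE_APP),
    json.dumps({"Operation": "Send", "UserId": "bob@agency.example"}),  # ignored: not MailItemsAccessed
]
# Later period under review: one normal access and one from an app the baseline has never seen.
NEW_LOG = [
    _rec("2023-06-15T10:01:00", "alice@agency.example", OUTLOOK_APP, OUTLOOK_APP),
    _rec("2023-06-15T10:02:00", "alice@agency.example", UNKNOWN_APP, UNKNOWN_APP, "Sync"),
]


def load_events(lines):
    """Parse AuditData JSON lines and keep only MailItemsAccessed events."""
    return [r for r in map(json.loads, lines) if r.get("Operation") == "MailItemsAccessed"]


def build_baseline(events, min_count=2):
    """Set of (AppId, ClientAppId) pairs seen at least min_count times in the
    known-good period; a pair seen once is not treated as established behaviour."""
    counts = Counter((e.get("AppId"), e.get("ClientAppId")) for e in events)
    return {pair for pair, n in counts.items() if n >= min_count}


def find_unexpected(events, baseline):
    """Return triage summaries for events whose app pair is outside the baseline."""
    return [{"time": e.get("CreationTime"), "user": e.get("UserId"), "app_id": e.get("AppId"),
             "client_app_id": e.get("ClientAppId"), "access_type": e.get("MailAccessType")}
            for e in events if (e.get("AppId"), e.get("ClientAppId")) not in baseline]


if __name__ == "__main__":
    for hit in find_unexpected(load_events(NEW_LOG), build_baseline(load_events(KNOWN_GOOD_LOG))):
        print("Unexpected MailItemsAccessed:", hit)
```

In practice the known-good records would come from an export of the Unified Audit Log (for example via Search-UnifiedAuditLog), and the baseline should be rebuilt and reviewed when a new sanctioned client is rolled out.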