I meant to post this earlier but got distracted by a few other things. Yay for busy life, right?
Earlier this month Microsoft concluded their investigation of the recent Storm-0558 email compromise/attack and the results are... fascinating. I highly recommend checking out the blog post when you get a chance. It's available here.
In the meantime, here's a quick summary of the highlights:
- [Issue #1] A signing process crashed on a production component for Office/Outlook which caused a sensitive private key to be stored in a crash dump file. The key shouldn't have been stored in this dump file.
- [Issue #2] The crash dump file was moved to a less-secure environment for debugging. Microsoft had DLP scanning between the environments but the security controls didn't detect the presence of the key in the data.
- [Issue #3] A Microsoft engineer's account was compromised (details not specified) and that (theoretically) allowed the bad actor to access the crash dump file.
- [Issue #4] Microsoft didn't have log data going back far enough. So at this time, there's no concrete evidence of the exfiltration; it's just the most likely explanation of the behavior.
- [Issue #5] The signing key that was taken had far too much control; it allowed access to both outlook.com and enterprise Office accounts.
After the bad actor got the signing key, they were able to forge credentials on-demand and get access to ~25 high-level accounts (specific customers not disclosed).
So what can we learn from all of this? I think this highlights that software and cloud services are still products of human design (for now at least... I've got my eye on you, Skynet :-) ). It's also a reminder that risk is always present for organizations regardless of budget. Anyone and everyone should plan for potential breaches.