Published on
July 25, 2023
Updated on
November 5, 2025

The Power of Audit Logs: Critical Lessons from the Recent Storm-0558 Threat

Obsidian Threat Research Team

Earlier this month, Microsoft and CISA reported the discovery of a recent advanced persistent threat (APT), Storm-0558, which gained access to Exchange and harvested corporate emails. The threat actor group responsible managed to gain access to Exchange data via the Outlook Web Access (OWA) API, using an access token obtained by exploiting vulnerabilities in the Microsoft ecosystem related to token exchange and signature validation. They started with a stolen authentication key that had been created for a different purpose.

How was it detected?

What’s interesting about this breach scenario is what led to the investigation and eventual discovery of the sophisticated threat. Although Microsoft ultimately found the APT, it was a Microsoft customer who first alerted on and investigated anomalous MailItemsAccessed events in the Microsoft audit log.

When it comes to sophisticated attacks such as this, people often assume that they primarily leverage 0-day vulnerabilities, making them near impossible to defend against. Discovering a 0-day exploit is challenging, but it isn’t the only way to detect an APT. Bad actors seldom carry out an entire attack chain using only 0-days (server-side RCE, SQLi, etc.). To reduce cost and effort, they will likely return to the standard service path at some point. Inevitably, this leaves a trace of activity at the application level, making the threat far easier to detect.

To help visualize this, imagine a thief breaking into your home using a key mold to unlock your front door. You have no way of knowing where or when they obtained this mold. Regardless, the security camera flags and tracks the activity the moment they step foot on your property. You are alerted once they attempt to open your door.

The same was true for this incident. After exploiting a few 0-day vulnerabilities, the threat actors eventually returned to the standard service path, the OWA API, leaving MailItemsAccessed records in the audit logs that eventually found them out.

How to harness audit log intel at scale

In this particular example, the audit log showed signs of anomalous activity and suspicious events that were then linked to the key validation and token exchange exploits after an internal investigation by Microsoft. The logs could just as easily have hinted at other vulnerabilities that lead to identity theft, such as XSS. With constant monitoring and assessment in place, audit logs can provide a powerful source of information for your threat detection and investigation efforts.
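As an added illustration (not code from the original post or from Obsidian's product), the following compares recent MailItemsAccessed records against a per-user baseline and flags events from an unseen client/IP pair or with bulk item access. The records, user, addresses and threshold are constructed; the field names follow the documented shape of Microsoft 365 Unified Audit Log MailItemsAccessed entries and are an assumption about the subset used here.

```python
from collections import defaultdict

# Constructed records in the shape of Unified Audit Log MailItemsAccessed
# entries (not real data; only the fields consumed below are present).
BASELINE = [
    {"CreationTime": "2023-06-01T09:00:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.com", "ClientIPAddress": "203.0.113.10",
     "ClientInfoString": "Client=OWA;Action=ViaProxy",
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"Id": "m1"}, {"Id": "m2"}]}]},
    {"CreationTime": "2023-06-02T09:30:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.com", "ClientIPAddress": "203.0.113.10",
     "ClientInfoString": "Client=OWA;Action=ViaProxy",
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"Id": "m3"}]}]},
]
RECENT = [
    # Same client string as usual, but a new source address and 120 items at once.
    {"CreationTime": "2023-06-15T02:10:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.com", "ClientIPAddress": "198.51.100.77",
     "ClientInfoString": "Client=OWA;Action=ViaProxy",
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"Id": f"m{i}"} for i in range(10, 130)]}]},
    {"CreationTime": "2023-06-15T09:00:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.com", "ClientIPAddress": "203.0.113.10",
     "ClientInfoString": "Client=OWA;Action=ViaProxy",
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"Id": "m4"}]}]},
    {"CreationTime": "2023-06-15T09:05:00", "Operation": "FileAccessed",
     "UserId": "alice@example.com", "ClientIPAddress": "203.0.113.10"},
]

def item_count(record):
    """Number of mail items the record reports as accessed, across all folders."""
    return sum(len(f.get("FolderItems", [])) for f in record.get("Folders", []))

def build_baseline(records):
    """Per user, the (ClientIPAddress, ClientInfoString) pairs seen in the baseline window."""
    seen = defaultdict(set)
    for r in records:
        if r.get("Operation") == "MailItemsAccessed":
            seen[r["UserId"]].add((r.get("ClientIPAddress"), r.get("ClientInfoString")))
    return seen

def flag_anomalies(records, baseline, max_items=100):
    """Return (record, reasons) for MailItemsAccessed events that deviate from the baseline."""
    findings = []
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue  # other operations are out of scope for this check
        reasons = []
        if (r.get("ClientIPAddress"), r.get("ClientInfoString")) not in baseline.get(r["UserId"], set()):
            reasons.append("client/IP pair not seen for this user in baseline")
        if item_count(r) > max_items:
            reasons.append(f"bulk access: {item_count(r)} items in one event")
        if reasons:
            findings.append((r, reasons))
    return findings

if __name__ == "__main__":
    for rec, why in flag_anomalies(RECENT, build_baseline(BASELINE)):
        print(rec["CreationTime"], rec["UserId"], rec["ClientIPAddress"], "; ".join(why))
```

In practice the baseline window would be built from weeks of exported records and the item threshold tuned per tenant; a single new IP for a user is a lead to triage, not proof of compromise.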

Obsidian’s industry-leading threat and posture capabilities for SaaS make it possible to identify and investigate threats quickly—before a material data breach occurs.

If you’re concerned about the security of Microsoft or any other central SaaS platforms such as Salesforce, Google Workspace, ServiceNow, or Workday, Obsidian Security is offering a no-cost risk assessment to help teams better understand the risks present in their environment.

Learn more about this risk assessment program and apply here.

Frequently Asked Questions (FAQs)

What was the Storm-0558 threat and how did it impact organizations?

Storm-0558 refers to an advanced persistent threat (APT) group that compromised Microsoft Exchange environments by exploiting vulnerabilities related to token exchange and signature validation. Using a stolen authentication key, the attackers accessed corporate emails via the Outlook Web Access (OWA) API and harvested sensitive data. This breach highlights the risks posed by complex token-based authentication systems in cloud environments.

How was the Storm-0558 breach detected despite its sophistication?

The breach was initially detected thanks to a Microsoft customer who noticed anomalous activity in the Microsoft audit logs, specifically through unusual MailItemsAccessed events. While the attackers used advanced techniques, their actions left traces at the application level, allowing security teams using audit logs to identify suspicious behavior and investigate further.

Why are audit logs important for detecting advanced threats like Storm-0558?

Audit logs provide detailed records of user and application activities, making it possible to spot unusual access patterns or suspicious events that may indicate a security incident. Even when attackers use 0-day vulnerabilities or advanced evasion techniques, their activities eventually interact with standard service paths—leaving detectable traces in audit logs that can trigger alerts and aid in investigations.

How can organizations effectively use audit logs to improve threat detection?

Organizations should implement continuous monitoring and regular assessment of audit logs to identify abnormal activity and potential threats. Leveraging tools like Obsidian Security's SaaS threat and posture platform can enhance visibility across SaaS applications, enable rapid detection of compromise, and support precise incident investigation with clear timelines and actionable recommendations.
