April 11, 2024 · 5m read

Takeaways from the Microsoft Exchange Online Intrusion Review

Ivan Dwyer 

@fortyfivan 

There’s a phrase we’ve been championing here at Material – your productivity suite isn’t just another application, it’s critical infrastructure.

In its detailed review of a 2023 Microsoft incident, where threat actor Storm-0558 linked to the People’s Republic of China compromised a number of Microsoft Exchange Online mailboxes, the Cyber Safety Review Board (CSRB) put a stake in the ground and declared that cloud service providers (CSP) are indeed critical infrastructure.

"The cloud creates enormous efficiencies and benefits but, precisely because of its ubiquity, it is now a high-value target for a broad range of adversaries, including nation-state threat actors. An attacker that can compromise a CSP can quickly position itself to compromise the data or networks of that CSP’s customers. In effect, the CSPs have become one of our most important critical infrastructure industries. As a result, these companies must invest in and prioritize security consistent with this ‘new normal,’ for the protection of their customers and our most critical economic and security interests." - Cyber Safety Review Board

CSRB findings and recommendations

The harsh but fair conclusion to the CSRB’s in-depth review is that this incident should “never have happened” – it was the result of a cascade of avoidable failures internally at Microsoft, enabling a chain of events that culminated in the compromise. A signing key issued in 2016 that was only intended for Outlook Web Access (OWA) was improperly validated by Enterprise Exchange Online (EEO) due to a serious flaw in Microsoft’s token validation system; Microsoft had also neglected to automate key rotation since a 2001 incident. As a result, Storm-0558 was able to exploit this flaw to create a common OpenID Connect endpoint that listed signing keys, which they then used to gain unauthorized access to a wide range of email accounts – many of which belonged to senior U.S. government officials.

It wasn’t Microsoft that first detected the compromise; it was the State Department. Give credit where credit is due – the Security Operations Center (SOC) within the State Department built custom rules and automation based around anomalous access to mailboxes. A rule named “Big Yellow Taxi” triggered an investigation, at which point they determined that malicious actions were taken. One interesting aspect of this investigation is that the State Department was only able to perform such an in-depth investigation given their purchase of the most advanced (and expensive) logging available from Microsoft. However, the logging product is limited in its historical lookback, which left the State Department in the dark in certain areas. 

Not surprisingly, the recommendations from the CSRB to Microsoft emphasize the importance of taking security more seriously. The report specifically calls out the CEO and Board of Directors, even suggesting that new feature development should be deprioritized until security risks are addressed. Beyond Microsoft, the recommendations also highlight the industry-wide need for cloud providers to prioritize collaboration on security measures.

The entire industry must come together to dramatically improve the identity and access infrastructure that safeguards the information CSPs are entrusted to maintain. Global security relies upon it.

Cyber Safety Review Board

Why your productivity suite is critical infrastructure

When we think of CSPs, we generally think of the major infrastructure providers – AWS, GCP, and Microsoft Azure. Every other cloud service gets lumped together in a generic SaaS category, which has subsets of markets based on use case. 

We make a distinction here at Material. Your productivity suite – Microsoft 365 or Google Workspace – is home to all of your people, content, and communications over all time. It’s the first system that employees get onboarded into and the last to get offboarded. As such, they’re critical infrastructure to your business.

These systems also carry an outsized risk profile and are more complex to operate than any SaaS application. The level of depth needed to make a difference requires a focus that, frankly, has yet to be widely acknowledged by our industry. There are massive ecosystems around cloud security, but what about cloud office security? 

(Where cloud office == productivity suite == M365 / Google Workspace)

We bang this drum constantly because of its importance, but also because of the status quo. Security & Risk Management teams who carry the responsibility of securing their M365 or Google Workspace environments inevitably find themselves dealing with a heavy set of disjointed tasks that break their tool budget (money) and alert budget (time). 

Threat wrangling: responding to large volumes of sophisticated email-based attacks such as phishing, business email compromise (BEC), and account takeover (ATO) scenarios.

Config wrangling: staying on top of a wide range of fine-grained user and system configurations that could lead to exploitable vulnerabilities due to poor posture or improper settings.

Data wrangling: gaining visibility across the sprawl of sensitive data across various data sources in order to apply governance and access controls according to company policy and compliance guidelines.

The first decade of the cloud spawned a wide range of security tools that addressed specific pain points and gaps that differed from traditional on-prem architectures. Over time, however, many of these tools started to converge around a few key areas – workloads, identity, and data leading the charge. And now we’re starting to see further consolidation roll up into single cloud security platforms.

The same needs to happen with the cloud office. Teams that have one solution in place to block emails, another to monitor accounts, another to classify data, and another to measure risk will invariably miss the correlation between events, making it extremely difficult to instill robust defenses and to perform effective incident response.

We have a hypothesis as to where this starts – with email.

The email attack lifecycle

Practically speaking, the primary focus area for Security & Risk Management teams as it relates to your productivity suite is email – and email security is far from a solved problem. It’s easy to point to increased volume and sophistication of attacks as the reasoning, but as this incident reminds us, email is more than just an attack delivery method – it’s also a vector and a target. Compromised email accounts enable elevated access to systems and applications, and a mailbox contains a treasure trove of sensitive data. 

While this particular incident occurred at the provider level, the lessons are similar for teams who manage these systems on behalf of the business. Blocking attacks takes a concerted effort, but defenses should be designed with an “assume breach” mentality, monitoring signals for, and containing the reach of, a potentially compromised account or insider risk scenario.

Email is the grand unifier here. From the attacker’s perspective, it’s a method, vector, and target as illustrated. From the defender’s perspective, it’s the relationship between people, content, and communications that can be correlated across the attack lifecycle. For reasons mentioned above, however, disjointed tasks make this correlation challenging.

How can we unify the grand unifier? This is where Material shines.

The Email Attack Lifecycle

As a result, cloud service providers (CSPs) have become custodians of nearly unimaginable amounts of data... An attacker that can compromise a CSP can quickly position itself to compromise the data or networks of that CSP’s customers.

Cyber Safety Review Board

Material’s holistic approach to email security

Since our inception, Material has focused its team efforts on addressing the harder parts of email security. 

Our early days were anchored around the sensitive data that is accessible from within an employee’s mailbox. Data Protection for Email was built to apply an added layer of authentication to email messages. 

Because we’re connected directly to the provider via API, we also found that we could uncover notable risk signals associated with system configurations and user behaviors. Posture Management was built to surface high risk signals with quick remediation flows. 

As the de facto identity layer across a wide range of systems and applications, email accounts can be used to gain elevated access. Identity Protection was built to plug SSO gaps and expose Shadow IT uses by leveraging email patterns to uncover and block application misuse such as password resets.

Of course, there are phishing attacks. We started down this path by leveraging similarity patterns across attacks, making it easier for incident response teams to triage cases in bulk. Recent advancements in Phishing Protection have further boosted our detections to identify and block a wide range of sophisticated attacks.

Finally, we recently expanded coverage into file repositories with Data Protection for Google Drive. Customers who appreciated our depth of coverage into employee mailboxes requested we do the same for documents. 

In the spirit of this conversation, the value of our product suite becomes a 1 + 1 = 3 scenario when you bring it all together. And we’re continuing our journey to cover your full productivity suite.

Material Security's holistic approach to email security

Placing trust in your cloud service providers

Closing this out, there’s one more notable takeaway from this report – and it has everything to do with data.

Security leaders are constantly faced with the question of how much trust to place in their CSPs. The commonly referenced Shared Responsibility Model of each provider isn’t always as clear as depicted. When it comes to security especially, the customer’s inherited responsibility for securing resources and applications should also factor in the possibility of a compromise within the underlying compute, storage, and networking infrastructure maintained by the provider, which sophisticated attackers could take advantage of.

Taking a cue from the State Department in this case, the ability to get to the underlying data and logs of your cloud systems is paramount to incident response. This can, of course, be costly for organizations that are constrained by budget and resources. In many ways, this attack resembles the 2009 nation state attack dubbed Operation Aurora, which led Google to re-architect their entire corporate infrastructure through an initiative named BeyondCorp. For companies who are not Google, however, the effort was simply too monumental to even consider – but what emerged over time is what we now know as Zero Trust.

If I were to play this out, what will emerge from incidents like this is the greater adoption of data products that can effectively correlate events across systems for the purposes of forensic investigations. Our friends over at Snowflake describe this as a Security Data Lake.

Here at Material, we’ve invested heavily into this type of architecture with our underlying data platform. Every one of our customers is deployed into an isolated GCP tenant, where we continually sync with your provider to build out a structured data warehouse of people, content, and events.

It’s with this underlying data platform, and only with this data platform, that we’re able to get to the depth required to cover the full spectrum of cloud office security. As the State Department proves, effective incident response requires a full historical lookback and correlation of events across entities.
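To make the State Department’s approach concrete (the custom rule around anomalous mailbox access mentioned earlier, and the historical lookback this paragraph calls for), here is an added example of a toy detector; it is not the “Big Yellow Taxi” rule, not Material’s code, and the log fields and sample events are constructed assumptions rather than any provider’s real audit format.

```python
"""Toy anomalous-mailbox-access detector (added example; field names are assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: ISO timestamp, actor, mailbox accessed, client app id.
SAMPLE_LOG = """\
2023-06-01T08:00:00 alice alice@example.gov OutlookDesktop
2023-06-01T08:05:00 bob bob@example.gov OutlookDesktop
2023-06-02T09:00:00 alice alice@example.gov OutlookDesktop
2023-06-15T02:10:00 svc-unknown alice@example.gov WebClient-9f
2023-06-15T02:11:00 svc-unknown bob@example.gov WebClient-9f
2023-06-15T02:12:00 svc-unknown carol@example.gov WebClient-9f
2023-06-15T02:30:00 bob bob@example.gov OutlookDesktop
"""


def parse(log):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, actor, mailbox, app = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "mailbox": mailbox, "app": app})
    return events


def detect(events, baseline_end, window=timedelta(minutes=15), fanout=3):
    """Return alerts found in events at or after `baseline_end`.

    Rule 1 (novel-access): an (actor, app) pair reads a mailbox it never touched
    during the baseline period. This needs retained history: with no lookback,
    every access looks equally normal.
    Rule 2 (fan-out): one actor reads >= `fanout` distinct mailboxes within `window`,
    a correlation across mailboxes rather than a per-mailbox check.
    """
    baseline = {(e["actor"], e["app"], e["mailbox"]) for e in events if e["ts"] < baseline_end}
    alerts, seen_novel = [], set()
    recent = defaultdict(list)  # actor -> [(ts, mailbox)] inside the sliding window
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ts"] < baseline_end:
            continue
        key = (e["actor"], e["app"], e["mailbox"])
        if key not in baseline and key not in seen_novel:
            seen_novel.add(key)
            alerts.append(("novel-access", e["actor"], e["mailbox"]))
        bucket = recent[e["actor"]]
        bucket.append((e["ts"], e["mailbox"]))
        bucket[:] = [(t, m) for t, m in bucket if e["ts"] - t <= window]
        distinct = {m for _, m in bucket}
        if len(distinct) == fanout:  # fire once, when the threshold is first reached
            alerts.append(("fan-out", e["actor"], len(distinct)))
    return alerts
```

Running `detect(parse(SAMPLE_LOG), datetime(2023, 6, 10))` flags the unknown client on all three mailboxes and a single fan-out alert, while bob’s own routine access stays quiet because it appears in the baseline.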

Our customers have built advanced search & discovery workflows atop our data platform much like the State Department did with “Big Yellow Taxi.” I’d love to know how that was named – as a music lover, I hope it’s an homage to Joni Mitchell, but alas, we may never know.

Material Security's Data Platform

We’d love to hear your thoughts on this topic, and let you see for yourself with a demo. Schedule some time with our team to learn more.