Valence Threat Labs strives to keep our customers informed about significant breaches and security incidents that impact the SaaS landscape. On June 16, 2023, a Microsoft 365 customer alerted Microsoft to some anomalous email activity they had detected. Microsoft began investigating and found that an external adversary had compromised the email of 24 other customers as well. The attack began 32 days prior, on May 15, 2023.
This breach was notable for a number of reasons. First, instead of going after each target organization individually, the adversary chose a more efficient route. They compromised the SaaS vendor, Microsoft, to get to each of the target companies. This way, only one attack was necessary to access the email of 25 separate organizations, rather than 25 separate attacks.
Microsoft determined that the attack was performed by a China-based adversary referred to as Storm-0558, which has been associated with politically motivated attacks. Microsoft also noted that this adversary specializes in phishing, email, and SaaS attacks. The targets included US government agencies and private companies that work with the US government. Storm-0558 could have targeted any Microsoft 365 customer, but chose to limit focus to these 25 organizations for reasons that aren’t known or haven’t yet been shared.
The attacker used some novel exploits to achieve this attack by abusing signing and access keys. The attacker used a stolen signing key to forge Azure AD tokens. The term forge is important here, because a validation issue in Microsoft’s code made it possible to create and use invalid tokens. As long as these tokens were properly signed, Microsoft would allow their use.
The forged Azure AD tokens were then used to generate access tokens and steal email via the Outlook Mail API. Microsoft permanently addressed the two vulnerabilities that enabled these attacks but has still not discovered how the attacker stole the initial signing key that was used to kick off this attack.
Incident responders working for some customers affected by this attack became frustrated that necessary data wasn’t available. This data was unavailable because the customers weren’t paying for Microsoft’s premium security suite. This mirrors the experience shared at the beginning of this post and emphasizes that, while vendors should provide the necessary security features and tools, the customer still needs to ensure they’re paid for, deployed and working as expected.
Valence Threat Labs Recommendations
While Microsoft stopped the attack and fixed the vulnerabilities, it was a customer who originally detected the attack, over a month after it began. This breach emphasizes the importance of maintaining and utilizing security controls that are accessible to you, as the customer of a SaaS platform. Also, the line drawn in the SaaS vendor’s shared responsibility model may not be drawn where you expect it to be, or want it to be.
Know Your Tokens
Access tokens are everywhere. Every modern login, app, and service today generates a new access token. As the name implies, these tokens grant access to certain features, data and capabilities within the SaaS platform.
Tracking these tokens may be challenging, but it is essential to ensure that your environment is not accessed by parties in ways that you did not intend.
Awareness of new access tokens created and used during this breach could have allowed the affected organizations to escalate the issue earlier, potentially preventing further data loss.
- Track newly generated access tokens, given their access scopes and owners
- Watch for Token Replay attacks (when a token is stolen, and used elsewhere)
- Prepare playbooks to invalidate tokens when necessary to mitigate threats
Log, Monitor, Alert
Before you can respond to threats in your environment, you first need to know they are happening. This process can be broken down into 3 steps.
Log - Logs are a record of events that occur in your environment:
- Get to know your platform’s logging capabilities and events
- Map the important events and understand their meaning
- Enable relevant logs (some platforms disable logs by default)
Monitor - Now that we are recording events, we can monitor them. There are many tools that can ingest logs, prioritize and alert on notable events. Traditionally, SIEMs have been used to centralize this data, but often suffer from alert fatigue challenges. Posture management tools have emerged in the past few years to address this challenge for SaaS, Cloud, and other environments.
Alert - Platforms can generate a ton of logs, quickly drowning teams in events that can’t be effectively tracked. You should write queries that highlight and alert on specific events of interest or chains of events.
For example, this specific breach could have been detected using the following event types:
- Suspicious IP address activity - look out for suspicious IP addresses that access your environment (such as Tor, VPN, or any other abnormal IP addresses). In this breach, both Tor and VPNs were used to access the targeted organizations. For a list of IOCs, including IP addresses, related to this breach, see Microsoft’s list here.
- Mass Download of Data - create a baseline for typical data access volume and investigate any deviation from the norm. In this breach, the actor downloaded large amounts of email data from target organizations.
- Token generation - monitor new tokens and their scopes. In this breach, the actor generated new tokens with high-privilege scopes.
- Token use - tokens may be generated by a user, but are easily stolen and used by an attacker. Create a baseline for typical usage, and look for abnormal activity. In this breach, the actor used API calls to download large amounts of email, which may not have been typical for the targeted users.
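As an added illustration of the token-tracking advice under Know Your Tokens and the four event types listed above (example code written for this post, not Microsoft's or Valence's tooling), here is a small Python detector run over constructed audit events. The event fields, the suspicious-IP list and the high-privilege scope names are assumptions, not a real Microsoft 365 log format.

```python
import json
from collections import defaultdict

# Constructed sample audit events (not real Microsoft 365 logs), one JSON object per line.
# Days 1-3 establish alice's normal mail-read volume; day 4 shows the breach pattern:
# a new high-privilege token from an unusual IP, an old token replayed, and a bulk read.
SAMPLE_LOG = """\
{"ts":"2023-06-01T09:00","user":"alice","event":"TokenIssued","token":"t1","scopes":["Mail.Read"],"ip":"203.0.113.10"}
{"ts":"2023-06-01T09:05","user":"alice","event":"MailRead","token":"t1","count":40,"ip":"203.0.113.10"}
{"ts":"2023-06-02T09:05","user":"alice","event":"MailRead","token":"t1","count":35,"ip":"203.0.113.10"}
{"ts":"2023-06-03T09:05","user":"alice","event":"MailRead","token":"t1","count":45,"ip":"203.0.113.10"}
{"ts":"2023-06-04T11:00","user":"alice","event":"TokenIssued","token":"t2","scopes":["Mail.ReadWrite.All"],"ip":"198.51.100.7"}
{"ts":"2023-06-04T11:01","user":"alice","event":"MailRead","token":"t1","count":40,"ip":"198.51.100.7"}
{"ts":"2023-06-04T11:02","user":"alice","event":"MailRead","token":"t2","count":5000,"ip":"198.51.100.7"}
"""

SUSPICIOUS_IPS = {"198.51.100.7"}          # constructed stand-in for a Tor/VPN exit list
HIGH_PRIV_SCOPES = {"Mail.ReadWrite.All"}  # constructed stand-in for scopes you treat as high privilege
MIN_SAMPLES, SPIKE_FACTOR = 3, 5           # need 3 prior reads before judging; flag 5x the mean

def detect(log_text):
    """Return (rule, ts, user, detail) for each finding, evaluating events in order."""
    findings = []
    token_ip = {}                # token -> IP it was issued to (for replay detection)
    history = defaultdict(list)  # user -> previous MailRead counts (the volume baseline)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        ts, user, ip = e["ts"], e["user"], e["ip"]
        if ip in SUSPICIOUS_IPS:
            findings.append(("suspicious_ip", ts, user, ip))
        if e["event"] == "TokenIssued":
            token_ip[e["token"]] = ip
            privileged = HIGH_PRIV_SCOPES.intersection(e["scopes"])
            if privileged:
                findings.append(("high_priv_token", ts, user, sorted(privileged)))
        elif e["event"] == "MailRead":
            issued_ip = token_ip.get(e["token"])
            if issued_ip is not None and issued_ip != ip:
                findings.append(("token_replay", ts, user,
                                 f"{e['token']} issued to {issued_ip}, used from {ip}"))
            prior = history[user]
            if len(prior) >= MIN_SAMPLES and e["count"] > SPIKE_FACTOR * (sum(prior) / len(prior)):
                findings.append(("mass_download", ts, user, e["count"]))
            prior.append(e["count"])
    return findings
```

Each finding names the rule that fired, so a playbook (invalidate the token, block the IP, disable the user) can be keyed off the rule rather than off a raw log line.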
The term ‘posture management’ was born out of the realization that security teams need more than event data to monitor and understand IT environments like the cloud and SaaS. In addition to alerting on critical events and discovering misconfigurations, posture management also includes the concept of setting baselines and policies that make configuration drift visible.
Once a baseline is established, however, it becomes much easier to spot anomalies, like the strange behavior related to this breach, that customers noticed and reported to Microsoft.
Conclusion - Improve Your Readiness
This breach is sadly only one example where we’ve seen SaaS attacks that involve similar techniques. Token theft and abuse have been present in the CircleCI, LastPass, and Heroku/Travis-CI/GitHub breaches as well.
Security incidents are stressful events we should all do our best to prevent, but they’re also opportunities. Within the details of breaches are lessons to be learned - a roadmap for improving your security program. Don’t wait until the day the attack comes. Ensure you have the necessary training, preparation and tools before scenarios like these occur.
- Simulate Attack Scenarios to verify that security operations and incident response teams can detect and respond to a SaaS breach
- Prepare Playbooks for General Scenarios in each platform such as Invalidating Tokens, Blocking IP Addresses, Disabling Compromised Users, etc.
Get the 2023 State of SaaS Security report
The 2023 Valence State of SaaS Security report compiles our perspective on SaaS security, the latest threats, data from dozens of real companies, and finally, our recommendations and predictions for this market. It is a perfect primer for anyone wanting to better understand SaaS security challenges and how to solve them. Grab a copy today and share with your colleagues!