URL: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
Cybersecurity Advisory


ENHANCED MONITORING TO DETECT APT ACTIVITY TARGETING OUTLOOK ONLINE

Release Date
July 12, 2023
Alert Code
AA23-193A



SUMMARY

In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified
suspicious activity in their Microsoft 365 (M365) cloud environment. The agency
reported the activity to Microsoft and the Cybersecurity and Infrastructure
Security Agency (CISA), and Microsoft determined that advanced persistent threat
(APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.

CISA and the Federal Bureau of Investigation (FBI) are releasing this joint
Cybersecurity Advisory to provide guidance to critical infrastructure
organizations on enhancing monitoring of Microsoft Exchange Online environments.
Organizations can enhance their cyber posture and position themselves to detect
similar malicious activity by implementing logging recommendations in this
advisory. Organizations that identify suspicious, anomalous activity should
contact Microsoft for proceeding with mitigation actions due to the cloud-based
infrastructure affected, as well as report to CISA and the FBI.

Download the PDF version of this report: AA23-193A Enhanced Monitoring to Detect APT Activity Targeting Outlook Online (PDF, 410.82 KB)


TECHNICAL DETAILS

In mid-June 2023, an FCEB agency observed MailItemsAccessed events with an
unexpected ClientAppID and AppID in M365 Audit Logs. The MailItemsAccessed event
is generated when licensed users access items in Exchange Online mailboxes using
any connectivity protocol from any client. The FCEB agency deemed this activity
suspicious because the observed AppID did not normally access mailbox items in
their environment. The agency reported the activity to Microsoft and CISA.

(Updated July 14, 2023) Microsoft determined that APT actors accessed and
exfiltrated unclassified Exchange Online Outlook data from a small number of
accounts. The APT actors used a Microsoft account (MSA) consumer key to forge
tokens to impersonate consumer and enterprise users. Microsoft remediated the
issue by first blocking tokens issued with the acquired key and then replacing
the key to prevent continued misuse. Microsoft determined that this activity was
part of a campaign targeting multiple organizations (all of which have been
notified by Microsoft). [1]

The affected FCEB agency identified suspicious activity by leveraging enhanced
logging—specifically of MailItemsAccessed events—and an established baseline of
normal Outlook activity (e.g., expected AppID). The MailItemsAccessed event
enables detection of adversarial activity that is otherwise difficult to detect.

CISA and FBI are not aware of other audit logs or events that would have
detected this activity. Critical infrastructure organizations are strongly urged
to implement the logging recommendations in this advisory to enhance their
cybersecurity posture and position themselves to detect similar malicious
activity.


LOGGING

CISA and the FBI strongly encourage critical infrastructure organizations to
ensure audit logging is enabled. Note: Per CISA’s Microsoft Exchange Online
Microsoft 365 Minimum Viable Secure Configuration Baselines, FCEB agencies shall
enable audit logging. These minimum viable secure configuration baselines are
part of CISA’s Secure Cloud Business Applications (SCuBA) Project, which
provides guidance for FCEB agencies securing their cloud business application
environments and protecting federal information created, accessed, shared, and
stored in those environments. Although tailored to FCEB agencies, the project
provides security guidance applicable to all organizations with cloud
environments. The Office of Management and Budget (OMB) M-21-31 requires
Microsoft audit logs be retained for at least twelve months in active storage
and an additional eighteen months in cold storage. This can be accomplished
either by offloading the logs out of the cloud environment or natively through
Microsoft by creating an audit log retention policy.

In addition to enabling audit logging, CISA and FBI strongly encourage
organizations to:

 * Enable Purview Audit (Premium) logging. This logging requires licensing at
   the G5/E5 level. See Microsoft’s guidance on Assigning Microsoft 365 Licenses
   to Users for additional information.
 * Ensure logs are searchable by operators. The relevant logs need to be
   accessible to operational teams in a platform (e.g., security operations
   center [SOC] tooling) that enables hunting for this activity and
   distinguishing it from expected behavior within the environment.
 * Enable Microsoft 365 Unified Audit Logging (UAL). UAL should be enabled by
   default, but organizations are encouraged to validate these settings.
 * Understand your organization’s cloud baseline. Organizations are encouraged
   to look for outliers and become familiar with baseline patterns to better
   understand abnormal versus normal traffic.
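The detection described under Technical Details, and the "understand your cloud baseline" recommendation above, as an added example (written for this page, not CISA's or Microsoft's tooling): a baseline of (AppId, ClientAppId) pairs is built from a known-good window of MailItemsAccessed records, and any mailbox access in a later review window from a pair outside that baseline is flagged. The record shape, GUIDs and user names are constructed; only the event name and the AppId/ClientAppId field names come from the advisory.

```python
import json

# Constructed records in the shape of Unified Audit Log AuditData JSON (one per line) from a
# known-good window; only the field names AppId/ClientAppId come from the advisory, GUIDs are made up.
BASELINE_WINDOW = """\
{"CreationTime":"2023-05-02T08:10:00","Operation":"MailItemsAccessed","UserId":"alice@agency.example","AppId":"00000000-0000-0000-0000-000000000001","ClientAppId":"00000000-0000-0000-0000-000000000001","ClientInfoString":"Client=OWA;Action=ViaProxy"}
{"CreationTime":"2023-05-02T08:12:00","Operation":"MailItemsAccessed","UserId":"bob@agency.example","AppId":"00000000-0000-0000-0000-000000000002","ClientAppId":"00000000-0000-0000-0000-000000000002","ClientInfoString":"Client=Outlook"}
{"CreationTime":"2023-05-03T09:00:00","Operation":"MailItemsAccessed","UserId":"alice@agency.example","AppId":"00000000-0000-0000-0000-000000000001","ClientAppId":"00000000-0000-0000-0000-000000000001","ClientInfoString":"Client=OWA;Action=ViaProxy"}
"""

# Constructed review window: one mailbox read comes from an AppId never seen in the baseline,
# and one non-mail event carries that same AppId (it must not be counted as a mailbox access).
REVIEW_WINDOW = """\
{"CreationTime":"2023-06-15T12:01:44","Operation":"MailItemsAccessed","UserId":"alice@agency.example","AppId":"00000000-0000-0000-0000-000000000001","ClientAppId":"00000000-0000-0000-0000-000000000001","ClientInfoString":"Client=OWA;Action=ViaProxy"}
{"CreationTime":"2023-06-15T12:03:10","Operation":"MailItemsAccessed","UserId":"alice@agency.example","AppId":"00000000-0000-0000-0000-0000deadbeef","ClientAppId":"00000000-0000-0000-0000-0000deadbeef","ClientInfoString":"Client=REST"}
{"CreationTime":"2023-06-15T12:05:00","Operation":"UserLoggedIn","UserId":"carol@agency.example","AppId":"00000000-0000-0000-0000-0000deadbeef"}
{"CreationTime":"2023-06-15T12:06:00","Operation":"MailItemsAccessed","UserId":"bob@agency.example","AppId":"00000000-0000-0000-0000-000000000002","ClientAppId":"00000000-0000-0000-0000-000000000002","ClientInfoString":"Client=Outlook"}
"""

def parse_records(text):
    """Parse newline-delimited AuditData JSON; a malformed line is skipped rather than aborting the hunt."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def mail_access_events(records):
    """Keep only MailItemsAccessed; other operations do not indicate that mailbox items were read."""
    return [r for r in records if r.get("Operation") == "MailItemsAccessed"]

def app_pair(record):
    """(AppId, ClientAppId) identifies the application that read the mailbox; GUIDs compare case-insensitively."""
    return (str(record.get("AppId", "")).lower(), str(record.get("ClientAppId", "")).lower())

def build_baseline(history_text):
    """Application pairs observed reading mail during the known-good window."""
    return {app_pair(r) for r in mail_access_events(parse_records(history_text))}

def find_outliers(review_text, baseline):
    """MailItemsAccessed events whose application pair is absent from the baseline."""
    return [r for r in mail_access_events(parse_records(review_text)) if app_pair(r) not in baseline]

if __name__ == "__main__":
    for r in find_outliers(REVIEW_WINDOW, build_baseline(BASELINE_WINDOW)):
        print(f"{r['CreationTime']} unbaselined AppId {r['AppId']} read mailbox of {r['UserId']}")
```

A hit is a starting point for triage, not a verdict: a newly licensed client will also appear as an outlier, so the baseline window must be refreshed from reviewed, expected activity.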


GENERAL CLOUD MITIGATIONS

All mitigation actions for this activity are the responsibility of Microsoft due
to the cloud-based infrastructure affected; however, CISA and the FBI recommend
that critical infrastructure organizations implement the following to harden
their cloud environments. Although these mitigations will not prevent this or
related activity where actors leverage compromised consumer keys, they will
reduce the impact of less sophisticated malicious activity targeting cloud
environments. Note: These mitigations align with CISA’s SCuBA Technical
Reference Architecture (TRA), which describes essential components of security
services and capabilities to secure and harden cloud business applications,
including the platforms hosting the applications.

 * Apply CISA’s recommended baseline security configurations for Microsoft
   Defender for Office 365, Azure Active Directory, Exchange Online, OneDrive
   for Business, Power BI, Power Platform, SharePoint Online, and Teams [SCuBA
   TRA Section 6.6].
 * Separate administrator accounts from user accounts according to the National
   Institute of Standards and Technology’s (NIST’s) guidance, AC-5: Separation
   of Duties. Only allow designated administrator accounts to be used for
   administration purposes. If an individual user requires administrative rights
   over their workstation, use a separate account without administrative access
   to other hosts.
 * Collect and store access and security logs for secure cloud access (SCA)
   solutions, endpoint solutions, cloud applications/platforms and security
   services, such as firewalls, data loss prevention systems, and intrusion
   detection systems [SCuBA TRA Section 6.8.1].
 * Use a telemetry hosting solution (e.g., SIEM solution) that aggregates logs
   and telemetry data to facilitate internal organization monitoring, auditing,
   alerting, and threat detection activities [SCuBA TRA Section 6.8.1].
 * Review contractual relationships with all Cloud Service Providers (CSPs) and
   ensure contracts include:
   * Security controls the customer deems appropriate.
   * Appropriate monitoring and logging of provider-managed customer systems.
   * Appropriate monitoring of the service provider’s presence, activities, and
     connections to the customer network.
   * Notification of confirmed or suspected activity.


REPORTING SUSPICIOUS ACTIVITY

Organizations are encouraged to report suspicious activity to CISA via CISA’s
24/7 Operations Center (report@cisa.gov or 888-282-0870). The FBI encourages
recipients of this document to report information concerning suspicious or
criminal activity to their local FBI field office or IC3.gov.


RESOURCES

 * CISA: Microsoft Exchange Online Microsoft 365 Minimum Viable Secure
   Configuration Baselines
 * CISA: SCuBA Project
 * Microsoft: Assigning Microsoft 365 Licenses to Users
 * CISA: SCuBA TRA
 * CISA: Recommended Baseline Security Configurations (Microsoft)
   * Defender for Office 365
   * Azure Active Directory
   * Exchange Online
   * OneDrive for Business
   * Power BI
   * Power Platform
   * SharePoint Online
   * Teams
 * NIST: AC-5: Separation of Duties

Update July 14, 2023:

 * Microsoft: Microsoft Mitigates China-based Threat Actor Storm-0558 Targeting
   of Customer Email
 * Microsoft: Mitigation for China-Based Threat Actor Activity
 * Microsoft: Analysis of Storm-0558 Techniques for Unauthorized Email Access

End Update


REFERENCES

[1] Microsoft Security Response Center (MSRC) blog: Microsoft mitigates
China-based threat actor Storm-0558 targeting of customer email


ACKNOWLEDGEMENTS

Microsoft contributed to this CSA.


DISCLAIMER

The information in this report is being provided “as is” for informational
purposes only. The FBI and CISA do not endorse any commercial product or
service, including any subjects of analysis. Any reference to specific
commercial products, processes, or services by service mark, trademark,
manufacturer, or otherwise, does not constitute or imply endorsement,
recommendation, or favoring by the FBI and CISA.

This product is provided subject to this Notification and this Privacy &
Use policy.
