AdvisoriesCISAAA23-193AJuly 12, 2023
July 12, 2023
In June 2023, a Federal Civilian Executive Branch (FCEB) agency noticed unusual events in M365 Audit Logs. The agency considered this suspicious because the observed AppID used in the client connection did not typically access mailbox items in their system. Microsoft investigated and found that advanced persistent threat (APT) actors had gained access to and extracted Exchange data from a few accounts. The actors used a consumer key to forge tokens and impersonate users. CISA and the FBI are not aware of any other logs or events that could have detected this activity. It is strongly recommended that critical infrastructure organizations implement the logging recommendations provided in this advisory to enhance their cybersecurity and detect similar malicious activities.
July 12, 2023
Most security incidents require resolutions from multiple controls, such as an EDR or an IDS. Rarely is an event best solved by addressing a single control. This advisory urges organizations using Exchange to enable audit logging to identify this attack in the wild. This should be done - but endpoint protection platforms (EPP) also have a responsibility. When a client makes an authenticated - but forged - request, it should be detected and subsequently blocked. This is a difficult proposition for most EPP tools due to the vast preponderance of client side applications that can make forged requests. But the prominence of this event should make it a priority to resolve, for the time being.
Be immediately notified of new advisories and associated security tests
AdvisoryCISAAA24-207AJuly 25, 2024
