CISA Advisory AA23-193A

July 12, 2023

APT Activity Targeting Outlook Online

What we know so far

In June 2023, a Federal Civilian Executive Branch (FCEB) agency noticed unusual events in M365 Audit Logs. The agency considered this suspicious because the observed AppID used in the client connection did not typically access mailbox items in their system. Microsoft investigated and found that advanced persistent threat (APT) actors had gained access to and extracted Exchange data from a few accounts. The actors used a consumer key to forge tokens and impersonate users. CISA and the FBI are not aware of any other logs or events that could have detected this activity. It is strongly recommended that critical infrastructure organizations implement the logging recommendations provided in this advisory to enhance their cybersecurity and detect similar malicious activities.
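The detection described above, an AppID that does not normally access mailbox items, can be hunted for by baselining AppIDs over a known-good window and flagging any others. This is an added example, not code from the advisory; it assumes a JSON-lines audit export with `Operation`, `AppId` and `UserId` fields and that mailbox item access is recorded as the `MailItemsAccessed` operation, and all sample records are constructed.

```python
import json
from collections import Counter

MAIL_ACCESS_OP = "MailItemsAccessed"  # assumed operation name for mailbox item access

def mail_access_events(lines):
    """Yield parsed mailbox-access records from a JSON-lines audit export."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated rows instead of aborting the hunt
        if isinstance(rec, dict) and rec.get("Operation") == MAIL_ACCESS_OP:
            yield rec

def baseline_app_ids(lines):
    """AppIDs that accessed mailbox items during the known-good window."""
    return {r["AppId"].lower() for r in mail_access_events(lines) if r.get("AppId")}

def unusual_access(lines, baseline):
    """Count mail access per (AppId, UserId) for AppIDs absent from the baseline."""
    hits = Counter()
    for r in mail_access_events(lines):
        app = (r.get("AppId") or "<missing>").lower()  # GUID case varies by exporter
        if app not in baseline:
            hits[(app, r.get("UserId", "<unknown>"))] += 1
    return hits

# Constructed sample data: GUIDs and users are invented for illustration.
KNOWN = "11111111-1111-1111-1111-111111111111"
ODD = "99999999-9999-9999-9999-999999999999"

def rec_line(op, user, app):
    return json.dumps({"Operation": op, "UserId": user, "AppId": app})

BASELINE_LOG = [
    rec_line("MailItemsAccessed", "alice@example.test", KNOWN),
    rec_line("UserLoggedIn", "alice@example.test", ODD),  # sign-in only, not mail access
]
CURRENT_LOG = [
    rec_line("MailItemsAccessed", "alice@example.test", KNOWN),
    rec_line("MailItemsAccessed", "bob@example.test", KNOWN.upper()),
    rec_line("MailItemsAccessed", "bob@example.test", ODD),
    rec_line("MailItemsAccessed", "bob@example.test", ODD),
    rec_line("MailItemsAccessed", "alice@example.test", ODD),
    '{"Operation": "MailItemsAcc',  # truncated export row
]

if __name__ == "__main__":
    for (app, user), n in unusual_access(CURRENT_LOG, baseline_app_ids(BASELINE_LOG)).items():
        print(f"review: AppId {app} accessed mail items for {user} ({n} events)")
```

An AppID that only appears in sign-in events stays out of the baseline, so its first mailbox access is still flagged.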
