Joint Cybersecurity Advisory on Enhanced Monitoring to Detect APT Activity Targeting Outlook Online

Author: April Zupan

Created: Thursday, July 13, 2023 - 17:33

Categories: Cybersecurity, Federal & State Resources

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), Enhanced Monitoring to Detect APT Activity Targeting Outlook Online, to provide guidance to agencies and critical infrastructure organizations on enhancing monitoring in Microsoft Exchange Online environments. 

In June 2023, a federal civilian agency observed unexpected events in its Microsoft 365 audit logs. After the agency reported the incident to Microsoft, the activity was deemed malicious. Microsoft is tracking this activity as Storm-0558, which has a nexus to China and focuses on espionage, data theft, and credential access. The goal of this CSA is to enhance organizational cybersecurity posture and position organizations to detect similar malicious activity by implementing the listed logging recommendations.

According to Microsoft, beginning on May 15, 2023, Storm-0558 gained access to email accounts affecting approximately 25 organizations, including at least one U.S. government agency, as well as related consumer accounts of individuals likely associated with these organizations. While Microsoft has completed mitigation of this attack across its customer base, members are encouraged to maintain heightened awareness of their Microsoft Outlook Online environment, implement the suggested logging to detect similar methods, and report any suspicious or anomalous activity to Microsoft, CISA, and the FBI. Read more at CISA.
