CISA, FBI directs enhanced monitoring for Exchange Outlook Online APT across critical infrastructure

U.S. cybersecurity agencies on Wednesday rolled out a joint Cybersecurity Advisory (CSA) providing guidance to agencies and critical infrastructure organizations on enhanced monitoring of Microsoft Exchange Online environments. After network defenders reported the incident to Microsoft, the activity was deemed malicious. Organizations are called upon to strengthen their cybersecurity posture and enable detection of similar malicious activity by implementing the advisory's logging recommendations.

The guidance, issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), comes after a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in its Microsoft 365 (M365) cloud environment last month. The agency reported the activity to Microsoft and CISA, and Microsoft determined that advanced persistent threat (APT) actors had accessed and exfiltrated unclassified Exchange Online Outlook data.

“In Mid-June 2023, an FCEB agency observed ‘MailItemsAccessed’ events with an unexpected ‘ClientAppID’ and ‘AppID’ in M365 Audit Logs,” the agencies wrote in the advisory titled ‘Enhanced Monitoring to Detect APT Activity Targeting Outlook Online.’ “The ‘MailItemsAccessed’ event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed ‘AppId’ did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA.”

The guidance added that Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts. “The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.”

Furthermore, the affected FCEB agency identified suspicious activity by leveraging enhanced logging, specifically of ‘MailItemsAccessed’ events, and an established baseline of normal Outlook activity (e.g., expected AppID), the advisory said. “The ‘MailItemsAccessed’ event enables detection of otherwise difficult to detect adversarial activity.”

The agencies confirmed that they are not aware of other audit logs or events that would have detected this activity. “Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity,” they added.

The advisory also encouraged critical infrastructure organizations to ensure audit logging is enabled, a recommendation drawn from CISA's secure configuration baselines. “These minimum viable secure configuration baselines are part of CISA’s Secure Cloud Business Applications (SCuBA) Project, which provides guidance for FCEB agencies securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments,” it added.

Additionally, the Office of Management and Budget (OMB) memorandum M-21-31 requires that Microsoft audit logs be retained for at least twelve months in active storage and an additional eighteen months in cold storage. This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy.

Apart from enabling audit logging, CISA and FBI recommend enabling Purview Audit (Premium) logging. This logging requires licensing at the G5/E5 level. They also suggest ensuring logs are searchable by operators. The relevant logs need to be accessible to operational teams in a platform that enables hunting for this activity and distinguishing it from expected behavior within the environment.

Additionally, the agencies advise enabling Microsoft 365 Unified Audit Logging (UAL). UAL should be enabled by default, but organizations are encouraged to validate these settings. They also suggest understanding an organization’s cloud baseline. Organizations must look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic. 
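As an added example (not part of the advisory or this article), the baseline-and-outlier check described above, run over constructed MailItemsAccessed records shaped like a Unified Audit Log JSON export: an AppId counts as expected only if the baseline window shows it accessing mail for at least two distinct users (a threshold chosen for this example), and any MailItemsAccessed event whose AppId falls outside that set is reported with its ClientAppId, the affected users and the number of items touched. Only the Operation, AppId and ClientAppId field names come from the advisory; every other field, GUID and address is constructed.

```python
from collections import defaultdict
# Constructed Unified Audit Log records, shaped like a JSON export.
# Operation, AppId and ClientAppId are the field names the advisory cites;
# all other fields, GUIDs and addresses here are constructed for this example.
OUTLOOK_DESKTOP = "11111111-0000-0000-0000-000000000001"  # constructed "known good" AppId
OUTLOOK_MOBILE = "11111111-0000-0000-0000-000000000002"   # constructed "known good" AppId
UNKNOWN_APP = "99999999-0000-0000-0000-000000000009"      # constructed never-seen AppId

def _rec(time, user, app, client, access="Bind", count=1, op="MailItemsAccessed"):
    return {"CreationTime": time, "Operation": op, "UserId": user, "AppId": app,
            "ClientAppId": client, "MailAccessType": access, "OperationCount": count}

BASELINE_LOG = [  # a quiet period used to learn what "normal" mailbox access looks like
    _rec("2023-05-01T08:00:00", "alice@agency.example", OUTLOOK_DESKTOP, "c-desktop", count=12),
    _rec("2023-05-01T08:05:00", "bob@agency.example", OUTLOOK_DESKTOP, "c-desktop", count=7),
    _rec("2023-05-02T12:30:00", "alice@agency.example", OUTLOOK_MOBILE, "c-mobile", "Sync", 40),
    _rec("2023-05-03T09:10:00", "carol@agency.example", OUTLOOK_MOBILE, "c-mobile", "Sync", 25),
    _rec("2023-05-04T10:00:00", "dave@agency.example", "22222222-0000-0000-0000-000000000003", "c-test"),
]
RECENT_LOG = [  # the window being hunted
    _rec("2023-06-15T09:01:12", "alice@agency.example", OUTLOOK_DESKTOP, "c-desktop", count=9),
    _rec("2023-06-15T09:02:40", "bob@agency.example", OUTLOOK_DESKTOP, "c-desktop", op="MailboxLogin"),
    _rec("2023-06-15T03:14:05", "alice@agency.example", UNKNOWN_APP, "c-unknown", "Bind", 3),
    _rec("2023-06-15T03:16:55", "alice@agency.example", UNKNOWN_APP, "c-unknown", "Sync", 60),
]

def mail_items_accessed(records):
    """Keep only MailItemsAccessed events, the record type the advisory relies on."""
    return [r for r in records if r.get("Operation") == "MailItemsAccessed"]

def build_baseline(records, min_users=2):
    """AppIds that accessed mail for at least min_users distinct users; a one-off AppId stays out."""
    users_by_app = defaultdict(set)
    for r in mail_items_accessed(records):
        users_by_app[r["AppId"]].add(r["UserId"])
    return {app for app, users in users_by_app.items() if len(users) >= min_users}

def find_unexpected_access(records, expected_app_ids):
    """MailItemsAccessed events whose AppId was never part of the baseline."""
    return [r for r in mail_items_accessed(records) if r["AppId"] not in expected_app_ids]

def summarize(hits):
    """Group hits by (AppId, ClientAppId): affected users, event count and items touched."""
    out = defaultdict(lambda: {"users": set(), "events": 0, "items": 0})
    for r in hits:
        agg = out[(r["AppId"], r["ClientAppId"])]
        agg["users"].add(r["UserId"])
        agg["events"] += 1
        agg["items"] += r["OperationCount"]
    return {k: {**v, "users": sorted(v["users"])} for k, v in out.items()}
```

Running `summarize(find_unexpected_access(RECENT_LOG, build_baseline(BASELINE_LOG)))` reports the two early-morning events from the unknown AppId against one mailbox while ignoring the non-MailItemsAccessed login record; the same functions work on a real export once the field names are confirmed against the tenant's own records.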

Organizations can enhance their cyber posture and position themselves to detect similar malicious activity by implementing the logging recommendations in this advisory. Additionally, organizations that identify suspicious or anomalous activity should contact Microsoft to proceed with mitigation actions, since the affected infrastructure is cloud-based, and should also report the activity to the cybersecurity agencies.

The cybersecurity agencies call upon critical infrastructure organizations to apply CISA’s recommended baseline security configurations for Microsoft Defender for Office 365, Azure Active Directory, Exchange Online, OneDrive for Business, Power BI, Power Platform, SharePoint Online, and Teams. They also advise separating administrator accounts from user accounts in accordance with the National Institute of Standards and Technology’s (NIST’s) guidance, and collecting and storing access and security logs for secure cloud access (SCA) solutions, endpoint solutions, cloud applications/platforms, and security services such as firewalls, data loss prevention systems, and intrusion detection systems.

The advisory also recommends using a telemetry hosting solution that aggregates logs and telemetry data to facilitate internal monitoring, auditing, alerting, and threat detection. It also suggests reviewing contractual relationships with cloud service providers (CSPs) and ensuring contracts include the security controls the customer deems appropriate; suitable monitoring and logging of provider-managed customer systems; relevant monitoring of the service provider’s presence, activities, and connections to the customer network; and notification of confirmed or suspected activity.

Last week, CISA, the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) published a joint CSA warning that hackers are leveraging newly identified Truebot malware variants against organizations in the two countries. Truebot is a botnet that has been used by malicious cyber groups, such as the CL0P ransomware gang, to collect and exfiltrate information from their target victims.
