Storm 0558 & Microsoft Vulnerability Exploits
- August 1, 2023
Discussing the Potential Threats of Storm 0558 and Confirmation of No Impact to Archive360 Customers
NEW YORK, July 27, 2023 - Background: In June 2023, a Federal Civilian Executive Branch agency identified suspicious activity in its Microsoft 365 cloud environment. Several media reports identify the US State Department as the reporting agency and state that the US Commerce Department was also
impacted, with Commerce Secretary Gina Raimondo’s account among those compromised. The
agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security
Agency (CISA), and Microsoft determined that the actors had accessed and exfiltrated
unclassified Exchange Online Outlook data. According to Microsoft, the actors acquired a
private signing key (an MSA consumer signing key) and used it to forge access tokens for
Outlook Web Access and Outlook.com. CISA and the FBI released a joint Cybersecurity Advisory
providing guidance to critical infrastructure organizations on enhancing monitoring of
Microsoft Exchange Online environments:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a. The actors were
identified as a China-based adversary referred to as “Storm-0558” and associated with
politically motivated attacks. That Advisory (AA23-193A), released on July 12, 2023, covers
this incident in both federal and commercial email systems, which were compromised through
forged tokens accepted by applications that rely on the Microsoft Azure Active Directory
OpenID endpoint.
Extent of Exploit: Microsoft has published a detailed analysis of the threat
(https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/)
and associated mitigation steps. Some analysts, including security vendor Wiz (July 21, 2023),
suggested the exploit was not limited to Exchange Online and Outlook.com. Wiz researchers
believe the compromised MSA key could have allowed Storm-0558 to forge access tokens for any
other Azure Active Directory application that validates tokens with the keys published at the
OpenID endpoint (e.g., SharePoint, Teams, OneDrive). See the Wiz blog at
https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr.
Microsoft has not commented on this potential broader exposure to date; however, Archive360
has analyzed its environment on the basis of the potential broader risk.
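The failure mode described above, as an added example that is not Archive360's or Microsoft's code: a minimal JWT validator for an application that consumes an OpenID endpoint. The vulnerable form looks a token's `kid` up in one merged cache of every issuer's keys, so a token signed with a consumer key is accepted for an enterprise audience because the signature verifies. The hardened form binds the key lookup to the issuer the application expects (the `iss` claim alone is attacker-controlled), checks audience and expiry, and caps token lifetime. HS256 stands in for the RS256 keys a real provider publishes in its discovery document (an assumption made to keep the example dependency-free); the issuer names, key IDs, keys and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key material. A real provider publishes RSA/EC public keys per issuer
# via its OpenID discovery document; HMAC secrets stand in for them here.
CONSUMER_ISSUER = "https://login.example-consumer.test/"
ENTERPRISE_ISSUER = "https://login.example-enterprise.test/tenant-a/"
KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: {"kid-consumer-1": b"consumer-signing-key"},
    ENTERPRISE_ISSUER: {"kid-enterprise-1": b"enterprise-signing-key"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWT; the attacker runs this with the stolen key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def _sig_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_vulnerable(token: str, audience: str, now: Optional[float] = None) -> Optional[dict]:
    """Flaw: the kid is resolved against every key the service has ever cached,
    regardless of which issuer published it. Any valid signature is trusted."""
    try:
        header, claims, sig, signing_input = _parse(token)
    except (ValueError, json.JSONDecodeError):
        return None
    merged = {kid: k for keys in KEYS_BY_ISSUER.values() for kid, k in keys.items()}
    key = merged.get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= (now or time.time()):
        return None
    return claims


def validate_hardened(token: str, audience: str, expected_issuer: str,
                      now: Optional[float] = None, max_lifetime: int = 3600) -> Optional[dict]:
    """Hardened: key lookup is scoped to the expected issuer's key set, the algorithm is
    pinned, audience and expiry are checked, and lifetime is capped (the issuer controls
    neither the iss claim nor the exp claim in a forged token, so the validator must)."""
    try:
        header, claims, sig, signing_input = _parse(token)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256" or claims.get("iss") != expected_issuer:
        return None
    key = KEYS_BY_ISSUER.get(expected_issuer, {}).get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return None  # kid belongs to another issuer (or is unknown): reject even if it verifies
    now = now or time.time()
    exp, iat = claims.get("exp"), claims.get("iat")
    if claims.get("aud") != audience:
        return None
    if not isinstance(exp, (int, float)) or not isinstance(iat, (int, float)):
        return None
    if exp <= now or iat > now or exp - iat > max_lifetime:
        return None
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Attacker holds the consumer issuer's key and mints a token for an enterprise audience."""
    aud = "exchange-online"
    base = {"iss": ENTERPRISE_ISSUER, "aud": aud, "sub": "victim@tenant-a", "iat": now - 60}
    forged = sign_token({**base, "exp": now + 3000}, "kid-consumer-1",
                        KEYS_BY_ISSUER[CONSUMER_ISSUER]["kid-consumer-1"])
    legit = sign_token({**base, "exp": now + 3000}, "kid-enterprise-1",
                       KEYS_BY_ISSUER[ENTERPRISE_ISSUER]["kid-enterprise-1"])
    expired = sign_token({**base, "exp": now - 10}, "kid-enterprise-1",
                         KEYS_BY_ISSUER[ENTERPRISE_ISSUER]["kid-enterprise-1"])
    return {
        "vulnerable_accepts_forged": validate_vulnerable(forged, aud, now) is not None,
        "hardened_accepts_forged": validate_hardened(forged, aud, ENTERPRISE_ISSUER, now) is not None,
        "hardened_accepts_legit": validate_hardened(legit, aud, ENTERPRISE_ISSUER, now) is not None,
        "hardened_accepts_expired": validate_hardened(expired, aud, ENTERPRISE_ISSUER, now) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The forged token carries a plausible `iss` and `aud`, so a validator that trusts the signature and the claims alone has nothing to object to; the only defence is refusing any key that the expected issuer did not publish. The lifetime cap is what a short, forced token refresh buys: a stolen signing key can mint a token with any `exp`, and the validator must refuse to honour one longer than the issuer would legitimately grant.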
Confirmation of No Impact to Archive360 Customers: We wish to assure our customers that
Archive360 does not utilize the impacted Azure Active Directory OpenID Endpoint for customer
deployments. Out of an abundance of caution, Archive360 conducted vulnerability scans and
design and post-deployment audits to confirm that this issue impacts neither Archive360
customers nor Archive360 internal systems. No related vulnerabilities were found in these
scans and audits. Findings from the audit may be disclosed to Archive360 customers upon
request. Microsoft 365 customers impacted by this or other security incidents may engage
Archive360 to restore and validate corrupt or missing data and to provide chain-of-custody
attestations.
Archive360 Best Practices to Mitigate These Types of Risks: Archive360 has additional
security checks and time-based forced token refresh designs to mitigate these sorts of
external and internal risks. The primary barrier to this type of exploit is Archive360’s use
of an isolated network. Secondly, even if an actor could gain access to the network with a
misappropriated token, our data storage is encrypted at the classification level, so the data
is unreadable to the actor. Finally, for customers that require state-of-the-art security, our
cloud data protection gateway (CDPG) product, Archive360 Security Gateway, is available. It
performs field-level encryption of customer data before the data is migrated, with the keys
held separately from the storage account, thereby minimizing the impact of a breach at the
ISV or data center. The product may also be leveraged to insulate customer data from
governmental seizure by subpoena or otherwise: such a disclosure would yield only encrypted,
unreadable data, since the ISV does not have access to the encryption keys.
***
Thank you for your consideration of this Statement. If you have questions or concerns, please
contact your Archive360 Sales representative or ceo@archive360.com.
James M. McCarthy | Chief Compliance Officer & General Counsel