Archive360 News

Storm-0558 & Microsoft Vulnerability Exploits

Written by Jim McCarthy, Esq. | Aug 1, 2023 8:48:28 PM

Discussing the Potential Threats of Storm-0558 and Confirming No Impact to Archive360 Customers

NEW YORK, July 27, 2023 - Background: In June 2023, a Federal Civilian Executive Branch agency identified suspicious activity in its Microsoft 365 cloud environment. Several media reports identify the US State Department as the reporting agency and indicate that the US Commerce Department was also affected, with Commerce Secretary Gina Raimondo's account among those compromised. The agency reported the activity to Microsoft and to the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that the actors accessed and exfiltrated unclassified Exchange Online Outlook data. According to Microsoft, the actors acquired a private signing key (a Microsoft account (MSA) consumer signing key, not an encryption key) and used it to forge access tokens for Outlook Web Access and Outlook.com. On July 12, 2023, CISA and the FBI released a joint Cybersecurity Advisory, AA23-193A (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a), providing guidance to critical infrastructure organizations on enhancing monitoring of Microsoft Exchange Online environments; the advisory covers the compromise of both federal and commercial email systems through forged tokens accepted via the Microsoft Azure Active Directory OpenID endpoint. Microsoft identified the actors as a China-based adversary it tracks as "Storm-0558", associated with politically motivated attacks.

Extent of Exploit: Microsoft has published a detailed analysis of the threat (https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/) together with associated mitigation steps. Some analysts, including the security vendor Wiz (July 21, 2023), suggested that the exploit was not limited to Exchange Online and Outlook.com. Wiz researchers believe the compromised MSA key could have allowed Storm-0558 to forge access tokens for other Azure Active Directory applications that consume the affected OpenID endpoints (e.g., SharePoint, Teams, OneDrive): an application that trusts every signing key published at that endpoint, without binding each key to the issuer that published it, would accept a token signed with the compromised key whatever tenant the token claims to come from. See the Wiz blog at https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr. Microsoft had not commented on this broader risk at the time of this statement; Archive360 has nevertheless analyzed its environment against it.
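The following is an added example, not code from Archive360, Microsoft or Wiz, illustrating the relying-party check at issue in the paragraph above: a token's signing key (`kid`) must resolve only within the key set of the issuer the token claims, never in a merged pool of every key the application has ever fetched. The issuer URLs, audience, key identifiers and key material are constructed stand-ins for the consumer (MSA) issuer and an Azure AD tenant, and HS256 is used so the example runs with the Python standard library alone; real Azure AD and MSA tokens are RS256 and are verified against the public keys each issuer publishes through its OpenID discovery document.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed issuers and keys (hypothetical; not real Microsoft endpoints or
# key material). Each issuer has its own key set, as each would via its JWKS.
CONSUMER_ISSUER = "https://login.live.com/example"
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso-example"
AUDIENCE = "api://relying-party-example"

ISSUER_KEYS = {
    CONSUMER_ISSUER: {"msa-key-1": b"consumer-signing-secret-constructed"},
    ENTERPRISE_ISSUER: {"aad-key-1": b"enterprise-signing-secret-constructed"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, signing_issuer: str, kid: str) -> str:
    """Sign `claims` with key `kid` from `signing_issuer`'s key set.

    The `iss` claim is whatever the caller writes into it: that is exactly how
    the holder of one issuer's private key can try to impersonate another."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEYS[signing_issuer][kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _claims_ok(claims: dict, now: float):
    if claims.get("aud") != AUDIENCE:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def verify_permissive(token: str, now=None):
    """Flawed pattern: resolve `kid` against the union of every issuer's keys.

    Any key the relying party knows validates any token, so a key published by
    the consumer issuer vouches for a token that claims the enterprise issuer."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _split(token)
    merged = {kid: k for keys in ISSUER_KEYS.values() for kid, k in keys.items()}
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    return _claims_ok(claims, now)


def verify_strict(token: str, now=None):
    """Hardened pattern: the claimed issuer must be one we trust, and `kid`
    must resolve in that issuer's own key set and nowhere else."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _split(token)
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    issuer = claims.get("iss")
    if issuer != ENTERPRISE_ISSUER:          # allow-list of issuers this app serves
        return False, "untrusted issuer"
    key = ISSUER_KEYS[issuer].get(header.get("kid"))
    if key is None:
        return False, "kid not published by claimed issuer"
    if not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    return _claims_ok(claims, now)


def demo(now: float = 1_690_000_000.0) -> dict:
    """Forge a token with the consumer issuer's key while claiming the
    enterprise issuer, then run both validators on it and on a genuine token."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": AUDIENCE, "sub": "victim@contoso.example", "exp": now + 3600}
    forged = mint_token(claims, CONSUMER_ISSUER, "msa-key-1")
    legit = mint_token(dict(claims), ENTERPRISE_ISSUER, "aad-key-1")
    return {
        "forged_permissive": verify_permissive(forged, now),
        "forged_strict": verify_strict(forged, now),
        "legit_strict": verify_strict(legit, now),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the block shows the permissive validator accepting the forged token while the strict one rejects it for a `kid` the claimed issuer never published; the genuine enterprise token passes both. The same binding applies when keys are fetched dynamically from a discovery endpoint: cache them per issuer, and never let a key fetched for one issuer satisfy a lookup for another.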

Confirmation of No Impact to Archive360 Customers: We wish to assure our customers that Archive360 does not use the affected Azure Active Directory OpenID endpoint for customer deployments. Out of an abundance of caution, Archive360 conducted vulnerability scans as well as design and post-deployment audits to confirm that this issue affects neither Archive360 customers nor Archive360 internal systems. No related vulnerabilities were found in these scans and audits. Findings from the audit may be disclosed to Archive360 customers upon request. Microsoft 365 customers affected by this or other security incidents may engage Archive360 to restore and validate corrupt or missing data and to provide chain-of-custody attestations.

Archive360 Best Practices to Mitigate These Types of Risks: Archive360 employs additional security checks and time-based forced refresh controls to mitigate external and internal risks of this kind. The primary barrier to this type of exploit is Archive360's use of an isolated network. Second, even if an actor gained access to the network with a misappropriated token, stored data is encrypted at the classification level, so it remains unreadable to the actor. Finally, for customers that require state-of-the-art security, our cloud data protection gateway (CDPG) product, Archive360 Security Gateway, is available. It performs field-level encryption of customer data before migration, with the keys held separately from the storage account, thereby minimizing the impact of a breach at the ISV or data center. Because the ISV never holds the encryption keys, the product can also insulate customer data from governmental seizure by subpoena or otherwise: any such disclosure would yield only encrypted, unreadable data.
***
Thank you for your consideration of this Statement. If you have questions or concerns, please 
contact your Archive360 Sales representative or ceo@archive360.com.

James M. McCarthy | Chief Compliance Officer & General Counsel