Joint Cybersecurity Advisory (CSA) - 20230713001

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory (CSA), on enhancing monitoring in Microsoft Exchange Online environments.

An unexpected malicious events in Microsoft 365 (M365) audit logs, have been observed, whereby licensed users can access items in exchange online mailboxes using any connectivity protocol from any client.Microsoft has determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data. The APT actors use a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users.

What is vulnerable?

The vulnerability affects Microsoft`s cloud environments:

• Microsoft Exchange Online
• Microsoft 365 Defender
• Microsoft Azure Active Directory
• Microsoft OneDrive for Business
• Microsoft Power BI
• Microsoft Power Platform
• Microsoft Sharepoint Online
• Microsoft Teams

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of one month (refer Patch Management):

• M365 Secure configuration baseline
• SEcure Cloud Business Applications (SCuBA)

Additional References

• CISA and FBI joint Cybersecurity Advisory