Microsoft admits unauthorized access to Exchange Online, blames Chinese gang

US Commerce Secretary Gina Raimondo and other State and Commerce Department officials were reportedly among the victims of a China-based group's attack on Microsoft's hosted email services. The widespread reports cite "unnamed officials" as their source and note that the US State Department denies that any classified systems …

  1. Anonymous Coward

    I blame Microsoft

    It doesn't matter if we're talking about state actors or run-of-the-mill criminals: Microsoft should not make their life easier with shoddy coding.

    1. Abominator

      Re: I blame Microsoft

      This is Microsoft. It's always going to be shoddy code.

      Just look at the bloat that is Teams. Their modern, cutting edge messaging app.

      1. jgard

        Re: I blame Microsoft

        Boooooooooring!

        Can't you come up with anything better mate? You know, like better than the usual: " Duh.... um.... duh.... erm.... oh.. erm Microsoft... erm they're rubbish, must be shoddy code. Just look at all the bloated software they write! Duhh... erm... "

        Yeah, it's all down to Microsoft writing shoddy code. Says you: a person who doesn't understand what they are talking about, wouldn't know what shoddy code was if it jumped up and slapped them in the chops, and simply is not skilled or experienced enough to ever work as a Microsoft developer.

        But yeah, shoddy code. Right!

        1. Lil Endian

          Re: I blame Microsoft

          Do you sell chocolate teapots?

        2. Anonymous Coward

          Re: I blame Microsoft

          OK Microshill.

        3. Anonymous Coward

          Re: I blame Microsoft

          Most true and established facts are boring, sorry.

          Gravity exists - boring. An object in motion continues to do so until other forces impact them, like Teslas running into emergency vehicles and/or children - boring. Microsoft writing exceptionally shoddy code for the last 30 years and so party to over 99% of every. single. ransomware. and. hacking. attack. - boring.

          But fact.

        4. Anonymous Coward

          Re: I blame Microsoft

          The fact that MS365 and Azure have the by far worst uptime rates of any cloud provider should have already told you that Microsoft's software stack is very likely made up from old toilet paper cores and bubblegum, surrounded by quicksand.

          Which is also why we see truly outstanding clusterfucks like OMIGOD only from Microsoft and not the other cloud providers.

          Of course, that's also all just in addition to the fact that Microsoft already had a long track record of writing shitty code even before cloud was a thing, as also evidenced by the uncountable fuck-ups and mis-steps when trying to patch their wobbly operating systems and shoddy applications. I mean, really, they even fucked up basic stuff like printing several times, which truly is an art in itself.

          It's probably boring for you because deep down you already know that the other posters are correct, but then who knows maybe your job depends on not having a too close look at what services you or your employer subscribe to.

          The only thing more idiotic than Microsoft's software stack are business leaders who entrust their business to this shit show.

    2. Roland6 Silver badge

      Re: I blame Microsoft

      Part of the problem is cloud.

      Before cloud criminals needed to search for individual exchange servers, with cloud they are all behind a publicly known address…

      1. Lusty

        Re: I blame Microsoft

        "Before cloud criminals needed to search for individual exchange servers"

        No they didn't, email servers have always had DNS records pointing at them. All people need or ever needed was a mail domain, it's literally how email works!

        1. Anonymous Coward

          Re: I blame Microsoft

          For email, yes, but cloud storage has indeed made life a lot easier for data thieves - one system, one security structure, and no direct access to traffic, audit and access records.

          As for email, cloud based email has made it possible to set up world's biggest intercept operation ever.

        2. Roland6 Silver badge

          Re: I blame Microsoft

          > "email servers have always had DNS records pointing at them"

          If the email server is at xyz.Microsoft.com what are the odds of it not being Exchange compared to some random email service lurking behind a port 25 on a random IP address?

          Basically, I can search Shodan (*) or walk through DNS records and then face a potentially different security setup for each email server Shodan identifies as exchange, or target MS and with a high level of certainty know the security setup etc is common to all instances, so find a weakness in one…

          (*) As part of my security setup, I check Shodan, as yet it hasn’t identified my on-prem email server as Exchange…

    3. Michael Wojcik Silver badge

      Re: I blame Microsoft

      While details are scarce, the one thing we know about this breach is that it was due to a leaked key. That might be the result of shoddy coding, but is at least as likely to be the result of shoddy practice.

  2. Anonymous Coward

    Acquired taste

    Entry was forced by forging email authentication tokens with an acquired Microsoft account (MSA) consumer signing key.

    And how did an MSA consumer signing key get leaked? It doesn't help to revoke the one key if the leak isn't detected and plugged.

    It's like picking up the quarter that fell out of the pocket with a hole in it, and putting it back in the same pocket.

    1. Anonymous Coward

      Re: Acquired taste

      Microsoft’s messaging on this is dishonest.

      How did their MSA signing key get “acquired”?

      How could they have such a fundamental vulnerability as allowing tokens signed by a key for a consumer service access their enterprise service (OWA)?

      Two massive and inexcusable fails.

      I’ve been working with their cloud products, at scale, for years now and their constant dropping of the ball is starting to get me looking at competitors.

      Stop focusing all your effort on AI and start fixing your dearth of HI Microsoft.

      1. really_adf

        Re: Acquired taste

        "How did their MSA signing key get “acquired”?"

        Yes, and more importantly, how will that be prevented in future? Microsoft seem to have reasonable measures in place to detect and assess the problem, as well as the processes to mitigate it, but prevention is better than cure.

        "How could they have such a fundamental vulnerability as allowing tokens signed by a key for a consumer service access their enterprise service (OWA)?"

        I think "consumer" in "consumer signing key" refers to a service that validates and uses (i.e. consumes) the token that was produced and then signed using that key, not "consumer" as in "consumer-grade".

        Another important question is, given the key provided "access to email accounts affecting approximately 25 organizations including government agencies as well as related consumer accounts of individuals", what else could have been accessed with it? If a single compromised key allows access to email of more than one organisation, what are the chances it was limited to those?
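An added example, not code from the thread or from Microsoft: a toy token validator showing the check the posters above are asking about, namely that a signing key is accepted only for the issuer that published it, beside the flawed variant that accepts any known key. It assumes this thread's reading that the leaked key belonged to the consumer (MSA) issuer; issuer URLs, tenant and keys are constructed, and HMAC-SHA256 stands in for the RSA signatures real tokens use so it runs on the standard library.

```python
# Added example, not from the thread: a token validator that only accepts keys
# published by the expected issuer, beside the flawed variant that accepts any
# known key. Real MSA/Entra tokens are RS256 JWTs; HMAC-SHA256 is used here
# only so the example runs on the standard library. All values are constructed.
import base64, hashlib, hmac, json

CONSUMER_ISS = "https://consumer.example"              # constructed MSA-style issuer
ENTERPRISE_ISS = "https://enterprise.example/contoso"  # constructed tenant issuer
CONSUMER_KEY = {"kid": "msa-2023", "k": b"consumer-key-constructed"}
ENTERPRISE_KEY = {"kid": "ent-2023", "k": b"enterprise-key-constructed"}
# Published keys, indexed by the issuer that owns them.
KEYS_BY_ISSUER = {
    CONSUMER_ISS: {CONSUMER_KEY["kid"]: CONSUMER_KEY["k"]},
    ENTERPRISE_ISS: {ENTERPRISE_KEY["kid"]: ENTERPRISE_KEY["k"]},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict, key: dict) -> str:
    # Issue a token: header.claims.signature, each part base64url-encoded.
    header = b64url(json.dumps({"alg": "HS256", "kid": key["kid"]}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key["k"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify(token: str, expected_iss: str, expected_aud: str, scope_by_issuer: bool) -> bool:
    """Return True only if the signature, issuer and audience all check out."""
    header_s, body_s, sig_s = token.split(".")
    kid = json.loads(b64url_decode(header_s)).get("kid")
    claims = json.loads(b64url_decode(body_s))
    if scope_by_issuer:
        # Fixed design: only keys the expected issuer published are eligible.
        candidates = KEYS_BY_ISSUER.get(expected_iss, {})
    else:
        # Flawed design: a matching kid from any issuer's key set is accepted, so a
        # consumer-issuer key validates a token whose claims name the enterprise issuer.
        candidates = {k: v for ks in KEYS_BY_ISSUER.values() for k, v in ks.items()}
    key = candidates.get(kid)
    if key is None:
        return False
    expected = hmac.new(key, f"{header_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_s)):
        return False
    return claims.get("iss") == expected_iss and claims.get("aud") == expected_aud
```

The issuer and audience claims alone cannot save the flawed variant, because whoever holds a key also controls the claims it signs; only binding the key to its issuer does.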

    2. Anonymous Coward

      Re: Acquired taste

      "And how did an MSA consumer signing key get leaked?"

      I suspect someone has found the US government API to their authentication and is using it for their own entertainment and profit.

      I hope I am wrong, but as far as I can see Microsoft has made itself party to authentication processes by means of Office 365 and Windows. As last stage in the authentication chain they can generate an access token at will, so if agency X wants to look at protected contents that now no longer lives in a local DC but in a far flung cloud thing (that you don't get access records to) they could just give MS the email address and have them generate the required credential token, conveniently bypassing pesky passwords and 2FA demands.

      Nobody would be able to detect it other than Microsoft who has of course every reason not to look too closely.

    3. Anonymous Coward

      Re: Acquired taste

      There should never be ANY method by which a signing key could be "acquired".

      If this was actual theft, then the RCA points to poor architecture design on how their signing keys are stored & utilized. Who has access, etc. And it baits the question...How secure are the rest of their signing keys? And what evidence do they have that they were not ALSO compromised? Just because this one was caught being used does not mean there are not other breaches going unnoticed.

      If this was a willful release, then there should have been a disclosure notifying customers of the problem. They should not have waited until after the subsequent attack to admit the breach.

      The stupid thing is how many times I have heard "Microsoft security is good enough". Sure, it is good enough to keep pot-luck Susie from stealing your secret cake recipe. But not good enough for anything of value - from a consumer's financial information to corporate secrets to government secrets. We really need to stop trusting Microsoft.

      Oh, hey, Reg just posted today an article about MSFT releasing Entra "Permissions Management and Verified ID". Yeah, let's all jump on that bandwagon and trust Microsoft with our identification! What could possibly go wrong?

    4. Michael Wojcik Silver badge

      Re: Acquired taste

      Similar comments have been made by a number of security experts, such as the editors of SANS NewsBites. There's a lot of concern over the lack of information in the report and possibly explanations. One of the SANS editors (Frost, maybe) noted that the only obvious "leaked key" he could think of offhand in this scenario is the key used to sign JWTs, and losing control of that would be bad indeed.

  3. Yorick Hunt Silver badge
    Devil

    Splorf!

    If "senior US officials" decided to use Hotmail as their messaging system, they deserve everything they get (didn't they learn from Hillary's experiences?).

    1. Anonymous Coward

      Re: Splorf!

      The problem is, they were using Exchange Online not the consumer service.

      So a stolen consumer signing key was able to be used to sign forged access tokens for Outlook Web App!! This is a double fail.

      1. Roland6 Silver badge

        Re: Splorf!

        “Acquired” doesn’t necessarily mean “stolen”…

        1. Anonymous Coward

          Re: Splorf!

          Thanks for the English lesson. If Microsoft knowingly gave Chinese Intelligence a signing key for their consumer email service (and yes, we can all imagine scenarios where this might be required) without ensuring that same key was unable to be used to forge access tokens for their enterprise service in other geographies, then we’ve got a “fired C-Suite” level of fail right there.

      2. Yorick Hunt Silver badge

        Re: Splorf!

        Hotmail, MSN, Live, Outlook, Microsoft 365, Exchange Online, call it what you will - it's still the same product with the same sticky-tape-and-string coding that Microsoft is famous for.

        In corporate marketing parlance, "professional" and "enterprise" are terms used to infer higher pricing (and if you're lucky better support), not "better product." If a "WordPress Enterprise" CMS was to be offered, would you trust it for use on a critical site?

        1. Nick Ryan

          Re: Splorf!

          Don't forget the word "modern".

          In Microsoft terms this means that something is ill thought out, badly implemented, indescribably inefficient, annoying to use, opaque and has no diagnostic logging whatsoever... but it's "shiny". The last bit is important, of course.

  4. sitta_europea Silver badge

    People in government use Outlook?

    1. Martin Summers

      Err yeah, like it or not so does most of the corporate world. It's a standard tool, it works most of the time. It's also familiar. So regardless of Microsoft bashing, it is what it is until something actually better and deployable comes along.

      1. RedGreen925 Bronze badge

        "So regardless of Microsoft bashing"

        It is not bashing when you tell the truth about the absolute garbage products they produce. What a joke. Until something better comes along, you say? At this point anything is better than the virus delivery system that masquerades as an operating system that Microsoft has delivered constantly FOR literally decades. And its products are so full of these holes that anyone who uses them should be fined massive amounts of cash for the chaos they cause to their customers. A million dollars per person, per incident, just might get those morons' attention. A million affected, a billion in fines to both the companies using the software and the producer of it; this lets the market decide how much of the costs they wish to carry from using that garbage.

    2. Mr Dogshit

      As opposed to what? Notes?

      1. Michael Wojcik Silver badge

        qmail as MTA and the user's choice of MUA (with something like Thunderbird – which I don't particularly like, but at least it's not !@#$%^& Outhouse) would be a better choice. Exchange is a disaster.

    3. Strahd Ivarius Silver badge
      Facepalm

      Yes, they use the specific "government" instances, the most secure ones...

  5. ecofeco Silver badge

    And nothing was learned

    Not by Microsoft, not by the U.S. government, not by anyone.

    Not even by the Chinese, who already knew MS is a fabulous threat vector.

  6. Tron Silver badge

    This could come in handy.

    Savannah, where is your homework?

    I'm locked out of my home PC, Sir. Unnamed officials have told me that it is down to Chinese state hackers. My Dad said it was just Microsoft, but the unnamed officials said he was 'off narrative', took him away for a chat, and when he limped back, he confirmed that it was the Evil Commies. I was hoping for your support Sir, unless of course you are a secret Evil Commie. Have you now or have you ever been a member of the Communist Party of East Norfolk, Sir?

  7. Anonymous Coward

    Unauthorized

    Not just outsourced to the people who know how to get it to work then.

  8. david1024

    The key plz!

    Looks like poor key management. Heck, could even be social engineering.

    I want to know who the 25 were

  9. PhilipN Silver badge

    How curious

    Washington Post says "the government was not yet attributing the attack to any country or group" alongside a similar clickbait headline.

  10. Anonymous Coward

    Why on earth is *any* system that requires reliable security running on top of Microsoft products.

  11. Anonymous Coward
    Facepalm

    observed MailItemsAccessed events with an unexpected ClientAppID

    What exactly is this consumer signing key (MSA) normally used for, and how can it be leveraged to grant access to Exchange email? Is it wise for every government department to be using the exact same email system? As when one department gets hacked, they all get hacked.

    observed MailItemsAccessed events with an unexpected ClientAppID and AppID in Microsoft 365 Audit Logs

    CyberWaffle .. has anyone ever managed to make sense of Windows event logs?
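An added example, not code from the thread or from Microsoft, of making sense of the audit signal quoted above: it picks out MailItemsAccessed records whose AppId or ClientAppId is not one the tenant expects. Field names follow the Microsoft 365 Unified Audit Log schema for that operation; the exported records and the allowlist are constructed for the example.

```python
# Added example, not from the thread: flag MailItemsAccessed records whose
# AppId or ClientAppId falls outside the tenant's allowlist. Field names follow
# the Microsoft 365 Unified Audit Log schema; records and allowlist are constructed.
import json
from collections import defaultdict

# Constructed allowlist: app IDs a tenant has inventoried as legitimate mail clients.
EXPECTED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}

# Constructed audit log export, one JSON record per line.
SAMPLE_LOG = """
{"CreationTime": "2023-06-15T09:12:44", "Operation": "MailItemsAccessed", "UserId": "alice@contoso.example", "AppId": "11111111-1111-1111-1111-111111111111", "ClientAppId": "11111111-1111-1111-1111-111111111111", "ClientIPAddress": "203.0.113.10", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]}
{"CreationTime": "2023-06-15T09:15:02", "Operation": "MailItemsAccessed", "UserId": "alice@contoso.example", "AppId": "22222222-2222-2222-2222-222222222222", "ClientAppId": "33333333-3333-3333-3333-333333333333", "ClientIPAddress": "198.51.100.7", "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}]}
{"CreationTime": "2023-06-15T09:20:19", "Operation": "Send", "UserId": "bob@contoso.example", "AppId": "22222222-2222-2222-2222-222222222222", "ClientAppId": "22222222-2222-2222-2222-222222222222", "ClientIPAddress": "203.0.113.11"}
"""

def parse_export(text: str) -> list:
    # One JSON object per non-empty line.
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def access_type(record: dict) -> str:
    # MailAccessType (Bind = single item, Sync = client sync) lives in OperationProperties.
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == "MailAccessType":
            return prop.get("Value", "")
    return ""

def find_unexpected_access(records: list, expected_app_ids: set) -> dict:
    """Map each mailbox to its MailItemsAccessed hits from app IDs outside the allowlist."""
    hits = defaultdict(list)
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue  # other operations are out of scope for this check
        app_ids = {rec.get("AppId"), rec.get("ClientAppId")} - {None}
        unexpected = app_ids - expected_app_ids
        if unexpected:
            hits[rec["UserId"]].append({
                "time": rec.get("CreationTime"),
                "app_ids": sorted(unexpected),
                "ip": rec.get("ClientIPAddress"),
                "access": access_type(rec),
            })
    return dict(hits)

if __name__ == "__main__":
    for user, events in find_unexpected_access(parse_export(SAMPLE_LOG), EXPECTED_APP_IDS).items():
        print(user, json.dumps(events, indent=2))
```

Microsoft's MailItemsAccessed records are only emitted for mailboxes with the relevant audit licensing, so an empty result is not evidence of absence unless that logging is confirmed to be on.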
