Our investigation of the security incident disclosed by Microsoft and CISA and attributed to Chinese threat actor Storm-0558 found that this incident seems to have a broader scope than originally assumed. Organizations using Microsoft and Azure services should take steps to assess potential impact.
According to Microsoft, the compromised key was inactive and therefore any access token signed by this key must be considered suspicious.
Unfortunately, there is a lack of standardized practices when it comes to application-specific logging. Therefore, in most cases, application owners do not have detailed logs containing the raw access token or its signing key. As a result, identifying and investigating such events can prove exceedingly challenging for app owners.
So if I understand, Wiz is saying some apps that use Azure AD might not have sufficient logging to identify the IOCs. But MS apps like Exchange Online and Teams do have sufficient logging?
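The quoted text says app owners usually have no record of which key signed the access tokens they accepted, which is what makes hunting hard. As an added illustration (not code from Wiz, Microsoft, or the original post), the Python below shows the defender-side mechanics: read the `kid` (key ID) from a JWT's JOSE header without trusting the token, compare it against a watch list, and build an audit record that stores the key ID and a token hash rather than the raw bearer token. The key ID `PLACEHOLDER-COMPROMISED-KID` and the two sample tokens are constructed for the demo; the real compromised key ID is not on this page and would come from the vendor advisory.

```python
import base64
import hashlib
import json
from typing import Optional

# Constructed placeholder watch list. The actual compromised key ID is not
# given on this page; substitute the value from Microsoft's advisory.
SUSPICIOUS_KIDS = {"PLACEHOLDER-COMPROMISED-KID"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_header(token: str) -> dict:
    """Parse only the JOSE header of a compact JWS. The signature is NOT
    verified here; this is for logging and hunting, not for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[0]))


def signing_key_id(token: str) -> Optional[str]:
    """Return the key ID the token claims it was signed with, if any."""
    return token_header(token).get("kid")


def is_suspicious(token: str, watch_list=SUSPICIOUS_KIDS) -> bool:
    """True when the token names a key ID on the watch list."""
    return signing_key_id(token) in watch_list


def audit_log_entry(token: str) -> dict:
    """The minimal record an app should keep per accepted token so that a
    later key compromise can be hunted: kid, alg and a truncated hash of the
    token, instead of the raw bearer token itself."""
    header = token_header(token)
    fingerprint = hashlib.sha256(token.encode()).hexdigest()[:16]
    return {
        "kid": header.get("kid"),
        "alg": header.get("alg"),
        "token_sha256_prefix": fingerprint,
    }


def scan_tokens(tokens):
    """Run the check over a batch of tokens pulled from application logs."""
    return [dict(audit_log_entry(t), suspicious=is_suspicious(t)) for t in tokens]


def _make_demo_token(header: dict, claims: dict) -> str:
    # Constructed, unsigned demo token: the third segment is a dummy signature.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}.c2ln"


# Constructed sample input: one token naming the watch-listed key, one naming
# a normal key.
CONSTRUCTED_TOKENS = [
    _make_demo_token(
        {"alg": "RS256", "typ": "JWT", "kid": "PLACEHOLDER-COMPROMISED-KID"},
        {"sub": "user1", "aud": "api://example-app"},
    ),
    _make_demo_token(
        {"alg": "RS256", "typ": "JWT", "kid": "current-key-1"},
        {"sub": "user2", "aud": "api://example-app"},
    ),
]

if __name__ == "__main__":
    for entry in scan_tokens(CONSTRUCTED_TOKENS):
        print(entry)
```

The point of `audit_log_entry` is that an application can answer "did we ever accept a token signed by key X?" only if it recorded `kid` at validation time; logging the full token would create its own credential-leak risk, so the hash prefix is enough to correlate an entry with a token found elsewhere.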