Microsoft analysis attributed the activity to a group called Storm-0558 based on established prior tactics, techniques, and procedures (TTPs).
Investigation learned that the customer’s Exchange Online data was accessed using Outlook Web Access (OWA). The investigation started on Jun 16, 2023, when Microsoft was notified by a customer about an anomalous Exchange Online data access. The attacks were targeted and lasted for about a month before they were first discovered. Microsoft is getting criticized for the way in which it handled a serious security incident that allowed a suspected Chinese espionage group to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud.
