Microsoft Cloud Vulnerability Exposes U.S. Government Email Data


    In a seemingly recurring theme, Microsoft disclosed that a China-based adversary has exploited a vulnerability in its cloud platform. The cyber attack exposed email data for 25 organizations, including federal government agencies, according to the White House. First detected by the U.S. government in mid-June, the vulnerability enabled hackers to forge authentication tokens to gain access to individual email accounts. 

    This flaw, which has now been mitigated, highlights the need for layered data security so that, when vulnerabilities are exploited, measures are still in place to block unauthorized access to sensitive information, regardless of where it resides.

    As emphasized in the Microsoft vulnerability brief, cyber attacks continue to escalate in frequency and sophistication — with email as a primary target for intelligence gathering. That’s why security leaders should be prioritizing data-centric protection for data flowing through vectors like email, file-sharing platforms, and SaaS apps. 

    The Microsoft Cloud Flaw: What Happened? 

    According to Microsoft:

    On June 16, 2023, based on customer reported information, Microsoft began an investigation into anomalous mail activity. Over the next few weeks, our investigation revealed that beginning on May 15, 2023, Storm-0558 gained access to email data from approximately 25 organizations, and a small number of related consumer accounts of individuals likely associated with these organizations. They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key… We added substantial automated detections for known indicators of compromise associated with this attack to harden defenses and customer environments, and we have found no evidence of further access.  

    Hackers had access to this data for at least a month before the vulnerability was reported, according to The New York Times.

    The Washington Post reported that “The number of U.S. email accounts believed to be affected so far is limited, and the attack appeared targeted, though an FBI investigation is ongoing, said a person familiar with the matter who spoke on the condition of anonymity because of the matter’s sensitivity.”

    While this vulnerability has been mitigated, it raises two important questions that every organization must answer:

    1. Do we trust Microsoft to protect our sensitive data? If so, how much?
    2. Should we consider implementing an extra layer of data access controls, beyond Microsoft’s system access controls?

    Data Access vs. System Access

    The more measures in place to safeguard access to the data itself, the stronger your security posture. Many organizations lean on Microsoft’s native security controls to protect information in email, file-sharing platforms, and SaaS apps. But because Microsoft continues to be a primary target of cyber attacks and an uncomfortably frequent victim of data breaches, it’s wise to put additional data protections in place.

    TLDR: When data access is managed separately from system access, you have a degree of separation so that, should someone gain unauthorized access to your systems, they won’t automatically have access to the data, too.

    Some of the ways that Virtru can help you put these additional data protections into place are through: 

    • Client-side, end-to-end email encryption: Native email security in platforms like Outlook and Gmail is often limited to transport-layer security (TLS), which protects data in transit, but not end-to-end. Client-side, end-to-end encryption gives users the ability to protect sensitive information before sharing it, and to extend control of that data beyond your organization’s perimeter. When you have an easy-to-use client-side encryption tool like Virtru for Outlook or Virtru for Gmail, users and admins have the ability to share sensitive information without losing control of it, and without adding friction to their existing workflows.
    • Server-side encryption to automate data protection: Applying server-side encryption gives you another layer of security for data leaving your organization. Server-side encryption can automatically detect sensitive information leaving your organization, and either block it or automatically encrypt it so it leaves securely. With tools like the Virtru Data Protection Gateway and Virtru Secure Share, you have additional data controls that allow you to revoke access at any time.
    • The ability to host your own encryption keys: When you control your encryption keys, rather than entrusting them to a cloud provider like Google or Microsoft, your encrypted data can be shared in the cloud without being visible or accessible to your cloud provider. It remains under your control, and you can host keys in the location of your choice with the Virtru Private Keystore.

    Email and SaaS Apps Are Prime Threat Vectors for Espionage — But Virtru Can Help

    When it comes to collecting intelligence, email represents a treasure trove of corporate and personal information that can be used against you and your organization, and can even pose threats to national security in the case of government agency and critical infrastructure data.

    Beyond email, consider the other SaaS applications that your organization uses to manage customer or constituent data — apps like Salesforce, Zendesk, 

    At Virtru, we specialize in helping organizations safeguard information on the data object level, ensuring well-defined data access controls that extend beyond your organization’s perimeter and provide degrees of separation between system and data. 

    Ready to fortify your data security in your Microsoft, Google, or hybrid cloud ecosystem? Contact our team for a demo today.

    Megan Leader

    Megan is the director of brand and content at Virtru. She has been crafting editorial content for 15 years, mostly at B2B technology companies. A journalism grad, her favorite part of her job is interviewing Virtru customers for case studies.
