APT Activity in Microsoft Exchange Online

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) recently released a joint Cybersecurity Advisory (CSA) after observing malicious activities in Microsoft 365 (M365) audit logs in a Federal Civilian Executive Branch (FCEB) agency. The advisory encourages agencies and critical infrastructure organizations to enhance their cybersecurity posture by implementing recommended logging measures. In cases of suspicious activity, organizations are advised to contact Microsoft for mitigation steps, given the cloud-based nature of the infrastructure, and report the activities to both CISA and the FBI.

Preventative measures, such as enabling audit logging, are strongly recommended to reduce the risk of exposure. Additionally, CISA's Minimum Viable Secure Configuration Baselines for Microsoft 365, including the Microsoft Exchange Online baseline, published under the Secure Cloud Business Applications (SCuBA) project, provide further guidance for securing the cloud-based infrastructure.
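As an added example, not taken from the advisory or from this page, the following Exchange Online PowerShell session shows the practical form of the "enable audit logging" recommendation: it checks whether unified audit log ingestion is on, turns it on if not, and then pulls a recent window of audit records so they can actually be reviewed. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role allowed to read and change audit settings; the 7-day window, the 5000-record cap and the output file name are choices made for this example.

```powershell
# Added example (not from the advisory or this page).
# Assumes: ExchangeOnlineManagement module installed; account has audit-config rights.

Connect-ExchangeOnline   # interactive sign-in

# 1. Confirm unified audit log ingestion is enabled; enable it if it is not.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is disabled; enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Retrieve the last 7 days of audit records (5000 is the per-call maximum
#    for Search-UnifiedAuditLog; page with -SessionCommand for larger windows).
$end   = Get-Date
$start = $end.AddDays(-7)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000

# 3. Quick triage view: how many events of each operation type were recorded.
$records |
    Group-Object Operations |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 4. Flatten the AuditData JSON payload into a reviewable CSV
#    (time, acting user, operation, source IP where the record carries one).
$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
    }
} | Export-Csv -Path .\audit-last7d.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

One caveat worth keeping in mind: the search only returns events ingested after logging was enabled, so turning audit logging on during an investigation does not recover activity that preceded it. Enabling it ahead of time, as the advisory urges, is what makes later review possible at all.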

In essence, the advisory calls for increased vigilance, enhanced logging practices, and a proactive approach to detecting and mitigating potential threats in Microsoft 365 environments. Given how pervasive these environments are in contemporary business operations, this represents an essential part of our cybersecurity strategy going forward.