Storm-0558 - Millions of Azure AD Apps Affected

Affects:

Microsoft 365

Severity:

HIGH

Productivity Impact:

HIGH

Fix Estimate:

Unknown

Automatically protected by:

Overe "Premium"

Research:

Summary:

The Storm-0558 breach allows Chinese advanced persistent threat (APT) actors to access Microsoft cloud services, forge authentication tokens, and potentially compromise sensitive information in email accounts and other applications.

Remediation details

If you allow the "Log in with Microsoft" feature in your organisation, you may be vulnerable to an authentication bypass, which could lead to account takeover by the APT perpetrators.

Checking whether you may be vulnerable is an advanced task. Microsoft has fixed the issue with a new Azure App SDK which handles authentication, but you may still be vulnerable with older apps and with those that had certain app settings embedded when they were created.


Wiz (cybersecurity company) has provided the following guidance on what they believe is a common attribute of Apps vulnerable to this threat:

Any Azure Active Directory application that supports “Personal Microsoft accounts only” and works against Microsoft’s v2.0 protocol was affected. This includes managed Microsoft applications, such as Outlook, SharePoint, OneDrive, and Teams, as well as customers’ applications that support Microsoft Account authentication, including those who allow the “Login with Microsoft” functionality.


The image below illustrates the settings that are affected when the app is created:


Overe's recommendation is to closely monitor for activity listed by Microsoft here, which may be difficult without advanced security expertise:

https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/#:~:text=Indicators%20of%20compromise


We expect Microsoft to implement further protection to limit your exposure. In the meantime, as a good cyber-hygiene measure, you can review the apps in your Microsoft Azure (Entra) environment and delete the ones you have assessed are no longer used:


https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview?Microsoft_AAD_IAM_legacyAADRedirect=true
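To support the app review above, here is an added example (not Overe's, Wiz's or Microsoft's code) that triages an exported list of app registrations by the account-type setting Wiz describes. It assumes the export is JSON in the shape of Microsoft Graph `application` objects, where `signInAudience` holds the supported account types; the sample apps and the "match"/"review" priority labels are constructed for illustration.

```python
import json

# Constructed sample data shaped like Microsoft Graph `application` objects.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "hr-portal", "appId": "00000000-0000-0000-0000-000000000001",
     "signInAudience": "AzureADMyOrg", "api": {"requestedAccessTokenVersion": None}},
    {"displayName": "consumer-login", "appId": "00000000-0000-0000-0000-000000000002",
     "signInAudience": "PersonalMicrosoftAccount", "api": {"requestedAccessTokenVersion": 2}},
    {"displayName": "partner-sso", "appId": "00000000-0000-0000-0000-000000000003",
     "signInAudience": "AzureADandPersonalMicrosoftAccount",
     "api": {"requestedAccessTokenVersion": 2}},
    {"displayName": "legacy-tool", "appId": "00000000-0000-0000-0000-000000000004",
     "api": None},
]})

# Review priority per signInAudience value (this mapping is an assumption of the example).
PRIORITY = {
    "PersonalMicrosoftAccount": "match",             # "Personal Microsoft accounts only"
    "AzureADandPersonalMicrosoftAccount": "review",  # also accepts Microsoft accounts
    "AzureADMultipleOrgs": "none",
    "AzureADMyOrg": "none",
}


def load_apps(text):
    """Accept a bare JSON list or a Graph-style {"value": [...]} wrapper."""
    data = json.loads(text)
    return data["value"] if isinstance(data, dict) else data


def triage(apps):
    """Return apps to look at first, 'match' rows before 'review' rows."""
    rows = []
    for app in apps:
        audience = app.get("signInAudience")
        # A missing or unrecognised audience is surfaced for manual review.
        priority = PRIORITY.get(audience, "review")
        if priority == "none":
            continue
        version = (app.get("api") or {}).get("requestedAccessTokenVersion")
        rows.append({"name": app.get("displayName"), "appId": app.get("appId"),
                     "audience": audience, "tokenVersion": version,
                     "priority": priority})
    return sorted(rows, key=lambda r: (r["priority"] != "match", r["name"] or ""))


if __name__ == "__main__":
    for row in triage(load_apps(SAMPLE_EXPORT)):
        print(row["priority"], row["name"], row["audience"], row["tokenVersion"], sep="\t")
```

The output is a shortlist for manual assessment, not a verdict: whether a listed app is still in use, and whether it should be deleted, remains a judgement for the app owner.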



It is important to note that the Overe Microsoft App is not affected by this issue. Also, our Overe "Premium" service will be able to detect these threats in future.



