[CDP-development] CISA, FBI Release Advisory Encouraging Organizations to Monitor Microsoft Exchange Online Environments

Masse, Theresa theresa.masse at cisa.dhs.gov
Wed Jul 12 07:20:41 PDT 2023


FYSA

  

Today, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory <https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a> that urges all organizations to enhance their cybersecurity posture and position themselves to detect malicious activity on their Exchange Online environments.



Recently, a federal agency observed suspicious, unexpected activity in unclassified Microsoft 365 audit logs and reported it to Microsoft and CISA. In coordination with Microsoft, it was determined that advanced persistent threat (APT) actors had accessed and exfiltrated Exchange Online Outlook data. The incident was remediated.



The joint advisory, “Enhanced Monitoring to Detect APT Activity Targeting Outlook Online” <https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a>, provides security guidance on logging that should be implemented, to include:

· Ensure Purview audit logging is enabled,
· Ensure logs are searchable by operators,
· Enable Microsoft 365 unified audit logging (UAL), and
· Understand the cloud baseline for your organization.



Organizations that identify suspicious, anomalous activity should contact Microsoft for proceeding with mitigation actions due to the cloud-based infrastructure affected. Aligned with CISA’s Secure Cloud Business Application (SCuBA) Technical Reference Architecture (TRA) <https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project>, other recommended actions are provided that can help harden cloud environments and reduce the impact of less sophisticated malicious activity targeting cloud environments.



All critical infrastructure organizations are strongly urged to review this advisory, apply actions and mitigations to improve cybersecurity posture, and report any suspicious cyber activity or compromise to CISA or FBI.



Theresa A. Masse
Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov
