<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Franklin Gothic Book";
panose-1:2 11 5 3 2 1 2 2 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.paragraph, li.paragraph, div.paragraph
{mso-style-name:paragraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.normaltextrun
{mso-style-name:normaltextrun;}
span.eop
{mso-style-name:eop;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1856308207;
mso-list-template-ids:793123470;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">FYSA<o:p></o:p></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline"><span class="normaltextrun"><span style="font-family:"Arial",sans-serif"> </span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> </span></span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">Today,</span></span><span class="normaltextrun"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black">
</span></span><span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a
<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a">joint Cybersecurity Advisory</a> that urges all organizations to enhance their cybersecurity posture and position themselves to detect malicious activity in their Exchange Online
environments.</span></span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">Recently, a federal agency observed suspicious, unexpected activity in unclassified Microsoft 365 audit logs and reported it to Microsoft and CISA. In coordination with
Microsoft, it was determined that advanced persistent threat (APT) actors had accessed and exfiltrated Exchange Online Outlook data. The incident was remediated. </span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> </span></span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> </span></span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">The joint advisory, “<u><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a">Enhanced Monitoring to Detect APT Activity Targeting Outlook Online</a></u>”,
provides security guidance on logging that should be implemented, including: </span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> </span></span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></p>
<p class="paragraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:57.0pt;text-indent:0in;mso-list:l0 level1 lfo2;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">Ensure Purview audit logging is enabled, </span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> </span></span><span style="font-family:"Franklin Gothic Book",sans-serif"><o:p></o:p></span></p>
<p class="paragraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:57.0pt;text-indent:0in;mso-list:l0 level1 lfo2;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">Ensure logs are searchable by operators, </span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> </span></span><span style="font-family:"Franklin Gothic Book",sans-serif"><o:p></o:p></span></p>
<p class="paragraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:57.0pt;text-indent:0in;mso-list:l0 level1 lfo2;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">Enable Microsoft 365 unified audit logging (UAL), and </span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> </span></span><span style="font-family:"Franklin Gothic Book",sans-serif"><o:p></o:p></span></p>
<p class="paragraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:57.0pt;text-indent:0in;mso-list:l0 level1 lfo2;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">Understand the cloud baseline for your organization. </span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> </span></span><span style="font-family:"Franklin Gothic Book",sans-serif"><o:p></o:p></span></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> </span></span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black;background:white">Organizations that identify suspicious, anomalous activity should contact Microsoft to proceed with mitigation actions, because the affected
infrastructure is cloud-based. The advisory also provides other recommended actions, aligned with <a href="https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project">
CISA’s Secure Cloud Business Applications (SCuBA) Technical Reference Architecture (TRA)</a>, that can help harden cloud environments and reduce the impact of less sophisticated malicious activity targeting them. </span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black;background:white"> </span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></span></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline"><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">All critical infrastructure organizations are strongly urged to review this advisory, apply actions and mitigations to improve cybersecurity posture, and report
any suspicious cyber activity or compromise to CISA or FBI. </span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"><o:p></o:p></span></span></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="color:#1F497D">Theresa A. Masse<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity and Infrastructure Security Agency<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Department of Homeland Security<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Phone: (503) 930-5671
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Email:</span><span style="font-size:10.0pt;color:#777777">
</span><a href="mailto:theresa.masse@cisa.dhs.gov"><span style="font-size:10.0pt">theresa.masse@cisa.dhs.gov</span></a><u><span style="font-size:10.0pt;color:#0760C1"><o:p></o:p></span></u></p>
</div>
</body>
</html>