
Microsoft Patch Tuesday Leaves Exploited Zero-Day Unpatched

Patch Tuesday often brings surprises, but this one is out of the ordinary.

First, Microsoft patched 132 bugs yesterday. That is a lot: not the most ever, but close to it. Among them are 6 that are being actively exploited and 37 remote code execution bugs.

More important, Microsoft says that one of the actively exploited bugs has no patch available yet.

Microsoft also says that a China-based group broke into the cloud email of some customers to gather intelligence, and that the activity began a few weeks ago. CISA says it detected “unusual activity in their Microsoft 365 email cloud environment”. While CISA did not say which agencies were compromised, we know from other reporting that unclassified State Department email was among the data accessed.

CISA, together with the FBI, put out an advisory today that gives useful insight into how the intrusion was detected. It is titled Enhanced Monitoring to Detect APT Activity Targeting Outlook Online.

In the details, CISA says the agency that spotted the activity observed MailItemsAccessed events with unexpected ClientAppID and AppID values. That event is logged whenever items in a mailbox are accessed, whether by a desktop mail client, a mobile app, or a program using an API, and the two IDs identify the application doing the accessing. An ID you have never seen before, or one that does not match how your users normally read their mail, is the signal to investigate.
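To make that concrete, here is an added example of the triage CISA describes, written for this alert and not taken from CISA or Microsoft. It reads exported audit records and flags MailItemsAccessed events whose AppId or ClientAppId is not on a baseline allowlist. It assumes the records are one JSON object per line in the layout the unified audit log returns (for example the AuditData field of each Search-UnifiedAuditLog result). The allowlist GUIDs, users and addresses are placeholders constructed for the example; the real allowlist has to come from a baseline of the clients your own users use.

```python
"""Triage exported Microsoft 365 audit records for MailItemsAccessed events
whose AppId or ClientAppId is not on a baseline allowlist.

Added example, not from the original alert or CISA's advisory. Assumes one
JSON audit record per line in the unified audit log's layout. All GUIDs,
users and IP addresses below are constructed placeholders.
"""
import json
from collections import defaultdict

# Placeholder IDs standing in for the clients your users normally read mail
# with. Replace with the AppId/ClientAppId values from your own baseline.
SANCTIONED_MAIL_CLIENT = "11111111-1111-1111-1111-111111111111"
SANCTIONED_MOBILE_APP = "22222222-2222-2222-2222-222222222222"
KNOWN_APP_IDS = {SANCTIONED_MAIL_CLIENT, SANCTIONED_MOBILE_APP}

# Two IDs deliberately absent from the baseline (constructed).
UNKNOWN_APP = "99999999-9999-9999-9999-999999999999"
UNKNOWN_CLIENT = "88888888-8888-8888-8888-888888888888"


def _record(user, app_id, client_app_id, ip, access_type,
            operation="MailItemsAccessed", when="2023-07-12T14:03:11"):
    """Build one constructed audit record in the audit log's JSON layout."""
    return json.dumps({
        "CreationTime": when,
        "Operation": operation,
        "UserId": user,
        "AppId": app_id,
        "ClientAppId": client_app_id,
        "ClientIPAddress": ip,
        # MailAccessType (Bind or Sync) is carried in OperationProperties.
        "OperationProperties": [
            {"Name": "MailAccessType", "Value": access_type},
            {"Name": "IsThrottled", "Value": "False"},
        ],
    })


# Constructed sample export; nothing here comes from a real tenant.
SAMPLE_LINES = [
    _record("alice@example.com", SANCTIONED_MAIL_CLIENT, SANCTIONED_MAIL_CLIENT,
            "203.0.113.10", "Bind"),
    _record("bob@example.com", SANCTIONED_MOBILE_APP, SANCTIONED_MOBILE_APP,
            "203.0.113.11", "Sync"),
    # Unknown AppId reading alice's mail from an address never seen before.
    _record("alice@example.com", UNKNOWN_APP, SANCTIONED_MAIL_CLIENT,
            "198.51.100.7", "Bind", when="2023-07-12T14:05:42"),
    # Sanctioned AppId but an unknown ClientAppId.
    _record("carol@example.com", SANCTIONED_MAIL_CLIENT, UNKNOWN_CLIENT,
            "198.51.100.7", "Sync"),
    # A different operation entirely; the triage ignores it.
    _record("dave@example.com", UNKNOWN_APP, UNKNOWN_APP, "203.0.113.12",
            "Bind", operation="MailboxLogin"),
]


def parse_records(lines):
    """Parse one JSON audit record per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def _prop(record, name):
    """Look up a value in the record's OperationProperties name/value list."""
    for prop in record.get("OperationProperties") or []:
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def find_unexpected(records, known_app_ids=KNOWN_APP_IDS):
    """Return MailItemsAccessed records whose AppId or ClientAppId is not in
    the baseline (a missing ID is also reported, so it gets a human look)."""
    findings = []
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        reasons = []
        for field in ("AppId", "ClientAppId"):
            value = rec.get(field)
            if not value:
                reasons.append(f"{field} missing")
            elif value not in known_app_ids:
                reasons.append(f"{field} {value} not in baseline")
        if reasons:
            findings.append({
                "time": rec.get("CreationTime"),
                "user": rec.get("UserId"),
                "ip": rec.get("ClientIPAddress"),
                "app_id": rec.get("AppId"),
                "client_app_id": rec.get("ClientAppId"),
                "access_type": _prop(rec, "MailAccessType"),
                "reasons": reasons,
            })
    return findings


def summarize_by_user(findings):
    """Map each user to the set of (AppId, ClientAppId, IP) combinations seen,
    which is the pivot an analyst wants: who was read, by what, from where."""
    by_user = defaultdict(set)
    for hit in findings:
        by_user[hit["user"]].add((hit["app_id"], hit["client_app_id"], hit["ip"]))
    return dict(by_user)


if __name__ == "__main__":
    for hit in find_unexpected(parse_records(SAMPLE_LINES)):
        print(hit["time"], hit["user"], hit["ip"], hit["access_type"],
              "; ".join(hit["reasons"]))
```

Run against a real export, the two flagged records are the ones to pivot on: the same unfamiliar IP touching two mailboxes through two different unknown IDs is exactly the pattern worth escalating. The allowlist approach only works if you first build the baseline from a quiet period, which is why CISA's first recommendation is to have this logging turned on before you need it.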

The current assessment is that the attackers got in by forging authentication tokens, a technique we have heard about before. A forged token lets the attacker impersonate a legitimate user to the service without ever needing that user's password or second factor.

CISA recommends turning on enhanced logging. The MailItemsAccessed event in particular is only available with Purview Audit (Premium), which requires a Microsoft 365 or Office 365 E5 license or an add-on license for the mailbox.

CISA also publishes a free Minimum Viable Secure Configuration guide for Microsoft 365 Exchange Online. It is at draft version 0.1, so definitely a work in progress, but worth reviewing.

CISA’s Enhanced Monitoring alert gives details and recommendations, all of which you should already be doing; if you are not, now is a good time to start.

Reports are that exploitation of the unpatched bug starts with social engineering: the victim is sent a specially crafted Office (Word) document and persuaded to open it.

Microsoft says it may release an emergency patch before the August Patch Tuesday, but it is not committing to that right now.

Businesses should make sure their users are on a heightened level of alert, and if you have the option to increase logging and inspection in line with CISA’s recommendations, that will help.

If you need assistance, please contact us.