A China-based threat actor gained access to a Microsoft account (MSA) cryptographic key, as early as 2021, and used it to spy on the US State and Commerce Departments and other US government agencies.
A series of unfortunate events allowed the China-backed adversary, which Microsoft tracks as Storm-0558, to gain ‘lawful’ access to the Exchange Online and Azure Active Directory (now called Microsoft Entra ID) accounts of 25 organizations.
In April 2021, a crash of a Microsoft consumer signing system, combined with a bug, resulted in the MSA key being inadvertently written into a crash dump that ended up outside Microsoft’s protected zone, which the company described as a strictly access-controlled production environment.
Unfortunately, the system that was supposed to detect such unwanted data in crash dumps failed to detect the signing key, both before and after the crash dump was moved to a debugging environment.
Compromised Account with Access to Debugging Environment
Sometime after this happened, Storm-0558 compromised a Microsoft engineer’s corporate account.
Microsoft analyzed the compromise and how the signing key had been used to access the cloud-based Outlook email systems of 25 organizations in a series of blog posts in July 2023, but did not explain how the threat actor got hold of said key.
In a forensic analysis published on September 6, the company revealed that the compromised corporate account likely had access to the debugging environment where the MSA key was still stored.
"Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key," Microsoft said.
Unwanted Link Between Enterprise and Consumer Accounts
With the legitimate cryptographic key in hand, Storm-0558 was able to exploit a zero-day vulnerability in the GetAccessTokenForResourceAPI.
This API was provided by Microsoft in 2018 to help customer systems using both consumer and enterprise applications cryptographically validate signatures. The company confirmed in July that the flaw “has since been fixed to only accept tokens issued from Azure AD or MSA respectively.”
The flaw enabled the threat actor to forge signed access tokens and impersonate targeted accounts within the 25 organizations.
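To make the validation flaw concrete, here is an added Python sketch (not Microsoft's code; the HMAC secrets and the key-to-issuer labels are constructed stand-ins for the real RSA signing keys) contrasting a validator that trusts any key from a shared key set with one that also requires the key to belong to the issuer it is validating for, which is what the fix described above amounts to.

```python
import base64, hashlib, hmac, json

# Constructed demo key set; HMAC secrets stand in for the real RSA signing keys.
# Each key is labelled with the issuer it belongs to: that binding is what the
# flawed validator ignored when it accepted a consumer key for enterprise tokens.
KEYS = {
    "msa-key-1": {"issuer": "consumer", "secret": b"constructed-msa-secret"},
    "aad-key-1": {"issuer": "enterprise", "secret": b"constructed-aad-secret"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(kid: str, signing_input: str) -> bytes:
    return hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()

def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWS-style token under the named key (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url(_mac(kid, header + '.' + body))}"

def _check_signature(token: str):
    """Return (kid, claims) if the signature verifies under a known key, else None."""
    try:
        header, body, sig = token.split(".")
        kid = json.loads(_b64url_decode(header)).get("kid")
        claims = json.loads(_b64url_decode(body))
        mac = _b64url_decode(sig)
    except ValueError:
        return None
    if kid not in KEYS or not hmac.compare_digest(_mac(kid, header + "." + body), mac):
        return None
    return kid, claims

def validate_vulnerable(token: str, expected_issuer: str) -> bool:
    """Flawed check: any key in the shared set is trusted for any issuer."""
    parsed = _check_signature(token)
    return parsed is not None and parsed[1].get("iss") == expected_issuer

def validate_fixed(token: str, expected_issuer: str) -> bool:
    """Fixed check: the signing key must belong to the expected issuer's key set."""
    parsed = _check_signature(token)
    if parsed is None:
        return False
    kid, claims = parsed
    return KEYS[kid]["issuer"] == expected_issuer and claims.get("iss") == expected_issuer
```

The point for defenders is that a valid signature alone says nothing about which tenant or audience a key is authorised for; the validator has to enforce that mapping itself.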
According to Microsoft, the campaign only allowed Storm-0558 to gain access to Exchange Online and Outlook.
However, in a July 21 post, Shir Tamari, head of research at Wiz, argued that the threat actor may have been able to access various Microsoft services, including “Outlook, SharePoint, OneDrive, and Teams, as well as customers’ applications that support Microsoft Account authentication.”
Microsoft revoked all valid MSA signing keys to prevent threat actors from using any other compromised keys, and said it found no further evidence of unauthorized access to customer accounts employing the same token forging technique.
Microsoft also expanded access to cloud logging, a feature previously reserved for its premium customers, to all users. This could help network defenders detect future similar breach attempts.
This incident has been seen by many as a wake-up call for cloud security. The disclosure of the details of the campaign by Microsoft was praised by many in the cybersecurity research field.