Microsoft: Stolen key gave access to cloud services

Wiz security researchers have revealed that Chinese hackers, known as Storm-0558, successfully stole Microsoft’s consumer signing key.

With this key, the hackers gained access to breached accounts on Exchange Online and Outlook.com, as previously acknowledged by the company.

The cloud-based email service, Exchange Online, has gained widespread adoption among small, medium, and large businesses. Offering enhanced security, reliability, and scalability, it has become a preferred choice for many organizations.

Microsoft: Stolen key

In essence, Microsoft initially stated that only Outlook.com and Exchange Online were affected by the token forging technique. However, Wiz Research uncovered that the compromised signing key was more powerful than initially believed and wasn’t limited to just those two services.

According to their security researchers, the compromised MSA key could have allowed the threat actor to forge access tokens for various types of Azure Active Directory applications.

After revoking the stolen signing key, Microsoft did not recover from any other unauthorized access to its customers’ accounts using the same technique.

Microsoft reports that it has noticed a change in Storm-0558’s tactics, and this suggests that the malicious agents they no longer have access to any signing keys.

The company has recently made an announcement stating that they are yet to determine how Chinese hackers were able to steal the signature key used by Microsoft consumers.

However, in response to pressure from CISA, they have now agreed to provide free extended access to cloud log data. This decision aims to assist defenders in recognizing and thwarting similar breach attempts in the future.