Microsoft is still investigating how a threat actor was able to acquire the account sign-in key that led to breached email accounts for multiple customers, including U.S. government agencies. Last week, Microsoft disclosed that a China-based threat actor, known as Storm-0558, had breached email accounts using Outlook Web Access (OWA) in Exchange Online and Outlook.com for espionage purposes. To gain access, the threat actor stole a Microsoft account (MSA) consumer signing key to create forged tokens for Azure Active Directory (AD) enterprise and MSA users, allowing them to access Exchange Online and OWA accounts.
Approximately 25 organizations, including government agencies, were affected by the attack. The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory, stating that a federal civilian executive branch agency detected the suspicious activity in June and reported it to Microsoft. While both CISA and Microsoft confirmed the theft of an MSA key, the exact method of acquisition has not been revealed.
In an update published on Friday, Microsoft confirmed that they are still unsure of how the stolen MSA key was obtained. However, it appears that Storm-0558’s technique has been mitigated by Microsoft’s efforts. Microsoft stated in a blog post, “The method by which the actor acquired the key is a matter of ongoing investigation. No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key. Further, we have seen Storm-0558 transition to other techniques, which indicates that the actor is not able to utilize or access any signing keys.”
Microsoft also disclosed that the threat actor was able to use the stolen key due to a “validation error in Microsoft code,” which allowed Storm-0558 to use a key intended only for MSA accounts on Azure AD authentication tokens as well. Another new detail revealed in the blog post was that the stolen MSA consumer signing key was inactive. It remains unclear how the attackers were still able to use it to forge tokens.
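The two details above, a key accepted outside the issuer it was meant for and a retired key still validating tokens, are both failures of the token verifier rather than of the signature itself. As an added illustration that is not Microsoft's code (the issuers, key IDs and key bytes are constructed, and HMAC stands in for the real asymmetric signing keys), here is a verifier that resolves a key ID across every issuer's key set beside one that binds the key to the token's claimed issuer and rejects inactive keys:

```python
import base64, hashlib, hmac, json, time
# Constructed stand-in issuers and keys (not real Microsoft values). HMAC
# stands in for the asymmetric signing keys so this runs with stdlib only.
MSA_ISSUER = "https://login.live.com"  # consumer (MSA) issuer
AAD_ISSUER = "https://login.microsoftonline.com/contoso-tenant/v2.0"
KEY_STORE = {
    MSA_ISSUER: {"msa-kid-old": {"secret": b"msa-key-old", "active": False},
                 "msa-kid-cur": {"secret": b"msa-key-cur", "active": True}},
    AAD_ISSUER: {"aad-kid-cur": {"secret": b"aad-key-cur", "active": True}},
}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _mac(secret, data):
    return hmac.new(secret, data, hashlib.sha256).digest()

def mint_token(issuer, kid, claims):
    """Build a compact JWS-style token; used only to construct test inputs."""
    head = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = _mac(KEY_STORE[issuer][kid]["secret"], f"{head}.{body}".encode())
    return f"{head}.{body}.{_b64(sig)}"

def _parse(token):
    head, body, sig = token.split(".")
    return (json.loads(_unb64(head)), json.loads(_unb64(body)),
            f"{head}.{body}".encode(), _unb64(sig))

def verify_naive(token):
    """Flawed: kid is looked up in every issuer's key set; any match is trusted."""
    header, claims, signing_input, sig = _parse(token)
    for keys in KEY_STORE.values():
        entry = keys.get(header.get("kid"))
        if entry and hmac.compare_digest(_mac(entry["secret"], signing_input), sig):
            return claims  # consumer key validates an enterprise-issuer token
    return None

def verify_scoped(token):
    """Hardened: key must belong to the claimed issuer and be active; token unexpired."""
    header, claims, signing_input, sig = _parse(token)
    entry = KEY_STORE.get(claims.get("iss"), {}).get(header.get("kid"))
    if entry is None or not entry["active"]:
        return None  # wrong issuer for this key, or key already retired
    if not hmac.compare_digest(_mac(entry["secret"], signing_input), sig):
        return None
    return claims if claims.get("exp", 0) > time.time() else None
```

The naive verifier accepts a token naming the enterprise issuer but signed with the retired consumer key; the scoped verifier rejects it for both reasons independently.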
When asked for further comment, Microsoft declined to provide additional information.
Storm-0558’s technique for gaining access involved the use of APIs, which present ongoing security challenges for enterprises. Microsoft revealed that the threat actors leveraged forged tokens to gain access through a legitimate client flow and exploited a flaw in the GetAccessTokenForResource API, which was fixed on June 26.
“The actor was able to obtain new access tokens by presenting one previously issued from this API due to a design flaw,” stated the blog post. “The actors used tokens to retrieve mail messages from the OWA API.”
With this access, Storm-0558 was able to download emails and attachments, locate and download conversations, and retrieve email folder information. While the scope of data exfiltration remains unclear, CISA confirmed that no classified information was accessed from government agency accounts.
To mitigate the threat, Microsoft completed key replacement on June 29, preventing the threat actor from using the stolen key to forge tokens. New signing keys have been issued in significantly updated systems. Additionally, Microsoft has increased the isolation of Exchange Online and Outlook systems from corporate environments, applications, and users. They have also enhanced automated alerts related to key monitoring.
At present, it appears that the campaign has been blocked, but Microsoft continues to monitor Storm-0558 activity closely.
In conclusion, Microsoft is still investigating how the account signing key was acquired. The stolen key was used to forge tokens and gain unauthorized access to Exchange Online and OWA accounts belonging to several customers, including U.S. government agencies. Microsoft’s efforts to mitigate the threat and strengthen its security measures are ongoing, and while the exact method of acquisition remains unknown, the company is actively working to determine how it occurred.
