Last week, Microsoft reported that a group of Chinese hackers got access to government email accounts in the US and Europe. Specifically, the hacker group entered email accounts that were using Microsoft's Outlook Web Access in Exchange Online and also on Outlook.com.
In a follow-up blog post, Microsoft offered some more details about how this group, known as Storm-0558, managed to gain access to these accounts using the company's online system. Microsoft stated:
Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident – including the actor-acquired MSA signing key – have been invalidated. Azure AD keys were not impacted. The method by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.
The blog also explains how the hacker group used this signing key to gain access to the web version of Outlook:
Once authenticated through a legitimate client flow leveraging the forged token, the threat actor accessed the OWA API to retrieve a token for Exchange Online from the GetAccessTokenForResource API used by OWA. The actor was able to obtain new access tokens by presenting one previously issued from this API due to a design flaw. This flaw in the GetAccessTokenForResourceAPI has since been fixed to only accept tokens issued from Azure AD or MSA respectively. The actor used these tokens to retrieve mail messages from the OWA API.
As part of its efforts to fix this issue, Microsoft has made some changes in its procedures:
This includes increased isolation of the systems, refined monitoring of system activity, and moving to the hardened key store used for our enterprise systems. We have revoked all previously active keys and issued new keys using these updated systems. Our active investigation indicates these hardening and isolation improvements disrupt the mechanisms we believe the actor could have used to acquire MSA signing keys.
Microsoft says no action is needed from its Outlook web customers as it claims "all actor activity related to this incident has been blocked." It added that it will "continue to monitor Storm-0558 activity and implement protections for our customers.