In July, Microsoft revealed that a known Chinese hacker group labeled as Storm-0558 was able to access government email accounts in the United States and Western Europe. The company said the group "used an acquired MSA key to forge tokens to access OWA and Outlook.com." It added, "The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail."
Microsoft launched an investigation on how the MSA (Microsoft Account) key was acquired and how a consumer key was able to access enterprise Outlook email accounts. This week, the company posted its findings on its Microsoft Security Responses Center website.
Microsoft says that an event that happened over two years ago was the cause of the group getting access to the MSA key:'
Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems.
Microsoft added that the crash dump data was then moved from "moved from the isolated production network into our debugging environment on the internet-connected corporate network." which was the standard procedure. However, a scan of the crash dump data did not detect the MSA key. Microsoft says this has also been fixed.
The company believes that Storm-0558 was able to get the MSA key from the crash dump data by compromising a corporate account from one of Microsoft's engineers. There is no direct evidence of this that points to a specific account being compromised but Microsoft does believe "this was the most probable mechanism by which the actor acquired the key."
Finally, the company believes Storm-0558 was able to duplicate the MSA key and turn it into one that was used to access enterprise email accounts because of an error in updating an API:
As part of a pre-existing library of documentation and helper APIs, Microsoft provided an API to help validate the signatures cryptographically but did not update these libraries to perform this scope validation automatically (this issue has been corrected). The mail systems were updated to use the common metadata endpoint in 2022. Developers in the mail system incorrectly assumed libraries performed complete validation and did not add the required issuer/scope validation. Thus, the mail system would accept a request for enterprise email using a security token signed with the consumer key (this issue has been corrected using the updated libraries).
After the hacking incident with government email accounts was discovered, Microsoft blocked the use of the MSA key, and also blocked usage of tokens issued with the key. In August, the US government's Cyber Safety Review Board (CSRB) announced it would conduct its own investigation into the incident. It will be a part of an overall examination of hackers going after cloud computing systems and companies in general.
