MS consumer signing key breach
Date: 20230711
Method: TL;DR: A chain of failures let the attacker forge authentication tokens and exfiltrate customers' email. The tokens were minted with the Microsoft account (MSA) consumer signing key. That key was taken from a Microsoft employee's device that had been compromised via malware. The employee should never have had access to the signing key itself, but did have access to a crash (core) dump of the MSA signing server, and the dump contained the key.
Impact: A large number of Microsoft customers had their email stolen, including federal government customers.
Attacker: Storm-0558 (China-based group)
Noteworthy: Organizations should scrub crash dumps and logs of sensitive material, key material above all, before those artifacts leave the production environment, and should keep signing keys in a hardware security module (HSM) so the key is never present in process memory for a crash dump to capture.
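As an added example (not code from the original page or from Microsoft), the following Python scrubber shows the kind of check the recommendation above calls for: it scans a debug artifact for private-key material and issued tokens and redacts them before the artifact is allowed out of the production boundary. The sample dump, the rule names and the dummy key and token strings are all constructed for this illustration.

```python
import re

# Constructed sample of a debug artifact (crash dump / verbose log) in which a
# signing key and an issued token have leaked. All values are dummy strings.
SAMPLE_DUMP = """\
signing-service crash: dumping heap region
-----BEGIN RSA PRIVATE KEY-----
MIIEdummydummydummydummydummy
-----END RSA PRIVATE KEY-----
loaded jwk: {"kty":"RSA","kid":"consumer-key-1","n":"AQAB","d":"SECRETPRIVATEEXPONENT"}
last issued token: eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJlc2lnbmF0dXJl
"""

# Each rule is (label, pattern, replacement). Order matters: PEM blocks and JWK
# private members are removed before the JWT rule runs, so a redaction marker
# can never be mistaken for a token. Labels are hypothetical names chosen here.
RULES = [
    ("pem_private_key",
     re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED |)PRIVATE KEY-----.*?"
                r"-----END (?:RSA |EC |ENCRYPTED |)PRIVATE KEY-----", re.DOTALL),
     "[REDACTED:pem_private_key]"),
    # JWK private members (RFC 7518 RSA/EC private parameters); public "n", "e", "kid" stay.
    ("jwk_private_param",
     re.compile(r'"(d|p|q|dp|dq|qi)"\s*:\s*"[A-Za-z0-9_=-]+"'),
     r'"\1":"[REDACTED:jwk_private_param]"'),
    # Compact JWS/JWT: three base64url segments, header always starts with "eyJ" ('{"').
    ("jwt",
     re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
     "[REDACTED:jwt]"),
]


def scrub(text):
    """Return (scrubbed_text, findings); findings maps rule label -> number of hits."""
    findings = {}
    for label, pattern, replacement in RULES:
        text, n = pattern.subn(replacement, text)
        if n:
            findings[label] = n
    return text, findings


def is_clean(text):
    """True if no rule fires, i.e. the artifact may leave the production boundary."""
    return not any(pattern.search(text) for _, pattern, _ in RULES)


if __name__ == "__main__":
    cleaned, hits = scrub(SAMPLE_DUMP)
    print(hits)      # {'pem_private_key': 1, 'jwk_private_param': 1, 'jwt': 1}
    print(cleaned)
    print("clean:", is_clean(cleaned))
```

Pattern matching is a backstop, not the control: a key that lives in an HSM never sits in process memory, so no crash dump can contain it in the first place. The scrubber is there to catch whatever the key-handling design missed, and an artifact that fails `is_clean` should be blocked from transfer rather than merely flagged.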
References
Analysis of Storm-0558 techniques for unauthorized email access
Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email
Wiz’s Storm-0558 Update: Takeaways from Microsoft’s recent report