Unseen Risks: How the Stolen Microsoft Key Could Unlock More than Expected


July 24, 2023

The alleged theft of a Microsoft security key could have enabled spies linked to Beijing to breach more than just Outlook and Exchange Online email accounts.

In a shocking revelation that merits more attention, an internal private cryptographic key belonging to Microsoft – employed to sign access tokens for its online services digitally – was somehow procured by someone. The spies fabricated tokens using this key, granting them access to Microsoft customer email systems. This made it appear as if Microsoft had legitimately issued the tokens.

Possessing these valuable tokens, the believed China-based infiltrators gained access to US government officials’ Microsoft cloud email accounts, including US Commerce Secretary Gina Raimondo. A federal government agency detected the cyber intrusion and raised the alert.

How this potent private signing key was acquired remains a mystery to Microsoft. As far as we know, the company has yet to work it out, or at least has yet to say so publicly. Microsoft has revoked that particular key. The spies are code-named Storm-0558.

According to researchers at Wiz, the private key could have given access to more than just people’s Outlook and Exchange Online accounts. Microsoft, however, disputes this assertion.


Stolen Microsoft Key Could Unlock More

Beyond Microsoft’s own services, the forged tokens could also be used against customer-owned applications that support the “login with Microsoft” feature, and against multi-tenant applications configured to use the “common” v2.0 keys endpoint rather than the “organizations” one. Applications using OpenID v1.0 remain secure.

While Microsoft invalidated the compromised signing key and shared a list of indicators of compromise for those wondering whether Storm-0558 also targeted them, Wiz contends it may be hard for Microsoft’s customers to determine whether the attackers used forged tokens to extract data from their applications. Tamari attributes this to the lack of logs related to token verification.
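As an added illustration (not code from the article, Wiz or Microsoft), the following Python sketches the two defensive checks the passages above imply: pin token acceptance to one tenant’s issuer instead of accepting whatever the multi-tenant “common” keys endpoint would vouch for, and write a verification record that names the signing key id (kid), so that tokens accepted under an unexpected key can be found in logs afterwards. The tenant id, audience and key ids are constructed placeholders, and cryptographic signature verification is assumed to be delegated to a JWT library.

```python
import base64
import json

# Constructed placeholders (not values from the article): the tenant this app
# belongs to, its audience, and the key ids fetched from that tenant's JWKS.
EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"
EXPECTED_AUDIENCE = "api://example-app"
KNOWN_KIDS = {"kid-known-001"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token: str) -> dict:
    """Policy checks that run alongside signature verification.

    Returns a record suitable for logging: which kid was presented, which
    issuer/tenant/audience the token claims, and why it was rejected, if it was.
    The signature itself is assumed to be checked by a JWT library using the
    key selected by `kid`; this function decides whether that key and the
    claims are acceptable for a single-tenant application in the first place.
    """
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    findings = []
    kid = header.get("kid")
    if kid not in KNOWN_KIDS:  # a key we never fetched from our tenant's JWKS
        findings.append(f"unknown signing key id {kid!r}")
    # v2.0 tokens carry a tenant-specific issuer; pinning it rejects tokens
    # minted for other tenants that a "common"-configured app would accept.
    expected_iss = f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0"
    if claims.get("iss") != expected_iss:
        findings.append(f"issuer {claims.get('iss')!r} is not the pinned tenant")
    if claims.get("tid") != EXPECTED_TENANT:
        findings.append("tid claim does not match the expected tenant")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        findings.append("aud claim does not match this application")
    return {"kid": kid, "iss": claims.get("iss"), "tid": claims.get("tid"),
            "aud": claims.get("aud"), "sub": claims.get("sub"),
            "accepted": not findings, "findings": findings}


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a constructed test token with a dummy signature segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"
```

Persisting the returned record for every verification gives the audit trail the article says was missing: a later search for accepted tokens whose kid is outside the known set, or whose issuer is another tenant, becomes a simple log query.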

In a twist, Redmond agreed to give all customers free access to cloud security logs under pressure from the US government – a service typically reserved for premium clients – but only from September.

Microsoft reported the attack on July 11. The Azure giant stated then, and in a July 14 update, that the spies utilised counterfeit authentication tokens to breach email accounts of government agencies for espionage.

The Wall Street Journal reported on Thursday that Chinese spies also accessed the inboxes of the US ambassador to China, Nicholas Burns, and Daniel Kritenbrink, the assistant secretary of state for East Asia.

How the spies obtained the private signing key in the first place remains a puzzle. According to the Wiz security team, the China-based group appears to have secured one of several keys used for verifying Azure Active Directory (AAD) access tokens, enabling them to sign any OpenID v2.0 access token for personal accounts and for both multi-tenant and personal-account AAD applications as if they were Microsoft.

While Microsoft has decommissioned the compromised key, so it can no longer be used to fabricate tokens and gain access to AAD applications, attackers might already have used that access during earlier sessions to install backdoors or establish persistence.

“A prominent example of this is how, before Microsoft’s intervention, Storm-0558 issued valid Exchange Online access tokens by forging access tokens for Outlook Web Access (OWA),” wrote Tamari.

Saher Mahmood

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
