Microsoft still investigating stolen MSA key from email attacks

While Microsoft provided additional attack details and techniques used by Storm-0558, it remains unclear how the Microsoft account signing key was acquired.

Microsoft said it's still investigating how a threat actor acquired the account sign-in key that led to breached email accounts for several customers, including U.S. government agencies.

Last week, Microsoft revealed a China-based threat actor it tracks as Storm-0558 breached email accounts using Outlook Web Access (OWA) in Exchange Online and for espionage purposes. To gain access, Storm-0558 operators stole a Microsoft account (MSA) consumer signing key to forge tokens for Azure Active Directory (AD) enterprise and MSA users to access Exchange Online and OWA accounts.

The attack affected approximately 25 organizations, including government agencies, and warranted an advisory from CISA, which said a federal civilian executive branch agency initially detected the suspicious activity in June and was first to report the activity to Microsoft. While both CISA and Microsoft confirmed last week that a MSA key was stolen, it was not revealed how.

Microsoft published an update Friday afternoon that confirmed the company doesn't know how the stolen MSA key was acquired. However, it also appears Storm-0558's technique has been quelled by Microsoft's mitigations.

"The method by which the actor acquired the key is a matter of ongoing investigation," Microsoft wrote in a blog post. "No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key. Further, we have seen Storm-0558 transition to other techniques, which indicates that the actor is not able to utilize or access any signing keys."

Additionally, Microsoft said the threat actor was able to use the stolen key due to a "validation error in Microsoft code." That error allowed Storm-0558 to use a key intended only for MSA accounts on Azure AD authentication tokens as well.

Another new detail provided in Friday's blog showed the stolen MSA consumer signing key was inactive. It is unclear how attackers could still use it to forge tokens.

Microsoft declined to comment further.

MSA key leads to compromised email accounts

Storm-0558's identity technique for access involved the use of APIs, which pose ongoing security challenges for enterprises. Microsoft said after attackers leveraged the forged tokens to gain access through a legitimate client flow, Storm-0558 operators exploited a flaw in the GetAccessTokenForResourceAPI, which was fixed on June 26.

"The actor was able to obtain new access tokens by presenting one previously issued from this API due a design flaw," the blog post said. "The actors used tokens to retrieve mail messages from the OWA API."

That access helped Storm-0558 download emails and attachments, locate and download conversations, and retrieve email folder information. The scope of data exfiltration remains unclear, but CISA did confirm that no classified information was accessed from government agency accounts.

Microsoft said it completed key replacement on June 29, which should "prevent the threat actor from using it to forge tokens." New signing keys have since been issued in substantially updated systems.

As a result of the breach, Microsoft increased the isolation of the Exchange Online and Outlook systems from corporate environments, applications and users. The software giant also increased automated alerts related to key monitoring.

As of now, it appears the campaign has been blocked, but Microsoft continues to monitor Storm-0558 activity.

Arielle Waldman is a Boston-based reporter covering enterprise security news.

Dig Deeper on Cloud security

Enterprise Desktop
Cloud Computing