Microsoft Stolen Key Grants Access Beyond Government Email Inboxes

Recently, a China-based cybercrime group known by the name of Storm-0558 carried out a sophisticated yet concerning cyber-attack on Microsoft, which can lead to potential broader implications.

The breach involved the stealing of a Microsoft key that the United States Agency for International Development (USAID) used in order to sign emails securely. Initially, the breach targeted the US government email inboxes, but now experts warn that the outcome could be far-reaching, harming both public and private figures.


After finding out about the attack on June 16, 2023, Microsoft immediately initiated a thorough investigation. The company link Storm-0558’s core working hours, with operations in China to be consistent. Previous activities show that the actor mainly targeted US and European diplomatic, economic, and legislative governing bodies, along with individuals connected to Taiwan and Uyghur geopolitical interests.

Techniques and Tools Used by Storm-0558

The Storm-0558 works with technical sophistication and security, making it a terrifying threat. The group uses various techniques to acquire initial access, such as phishing campaigns and utilizing vulnerabilities in public applications. One of its most used malware families is Cigril, launched using DLL search order hijacking.

The most critical aspect of Storm-0558’s attack was token falsification. The stolen Microsoft key allowed the actor to falsify authentication tokens, giving unauthorized access to both Azure Active Directory (Azure AD) enterprise and Microsoft account (MSA) consumer services. Storm-0558 also employs PowerShell and Python scripts to carry out REST API calls to counter the OWA Exchange Store service, permitting the extraction of email data and attachments.

Once authenticated through a valid client flow, the attacker accessed the Outlook Web Access (OWA) API to restore tokens for Exchange Online from the GetAccessTokenForResource API. A flaw in the design leverages the attacker to obtain new access tokens using previously issued ones, eventually leading to unauthorized access to email accounts.

Storm-0558 supports infrastructure running SoftEther proxy software, complicating detection, and attribution. The infrastructure hosted a web panel with an authentication page for aiding actor activities. When Microsoft revoked the compromised MSA signing key, it led to the disruption of Storm-0558’s access and implemented further measures in securing key issuance systems.

Broader Implications and Response of Microsoft

While the breach initially attacked government email inboxes, later Wiz, an infosec firm, discovered that the compromised MSA key could potentially leverage the threat actor to falsify access tokens for various Azure AD applications, including Outlook, SharePoint, OneDrive, and Teams.


Wiz also raised concerns about the lack of logs associated with token verification, which might hinder customers’ ability to determine if data was stolen from their applications.

Microsoft has pushed customers to review their blogs and provided indicators of compromise (IOCs) to investigate potential breaches. And steps are being taken to expand security logging availability to customers, enabling better threat management.

And as of now, the actual method used by Storm-0558 to access the private encryption key remains unknown. Microsoft’s ongoing investigation aims to find out the full extent of the breach and whether other applications beyond email accounts were compromised.

The following incident serves as a reminder for organizations to strengthen their security measures continuously. Collaborative efforts between public and private sectors are important and needed to safeguard critical infrastructure and sensitive data from sophisticated threat actors like Storm-0558.

For more news and updates on Cybersecurity, visit The Cybersecurity Club.

Post navigation

Leave a Reply

Your email address will not be published. Required fields are marked *

Hello Cybersecuriters!

PSNI Accidentally Exposes Data of 10,000 Officers in FOI Request Mishap

Caesars Entertainment Hit by Social-Engineering Data Breach

Danish Critical Infrastructure Under Attack: An Unprecedented Cybersecurity Assault