The US Department of Homeland Security’s Cyber Safety Review Board (CSRB) has released a scathing report on Microsoft’s handling of the 2023 Exchange Online attack, warning that the company must do better at securing data and be more honest about how threat actors stole an Azure signing key.

Microsoft believes that last May’s Exchange Online hack is related to the threat actor known as ‘Storm-0558’ stealing an Azure signing key from an engineer’s laptop that had already been compromised while the engineer was working at a company Microsoft later acquired.

Storm-0558 is a China-affiliated cyber espionage actor that has been active for more than two decades and targets a wide range of organizations.

Nearly ten months after Microsoft launched its investigation, the CSRB says there is still no definitive evidence of how the threat actor obtained the signing key, despite what Microsoft previously claimed.

The “Big Yellow Taxi” alert

The CSRB conducted its analysis of the 2023 Microsoft Exchange Online hack based on data obtained from affected organizations, cybersecurity companies and experts, law enforcement agencies, and meetings with Microsoft representatives.

The report notes that Microsoft became aware of the intrusion after being alerted by the US Department of State on June 16, 2023.

Signs of the breach in the State Department’s mail systems appeared a day earlier when the organization’s Security Operations Center (SOC) identified anomalous access.

The next day, multiple security alerts fired thanks to a custom rule, internally called “Big Yellow Taxi,” that analyzes the MailItemsAccessed log available through the Purview Audit (Premium) long-term log retention service.

One capability of the MailItemsAccessed mailbox audit action is to track and record access to individual messages (bind operations).

The creation of the “Big Yellow Taxi” rule was possible because the U.S. Department of State purchased a Microsoft 365 Government G5 license that comes with enhanced logging through the premium tier of Microsoft’s Purview Audit service.
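The kind of check a rule like “Big Yellow Taxi” can build on, as an added example that is not the State Department’s rule or Microsoft’s code: it parses MailItemsAccessed records (constructed here, with field names following the mailbox audit schema) and flags bind operations from a client app outside a user’s known baseline or with an unusually large item count. The baseline, threshold and heuristic are this example’s own assumptions.

```python
import json

# Constructed MailItemsAccessed audit records shaped like Purview Audit (Premium)
# unified audit log entries. Field names follow the mailbox audit schema
# (Operation, UserId, ClientAppId, ClientIPAddress, OperationCount,
# OperationProperties/MailAccessType); every value is made up for this example.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2023-06-15T09:12:40", "Operation": "MailItemsAccessed",
     "UserId": "analyst@dept.example", "ClientAppId": "app-outlook-desktop",
     "ClientIPAddress": "198.51.100.7", "OperationCount": 4,
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}]},
    {"CreationTime": "2023-06-15T09:30:02", "Operation": "MailItemsAccessed",
     "UserId": "analyst@dept.example", "ClientAppId": "app-outlook-desktop",
     "ClientIPAddress": "198.51.100.7", "OperationCount": 2,
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]},
    {"CreationTime": "2023-06-15T11:47:19", "Operation": "MailItemsAccessed",
     "UserId": "analyst@dept.example", "ClientAppId": "app-unknown-client",
     "ClientIPAddress": "203.0.113.55", "OperationCount": 850,
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}]},
    {"CreationTime": "2023-06-15T11:50:00", "Operation": "MailboxLogin",
     "UserId": "analyst@dept.example", "ClientAppId": "app-unknown-client",
     "ClientIPAddress": "203.0.113.55"},
])

# Assumed per-user set of known-good client apps and an assumed bind-count threshold.
BASELINE_CLIENTS = {"analyst@dept.example": {"app-outlook-desktop"}}
BIND_BURST_THRESHOLD = 200

def mail_access_type(record):
    """Extract MailAccessType: Bind = individual message read, Sync = offline sync."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == "MailAccessType":
            return prop.get("Value")
    return None

def find_anomalous_binds(log_text, baseline=BASELINE_CLIENTS, threshold=BIND_BURST_THRESHOLD):
    """Return MailItemsAccessed bind events from a client outside the user's baseline
    or with an unusually large number of bound items (heuristic is this example's own)."""
    hits = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed" or mail_access_type(rec) != "Bind":
            continue
        user, app = rec.get("UserId"), rec.get("ClientAppId")
        reasons = []
        if app not in baseline.get(user, set()):
            reasons.append("unfamiliar client app")
        if rec.get("OperationCount", 0) >= threshold:
            reasons.append("bind burst")
        if reasons:
            hits.append({"time": rec["CreationTime"], "user": user, "app": app,
                         "ip": rec.get("ClientIPAddress"), "reasons": reasons})
    return hits
```

Without the premium tier, MailItemsAccessed records are simply not there to query, which is why the other breached organizations described below could not run a comparable rule.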

However, other breached organizations were unable to detect that their accounts had been breached because they had not purchased the premium logging features.

This led to Microsoft working with CISA to provide essential logging features for free so that all customers could detect similar attacks.

In February, Microsoft decided to expand the default log retention period from 90 to 180 days for all standard Purview Audit customers and provide additional telemetry data to federal agencies.

The forgotten key and the update

Beginning in mid-May 2023, email accounts of more than 500 individuals at 22 organizations were compromised in a cyber espionage campaign by Chinese hacking group Storm-0558.

The hackers gained access to the email accounts using spoofed authentication tokens signed with a Microsoft Services Account (MSA) consumer key that the company created in 2016 and was supposed to revoke in March 2021.

The reason the key was still valid in 2021 is that, at the time, key rotation was done manually for the consumer system, as opposed to the automated process used for the enterprise system.

After a major cloud outage caused by a manual rotation, Microsoft halted the process entirely in 2021, leaving no system to alert employees to old, still-active signing keys in the consumer MSA service that should have been retired.

Although the 2016 MSA key was designed to only sign access tokens for consumer accounts, a previously unknown vulnerability allowed Storm-0558 to use it with corporate emails as well.

In a board meeting with CSRB, Microsoft explained that the issue was introduced with the creation of an OpenID Connect (OIDC) endpoint service that listed active signing keys for both enterprise and consumer identity systems.

Storm-0558 spoofs a token using the stolen 2016 MSA key
Source: CSRB

However, the software development kits (SDKs) were not properly updated to distinguish between consumer and enterprise MSA signing keys at the endpoint.

This enabled authentication for the email application through the Microsoft Entra identity and access management system (IAM) using both key types.

It’s unclear how the threat actor discovered they could take advantage of the problem by forging tokens that worked for both consumer and enterprise accounts, but Microsoft speculates that they learned of the opportunity through trial and error.
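The validation gap described above, as an added example that is not Microsoft’s code: a merged key listing publishes consumer and enterprise keys side by side, a flawed validator accepts any listed key for any issuer, and a hardened validator additionally requires the key to belong to the identity system that issues tokens for the expected issuer. Key names, issuer URLs and key material are all constructed; HMAC stands in for RSA so the example runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the OIDC key listing that published keys for both
# identity systems in one place. Symmetric HMAC secrets replace RSA key pairs
# purely to keep the example offline; the lookup and scoping logic is the point.
SIGNING_KEYS = {
    "msa-2016": {"secret": b"consumer-key-material", "system": "consumer"},
    "aad-2023": {"secret": b"enterprise-key-material", "system": "enterprise"},
}
# Assumed mapping from token issuer to the identity system whose keys may sign it.
ISSUER_SYSTEM = {
    "https://consumer.example/": "consumer",
    "https://enterprise.example/tenant": "enterprise",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWS-style token with the named key (test helper, not a real IdP)."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def _verify_signature(token: str):
    """Look up the kid in the merged listing and check the signature; returns (kid, claims) or None."""
    header_b64, body_b64, sig_b64 = token.split(".")
    kid = json.loads(b64url_decode(header_b64))["kid"]
    key = SIGNING_KEYS.get(kid)
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return kid, json.loads(b64url_decode(body_b64))

def validate_flawed(token: str) -> bool:
    """Flawed check: a valid signature under any listed key is accepted for any issuer."""
    return _verify_signature(token) is not None

def validate_hardened(token: str, expected_issuer: str) -> bool:
    """Hardened check: the issuer must match and the key must belong to that issuer's system."""
    result = _verify_signature(token)
    if result is None:
        return False
    kid, claims = result
    if claims.get("iss") != expected_issuer:
        return False
    return SIGNING_KEYS[kid]["system"] == ISSUER_SYSTEM.get(expected_issuer)
```

A real validator would also check audience and expiry; the scoping check is the one the page’s SDK description says was missing.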

Crash dumps from 2021

Although Microsoft said in September that the threat actor likely obtained the 2016 MSA key from crash dumps, the company updated the initial blog post three months later, on March 12, 2024, to clarify that this was only a theory and that it had found no evidence to support it.

While investigating the incident, Microsoft has been tracking this scenario as one of 46 hypotheses in total, one of which involves an adversary with quantum computing capabilities able to break public key cryptography.

The theory Microsoft shared with the CSRB is that the 2023 Exchange Online hack is related to another incident in 2021, in which the same threat actor compromised its corporate network through an engineer account that had been compromised more than a year earlier, providing access to sensitive authentication and identity data.

When the engineer’s device was compromised, they were working for Affirmed Networks, which Microsoft acquired in 2020 to extend its cloud platform with “fully virtualized, cloud-native mobile network solutions” for operators looking to deploy and maintain 5G networks more easily and at lower cost.

After acquiring Affirmed Networks, and without conducting a cybersecurity audit, Microsoft issued corporate credentials to the engineer whose device Storm-0558 had already compromised.

However, the CSRB says that Microsoft has not been able to provide any evidence to support this theory and only updated its advisory with clarifications after receiving pressure from the Board.

“Microsoft believes, although it has not provided specific evidence, that this 2021 intrusion was likely related to the 2023 Exchange Online compromise as it is the only other known Storm-0558 intrusion into Microsoft’s network in the committed memory. Microsoft believes that Storm-0558 accessed sensitive authentication and identity data during this 2021 incident” – Cyber Safety Review Board

The CSRB says that to this day, Microsoft still has no conclusive evidence on how the threat actors stole the signing key, and that the investigation is ongoing.

Storm-0558 focuses on espionage

During the 2023 breach, the threat actor had access to emails of senior US government officials involved in national security matters:

  • Secretary of Commerce Gina Raimondo
  • US Ambassador to the People’s Republic of China R. Nicholas Burns
  • Congressman Don Bacon
  • Assistant Secretary of State for East Asian and Pacific Affairs Daniel Kritenbrink

Over at least six weeks, the hackers stole approximately 60,000 unclassified emails from the US Department of State.

Microsoft describes Storm-0558 as a China-based threat actor that focuses on espionage and operates as a separate group, but whose activities and methods overlap with other Chinese groups.

The targets are mainly in the US and Europe and consist of “diplomatic, economic and legislative governing bodies, and individuals linked to the geopolitical interests of Taiwan and Uyghurs.”

The company notes that the hacker group demonstrates high operational security and technical skills, a deep understanding of many authentication techniques and applications, and a good understanding of a target’s environment.

In a meeting with the CSRB, Google representatives said the Threat Analysis Group (TAG) was able to link “at least one entity” related to Storm-0558 to the group behind Operation Aurora, a 2009 cyberattack from China that compromised Google’s infrastructure and resulted in the theft of intellectual property.

As part of Operation Aurora, the first large-scale, sophisticated attack on the commercial sector, more than twenty other companies were compromised, including Yahoo, Adobe, Morgan Stanley, Juniper Networks, Symantec, Northrop Grumman and Dow Chemical.

Microsoft says the goal of most Storm-0558 campaigns is to gain access to the targeted organization’s email accounts through methods ranging from credential harvesting and phishing to OAuth token attacks.
