Key Compromise Exposes Major Security Flaw in Microsoft Azure: Global Applications at Risk

The recent security breach involving Microsoft’s email infrastructure was carried out by a Chinese nation-state actor known as Storm-0558. This attack has been revealed to have a broader impact than initially thought. According to Wiz, a cloud security company, the adversaries utilized an inactive Microsoft account (MSA) consumer signing key to forge Azure Active Directory (Azure AD or AAD) tokens. This allowed them illicit access to Outlook Web Access (OWA) and Outlook.com and potentially enabled them to forge access tokens for a wide range of Azure AD applications.

These applications include those that support personal account authentication, such as OneDrive, SharePoint, and Teams, as well as customer applications with the “Login with Microsoft” functionality and multi-tenant applications under certain conditions. Ami Luttwak, chief technology officer and co-founder of Wiz, emphasized the severity of this breach by stating that an attacker with an AAD signing key could access almost any application as any user, likening this capability to a ‘shape shifter’ superpower.

Microsoft disclosed that Storm-0558 exploited this token forging technique to extract unclassified data from victim mailboxes. However, the full extent of the cyber espionage campaign remains unclear. The company is still investigating how the adversary obtained the MSA consumer signing key and whether it functioned as a master key for accessing data from nearly two dozen organizations.

Further analysis by Wiz revealed that, around the time Microsoft announced the revocation of the MSA key, it replaced one of the listed public keys, which had been in use since at least 2016. This finding led to the belief that the compromised key, designed for Microsoft’s MSA tenant in Azure, could also sign OpenID v2.0 tokens for various types of Azure Active Directory applications. It suggested that Storm-0558 had access to one of several keys intended for signing and verifying AAD access tokens, allowing them to forge tokens for any application dependent on the Azure identity platform. This ability could potentially enable malicious actors to authenticate as any user on an affected application that trusts Microsoft OpenID v2.0 mixed audience and personal-accounts certificates.
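The key-scope problem described above can be made concrete with a relying-party check that binds each signing key to the issuer it is allowed to vouch for. The following is an added example, not code from Wiz, Microsoft or the original article; the key IDs, the `login.example` issuer URLs and the per-key issuer mapping are constructed assumptions, and cryptographic signature verification is assumed to happen separately.

```python
import base64
import json

# Constructed sample data: key IDs and issuer URLs are placeholders, and the
# per-key issuer binding is an assumption of this example.
MSA_ISS = "https://login.example/consumer-tenant/v2.0"
KEYSET = {
    "kid-consumer-1": MSA_ISS,                              # consumer (MSA) key
    "kid-org-1": "https://login.example/{tenantid}/v2.0",   # enterprise (AAD) key
}

def _decode(part):
    """Decode one base64url JSON segment of a JWT."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_key_scope(token, keyset=KEYSET):
    """Return (ok, reason): is the signing key allowed to vouch for this issuer?

    Only the key-to-issuer binding is checked; cryptographic signature
    verification is a separate, mandatory step that is not shown here.
    """
    try:
        head, body, _sig = token.split(".")
        kid = _decode(head).get("kid")
        claims = _decode(body)
        iss, tid = claims.get("iss"), claims.get("tid")
    except (ValueError, AttributeError):
        return False, "malformed token"
    allowed = keyset.get(kid) if isinstance(kid, str) else None
    if allowed is None:
        return False, "unknown kid"
    if not isinstance(iss, str) or not isinstance(tid, str):
        return False, "missing iss or tid"
    if iss != allowed.replace("{tenantid}", tid):
        return False, "key not valid for issuer"
    return True, "ok"

def make_token(kid, iss, tid):
    """Build a constructed, unsigned sample token (dummy signature segment)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": kid}), enc({"iss": iss, "tid": tid}), "c2ln"])

if __name__ == "__main__":
    org = "https://login.example/tenant-a/v2.0"
    print(check_key_scope(make_token("kid-org-1", org, "tenant-a")))       # enterprise key, enterprise issuer
    print(check_key_scope(make_token("kid-consumer-1", org, "tenant-a")))  # consumer key, enterprise issuer
```

An application that accepts any key from a shared key set without this binding treats a consumer-scoped key as authoritative for enterprise tenants, which is the trust gap the Wiz analysis describes.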

Overall, this incident highlights the significant risks associated with key compromises, especially in the context of large-scale cloud infrastructure like Microsoft Azure.
