Chinese Hackers Exploit Microsoft to Breach US Government Email Accounts

Microsoft is still investigating and has not yet disclosed how China-backed hackers obtained a key that let them gain unauthorized access to multiple email accounts, including those of several government agencies. The incident, which played out over roughly a month, involved forging authentication tokens with a Microsoft signing key. The exact targets have not been publicly named, but they are said to include U.S. Commerce Secretary Gina Raimondo and U.S. State Department officials. Microsoft attributes the activity to an espionage group it tracks as Storm-0558, believed to have ties to China. The U.S. cybersecurity agency CISA confirmed that a small number of government accounts were compromised and that some unclassified email data was exfiltrated. The U.S. government has not officially attributed the hacks; China’s foreign ministry spokesperson denied the allegations.

Unlike previous instances in which China-linked groups exploited previously unknown vulnerabilities in Microsoft-powered email servers, this group went after new, undisclosed flaws in Microsoft’s cloud infrastructure. Microsoft initially believed the hackers were using an acquired enterprise signing key, but later determined they had actually used a consumer signing key to forge tokens and gain access to enterprise inboxes. The company identified a validation error in its code that allowed tokens signed with the consumer key to be accepted for enterprise accounts.
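
The class of validation error described above, shown as an added illustration that is not Microsoft's code: the key names, issuer URLs and HMAC signing below are constructed assumptions standing in for the real asymmetric keys. The naive validator accepts any token whose signature verifies under any trusted key; the hardened one also requires the key's scope to match the token issuer's scope, so a consumer key cannot mint enterprise tokens.

```python
import base64, hashlib, hmac, json

# Constructed, hypothetical key registry: each signing key is bound to the
# identity system it may sign for. HMAC keeps the example offline.
SIGNING_KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret", "scope": "consumer"},
    "enterprise-key-1": {"secret": b"enterprise-secret", "scope": "enterprise"},
}
# Constructed issuer prefixes and the key scope each one requires.
ISSUER_SCOPE = {
    "https://login.consumer.example/": "consumer",
    "https://login.enterprise.example/": "enterprise",
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Build a compact JWT-style token header.payload.signature (HS256)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(SIGNING_KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64(mac.digest())}"

def issuer_scope(iss: str):
    """Map a token issuer to the key scope that may legitimately sign for it."""
    for prefix, scope in ISSUER_SCOPE.items():
        if iss.startswith(prefix):
            return scope
    return None

def validate_token(token: str, bind_key_scope: bool) -> bool:
    """False: any trusted key with a valid signature is accepted (the bug class).
    True: the key's scope must also match the issuer's scope."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    key = SIGNING_KEYS.get(json.loads(_unb64(header_b64)).get("kid"))
    if key is None:
        return False
    mac = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), _unb64(sig_b64)):
        return False
    if not bind_key_scope:
        return True
    claims = json.loads(_unb64(payload_b64))
    return issuer_scope(claims.get("iss", "")) == key["scope"]

# Constructed scenario: an enterprise-issuer token signed with the consumer key.
FORGED = sign_token("consumer-key-1", {"iss": "https://login.enterprise.example/tenant/", "sub": "u@corp.example"})
```

Running `validate_token(FORGED, False)` accepts the forged token, while `validate_token(FORGED, True)` rejects it because the consumer key is not bound to the enterprise issuer.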

Microsoft says it has blocked all hacker activity related to this incident and believes the threat is now over. It has taken steps to harden its key issuance systems to prevent similar incidents in the future. Because the attackers reused the same key across their intrusions, Microsoft was able to trace their access requests and has notified those affected.

Although the immediate threat has subsided, Microsoft is facing scrutiny over its handling of the incident, which is considered one of the largest breaches of unclassified government data since the 2020 SolarWinds hack. Critics argue that Microsoft’s blog post on the matter downplayed the severity by avoiding terms like “zero-day” and declining to label it a vulnerability. The company is also under fire for how little visibility government departments had into the intrusions, and for its decision to reserve security logs for higher-tier government accounts.

While Microsoft’s expanded disclosure provides additional technical details and indicators of compromise for incident responders, there are still unanswered questions surrounding the incident. The company is likely to face ongoing scrutiny as the investigation continues.

Editorial Team

The Founders 40 Editorial Team is composed of seasoned journalists, industry experts, and dedicated contributors from diverse backgrounds. Reach us at editorial@founders40.com