In July we released Identity Crisis in the Cloud which revealed an attack in which the Storm-0558 threat actor obtained forged access tokens. In a recent development, Microsoft has shed light on intricate details of the security incident and how they successfully leveraged a Microsoft account (MSA) consumer key to forge tokens for unauthorized access to Outlook Web Access (OWA) and Outlook.com.

This incident sent shockwaves across the cybersecurity community, highlighting the significance of securing sensitive identity provider signing keys. Microsoft’s comprehensive technical investigation into this incident uncovered crucial information, leading to a more profound understanding of how the breach occurred.

Their production environment, characterized by stringent controls such as background checks, dedicated accounts, secure access workstations, and multifactor authentication, is meticulously designed to prevent common account compromise vectors. These controls are in place to protect against threats like malware infections, phishing, and unauthorized access.

However, the investigation revealed a significant flaw in this otherwise robust system. In April 2021, a consumer signing system crash resulted in a “crash dump” which is a collection of information about the state of the machine at the time of the crash that inadvertently contained the signing key. A race condition allowed this sensitive key to be present in the crash dump, and unfortunately, this anomaly went undetected.

This crash dump, which was not initially perceived as a threat, was moved from the isolated production network to a debugging environment on the corporate network. This transition adhered to standard debugging procedures. Regrettably, the presence of the key material in the crash dump escaped detection.

The Storm-0558 actor took advantage of this vulnerability by compromising a Microsoft engineer’s corporate account, which had access to the debugging environment housing the crash dump. While specific evidence of this exfiltration is absent due to log retention policies, it is considered the most probable means by which the threat actor obtained the key.

Furthermore, Microsoft’s attempt to facilitate the convergence of consumer and enterprise applications in September 2018 inadvertently contributed to this incident. Documentation clarifying key scope validation requirements for enterprise and consumer accounts was updated, but the associated libraries were not automatically updated to perform this validation. This oversight allowed the mail system to accept requests for enterprise email using a security token signed with the consumer key.

This incident underscores the importance of diligent security practices, vigilant monitoring, and transparency in addressing evolving cyberthreats. It serves as a reminder to organizations and cloud service providers worldwide to remain proactive in safeguarding critical keys to protect user data and privacy effectively.

In Summary: Microsoft has revealed how the threat actor, Storm-0558, exploited a Microsoft account (MSA) consumer key to forge tokens for unauthorized access to Outlook Web Access and Outlook.com. This security incident exposed vulnerabilities in Microsoft’s systems, particularly related to the mishandling of a sensitive signing key, and underscores the critical importance of robust security measures.

Why It Matters: This information highlights the intricacies of a major security breach within a widely used platform like Microsoft. MSPs must stay informed about such incidents to enhance their cybersecurity practices and protect their clients’ data and systems effectively. Understanding the specifics of this breach, including the mishandling of keys and the importance of thorough security protocols, can guide MSPs in implementing more robust security measures for their clients, safeguarding against similar threats, and ensuring data privacy and integrity.

To stay up to date on all APG intel, follow them on Twitter and Reddit.