Microsoft links Outlook hack to an engineer’s corporate account

Microsoft officials said Wednesday that they had traced the source of the China-based cyberattack that accessed government email accounts supplied by the company’s software.

In a blog post, Microsoft officials said that threat actor Storm-0558 breached one of its engineer’s corporate accounts and obtained the Microsoft account consumer signing key from a snapshot of an April 2021 crash dump on the signing system.

Storm-0558 went on to use the key to forge authentication tokens and access email accounts at approximately 25 organizations through Outlook Web Access in Exchange Online and Outlook.com beginning May 15. 

Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns, Assistant Secretary of State for East Asia Daniel Kritenbrink and Rep. Don Bacon, R-Neb., had their email accounts compromised, according to The Washington Post.

Microsoft officials began investigating in June after discovering anomalous mail activity and identified Storm-0558. The company released a public statement in July after notifying the affected account holders. 

A senior Cybersecurity and Infrastructure Security Agency official described the cyberattack as a "surgical campaign" that targeted a "small number of mailboxes" during a phone call with reporters in July.

According to Microsoft’s blog Wednesday, the April 2021 crash dump included an unredacted copy of the consumer key in its snapshot, which the company said occurred due to a software error known as a race condition. 

The company said in its blog post that the key’s presence in the crash dump was not detected by its systems, but the issue has since been corrected. 

“We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence,” the blog said.

The snapshot of the crash dump was on the compromised Microsoft account, ultimately providing the key to Storm-0558. 

The blog said that due to customer demand for applications that work with both consumer and enterprise applications, Microsoft introduced a common key metadata publishing endpoint in September 2018 and delineated key validation for enterprise and consumer accounts.

“Microsoft provided an [application programming interface] to help validate the signatures cryptographically but did not update these libraries to perform this scope validation automatically,” the blog said. “The mail systems were updated to use the common metadata endpoint in 2022. Developers in the mail system incorrectly assumed libraries performed complete validation and did not add the required issuer/scope validation.”

Because of this, a comprised consumer key was able to generate forged authentication tokens to access enterprise accounts. Microsoft said the issue has been corrected. 

Moving forward, the company said it is hardening its systems through a correction of the race condition; enhancing prevention, detection and response for key material included in crash dumps; scanning for exposed signing keys in its debugging environment; and has created enhanced libraries to automate key scope validation.

The Department of Homeland Security's Cyber Safety Review Board intends to investigate the attack amid growing criticism of Microsoft by some members of Congress.