Microsoft Blocks All Actor Activity after Hackers Stole Key to Forge Authentication Tokens

by Ibukun Ogundare · 3 min read


After disclosing an intrusion that targeted customer email, Microsoft has yet to release more details on how the attackers got into the system. The company attributed the activity to the threat actor it tracks as Storm-0558. The group has previously targeted military and government bodies, primarily in Europe, and its activity has also affected the telecommunications and finance industries.

Microsoft explained that the China-based actor accessed email accounts at about 25 organizations. Along with the government agencies that fell victim, individuals likely associated with those organizations were also affected. A few days later, the company emphasized that its investigation is ongoing and that it has taken steps to strengthen the protection of the systems involved. Microsoft also analyzed the techniques, tools, and distinctive infrastructure characteristics the hackers used to gain unauthorized access to email data.

Hackers Get Hold of Microsoft Consumer Signing Keys

According to Microsoft, the hackers obtained one of its consumer signing keys, known as an MSA key, which the company uses to secure consumer email accounts. At first, Microsoft assumed the attackers would need a stolen enterprise signing key to forge authentication tokens for corporate and enterprise email accounts. Instead, they used the acquired Microsoft account (MSA) consumer signing key to access enterprise users’ email, which the team said was possible “by a validation error in Microsoft code”. That same mismatch was also the attackers’ mistake: it gave investigators a clear signal by which to trace their activity.

“The use of an incorrect key to sign the requests allowed our investigation teams to see all actor access requests which followed this pattern across both our enterprise and consumer systems. Use of the incorrect key to sign this scope of assertions was an obvious indicator of the actor activity as no Microsoft system signs tokens in this way,” wrote the company.
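
The two points above, a validator that trusts any known key for any audience and the fact that a key signing outside its own scope is an unmistakable signal, can be shown in code. The following is an added illustration, not Microsoft's code or Microsoft's actual token format: it models the flawed check beside the corrected one and an audit routine that flags key misuse. The key names, secrets, and claims are constructed for the example, and HMAC stands in for the real asymmetric signing keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys (not Microsoft's): each is bound to the one audience it may sign for.
KEYS = {
    "msa-consumer-key": {"secret": b"consumer-secret", "audience": "consumer"},
    "aad-enterprise-key": {"secret": b"enterprise-secret", "audience": "enterprise"},
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid, claims):
    # Mint a compact JWS-style token header.claims.signature (HMAC stands in for RSA).
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def _verify_signature(token):
    # Return (kid, claims) when the signature checks out under the key named by kid.
    header, body, sig = token.split(".")
    kid = json.loads(_unb64(header)).get("kid")
    if kid not in KEYS:
        return None
    mac = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return (kid, json.loads(_unb64(body))) if hmac.compare_digest(mac, _unb64(sig)) else None

def validate_lenient(token, service_audience):
    # Flawed check: any trusted key is accepted for any audience, so a consumer
    # key can mint a token that an enterprise mailbox service accepts.
    result = _verify_signature(token)
    return result is not None and result[1]["aud"] == service_audience

def validate_strict(token, service_audience):
    # Fixed check: the key named by kid must itself be bound to the token's audience.
    result = _verify_signature(token)
    return (result is not None and result[1]["aud"] == service_audience
            and KEYS[result[0]]["audience"] == service_audience)

def audit_key_misuse(tokens):
    # Detection: a key signing for an audience it is not bound to is something
    # no legitimate issuer does, so every match is worth an alert.
    checked = [r for r in map(_verify_signature, tokens) if r is not None]
    return [kid for kid, claims in checked if KEYS[kid]["audience"] != claims["aud"]]
```

Running `audit_key_misuse` over tokens seen at the enterprise service surfaces exactly the pattern the company describes: requests signed with a key that should never sign for that scope.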

Notably, the company said it has applied measures to block all actor activity related to this incident. Does that mean the storm has passed and the hackers have lost access? While the team did not specify exactly how it lost control of its own key, the good news is that the company says it has “hardened key issuance systems”.

Even if the threat is over and the hackers have lost control, Microsoft still needs to answer to regulators, and the company now faces scrutiny over its handling of the incident. According to CNN, the State Department detected the attack first and then reported it to Microsoft. Not every government agency has the logging needed to notice such activity: The Wall Street Journal explained that this level of security logging is only available on Microsoft's higher-priced licensing tiers. Scrutiny is indeed coming Microsoft's way following the attack.
