- A China-based threat actor known as Storm-0558 gained access to a Microsoft account (MSA) cryptographic key, which was inadvertently leaked in a crash dump outside Microsoft’s protected environment in April 2021.
- Storm-0558 compromised the corporate account of a Microsoft engineer, an account that likely had access to the debugging environment where the MSA key was stored. This is how the threat actor is believed to have acquired the key, although there are no specific logs confirming it.
- The compromised cryptographic key was used, in combination with a zero-day vulnerability, to forge signed access tokens and impersonate targeted accounts within 25 organizations, primarily to gain access to Exchange Online and Outlook. Microsoft took steps to mitigate the breach and prevent further unauthorized access.
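The defensive lesson in the summary above is that a token verifier must not accept a signature merely because it was produced by some key it knows; the key also has to be one that is authorized to sign for the audience being served. The following is an added example, not code from the article or from Microsoft, and it does not describe the actual vulnerability. It uses a simplified JWT-like token with HMAC-SHA256 from the Python standard library; the key IDs, audiences, secrets and claims are all constructed for illustration, and the "consumer key signs an enterprise token" scenario is an assumed generic failure mode used to contrast a weak verifier with a strict one.

```python
"""Added example (not from the article): bind signing keys to the audience
they may sign for, rather than accepting any known key's valid signature.

Everything here is constructed for illustration: key IDs, secrets, audiences
and claims stand in for real key material and are not taken from any incident.
"""
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(segment: str) -> bytes:
    """Reverse of _b64: restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Produce header.payload.signature using HMAC-SHA256 (constructed format)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


# Constructed key material: one signing key per trust domain.
KEYS = {
    "consumer-key-2016": b"consumer-secret",      # stands in for a consumer-account signing key
    "enterprise-key-2023": b"enterprise-secret",  # stands in for an enterprise signing key
}

# The check a weak verifier lacks: which key IDs may sign for which audience.
ALLOWED_KIDS_FOR_AUD = {
    "api://enterprise-mail": {"enterprise-key-2023"},
    "api://consumer-mail": {"consumer-key-2016"},
}


def _parse(token: str):
    """Split a token into decoded header, decoded claims, raw signature, signing input."""
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), f"{h}.{p}"


def verify_weak(token: str, expected_aud: str) -> bool:
    """Weak verifier: any known key with a valid signature is accepted."""
    header, claims, sig, signing_input = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected) and claims.get("aud") == expected_aud


def verify_strict(token: str, expected_aud: str) -> bool:
    """Strict verifier: the key must also be authorized for this audience."""
    header, claims, sig, signing_input = _parse(token)
    kid = header.get("kid")
    if kid not in ALLOWED_KIDS_FOR_AUD.get(expected_aud, set()):
        return False  # right signature, wrong trust domain: reject before checking the MAC
    expected = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected) and claims.get("aud") == expected_aud


def demo() -> dict:
    """Contrast the two verifiers on a cross-domain token and a legitimate one."""
    claims = {"sub": "user@example.test", "aud": "api://enterprise-mail"}
    # Constructed: a token for the enterprise audience minted with the consumer key,
    # modelling what a leaked key from the wrong trust domain would let someone produce.
    cross_domain = sign_token("consumer-key-2016", KEYS["consumer-key-2016"], claims)
    legit = sign_token("enterprise-key-2023", KEYS["enterprise-key-2023"], claims)
    return {
        "weak_accepts_cross_domain": verify_weak(cross_domain, "api://enterprise-mail"),
        "strict_accepts_cross_domain": verify_strict(cross_domain, "api://enterprise-mail"),
        "strict_accepts_legit": verify_strict(legit, "api://enterprise-mail"),
    }


if __name__ == "__main__":
    print(demo())
```

The weak verifier passes the cross-domain token because its signature is genuinely valid under a key the verifier trusts for some purpose; only the audience-to-key binding in `verify_strict` catches it. In a real deployment the same binding is expressed through separate key sets (JWKS) per issuer and a rotation policy, so that a key leaked from one environment cannot be used to mint tokens for another.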