Microsoft reports on Outlook email hacking investigation – here’s what went wrong

Microsoft released a blog post explaining the behind-the-scenes acquisitions from the incident on July 11, 2023, in which a China-based threat actor named Storm-0558 compromised the security of Microsoft accounts.

The attack was massive; even the U.S. lawmaker’s accounts got hacked, as well as the email accounts of approximately 25 organizations, including U.S. government agencies.

But in April 2021, there was a computer crash, and something important called a “consumer signing key” got mixed up in the crash report. This key was not supposed to be in the crash dump but was due to a race condition. This key material was moved to the corporate network’s debugging environment without detection.

Compromise of an Engineer’s Account

After this key was moved, the group Storm-0558 could hack into an engineer’s Microsoft account. This engineer had access to the part of Microsoft’s computers with the key. The text suggests that no specific logs prove this exfiltration, but it is the most likely way the threat actor acquired the key.

Why a Consumer Key Accessed Enterprise Mail

Microsoft explains that they introduced a common key metadata publishing endpoint in September 2018 to support applications for both consumer and enterprise accounts. However, a mistake was made in updating libraries and documentation related to key scope validation. This meant the hackers could use a regular key to get into business email.

Microsoft outlines the actions taken to address the incident. These include identifying and correcting the race condition issue, enhancing prevention, detection, and response mechanisms for handling key material in crash dumps, improving credential scanning, and releasing enhanced libraries to automate key scope validation in authentication libraries.