Getty Images

How Storm-0558 hackers stole an MSA key from Microsoft

Microsoft detailed a series of errors that led to a consumer account signing key accidentally being included in a crash dump that was later accessed by Storm-0558 actors.

After weeks of uncertainty, Microsoft confirmed the consumer signing key used to breach email accounts in May was stolen from the software giant's own network.

In July, Microsoft disclosed a China-based threat actor it tracks as Storm-0558 compromised customer email accounts at approximately 25 organizations that included U.S. federal agencies. The threat actors used a stolen Microsoft account (MSA) consumer signing key to forge authentication tokens for Outlook Web Access and Outlook.com. The attackers also exploited a token validation issue to impersonate Azure Active Directory users and gain access to their email.

Fallout from the month-long attacks that began in May included criticism over Microsoft's response to the attacks, specifically a lack of information about how the MSA key was stolen. The company also faced criticism over limited logging features that hindered detection of the Storm-0558 attacks.

Nearly two months after first disclosing the attacks, Microsoft on Wednesday announced the investigation determined the key was stolen from its corporate environment thanks to a series of errors. Storm-0558 compromised a Microsoft engineer's account and then gained access to the Microsoft network and the debugging environment where the MSA key was accidentally lurking.

The MSA key ended up in the debugging environment due to several Microsoft errors. In total, there were six security mistakes Microsoft addressed in the blog that resulted in Storm-0558 gaining such privileged access.

"Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the cashed process ('crash dump'). The crash dumps, which redacts sensitive information should not include the signing key," Microsoft wrote in the blog. "In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material's presence in the crash dump was not detected by our systems (this issue has been corrected)."

Update: On March 12, 2024, Microsoft added an addendum to the blog post that said the investigation did not find the impacted key material in a crash dump. On April 2, 2024, the Department of Homeland Security's Cyber Safety Review Board issued a report on its investigation into the Storm-0558 attack. The report noted that Microsoft had no evidence that the MSA key was contained in or exfiltrated from a crash dump. Despite informing the CSRB of this in November 2023, Microsoft did not correct the inaccurate blog post until March 12, 2024.

TechTarget Editorial asked Microsoft if the race condition issue was caused by a vulnerability within a Microsoft product. A Microsoft spokesperson said this was not the case. "Vulnerability is a specific term, and we would use the term vulnerability if it was appropriate. 'Issue' in the blog refers to things such as misconfiguration, operator errors or unintended byproducts of other actions," the spokesperson said.

Because Microsoft did not believe the crash dump contained any key material, it was moved from an isolated production network into Microsoft's debugging environment, which was on the internet-connected corporate network. While the vendor's scanning methods did not detect any signing keys, Microsoft said the mistake has been corrected.

"After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer's corporate account," the blog post said.

The Microsoft spokesperson said the engineer's account was compromised through token-stealing malware but did not provide further details about the credential theft. The attackers used the account to access the debugging environment, which included the crash dump with the MSA key.

However, Microsoft acknowledged some uncertainty with its investigation. "Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor. But this was the most probable mechanism by which the actor acquired the key," the company said.

TechTarget Editorial asked Microsoft if the Storm-0558 attackers may have obtained other sensitive information from the debugging environment or other parts of the network that the engineer account had access to. The company declined to comment further.

More Microsoft mistakes

In the wake of the Storm-0558 attacks, Microsoft was heavily criticized for what other cybersecurity described as missteps and security failings, beginning with limited logging. The threat activity was first discovered by a Federal Civilian Executive Branch (FCEB) agency, which reported the activity to Microsoft. In an advisory about the Storm-0558 attacks, CISA noted the FCEB agency was only able to detect the intrusion because it has enabled enhanced logging for Microsoft 365.

Microsoft later announced it would expand logging capabilities free of charge for customers, beginning this month. But the company also faced complaints from cybersecurity vendors and threat researchers who felt Microsoft had downplayed the token validation issue and failed to provide adequate information about the capabilities -- and potential threat -- of MSA consumer signing keys.

Wednesday's blog post added more fuel to that fire. Microsoft addressed yet another concern over why a consumer key was able to access enterprise email in the first place. The company attributed it to the introduction of a "common key metadata publishing endpoint in September 2018" that was intended to help customers who worked with consumer and enterprise applications.

Another error by Microsoft allowed the mail system to accept a request for enterprise mail using a security token signed with the consumer key.

"As part of a pre-existing library of documentation and helper APIs, Microsoft provided an API to help validate the signatures cryptographically but did not update these libraries to perform this scope validation automatically (this issue has been corrected)," the blog read.

To help prevent these kinds of attacks in the future, Microsoft said it enhanced detection and response for key material erroneously included in crash dumps and enhanced credential scanning to help detect the presence of the signing key in the debugging environment.

In addition to complaints from cybersecurity vendors, Microsoft's handling of the Storm-0558 attacks has also garnered scrutiny from the U.S. government. Last month, Oregon Senator Ron Wyden published an open letter that slammed Microsoft. Wyden asked CISA director Jen Easterly, Attorney General Merrick Garland and Federal Trade Commission chair Lina Khan and their respective agencies to "take action to hold Microsoft responsible for its negligent cybersecurity practices, which enabled a successful Chinese espionage campaign against the United States government."

Last month, the Department of Homeland Security (DHS) announced the Cyber Safety Review Board had initiated a broad review of cloud security threats and efforts to improve identity management and authentication among cloud service providers. DHS said the review will include an assessment of the Stomr-0558 attacks.

Article updated on 4/3/2024.

Arielle Waldman is a Boston-based reporter covering enterprise security news. Security news director Rob Wright contributed to this report.

Dig Deeper on Threat detection and response