Microsoft reports on Outlook email hacking investigation – here’s what went wrong
2 min. read
Published on September 7, 2023
Microsoft released a blog post explaining the behind-the-scenes details of the incident disclosed on July 11, 2023, in which a China-based threat actor named Storm-0558 compromised the security of Microsoft accounts.
The attack was massive; even U.S. lawmakers’ accounts were hacked, as well as the email accounts of approximately 25 organizations, including U.S. government agencies.
Microsoft traces the root cause back to April 2021, when a system crash produced a crash dump that contained a “consumer signing key.” The key was never supposed to appear in a crash dump, but a race condition caused it to be included. The crash dump, and the key material with it, was then moved to the corporate network’s debugging environment without detection.
Compromise of an Engineer’s Account
After the key had been moved, Storm-0558 was able to compromise the corporate account of a Microsoft engineer. This engineer had access to the debugging environment that held the crash dump with the key. Microsoft’s post notes that no specific logs prove this exfiltration, but it is the most likely way the threat actor acquired the key.
Why a Consumer Key Accessed Enterprise Mail
Microsoft explains that it introduced a common key metadata publishing endpoint in September 2018 to support applications that work with both consumer and enterprise accounts. However, the libraries and documentation related to key scope validation were not updated correctly as part of that change. As a result, a consumer key could be accepted for enterprise email, which is how the attackers got in.
Microsoft outlines the actions taken to address the incident: identifying and correcting the race condition, enhancing prevention, detection, and response mechanisms for key material in crash dumps, improving credential scanning, and releasing enhanced libraries that automate key scope validation in authentication libraries.
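The scope-validation gap described in the two paragraphs above, and the library fix Microsoft lists, are illustrated by this added example; it is not code from Microsoft or from this article. Every key, issuer and secret in it is constructed, and HMAC stands in for the real RSA signing keys so it runs offline: a key published on a shared metadata endpoint is trusted for any issuer in the weak verifier, while the hardened verifier also requires the key’s scope to match the token’s issuer and the resource being accessed.

```python
import base64
import hmac
import json
# Constructed combined key metadata endpoint: each key records the account scope it
# may sign for. HMAC stands in for the real RSA keys so the example runs offline.
KEYS = {
    "consumer-key": {"secret": b"consumer-demo-secret", "scope": "consumer"},
    "enterprise-key": {"secret": b"enterprise-demo-secret", "scope": "enterprise"},
}
# Constructed issuer table: the account scope each token issuer belongs to.
ISSUER_SCOPE = {
    "https://consumer.example/": "consumer",
    "https://enterprise.example/tenant-a/": "enterprise",
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    # Mint a compact JWS-style token under the named key (constructed format).
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), "sha256")
    return f"{header}.{body}.{_b64(mac.digest())}"

def _verify_signature(token: str):
    # Return (key, claims) when the signature checks out against the shared key set.
    header, body, sig = token.split(".")
    key = KEYS.get(json.loads(_unb64(header))["kid"])
    mac = hmac.new(key["secret"], f"{header}.{body}".encode(), "sha256") if key else None
    if mac is None or not hmac.compare_digest(mac.digest(), _unb64(sig)):
        return None
    return key, json.loads(_unb64(body))

def verify_without_scope_check(token: str) -> bool:
    # Weak pattern: any key from the shared endpoint is trusted for any known issuer.
    result = _verify_signature(token)
    return result is not None and result[1].get("iss") in ISSUER_SCOPE

def verify_with_scope_check(token: str, resource_scope: str) -> bool:
    # Hardened: the signing key's scope must match both the issuer and the resource.
    result = _verify_signature(token)
    if result is None:
        return False
    key, claims = result
    issuer_scope = ISSUER_SCOPE.get(claims.get("iss"))
    return issuer_scope == resource_scope and key["scope"] == issuer_scope
```

A token for the enterprise issuer signed with the consumer key passes `verify_without_scope_check` but is rejected by `verify_with_scope_check`, which is the class of mismatch the updated libraries are meant to catch automatically.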
Davesh Beri