
The recent attack against Microsoft’s email infrastructure by a Chinese nation-state actor referred to as Storm-0558 is said to have a broader scope than previously thought.

According to cloud security company Wiz, the inactive Microsoft account (MSA) consumer signing key used to forge Azure Active Directory (Azure AD or AAD) tokens to gain illicit access to Outlook Web Access (OWA) and Outlook.com could also have allowed the adversary to forge access tokens for various types of Azure AD applications.

This includes every application that supports personal account authentication, such as OneDrive, SharePoint, and Teams; customers' applications that support the “Login with Microsoft” functionality; and multi-tenant applications in certain conditions.

“Everything in the world of Microsoft leverages Azure Active Directory auth tokens for access,” Ami Luttwak, chief technology officer and co-founder of Wiz, said in a statement. “An attacker with an AAD signing key is the most powerful attacker you can imagine, because they can access almost any app – as any user. This is a ‘shape shifter’ superpower.”
