Microsoft on Friday said a validation error in its source code allowed for Azure Active Directory (Azure AD) tokens to be forged by a malicious actor known as Storm-0558 using a Microsoft account (MSA) consumer signing key to breach two dozen organizations.
“Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com,” the tech giant said in a deeper analysis of the campaign. “The method by which the actor acquired the key is a matter of ongoing investigation.”
“Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.”
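The defect class Microsoft describes above is a token verifier that trusts a signing key outside the scope it was issued for. The Python below is an added illustration, not Microsoft's code and not a description of its real validation logic: it builds a minimal HS256-style token format and contrasts a weak verifier, which accepts any known key as long as the signature checks out, with a scoped verifier that only accepts a key provisioned for the issuer the relying party expects. All key ids, secrets, issuer and audience URLs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key rings: each key is provisioned for exactly one issuer.
# Key ids, secrets and URLs are invented for this illustration.
CONSUMER_ISS = "https://consumer-idp.example"
ENTERPRISE_ISS = "https://enterprise-idp.example"
AUD = "https://mail.example"

KEYS = {
    "consumer-key-1": {"secret": b"constructed-consumer-secret", "issuers": {CONSUMER_ISS}},
    "enterprise-key-1": {"secret": b"constructed-enterprise-secret", "issuers": {ENTERPRISE_ISS}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Produce a compact header.payload.signature token signed with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), f"{h}.{p}"


def _signature_ok(key: dict, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _claims_ok(claims: dict, expected_issuer: str, expected_audience: str) -> bool:
    return (
        claims.get("iss") == expected_issuer
        and claims.get("aud") == expected_audience
        and claims.get("exp", 0) > time.time()
    )


def validate_flawed(token: str, expected_issuer: str, expected_audience: str) -> bool:
    """Weak verifier: the key is looked up in one shared pool and trusted for any issuer.
    A token signed with a key meant only for the consumer issuer is accepted as an
    enterprise token because the 'iss' claim, which the token itself carries, matches."""
    header, claims, sig, signing_input = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return False
    return _claims_ok(claims, expected_issuer, expected_audience)


def validate_scoped(token: str, expected_issuer: str, expected_audience: str) -> bool:
    """Hardened verifier: the key must be provisioned for the issuer the verifier
    expects. The check is against the verifier's own trust configuration, not against
    the token's 'iss' claim, which the signer controls."""
    header, claims, sig, signing_input = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None or expected_issuer not in key["issuers"]:
        return False
    if not _signature_ok(key, signing_input, sig):
        return False
    return _claims_ok(claims, expected_issuer, expected_audience)


def demo() -> dict:
    """Compare both verifiers on a legitimate enterprise token and on a token that was
    signed with the consumer key but claims the enterprise issuer."""
    now = int(time.time())
    legit = sign_token("enterprise-key-1", {"iss": ENTERPRISE_ISS, "aud": AUD, "sub": "alice", "exp": now + 3600})
    cross = sign_token("consumer-key-1", {"iss": ENTERPRISE_ISS, "aud": AUD, "sub": "alice", "exp": now + 3600})
    expired = sign_token("enterprise-key-1", {"iss": ENTERPRISE_ISS, "aud": AUD, "sub": "alice", "exp": now - 1})
    return {
        "legit_flawed": validate_flawed(legit, ENTERPRISE_ISS, AUD),
        "legit_scoped": validate_scoped(legit, ENTERPRISE_ISS, AUD),
        "cross_flawed": validate_flawed(cross, ENTERPRISE_ISS, AUD),
        "cross_scoped": validate_scoped(cross, ENTERPRISE_ISS, AUD),
        "expired_scoped": validate_scoped(expired, ENTERPRISE_ISS, AUD),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is where the key-to-issuer binding lives: in the verifier's trust configuration, keyed by the issuer the relying party expects, rather than in a single flat key pool consulted by `kid` alone. A verifier that builds one shared pool from several issuers' key sets reproduces the weak behaviour even when every signature and every claim check is otherwise correct.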
It’s not immediately clear if the token validation issue was exploited as a “zero-day vulnerability” or if Microsoft was already aware of the problem before it came under in-the-wild abuse.
The attacks singled out approximately 25 organizations, including government entities and associated consumer accounts, to gain unauthorized email access and exfiltrate mailbox data. No other environment is said to have been impacted.