https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/
Results of Major Technical Investigations for Storm-0558 Key Acquisition
MSRC / By MSRC / September 06, 2023 / 3 min read

On July 11, 2023, Microsoft published a blog post which details how the China-based threat actor, Storm-0558, used an acquired Microsoft account (MSA) consumer key to forge tokens to access OWA and Outlook.com. Upon identifying that the threat actor had acquired the consumer key, Microsoft performed a comprehensive technical investigation into the acquisition of the Microsoft account consumer signing key, including how it was used to access enterprise email. Our technical investigation has concluded. As part of our commitment to transparency and trust, we are releasing our investigation findings.

Key acquisition

Microsoft maintains a highly isolated and restricted production environment. Controls for Microsoft employee access to production infrastructure include background checks, dedicated accounts, secure access workstations, and multi-factor authentication using hardware token devices. Controls in this environment also prevent the use of email, conferencing, web research and other collaboration tools which can lead to common account compromise vectors such as malware infections or phishing, as well as restricting access to systems and data using Just in Time and Just Enough Access policies.

Our corporate environment, which also requires secure authentication and secure devices, allows for email, conferencing, web research and other collaboration tools. While these tools are important, they also make users vulnerable to spear phishing, token-stealing malware, and other account compromise vectors. For this reason - by policy and as part of our Zero-Trust and "assume breach" mindset - key material should not leave our production environment.
Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process ("crash dump"). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material's presence in the crash dump was not detected by our systems (this issue has been corrected).

We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet-connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).

After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer's corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.

Why a consumer key was able to access enterprise mail

To meet growing customer demand to support applications which work with both consumer and enterprise applications, Microsoft introduced a common key metadata publishing endpoint in September 2018. As part of this converged offering, Microsoft updated documentation to clarify the requirements for key scope validation - which key to use for enterprise accounts, and which to use for consumer accounts.
As part of a pre-existing library of documentation and helper APIs, Microsoft provided an API to help validate the signatures cryptographically but did not update these libraries to perform this scope validation automatically (this issue has been corrected). The mail systems were updated to use the common metadata endpoint in 2022. Developers in the mail system incorrectly assumed libraries performed complete validation and did not add the required issuer/scope validation. Thus, the mail system would accept a request for enterprise email using a security token signed with the consumer key (this issue has been corrected using the updated libraries).

Post Incident Review

Microsoft is continuously hardening systems as part of our defense in depth strategy. Investments which have been made related to MSA key management are covered in the https://aka.ms/storm-0558 blog. Items detailed in this blog are a subset of these overall investments. We are summarizing the improvements specific to these findings here for clarity:

1. Identified and resolved race condition that allowed the signing key to be present in crash dumps
2. Enhanced prevention, detection, and response for key material erroneously included in crash dumps
3. Enhanced credential scanning to better detect presence of signing key in the debugging environment
4. Released enhanced libraries to automate key scope validation in authentication libraries, and clarified related documentation

Tags: Azure AD, Identity, Investigations
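Two of the findings above lend themselves to a worked illustration: a token validator that checks the signature against a shared key set but never checks that the key is scoped to the token's issuer (the "incomplete validation" pattern) next to the corrected validator, and a credential scan over a crash-dump-like blob that flags embedded key material before the dump leaves the isolated environment. The following is an added Python example written for this page; it is not Microsoft's code or the authentication library the post refers to. It assumes constructed HMAC keys (real signing keys are asymmetric and live in an HSM; HMAC is used only so the example runs with the standard library), constructed issuer URLs under login.example, a constructed token format, and a constructed dump blob.

```python
"""Added example: key-scope validation for tokens and key-material scanning
for crash dumps, on constructed data. Not Microsoft code."""
import base64
import hashlib
import hmac
import json
import re

# Constructed demo key set, standing in for a common key metadata endpoint
# that publishes both consumer and enterprise keys. Each key records which
# issuer(s) it is allowed to sign for; that scope is the check that was missing.
KEYS = {
    "consumer-key-1": {
        "secret": b"constructed-consumer-secret",
        "allowed_issuers": {"https://login.example/consumer"},
    },
    "enterprise-key-1": {
        "secret": b"constructed-enterprise-secret",
        "allowed_issuers": {"https://login.example/enterprise"},
    },
}
ENTERPRISE_ISSUER = "https://login.example/enterprise"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWS-style token (header.payload.signature) with the named key."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _parse(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(_unb64url(header_b64)), json.loads(_unb64url(payload_b64)),
            header_b64, payload_b64, _unb64url(sig_b64))


def verify_signature_only(token: str) -> dict:
    """Incomplete pattern: the signature is checked against whichever key the
    token names, but nothing ties that key to the token's issuer."""
    header, claims, h, p, sig = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return claims


def verify_with_scope(token: str, expected_issuer: str) -> dict:
    """Corrected pattern: signature, then issuer, then key scope for that issuer."""
    claims = verify_signature_only(token)
    kid = _parse(token)[0]["kid"]
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    if expected_issuer not in KEYS[kid]["allowed_issuers"]:
        raise ValueError("key is not scoped to this issuer")
    return claims


def accepts(verifier, token: str, *args) -> bool:
    """True if the verifier accepts the token, False if it rejects it."""
    try:
        verifier(token, *args)
        return True
    except ValueError:
        return False


# Byte patterns that indicate private key material inside a process snapshot.
_KEY_PATTERNS = [
    ("pem-private-key", re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("jwk-private-exponent", re.compile(rb'"d"\s*:\s*"[A-Za-z0-9_-]{32,}"')),
]


def scan_for_key_material(blob: bytes) -> list:
    """Return (offset, label) for every suspected key fragment in a dump blob."""
    return sorted((m.start(), label) for label, pat in _KEY_PATTERNS for m in pat.finditer(blob))


# Constructed dump-like blob: ordinary memory around an embedded PEM block.
SAMPLE_DUMP = (b"\x00" * 64 + b"request-id=abc123\n"
               + b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n"
               + b"\xff" * 32)


def demo() -> dict:
    claims = {"iss": ENTERPRISE_ISSUER, "sub": "user@contoso.example"}
    mis_scoped = sign_token("consumer-key-1", claims)    # consumer key, enterprise issuer
    legit = sign_token("enterprise-key-1", claims)
    return {
        "mis_scoped_accepted_by_signature_only": accepts(verify_signature_only, mis_scoped),
        "mis_scoped_accepted_with_scope": accepts(verify_with_scope, mis_scoped, ENTERPRISE_ISSUER),
        "legit_accepted_with_scope": accepts(verify_with_scope, legit, ENTERPRISE_ISSUER),
        "dump_findings": scan_for_key_material(SAMPLE_DUMP),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the post describes: the signature-only validator accepts the enterprise-issuer token signed by the consumer key because the signature is cryptographically valid, while the scoped validator rejects it and still accepts the properly keyed token. The scan function is the kind of pre-transfer gate that finding 3 calls for; in practice it would run on every dump before it crosses from the production network into a debugging environment, and the pattern list would be extended to the key formats the signing service actually uses.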