- Aug 17, 2017
Second sourceMicrosoft reported on Tuesday that a Chinese cyberespionage group it tracks as Storm-0558 was recently spotted using forged authentication tokens to hack government email accounts. According to the tech giant, the hackers gained access to the email accounts of roughly 25 organizations, including government agencies and consumer accounts belonging to individuals associated with the targeted entities.
Microsoft’s investigation showed that the threat actor forged authentication tokens to gain access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com. Specifically, the attackers used a Microsoft account (MSA) consumer signing key to forge the tokens.
“MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems,” Microsoft explained. “The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor.”
The company pointed out that only OWA and Outlook.com were targeted using forged authentication tokens.
Microsoft said it became aware of the attacks on June 16 and an investigation showed that the activity began one month earlier.