Microsoft revealed in early July that a China-based hacking group, dubbed Storm-0558, had been attempting to access email systems to gather intelligence. It said the espionage group had breached an undisclosed number of email accounts belonging to approximately 25 organisations, including government agencies in Western Europe and the US.
Microsoft began investigating the anomalous email activity on 16 June, based on information reported by customers. The investigation found that Storm-0558 had been accessing email accounts hosted in Microsoft's public cloud since 15 May 2023.
Microsoft determined that the actor gained access to Outlook Web Access (OWA) in Exchange Online and to Outlook.com by forging authentication tokens with a Microsoft account (MSA) consumer signing key it had acquired. Consumer (MSA) and enterprise (Azure AD) signing keys are issued and managed separately and are unique to their respective systems, so a consumer key should never validate a token presented to the enterprise side. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail.
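The article does not describe the validation flaw itself. The following is an added illustration, not Microsoft's code, of one way a stolen signing key from one system can be turned into tokens the other system accepts: a validator that looks up keys by `kid` in a single pooled cache, with no binding between a key set and the issuer it may sign for. Everything here is constructed for the example: the issuer URLs, key identifiers, key material and the HMAC-based (HS256) signing that stands in for the RSA keys a real identity platform would use. The pooled validator is the assumed flaw; the scoped validator shows the check a practitioner would want.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key material. Each system has its own signing keys; a real
# deployment would publish asymmetric (RS256) keys per issuer, but HMAC keeps
# this illustration self-contained.
CONSUMER_KEYS = {"consumer-key-1": b"constructed-consumer-signing-secret"}
ENTERPRISE_KEYS = {"enterprise-key-1": b"constructed-enterprise-signing-secret"}

# Hypothetical issuers standing in for the consumer and enterprise identity systems.
CONSUMER_ISSUER = "https://consumer.example/"
ENTERPRISE_ISSUER = "https://enterprise.example/tenant-1"
MAIL_AUDIENCE = "enterprise-mail"

# Issuer -> the only key set allowed to sign tokens for that issuer.
KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: CONSUMER_KEYS,
    ENTERPRISE_ISSUER: ENTERPRISE_KEYS,
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWT-style token: base64url(header).base64url(claims).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    """Return (header, claims, signature bytes, signing input) for a compact token."""
    h, p, s = token.split(".")
    return json.loads(_unb64url(h)), json.loads(_unb64url(p)), _unb64url(s), h + "." + p


def _verify(signing_input: str, sig: bytes, key: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_pooled(token: str, audience: str):
    """Assumed flaw: one pooled key cache, looked up by kid alone.

    Any key from any system validates a token for any issuer, so a token signed
    with the consumer key but carrying enterprise claims is accepted.
    """
    header, claims, sig, signing_input = _split(token)
    pooled = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    key = pooled.get(header.get("kid"))
    if key is None or not _verify(signing_input, sig, key):
        return None
    if claims.get("aud") != audience:
        return None
    return claims


def validate_scoped(token: str, expected_issuer: str, audience: str):
    """Hardened validator: the key must belong to the expected issuer's key set.

    The relying party fixes the issuer it serves, looks the kid up only in that
    issuer's keys, pins the algorithm, and checks iss/aud after the signature.
    """
    header, claims, sig, signing_input = _split(token)
    if header.get("alg") != "HS256":
        return None
    key = KEYS_BY_ISSUER.get(expected_issuer, {}).get(header.get("kid"))
    if key is None or not _verify(signing_input, sig, key):
        return None
    if claims.get("iss") != expected_issuer or claims.get("aud") != audience:
        return None
    return claims


def forge_enterprise_token() -> str:
    """An attacker holding only the consumer key mints a token for an enterprise user."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "sub": "victim@enterprise.example"}
    return sign_token(claims, "consumer-key-1", CONSUMER_KEYS["consumer-key-1"])


if __name__ == "__main__":
    forged = forge_enterprise_token()
    print("pooled validator accepts forged token:", validate_pooled(forged, MAIL_AUDIENCE) is not None)
    print("scoped validator accepts forged token:", validate_scoped(forged, ENTERPRISE_ISSUER, MAIL_AUDIENCE) is not None)
```

The point of the scoped version is that the `kid` header is attacker-controlled and only selects among keys the relying party has already decided to trust for that issuer; it never widens the set. The `iss` claim is compared against a value the service chose, not read from the token and then used to pick keys.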
Microsoft said it had mitigated the attack for all affected customers. The breach involved only unclassified systems, and according to the Washington Post it did not appear to affect email accounts associated with the Department of Defense, the military or the intelligence agencies.