Microsoft is providing new details about the techniques used by a Chinese hacking group to infiltrate the email accounts of an estimated 25 organizations and government agencies, reportedly including the account of U.S. Commerce Secretary Gina Raimondo.

The new analysis, published Friday, includes new information about two flaws in Microsoft’s own systems and code that, unbeknownst to the company at the time, helped to open the door to the hackers.

Microsoft says it has fixed both of the problems, effectively blocked the group’s efforts to maintain ongoing access to the accounts, and taken steps to prevent such situations in the future.

However, the company is facing growing scrutiny from the Biden administration over the incident. Meanwhile, Microsoft rival Google is seizing on the hack to make the case that the U.S. government should further diversify its pool of productivity software vendors.

Microsoft says it’s still investigating how the group, which Microsoft has dubbed Storm-0558, acquired an inactive Microsoft Account (MSA) consumer signing key — the initial step that allowed the hackers to forge authentication tokens to access the email accounts.

But in the meantime, the company provided new details on two Microsoft flaws that it believes were exploited by the group to make malicious use of the MSA consumer signing key once it was acquired.

  • The company says a “validation error” in Microsoft code made it possible for the group to forge Azure Active Directory tokens, normally used to access government and enterprise accounts, despite acquiring a key that was intended for Microsoft consumer accounts.
  • Once the group used a forged token to gain access, it was able to obtain additional access tokens from an Outlook Web Access application programming interface (API) by presenting a token previously issued from the API “due to a design flaw,” the company says.
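The first of the two flaws is easiest to see in code. The following is an added illustration, not Microsoft's code and not a description of its actual token format: a toy JWT-style verifier with two hypothetical key sets (a "consumer" set and an "enterprise" set, each mapped to a constructed issuer URL), signed with HMAC-SHA256 from the standard library in place of the RSA keys a real identity provider would use. The lenient verifier trusts any key in the combined key set for any issuer, so a token signed with a consumer key but claiming the enterprise issuer passes; the strict verifier additionally checks that the key that signed the token is scoped to the issuer the token claims. All key material, key IDs, issuer strings and subjects are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed, hypothetical key material. A real identity provider uses RSA
# keys and publishes only the public halves; HMAC stands in here so the
# example runs with the standard library alone.
CONSUMER_KEYS = {"msa-key-1": b"consumer-secret-constructed"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-secret-constructed"}

# Hypothetical issuer identifiers for the two account types.
CONSUMER_ISSUER = "https://login.consumer.example/"
ENTERPRISE_ISSUER = "https://login.enterprise.example/"

# Which issuer each signing key is entitled to vouch for.
KEY_SCOPE = {
    **{kid: CONSUMER_ISSUER for kid in CONSUMER_KEYS},
    **{kid: ENTERPRISE_ISSUER for kid in ENTERPRISE_KEYS},
}
# The combined key set a verifier might load if it does not track key scope.
ALL_KEYS = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a JWT-shaped token: header.payload.signature (HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _check_signature(token: str):
    """Return (kid, claims) if the signature verifies under a known key."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    kid = json.loads(_unb64url(header_b64)).get("kid")
    key = ALL_KEYS.get(kid)
    if key is None:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        return None
    return kid, json.loads(_unb64url(payload_b64))


def verify_lenient(token: str, expected_issuer: str):
    """Flawed pattern: every key in the combined key set is trusted for every
    issuer, so a valid signature plus a matching 'iss' claim is enough."""
    result = _check_signature(token)
    if result is None:
        return None
    _kid, claims = result
    if claims.get("iss") != expected_issuer:
        return None
    return claims


def verify_strict(token: str, expected_issuer: str):
    """Hardened pattern: the signing key must be scoped to the issuer the
    token claims, and that issuer must be the one the relying party expects."""
    result = _check_signature(token)
    if result is None:
        return None
    kid, claims = result
    if claims.get("iss") != expected_issuer:
        return None
    if KEY_SCOPE.get(kid) != claims["iss"]:
        return None  # a consumer-scoped key may not vouch for the enterprise issuer
    return claims
```

The defensive point is the `KEY_SCOPE` lookup: a verifier that loads several key sets into one pool must also record which issuer each key belongs to, and reject a token whose `iss` claim is not one the signing key is authorised for. Checking only the signature and the claimed issuer, as `verify_lenient` does, lets a key from one trust domain mint tokens for another.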

Microsoft says it has fixed these problems and blocked the group from further leveraging the acquired consumer signing keys. The company says it has also “substantially hardened” its MSA key issuance systems, including moving those systems to a higher-security key store used for enterprise accounts.

In addition to shedding light on these security vulnerabilities, the incident is raising questions about the company’s practice of reserving some advanced security monitoring features for the highest-priced Microsoft 365 tiers.

An agency in the Federal Civilian Executive Branch discovered the hack after detecting unusual activity in a type of audit log available only in the top Microsoft 365 tier. A senior official with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) told reporters this week that all organizations should have access to these features.

Microsoft signaled a willingness to change its approach.

“We’ve historically provided security logs to customers with options to maintain logs through Microsoft’s storage services or with other security and storage vendors based on their preferences,” a Microsoft spokesperson said in an emailed statement this week. “We are evaluating feedback and are open to other models. We are actively engaged with CISA and other agencies on this.”
