Microsoft leak led to the theft of 60,000 government emails
Storm-0558, a hacking group affiliated with the Chinese government, stole 60,000 emails from the US government in May 2023. It did so by way of Microsoft's Exchange Online platform.
In the attack, the Chinese state-backed hackers targeted Microsoft's Outlook service and gained access to the email accounts of US diplomats working on East Asia, the Pacific and Europe, Reuters writes.
In addition to the 60,000 unclassified emails, the Storm-0558 hackers also obtained a list of all US State Department email accounts.
The State Department has now confirmed the attack and the email theft.
Attack method
The attackers obtained the emails through an attack on Microsoft's Outlook service. In July this year the tech giant disclosed that, starting in May, then-unidentified hackers had compromised Outlook accounts of about 25 organizations, including US government departments, as well as a number of consumer accounts of individuals linked to those organizations.
The Storm-0558 hackers first obtained a Microsoft account (MSA) consumer signing key. According to Microsoft, the key had been captured in a crash dump of a consumer signing system, and that dump had been moved into Microsoft's corporate debugging environment; the attackers reached it after compromising a Microsoft engineer's corporate account. Possession of the key is what ultimately gave them access to US government email accounts.
The stolen MSA key was used to forge access tokens for Exchange Online and Azure AD accounts by exploiting a previously unknown token validation flaw in the GetAccessTokenForResource API: the service accepted tokens signed with the consumer key as though they were valid enterprise (Azure AD) tokens. This let the hackers mint correctly signed access tokens for accounts of their choosing and impersonate those users inside the target organizations.
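The following is an added illustration of the validation flaw described above, not Microsoft's code and a deliberate simplification: real MSA and Azure AD signing keys are RSA keys published via JWKS endpoints, whereas here HMAC secrets stand in for them, and the key ids, issuer URLs and account names are all constructed stand-ins. The point it demonstrates is that checking the signature and the `iss` claim is not enough; the verifier must also check that the key which produced the signature is one that the claimed issuer is allowed to use. The weak validator trusts any key in the merged key set, so a token signed with the consumer key but carrying enterprise claims is accepted; the strict validator binds each key to its issuer and rejects it.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for the two token issuers (consumer MSA vs. enterprise Azure AD).
CONSUMER_ISS = "https://login.live.com"
ENTERPRISE_ISS = "https://login.microsoftonline.com"

# Constructed key set. Each key carries the issuer it is authorised to sign for;
# that metadata is what the weak validator ignores. HMAC secrets replace RSA keys
# purely to keep the example self-contained.
KEYS = {
    "consumer-kid-1": {"secret": b"consumer-signing-secret", "issuer": CONSUMER_ISS},
    "enterprise-kid-1": {"secret": b"enterprise-signing-secret", "issuer": ENTERPRISE_ISS},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWS-style token (header.payload.signature) with the given key id."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    mac = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"


def _verify_signature(token: str):
    """Look the key up by kid and check the MAC. Returns (header, claims) or raises."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return header, json.loads(b64url_decode(payload_b64))


def validate_weak(token: str, expected_issuer: str) -> dict:
    """Flawed: any key in the merged key set is trusted for any issuer."""
    _header, claims = _verify_signature(token)
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    return claims


def validate_strict(token: str, expected_issuer: str) -> dict:
    """Hardened: the signing key must itself be authorised for the expected issuer."""
    header, claims = _verify_signature(token)
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    if KEYS[header["kid"]]["issuer"] != expected_issuer:
        raise ValueError("key not authorised for this issuer")
    return claims


def forged_enterprise_token() -> str:
    """Attacker holds only the consumer key but writes enterprise claims into the token."""
    return sign_token("consumer-kid-1",
                      {"iss": ENTERPRISE_ISS, "aud": "exchange-online", "upn": "diplomat@agency.example"})


def legit_enterprise_token() -> str:
    return sign_token("enterprise-kid-1",
                      {"iss": ENTERPRISE_ISS, "aud": "exchange-online", "upn": "diplomat@agency.example"})


def is_accepted(validator, token: str, issuer: str) -> bool:
    """True if the validator accepts the token for the given issuer."""
    try:
        validator(token, issuer)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("weak validator accepts forged token:  ", is_accepted(validate_weak, forged, ENTERPRISE_ISS))
    print("strict validator accepts forged token:", is_accepted(validate_strict, forged, ENTERPRISE_ISS))
```

The strict check is the same one a relying party should apply to any multi-issuer key set: resolve the key from the issuer's own key publication, or record per key which issuer it belongs to, and fail closed when a token's claims and its signing key disagree.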
Microsoft response
In response, Microsoft revoked the stolen signing key. Since the revocation, the tech giant says it has found no evidence of further unauthorized access to customer accounts through forged access tokens.
Furthermore, Microsoft now makes more cloud logging data available to customers free of charge, so that security teams can better identify potential breaches involving the use of (forged) access tokens. The record that mattered in this case, the MailItemsAccessed audit event, previously required the premium Purview Audit licence; it is now included in the standard tier, and the default retention period has been raised from 90 to 180 days.