Microsoft hit by Storm season – a tale of two semi-zero days (Security News, July 2023)

Another way, which is apparently what Microsoft originally investigated, is that the attackers were able to steal enough data from the authentication servers to generate fraudulent but valid-looking authentication tokens for themselves.
Microsoft ultimately determined that the rogue access tokens in the Storm-0558 attack were legitimately signed, which suggested that someone had indeed pinched a company signing key.
Corporate accounts are supposed to be authenticated in the cloud using Azure Active Directory tokens, but these fake tokens were signed with what's known as an MSA key, the kind of key used for Microsoft account (MSA) consumer sign-ins.
Loosely speaking, the crooks were minting fake authentication tokens that passed Microsoft's security checks, yet those tokens were signed as if for a user logging into a personal outlook.com account rather than for a corporate user logging into a corporate account.
The good news is that, because the crooks were using corporate-style access tokens signed with a consumer-style cryptographic key, their rogue authentication tokens could reliably be threat-hunted once Microsoft's security team knew what to look for.
Use of the incorrect key to sign this scope of assertions was an obvious indicator of the actor activity as no Microsoft system signs tokens in this way.
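The detection logic described above, as an added illustration that is not code from the original article or from Microsoft: a token validator that only asks "is the key ID trusted, and does the signature verify?" accepts a token signed with a consumer key regardless of what the token claims, which is why the forged tokens passed. The hunting rule adds a second question: does the scope the key is meant for (consumer versus enterprise) match the scope the token's issuer implies? The key IDs, issuers, tenant ID, account names and secrets below are all made up, and HMAC stands in for the real asymmetric signing keys purely so the example runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed key registry (hypothetical key IDs and secrets). Each key is
# recorded with the population of accounts it is supposed to sign tokens for.
KEY_REGISTRY = {
    "demo-msa-key-1": {"secret": b"consumer-key-secret", "scope": "consumer"},
    "demo-aad-key-1": {"secret": b"enterprise-key-secret", "scope": "enterprise"},
}

# Constructed issuer prefixes mapped to the key scope that should sign them.
ISSUER_SCOPE = {
    "https://login.live.example/": "consumer",     # personal-account style issuer
    "https://sts.windows.example/": "enterprise",  # tenant (work account) style issuer
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(header: dict, claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.claims.signature) signed with HMAC-SHA256."""
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _signature_ok(h: str, c: str, s: str, secret: bytes) -> bool:
    expected = hmac.new(secret, (h + "." + c).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(s))


def naive_validate(token: str) -> bool:
    """The weak check: accept any token whose kid is trusted and whose signature verifies."""
    h, c, s = token.split(".")
    key = KEY_REGISTRY.get(json.loads(_b64url_decode(h)).get("kid"))
    return key is not None and _signature_ok(h, c, s, key["secret"])


def analyse_token(token: str) -> dict:
    """Hunting check: a valid signature is not enough; the key's scope must match the issuer's."""
    h, c, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(c))
    verdict = {"kid": header.get("kid"), "issuer": claims.get("iss"), "signature_valid": False,
               "key_scope": None, "issuer_scope": None, "suspicious": False, "reason": ""}
    key = KEY_REGISTRY.get(verdict["kid"])
    if key is None:
        verdict.update(suspicious=True, reason="unknown kid")
        return verdict
    verdict["signature_valid"] = _signature_ok(h, c, s, key["secret"])
    verdict["key_scope"] = key["scope"]
    for prefix, scope in ISSUER_SCOPE.items():
        if str(claims.get("iss", "")).startswith(prefix):
            verdict["issuer_scope"] = scope
    if not verdict["signature_valid"]:
        verdict.update(suspicious=True, reason="bad signature")
    elif verdict["issuer_scope"] is None:
        verdict.update(suspicious=True, reason="unknown issuer")
    elif verdict["issuer_scope"] != verdict["key_scope"]:
        # No legitimate signing service pairs a consumer key with an enterprise issuer.
        verdict.update(suspicious=True,
                       reason=f"{key['scope']} key used to sign {verdict['issuer_scope']} token")
    return verdict


# Constructed sample tokens (tenant ID, audience and account names are made up).
_ENTERPRISE_CLAIMS = {"iss": "https://sts.windows.example/11111111-aaaa-4bbb-8ccc-222222222222/",
                      "aud": "https://outlook.example", "upn": "alice@contoso.example"}
_CONSUMER_CLAIMS = {"iss": "https://login.live.example/",
                    "aud": "https://outlook.example", "email": "bob@outlook.example"}
LEGIT_ENTERPRISE = mint_token({"alg": "HS256", "kid": "demo-aad-key-1"}, _ENTERPRISE_CLAIMS,
                              KEY_REGISTRY["demo-aad-key-1"]["secret"])
LEGIT_CONSUMER = mint_token({"alg": "HS256", "kid": "demo-msa-key-1"}, _CONSUMER_CLAIMS,
                            KEY_REGISTRY["demo-msa-key-1"]["secret"])
# The Storm-0558 pattern: enterprise-style claims, but signed with the consumer key.
FORGED = mint_token({"alg": "HS256", "kid": "demo-msa-key-1"}, _ENTERPRISE_CLAIMS,
                    KEY_REGISTRY["demo-msa-key-1"]["secret"])

if __name__ == "__main__":
    for name, tok in [("enterprise", LEGIT_ENTERPRISE), ("consumer", LEGIT_CONSUMER), ("forged", FORGED)]:
        print(name, "naive:", naive_validate(tok), "hunt:", analyse_token(tok))
```

Running the block shows the forged token passing naive_validate (its signature really is valid under the consumer key) while analyse_token flags it with the reason "consumer key used to sign enterprise token"; that mismatch between the key ID in the token header and the issuer in the claims is the indicator the article describes, and it can be hunted retrospectively over token logs that record both fields.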