
Microsoft hit by Storm season – a tale of two semi-zero days
2023-07-18 20:59

Another way, which is apparently what Microsoft originally investigated, is that the attackers were able to steal enough data from the authentication servers to generate fraudulent but valid-looking authentication tokens for themselves.

Microsoft ultimately determined that the rogue access tokens in the Storm-0558 attack were legitimately signed, which seemed to suggest that someone had indeed pinched a company signing key.

Corporate accounts are supposed to be authenticated in the cloud using Azure Active Directory tokens, but these fake attack tokens were signed with what's known as an MSA key (MSA being short for Microsoft account, the consumer account type).

Loosely speaking, the crooks were minting fake authentication tokens that passed Microsoft's security checks, yet those tokens were signed as if for a user logging into a personal outlook.com account instead of for a corporate user logging into a corporate account.

The good news is that, because the crooks were using corporate-style access tokens signed with a consumer-style cryptographic key, their rogue authentication tokens could reliably be threat-hunted once Microsoft's security team knew what to look for.

Use of the incorrect key to sign this scope of assertions was an obvious indicator of the actor activity as no Microsoft system signs tokens in this way.
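The indicator described above is a key-scope check: a token can carry a perfectly valid signature and still be rejected because the key that produced it is not permitted to sign that class of assertions. The following is an added example (not code from the Naked Security article or from Microsoft) showing how a token validator can enforce that rule and surface violations for threat hunting. It assumes a constructed key registry in which each key id (`kid`) is tagged as either `consumer` or `enterprise`, and it stands in HMAC for the asymmetric signatures used in practice so that it runs with the standard library alone; the key ids, secrets and claim values are all invented.

```python
import base64
import hashlib
import hmac
import json

# Constructed key registry (assumption): every signing key is tagged with the
# scope of assertions it is allowed to sign. In the real incident the keys were
# asymmetric; HMAC is used here only so the example runs without dependencies.
KEY_REGISTRY = {
    "msa-key-01": {"secret": b"consumer-secret-constructed", "scope": "consumer"},
    "aad-key-01": {"secret": b"enterprise-secret-constructed", "scope": "enterprise"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, kid: str) -> str:
    """Build a compact JWS-style token (header.claims.signature) with the given kid.
    Test helper only: it lets us construct sample tokens for the validator below."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(KEY_REGISTRY[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_scope(claims: dict) -> str:
    """Classify the assertions in a token: a tenant id ('tid') marks an
    enterprise (corporate) token, its absence a consumer token (constructed rule)."""
    return "enterprise" if claims.get("tid") else "consumer"


def validate_token(token: str) -> tuple[bool, str]:
    """Return (accepted, reason). A token is accepted only when the signature
    verifies AND the signing key's registered scope matches the claim scope."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False, "malformed token"
    key = KEY_REGISTRY.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key["secret"], f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return False, "bad signature"
    if key["scope"] != token_scope(claims):
        # Cryptographically valid, but the wrong key class signed this class of
        # assertions: the hunting indicator the text describes. Log and reject.
        return False, f"scope mismatch: {key['scope']} key signed {token_scope(claims)} claims"
    return True, "ok"


if __name__ == "__main__":
    corporate_claims = {"sub": "alice@corp.example", "tid": "tenant-constructed"}
    for kid in ("aad-key-01", "msa-key-01"):
        print(kid, validate_token(sign_token(corporate_claims, kid)))
```

Run stand-alone, the script shows the same corporate claims accepted when signed with the enterprise key and rejected with a `scope mismatch` reason when signed with the consumer key. In a real validator the scope lookup would come from the published key metadata rather than a hard-coded dictionary, and the mismatch branch is the place to emit a detection event rather than silently failing.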


News URL

https://nakedsecurity.sophos.com/2023/07/18/microsoft-hit-by-storm-season-a-tale-of-two-semi-zero-days/

Related vendor

VENDOR      LAST 12M #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Microsoft   473                   68    2214     4928   253        7463