
How Chinese hackers got their hands on Microsoft’s token signing key
2023-09-07 13:50

The mystery of how Chinese hackers managed to steal a crucial signing key, one that let them breach Microsoft 365's email service and access the accounts of employees at 25 government agencies, has been explained: they found it somewhere it should not have been, Microsoft's corporate environment.

An unexpected race condition caused the signing key to be written into a crash dump (a snapshot of a crashed process) of a consumer signing system, and Microsoft's credential scanning methods did not detect its presence in that dump.

How could a consumer key grant access to enterprise mail?

The company had previously said that MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems, but that the attackers exploited a token validation issue.

"To meet growing customer demand to support applications which work with both consumer and enterprise applications, Microsoft introduced a common key metadata publishing endpoint in September 2018. As part of this converged offering, Microsoft updated documentation to clarify the requirements for key scope validation - which key to use for enterprise accounts, and which to use for consumer accounts," the company now explained.
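The key scope validation described above is the crux of the issue: once consumer and enterprise keys are published from one metadata endpoint, a validator that trusts any key it finds there will accept a token signed with the wrong class of key. The following added example (not Microsoft's code) models this with a constructed merged key set and HMAC secrets standing in for the real RSA keys; the issuer URLs, key IDs and scope labels are assumptions for illustration.

```python
import base64, hmac, hashlib, json

# Constructed stand-in for the converged key-metadata endpoint: one key set that
# publishes consumer (MSA) and enterprise (Azure AD) keys side by side.
# Symmetric HMAC secrets replace the real RSA keys purely to keep this runnable.
MERGED_JWKS = {
    "consumer-key-1": {"secret": b"consumer-secret", "scope": "consumer"},
    "enterprise-key-1": {"secret": b"enterprise-secret", "scope": "enterprise"},
}
# Which key scope is allowed to vouch for each issuer (assumed issuer URLs).
SCOPE_FOR_ISSUER = {
    "https://login.live.com": "consumer",
    "https://login.microsoftonline.com/contoso": "enterprise",
}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(kid: str, claims: dict) -> str:
    """Mint a JWT-shaped token (header.payload.signature) with the named key."""
    header = b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64(json.dumps(claims).encode())
    sig = hmac.new(MERGED_JWKS[kid]["secret"], f"{header}.{body}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{body}.{b64(sig)}"

def _check_signature(token: str) -> tuple:
    """Look the kid up in the merged key set and verify the signature."""
    h, b, s = token.split(".")
    key = MERGED_JWKS[json.loads(unb64(h))["kid"]]
    expected = hmac.new(key["secret"], f"{h}.{b}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, unb64(s)), key, json.loads(unb64(b))

def validate_naive(token: str, expected_iss: str) -> bool:
    """Flawed: any key in the merged set is trusted, whatever scope it belongs to."""
    ok, _key, claims = _check_signature(token)
    return ok and claims.get("iss") == expected_iss

def validate_scoped(token: str, expected_iss: str) -> bool:
    """Hardened: the signing key must belong to the scope bound to the issuer."""
    ok, key, claims = _check_signature(token)
    if not ok or claims.get("iss") != expected_iss:
        return False
    return key["scope"] == SCOPE_FOR_ISSUER[expected_iss]
```

The naive validator accepts a token for the enterprise issuer even when it was signed with the consumer key, which is exactly the gap that key scope validation closes.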


News URL

https://www.helpnetsecurity.com/2023/09/07/stolen-microsoft-signing-key/