Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack
2024-04-04 00:21

The U.S. Department of Homeland Security's Cyber Safety Review Board has released a scathing report on how Microsoft handled its 2023 Exchange Online attack, warning that the company needs to do better at securing data and be more truthful about how threat actors stole an Azure signing key.

Almost 10 months after Microsoft started the investigation, the CSRB states there isn't any definitive evidence on how the threat actor obtained the signing key, regardless of what Microsoft previously claimed.

The CSRB conducted its analysis of the Microsoft Exchange Online hack in 2023 based on details obtained from impacted organizations, cybersecurity companies and experts, law enforcement agencies, and meetings with Microsoft representatives.

The hackers accessed the email accounts using forged authentication tokens signed with a Microsoft Services Account consumer key that the company created in 2016 and that should have been revoked in March 2021.

"Microsoft believes, although it has produced no specific evidence to such effect, that this 2021 intrusion was likely connected to the 2023 Exchange Online compromise because it is the only other known Storm-0558 intrusion of Microsoft's network in recorded memory. During this 2021 incident, Microsoft believes that Storm-0558 gained access to sensitive authentication and identity data" - Cyber Safety Review Board.

The CSRB says that, to this day, Microsoft still has no conclusive evidence as to how the threat actors stole the signing key, and that the investigation is ongoing.
