https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

  • blobjim [he/him]
    ·
    1 year ago

    This was made possible by a validation error in Microsoft code

    lol microsoft

    • blobjim [he/him]
      ·
      1 year ago

      Pretend to be someone they aren't

      An actor that can acquire a private signing key can then create falsified tokens with valid signatures that will be accepted by relying parties. This is called token forgery.

        • blobjim [he/him]
          ·
          1 year ago

          The article just says they signed authentication tokens which gave them access to Outlook emails. I don't think it was code signing that would let them distribute software, and that's not what they were after.

  • Awoo [she/her]
    ·
    edit-2
    1 year ago

    I really struggle to believe that a military performing espionage actions is stupid enough to operate without spreading hours of operation in a harder-to-track way. But maybe they don't give a shit? Just seems like something you could easily hide.

    EDIT: Question - Why would an inactive Microsoft consumer account have the ability to forge tokens for Outlook.com? Would this not limit it to a specific subset of accounts?

    We determined that Storm-0558 was accessing the customer’s Exchange Online data using Outlook Web Access (OWA).

    Ahh yes, this would be one specific customer of Microsoft that was targeted. Hopefully the NSA or some shit lmao

      • Awoo [she/her]
        ·
        edit-2
        1 year ago

        Yeah, you can go full conspiracy brain with this if you want to question whether Microsoft and the state would collaborate for propaganda. I'm not quite so tinfoil hat but there are certainly questions.

        • hector_titucius [he/him]
          hexagon
          ·
          1 year ago

          Calling everything potential inter-intel-agency warfare is my favorite new tinfoil one-upmanship move

          • Awoo [she/her]
            ·
            1 year ago

            The more things deteriorate the more sus everything everywhere looks.

  • dualmindblade [he/him]
    ·
    1 year ago

    I have just skimmed this so maybe it's answered, but seems the entire thing boils down to:

    Storm-0558 acquired an inactive MSA consumer signing key

    How?