https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
This was made possible by a validation error in Microsoft code
lol microsoft
Pretend to be someone they aren't
An actor that can acquire a private signing key can then create falsified tokens with valid signatures that will be accepted by relying parties. This is called token forgery.
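The token-forgery definition quoted above is the relying-party failure in miniature: a signature that verifies is not the same as a token that should be trusted. The example below is added here and is not code from the post or from Microsoft. It is a standard-library Python verifier with a key registry that records which issuer each key is bound to and whether the key is still active, so that a token whose signature checks out under a key from the wrong issuer (or a retired key) is still rejected. The key ids, secrets, issuer URLs, audience and subject are constructed stand-ins, and HMAC-SHA256 replaces the asymmetric keys real token services use; the validation order is the point, not the primitive.

```python
"""Relying-party token validation: signature, then key scope, then claims.

Constructed example. All key ids, secrets and URLs below are placeholders.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed key registry. Each key id is bound to exactly one issuer and has a status;
# a consumer key must never validate a token that claims an enterprise issuer.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret", "issuer": "https://consumer.example", "active": False},
    "enterprise-key-1": {"secret": b"enterprise-secret", "issuer": "https://enterprise.example/contoso", "active": True},
}


def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT-style token with the named key (used here only to build test inputs)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def signature_valid(token: str):
    """Signature-only check: (ok, header, claims). Stopping here is the bug class."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return False, None, None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, None, None
    key = KEYS.get(header.get("kid"))
    if header.get("alg") != "HS256" or key is None:
        return False, header, claims
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected), header, claims


def verify_token(token: str, expected_issuer: str, expected_audience: str, now: int):
    """Full check: returns (accepted, reason). A valid signature is necessary, not sufficient."""
    ok, header, claims = signature_valid(token)
    if not ok:
        return False, "bad signature or unknown key"
    key = KEYS[header["kid"]]
    if claims.get("iss") != expected_issuer:
        return False, "untrusted issuer"
    if key["issuer"] != claims["iss"]:
        return False, "key not bound to token issuer"   # the scope check that token forgery relies on being absent
    if not key["active"]:
        return False, "key retired"
    if claims.get("aud") != expected_audience:
        return False, "wrong audience"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "outside validity window"
    return True, "ok"


ENTERPRISE = "https://enterprise.example/contoso"   # constructed issuer
AUDIENCE = "https://mail.example"                    # constructed relying party


def demo() -> dict:
    """Exercise the verifier with a legitimate token and one minted under the wrong key."""
    now = 1_700_000_000
    claims = {"iss": ENTERPRISE, "aud": AUDIENCE, "sub": "alice@contoso.example",
              "nbf": now - 60, "exp": now + 3600}
    legit = sign_token("enterprise-key-1", claims)
    wrong_key = sign_token("consumer-key-1", claims)   # enterprise claims, consumer-scoped key
    wrong_sig_ok, _, _ = signature_valid(wrong_key)
    wrong_ok, wrong_reason = verify_token(wrong_key, ENTERPRISE, AUDIENCE, now)
    legit_ok, legit_reason = verify_token(legit, ENTERPRISE, AUDIENCE, now)
    stale_ok, stale_reason = verify_token(legit, ENTERPRISE, AUDIENCE, now + 7200)
    return {
        "wrong_key_signature_valid": wrong_sig_ok,   # True: the crypto alone is happy
        "wrong_key_accepted": wrong_ok,              # False: scope check rejects it
        "wrong_key_reason": wrong_reason,
        "legit_accepted": legit_ok,
        "legit_reason": legit_reason,
        "stale_accepted": stale_ok,
        "stale_reason": stale_reason,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The registry is what makes the difference: `signature_valid` is satisfied by any key it knows, while `verify_token` refuses a key that is not bound to the issuer the token claims, a key that has been retired, and a token outside its `nbf`/`exp` window. In a real deployment the issuer binding and key status come from the identity provider's published key metadata, and detection-wise a token whose `kid` belongs to one tenant class but whose claims name another is exactly the anomaly worth alerting on.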
The article just says they signed authentication tokens which gave them access to Outlook emails. I don't think it was code signing that would let them distribute software, and that's not what they were after.
I really struggle to believe that a military performing espionage actions is stupid enough to operate without spreading hours of operation in a harder-to-track way. But maybe they don't give a shit? Just seems like something you could easily hide.
EDIT: Question - Why would an inactive Microsoft consumer account have the ability to forge tokens for Outlook.com? Would this not limit it to a specific subset of accounts?
We determined that Storm-0558 was accessing the customer’s Exchange Online data using Outlook Web Access (OWA).
Ahh yes, this would be one specific customer of Microsoft that was targeted. Hopefully the NSA or some shit lmao
Yeah, you can go full conspiracy brain with this if you want to question whether Microsoft and the state would collaborate for propaganda. I'm not quite so tinfoil hat, but there's certainly questions.
Calling everything potential Inter-intel-agency warfare is my favorite new tinfoil one-upmanship move
I have just skimmed this so maybe it's answered, but it seems the entire thing boils down to:
Storm-0558 acquired an inactive MSA consumer signing key
How?