Microsoft says it still doesn't know how Chinese hackers stole an inactive Microsoft account (MSA) consumer signing key used to breach the Exchange Online and Azure AD accounts of two dozen organizations, including government agencies.
"The method by which the actor acquired the key is a matter of ongoing investigation," Microsoft admitted in a new advisory published today.
The incident was reported by U.S. government officials after the discovery of unauthorized access to several government agencies' Exchange Online email services.
Microsoft started investigating the attacks on June 16th and found that a Chinese cyber-espionage group it tracks as Storm-0558 breached the email accounts of roughly 25 organizations (reportedly including the U.S. State and Commerce Departments).
The threat actors used the stolen Azure AD enterprise signing key to forge new auth tokens by exploiting a GetAccessTokenForResource API flaw, providing them access to the targets' enterprise mail.
Storm-0558 can use PowerShell and Python scripts to generate new access tokens via REST API calls against the OWA Exchange Store service to steal emails and attachments. However, Redmond didn't confirm whether they used this approach in last month's Exchange Online data theft attacks.
"Our telemetry and investigations indicate that post-compromise activity was limited to email access and exfiltration for targeted users," Microsoft added today.
The company blocked the use of the stolen private signing key for all impacted customers on July 3rd and says the attackers' token replay infrastructure was shut down one day later.
MSA signing keys revoked to block Azure AD token forging
On June 27th, Microsoft also revoked all valid MSA signing keys to block all attempts to generate new access tokens and moved the newly generated ones to the key store that it uses for its enterprise systems.
"No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key," Microsoft said.
However, while Redmond has no longer detected any key-related Storm-0558 malicious activity after revoking all active MSA signing keys and mitigating the API flaw enabling, today's advisory says the attackers have now switched to other techniques.
"No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key. Further, we have seen Storm-0558 transition to other techniques, which indicates that the actor is not able to utilize or access any signing keys," Microsoft said.
On Tuesday, Microsoft also disclosed that the RomCom Russian cybercrime group exploited an Office zero-day that is yet to be patched in recent phishing attacks against organizations attending the NATO Summit in Vilnius, Lithuania.
The RomCom operators used malicious documents impersonating the Ukrainian World Congress to push and deploy malware payloads such as the MagicSpell loader and the RomCom backdoor.