Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email

Microsoft Security Response Center, 11/07/2023, 07:00

Summary

AI-Generated

Key Points:

  • Microsoft has mitigated a threat from the China-based actor Storm-0558, which targeted customer email accounts using forged authentication tokens.
  • The attack affected approximately 25 organizations, primarily government agencies in Western Europe, focusing on espionage and data theft through compromised Microsoft account signing keys.
  • Microsoft has invalidated the acquired signing key and blocked further access attempts, advising customers to update their systems as part of routine security maintenance.

Technical Details: Storm-0558 exploited a token validation issue to forge authentication tokens using an acquired Microsoft account (MSA) consumer signing key, allowing unauthorized access to Outlook Web Access (OWA) and Outlook.com.

MITRE ATT&CK Techniques:

  • T1078 - Valid Accounts (Defense Evasion)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)

IOCs Mentioned: None mentioned
