A recent validation error in Microsoft’s Azure Active Directory (Azure AD) source code allowed threat actor Storm-0558 to forge tokens and breach 25 organizations. The attacker reportedly acquired an inactive Microsoft account (MSA) consumer signing key, using it to access various enterprise and consumer services. The key, initially intended only for MSA accounts, was trusted for Azure AD tokens due to a validation error. Microsoft has since rectified this.
The nature of the breach is still under investigation, and it’s unclear whether the token validation issue was a zero-day vulnerability or a known issue. This attack led to unauthorized email access and data exfiltration, with targets including US and European government bodies, individuals connected to Taiwan and Uyghur geopolitical interests, media companies, think tanks, and telecommunication providers.
Microsoft described Storm-0558 as displaying high technical tradecraft and operational security, with a strong understanding of various authentication techniques and applications. Microsoft has taken steps to address the breach, including identifying the root cause, disrupting malicious activities, and notifying impacted customers.
The attack highlights the ongoing challenges faced by global tech corporations in protecting their services from sophisticated threat actors. It also draws attention to broader issues of cybersecurity policy, with recent criticism of Microsoft’s decision to gate certain forensic capabilities behind additional licensing barriers.