A “cascade” of errors let Chinese hackers into US government inboxes

Microsoft still doesn’t known how Storm-0558 attackers managed to steal the Microsoft Services Account cryptographic key they used to forge authentication tokens needed to access email accounts belonging to US government officials. “The stolen 2016 MSA key in combination with [a] flaw in the token validation system permitted the threat actor to gain full access to essentially any Exchange Online account,” CISA’s Cyber Safety Review Board (CSRB) noted in a recently released Review of the Summer 2023 Microsoft Exchange Online Intrusion.

Source: Help Net Security