Review of the Summer 2023 Microsoft Exchange Online Intrusion
Outlook accounts.[153] Microsoft stated that it had notified all impacted customers and launched an investigation,[154][155] and publicly named Commerce as an affected entity; however, the Board learned that Microsoft did not provide Commerce forewarning that the blog post would publicly name Commerce as an affected entity.[156]

Microsoft published a second blog on July 14, 2023, filling some gaps in the first blog post, including indicators and technical details. This second post also provided insights into detecting the attacker infrastructure. Microsoft also provided details on the scale of the intrusion, characteristics of Storm-0558’s infrastructure, and portions of the malware the threat actor had used to conduct the intrusion.[157] Researchers in the security community scrutinized the timing and content of Microsoft’s second blog, and identified gaps and inconsistencies in Microsoft’s public accounts of the intrusion, including tactics, techniques, and procedures (TTPs), IoCs, and indicators of attack (IoA).[158]

In response to Microsoft’s blogs, Wiz, a cloud security company, launched a limited independent review of the incident. Wiz concluded that the compromised 2016 MSA key could sign access tokens for many types of applications, far beyond Microsoft’s initial reporting. For Wiz, this revelation underscored the need for a broader awareness and proactive measures across all affected stakeholders.[159]
CISA also conducted an in-depth review of Microsoft’s public statements. CISA’s findings pointed to the need for greater clarity and transparency from Microsoft about the initial compromise’s blast radius, token scope, and impact. Specifically, CISA noted information gaps in what additional capabilities the stolen key granted the threat actor, Microsoft’s incident response measures, and the potential for threat actors to access internal servers or additional key material.[160]

On September 6, 2023, Microsoft published a third blog, entitled “Results of Major Technical Investigations for Storm-0558 Key Acquisition.” This blog stated that, “Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (‘crash dump’).” The blog went on to say that “a race condition allowed the key to be present in the crash dump” and that the crash dump “was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network.” Finally, Microsoft said that the engineer’s account that Storm-0558 had compromised in 2021 “had access to the debugging environment containing the crash dump which incorrectly contained the key” and while it had no logs showing the actual exfiltration, “this was the most probable mechanism by which the actor acquired the key.”[161]

As Microsoft continued to investigate, it determined that elements of the September 6 blog related to how the actor acquired the impacted customer token signing key were likely inaccurate. Microsoft told the Board that although the blog stated its “technical investigation has concluded,” it continued to investigate the threat actor and subsequently determined that while a crash dump could have included key material and that such a dump could have been moved out of the secure token signing environment, Microsoft had not found any dump containing this key material, as it had mistakenly asserted in the September 6 blog.[162]

During the Board’s interview with Microsoft in November 2023, Microsoft told the Board that it was considering issuing a new or updated blog on its ongoing investigative findings, but that it had not yet made any decisions in that regard. In this meeting, Microsoft confirmed that although its investigation into how the threat actor obtained the key material had been ongoing, it had no change in the number of customers impacted, depth of impact, or time of impact. At that time, Microsoft intended to publish an update to the blog in the near future.[163] In a written response to follow-up questions on this topic from the Board, Microsoft responded, “We believe that describing how the company is
[153] MSRC; Microsoft, “Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email,” July 11, 2023, https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/
[154] Tamari, Shir; Wiz, “Compromised Microsoft Key: More Impactful Than We Thought,” July 21, 2023, https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr
[155] Anonymized.
[156] Commerce Department, Board Meeting.
[157] Microsoft Threat Intelligence; Microsoft, “Analysis of Storm-0558 techniques for unauthorized email access,” July 14, 2023, https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
[158] Anonymized.
[159] Tamari, Shir; Wiz, “Compromised Microsoft Key: More Impactful Than We Thought,” July 21, 2023, https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr
[160] CISA, Board Meeting.
[161] MSRC; Microsoft, “Results of Major Technical Investigations for Storm-0558 Key Acquisition,” September 6, 2023, https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/
[162] Microsoft, Board Meeting.
[163] Microsoft, Board Meeting.