Storm-0558 – Compromised Engineer → Crash Dump → Stolen MSA Signing Key → Forged Tokens → Government Email Espionage
Chinese nation-state actor Storm-0558 compromised a Microsoft engineer's corporate account, discovered a consumer MSA signing key that had accidentally been included in a crash dump in a debugging environment, and used it to forge authentication tokens. A token validation bug in Exchange Online accepted these consumer tokens as enterprise credentials, enabling access to ~25 organisations' email — including 60,000 US State Department emails — for weeks before discovery.
Storm-0558 targeted an engineer whose device had been compromised prior to joining Microsoft (likely during a company acquisition). After the engineer joined Microsoft, the attackers used this foothold to access Microsoft's corporate network — where they would remain for approximately two years before exploiting the signing key.
Dwell time on Microsoft network: April 2021 – ~June 2023 (2 years)
Log retention gap: Microsoft could not confirm exfiltration due to log retention policy limits
A 2021 system crash in Microsoft's signing infrastructure generated a crash dump that, due to a race condition bug, incorrectly included consumer MSA signing key material that should never leave the isolated signing environment. The dump was copied to a debugging environment accessible to engineering accounts. Storm-0558, using the compromised engineer's account, accessed and exfiltrated the key.
How it leaked: Race condition bug caused crash dump to include signing key material
How accessed: Crash dump in debug environment — accessible via compromised engineer account
Microsoft quote: "Operational errors resulted in key material leaving the secure token signing environment"
Starting May 15, 2023, Storm-0558 used the stolen MSA consumer signing key to forge OpenID v2.0 access tokens impersonating specific users at targeted government organisations. The tokens were correctly signed — any service validating them against Microsoft's published public keys would accept them as legitimate.
Blast radius (per Wiz): Could forge tokens for any Azure AD app supporting personal account auth — not just Exchange
Services potentially at risk: OneDrive, SharePoint, Teams, any app using "Login with Microsoft"
Consumer and enterprise signing keys are separate systems and should only be valid for their respective scopes. However, the Exchange Online team had incorrectly assumed the Azure AD SDK validated token issuers by default — it didn't. This meant Exchange Online accepted the forged consumer-scoped tokens as valid enterprise credentials. An additional OWA GetAccessTokenForResource API bug let attackers generate fresh Exchange tokens from forged tokens.
OWA additional bug: GetAccessTokenForResource API issued fresh tokens from already-issued forged tokens
Result: Consumer MSA token → accepted as enterprise Exchange Online credential
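As an added illustration of the check that was missing, here is a minimal token validator in two forms: one that trusts any published key for any resource (the assumption Exchange Online made) and one that also verifies the issuer allowlist and that the signing key is scoped to the claimed issuer. This is example code, not Microsoft's or Exchange Online's own; the key ids, issuer URLs and the HMAC stand-in for the real RSA-signed keys are all constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in key set: a consumer (MSA) key and an enterprise key, each bound
# to the issuer it is allowed to sign for. HMAC replaces the real RSA keys for brevity.
CONSUMER_ISS = "https://consumer-issuer.example"            # constructed
ENTERPRISE_ISS = "https://enterprise-issuer.example/v2.0"   # constructed
KEYS = {
    "consumer-kid-1": {"secret": b"consumer-signing-key", "issuer": CONSUMER_ISS},
    "enterprise-kid-1": {"secret": b"enterprise-signing-key", "issuer": ENTERPRISE_ISS},
}

def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64url(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid, claims):
    """Mint a compact JWT-style token with the given key (models the attacker holding the consumer key)."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def _verify_signature(token):
    header, body, sig = token.split(".")
    kid = json.loads(unb64url(header))["kid"]
    if kid not in KEYS: raise ValueError("unknown key")
    expected = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)): raise ValueError("bad signature")
    return kid, json.loads(unb64url(body))

def validate_weak(token, expected_aud):
    # Signature + audience only: every key in the merged key set is trusted for every resource,
    # so a token signed with the consumer key passes for an enterprise mailbox.
    kid, claims = _verify_signature(token)
    if claims.get("aud") != expected_aud: raise ValueError("wrong audience")
    return claims

def validate_strict(token, expected_aud, trusted_issuers):
    # Adds the checks the page says were missing: issuer allowlist and key-to-issuer binding.
    kid, claims = _verify_signature(token)
    if claims.get("aud") != expected_aud: raise ValueError("wrong audience")
    if claims.get("iss") not in trusted_issuers: raise ValueError("issuer not trusted for this resource")
    if KEYS[kid]["issuer"] != claims["iss"]: raise ValueError("key not scoped to claimed issuer")
    if claims.get("exp", 0) < time.time(): raise ValueError("expired")
    return claims

def outcome(validator, *args):
    """Return 'accepted' or the rejection reason, so results are easy to compare."""
    try: validator(*args); return "accepted"
    except ValueError as e: return str(e)
```

A token signed with `consumer-kid-1` but claiming the enterprise issuer is accepted by `validate_weak` and rejected by `validate_strict` with "key not scoped to claimed issuer"; the same token claiming the consumer issuer fails the allowlist instead, so both checks are needed.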
Using PowerShell and Python scripts against the OWA REST API with forged tokens, Storm-0558 read and exfiltrated email from ~25 organisations including senior US State Department and Commerce Department officials. Access ran for at least 6 weeks before discovery.
State Dept loss: ~60,000 emails including communications of the US Ambassador to China
Other victims: Commerce Secretary Raimondo + senior officials across ~25 organisations
The State Dept detected the breach via a custom alert rule triggered by the MailItemsAccessed audit event — which was only available to organisations that had purchased Microsoft's E5 license tier. Organisations on lower tiers could not see this event and were unable to detect the breach independently. Following CISA pressure, Microsoft extended MailItemsAccessed to E3 customers in September 2023.
Critical licensing gap: MailItemsAccessed was E5-only at time of breach · Most victims couldn't see it
Dwell time: ~6 weeks of confirmed email access; potentially 2 months total