Decipher File · May 2023 to July 2023 (disclosure)
Storm-0558: How a Stolen Microsoft Signing Key Reached Federal Email
The Storm-0558 incident is the 2023 Microsoft cloud breach in which a stolen consumer signing key was used to read US government email. Beginning on or about May 15, 2023, the China-based threat actor Microsoft tracks as Storm-0558 used an acquired Microsoft account (MSA) signing key to forge authentication tokens and accessed mail through Outlook Web Access and Outlook.com at approximately 25 organizations, including the US Department of State and the Department of Commerce.
Incident summary
Microsoft's identity services (Entra ID for enterprise accounts, the Microsoft account service for consumer accounts) issue authentication tokens signed by Microsoft-controlled keys, which Outlook Web Access, Exchange Online, and other mailbox APIs accept as proof of identity. On July 11, 2023, Microsoft disclosed that a China-based threat actor it tracks as Storm-0558 had acquired a Microsoft account (MSA) consumer signing key and was using it to forge tokens against enterprise customer mailboxes.
Microsoft confirmed the campaign affected approximately 25 organizations and a small number of related consumer accounts. The State Department detected the intrusion through mailbox-access audit logging (the MailItemsAccessed event) that it had paid extra for as part of a premium Microsoft 365 logging tier, and reported the anomalous activity to Microsoft on June 16, 2023. Microsoft's own telemetry had not flagged the activity, so without that customer-side detection the campaign would likely have run undetected for longer.
Confirmed victim organizations included the US Department of State, the Department of Commerce (including Commerce Secretary Gina Raimondo's mailbox), and at least one congressional office. Mailboxes belonging to State and Commerce officials engaged in preparations for Secretary of State Antony Blinken's June 2023 visit to China were among the accessed accounts.
Attack technique
MITRE ATT&CK has no single technique that exactly describes forged Microsoft cloud tokens; the closest mapping combines T1606.002 (Forge Web Credentials: SAML Tokens, the nearest sub-technique even though these were not SAML tokens), T1550.001 (Use Alternate Authentication Material: Application Access Token), and T1078.004 (Valid Accounts: Cloud Accounts). Storm-0558 used the acquired MSA key to mint access tokens that the Outlook Web Access token validation logic incorrectly accepted for enterprise mailbox access, even though that key was only ever meant to sign consumer (Outlook.com) tokens.
Per Microsoft's September 6, 2023 update, the consumer key left the isolated signing environment in April 2021, when a crash of the consumer signing system produced a crash dump that, because of a race condition in the redaction logic, still contained the key; the dump was then moved into a debugging environment on the internet-connected corporate network. Separately, the mail system's token validation, after being switched to a shared key-metadata endpoint in 2022, did not verify that the issuer and scope of the signing key matched the enterprise resource, so a token signed with the consumer key was accepted for enterprise mail. Microsoft's stated most probable acquisition path was that Storm-0558 compromised a Microsoft engineer's corporate account with access to that debugging environment; Microsoft said it had no logs proving this, and in March 2024 it updated the post to say it had not located a crash dump containing the key, so the path remains a hypothesis.
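To make the validation flaw concrete, here is an added example in Python (not Microsoft's code, and a toy model rather than the Exchange Online implementation): two issuers, a consumer one and an enterprise one, each with its own signing key; a shared key-metadata endpoint that merges both key sets; a vulnerable validator that resolves the key ID against the merged set without asking which issuer the key belongs to; and a hardened validator that binds the key lookup to a trusted issuer and checks the audience. The issuer URLs, key IDs, secrets, and the HMAC toy signature scheme are assumptions for illustration; production systems use asymmetric keys and a standard JWT library.

```python
"""
Toy model of the validation flaw class behind Storm-0558: an enterprise
resource verifying tokens against a merged signing-key set without binding
each key to the issuer it belongs to. Added example, not Microsoft's code.
Issuer URLs, key IDs, secrets and the HMAC toy signature are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed key material: each issuer publishes its own keys (kid -> secret).
CONSUMER_ISSUER = "https://login.consumer.example"      # assumption (stands in for MSA)
ENTERPRISE_ISSUER = "https://login.enterprise.example"  # assumption (stands in for Entra ID)
KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: {"msa-2016": b"consumer-signing-key-material"},
    ENTERPRISE_ISSUER: {"ent-2023": b"enterprise-signing-key-material"},
}
# A shared key-metadata endpoint that hands relying parties both sets at once.
MERGED_KEYS = {kid: k for ks in KEYS_BY_ISSUER.values() for kid, k in ks.items()}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_with(secret, kid, claims):
    """Mint a compact JWT with whatever claims the holder of `secret` wants.
    This is what a stolen key buys an attacker: `iss` and `aud` are just text."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _split(token):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), f"{h}.{p}"


def _sig_ok(secret, signing_input, sig):
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_vulnerable(token, expected_aud, now=None):
    """Looks the kid up in the merged set and trusts any key that verifies.
    It never asks which issuer the key belongs to, so a consumer key passes."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _split(token)
    key = MERGED_KEYS.get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return False
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > now


def validate_hardened(token, expected_aud, trusted_issuers, now=None):
    """Requires `iss` to be an issuer this resource trusts, then resolves the
    kid only within that issuer's own key set, so a key from another issuer
    can never verify a token that claims to come from this one."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _split(token)
    iss = claims.get("iss")
    if iss not in trusted_issuers:
        return False
    key = KEYS_BY_ISSUER.get(iss, {}).get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return False
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > now


def demo(now=1_686_000_000.0):
    """Attacker holds the consumer key; enterprise mail trusts only the enterprise issuer."""
    stolen = KEYS_BY_ISSUER[CONSUMER_ISSUER]["msa-2016"]
    base = {"aud": "exchange-online", "sub": "official@agency.example", "exp": now + 600}
    # Forgery 1: signed with the consumer key, but claims the enterprise issuer.
    forged_spoof_iss = sign_with(stolen, "msa-2016", dict(base, iss=ENTERPRISE_ISSUER))
    # Forgery 2: signed with the consumer key, honest consumer issuer, enterprise audience.
    forged_real_iss = sign_with(stolen, "msa-2016", dict(base, iss=CONSUMER_ISSUER))
    legit = sign_with(KEYS_BY_ISSUER[ENTERPRISE_ISSUER]["ent-2023"], "ent-2023",
                      dict(base, iss=ENTERPRISE_ISSUER))
    trusted = {ENTERPRISE_ISSUER}
    return {
        "vulnerable_accepts_spoofed_iss": validate_vulnerable(forged_spoof_iss, "exchange-online", now),
        "vulnerable_accepts_consumer_iss": validate_vulnerable(forged_real_iss, "exchange-online", now),
        "hardened_rejects_spoofed_iss": not validate_hardened(forged_spoof_iss, "exchange-online", trusted, now),
        "hardened_rejects_consumer_iss": not validate_hardened(forged_real_iss, "exchange-online", trusted, now),
        "hardened_accepts_legit": validate_hardened(legit, "exchange-online", trusted, now),
    }


if __name__ == "__main__":
    print(demo())
```

Every entry in the dictionary `demo()` returns is `True`: the vulnerable validator accepts both forgeries, the hardened one rejects both and still accepts the genuine enterprise token. The point of the hardened version is that key lookup is scoped by issuer before the signature is checked; merging key sets from several issuers into one JWKS and then trusting any key that verifies is the design that the flaw exploited.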
The CSRB report published April 2, 2024 found that Microsoft still did not know how the actor obtained the key, and that the crash-dump account it had published was a hypothesis rather than an established root cause. The board concluded that the intrusion was preventable, that Microsoft's security culture was inadequate and required an overhaul, and that several Microsoft public statements during the incident were inaccurate or were corrected only months later. The report cited the absence of automated key rotation as a contributing factor: the consumer signing key had been issued in 2016 and was still active in 2023 because Microsoft had stopped manual rotation of MSA keys in 2021 without putting automated rotation in its place.
Impact and consequences
Per Microsoft's disclosure, the actor accessed mailbox content at approximately 25 organizations. The State Department later confirmed, in a September 2023 briefing to Senate staff, that approximately 60,000 emails were taken from 10 State Department accounts, nine of them belonging to staff working on East Asia and the Pacific.
The CSRB report on April 2, 2024 issued 25 recommendations to Microsoft and the broader cloud industry, including automated key rotation, security-relevant audit logs available to all customers without paid upgrades, and a public standard for root cause analyses of cloud security incidents. Separately, in July 2023 Microsoft announced with CISA that it would expand Purview Audit (Standard), which is included in base Microsoft 365 licenses, to include MailItemsAccessed and other logs previously limited to the Premium tier, and extend default retention from 90 to 180 days; the rollout began in the fall of 2023.
Microsoft announced its Secure Future Initiative in November 2023, after Storm-0558, and expanded it significantly in May 2024 following the CSRB report and the Midnight Blizzard intrusion disclosed in January 2024. The SFI commitments include moving signing keys into hardware security modules, enforcing automated key rotation, and, in the May 2024 expansion, making security the priority over feature work and tying part of senior leadership compensation to security outcomes.
Indicators of Compromise
Artifacts defenders should hunt for. Customers cannot inspect token signatures or key IDs on Microsoft's side; what they can see is the mailbox access those tokens produced. Cross-reference these against your existing detection rules before acting on them.
- MailItemsAccessed events in the Unified Audit Log whose AppId (or ClientAppId) is not one of the applications your tenant expects to read mail; this is the signal the State Department's detection keyed on.
- Mailbox access for an account with no corresponding interactive sign-in in the Entra ID sign-in logs. A forged token never passes through the identity provider, so mail access with no sign-in behind it is the characteristic gap.
- Use of the OWA GetAccessTokenForResource API to obtain further access tokens by presenting a previously issued one; Microsoft's analysis reports the actor used a since-fixed flaw in this API to chain tokens.
- Access originating from dedicated VPS and SoftEther VPN proxy infrastructure, which Microsoft's analysis attributes to the actor, rather than from user workstations or known corporate egress.
- Bulk or off-hours mail-item access fanning out across multiple mailboxes from the same source IP, where MailItemsAccessed was available (Purview Audit Premium at the time of the incident).
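As an added example (not Microsoft's or the State Department's detection logic), the following Python hunts over constructed Unified Audit Log records for the mailbox-access indicators above: a MailItemsAccessed event from an AppId outside the tenant's baseline, mailbox access with no interactive sign-in for that user in the preceding day, and one source IP fanning out across several mailboxes. The sample records, the allowlist of expected AppIds, and the user and IP values are constructed; the field names follow the UAL AuditData schema only loosely and must be adapted to your export.

```python
"""
Hunt for the Storm-0558 access pattern in exported Microsoft 365 Unified Audit
Log (UAL) records. Added example; not Microsoft's or the State Department's
detection. Records are constructed, field names follow the AuditData schema
loosely, and the expected-AppId allowlist is an assumption each tenant must
derive from its own baseline.
"""
import json
from datetime import datetime, timedelta

# Constructed export, one JSON record per line. The first two records are a
# normal user: interactive sign-in, then mail read by the expected client app.
# The last two are the suspicious pattern: no sign-in, an AppId nobody
# recognises, and one source IP reading two different mailboxes at 02:00.
SAMPLE_LOG = """\
{"CreationTime":"2023-06-10T08:01:12","Operation":"UserLoggedIn","UserId":"analyst@agency.example","ClientIP":"203.0.113.5"}
{"CreationTime":"2023-06-10T08:03:40","Operation":"MailItemsAccessed","UserId":"analyst@agency.example","AppId":"11111111-1111-4111-8111-111111111111","ClientIPAddress":"203.0.113.5","OperationCount":12}
{"CreationTime":"2023-06-12T02:14:09","Operation":"MailItemsAccessed","UserId":"dcm@agency.example","AppId":"a1b2c3d4-0000-4000-8000-000000000000","ClientIPAddress":"198.51.100.77","OperationCount":340}
{"CreationTime":"2023-06-12T02:20:33","Operation":"MailItemsAccessed","UserId":"ambassador@agency.example","AppId":"a1b2c3d4-0000-4000-8000-000000000000","ClientIPAddress":"198.51.100.77","OperationCount":512}
"""

# Assumption: the AppIds your tenant has observed legitimately reading mail
# (Outlook, OWA, mobile clients, approved integrations). Build it from a
# baseline period; the value below is a placeholder, not a real Microsoft AppId.
EXPECTED_APPIDS = {"11111111-1111-4111-8111-111111111111"}
SIGNIN_WINDOW = timedelta(hours=24)


def parse_records(text):
    """Parse JSON-lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(records, expected_appids=EXPECTED_APPIDS, window=SIGNIN_WINDOW):
    """Flag MailItemsAccessed events that (a) come from an AppId outside the
    baseline or (b) have no interactive sign-in for that user in the preceding
    window. A forged token never touches the identity provider, so (b) is the
    gap such tokens leave; (a) is the signal State's detection keyed on."""
    signins = {}
    for r in records:
        if r.get("Operation") == "UserLoggedIn":
            signins.setdefault(r["UserId"], []).append(datetime.fromisoformat(r["CreationTime"]))
    findings = []
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        t = datetime.fromisoformat(r["CreationTime"])
        reasons = []
        if r.get("AppId") not in expected_appids:
            reasons.append("unexpected_appid")
        if not any(t - window <= s <= t for s in signins.get(r["UserId"], [])):
            reasons.append("no_interactive_signin")
        if reasons:
            findings.append({"time": r["CreationTime"], "user": r["UserId"],
                             "appid": r.get("AppId"), "ip": r.get("ClientIPAddress"),
                             "items": r.get("OperationCount", 0), "reasons": reasons})
    return findings


def fan_out_by_ip(findings):
    """Group findings by source IP; one IP touching several mailboxes is the
    shape of an operator replaying forged tokens across a target list."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = hunt(parse_records(SAMPLE_LOG))
    for h in hits:
        print(h)
    print(fan_out_by_ip(hits))
```

On the constructed input, `hunt()` returns the two 02:00 reads (both flagged for an unexpected AppId and for having no sign-in behind them) and nothing for the analyst, and `fan_out_by_ip()` shows the single IP touching both mailboxes. The AppId check is only as good as the baseline: build it from a quiet period, review additions rather than auto-allowlisting, and treat the no-sign-in condition as the more durable of the two signals, because it follows from how forged tokens work rather than from what the actor happened to put in the token.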
Lessons for defenders
Cloud audit logging is not optional, even when the vendor charges for it. The State Department detected Storm-0558 because it had paid for the premium logging tier that exposed the MailItemsAccessed event, which most Microsoft customers did not have. Microsoft has since expanded the standard audit tier to include those logs, but the lesson generalizes: audit log access for SaaS platforms is a control floor, and it needs to be in place and monitored before an incident, not after.
Identity provider integrity outranks endpoint posture. Storm-0558 bypassed every endpoint and network control because it held the issuer's signing key and minted its own tokens; no endpoint ever saw a credential being misused. Hardening Active Directory, Entra ID, and any token-signing infrastructure with HSM-backed keys, automated rotation, and tier-zero administrative isolation, together with strict issuer and audience validation on the relying-party side, is the only durable defense.
Vendor accountability has limits; plan accordingly. The CSRB found that Microsoft's incident communications were inaccurate or incomplete in multiple instances. Customers cannot delegate verification of cloud security claims to the cloud vendor alone. Independent audit, third-party risk assessment, and contractual right-to-audit clauses help close the verification gap.
Crash dumps from signing infrastructure are crown jewels. By Microsoft's account, the key reached the corporate environment because a signing-process crash dump was moved into a debugging environment with the key still in it after redaction silently failed. Crash dump scrubbing that is verified to have actually removed key material, isolation of signing infrastructure from corporate networks, and keeping signing keys in HSMs so they never sit in process memory all close this class of leakage path; short-lived keys limit the damage when one does leak.
Test customer detection capability against vendor breach scenarios. The State Department's detection of Storm-0558 was not luck. It was the product of a deliberate decision to pay for enhanced audit capability, to build a detection on it, and to monitor it. Tabletop exercises that assume the cloud vendor itself is compromised expose where customer-side detection is the only line of defense.
Frequently asked questions
How did Storm-0558 access US government email?
Per Microsoft's September 6, 2023 root cause update, Storm-0558 acquired a Microsoft consumer (MSA) signing key that, by Microsoft's most probable explanation, had leaked into a crash dump that was later moved to a corporate debugging environment; Microsoft has since said it could not confirm that path. The actor used the key to forge authentication tokens, and a separate token-validation flaw caused Outlook Web Access to accept consumer-key-signed tokens for enterprise mailbox access. The actor reached approximately 25 organizations including State and Commerce.
What did the Cyber Safety Review Board conclude about Storm-0558?
The CSRB report on April 2, 2024 concluded that the intrusion was preventable, that Microsoft's security culture was inadequate, and that several public statements by Microsoft during the incident were inaccurate. The board issued 25 recommendations including automated key rotation, free audit logging for all customers, and an industry standard for cloud security root cause analyses.
How did the State Department detect Storm-0558 before Microsoft did?
The State Department had paid for a premium Microsoft 365 logging tier that exposed the MailItemsAccessed audit event, and its analysts had built a detection on it that flagged mailbox access by an unexpected application. They identified the anomalous access in those logs and reported it to Microsoft on June 16, 2023. Customers without the premium tier did not have the telemetry to detect the campaign. In July 2023 Microsoft announced that the event would be included in Purview Audit (Standard) for all customers, with rollout beginning in the fall of 2023.
Sources
- Microsoft MSRC: Microsoft Mitigates China-Based Threat Actor Storm-0558 Targeting of Customer Email · Microsoft's July 11, 2023 initial disclosure
- Microsoft Security Blog: Analysis of Storm-0558 Techniques · Microsoft Threat Intelligence technical analysis
- Microsoft MSRC: Results of Major Technical Investigations for Storm-0558 Key Acquisition · September 6, 2023 root cause update
- Cyber Safety Review Board: Review of the Summer 2023 Microsoft Exchange Online Intrusion · April 2, 2024 CSRB report identifying a cascade of Microsoft security failures
- CISA Alert: Microsoft Releases Mitigations for Cloud-Based Email Compromise · CISA notification and customer guidance
- Senator Wyden Letter to DOJ, FTC, and CISA on Microsoft (July 27, 2023) · Congressional referral citing Microsoft cybersecurity practices
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.