"Stolen Microsoft Key Offered Widespread Access to Microsoft Cloud Services"
According to Wiz security researchers, the Microsoft consumer signing key stolen by the Storm-0558 attackers gave them access beyond the Exchange Online and Outlook[.]com accounts that Redmond said were compromised. Redmond disclosed that the attackers had compromised the Exchange Online and Azure Active Directory (AD) accounts of about two dozen organizations. Using a now-patched zero-day validation flaw in the GetAccessTokenForResource API, the attackers were able to forge signed access tokens and impersonate accounts within the targeted organizations. Shir Tamari, a security researcher with Wiz, noted that the impact extended to all Azure AD applications that rely on Microsoft's OpenID v2.0. The stolen key could sign any OpenID v2.0 access token for personal accounts as well as for multi-tenant Azure AD applications. This article continues to discuss the widespread access to Microsoft cloud services provided by the stolen Microsoft consumer signing key.
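The validation flaw described above comes down to a token verifier accepting a signature from a key that was never authorized for the issuer named in the token. The following added example (not from the article, Wiz, or Microsoft) shows the missing check: each trusted key is bound to the issuers it may sign for, so a token signed with a consumer-account key is rejected for an enterprise tenant even though its signature is cryptographically valid. Key ids, issuer URLs and secrets are constructed, and HS256 is used so the code runs with the standard library only; real Microsoft identity tokens are RS256-signed with keys published at the issuer's JWKS endpoint.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed trust store: kid -> (secret, issuers this key is allowed to sign for).
# The binding between key and issuer is the control the article's flaw lacked.
TRUSTED_KEYS = {
    "consumer-kid": (b"consumer-secret", {"https://login.live.example/"}),
    "tenant-kid": (b"tenant-secret", {"https://login.aad.example/contoso/v2.0"}),
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint an HS256 JWT under the given kid; used only to build test input."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(TRUSTED_KEYS[kid][0], f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{_b64url(mac.digest())}"

def validate(token: str, expected_iss: str, expected_aud: str) -> Optional[dict]:
    """Return the claims if the token is acceptable for this issuer/audience, else None."""
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(b))
    except (ValueError, json.JSONDecodeError):
        return None
    entry = TRUSTED_KEYS.get(header.get("kid"))
    if entry is None or header.get("alg") != "HS256":
        return None
    secret, allowed_issuers = entry
    expected_sig = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return None
    # Decisive check: a valid signature is not enough. The key that signed the token
    # must be one the expected issuer is allowed to use. A consumer key presenting
    # an enterprise-tenant issuer claim fails here even with a perfect signature.
    if claims.get("iss") != expected_iss or expected_iss not in allowed_issuers:
        return None
    if claims.get("aud") != expected_aud:
        return None
    return claims
```

In a real deployment the trust store is the per-issuer JWKS document, and the equivalent check is refusing any `kid` that does not appear in the key set fetched for the token's own `iss`.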