"Chinese Cyberspies Obtained Microsoft Signing Key From Windows Crash Dump Due to a Mistake"

Microsoft announced in July that it had mitigated an attack targeting email by Storm-0558, a threat actor with ties to China. Storm-0558 has been observed conducting cyber espionage, data theft, and credential access attacks against government agencies in Western Europe. An investigation revealed that the attack began on May 15, 2023, when Storm-0558 accessed the email accounts of about 25 organizations, including government agencies, as well as consumer accounts associated with these organizations. The attackers forged authentication tokens to access user email using a Microsoft account consumer signing key they had acquired. Researchers discovered that the threat actors used the forged tokens to access email accounts through Outlook Web Access in Exchange Online and Outlook[.]com. Microsoft has now released a comprehensive technical investigation into how the attackers obtained the consumer signing key. The threat actors stole the signing key from a Windows crash dump after compromising a Microsoft engineer's corporate account. This article continues to discuss Storm-0558 stealing a signing key used to breach government email accounts from a Windows crash dump.

Security Affairs reports "Chinese Cyberspies Obtained Microsoft Signing Key From Windows Crash Dump Due to a Mistake"

Submitted by Anonymous on