from Hacker News

Microsoft government email compromised (and quietly fixed)

by deckiedan on 7/12/23, 4:14 PM with 3 comments

  • by donmcronald on 7/12/23, 5:25 PM

    > They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.

    How does that work? Is the key part of some kind of complex auth flow where it's only allowed to sign tokens that have Exchange access?

    A compromised key that can sign authentication tokens seems like a pretty big deal.

  • by nonfamous on 7/12/23, 6:45 PM

    Actual title of linked article: "Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email"