> Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email.
> The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key.
"U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems. Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service,"
So Microsoft didn't have any idea they were attacked, even though their blog articles imply that they did (see sibling comment).
If they didn't even know, how could they attribute to China?
"The number of U.S. email accounts believed to be affected so far is limited, and the attack appeared targeted, though an FBI investigation is ongoing, said a person familiar with the matter who spoke on the condition of anonymity because of the matter’s sensitivity. Pentagon, intelligence community and military email accounts did not appear to be affected, the person said."
https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigat...
https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-...
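As an added illustration of the token validation issue the quoted Microsoft statement describes (this is not Microsoft's code; HMAC secrets stand in for the real signing keys, and the key IDs, issuer URLs and account names are constructed), a minimal token validator that accepts any known key beside one that only trusts the key set belonging to the issuer the service expects:

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed stand-in for the two separately managed signing systems named in the
# quoted text: consumer (MSA) keys and enterprise (Azure AD) keys. HMAC secrets
# replace the real asymmetric keys so the example runs offline.
MSA_KEYS = {"msa-key-1": b"consumer-secret"}
AAD_KEYS = {"aad-key-1": b"enterprise-secret"}
CONSUMER_ISS = "https://consumer.example/"      # constructed issuer
ENTERPRISE_ISS = "https://enterprise.example/contoso"  # constructed issuer

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(kid: str, secret: bytes, claims: dict) -> str:
    """Mint a JWT-shaped token (header.payload.signature) signed with one key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _verify_with(token: str, keyset: dict) -> Optional[dict]:
    """Look the token's kid up in keyset and check the signature; None on failure."""
    header, body, sig = token.split(".")
    kid = json.loads(_unb64(header))["kid"]
    if kid not in keyset:
        return None
    expected = hmac.new(keyset[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(body))

def validate_weak(token: str) -> Optional[dict]:
    """Flawed: one merged key set, so a consumer key validates an enterprise token."""
    return _verify_with(token, {**MSA_KEYS, **AAD_KEYS})

def validate_strict(token: str, expected_iss: str) -> Optional[dict]:
    """Hardened: choose the key set from the issuer this service expects, then check iss."""
    keyset = AAD_KEYS if expected_iss == ENTERPRISE_ISS else MSA_KEYS
    claims = _verify_with(token, keyset)
    if claims is None or claims.get("iss") != expected_iss:
        return None
    return claims

# Constructed forged token: signed with the consumer key, claiming an enterprise user.
FORGED = mint("msa-key-1", MSA_KEYS["msa-key-1"],
              {"iss": ENTERPRISE_ISS, "sub": "alice@contoso.example"})
```

The weak validator accepts the forged token because the consumer key is in its merged set; the strict one rejects it because the enterprise mail service never consults consumer keys at all.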