Researchers suspect China Microsoft email hackers had access to other files
Researchers from cloud security company Wiz studied the technique described by Microsoft and concluded that anyone with the signing key could have extended their access and signed into other widely used Microsoft cloud offerings including SharePoint, Teams and OneDrive.
“The compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication,” including customer applications that offer the ability to “login with Microsoft,” Wiz said in a blog post detailing its findings.
Microsoft has revoked the key, so it cannot be used in new attacks. But Wiz said the attackers might have left back doors in applications that would let them return, and it said some software would still recognize a session begun by an expired key.
Microsoft played down the likelihood that the attackers had gone beyond the email accounts of targets, who included Commerce Secretary Gina Raimondo and U.S. ambassador to China Nicholas Burns.
“Many of the claims made in this blog are speculative and not evidence-based,” said Jeff Jones, a Microsoft spokesperson.
The Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security unit responsible for defending civilian arms of government, said it had not seen reason to believe that the attackers had chosen to go beyond email.
“Available information indicates that this activity was limited to a specific number of targeted Microsoft Exchange Online email accounts. We continue to work closely with Microsoft as their investigation continues,” said Eric…