Microsoft has neutralized an attack by Storm-0558, a China-based threat actor. The actor targeted customer emails, particularly those of Western European government agencies. The investigation, triggered by customer reports in June 2023, found that the activity had started in May and impacted 25 organizations.
Storm-0558 accessed emails by forging authentication tokens with an acquired Microsoft consumer signing key. This token forgery was the primary method used to breach government agencies and associated consumer accounts. Microsoft has now successfully blocked this access method, securing all affected customers.
Microsoft has contacted the targeted or compromised organizations to help them further investigate and respond. Collaboration is ongoing with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and others to protect affected customers and address the issue thoroughly.
To enhance security, Microsoft has made significant improvements to token validation for customer applications. Customers are urged to adopt these changes as part of their next security update. Meanwhile, Microsoft continues its investigation and monitoring of Storm-0558 activity.