Purloined MSA Key Used to Breach Exchange and Outlook Accounts Has Larger Implications
Researchers from Wiz say that attackers in possession of the stolen Microsoft signing key, which was used to forge access tokens for Exchange Online and Outlook accounts, could also have used it to forge access tokens for other Microsoft cloud applications, including SharePoint, Teams, and OneDrive. Microsoft has revoked the key and published indicators of compromise.
Still very little from Microsoft about what exactly happened to the key. A Microsoft spokesperson, in a response to the article published by The Register, stated that Wiz came to its conclusion without knowing the internals of Microsoft's cloud environment. But the same statement did avoid calling any of Wiz's conclusions wrong.
Microsoft hasn’t replied officially to these new analyses showing broader impact of the incident, which increases the probability Microsoft will amend its earlier statements. If so, this is worth a “Key Management is Job 1” kind of company-wide edict coming from Microsoft’s CEO.
The authentication tokens worked with OpenID 2.0 apps and those supporting "login with Microsoft." Regrettably, you probably won't have the log data you need to properly detect this sort of activity until September. Realistically, any sessions signed by that key will need to be re-established. The default for MS 365 is 14 days, so if you've not increased the interval, you're good. Spend the energy on ingesting and processing the new logs to discover what you may be missing.
While most of the recent discussion has been on Microsoft up-charging for additional logging data and storage, the real question is how the evil-doer got access to the signing key in the first place. Wiz’s analysis doesn’t answer that question, but it does help in understanding the potential impact the use of that key has with other Microsoft applications.
The important story of the compromise of this key has been obscured by the far less important story of the logs that led to the discovery of the compromise.
William Hugh Murray
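An added example, not from the original piece nor from Microsoft or Wiz, of the triage one of the comments above describes: given a batch of tokens pulled from your own logs or session stores, flag any signed under the revoked key ID (those sessions must be re-established whether the token was forged or legitimately issued) and, separately, any older than the tenant's session lifetime. The key IDs, the tokens and the 14-day lifetime are constructed placeholders; the real revoked key identifier is the one in Microsoft's published indicators of compromise, and the signature bytes here are dummies because the check only reads the JOSE header, it does not verify the signature.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Constructed placeholder. Replace with the key ID from Microsoft's published IOCs.
REVOKED_KIDS = {"revoked-msa-key-EXAMPLE"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(kid: str, claims: dict) -> str:
    """Build a compact JWS (header.payload.signature) for the sample data.

    The signature is a constructed dummy; this helper exists only so the
    example runs offline. Real tokens come from your logs, not from here.
    """
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"\x00" * 4),
    ])


def parse_token(token: str) -> tuple[dict, dict]:
    """Return (header, claims) without verifying the signature.

    Signature verification is deliberately absent: the point of the triage
    is that anything signed under the revoked kid is untrusted regardless
    of whether the signature validates.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def triage_tokens(tokens, revoked_kids, max_session_age: timedelta, now: datetime):
    """Return a list of (reason, claims) for tokens that must be re-authenticated.

    reason is "revoked-kid" when the token's header names a revoked key,
    otherwise "stale-session" when iat is older than the session lifetime.
    Tokens that are neither are returned nothing for: they are not evidence
    of compromise on their own.
    """
    findings = []
    for tok in tokens:
        header, claims = parse_token(tok)
        issued = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
        if header.get("kid") in revoked_kids:
            findings.append(("revoked-kid", claims))
        elif now - issued > max_session_age:
            findings.append(("stale-session", claims))
    return findings


# Constructed sample input: three tokens, one under the revoked kid, one
# under a current kid but older than the 14-day lifetime, one fine.
NOW = datetime(2023, 7, 25, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    make_token("revoked-msa-key-EXAMPLE",
               {"sub": "alice@example.com", "iat": int((NOW - timedelta(days=3)).timestamp())}),
    make_token("current-key-EXAMPLE",
               {"sub": "bob@example.com", "iat": int((NOW - timedelta(days=20)).timestamp())}),
    make_token("current-key-EXAMPLE",
               {"sub": "carol@example.com", "iat": int((NOW - timedelta(days=1)).timestamp())}),
]


def run_sample():
    return triage_tokens(SAMPLE_TOKENS, REVOKED_KIDS, timedelta(days=14), NOW)


if __name__ == "__main__":
    for reason, claims in run_sample():
        print(f"{reason}: {claims['sub']}")
```

Two caveats for anyone running this against real data. A matching kid is not proof of forgery: the revoked key also signed legitimate tokens before it was stolen, which is exactly why the sessions have to be re-established rather than investigated one by one. And a token header is only ever as trustworthy as the service that accepted it; if the accepting service is not logging the kid, this check cannot be run retrospectively, which is the logging gap the comments above complain about.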
Read more in
Bleeping Computer: Stolen Microsoft key offered widespread access to Microsoft cloud services