> They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.
How does that work? Is the key part of some kind of complex auth flow where it's only allowed to sign tokens that have Exchange access?
A compromised key that can sign authentication tokens seems like a pretty big deal.
Actual title of linked article: "Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email"
> They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.
How does that work? Is the key part of some kind of complex auth flow where it's only allowed to sign tokens that have Exchange access?
A compromised key that can sign authentication tokens seems like a pretty big deal.