Microsoft Says Chinese Hackers Compromised Exchange Email Accounts


Microsoft has disclosed that Chinese hackers breached the email accounts of US government employees. The hacking group (tracked as Storm-0558) exploited a flaw in Microsoft’s cloud email service to gain unauthorized access to email systems.

Microsoft found that the threat actors used forged authentication tokens to access affected user accounts through Outlook Web Access in Exchange Online (OWA). The hackers first used stolen consumer (MSA) signing keys to forge tokens and access OWA. Second, they abused a token validation flaw to impersonate Azure AD customers and gain unauthorized access to enterprise mail.
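As an added illustration of the two steps above (example code, not Microsoft's or the article's), the toy validator below shows why a signing key must be bound to the scope it is allowed to issue tokens for. The key names, issuer URLs and HS256 signing are constructed stand-ins for the real RSA keys: `verify_naive` accepts any token signed by any trusted key, while `verify_scoped` rejects a consumer-key token presented to an enterprise service.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample keys: each signing key is tagged with the scope it may issue tokens for.
KEYS = {
    "consumer-key-1": {"secret": b"constructed-consumer-secret", "scope": "consumer"},
    "enterprise-key-1": {"secret": b"constructed-enterprise-secret", "scope": "enterprise"},
}
# Constructed issuer URLs mapped to the scope a token claims when it names them.
ISSUER_SCOPE = {
    "https://login.consumer.example/": "consumer",
    "https://login.enterprise.example/": "enterprise",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(kid: str, issuer: str, subject: str) -> str:
    """Sign an HS256 token with the named key (constructed; stands in for the real RSA keys)."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject}).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_naive(token: str) -> Optional[dict]:
    """Weak check: the signature is valid under *some* trusted key, regardless of that key's scope."""
    header_b, payload_b, sig_b = token.split(".")
    key = KEYS.get(json.loads(_b64url_decode(header_b)).get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{header_b}.{payload_b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b)):
        return None
    return json.loads(_b64url_decode(payload_b))

def verify_scoped(token: str, required_scope: str) -> Optional[dict]:
    """Hardened check: the signing key, the issuer, and the service's expected scope must all agree."""
    claims = verify_naive(token)
    if claims is None:
        return None
    kid = json.loads(_b64url_decode(token.split(".")[0]))["kid"]
    if KEYS[kid]["scope"] != required_scope or ISSUER_SCOPE.get(claims.get("iss")) != required_scope:
        return None
    return claims
```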

Microsoft mitigates attack on Exchange Online

According to the Washington Post, the US government shared the details about the security vulnerability with Microsoft on June 16. Since then, the company has successfully mitigated the flaw for all affected customers. Microsoft confirmed that it had blocked access to compromised email accounts.

“Our telemetry indicates that we have successfully blocked Storm-0558 from accessing customer email using forged authentication tokens. No customer action is required. As with any observed nation-state actor activity, Microsoft has contacted all targeted or compromised organizations directly via their tenant admins and provided them with important information to help them investigate and respond,” the MSRC team explained.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI said in a security advisory that Storm-0558 only managed to access unclassified email data. The hacking group didn’t breach emails connected to the intelligence community, military, and Pentagon.

CISA has not disclosed the overall impact of the security incident. However, federal agencies have urged organizations to report any malicious activities in their Microsoft 365 tenants.