In July 2023, Microsoft disclosed that Storm-0558, a threat actor attributed to China, had acquired a signing key that allowed it to gain illicit access to Exchange and Outlook accounts. The threat actor used this key to exfiltrate emails from multiple organizations, including the accounts of US government officials.
According to Microsoft’s investigation into this incident, at some point after April 2021, Storm-0558 used prior access to an engineer’s device (gained during the Affirmed Networks breach) to steal an access token. This engineer had permission to access a debugging server in Microsoft’s corporate network. This debugging server may have contained a crash dump that originated from a signing system located in Microsoft’s isolated production network.
This crash dump, produced by a crash that occurred in April 2021, may have contained the signing key mentioned above. The inclusion of the signing key in the crash dump would have been the result of one bug, and a separate bug would have allowed the key to remain undetected on the debugging server.
Based on all of the above, Microsoft concluded that the most likely method by which Storm-0558 acquired the signing key was through this compromised account, by accessing the debugging server and exfiltrating a crash dump that may have contained the key material.