Connect with us

Hi, what are you looking for?


Email Security

Chinese Cyberspies Used Forged Authentication Tokens to Hack Government Emails

Microsoft says a Chinese cyberespionage group tracked as Storm-0558 has used forged authentication tokens to access government emails.

Microsoft reported on Tuesday that a Chinese cyberespionage group it tracks as Storm-0558 was recently spotted using forged authentication tokens to hack government email accounts.

According to the tech giant, the hackers gained access to the email accounts of roughly 25 organizations, including government agencies and consumer accounts belonging to individuals associated with the targeted entities.

Microsoft’s investigation showed that the threat actor forged authentication tokens to gain access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Specifically, the attackers used a Microsoft account (MSA) consumer signing key to forge the tokens.  

“MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems,” Microsoft explained. “The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. We have no indications that Azure AD keys or any other MSA keys were used by this actor.”

The company pointed out that only OWA and were targeted using forged authentication tokens. 

Microsoft said it became aware of the attacks on June 16 and an investigation showed that the activity began one month earlier. 

The company took steps to mitigate the attack, including blocking the usage of tokens signed with the compromised key and replacing the key itself. Impacted customers have been notified and provided with information needed for incident response. 

Advertisement. Scroll to continue reading.

Microsoft said the Storm-0558 group mainly targets government agencies in Western Europe, focusing on cyberespionage, data theft, and credential access. 

However, CNN learned that unclassified US government email accounts have also been targeted by the Chinese cyberspies. The vulnerability that made the attack possible was reportedly discovered by the US government, specifically the State Department, which then notified Microsoft. 

Microsoft also revealed on Tuesday, when it informed customers about over 130 new vulnerabilities, including several actively exploited zero-days, that a Russian threat actor known as Storm-0978 and RomCom had exploited a zero-day tracked as CVE-2023-36884 in attacks targeting defense and government entities in Europe and North America.

The group has been known for its cybercriminal activities, but it recently turned to espionage. It has been observed targeting NATO Summit guests and other entities supporting Ukraine. 

Related: Microsoft Outs New Russian APT Linked to Wiper Attacks in Ukraine

Related: A Year of Conflict: Cybersecurity Industry Assesses Impact of Russia-Ukraine War

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...