These two paras in https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
are very scary. (MSA is a Microsoft account, i.e. the self-service identity you can create whenever you want, for example by creating a new mailbox on outlook.com.)
"Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident – including the actor-acquired MSA signing key – have been invalidated. Azure AD keys were not impacted. The method by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected."
"As part of defense in depth, we continuously update our systems. We have substantially hardened key issuance systems since the acquired MSA key was initially issued. This includes increased isolation of the systems, refined monitoring of system activity, and moving to the hardened key store used for our enterprise systems. We have revoked all previously active keys and issued new keys using these updated systems."
They're not owning up to how the key was obtained. Either a Microsoft employee stuffed up, or a vital key management system was compromised. Either one is bad news.
By "inactive", do they mean they were leaving older keys lying around when they weren't actively using them, so they would be less likely to notice if an attacker had obtained that key?
It seems up until now they thought it was OK to manage their signing key for personal accounts in a sloppier way compared to the accounts within an organisation's Azure AD (Azure AD is currently being renamed to Entra). And yet that key was able to be used for signing Azure AD tokens!
I think this is a big deal and Microsoft are lucky - there could easily have been a larger and more vehement response and criticism. They really need to do better.
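To make the "validation issue" concrete, here is an added illustration (my own toy code, not Microsoft's, using HMAC-signed JWT-shaped tokens and a constructed key set) of the difference between a verifier that trusts any key in a shared key set and one that binds each key to the issuer it serves and refuses inactive keys:

```python
import base64
import hashlib
import hmac
import json

# Constructed key set: which keys exist, which issuer each one serves, and whether it is active.
KEYS = {
    "msa-key-1": {"secret": b"consumer-secret-A", "issuer": "msa", "active": True},
    "msa-key-0": {"secret": b"consumer-secret-old", "issuer": "msa", "active": False},  # retired key
    "aad-key-1": {"secret": b"enterprise-secret", "issuer": "aad", "active": True},
}

def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid, claims):
    """Mint a compact header.payload.signature token with the named key (toy stand-in for a JWT)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _parse(token):
    header, body, sig = token.split(".")
    return json.loads(_unb64(header)), json.loads(_unb64(body)), _unb64(sig), f"{header}.{body}"

def _signature_ok(key, signed, sig):
    expected = hmac.new(key["secret"], signed.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def validate_weak(token, expected_issuer):
    """Weak: checks the iss claim, but looks the kid up in one combined key set without
    asking whether that key is active or whether it belongs to the expected issuer."""
    hdr, claims, sig, signed = _parse(token)
    key = KEYS.get(hdr["kid"])
    if key is None or claims.get("iss") != expected_issuer:
        return None
    return claims if _signature_ok(key, signed, sig) else None

def validate_strict(token, expected_issuer):
    """Hardened: the key must be active and registered for the expected issuer, and the
    token's iss claim must agree, before the signature is even checked."""
    hdr, claims, sig, signed = _parse(token)
    key = KEYS.get(hdr["kid"])
    if key is None or not key["active"] or key["issuer"] != expected_issuer:
        return None
    if claims.get("iss") != expected_issuer:
        return None
    return claims if _signature_ok(key, signed, sig) else None
```

A token minted with the retired consumer key but carrying iss=aad passes validate_weak and is rejected by validate_strict, which is the scope check the blog post says was missing.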