
A Chinese hacking group has hacked into the email accounts of more than two dozen organizations around the world, including US and Western European government agencies, according to Microsoft.

The attacks were attributed to a threat group tracked as Storm-0558, believed to be a cyber espionage team focused on collecting sensitive information by breaching email systems.

Microsoft began investigating these attacks on June 16, 2023, following customer reports of unusual email activity.

The company discovered that as of May 15, 2023, Storm-0558 threat actors managed to gain access to Outlook accounts belonging to approximately 25 organizations and some consumer accounts that may be connected to these organizations.

To do this, the attackers used authentication tokens forged using a stolen Microsoft Account Consumer (MSA) signing key.

“Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by falsifying authentication tokens to access user emails,” Microsoft said in a blog post published late Tuesday evening.

“The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com. MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. The actor exploited a token validation issue to impersonate Azure AD users and gain access to corporate email.”

Microsoft added that it found no evidence to point to further unauthorized access after it “completed mitigation of this attack.”
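The point in Microsoft's statement that consumer and enterprise keys should be valid only for their own systems can be shown with a simplified validator. This is an added illustration, not Microsoft's code: the key names, issuer URLs and token layout are constructed, and an HMAC stands in for a real token signature.

```python
import base64, hashlib, hmac, json

# Constructed key registry: each signing key is tagged with the one system it may sign for.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-demo-secret", "scope": "consumer"},
    "enterprise-key-1": {"secret": b"enterprise-demo-secret", "scope": "enterprise"},
}
# Constructed issuer names mapped to the system that owns them.
ISSUER_SCOPE = {"https://consumer.example/": "consumer",
                "https://enterprise.example/": "enterprise"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(kid, claims):
    """Issue a demo token with key `kid` (HMAC stands in for a real signature)."""
    body = _b64(json.dumps({"kid": kid, **claims}, sort_keys=True).encode())
    mac = hmac.new(KEYS[kid]["secret"], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)

def _verified_claims(token):
    """Return the claims if the signature matches a known key, else None."""
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        key = KEYS[claims["kid"]]
        expected = hmac.new(key["secret"], body.encode(), hashlib.sha256).digest()
        return claims if hmac.compare_digest(expected, _unb64(sig)) else None
    except (ValueError, KeyError, TypeError):
        return None

def validate_signature_only(token):
    """Weak check: any known key is trusted for any issuer."""
    return _verified_claims(token) is not None

def validate_with_key_scope(token):
    """Hardened check: the signing key's scope must match the claimed issuer's scope."""
    claims = _verified_claims(token)
    if claims is None:
        return False
    issuer_scope = ISSUER_SCOPE.get(claims.get("iss"))
    return issuer_scope is not None and KEYS[claims["kid"]]["scope"] == issuer_scope
```

A token that names the enterprise issuer but is signed with the consumer key passes `validate_signature_only` and is rejected by `validate_with_key_scope`.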

Discovered and reported by the US government

The incident was reported to Microsoft by US government officials last month after unauthorized access to Microsoft’s cloud-based email services was discovered.

This was confirmed by National Security Council spokesman Adam Hodge in a statement shared with CNN.

“Last month, US government safeguards identified an intrusion into Microsoft cloud security that affected unclassified systems,” Hodge told CNN.

“Officials immediately contacted Microsoft to find the source and vulnerability of their cloud service. We continue to hold US government procurement vendors at a high security threshold.”

On Tuesday, Microsoft also revealed that the Russian-based cybercriminal group RomCom exploited an unpatched Office zero-day in recent spear-phishing attacks targeting organizations participating in the NATO summit in Vilnius, Lithuania.
