Microsoft says it still doesn’t know how Chinese hackers stole an inactive Microsoft Account (MSA) customer signing key used to breach the Exchange Online and Azure AD accounts of two dozen organizations, including government agencies.

“The method by which the actor acquired the key is under ongoing investigation,” Microsoft admitted in a new notice published today.

The incident was reported by US government officials after they discovered unauthorized access to the Exchange Online mail services of several government agencies.

Microsoft began investigating the attacks on June 16 and found that a Chinese cyber spy group it tracks as Storm-0558 hacked into the email accounts of about 25 organizations (reportedly including the U.S. Departments of State and Commerce).

Threat actors used the stolen Azure AD corporate signing key to forge new authentication tokens by exploiting a flaw in the GetAccessTokenForResource API, allowing them to access targets’ corporate email.

Storm-0558 can use PowerShell and Python scripts to generate new access tokens through REST API calls against the OWA Exchange Store service to steal emails and attachments. However, Redmond has not confirmed whether they used this approach during last month’s Exchange Online data theft attacks.

“Our telemetry and investigations indicate that post-compromise activity was limited to email access and exfiltration for targeted users,” Microsoft added today.

The company blocked the use of the stolen private signing key for all affected customers on July 3 and says the attackers’ token replay infrastructure was shut down a day later.

Revoked MSA signing keys to block Azure AD token tampering

On June 27, Microsoft also revoked all valid MSA signing keys to block all attempts to generate new access tokens and moved the new tokens to the keystore it uses for its enterprise systems.
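To make the mitigation in the paragraphs above concrete, here is an added illustration that is not Microsoft's code and does not describe the GetAccessTokenForResource flaw: a minimal RS256 token verifier in Go whose keystore binds each signing key to a single issuer and carries a revocation flag. Binding one key to one issuer, the key ids, the issuer URLs and the claims are all assumptions constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors so a caller (or a detection rule) can tell why a token was rejected.
var (
	ErrMalformed    = errors.New("malformed token")
	ErrKeyRevoked   = errors.New("signing key revoked or unknown")
	ErrBadSignature = errors.New("bad signature")
	ErrKeyScope     = errors.New("key not authorized for this issuer")
)

// KeyRecord is one keystore entry, looked up by the JWT "kid" header. Binding each key to a
// single issuer is an assumption made for this example, not a description of any real service.
type KeyRecord struct {
	Pub     *rsa.PublicKey
	Issuer  string // the only "iss" value this key may vouch for
	Revoked bool   // kill switch flipped when a key is believed stolen
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign mints a compact RS256 JWS (header.payload.signature); whoever holds priv can sign any claims.
func Sign(priv *rsa.PrivateKey, kid string, claims map[string]string) string {
	h, p := must(json.Marshal(map[string]string{"alg": "RS256", "kid": kid})), must(json.Marshal(claims))
	input := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(input))
	return input + "." + b64(must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])))
}

// Verify checks, in order: header pinned to RS256, kid present in the keystore and not revoked,
// RSA signature valid over header.payload, and the token's "iss" matching the key's bound issuer.
func Verify(ks map[string]KeyRecord, token string) (map[string]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, ErrMalformed
		}
		raw[i] = b
	}
	var hdr, claims map[string]string
	if json.Unmarshal(raw[0], &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, ErrMalformed // rejects "none" and algorithm-confusion headers outright
	}
	rec, ok := ks[hdr["kid"]]
	if !ok || rec.Revoked {
		return nil, ErrKeyRevoked // unknown kids are treated exactly like revoked ones
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(rec.Pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return nil, ErrBadSignature
	}
	if json.Unmarshal(raw[1], &claims) != nil {
		return nil, ErrMalformed
	}
	if claims["iss"] != rec.Issuer {
		return nil, ErrKeyScope // valid signature, but from a key that may not vouch for this issuer
	}
	return claims, nil
}

// Demo returns the verifier's verdict for three constructed scenarios: a legitimate enterprise token,
// a token signed with the consumer key but claiming the enterprise issuer (cryptographically valid,
// wrong issuer binding), and the legitimate token again after its key has been revoked.
func Demo() map[string]error {
	consumer, enterprise := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	ks := map[string]KeyRecord{
		"msa-key-1": {Pub: &consumer.PublicKey, Issuer: "https://login.example.test/consumer"},
		"aad-key-1": {Pub: &enterprise.PublicKey, Issuer: "https://login.example.test/enterprise"},
	}
	claims := map[string]string{"iss": "https://login.example.test/enterprise", "sub": "alice@corp.example", "aud": "mail.example"}
	out, good := map[string]error{}, Sign(enterprise, "aad-key-1", claims)
	_, out["legitimate enterprise token"] = Verify(ks, good)
	_, out["consumer key, enterprise issuer"] = Verify(ks, Sign(consumer, "msa-key-1", claims))
	// Revocation invalidates every token under that kid, including one that verified a moment ago.
	ks["aad-key-1"] = KeyRecord{Pub: &enterprise.PublicKey, Issuer: ks["aad-key-1"].Issuer, Revoked: true}
	_, out["enterprise token after revocation"] = Verify(ks, good)
	return out
}

func main() { fmt.Println(Demo()) }
```

Two design points matter here. The issuer binding is checked after the signature, so a key that is genuine but belongs to a different issuer is rejected even though the RSA math succeeds. And because the keystore is consulted at verification time rather than at issuance, flipping the revoked flag takes effect immediately for tokens already in circulation, which is the effect Microsoft describes when it says no further activity was seen once the key was invalidated.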

“No actor activity related to the key has been observed since Microsoft invalidated the actor-acquired MSA signing key,” Microsoft said.

However, while Redmond no longer detected any malicious activity related to the Storm-0558 key after revoking all active MSA signing keys and mitigating the API flaw, today’s advisory states that the attackers have now moved on to other techniques.

“No actor activity related to the key has been observed since Microsoft invalidated the MSA signing key acquired by the actor. Additionally, we have seen Storm-0558 transition to other techniques, which indicates that the actor is unable to use or access signing keys,” Microsoft said.

On Tuesday, Microsoft also revealed that the Russian cybercrime group RomCom exploited a still-unpatched Office zero-day in recent phishing attacks against organizations participating in the NATO summit in Vilnius, Lithuania.

RomCom operators used malicious documents impersonating the Ukrainian World Congress to deliver and deploy malware payloads such as the MagicSpell loader and the RomCom backdoor.

