Information on the Microsoft Master Key Incident

On 11 July 2023, Microsoft published a report in which the company confirmed that there had been attempts by Chinese actors to hack customer email accounts. However, the company only provided limited information on the scope of the security incident.
According to current findings, the hackers had extensive access to large amounts of data within Microsoft’s cloud services for several weeks on end. This involved services such as Outlook, SharePoint, Office 365, Teams, OneDrive, and also third-party applications that use the “Sign in with Microsoft” function.

To date, Microsoft has not provided any detailed information about the incident or the associated consequences. It is known that the hackers, presumably from China and identified by Microsoft as Storm-0558, were able to obtain a privileged key (master key). With it, they had the ability to read third-party emails, among other things.
Within the Azure cloud, Microsoft acts as an identity provider and stores all user information in the Azure Active Directory (AAD). During the login process, AAD checks the password and, if required, additional security factors such as TOTP verification codes. If authentication is successful, the requesting application receives a token digitally signed by Microsoft, which authorises it to perform actions on behalf of the user, for example to retrieve emails.

The hackers apparently obtained such a key, one authorised to sign these tokens. With tokens signed by it, they had access to email accounts stored in the Microsoft cloud, in particular those of various European government agencies, for a long period without being noticed.
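To make the token flow described above concrete, the following is an added illustration (not code from Microsoft or from this article) of the checks a relying application performs on a signed token and of why a stolen signing key defeats them. It uses a standard-library HMAC (HS256) in place of Microsoft's RSA signature, and the issuer, audience, key ids and secrets are constructed placeholders.

```python
import base64, hashlib, hmac, json

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, key: bytes, claims: dict) -> str:
    # Issuer side: the header names the signing key by kid (HS256 stands in for RSA).
    head, body = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode()), _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_token(token: str, trusted: dict, iss: str, aud: str, now: float) -> dict:
    # Relying-party side: returns the claims, or raises ValueError naming the failed check.
    head, body, sig = token.split(".")
    header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
    key = trusted.get(header.get("kid")) if header.get("alg") == "HS256" else None
    if key is None:
        raise ValueError("unknown kid or alg")  # key is not in the trusted key set
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    if claims.get("iss") != iss or claims.get("aud") != aud:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def outcome(token: str, trusted: dict, now: float = 1_700_000_000) -> str:
    try:
        verify_token(token, trusted, "https://idp.example", "mail-api", now)
        return "accepted"
    except ValueError as e:
        return f"rejected: {e}"

def demo() -> dict:
    # Constructed scenario: which tokens a relying party can and cannot tell apart.
    idp_keys = {"key-2023": b"constructed-idp-signing-secret"}
    real = idp_keys["key-2023"]
    claims = {"iss": "https://idp.example", "aud": "mail-api", "sub": "alice", "exp": 1_700_003_600}
    return {
        "legitimate": outcome(sign_token("key-2023", real, claims), idp_keys),
        "wrong_key": outcome(sign_token("key-2023", b"not-the-real-key", claims), idp_keys),
        # A token minted with a leaked copy of the key passes every check above.
        "leaked_key": outcome(sign_token("key-2023", real, dict(claims, sub="victim")), idp_keys),
        "after_rotation": outcome(sign_token("key-2023", real, claims), {"key-2024": b"rotated-secret"}),
    }
```

The last case shows why revoking the compromised key (dropping its kid from the trusted key set) is the step that turns previously undetectable tokens into rejected ones.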

During the investigation of the security incident, Microsoft found that European government agencies and some private accounts, presumably in the same context, were compromised. According to Microsoft, all affected customers have by now been informed.

The general recommendation for potentially impacted organisations is to carefully check their inbox for official communications from Microsoft regarding the incident to ensure that no relevant communications have been overlooked. In addition, it is advisable to regularly consult the specialist media and the publications of the BSI in order to obtain up-to-date information regarding the “master key incident”. Apart from these measures, no further urgent technical or organisational actions or notifications to third parties seem to be necessary at present, since the data protection authorities have already been informed. However, binding statements on the required actions of individual organisations can naturally only be made by the organisation’s responsible data protection officer or information security officer.

The Finlex Cyber Ecosystem offers all-round support that spans several core areas. This starts with the “smart risk assessment”, the identification and assessment of risks. This is followed by core area two, “smart protection”, which is focused on the placement of high-quality and competitive insurance solutions as well as the ongoing support and continuous monitoring of IT security. Core area three, “smarter claims support”, i.e. support in the event of a claim, rounds off the ecosystem.

Sabine Sander

Non-Executive Director