Microsoft on Wednesday revealed that a China-based threat actor known as Storm-0558 acquired the inactive consumer signing key to forging tokens to access Outlook by compromising an engineer’s corporate account.
This enabled the adversary to access a debugging environment that contained a crash dump of the consumer signing system that took place in April 2021 and steal the key.
“A consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (‘crash dump’),” the Microsoft Security Response Center (MSRC) said in a post-mortem report.
“The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump. The key material’s presence in the crash dump was not detected by our systems.”