2023-09-06

Microsoft has revealed how suspected Chinese hackers obtained a digital signing key that was used in the Outlook breach in July, which affected several US government agencies. The key was accidentally leaked when a company computer holding it crashed in April 2021. During the crash, a dump report was generated, but the key was not redacted from the file due to a software bug. Although the computers holding the signing keys are isolated from the internet, the unredacted file was automatically passed to a debugging computer that was connected to the internet. This allowed the Chinese hackers to acquire the key when they compromised a Microsoft engineer’s corporate account.

Once they obtained the key, the hackers were able to forge authentication tokens to gain access to customer emails on Microsoft’s Outlook service. However, the signing key was originally designed for consumer Microsoft accounts, not the enterprise Outlook accounts that the hackers targeted. Microsoft had not updated a software library so that, when validating a token’s signature, it checked whether the signing key belonged to the consumer or the enterprise account system; that gap is what turned a consumer key into a way into enterprise mailboxes.
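To make the validation gap concrete, here is an added illustration (not Microsoft’s code, and not the real token format): a minimal token validator that accepts any key in a shared key set, beside one that also requires the key’s scope to match the token’s issuer. Key ids, secrets and issuer names are constructed, and HMAC stands in for the real asymmetric signature.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key set: each key is tagged with the account family it may sign for.
# Key ids, secrets and issuer names are made up for this illustration.
KEYS = {
    "msa-key-1": {"secret": b"consumer-signing-secret", "scope": "consumer"},
    "aad-key-1": {"secret": b"enterprise-signing-secret", "scope": "enterprise"},
}
ISSUER_SCOPE = {"login.live.example": "consumer", "login.corp.example": "enterprise"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Issue a compact token: header.payload.signature, signed with the named key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def validate_weak(token: str) -> Optional[dict]:
    """Signature-only check: any key in the shared key set is trusted for any issuer."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64(header_b64))
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None
    return json.loads(_unb64(payload_b64))

def validate_strict(token: str) -> Optional[dict]:
    """Same signature check, plus: the key's scope must match the token's issuer."""
    claims = validate_weak(token)
    if claims is None:
        return None
    header = json.loads(_unb64(token.split(".")[0]))
    key_scope = KEYS[header["kid"]]["scope"]
    if ISSUER_SCOPE.get(claims.get("iss")) != key_scope:
        return None  # a consumer key presented for an enterprise issuer, or vice versa
    return claims
```

A token signed with the consumer key but carrying the enterprise issuer passes `validate_weak` and is rejected by `validate_strict`; the fix is in the validator, not in the key material.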

Microsoft has faced criticism for the Outlook breach, with calls for investigations into the company’s cybersecurity practices. The company has since addressed the bugs and processes that allowed the breach to occur and has strengthened its detection systems to prevent sensitive material from being included in crash dump files. However, it remains to be seen whether Microsoft’s report will alleviate concerns or fuel further criticism of its approach to security.

