> They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.

How does that work? Is the key part of some kind of complex auth flow where it's only allowed to sign tokens that have Exchange access?

A compromised key that can sign authentication tokens seems like a pretty big deal.