The quote in the article about what happened seems muddled. But even going to the original source [0], I don't think I understand what happened. Some of it might be because of terminology differences, some because this seems to be written mainly for ass-covering. Does anyone know any more details?

> They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key

Is this saying that the attackers got Microsoft's cookie signing private key? I don't know how else to interpret it, but "acquiring" sure ain't the language you use for that level of breach. And <i>how</i> was the key "acquired"? From a security vulnerability in their production systems? Breach of their corp network?

> The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail.

So not only did they leak the private key, but their validation code was also broken and checked the signatures against the wrong key? How does that even happen?

[0] https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/
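The commenter's second question (how a validator can end up accepting a token signed with the wrong key) is the part that is easiest to show in code. The following is an added illustration, not code from the comment above or from Microsoft, and it does not claim to reproduce the actual Microsoft bug. It assumes a toy JWS-style token format with HMAC secrets standing in for the asymmetric signing keys a real identity platform would publish; the key ids, secrets, issuer names and the `validate_lenient` / `validate_strict` functions are all constructed for the example. The lenient validator trusts any key it knows about regardless of which issuer that key belongs to, so a token minted with the consumer key but claiming the enterprise issuer is accepted; the strict validator ties each key to the issuer it may sign for and rejects that token even though its signature is cryptographically valid.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed toy key material. A real platform would publish asymmetric keys
# in a JWKS; HMAC secrets are used here only so the example runs offline with
# the standard library. The "issuer" field records which identity system a
# key is allowed to sign tokens for.
KEYS = {
    "consumer-kid-1": {"secret": b"constructed-consumer-secret", "issuer": "consumer"},
    "enterprise-kid-1": {"secret": b"constructed-enterprise-secret", "issuer": "enterprise"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a toy JWS-style token (header.payload.signature) with the key named by kid."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), f"{h}.{p}"


def _signature_ok(kid: str, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_lenient(token: str) -> Optional[dict]:
    """Weak pattern: any key the validator knows is trusted for any issuer.

    The signature check itself is correct, but nothing ties the key to the
    issuer named in the token, so a key from one identity system can vouch
    for identities in another.
    """
    header, claims, sig, signing_input = _parse(token)
    kid = header.get("kid")
    if kid not in KEYS or not _signature_ok(kid, signing_input, sig):
        return None
    return claims


def validate_strict(token: str, expected_issuer: str) -> Optional[dict]:
    """Hardened pattern: the token must name the issuer this service expects,
    and the key must be one that issuer is allowed to sign with."""
    header, claims, sig, signing_input = _parse(token)
    kid = header.get("kid")
    if kid not in KEYS:
        return None
    if claims.get("iss") != expected_issuer or KEYS[kid]["issuer"] != expected_issuer:
        return None
    if not _signature_ok(kid, signing_input, sig):
        return None
    return claims


if __name__ == "__main__":
    # A token signed with the consumer key but claiming to be an enterprise token.
    forged = sign_token("consumer-kid-1", {"iss": "enterprise", "sub": "alice@corp.example"})
    print("lenient accepts forged token:", validate_lenient(forged) is not None)
    print("strict accepts forged token:", validate_strict(forged, "enterprise") is not None)
```

The point of the strict variant is that the key lookup is scoped by issuer before the signature is checked at all: even a validator with a correct cryptographic implementation is wrong if it answers "is this signed by some key I know" instead of "is this signed by a key that the issuer I am expecting is permitted to use".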