Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

Microsoft reveals the sequence of events that led to a massive hacking event

Microsoft reveals the sequence of events that led to a massive hacking event

In July, Microsoft disclosed they had been breached by a Chinese hacking group, affecting over two dozen organizations. After an investigation, they now know the mistakes that allowed it to occur. 


What happened

In July, Paubox released information regarding a China-based hacking incident, later revealed to be group Storm-0558.

The incident affected 25 organizations, including the State Department and Commerce Department, and allowed access to various Outlook emails by using an unauthorized authentication key. 

Read more: China-based hacking incident reaches beyond Microsoft emails, CISA reveals


What’s new

According to Microsoft’s investigation, there were a number of events that allowed the attack to take place.

The first was allowing an authentication key to be stolen in the first place.  

The company found that the authentication key used in the attack was placed in a location it never should have been. Multiple failures allowed this to occur–the system first made a debugging snapshot of a process that had crashed. Still, it failed to strip the snapshot of sensitive information. The information was then moved to a crash dump. 

Microsoft generally has other protective measures, but unfortunately, those failed, too. Even if the sensitive information had been left in the snapshot, Microsoft’s systems should have detected the material in their crash dump, but it didn’t. 

Engineers, believing the crash dump was free of sensitive data, transferred the key to the company’s debugging environment. There, another security measure failed to detect it. 

Soon after, in another major failure, Storm-0558 was able to access an engineer’s corporate account, allowing the group to access the debugging environment that mistakenly contained the key. 

Finally, the key was a consumer key. However, it was still able to access enterprise accounts because Microsoft had failed to update certain systems to differentiate enterprise from consumer keys. 

Despite the many layers of protection Microsft had in place, Storm-0558 was then able to successfully infiltrate Microsoft Outlook. 


What they’re doing

Now, after the incident, Microsoft is vowing to improve its defense systems. They have implemented the following: 

  1. Identified and resolved conditions that allowed the key to be in crash dumps. 
  2. Enhanced prevention, detection, and response to keys placed in crash dumps.
  3. Enhanced credential scanning to detect the presence of keys.
  4. Released enhanced libraries to automate key scope validation.


The bottom line

The security failures in Microsft show the continued need for diligence in online environments, especially when sensitive information is at stake. Even seemingly secure environments can become vulnerable if systems fail to operate correctly. 

The situation underlines the importance of frequently checking security measures and improving them whenever possible, as hacking organizations become increasingly sophisticated in their technique and abilities. 

As many organizations switch to cloud-based operations, which is how Microsoft operates, they must be able to do so safely. 

Go deeper:


Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.