Microsoft has published technical details on a recently disclosed cyber-espionage campaign by a China-based threat actor it tracks as Storm-0558, in which the group breached an unspecified number of email accounts at roughly 25 organizations, including government agencies in Western Europe and the US, as well as related individual consumer accounts.
The threat actor used forged authentication tokens to access the affected mailboxes through Outlook Web Access (OWA) in Exchange Online and through Outlook.com. The activity ran from May 15, 2023, until June 16, when Microsoft began its investigation following a customer report.
Microsoft says it found some overlaps with other China-linked groups such as Violet Typhoon (Zirconium, APT31), but Storm-0558 appears to operate as a separate group. It has previously targeted primarily US and European diplomatic, economic, and legislative governing bodies, as well as individuals connected to Taiwan and Uyghur geopolitical interests.
The actor's objective is typically unauthorized access to email accounts belonging to employees of the targeted organizations.
“Storm-0558 pursues this objective through credential harvesting, phishing campaigns, and OAuth token attacks. This threat actor has displayed an interest in OAuth applications, token theft, and token replay against Microsoft accounts since at least August 2021,” the tech giant said. “Storm-0558 operates with a high degree of technical tradecraft and operational security. The actors are keenly aware of the target’s environment, logging policies, authentication requirements, policies, and procedures. Storm-0558’s tooling and reconnaissance activity suggests the actor is technically adept, well-resourced, and has an in-depth understanding of many authentication techniques and applications.”
As for the recent campaign, Microsoft has acknowledged that it still does not know how the threat actor obtained an inactive Microsoft account (MSA) consumer signing key, which the group used to forge the tokens that gave it access to Exchange Online and Azure AD accounts.
“The method by which the actor acquired the key is a matter of ongoing investigation,” Microsoft noted, adding that all MSA keys active prior to the incident, including the actor-acquired MSA signing key, have been invalidated. Azure AD keys were not impacted.
“No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key. Further, we have seen Storm-0558 transition to other techniques, which indicates that the actor is not able to utilize or access any signing keys. We continue to explore other ways the key may have been acquired and add additional defense in depth measures,” Microsoft said.
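The report above describes two controls in play: tokens were forged with a signing key the actor should never have held, and the remediation was to invalidate every MSA key that was active at the time. The Python below is an added illustration, not code from Microsoft or from this report, and it is not a reconstruction of the actual validation path in Microsoft's services. It uses HMAC-SHA256 in place of the RSA signatures that real MSA and Azure AD tokens carry so that it runs with only the standard library; the key IDs, issuers, audience, subject and secrets are made up. It shows why a token validator should bind each signing key to the issuer that key is allowed to sign for, rather than accepting any signature that verifies under some trusted key, and why revoking a key ID must reject every token that still references it.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust store: each key ID is bound to the issuer it may sign for.
# Real tokens use RSA keys published through JWKS; HMAC is used here so the
# example is self-contained. The validation logic does not depend on that choice.
TRUSTED_KEYS = {
    "msa-consumer-key-1": {
        "secret": b"consumer-secret-0001",          # assumed value
        "issuer": "https://login.live.com",          # consumer (MSA) issuer
    },
    "aad-enterprise-key-1": {
        "secret": b"enterprise-secret-0001",         # assumed value
        "issuer": "https://login.microsoftonline.com/contoso",  # assumed tenant
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, secret: bytes, claims: dict) -> str:
    """Mint a compact JWS (header.payload.signature). This is what an actor
    holding a leaked key can do: pick any claims and sign them."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, expected_issuer: str, expected_audience: str, now: int,
                   revoked=frozenset(), bind_key_to_issuer: bool = True):
    """Return (accepted, reason). With bind_key_to_issuer=False the validator
    accepts any trusted key for any issuer, which is the weak behaviour."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    kid = header.get("kid")
    if kid in revoked:                       # invalidated keys fail closed
        return False, "revoked key"
    key = TRUSTED_KEYS.get(kid)
    if key is None:
        return False, "unknown key"
    expected_sig = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"
    if bind_key_to_issuer and key["issuer"] != claims.get("iss"):
        return False, "key not authorized for issuer"
    if claims.get("iss") != expected_issuer:
        return False, "wrong issuer"
    if claims.get("aud") != expected_audience:
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    return True, "ok"


def run_scenario() -> dict:
    """Forge an enterprise token with the leaked consumer key and check it
    against the weak validator, the hardened validator, and after revocation."""
    now = 1_700_000_000                                   # constructed clock
    enterprise_iss = TRUSTED_KEYS["aad-enterprise-key-1"]["issuer"]
    aud = "https://outlook.office.com"                    # assumed audience
    claims = {"iss": enterprise_iss, "aud": aud, "sub": "victim@contoso.example", "exp": now + 3600}

    legit = sign_token("aad-enterprise-key-1", TRUSTED_KEYS["aad-enterprise-key-1"]["secret"], claims)
    forged = sign_token("msa-consumer-key-1", TRUSTED_KEYS["msa-consumer-key-1"]["secret"], claims)

    return {
        "legit": validate_token(legit, enterprise_iss, aud, now),
        "forged_weak": validate_token(forged, enterprise_iss, aud, now, bind_key_to_issuer=False),
        "forged_hardened": validate_token(forged, enterprise_iss, aud, now),
        "forged_after_revoke": validate_token(forged, enterprise_iss, aud, now,
                                              revoked={"msa-consumer-key-1"}, bind_key_to_issuer=False),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The weak validator accepts the forged token because its signature really does verify under a key in the trust store; the only thing wrong with it is which key signed it. Binding the key to its issuer catches that, and revocation catches it even for a validator that was never hardened, which is the point of Microsoft invalidating all of the MSA keys rather than relying on consumers to reject the one that leaked.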