#nation-state #microsoft #identity

Microsoft Storm-0558

A Chinese group used a stolen Microsoft signing key to forge tokens for any tenant in the world. Then they read State Department email.

Cyber Chronicle

In July 2023, Microsoft disclosed that a Chinese intelligence actor it tracked as Storm-0558 had obtained a private cryptographic key used to sign tokens for the company's consumer identity service. Through a separate validation flaw, the actor was able to use that consumer key to mint forged access tokens for enterprise Microsoft 365 environments — for any tenant, without ever touching the customer's network.

The State Department email

The forged tokens were used to access the email accounts of roughly two dozen organizations, including the US Department of State and the office of Commerce Secretary Gina Raimondo, then in the middle of a diplomatic visit to Beijing. The State Department itself detected the activity through custom log analysis it had paid Microsoft extra for; without it, Microsoft's own default logging would not have flagged the access.

A long debate about what happened

Microsoft's initial post-mortem attributed the key compromise to a chain of failures: a crash dump that should not have contained the key, a debug environment that should not have ingested the dump, and a validation step that should not have accepted a consumer-signed token in an enterprise context. The US Cyber Safety Review Board's subsequent report was sharper, characterizing that chain as a "cascade of avoidable errors" and the intrusion as preventable.
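The validation failure described above, as an added illustration that is not Microsoft's code: a token validator that trusts any key in a shared key cache, beside one that binds each signing key to the single issuer it is allowed to sign for. The key IDs, issuer URLs and claims are constructed for the example, and HMAC stands in for the real asymmetric signing keys so the block runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json

# Constructed key cache. In the real incident the consumer (MSA) key and the
# enterprise (Azure AD) keys were distinct; the flaw was that enterprise
# validation accepted a token signed by the consumer key.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret", "issuer": "https://consumer.example/login"},
    "enterprise-key-1": {"secret": b"enterprise-secret", "issuer": "https://enterprise.example/contoso"},
}
ENTERPRISE_ISSUER = "https://enterprise.example/contoso"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWS-style token (header.payload.signature) with the named key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _verify_signature(token: str):
    """Return (key_record, claims) if the signature checks out, else (None, None)."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64(header_b64))
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None, None
    expected = hmac.new(key["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None, None
    return key, json.loads(_unb64(body_b64))

def validate_weak(token: str, expected_issuer: str) -> bool:
    """Flawed: any key in the shared cache is trusted for any issuer claim."""
    key, claims = _verify_signature(token)
    return key is not None and claims.get("iss") == expected_issuer

def validate_hardened(token: str, expected_issuer: str) -> bool:
    """Fixed: the key that signed the token must itself be scoped to that issuer."""
    key, claims = _verify_signature(token)
    if key is None or claims.get("iss") != expected_issuer:
        return False
    return key["issuer"] == expected_issuer

# Constructed tokens: one signed by the consumer key but claiming the enterprise issuer,
# one signed by the correct enterprise key.
FORGED = sign_token("consumer-key-1", {"iss": ENTERPRISE_ISSUER, "sub": "user@contoso.example"})
LEGIT = sign_token("enterprise-key-1", {"iss": ENTERPRISE_ISSUER, "sub": "user@contoso.example"})
```

The weak validator accepts FORGED because its only question is "is this key in my cache"; the hardened one rejects it because the consumer key is not scoped to the enterprise issuer.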

What the chronicle remembers

Storm-0558 made cloud-identity infrastructure a topic of national debate. It also drove durable changes — free higher-tier logging for all Microsoft 365 customers, deeper review of key-management practices, and a public Secure Future Initiative aimed at structurally addressing the class of failure the CSRB had described.