A Rube Goldberg chain of failures led to breach of Microsoft-hosted government emails

Posted by
Check your BMI
Illustration of the Microsoft wordmark on a green background
Illustration: The Verge
toonsbymoonlight

In the first half of July, Microsoft disclosed that the Chinese hacking group Storm-0558 had gained access to emails from around 25 organizations, including agencies in the US government. Today, the company is explaining how that happened thanks to a series of internal errors while sharply underscoring just how serious a responsibility it is to maintain massive, growing software infrastructure in an increasingly digitally insecure world.

According to Microsoft’s investigation summary, Storm-0558 was able to gain access to corporate and government emails by obtaining a “Microsoft account consumer key,” which let them create access tokens to their targets’ accounts.

Storm-0558 obtained the key after a Rube Goldberg machine-style series of…

Continue reading…