Chinese APT Cracks Microsoft Outlook Emails at 25 Government Agencies

Published: 23/11/2024   Category: security




Foreign state-sponsored actors likely had access to privileged state emails for weeks, thanks to a token validation vulnerability.



This spring, a Chinese threat actor had access to email accounts across 25 government agencies in Western Europe and the US, including the State Department.
On July 11, Microsoft reported having quelled a cyberespionage campaign carried out by the group it tracks as Storm-0558. Storm-0558 is based in China and appears focused on espionage, primarily against Western government organizations.
Anonymous sources told CNN that the campaign affected the US State Department, as well as an entity on Capitol Hill (though whether the attackers were successful against the latter is less clear). The hackers homed in on just a handful of officials' email accounts at each agency, CNN reported. It's unclear what kind of sensitive information the adversaries were able to access.
According to Microsoft's profile of Storm-0558, the group is also known for two custom malware families: Bling, and Cigril, a Trojan that encrypts files and runs them directly from system memory in order to evade detection.
In this instance, the group was able to forge authentication tokens to masquerade as authorized Azure Active Directory (AD) users, obtaining access to enterprise email accounts and the potentially sensitive information contained within.
"Chinese cyber espionage has come a long way from the smash-and-grab tactics many of us are familiar with," said John Hultquist, Mandiant chief analyst with Google Cloud, in a written statement sent to Dark Reading. "They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect. They were brash before, but now they are clearly focused on stealth."
Microsoft was first tipped off to anomalous mail activity on June 16. After some investigation, it became clear that a wider cyberespionage campaign was underway, and that it dated back at least a month, to May 15.
Storm-0558's espionage was enabled by a stolen Microsoft account (MSA) consumer signing key, combined with a token validation issue: tokens signed with that consumer key were accepted for enterprise identities, which allowed the group to forge authentication tokens impersonating legitimate Azure AD users and to access email accounts through Outlook.com and the Outlook Web Access client in Exchange Online.
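As an added illustration (not code from the article, from Microsoft, or from the attackers), the following Python models the class of validation flaw described above: a verifier that accepts any key from a combined consumer-plus-enterprise key set without checking that the key is authorized for the issuer named in the token. Everything here is a constructed assumption: the key IDs, issuer URLs, audience and victim names are made up, and tokens are HMAC-SHA256 signed so the example runs on the standard library alone (the real signing keys were RSA keys). A token signed with the consumer key but carrying enterprise claims passes the weak validator and is rejected by the hardened one.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key set for this example. Real MSA and Azure AD signing keys are
# RSA keys (RS256); HMAC-SHA256 is used here only so the example is self-contained.
# Key IDs and issuer URLs are illustrative, not Microsoft's.
KEYS = {
    "consumer-key-1": {
        "secret": b"consumer-signing-secret",
        "issuer": "https://login.live.com",            # consumer (MSA) issuer
    },
    "enterprise-key-1": {
        "secret": b"enterprise-signing-secret",
        "issuer": "https://sts.windows.net/contoso",   # enterprise (Azure AD) issuer
    },
}
MAIL_AUDIENCE = "https://outlook.office365.com"       # assumed resource audience


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str) -> str:
    """Mint a compact JWS (header.payload.signature) with the named key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def mint_token(kid: str, subject: str, issuer: str) -> str:
    """Sign mail-access claims with `kid`. With a stolen consumer kid and an
    enterprise issuer this is exactly the forgery the article describes."""
    claims = {"iss": issuer, "aud": MAIL_AUDIENCE, "sub": subject,
              "exp": int(time.time()) + 3600}
    return sign_token(claims, kid)


def _check_signature(token: str):
    """Cryptographic check only: known kid, valid signature, not expired."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(_unb64(h_b64))
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(p_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return header, claims


def weak_validate(token: str, audience: str) -> dict:
    """Flawed validator: any key in the combined key set may vouch for any issuer."""
    _, claims = _check_signature(token)
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


def strict_validate(token: str, audience: str) -> dict:
    """Hardened validator: the signing key must be the one registered for the
    issuer the token claims, so a consumer key cannot vouch for enterprise users."""
    header, claims = _check_signature(token)
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("iss") != KEYS[header["kid"]]["issuer"]:
        raise ValueError("signing key is not authorized for issuer %r" % claims.get("iss"))
    return claims


if __name__ == "__main__":
    # Attacker holds the consumer key but writes enterprise claims into the token.
    forged = mint_token("consumer-key-1", "alice@contoso.example",
                        "https://sts.windows.net/contoso")
    print("weak validator accepted:", weak_validate(forged, MAIL_AUDIENCE)["sub"])
    try:
        strict_validate(forged, MAIL_AUDIENCE)
    except ValueError as err:
        print("strict validator rejected:", err)
```

The point for anyone writing a token validator: a correct signature proves only that the holder of some key in your key set signed the token. Which issuers that key is allowed to speak for is a separate, mandatory check, and it must be bound to the `kid` actually used rather than to the claims the token makes about itself.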
Microsoft has since remediated the MSA key issue, blocking any further threat actor activity.
In all, the APT appears to have compromised 25 organizations, primarily government agencies in Western Europe and the US, as well as personal accounts of individuals related to those agencies. As Charlie Bell, executive vice president of Microsoft Security, noted in a blog post: "These well-resourced adversaries draw no distinction between trying to compromise business or personal accounts associated with targeted organizations, since it only takes one successfully compromised account login to gain persistent access, exfiltrate information and achieve espionage objectives."
Microsoft has since contacted all known victims, it said, and noted that no further action from customers is required.
This novel approach to breaking into sensitive systems belonging to privileged organizations is just the latest evidence that Chinese threat actors are upgrading their tradecraft. "The reality is that we are facing a more sophisticated adversary than ever, and we'll have to work much harder to keep up with them," Hultquist writes.
Microsoft declined a request to comment on this story.
