Crash log exposed Microsoft Outlook keys to threat actor

A security key written to a “crash dump” and then accessed by a compromised engineer account was the root cause of a Microsoft security exposure earlier this year.

In a detailed incident post-mortem, Microsoft said the errors resulted in Chinese threat actor Storm-0558 obtaining an MSA consumer key, allowing it to forge tokens for Outlook.com and Outlook Web Access (OWA).

With access to the Microsoft account consumer signing key, Storm-0558 was able to create consumer keys signed with a token that could also be accepted by enterprise systems.

Microsoft said it has updated its libraries to prevent this in the future.

Key material is not meant to leave Microsoft’s production environment, Microsoft said.

However, “a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). 

“The crash dumps, which redact sensitive information, should not include the signing key," Microsoft wrote.

“In this case, a race condition allowed the key to be present in the crash dump," the vendor said, adding the issue "has been corrected".

Furthermore, Microsoft’s systems didn’t detect the presence of the key material in the crash dump, an issue which the company said has also been fixed.

The crash dump “was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network."

“This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected),” the post-mortem states.

Microsoft hasn’t been able to determine exactly how the Storm-0558 actor gained access to the key, but believes it was via a compromised Microsoft engineer’s corporate account, which had access to the debugging environment containing the crash dump.

The company also said it has resolved how the race condition allowed the signing key to be part of the crash dump.