HomeWinBuzzer NewsUS Senator Calls for Investigation into Microsoft Storm-0558 Gov. Email Hack

US Senator Calls for Investigation into Microsoft Storm-0558 Gov. Email Hack

Ron Wyden asks the agencies to examine whether Microsoft's security practices allowed the breach.


US Senator Ron Wyden has requested that the Department of Justice (DOJ), the Federal Trade Commission (FTC), and the and Infrastructure Security Agency (CISA) investigate the recent hack of Microsoft email accounts. This request comes in the wake of a significant cyberattack that has raised serious concerns about the security of Microsoft's cloud services. The senator's call for action is a response to a hacking campaign that targeted organizations, including government agencies, that were customers.

Ron Wyden Questions Microsofts Role

In a detailed letter, Wyden asked the agencies to examine whether Microsoft's security practices allowed the breach ahead of a diplomatic trip to last month by officials including Commerce Secretary Gina Raimondo, Ambassador to China Nicholas Burns, and Assistant Secretary of State Daniel Kritenbrink. The senator stated, “Government emails were stolen because Microsoft committed another error.” He urged CISA to have its Cyber Safety Review Board investigate Microsoft's role, including how the company's practices went undetected during required audits.

In his letter, Wyden further elaborated on the incident, stating that the email accounts compromised include those of the Secretary of Commerce, the U.S. Ambassador to China, and the Assistant Secretary of State for East Asia. Rob Joyce, the director of cybersecurity at the National Security Agency, has publicly described this hacking campaign as “China doing espionage.”

The senator also highlighted the role of Microsoft's identity service, Microsoft Account (MSA), in the incident. MSA validates that a user is who they claim to be – for example, by verifying the password for a @hotmail.com account – and issues “authentication tokens” that confirm that a user has been validated. Consumer-facing Microsoft products, such as Outlook, verify that a token is valid by checking that a token is digitally signed using an MSA encryption key.

Wyden's letter comes as a response to the disclosure by Microsoft Security of a massive cyberattack by a Chinese group named Storm-0558. The group hacked into the email accounts of dozens of U.S. government agencies and other organizations, exploiting a flaw in Microsoft's email security service. The senator's letter also highlighted that the hack occurred because had stolen an encryption key that Microsoft had generated for its identity service, Microsoft Account (MSA).

Microsoft's Response and the Hackers' Identity

In a detailed response to the hack Microsoft Security has exposed the cyberattack, stating that the hackers exploited a flaw in its email security service to access the email accounts of about 25 organizations, including government agencies, think tanks, law firms, and NGOs. The hackers also targeted the personal accounts of some individuals associated with these organizations.

There are concerns that the stolen encryption keys may have allowed further access to federal systems. Wyden criticized Microsoft's handling of the hack, saying it failed to take responsibility for previous incidents like the 2020 SolarWinds campaign attributed to Russia. He also asked the DOJ to investigate if Microsoft violated federal law through negligent practices.

Behind the Storm-0558 attack was a compromised Microsoft key, dubbed Storm-0558, which was used to authenticate countless accounts without the need for a password or any other form of user verification. This key is part of Microsoft's SAML (Security Assertion Markup Language) system, which is used to exchange authentication and authorization data between parties. In this case, the key was being used to generate SAML tokens that were then used to authenticate Microsoft 365 accounts.

The compromised key was not just used to access individual accounts but also to gain access to entire organizations' Microsoft 365 systems. This means that the attackers could have potentially had access to a vast amount of sensitive data, including emails, documents, and other data stored in these systems.

In response to the discovery, Microsoft has revoked the compromised key and is working to strengthen its security measures. However, the damage has already been done, and it is unclear how many accounts were accessed using the compromised key. Microsoft has taken several steps to address the issue, including identifying the root cause, establishing durable tracking of the campaign, disrupting malicious activities, hardening the environment, notifying every impacted customer, and coordinating with multiple government entities.

The Future of Cybersecurity

The Storm-0558 incident is a stark reminder of the importance of robust security measures. Even the most secure systems can be compromised, and organizations must be proactive in their security measures to protect their data and their customers. In the wake of this incident, cybersecurity experts from Wiz have recommended that organizations review their security measures and ensure that they are up to date. This includes regularly updating passwords, using multi-factor authentication, and regularly monitoring for any suspicious activity. The Storm-0558 incident is a wake-up call for the cybersecurity world. It shows that even the most secure systems can be compromised and that constant vigilance is necessary to protect against these threats.


Markus Kasanmascheff
Markus Kasanmascheff
Markus is the founder of WinBuzzer and has been playing with Windows and technology for more than 25 years. He is holding a Master´s degree in International Economics and previously worked as Lead Windows Expert for Softonic.com.

Recent News