In July of 2023, an internal Microsoft security signing key was stolen and used to break into US government email accounts. It's now September of 2023, and Microsoft shared their report on how they did it. We're going to talk about what happened and how a series of small events led to this pretty big catastrophe here. Let's dive into it. Now before we dive into the Microsoft write-up on this, I want to talk about Wiz Security just for a moment. No affiliation with them. I just want to give them a shout out for having a great blog post. They have a lot of great blog posts covering Microsoft cloud security because Wiz happens to be a group of people who are former Microsoft employees, which means they kind of know where the bodies are buried and really understand the impact and scope in good detail. And they take that technical prowess and do these nice write-ups. And this write-up is specifically about this key and just how impactful this can be. What is a compromised consumer signing key, and what does all that mean? So I think this is great. If you want this deep technical dive, I'll leave this link down below if you want to read into this. And I've seen some people previously posting that it was a little overblown, but based on what we've seen here with Microsoft, when we go through the write-up, you'll see that, yeah, this is kind of scary that a consumer signing key was able to leverage government email accounts. And Microsoft says, yeah, there's a few flaws in the system. And you know, Wiz kind of breaks down some of that scariness here.

Let's dive into the details now with Microsoft. Now this starts with a summary that on July 11 of 2023, Microsoft published a blog post which details how the China-based threat actor Storm-0558 used an acquired Microsoft consumer signing key to forge tokens and access Outlook Web Access and Outlook.com. Now let's go down here and talk about where the series of unfortunate security incidents led to this larger breach.
Our investigation found that a consumer signing key system crash in April 2021 resulted in a snapshot of the crashed process, a crash dump. Crash dumps in the cloud are just like the crash dumps on your computer. And they may contain sensitive information, especially when there's a race condition that doesn't redact them; they're supposed to auto-redact certain things such as signing keys or special information out of this. Now what you're going to see peppered throughout this is "this issue has been corrected." And then the key material's presence in the crash dump was not detected by our systems. And that issue has been corrected as well. This is stated five times because there's five separate little things that occurred. So a crash dump occurs that has a signing key in it. And because they didn't notice the signing key, they take it out of their production environment and copy it over to the debugging environment. Now the production environment is not easily accessed. That's very locked down, as it should be. But the debugging environment is attached to their corporate network. But once again, they do another scan and it doesn't detect the presence of this, and it's copied over to the debugging network. Then from there, a compromise of a Microsoft engineer's corporate account occurs. This is interesting because somehow someone compromised this engineer's account, but then knew what to look for. That is a really interesting side of this: they started looking around at what they could use this account for. And they start going through crash dumps and find a signing key. Now one of the things that's really important is the next thing that happened is why a consumer signing key was able to access enterprise email, not just enterprise email, government email. You would think the consumer signing keys wouldn't be the same as the government signing keys, and they aren't. That's good news. But there's a flaw that Microsoft had in their system. Once again, we're going to see one of those.
This issue has been corrected. This particular key, because of some misunderstanding of the Microsoft documentation by the Microsoft engineers, led to developers in the mail system incorrectly assuming the libraries performed complete validation, and they did not add the required scope validation for the different contexts of the different key types. So this is really interesting because now you have an entire breakdown of one signing key that is actually able to access more than it should have been scoped for, because essentially of a misreading of documentation. Now Microsoft has some post-incident review items: identify and resolve race conditions that allowed the signing key to be present; enhanced prevention, detection and response for key material erroneously in crash dumps; added credential scanning to better detect the presence of signing keys in the debugging environment; released enhanced libraries to automate key scope validation in authentication libraries; and clarified related documentation. Now while I greatly appreciate Microsoft's transparency on this, this leaves us all very concerned, and the problem is we can't easily move away from Microsoft. Microsoft is highly intertwined and leveraged all over these different government clouds and many of my customers. I really wish I could sell them a better solution. I wish I could tell them I was confident that Microsoft fixed these and each of these problems is gone and this won't happen again. But I imagine there's going to be another write-up, and making a lot of noise at least seems to move the bar a little bit, and Microsoft goes, well, we don't like that noise, so we'll get a little bit better. They're not really going to get better until there's a competitor for them, because why would they? I've covered this many times before when I talked about PrintNightmare or when I've talked about the Hafnium Exchange problem.
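To make the scope-validation gap concrete, here is an added illustration that is not from the video, from Microsoft, or from Wiz. It uses a toy HMAC-SHA256 token format with a constructed key registry where each key is labelled with the realm it may sign for (consumer or enterprise). The first validator only checks that the signature verifies under the key named in the header, which is the incomplete behaviour the write-up describes; the second also checks that the key is authorised for the realm the service protects. Key ids, secrets and claims are all constructed for the example.

```python
"""Why token validation must check key scope, not just signature validity.
HMAC-SHA256 stands in for the real signing scheme; keys and claims are constructed."""
import base64
import hashlib
import hmac
import json

# Constructed key registry: each key id maps to its secret and the realm it may sign for.
KEYS = {
    "consumer-key-1": {"secret": b"constructed-consumer-secret", "realm": "consumer"},
    "enterprise-key-1": {"secret": b"constructed-enterprise-secret", "realm": "enterprise"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Issue a compact header.claims.signature token signed with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature_only(token: str):
    """Incomplete validation: returns (kid, claims) when the signature verifies under the
    key named in the header, without asking what that key is permitted to sign for."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        key = KEYS[header["kid"]]
        signature = _b64url_decode(sig_b64)
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key["secret"], f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return header["kid"], json.loads(_b64url_decode(claims_b64))


def verify_for_realm(token: str, expected_realm: str):
    """Complete validation: the signature must verify, the signing key must be one
    authorised for the realm this service protects, and the claims must target that realm."""
    result = verify_signature_only(token)
    if result is None:
        return None
    kid, claims = result
    if KEYS[kid]["realm"] != expected_realm:
        return None  # cryptographically valid, but signed by a key out of scope for this realm
    if claims.get("realm") != expected_realm:
        return None  # token was issued for a different realm
    return claims


if __name__ == "__main__":
    legit = mint_token("enterprise-key-1", {"sub": "alice@example.gov", "realm": "enterprise"})
    cross_realm = mint_token("consumer-key-1", {"sub": "alice@example.gov", "realm": "enterprise"})
    print("legit, scoped:", verify_for_realm(legit, "enterprise"))
    print("cross-realm, signature-only accepts:", verify_signature_only(cross_realm) is not None)
    print("cross-realm, scoped accepts:", verify_for_realm(cross_realm, "enterprise") is not None)
```

The enterprise mail service should only ever call `verify_for_realm(token, "enterprise")`; the point of the example is that a library which exposes something like `verify_signature_only` and leaves scope checks to the caller is exactly the situation where a misread of the documentation becomes an authorization bypass.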
Both of those are easy examples of: you're not going to switch all of your clients away from Windows. So we're going to just deal with the problem for nine months while Microsoft fiddles around and maybe gets it fixed. And the Exchange one they were pre-notified on, and well, they eventually fixed it. It just took them a while to patch it properly, and their own instructions were fairly poor. But why would they need to be great? What are you going to do? Move away from Exchange to their cloud system? So Microsoft kind of knows they have you over a barrel, but this is why I preach about this. This is why I try to push people to think about other solutions. It's going to take the entire community, not just me ranting about it or many others like me ranting about it. It's going to take some more community engagement to slowly try to figure out ways we can deal with Microsoft and try to make them better. There's already a really good write-up, and I will leave a link to it, from the Tenable CEO that's actually causing some government action and some more oversight that Microsoft's being pressured into, and it's because more of us are raising awareness that you can't just behave badly, Microsoft. At some point you need to do these things right. Nonetheless, love hearing from all of you. Leave your thoughts on Microsoft, whether you love or hate them, or if you're one of those people that tell me, "Tom, quit yelling at Microsoft, quit being mean to them." I don't really understand the Microsoft defenders, but hey, I'm always willing to listen to your perspective. Maybe I'm wrong about that. Either way, let me know down in the comments below. If you want to see more content like this, like and subscribe. It is greatly appreciated, and if you want to contact me, head over to the forums at forums.learnsystems.com or just head to learnsystems.com and connect with me on whatever socials I'm available on when you're watching this video. All right, and thanks.