Microsoft Storm-0558 signing-key theft and US government email access (2023)
China-based Storm-0558 forged authentication tokens using a stolen Microsoft consumer signing key and read email at approximately 25 organisations — including the US State Department, the Department of Commerce, and the U.S. Ambassador to China. The 'cascade of errors' that enabled it became a defining case for cloud-provider key custody.
- Victim
- Microsoft customers (US State Department, Department of Commerce, ~25 organisations)