> They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.

How does that work? Is the key part of some kind of complex auth flow where it's only allowed to sign tokens that have Exchange access?

A compromised key that can sign authentication tokens seems like a pretty big deal.

It would be pretty interesting if they shared some more detail on this indeed. I was wondering the same when I read “forged” elsewhere.

How can you forge a token? Did they use quantum machinery to retrieve a JWT Private Key? Did they factor RSA keys?

But no, they used a bug/weakness to exchange a token.

Actual title of linked article: "Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email"