Storm-0558
PRC-attributed intrusion set identified by Microsoft in July 2023 after it forged authentication tokens using a stolen Microsoft MSA consumer signing key, enabling access to the Exchange Online mailboxes of approximately 25 organizations including the U.S. State Department and Commerce Department. The Cyber Safety Review Board's April 2024 report concluded Microsoft's security culture was inadequate and that the intrusion was 'preventable'. Microsoft revoked the compromised key and migrated Exchange Online token signing to more secure infrastructure. The exact method by which the adversary obtained the signing key has not been fully disclosed publicly.
Aliases
Motivations
Target sectors
Target countries
Diamond Model
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
MITRE ATT&CK techniques
Timeline
0 events
Indicators of compromise
0 indicators
Related actors
shared ATT&CK techniques
- CN · China · APT10 · 1 shared technique
- RU · Russia · APT29 · 1 shared technique
- CN · China · APT31 · 1 shared technique
- IR · Iran · APT33 · 1 shared technique
- IR · Iran · APT34 · 1 shared technique
- CN · China · APT40 · 1 shared technique
References
- Microsoft investigates Storm-0558 claims to access Outlook.com accounts · Microsoft Security Response Center · 2023-07-11
- Mitigation for China-based threat actor Storm-0558 · Microsoft · 2023-07-11
- CSRB Review of the Summer 2023 Microsoft Exchange Online Intrusion · Cyber Safety Review Board / CISA · 2024-04-02
cite this page
Threat Intel Tracker. (2026-05-19). Storm-0558 — actor profile. Retrieved from https://threatintel.local/actors/storm-0558