> Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident – including the actor-acquired MSA signing key – have been invalidated. Azure AD keys were not impacted. The method by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.
So the attackers found a valid private key for MSA (undetermined how; the theory was that it was scraped from a debug dump that was moved from high-privilege prod to someone's low-privilege shared drive). They then used that key to sign invalid tokens for AAD, and the validating side incorrectly accepted those tokens. In this case, the validating side would be Exchange / OWA. Azure AD seems not to be implicated in the security issues, since it was MSA that leaked the key and OWA that failed to properly validate it.
That's my interpretation of the text anyway. It also aligns with my own understanding from a brief time at MS that Azure is much better at security than the rest of MS and that Exchange is a dumpster fire because of decades of cruft and evolution of systems.
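The validation failure the quoted statement and the comment above describe, shown as an added example that is not part of the original post and is not Microsoft's code: a toy Go token validator that looks signing keys up by `kid` in one merged key set (consumer and enterprise keys together) next to one that first selects the key set belonging to the token's claimed issuer. The issuer URLs, key ids and claims are made up, and an ES256 signature over the token's JSON stands in for real JWT base64url framing, so the program runs on the standard library alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Hypothetical issuer identifiers standing in for the MSA consumer and AAD enterprise realms.
const (
	MSAIssuer = "https://consumer.login.example/"
	AADIssuer = "https://enterprise.login.example/contoso/"
)

// Token is a simplified signed token: header kid, claims, and an ES256 signature over the JSON of both.
type Token struct {
	Kid string `json:"kid"`
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Sig []byte `json:"sig,omitempty"`
}

// KeySet maps kid to verification key, like one issuer's published JWKS document.
type KeySet map[string]*ecdsa.PublicKey

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// digest hashes everything in the token except the signature itself.
func digest(t Token) []byte {
	t.Sig = nil
	sum := sha256.Sum256(must(json.Marshal(t)))
	return sum[:]
}

// mint signs the token with key and records kid so a validator can find the public half.
func mint(kid string, key *ecdsa.PrivateKey, iss, sub string) Token {
	t := Token{Kid: kid, Iss: iss, Sub: sub}
	t.Sig = must(ecdsa.SignASN1(rand.Reader, key, digest(t)))
	return t
}

// VulnerableValidate looks the kid up in one merged set holding consumer and enterprise keys
// together, so any published key validates a token for any issuer. This models the class of
// flaw the quoted statement describes; it is not Microsoft's code.
func VulnerableValidate(t Token, merged KeySet) error {
	pub, ok := merged[t.Kid]
	if !ok || !ecdsa.VerifyASN1(pub, digest(t), t.Sig) {
		return fmt.Errorf("signature check failed")
	}
	return nil
}

// HardenedValidate picks the key set from the claimed issuer first and requires the kid to
// exist there, so a consumer key can never validate an enterprise token. The unverified iss
// claim only chooses the set; the signature check that follows binds it.
func HardenedValidate(t Token, byIssuer map[string]KeySet) error {
	set, ok := byIssuer[t.Iss]
	if !ok {
		return fmt.Errorf("untrusted issuer %q", t.Iss)
	}
	pub, ok := set[t.Kid]
	if !ok {
		return fmt.Errorf("kid %q is not a key of issuer %q", t.Kid, t.Iss)
	}
	if !ecdsa.VerifyASN1(pub, digest(t), t.Sig) {
		return fmt.Errorf("signature check failed")
	}
	return nil
}

// Demo signs an enterprise-issuer token with the consumer key and runs both validators. It reports
// whether the vulnerable one accepted the forgery, whether the hardened one rejected it, and whether
// the hardened one still accepts a genuinely issued enterprise token.
func Demo() (vulnAccepted, hardRejected, hardAcceptsLegit bool) {
	msa := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	aad := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	byIssuer := map[string]KeySet{
		MSAIssuer: {"msa-key-1": &msa.PublicKey},
		AADIssuer: {"aad-key-1": &aad.PublicKey},
	}
	merged := KeySet{"msa-key-1": &msa.PublicKey, "aad-key-1": &aad.PublicKey}
	// Constructed sample: the attacker holds the consumer private key but writes the enterprise issuer.
	forged := mint("msa-key-1", msa, AADIssuer, "user@contoso.example")
	legit := mint("aad-key-1", aad, AADIssuer, "user@contoso.example")
	return VulnerableValidate(forged, merged) == nil,
		HardenedValidate(forged, byIssuer) != nil,
		HardenedValidate(legit, byIssuer) == nil
}

func main() {
	fmt.Println(Demo()) // prints: true true true
}
```

The forged token carries a perfectly valid signature; what is wrong is the relationship between the key that made it and the issuer the token names. A validator that answers "is this kid in my cache and does the signature verify?" cannot see that, which is why the hardened version asks "does the issuer this token claims publish this kid?" before it ever verifies anything.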