
Incident

Microsoft Storm-0558: A Single Signing Key Across 25 Organisations

Microsoft Threat Intelligence · Jul 2023

A China-based actor used a stolen Microsoft account (MSA) consumer signing key to forge authentication tokens for Outlook Web Access in Exchange Online and Outlook.com, then exploited a token-validation gap that let consumer-signed tokens reach enterprise tenants. Approximately 25 organisations were affected, including US government agencies.

Key Finding

When the signing key that anchors the trust is compromised, every downstream identity decision is suspect. That is why custody of machine-identity keys is not an IT housekeeping task: it is the most consequential identity control most organisations never audit.

In June 2023, an actor Microsoft tracks as Storm-0558 was observed accessing Outlook Web Access and Outlook.com mailboxes belonging to approximately 25 organisations, including US government entities. The intrusion was traced to a stolen Microsoft account (MSA) consumer signing key, which the actor used to forge authentication tokens for Outlook Web Access.

What made the impact disproportionate was not the original token forgery, which should have been limited to consumer accounts. It was a validation gap in the token-handling library used by Microsoft's enterprise mail stack: the library verified a token's signature against the published key set but did not check that the signing key was scoped to the enterprise issuer, so tokens signed with a key intended only for the consumer identity plane were accepted by enterprise email infrastructure.
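The following is an added example, not code from the original page or from Microsoft, that shows the validation gap described above in miniature. It assumes a constructed key set in which a consumer key and an enterprise key are published together, uses HS256 (HMAC) as a stand-in for the RSA signing keys of the real incident, and uses made-up issuer URLs and subjects. The vulnerable validator checks the signature and even the `iss` claim, but `iss` is attacker-controlled; the hardened validator additionally requires that the key itself be scoped to the expected issuer, which is the check that was missing.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions: stand-in issuer identifiers for the two identity planes.
CONSUMER_ISSUER = "https://consumer.example"
ENTERPRISE_ISSUER = "https://enterprise.example/contoso"

# Constructed key set: both planes publish through one metadata endpoint, and each
# key records the issuer it is scoped to. HMAC secrets stand in for RSA key pairs.
KEYSET = {
    "kid-consumer": {"secret": b"consumer-plane-secret-0000000000", "issuer": CONSUMER_ISSUER},
    "kid-enterprise": {"secret": b"enterprise-plane-secret-00000000", "issuer": ENTERPRISE_ISSUER},
}


class TokenRejected(Exception):
    pass


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWT (header.payload.signature) with the key identified by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(KEYSET[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    try:
        h, p, s = token.split(".")
        return json.loads(_unb64url(h)), json.loads(_unb64url(p)), (h + "." + p).encode(), _unb64url(s)
    except (ValueError, json.JSONDecodeError):
        raise TokenRejected("malformed token")


def _verify_signature(header: dict, signing_input: bytes, sig: bytes) -> dict:
    """Look the key up by kid and check the HMAC; returns the key-set entry."""
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    key = KEYSET.get(header.get("kid"))
    if key is None:
        raise TokenRejected("unknown kid")
    expected = hmac.new(key["secret"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenRejected("bad signature")
    return key


def _check_claims(claims: dict, expected_issuer: str) -> None:
    if claims.get("iss") != expected_issuer:
        raise TokenRejected("issuer claim mismatch")
    if claims.get("exp", 0) < time.time():
        raise TokenRejected("expired")


def validate_unscoped(token: str, expected_issuer: str) -> dict:
    """Vulnerable: any key in the merged key set may sign for any issuer."""
    header, claims, signing_input, sig = _parse(token)
    _verify_signature(header, signing_input, sig)
    _check_claims(claims, expected_issuer)
    return claims


def validate_scoped(token: str, expected_issuer: str) -> dict:
    """Hardened: the signing key must be scoped to the expected issuer."""
    header, claims, signing_input, sig = _parse(token)
    key = _verify_signature(header, signing_input, sig)
    if key["issuer"] != expected_issuer:
        raise TokenRejected("key %s is scoped to %s, not %s" % (header["kid"], key["issuer"], expected_issuer))
    _check_claims(claims, expected_issuer)
    return claims


def forge_enterprise_token() -> str:
    """What a holder of the consumer key can mint: enterprise claims, consumer signature."""
    return sign_token("kid-consumer", {
        "iss": ENTERPRISE_ISSUER,
        "sub": "victim@contoso.example",  # constructed
        "aud": "exchange-online",
        "exp": int(time.time()) + 3600,
    })


def outcome(validator, token: str, expected_issuer: str) -> str:
    try:
        validator(token, expected_issuer)
        return "accepted"
    except TokenRejected as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    forged = forge_enterprise_token()
    print("unscoped validator:", outcome(validate_unscoped, forged, ENTERPRISE_ISSUER))
    print("scoped validator:  ", outcome(validate_scoped, forged, ENTERPRISE_ISSUER))
```

The difference between the two validators is one comparison, which is why a gap like this survives review: both verify the signature correctly, and both reject a token whose `iss` claim is wrong. Only the scoped validator binds the key to the issuer, so a stolen consumer key cannot vouch for enterprise identities.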

The Cyber Safety Review Board's 2024 report on the incident concluded that the breach was preventable and pointed to systemic issues in Microsoft's signing-key custody, rotation cadence, and identity-token validation. From an identity-architecture standpoint, three takeaways:

Machine-identity key custody belongs in the identity-architecture risk register, not in an unnamed infrastructure team's checklist. The blast radius of a compromised root or intermediate signing key is the entire trust domain that key signs.

Cross-plane token validation, consumer against enterprise, has to be tested adversarially: sign a token with a key from the wrong plane and confirm it is rejected. A missing scope check in a shared token library silently widens the trust boundary for as long as that library stays in service.

Logging that captures token issuance, validation, and consumption — across both consumer and enterprise planes — is the only forensic basis for understanding the blast radius after a compromise.
