by donmcronald
1079 days ago
> They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key. How does that work? Is the key part of some kind of complex auth flow where it's only allowed to sign tokens that have Exchange access? A compromised key that can sign authentication tokens seems like a pretty big deal.
|
How can you forge a token? Did they use quantum machinery to retrieve a JWT Private Key? Did they factor RSA keys?
But no, they used a bug/weakness to exchange a token.
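An added illustration of the key-scoping point the quoted question raises (not code from this thread or from Microsoft; all keys, issuer URLs, audiences and claims are constructed): a verifier that only checks the signature against any key it trusts will accept a token signed with a key that was only ever meant for a different issuer, while a verifier that also ties the `kid` to the issuer it belongs to and checks `iss`/`aud` rejects it.

```python
import base64
import hashlib
import hmac
import json

# Constructed HS256 keys, one per identity provider (not real signing keys).
KEYS = {
    "consumer-kid-1": b"consumer-secret-constructed",
    "enterprise-kid-1": b"enterprise-secret-constructed",
}
# Which issuer each key is permitted to sign for (the scoping the question asks about).
KEY_ISSUER = {
    "consumer-kid-1": "https://consumer.example/",
    "enterprise-kid-1": "https://enterprise.example/",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(kid: str, claims: dict) -> str:
    """Sign a JWT with the named key (constructed helper, not an IdP API)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_signature_only(token: str) -> bool:
    """Naive verifier: any token signed by any trusted key is accepted."""
    head, body, sig = token.split(".")
    header = json.loads(_b64url_decode(head))
    kid = header.get("kid")
    if header.get("alg") != "HS256" or kid not in KEYS:
        return False
    expected = hmac.new(KEYS[kid], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))

def verify_scoped(token: str, expected_iss: str, expected_aud: str) -> bool:
    """Scoped verifier: valid signature AND the key belongs to the issuer the
    token claims AND issuer/audience are the ones this service expects."""
    if not verify_signature_only(token):
        return False
    head, body, _ = token.split(".")
    kid = json.loads(_b64url_decode(head))["kid"]
    claims = json.loads(_b64url_decode(body))
    return (claims.get("iss") == expected_iss
            and claims.get("aud") == expected_aud
            and KEY_ISSUER.get(kid) == claims.get("iss"))
```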