by planetjones 1023 days ago
None of the reports mention if two stage authentication or any other extra factor authentication that enterprise accounts would be secured with were bypassed too. Am I right to assume that because the attacker had the signing key all of the extra authentication mechanisms that would have been enabled on accounts were bypassed by the attacker (because the attacker could create a token that bypassed all the extra authentication methods)?

And I presume there has been no known dump of e-mails exfiltrated during this attack?

3 comments

Because it was a signing key that was stolen, the attackers could move straight to the post-authentication phase and forge authorization tokens.

Those email accounts could have had multiple authentication factors enabled, other conditional access policies applied (geo-location, device trust, time of day etc)… all of which were skipped over.

> Am I right to assume that because the attacker had the signing key all of the extra authentication mechanisms that would have been enabled on accounts were bypassed by the attacker...?

That's my understanding.

With the signing key they could mint the same type of token you get once you pass all of the authentication steps.
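To make the point in the reply above concrete, here is a small added example (not code from the thread or from any vendor involved): a minimal JWT issuer and relying-party verifier in the Python standard library. It shows that the verifier has no way to tell a token minted by the identity provider after password plus MFA from one minted by anyone else who holds the same key, and that retiring the key ID from the keyring (key rotation) is what actually stops such tokens. HMAC (HS256) stands in for the asymmetric key used in practice so the block runs offline; the issuer, audience, key IDs and key bytes are all constructed for illustration.

```python
"""Added example (not from the HN thread): a minimal HS256 JWT issuer and
relying-party verifier, used to show why a stolen signing key makes MFA and
conditional-access policy irrelevant to the verifier, and why retiring the
key (rotating its kid out of the keyring) is the effective fix.
All keys, kids, issuer and audience values are constructed. HMAC stands in
for the asymmetric key a real IdP would use (assumption for illustration)."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"   # constructed
AUDIENCE = "mail-api"            # constructed
FIXED_NOW = 1_700_000_000        # fixed clock so results are reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key, kid, now=None):
    """What the identity provider does *after* the user has passed every
    authentication step: it records the outcome (amr = authentication
    methods reference) and signs. Nothing here re-checks MFA; the signature
    is the only proof the relying party ever sees."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = dict(claims, iat=now, exp=now + 3600)
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, keyring, issuer=ISSUER, audience=AUDIENCE, now=None):
    """Relying-party check: the kid must be in the *current* keyring, the
    signature must match, and iss/aud/exp must be right. Returns the claims
    or None. It cannot ask whether MFA really happened; it can only trust
    what a valid signature asserts."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:  # bad structure, bad base64, bad JSON
        return None
    kid = header.get("kid")
    if header.get("alg") != "HS256" or kid not in keyring:
        return None  # unknown or retired key: reject before any signature check
    expected = hmac.new(keyring[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if payload.get("iss") != issuer or payload.get("aud") != audience:
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def retired_kid(token, retired_kids):
    """Detection hook: the kid if the token names a retired key, else None.
    Tokens under a retired kid are either stale or were minted by someone
    who still holds that key, so these rejections are worth logging."""
    try:
        header = json.loads(_b64url_decode(token.split(".")[0]))
    except ValueError:
        return None
    kid = header.get("kid")
    return kid if kid in retired_kids else None


def run_demo():
    """Same key -> indistinguishable token; retire the kid -> every token
    under that key fails, legitimate or not."""
    key = b"constructed-idp-signing-key-2023-06"   # constructed
    keyring = {"idp-key-2023-06": key}
    # Normal path: the user passed password + MFA and the IdP issued this.
    legit = issue_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                         "amr": ["pwd", "mfa"]}, key, "idp-key-2023-06", now=FIXED_NOW)
    # Holder of the same key, same routine, any subject, no user interaction.
    same_key = issue_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "bob",
                            "amr": ["pwd", "mfa"]}, key, "idp-key-2023-06", now=FIXED_NOW)
    before = {"legit": verify_token(legit, keyring, now=FIXED_NOW) is not None,
              "same_key": verify_token(same_key, keyring, now=FIXED_NOW) is not None}
    # Mitigation: rotate. The old kid is dropped from the published keyring.
    rotated = {"idp-key-2023-07": b"constructed-idp-signing-key-2023-07"}
    after = {"legit": verify_token(legit, rotated, now=FIXED_NOW) is not None,
             "same_key": verify_token(same_key, rotated, now=FIXED_NOW) is not None}
    return {"before_rotation": before, "after_rotation": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The verifier never inspects `amr` to decide anything; it only checks the signature and standard claims, which is why every policy enforced before signing is invisible to it. Rotation is blunt (legitimate tokens die too), so relying parties should also log rejections carrying a retired kid, since those are the tokens worth investigating.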