{
	"id": "e915c45f-46cd-4370-9379-b2e0cedcb3ac",
	"created_at": "2026-04-06T00:21:00.690435Z",
	"updated_at": "2026-04-10T03:25:20.288662Z",
	"deleted_at": null,
	"sha1_hash": "49cf3eab6693965771ead2def4d4851e258bfcde",
	"title": "Microsoft breach led to theft of 60,000 US State Dept emails",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2768898,
	"plain_text": "Microsoft breach led to theft of 60,000 US State Dept emails\r\nBy Sergiu Gatlan\r\nPublished: 2023-09-28 · Archived: 2026-04-05 14:06:38 UTC\r\nChinese hackers stole tens of thousands of emails from U.S. State Department accounts after breaching Microsoft's cloud-based Exchange email platform in May.\r\nDuring a recent Senate staff briefing, U.S. State Department officials disclosed that the attackers stole at least 60,000 emails\r\nfrom Outlook accounts belonging to State Department officials stationed in East Asia, the Pacific, and Europe, as Reuters\r\nfirst reported.\r\nAdditionally, the hackers managed to obtain a list containing all of the department's email accounts. The compromised State\r\nDepartment personnel primarily focused on Indo-Pacific diplomacy efforts.\r\n\"We need to harden our defenses against these types of cyberattacks and intrusions in the future, and we need to take a hard\r\nlook at the federal government's reliance on a single vendor as a potential weak point,\" Senator Eric Schmitt said in a\r\nstatement.\r\nThe reports were also confirmed by State Department spokesperson Matthew Miller in a press briefing on Thursday.\r\n\"Yes, it was approximately 60,000 unclassified emails that were exfiltrated as a part of that breach. No, classified systems\r\nwere not hacked. These only related to the unclassified system,\" Miller told reporters.\r\n\"We have not made an attribution at this point, but, as I said before, we have no reason to doubt the attribution that\r\nMicrosoft has made publicly. 
Again this was a hack of Microsoft systems that the State Department uncovered and notified\r\nMicrosoft about.\"\r\nEmail breaches linked to Storm-0558 Chinese cyberspies\r\nIn July, Microsoft revealed that beginning on May 15, 2023, threat actors successfully breached Outlook accounts associated\r\nwith approximately 25 organizations. The compromised organizations include the U.S. State and Commerce Departments\r\nand certain consumer accounts presumably linked to them.\r\nMicrosoft did not disclose specific details regarding the affected organizations, government agencies, or countries impacted\r\nby this email breach.\r\nThe company attributed the attacks to a cyber-espionage collective known as Storm-0558, suspected of being focused on\r\nobtaining sensitive information by infiltrating the email systems of their targets.\r\nEarlier this month, Microsoft disclosed that the threat group first obtained a consumer signing key from a Windows crash\r\ndump, a breach facilitated after compromising the corporate account of a Microsoft engineer, which enabled access to the\r\ngovernment email accounts.\r\nThe stolen Microsoft Account (MSA) key was employed to compromise Exchange Online and Azure Active Directory (AD)\r\naccounts by exploiting a previously patched zero-day validation vulnerability in the GetAccessTokenForResourceAPI. 
The\r\nflaw allowed the attackers to generate counterfeit signed access tokens, which allowed them to impersonate accounts within\r\nthe targeted organizations.\r\nIn response to the security breach, Microsoft revoked the stolen signing key and, following investigations, found no\r\nadditional instances of unauthorized access to customer accounts through the same method of access token forgery.\r\nUnder pressure from the Cybersecurity and Infrastructure Security Agency (CISA), Microsoft has also agreed to broaden\r\naccess to cloud logging data at no cost, which would help network defenders identify potential breach attempts of a similar\r\nnature in the future.\r\nPreviously, such logging capabilities were exclusively accessible to customers with Purview Audit (Premium) logging\r\nlicenses. Because of this, Microsoft faced criticism for impeding organizations from promptly detecting Storm-0558's\r\nattacks.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-breach-led-to-theft-of-60-000-us-state-dept-emails/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-breach-led-to-theft-of-60-000-us-state-dept-emails/"
	],
	"report_names": [
		"microsoft-breach-led-to-theft-of-60-000-us-state-dept-emails"
	],
	"threat_actors": [
		{
			"id": "86fb4ddd-989e-4613-8db8-ca646c553aae",
			"created_at": "2023-11-01T02:00:07.404201Z",
			"updated_at": "2026-04-10T02:00:03.381034Z",
			"deleted_at": null,
			"main_name": "Storm-0558",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1c762729-56f7-48d5-8fb0-b64a43716319",
			"created_at": "2023-09-07T02:02:47.944899Z",
			"updated_at": "2026-04-10T02:00:04.907587Z",
			"deleted_at": null,
			"main_name": "Storm-0558",
			"aliases": [
				"Antique Typhoon"
			],
			"source_name": "ETDA:Storm-0558",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"SinoChopper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434860,
	"ts_updated_at": 1775791520,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49cf3eab6693965771ead2def4d4851e258bfcde.pdf",
		"text": "https://archive.orkl.eu/49cf3eab6693965771ead2def4d4851e258bfcde.txt",
		"img": "https://archive.orkl.eu/49cf3eab6693965771ead2def4d4851e258bfcde.jpg"
	}
}