Threat Intelligence Tarot
Vol. II · 88
China (MSS - suspected)
risk 5/5
The Key Forger
Storm-0558
Violet Typhoon subset
Targets: Government email systems · US State Department · Western European governments · Microsoft cloud customers
Active since ~2021 · Espionage, Email intelligence collection
The Key Forger does not pick the lock but recreates the key itself, forging authentication tokens so perfect that even the vault cannot tell them from the real. It walks through the front door of cloud sovereignty.
Tactics & Techniques
  • T1539 Steal Web Session Cookie (Credential Access)
  • T1078.004 Cloud Accounts (Defense Evasion)
  • T1528 Steal Application Access Token (Credential Access)
  • T1114.002 Remote Email Collection (Collection)
  • T1550.001 Use Alternate Authentication Material (Defense Evasion)
  • T1078 Valid Accounts (Defense Evasion)
  • T1041 Exfiltration Over C2 Channel (Exfiltration)
Notable Operations
  • Forged Microsoft authentication tokens to access US government email (2023)
  • US State Department breach: 60,000+ emails exfiltrated
  • Microsoft Exchange Online compromise
  • Undetected access for over a month before discovery via log review
Defenses
  • Cloud audit logging enabled for all authentication events with long retention (CIS Control 8)
  • Conditional access policies restricting access by device compliance and location (NIST CSF: PR.AC)
  • Anomaly detection on mail access patterns and unusual geo-locations (NIST CSF: DE.AE)
  • Token lifetime limits and continuous access evaluation in cloud identity providers (CIS Control 6)
Reversed: Their Weakness
Microsoft's subsequent enforcement of signing key controls and expanded logging closed the exact vulnerability this actor exploited. Robust cloud audit logging and anomaly detection for authentication events are the primary countermeasures against it.
Data sourced from MITRE ATT&CK. For educational purposes.