However, cybersecurity researcher Shir Tamari from Wiz contradicted Microsoft’s claim, asserting that all Azure AD applications using OpenID v.2.0 were affected, as the key utilized by the attackers could have signed any OpenID v.2.0 access token.
According to Tamari, this included various managed Microsoft applications like Outlook, SharePoint, OneDrive, Teams, and customer applications supporting Microsoft Account authentication with “Login with Microsoft” functionality.
Microsoft firmly denies this assertion, stating that the claims made in the research are speculative and lack evidence. The company maintains that since it invalidated the stolen signing key, there has been no evidence of the attackers using the same technique to access additional accounts. Microsoft suggests that Storm-0558 altered its tactics, rendering the signing keys ineffective. Furthermore, the flaw reportedly impacted only applications that accepted personal accounts and experienced validation errors.