Forged from 2016: How Storm-0558 Turned One Stolen Signing Key into U.S. Government Email Access
A 2016 consumer Microsoft signing key, never rotated, forged tokens that read U.S. government email for six weeks before a paying customer noticed. A technical reconstruction.