The unauthorized access to the accounts was discovered by the US government, not Microsoft. National Security Council spokesman Adam Hodges said in a statement that, "Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service ... We continue to hold the procurement providers of the U.S. government to a high security threshold."
The hackers used forged Microsoft account (MSA) authentication tokens to gain access to email accounts through Outlook Web Access (OWA) in Exchange Online and Outlook.com. Microsoft issues and manages MSA (consumer) and Azure AD (enterprise) signing keys in separate systems, and a key from one system should only be valid for tokens of that system. However, a token validation issue allowed the hackers to impersonate legitimate users.