The US Cyber Safety Review Board recently revealed that a significant security breach involving US government emails via Microsoft Exchange Online software could have been prevented.
This breach was orchestrated by Chinese state-sponsored hackers and was the result of a “cascade of security failures” at Microsoft. The hackers gained access to the online email inboxes of 22 organizations, impacting over 500 individuals, including US government employees engaged in national security tasks.
The US Department of Homeland Security released a report harshly critiquing Microsoft for its preventable missteps and for fostering a corporate culture that placed low priority on security investments and strict risk management.
The attack method involved the hackers using a stolen Microsoft account consumer key to forge tokens for accessing Outlook on the web and Outlook.com. Microsoft remains uncertain about how the key was initially compromised; it has suggested the key may have been exposed in a crash dump, but it has acknowledged the limitations of that theory.
In addressing the breach, Microsoft initially disseminated inaccurate information via a September 2023 blog post, which it only corrected in March 2023 after persistent inquiries from the Cyber Safety Review Board. This delay in correction, together with the full cooperation Microsoft provided during the board’s investigation, spotlighted the necessity for a significant revamp of Microsoft’s security culture.
The Cyber Safety Review Board has concluded that not only was the intrusion preventable but also that Microsoft’s security measures were severely lacking, emphasizing the need for an overhaul given Microsoft’s pivotal role in the technology ecosystem:
“The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” the report reads.
In response to the breach and subsequent cybersecurity incidents, Microsoft is taking steps to substantially improve its software security through the introduction of the Secure Future Initiative (SFI). Its changes also include the launch of Copilot for Security, an AI-powered chatbot aimed at aiding cybersecurity professionals.