Dive Brief:
- The state-linked intrusion on Microsoft Exchange Online that led to the theft of about 60,000 U.S. State Department emails last summer "was preventable and should never have occurred", the Cyber Safety Review Board said Tuesday in a report.
- A series of operational and strategic decisions by Microsoft pointed to a corporate culture that deprioritized investments in enterprise security and rigorous risk management, despite the central role the company plays in the larger technology ecosystem, the report said.
- The CSRB urged Microsoft to publicly share its plans to make fundamental, security focused reforms across the company and its suite of products. The board also recommended that all cloud services providers and government partners enact security-focused changes.
Dive Insight:
The China-affiliated threat actor Microsoft identifies as Storm-0558 compromised the Microsoft Exchange Online mailboxes of 22 organizations and more than 500 individuals in the attacks, which began in May 2023.
The attacks compromised the individual mailboxes of key U.S. officials, including Commerce Secretary Gina Raimondo, Rep. Don Bacon, R-Neb., and Nicholas Burns, the U.S. ambassador to China.
The report highlights the need to overhaul not only security practices within Microsoft, but the larger body of cloud services that serve a critical role for companies, government agencies and other organizations across the U.S.
“Cloud computing is some of the most critical infrastructure we have, as it hosts sensitive data and powers business operations across our economy,” Rob Silvers, under secretary of policy at the Department of Homeland Security and chair of the CSRB, said in the announcement. “It is imperative that cloud service providers prioritize security and build it in by design.”
Tenable CEO Amit Yoran, a long-time critic of Microsoft’s security practices, praised the work of the board and pointed to the need for industry-wide reforms.
“This is not some watered down, wishy-washy document full of government speak and platitudes,” Yoran said. “After a thorough investigation, this body of august experts issued a powerful document that should serve as a wake-up call to cloud providers that cybersecurity must be a priority.”
The State Department was alerted to the attack before Microsoft because it created a custom rule called “Big Yellow Taxi” from a special Microsoft data log, according to the report. The State Department had a special G5 license in Microsoft Purview Audit, which provides enhanced logging for a premium price.
Microsoft was publicly rebuked by lawmakers for making customers pay extra for logging, which led the company to reverse its policies and offer enhanced logging for free in July 2023.
Microsoft announced plans in November to enact massive reforms in its security culture following public backlash over the attacks. Yet, the company’s security lapses were further exposed in January when it disclosed an attack by Midnight Blizzard, a Russia-linked threat group, that stole emails from top Microsoft executives through a password spray attack.
Microsoft thanked the CSRB for its work and acknowledged the need for significant changes in its security culture, as noted when it announced its Secure Future Initiative.
“While no organization is immune to cyberattack from well resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes and enforce security benchmarks,” a Microsoft spokesperson said via email. “Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber armies of our adversaries.”