Microsoft’s ‘Inadequate’ Security Behind Cloud Email Breach: U.S. Review Board

The 2023 compromise of email accounts belonging to multiple U.S. government agencies ‘was preventable and should never have occurred,’ according to a new report from the federal Cyber Safety Review Board.

The Microsoft cloud email breach that impacted multiple federal agencies in 2023 “was preventable and should never have occurred,” according to a new report released by the U.S. Cyber Safety Review Board (CSRB).

The board, which is housed within the U.S. Department of Homeland Security, said it determined that “Microsoft’s security culture was inadequate and requires an overhaul”—an urgent issue “in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”


The Microsoft cloud email breach, first discovered in June 2023, saw the compromise of email accounts belonging to multiple U.S. government agencies. The attack is known to have impacted the emails of Commerce Secretary Gina Raimondo and other officials in the Commerce Department, as well as U.S. Rep. Don Bacon and U.S. Ambassador to China Nicholas Burns.

The incident—attributed to a China-linked threat actor tracked as “Storm-0558”—has been under investigation by the CSRB since August 2023. The board has no regulatory powers and is not an enforcement authority; its findings are recommendations, not orders.

‘Cascade Of Errors’

The CSRB’s 34-page report examines, in the authors’ words, a “cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed.”

Failures attributed to Microsoft include its inability to “detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed” (the “crown jewels” being the Microsoft signing key that, per the report, Storm-0558 used to forge authentication tokens for the targeted mailboxes); the company’s “failure to detect a compromise of an employee's laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021;” and “Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident.”

Notably, the CSRB said it also assessed “security practices at other cloud service providers, which maintained security controls that Microsoft did not.”

CRN has reached out to Microsoft for comment.

A total of 60,000 emails were stolen from 10 U.S. State Department accounts in the compromise, according to previous reports.

“Storm-0558 had access to some of these cloud-based mailboxes for at least six weeks,” the CSRB report found.

Major Changes Needed

The CSRB ultimately found that Microsoft is no longer treating security as the top priority laid out in Bill Gates’ famous 2002 memo on “Trustworthy Computing,” which the report quotes at length.

The conclusion, according to the report, is that “Microsoft has drifted away from this ethos and needs to restore it immediately as a top corporate priority.” The report noted that the CSRB is “aware of Microsoft’s recent changes to its security leadership and the ‘Secure Future Initiative’ that it announced in November 2023.”

Microsoft announced at the time that it would be rolling out an array of major changes to its software engineering process aimed at improving the security of its widely used platforms.

The CSRB indicated that the initiative is not sufficient in its current form to address the company’s security issues. “The Board believes that these and other security-related efforts should be overseen directly and closely by Microsoft’s CEO and its Board of Directors, and that all senior leaders should be held accountable for implementing all necessary changes with utmost urgency,” the report said.