Microsoft Slammed By U.S. Board Over Cloud Email Breach: 5 Things To Know

A Homeland Security review board found that the 2023 China-linked attack succeeded due to a ‘cascade of Microsoft’s avoidable errors.’

The new U.S. review board report on the 2023 Microsoft cloud email breach confirmed what many in the cybersecurity industry have been saying for nearly a year: The China-linked attack was successful in large part because of lax security practices at the tech giant.

The U.S. Cyber Safety Review Board (CSRB), which was appointed by the Department of Homeland Security, ultimately found in the 34-page report that Microsoft needs to reprioritize its security in a much bigger way.

[Related: CrowdStrike CEO George Kurtz On Microsoft’s ‘Murky’ Breach Details, Palo Alto Networks Platform Debate]

The Microsoft Exchange Online breach was first discovered in June 2023 and saw the compromise of email accounts belonging to multiple U.S. government agencies. The attack is known to have impacted the emails of Commerce Secretary Gina Raimondo and other officials in the Commerce Department, as well as U.S. Rep. Don Bacon and U.S. Ambassador to China Nicholas Burns.

A total of 60,000 emails were stolen from 10 U.S. State Department accounts in the compromise, and the attackers “had access to some of these cloud-based mailboxes for at least six weeks,” according to the report.

The incident—attributed to a China-linked threat actor tracked as “Storm-0558”—has been under investigation by the CSRB since last August. The board, which released its report Tuesday evening, doesn’t have regulatory powers and is not an enforcement authority.

The CSRB’s report examines, in the authors’ words, a “cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed.”

What follows are five big things to know about the CSRB’s report on the 2023 Microsoft cloud email breach.

Latest In Series Of Incidents

The backdrop to the CSRB report is that, for Microsoft, the 2023 Exchange Online breach has been just one in a series of major security incidents. Since the incident came to light, in fact, Microsoft has already seen another high-profile breach that has prompted even greater scrutiny—the hack of senior executive accounts disclosed in January.

Other widely felt attacks that have exploited alleged security shortcomings in Microsoft’s technology have included the SolarWinds Orion compromise of 2020 and the massive wave of Exchange Server attacks in 2021 that exploited critical zero-day vulnerabilities.

Last year’s Microsoft cloud email breach was reminiscent of the SolarWinds attack in one key sense—the sizable impact on the U.S. government—which is undoubtedly what prompted the CSRB report.

Ultimately, the success of the Exchange Online attack “was preventable and should never have occurred,” the board found in its report.

“Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” the report said.

Report Echoes Industry Critics

The criticisms echoed those aired by top security industry executives in the wake of the incident, which was first discovered in June 2023.

CrowdStrike CEO George Kurtz, for instance, said during a 2023 interview with CRN that the cloud email breach was an example of how “Microsoft’s failures” on security have put the U.S. government and businesses at risk.

Ultimately, Microsoft security issues “are putting millions and millions—tens of millions—of customers at risk,” Kurtz said at the time.

Tenable CEO Amit Yoran, meanwhile, has pointed to a “pattern of behavior” from Microsoft that “undermines security,” while Wiz CTO Ami Luttwak has said that Microsoft still has many troubling questions to answer over the breach.

The review board’s scrutinizing look at the cloud email breach suggests that the many critics of Microsoft’s security have not been off base in their assessments. In other words, while those that have repeatedly slammed Microsoft in the past may not be unbiased as competitors to the company, that doesn’t necessarily mean they’re wrong.

Trailing Other Cloud Providers

One significant aspect of the CSRB report is its comparison of Microsoft’s security with that of other major cloud providers. The review board said its findings are based in part on its “assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not.”

The major focus here, according to the report, should be on deploying stronger identity and access security measures such as those implemented by Google and Amazon Web Services.

For instance, Google has “re-worked its identity system to rely as much as possible” on a highly secure credentialing method known as “stateful tokens,” the report said.

Google has also implemented “fully automatic key rotation where possible and tightened the validation period for stateless tokens” and undertaken “a comprehensive overhaul of its infrastructure security,” including implementing “zero trust” security on its networks along with rolling out hardware-based multi-factor authentication methods for logins, according to the review board.

AWS, meanwhile, with its IAM Signature Version 4 (SigV4) protocol, “provides each customer with unique authentication keys for each of their users or roles, but these keys are not bearer tokens nor are they used directly for signing. Having no tokens, these credentials are not susceptible to token replay.”

Instead, the AWS approach relies on “highly compartmentalized signing keys [that] are cryptography-derived, and each request is signed in a way that can only authorize the same specific action, which can be safely retried.”

Ultimately, the board determined that in the wake of attacks such as the 2009 Operation Aurora attack against Google, other cloud service providers “recognized the importance of addressing this threat model by implementing different approaches to secure their identity systems” than did Microsoft.

Still Unclear How It Started

Microsoft had previously said the attack stemmed from a stolen Azure Active Directory key, which was misused to forge authentication tokens and gain access to emails.

The company has since provided why the attack was possible—a flaw caused the key to be improperly captured and stored in a file following a Windows system crash in 2021—it has remained unclear how and when the theft of the key occurred.

The CSRB report indicates that this crucial aspect of the attack is still a mystery, pointing to “Microsoft’s inability to determine how and when the adversary was able to steal its signing key.”

As a result, “all CSPs should review and revise as appropriate their logging and overall forensics capabilities around their identity systems and other systems that enable environment-level compromise,” the review board wrote.

‘Trustworthy Computing’ 2.0 Needed

The CSRB ultimately found that Microsoft is no longer making security a top priority as laid out in Bill Gates’ famous 2002 memo on “Trustworthy Computing,” which is quoted at length in the CSRB report.

The conclusion, according to the report, is that “Microsoft has drifted away from this ethos and needs to restore it immediately as a top corporate priority.” The report noted that the CSRB is “aware of Microsoft’s recent changes to its security leadership and the ‘Secure Future Initiative’ that it announced in November 2023.”

Microsoft said at the time that it would be rolling out an array of major changes to its software engineering process aimed at improving the security of its widely used platforms.

The CSRB indicated that the initiative is not sufficient in its current form to address the company’s security issues. “The Board believes that these and other security-related efforts should be overseen directly and closely by Microsoft’s CEO and its Board of Directors, and that all senior leaders should be held accountable for implementing all necessary changes with utmost urgency,” the report said.

In one of its recommendations, the CSRB said that Microsoft leadership “should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made.”

“In all instances, security risks should be fully and appropriately assessed and addressed before new features are deployed,” the report said.

In a statement provided to CRN, Microsoft said it appreciates the work of the CSRB and agrees that “recent events have demonstrated a need to adopt a new culture of engineering security in our own networks.”

Pointing to its Secure Future Initiative, Microsoft said that it has “mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.”

“Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries,” Microsoft reportedly said in the statement. “We will also review the final report for additional recommendations.”