Connect with us

Hi, what are you looking for?


Cloud Security

Microsoft’s Security Chickens Have Come Home to Roost

News analysis: SecurityWeek editor-at-large Ryan Naraine reads the CSRB report on China’s audacious Microsoft’s Exchange Online hack and isn’t at all surprised by the findings.


The US government’s public documentation of Microsoft’s shoddy cybersecurity practices, lax corporate culture and untruthfulness in public communications should come as no surprise to anyone. 

There were dark patterns everywhere. For years, we collectively groaned and rolled our eyes as Microsoft shipped faulty and incomplete patches, gutted its Patch Tuesday bulletins into irrelevance, fought with hackers reporting security problems, and made baffling trade-offs around cybersecurity transparency.

Even the ‘/security’ page, for years used as a place to simplify the distribution of security warnings, mitigation guidance and software patches, morphed into a landing page to hawk Microsoft’s newly “AI-powered” cybersecurity products.

On the flip side, every communication out of Microsoft is meant to project cybersecurity power, with constant reminders that cybersecurity is big business in Redmond, generating $20 billion a year today while it builds a so-called “AI-based cyber shield” to protect the world.  

This “dangerous addition to security revenue,” as Alex Stamos just described it, gets even uglier when Microsoft’s own security problems are used to upsell customers and important mitigation technologies are only available in expensive licensing packages.

In its review of the Microsoft Exchange Online hack, the government’s Cyber Safety Review Board (CSRB) called out “a cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed” and warned that a second nation state-backed hacking team (Russia) have also been rummaging through highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems. 

“The Board finds that this intrusion was preventable and should never have occurred,” the CSRB said, bluntly.  “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.” 

The CSRB, which styles itself as an independent investigative agency similar to the NTSB, said it found “a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

Advertisement. Scroll to continue reading.

It goes further, pointing the finger directly at CEO Satya Nadella and calling on Redmond’s leadership to “directly focus” on the company’s security culture and to develop and share publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products.  

Microsoft has already pre-empted the CSRB’s findings with the announcement of a Secure Future Initiative promising faster cloud patches, better management of identity signing keys and products with a higher default security bar but the CSRB wants Nadella to direct internal Microsoft teams to deprioritize feature developments across its cloud infrastructure and product suite until security risks are fully addressed.

While unsurprising, the CSRB findings should scare us all. Microsoft is too big to fail, with its OS and cloud technologies powering some of the most critical and essential services on earth. It’s not quite a monoculture from the Dan Geer era but it’s near impossible to avoid interacting with Microsoft’s ecosystems, whether it’s Azure, M365, LinkedIn or XBox today.

As the report notes, Microsoft and cloud service providers (CSPs) are custodians of nearly unimaginable amounts of data, from consumer personal information to communications of U.S. diplomats and other senior government officials, as well as commercial trade secrets and intellectual property.

Important businesses large and small have made the bet to become “Microsoft shops,” adding to supply chain risks while large parts of the anti-malware world are dependent on Defender detections and discoveries from the company’s (very strong!) threat intelligence research teams.

For those deeply entrenched in Microsoft’s world, security costs can add up significantly, especially for granular logging to help with security incident detection, investigation, and response. “This course of business should stop,” the CSRB notes, arguing that security-related logging should be a core element of cloud offerings.  

The CSRB report is a remarkable document providing a blow-by-blow into one of the most daring APT attacks in history against a company that somehow blew a decade’s worth of goodwill and completely lost its way in security.

Very few should be surprised.

Related: US Gov Rips Microsoft for Shoddy Security, Poor Response to Chinese Hack

Related: After Major Cloud Hacks, Microsoft Unveils ‘Secure Future Initiative’

Related: Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails

Related: Microsoft Hires New CISO in Major Security Shakeup

Related: Chinese Cyperspies Use Stolen Microsoft Key to Hack Gov Emails

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.