Cloud Security

US Senator Wyden Accuses Microsoft of ‘Cybersecurity Negligence’

Redmond is accused of “negligent cybersecurity practices” that enabled a successful Chinese hack of the United States government.

Oregon senator Ron Wyden wants the U.S. government to hold Microsoft responsible for what he describes as “negligent cybersecurity practices” that enabled “a successful Chinese espionage campaign against the United States government.”

In a strongly worded letter to Attorney General Merrick Garland and the heads of CISA and the FTC, Wyden said the software giant “bears significant responsibility” for the M365 cloud hack that started with the theft of a Microsoft encryption key.

“Since the hackers stole an MSA encryption key, the hackers could create fake authentication tokens to impersonate users and gain access to Microsoft-hosted consumer accounts, even if a user’s account was protected with multi-factor authentication and a strong password,” Wyden noted.

“Government emails were stolen because Microsoft committed another error,” Wyden declared.

When Microsoft acknowledged the hack and the stolen MSA key, the software giant said Outlook.com and Exchange Online were the only applications known to have been affected via the token-forging technique, but new research shows that the stolen key gave Chinese hackers access to data beyond Exchange Online and Outlook.com.

The hack, which led to the theft of email from approximately 25 organizations, turned into a bigger embarrassment for Microsoft when customers complained they had zero visibility to investigate because they were not paying for the high-tier E5/G5 license. After intense public pressure, the company announced it would expand logging defaults for lower-tier M365 customers.

According to Senator Wyden, Microsoft never took responsibility for its role in the SolarWinds hacking campaign and instead blamed federal agencies and customers while using the incident to promote its Azure AD product. 

While noting Microsoft's public boasts of raking in $20 billion a year in cybersecurity revenue, Wyden called for a “whole of government effort” to hold Microsoft responsible for its alleged cybersecurity negligence.

He called on CISA director Jen Easterly to direct the Cyber Safety Review Board (CSRB) to investigate the latest hack and look at whether Microsoft stored the stolen encryption key in a hardware security module (HSM), a best practice recommended by the National Security Agency.

“The Board should also examine why Microsoft’s negligence was not discovered during the external audits that were required to obtain certification for government use under the FedRAMP program, or during Microsoft’s own internal security reviews,” Wyden added.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
