Cyber Safety Review Board slams Microsoft security failures

The U.S. Department of Homeland Security's Cyber Safety Review Board said Microsoft's security culture is "inadequate and requires an overhaul" in a report published Tuesday.

The Cyber Safety Review Board (CSRB) initiated an investigation following a high-profile cyberattack Microsoft disclosed in July 2023. In the attack, a Chinese nation-state threat actor tracked as Storm-0558  breached email accounts at 22 organizations, which included some federal agencies. The threat actors accessed the email accounts using Outlook Web Access in Exchange Online and Outlook.com by forging authentication tokens via a stolen Microsoft account (MSA) signing key.

In a CISA advisory published at the time, the U.S. cyber agency said a federal civilian executive branch agency detected suspicious activity in its Microsoft 365 environment sometime the previous month; the breach was detected only because government 365 licenses include enhanced cloud logging features that were at the time available at only the highest and most expensive subscription level. Microsoft addressed the latter issue in September and made premium logging features more widely available.

The CSRB report, dated March 20 and publicly released Tuesday evening, was conducted in order to learn more about the incident and why it occurred. The primary finding of the CSRB was that "this intrusion should never have happened."

"Storm-0558 was able to succeed because of a cascade of security failures at Microsoft, as outlined in this report," CSRB chair Robert Silvers and deputy chair Dmitri Alperovitch wrote in the report's introduction. "Today, the Board issues recommendations to Microsoft to ensure this critical company, which sits at the center of the technology ecosystem, is prioritizing security for the benefit of its more than one billion customers."

As part of its conclusion, the board determined that "Microsoft's security culture was inadequate and requires an overhaul." This is based on, the CSRB argues, Microsoft's "failure to detect the compromise of its cryptographic crown jewels" and instead relying on a customer -- in this case, the U.S. State Department – to inform the company of Storm-0558's activity.

The CSRB also based its conclusions on Microsoft's lack of security controls that other cloud providers have; the Russian nation-state attack that Microsoft suffered in January; and Microsoft's responsibility, given its ubiquitous and critical line of products.

One of the most significant aspects of the CSRB's findings was that according to the report, Microsoft still does not know how or when the MSA signing key was stolen. Furthermore, the board criticized the company for making inaccurate public statements about the attack and how the key was stolen.

Microsoft claimed in a September blog post that the MSA key was incorrectly included in a crash dump of a consumer signing system inside the company network; the blog post said Storm-0558 actors obtained a Microsoft engineer's credentials and used the account to access a debugging environment that contained the key. However, the CSRB investigation found "Microsoft has no evidence or logs showing the stolen key's presence in or exfiltration from a crash dump." Microsoft's blog post, however, was not updated until March 12.

"Microsoft's decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft's plans to issue a correction," the report read.

Although some details in the report are new, many of the criticisms of Microsoft's security practices are not. Last year, infosec professionals shared their frustrations regarding Microsoft's security practices with TechTarget Editorial. Experts criticized the company over a lack of transparency, bypassed and incomplete patches and rocky communication practices with security researchers.

And in January, executives slammed Microsoft for its handling of this year's breach at the hands of Midnight Blizzard, a Russian nation-state group also known as Cozy Bear and APT29. Infosec experts called attention to the lack of multifactor authentication on the compromised test tenant account at the center of the attack and Microsoft's apparent upselling of security products in a disclosure blog post.

Microsoft's apparent prioritization on business over security is also referenced in the CSRB report.

"Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management…" the report read. "Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company's cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources."

In a statement shared with TechTarget Editorial, a Microsoft spokesperson said the company appreciates the work of the CSRB and will continue to adopt a new culture of engineering per the Secure Future Initiative announced last fall. The complete statement reads as follows.

"We appreciate the work of the CSRB to investigate the impact of well-resourced nation state threat actors who operate continuously and without meaningful deterrence. As we announced in our Secure Future Initiative, recent events have demonstrated a need to adopt a new culture of engineering security in our own networks. While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes and enforce security benchmarks. Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber armies of our adversaries. We will also review the final report for additional recommendations."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.