Risk & Repeat: Cyber Safety Review Board takes Microsoft to task

The U.S. Department of Homeland Security's Cyber Safety Review Board said Microsoft's security culture requires an "overhaul" in a report published Tuesday.

The CSRB report is based on an investigation into a breach Microsoft suffered last summer. Starting in May 2023, a Chinese nation-state threat actor tracked as Storm-0558 breached email accounts at 22 organizations, including multiple federal agencies. Threat actors gained access to email accounts by forging authentication tokens with a stolen Microsoft account (MSA) signing key.

Over the course of its investigation, the CSRB determined that the attack "should never have happened" and occurred because of a cascade of security failures on the part of Microsoft. Moreover, the report said Microsoft still did not know how the MSA key was stolen, contrary to statements the tech giant made in September, and that the company only corrected the record on this point last month.

Reactions to the CSRB report have been largely positive. Tenable CEO Amit Yoran called the report "masterful," while Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, praised the thoroughness of the document. Adam Meyers, CrowdStrike senior vice president of counter adversary operations, called Microsoft a "national security risk."

On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discuss the Cyber Safety Review Board report and recent security criticisms leveled against Microsoft.

Subscribe to Risk & Repeat on Apple Podcasts.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.