Risk & Repeat: Digging into Microsoft security criticisms

Microsoft faced a wave of criticism following its reaction to the Storm-0558 attacks last month, but security complaints with the tech giant go back much further.

Last week, TechTarget Editorial chronicled recent frustrations with Microsoft's security organization that go well beyond recent news. Cybersecurity executives, researchers and former Microsoft employees covered issues, including a lack of transparency, inconsistent communication practices, patch bypasses and a general decline in the tech giant's security initiatives.

These new criticisms come after Microsoft disclosed last month a threat campaign operated by a China-affiliated threat actor, designated Storm-0558. The threat actor breached 25 organizations -- several that are affiliated with the U.S. government -- by exploiting what Microsoft described as a "token validation issue."

The campaign was first discovered by a Federal Civilian Executive Branch (FCEB) agency of the U.S. government, which had enhanced logging enabled through the highest-tier license agreement for Microsoft 365. In an advisory about the attacks, CISA emphasized the FCEB agency was only able to detect the intrusion because the enhanced logging provided signs of compromised email accounts.

Though Microsoft made strides to rectify this and plans to greatly widen logging access next month, the company also faced criticism for seemingly downplaying the scope of the cloud flaws involved, as well as a lack of transparency into how the threat actor obtained the stolen Microsoft signing key that led to the attacks.

On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discuss new and old criticisms of Microsoft's security practices and the company's response.

Subscribe to Risk & Repeat on Apple Podcasts.

Alexander Culafi is a writer, journalist and podcaster based in Boston.