- A review of the attack on Microsoft’s Exchange Online hosted email service found that the incident could have been prevented in addition to Microsoft’s lax information security culture.
- Microsoft has been criticized for its slow efforts to correct the public record.
- Microsoft does not appear to have given sufficient priority to rebuilding its legacy infrastructure to meet the current threat landscape.
Cyber raids can be prevented
A review of the June 2023 attack on Microsoft’s Exchange Online hosted email service found that the incident could have been prevented if not for Microsoft’s lax information security culture and subpar cloud security precautions.
The review, conducted by the US government’s Cybersecurity and Infrastructure Security Agency’s Cybersecurity Review Board (CSRB), called for “rapid cultural change” at Microsoft. The Board’s recommendations include:
Microsoft’s customers will benefit from its CEO and board of directors focusing directly on the security culture and developing and publicly sharing plans with specific timelines to make fundamental, security-focused changes to the entire business and its suite of products;
The CEO should hold senior officials accountable for the implementation of the program;
Microsoft leadership should consider directing internal teams to de-prioritize feature development for cloud infrastructure and product suites until substantial security improvements are made to eliminate competition for resources;
Security risks should be fully and appropriately assessed and addressed before new capabilities are deployed.
The strong language came in response to the attack, which it attributed to a “litany of avoidable mistakes by Microsoft.”
Also read: Microsoft and Epic reduce investments in independent games
Place to blame for the attack
The CSRB report [PDF] blamed the attack on key rotation practices used to protect Microsoft Service Accounts (MSA) – the identity management system that powers the software giant’s cloud services for consumers.
MSA was designed in the early 2000s with no automatic signing key rotation or deactivation process. As a result, Microsoft manually managed keys – but stopped doing so in 2021 after the practice led to major cloud outages.
So when Storm-0558 got a key created in 2016 (which should have been deactivated), it gained the ability to Access the version of Outlook Web Access provided to consumers. Things escalated from there, as a flaw in Microsoft’s system meant that the 2016 MSA key could create tokens that allowed access to corporate email accounts, not just consumer services managed by MSA creation. As a result, Storm-0558 is able to create tokens that give it access to Microsoft clients, such as the U.S. State Department. The gang did just that, stealing about 60,000 emails from the department, along with a list of email addresses for all employees.
The report notes that while other cloud providers are better at key rotation and implementing other security controls, Microsoft is not. As a result, the report criticizes Microsoft for not being able to detect the leak of its keys.
Microsoft has also been criticized for its slow efforts to correct the public record. Redmond claimed the attack was possible because a gold encryption key was present in a fault dump that went into a debug environment connected to the Internet. But Microsoft has never proven this theory.
Disregarding security risk management
Another theme of the report is that Microsoft “does not put security risk management at a level commensurate with the threat or the critical importance of Microsoft technology to its more than 1 billion customers worldwide.”
The investigators considered Microsoft’s multi-cloud peers and found them to be more cautious than the Windows giant. “Microsoft has not sufficiently prioritized rebuilding its legacy infrastructure to meet the current threat landscape,” the authors found.