At Microsoft, years of security debt come crashing down
This audio is auto-generated. Please let us know if you have feedback.
Years of accumulated security debt at Microsoft are seemingly crashing down upon the company in a manner that many critics warned about, but few ever believed would actually come to light.
Microsoft is an entrenched enterprise provider, owning nearly one-quarter of the global cloud infrastructure services market and, as of Q1 last year, nearly 20% of the worldwide SaaS application market, according to Synergy Research Group.
Though not immune to scandal, in the wake of two major nation-state breaches of its core enterprise platforms, Microsoft is facing one of its most serious reputational crises.
“It’s certainly not the first time a nation-state adversary has breached Microsoft’s cloud environments and after so many instances, empty promises of improved security are no longer enough,” Adam Meyers, SVP of counter adversary operations at CrowdStrike, said via email.
In January, Microsoft said a Russia-backed threat group called Midnight Blizzard, gained access to emails, credentials and other sensitive information from top Microsoft executives, certain corporate customers and a number of federal agencies.
Then in early April, the federal Cyber Safety Review Board released a long-anticipated report which showed the company failed to prevent a massive 2023 hack of its Microsoft Exchange Online environment. The hack by a People’s Republic of China-linked espionage actor led to the theft of 60,000 State Department emails and gained access to other high-profile officials.
Just weeks ago, the Cybersecurity and Infrastructure Security Agency issued an emergency directive, which orders federal civilian agencies to mitigate vulnerabilities in their networks, analyze the content of stolen emails, reset credentials and take additional steps to secure Microsoft Azure accounts. While the order only applies to Federal Civilian Executive Branch agencies, CISA warned other organizations could be impacted.
For many critics of Microsoft, the events of the past nine months are the logical conclusion of a company that has ridden the wave of market dominance for decades and ignored years of warnings that its product security and practices failed to meet the most basic standards.
“In a healthy marketplace, these would be fireable offenses,” said AJ Grotto, director of the Program of Geopolitics, Technology and Governance at the Stanford Cyber Policy Center and a former White House director for cyber policy. “Regrettably, the marketplace is far from healthy — Microsoft has the government locked in as a customer, so the government’s options for forcing change at Microsoft are limited, at least in the short term.”
The concern was, and is, that Microsoft's security gaps would potentially lead to catastrophic outcomes.
Microsoft needs to dedicate its internal resources towards zero-trust initiatives and make new investments in its infrastructure, according to Karan Sondhi, CTO, public sector at Trellix.
“Currently, Microsoft directs the vast majority of their security investments in revenue generating roles instead of internal security roles,” Sondhi said via email.
Microsoft has a considerable stake in the cloud security space. Not only is Microsoft one of the world’s largest cloud providers, but it is also a major security provider to the enterprise. Microsoft has more than 1 million security customers, with 700,000 using four or more of its security products, CEO Satya Nadella said during the company’s fiscal second quarter conference call in January.
The company generates more than $20 billion in revenue per year from its security business.
Vulnerable ecosystem
The state-linked activity targeting Microsoft systems also impacted on other companies that use Microsoft products — Hewlett Packard Enterprise disclosed it was impacted by ongoing activity from the threat group as well.
HPE in January said Midnight Blizzard gained access to a small number of company mailboxes dating back to May 2023, stealing data from executives in cybersecurity and other key departments, in a filing with the Securities and Exchange Commission. The activity appears to be related to the access and exfiltration of SharePoint files, according to the filing.
HPE in January told Cybersecurity Dive the threat actor “used a compromised account to gain unauthorized access to the Office 365 email environment." HPE has declined to comment further on the Midnight Blizzard threat activity beyond its SEC filings.
Microsoft in a March filing with the SEC, said Midnight Blizzard was trying to use various secrets it stole from the company. Microsoft said it had shared secrets with certain customers via email, and was reaching out to those customers to help them take mitigation steps.
“In a healthy marketplace, these would be fireable offenses. Regrettably, the marketplace is far from healthy — Microsoft has the government locked in as a customer, so the government’s options for forcing change at Microsoft are limited, at least in the short term.”
AJ Grotto
Director of the Program of Geopolitics, Technology and Governance at the Stanford Cyber Policy Center and a former White House director for cyber policy
Midnight Blizzard has repeatedly launched attacks against Microsoft customers using a variety of means, including password spray attacks and social engineering.
CISA and other officials are still assessing the ongoing threat from the Midnight Blizzard attacks to federal agencies and other Microsoft customers.
The Center for Internet Security, through the Multi-State Information Sharing and Analysis Center, provided “intelligence and response information regarding the campaign of activity targeting Microsoft products,” said Randy Rose, VP of security operations and intelligence at CIS.
Rose confirmed a “low number” of MS-ISAC participants were notified that they were likely impacted. However, there were no reports of external activity linked to this and no reports of incident response.
Indeed, the CSRB report laid out a blistering assessment of a corporate culture that has failed for years to take cybersecurity seriously.
The report was designed to assess the company’s response to the summer 2023 breach from the People’s Republic of China-linked threat actor that breached the company’s Microsoft Online Exchange environment.
However, it also laid out a security culture that failed to adhere to the most basic standards, given the enormous market power that Microsoft yields across modern business applications in government and the private sector.
One of the more damaging findings was that Microsoft learned of the attacks only because the State Department had set up an internal alert system after purchasing a G5 license from the company. Customers who failed to purchase the enhanced license, were not able to see the extensive logging capabilities that would have alerted them to a breach.
Failure of accountability
Many in the security community see the CSRB report and the recent CISA emergency directive as direct indictments not only of Microsoft’s security culture, but a government that has allowed Microsoft to maintain lucrative government contracts with no fear of competition across many of its services.
“The federal government gets off the hook a little easy in this report,” said Mark Montgomery, senior director at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “Despite significant encouragement from outside experts, the Biden administration, and its predecessors, have failed to treat cloud computing as a national critical infrastructure, that is itself critical to maintaining the security of our national critical infrastructures.”
Sen. Ron Wyden, D-Ore., who called for a federal investigation following the State Department email hack, said the federal government shared responsibility for the negligent behavior disclosed in the report.
Wyden said Microsoft has been rewarded with billions of dollars in federal contracts, while not being held to account for even the most basic security standards.
“Many switched to Exchange Online or Microsoft 365 to get away from on-premise servers and [managed service providers]. If the other choice is going 'back' — or a potentially disruptive switch to another platform like Google Workspace — they most often just ride it out and trust Microsoft to fix the issues.”
Dante Stella
Attorney at Dykema
“The government’s dependence on Microsoft poses a serious national security threat, which requires strong action,” Wyden told Cybersecurity Dive after the CSRB report was released earlier this month.
Technology vendors should be held to strict cybersecurity standards, use independent audits to make sure vendors are adhering to those standards and if violated, the company and senior executives must be held accountable, Wyden said.
Microsoft officials said they understand the larger concerns raised by the summer 2023 attacks and the continued threat from Midnight Blizzard and other nation-state actors. The company is working to make extensive changes in its engineering processes, improve its relationships with the security community and its responsiveness to customer needs.
“We are energized and focused on executing Microsoft’s Secure Future Initiative commitments,” Bret Arsenault, corporate VP and chief cybersecurity advisor at Microsoft, said in a statement. “And this is just the beginning. We commit to sharing transparent learnings and future milestones as part of our efforts to strengthen all systems against attacks.”
As part of the larger shakeup of Microsoft’s security operations, Microsoft in December named Igor Tsyganskiy to take over as the new global CISO effective Jan. 1, moving Arsenault out of that role after 14 years.
Aresenault pointed out that since launching the company’s Secure Future Initiative in November, the company has sped up related engineering work in several areas:
- Microsoft has accelerated the lifecycle management of tenants, with a focus on either unused or older systems. The company eliminated more than 1.7 million Entra ID systems related to used, aging or legacy technology. It has also made multifactor authentication enforcement automatic across more than 1 million Entra ID tenants.
- More than 730,000 apps have been removed across production and corporate tenants that were either out of lifecycle or not meeting current SFI standards.
- New employees and vendors are given short-term credentials to make impersonation and credential theft more difficult. More than 270,000 have been implemented thus far.
- The company’s internal MFA implementation using Microsoft authenticator has been enhanced, by eliminating a call feature and relying on an in-app login feature. This change covers more than 300,000 employees and vendors.
Customer renewal or rejection
How private industry and government agencies respond to these security challenges is a near-term concern for Microsoft.
Dante Stella, an attorney at Dykema and specialist in incident response, says enterprise customers do not usually walk away in the face of nation-state threats against Microsoft, in part due to its enormous presence as a cloud provider.
“Many switched to Exchange Online or Microsoft 365 to get away from on-premise servers and [managed service providers]," Stella said via email. “If the other choice is going 'back' — or a potentially disruptive switch to another platform like Google Workspace — they most often just ride it out and trust Microsoft to fix the issues.”
Attacks like these will spur proactive security measures at many companies, for example increasing employee training, upgrading email security to an E5 level, adopting the use of audit logs and increasing the use of encryption during file transfers, Stella said.
E5 is considered the premium tier for Microsoft 365 customers, offering enhanced security and other services, he said.
Though Nadella says security is Microsoft's No. 1 priority, the company also has raced to develop artificial intelligence and incorporate it into its products.
Microsoft has placed a major bet that customers will embrace its effort to incorporate AI into its security product platforms. Microsoft said, after months of testing with customers, that Security Copilot helped security analysts be 22% faster and 7% more accurate.
In addition, the company sees a larger number of Microsoft 365 customers embracing E5, which provides enhanced security protection and is reflected in higher average revenue per user.
Microsoft made Security Copilot generally available earlier this month and is offering the technology on a pay as you go basis to make it more affordable to a wider range of customers.