Feds to Microsoft: Clean Up Your Cloud Security Act Now

Published: 23/11/2024   Category: security




A federal review board demanded that the tech giant prioritize its inadequate security posture, putting the blame solely on the company for last year's Microsoft 365 breach that allowed China's Storm-0558 to hack the email accounts of key government officials.



A federal review board has called on Microsoft to prioritize its approach to cloud security and stop pushing the burden of it onto customers in the wake of a July 2023 cyberattack that let Chinese threat actors breach Microsoft 365 accounts to spy on key US government officials.
A report released on April 2 by the independent Department of Homeland Security (DHS) Cyber Safety Review Board offered an incendiary review of Microsoft's security culture, putting the blame squarely on the company and a cascade of security failures for the cyber espionage attack by China-based threat group Storm-0558, which never should have happened.
The board — which was investigating the breach at the behest of President Joe Biden — demanded that the technology giant put cybersecurity at the top of its agenda. It also should be held to strict account to make significant revisions to its cloud-security position, even prioritizing these changes ahead of new product features and development.
"To drive the rapid cultural change that is needed within Microsoft, the board believes that Microsoft's customers would benefit from its CEO and Board of Directors directly focusing on the company's security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products," officials said in the report.
As part of its review, the board made a series of recommendations to this end, including that top executives not only develop this plan but also hold leaders at all levels across the company accountable for implementing it.
Microsoft leadership also should consider directing internal Microsoft teams to deprioritize feature developments across the company's cloud infrastructure and product suite until substantial security improvements have been made, instead assessing and addressing security before deploying any new features, the board concluded.
Given the dependence on the security of Microsoft's cloud-based services and infrastructure, the software giant and other CSPs also need to take more accountability overall for the security outcomes of their customers. An action item at the top of this list is to halt the practice of making customers pay for security-related logging, making it a core element of cloud offerings instead of an add-on service for an extra fee.
Microsoft already relented and dropped fees associated with expanded logging access for all levels of 365 license holders shortly after the breach following complaints that it was effectively levying a logging tax on customers.
The overall finding of the board is that the blame for the breach — which allowed Storm-0558 to gain access to email accounts across 25 government agencies in Western Europe and the US — is solely with Microsoft, and was directly due to a series of security failings on the part of the company.
As the fallout from the breach intensified in the weeks after its initial detection, Microsoft eventually in September 2023 owned up to a series of mistakes that led to Storm-0558 using a Microsoft account (MSA) consumer signing key to forge Azure AD tokens for accessing enterprise email accounts. MSA consumer keys are typically used to cryptographically sign into a Microsoft consumer application or service such as Outlook.com, OneDrive, and Xbox Live.
The company said at the time that a race condition resulted in the signing key being present either in a crash dump or a snapshot of the crashed system. The key eventually ended up with the debugging team on Microsoft's Internet-connected corporate network, where threat actors likely picked it off.
However, government officials held executives' feet to the fire over the company's failure to detect the compromise of its cryptographic crown jewels on its own, as it was a customer — a human rights organization who did not have access to advanced cloud security logging — that first alerted the company to a potential issue.
Moreover, Microsoft has never proven that the key used by attackers ended up in any crash dump or snapshot, and failed to correct statements claiming this as the root cause in a timely manner. Indeed, Microsoft did not roll back its story on how the key got into the hands of Storm-0558 until last month, when it amended its blog post and acknowledged it never located a crash dump containing the key.
Finally, Microsoft is generally lax in comparison to other cloud service providers (CSPs) when it comes to cloud security, failing to keep security controls to a similar standard, the board found. The company must level up immediately given that its ubiquitously used products underpin essential services that support national security, the foundations of our economy, and public health and safety, which in turn, requires Microsoft to demonstrate the highest standards of security, accountability, and transparency, officials concluded.
A Microsoft spokesperson said that the company appreciates the work of the board to investigate the attack, and that in its aftermath the company has recognized "a need to adopt a new culture of engineering security in our own networks."
To that end, Microsoft unveiled what it's calling a Secure Future Initiative, to mobilize its engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.
"Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries," the spokesperson said, adding that Microsoft will also take into consideration any additional recommendations by the board.
