Microsoft Accused of 'Cascade of Errors' in 2023 Chinese Outlook Attack

In a 34-page report, a federal review board concluded that lax security practices at Microsoft contributed to last year's compromise of Outlook email accounts by a Chinese hacker group.

In July 2023, the China-affiliated hacker group known as "Storm-0558" was found to have infiltrated Microsoft Exchange Online email accounts belonging to 22 organizations and over 500 individuals globally. Among the prominent targets was Nicholas Burns, the U.S. ambassador to China. The attackers had access to a number of cloud-hosted mailboxes for at least six weeks, during which they downloaded approximately 60,000 emails from the State Department alone.

After a thorough investigation, the Cyber Safety Review Board (CSRB), which operates under the U.S. Department of Homeland Security (DHS), publicly released its report on Tuesday. It found that Microsoft's lack of focus on both internal and customer security was a major factor in the incident. "Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management," the report reads.

The breach was initially detected by the State Department's security operations team, which noticed suspicious mailbox access patterns and confirmed them through a custom alert rule dubbed "Big Yellow Taxi." Microsoft initially said that the attack was conducted through traditional hacking methods, but the company's later investigation revealed that Storm-0558 had obtained an aged Microsoft account (MSA) consumer signing key and used it to forge authentication tokens, gaining unauthorized access to the mailboxes.

Despite intensive investigation, Microsoft has been unable to determine how the attackers obtained the key, and it struggled to fully mitigate the breach's impact, according to the report. The incident, the Board found, exposed a significant flaw in Microsoft Exchange Online's token validation logic: tokens signed with the consumer key were accepted for enterprise mailboxes, which that key should never have been able to authorize. It prompted an ongoing, high-priority investigation by Microsoft, alongside efforts to notify and protect affected organizations and individuals.
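The mechanism described above, as an added illustration that is not Microsoft's code and is not taken from the CSRB report: a token validator that looks a key ID up in the union of consumer and enterprise key sets, without binding the key to the issuer the service expects or checking the key's retirement date, accepts a forged enterprise token signed with a consumer key. The hardened validator beside it makes both checks. Key names, issuer names, the "not_after" retirement field and the HMAC-SHA256 stand-in for RSA signing keys are all constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key material (hypothetical). Real MSA and Entra ID signing keys are RSA
# key pairs published as JWKS; HMAC-SHA256 stands in so the example needs only the
# standard library. "not_after" is the point after which a key should no longer be
# trusted for signature validation, modelled on the retirement date the aged key missed.
CONSUMER_KEYS = {
    "consumer-2016": {"secret": b"consumer-signing-secret-2016", "not_after": 1609459200},
}
ENTERPRISE_KEYS = {
    "enterprise-2023": {"secret": b"enterprise-signing-secret-2023", "not_after": 4102444800},
}
# Each issuer (identity provider) is trusted only with its own key set.
ISSUER_KEYS = {"consumer-idp": CONSUMER_KEYS, "enterprise-idp": ENTERPRISE_KEYS}


def sign_token(kid: str, secret: bytes, claims: dict) -> str:
    """Mint a compact JWT-style token: header.claims.signature, HMAC-SHA256 over the first two."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(claims_b64))
    return header, claims, header_b64 + "." + claims_b64, _b64url_decode(sig_b64)


def _signature_ok(secret: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_vulnerable(token: str):
    """Flawed validator: any kid found in the merged key sets verifies the token.
    Neither the key's issuer scope nor its retirement date is checked, so a token
    signed with the consumer key but carrying enterprise claims is accepted."""
    merged = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    header, claims, signing_input, sig = _split(token)
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(key["secret"], signing_input, sig):
        return None
    return claims


def validate_hardened(token: str, expected_issuer: str, expected_audience: str, now=None):
    """Hardened validator: the key lookup is bound to the issuer the service expects,
    retired keys are rejected, and alg/iss/aud/exp are checked before claims are trusted."""
    now = time.time() if now is None else now
    header, claims, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":
        return None
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        return None
    key = ISSUER_KEYS.get(expected_issuer, {}).get(header.get("kid"))
    if key is None or now > key["not_after"]:
        return None  # unknown kid for this issuer, or key past retirement
    if not _signature_ok(key["secret"], signing_input, sig):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def forge_enterprise_token(now=None) -> str:
    """What a holder of the consumer key can do: mint a token naming an enterprise mailbox."""
    now = time.time() if now is None else now
    claims = {"iss": "enterprise-idp", "aud": "exchange-online",
              "upn": "target@example.gov", "exp": int(now) + 3600}
    return sign_token("consumer-2016", CONSUMER_KEYS["consumer-2016"]["secret"], claims)


def legitimate_enterprise_token(now=None) -> str:
    now = time.time() if now is None else now
    claims = {"iss": "enterprise-idp", "aud": "exchange-online",
              "upn": "employee@example.gov", "exp": int(now) + 3600}
    return sign_token("enterprise-2023", ENTERPRISE_KEYS["enterprise-2023"]["secret"], claims)


def stale_consumer_token(now=None) -> str:
    """A consumer-scoped token signed with the retired consumer key."""
    now = time.time() if now is None else now
    claims = {"iss": "consumer-idp", "aud": "exchange-online",
              "upn": "someone@example.com", "exp": int(now) + 3600}
    return sign_token("consumer-2016", CONSUMER_KEYS["consumer-2016"]["secret"], claims)


if __name__ == "__main__":
    t = 1700000000  # fixed clock so the run is reproducible
    print("vulnerable accepts forged token:", validate_vulnerable(forge_enterprise_token(t)) is not None)
    print("hardened accepts forged token:", validate_hardened(forge_enterprise_token(t), "enterprise-idp", "exchange-online", t) is not None)
    print("hardened accepts legitimate token:", validate_hardened(legitimate_enterprise_token(t), "enterprise-idp", "exchange-online", t) is not None)
    print("hardened accepts retired-key token:", validate_hardened(stale_consumer_token(t), "consumer-idp", "exchange-online", t) is not None)
```

The two defects the hardened version closes are the ones that mattered in this incident: a signing key is only ever looked up inside the key set of the issuer the relying party expects, and a key past its retirement date is refused even if its signature still verifies.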

"Cloud computing is some of the most critical infrastructure we have, as it hosts sensitive data and powers business operations across our economy," said DHS Under Secretary of Policy and CSRB Chair Robert Silvers, in a press release. "It is imperative that cloud service providers prioritize security and build it in by design."

While the report is critical of Microsoft, it thanked the company for its assistance in the investigation and credited it with helping to shed light on the Chinese government-backed hacker group. The report also noted that Microsoft has taken steps to improve security, including reworking how tokens are validated and closing the gap that allowed a consumer signing key to mint tokens accepted for enterprise data.

The report also provided a list of four recommendations specifically for Microsoft to implement:

  • Microsoft should enhance its security culture with direct involvement from its CEO and Board of Directors, developing and publicly sharing a detailed plan for comprehensive security reforms across all products.
  • Microsoft should focus on bolstering security across its portfolio before rolling out new cloud-based features and services.
  • Microsoft should make security a "design requirement" across all its products and services.
  • Microsoft and other cloud providers should implement stronger security logging to help identify breaches and increase transparency to customers.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
