2024-04-03
CISA's Cyber Safety Review Board Report on 2023 Microsoft Exchange Online Intrusion
The US Cybersecurity and Infrastructure Security Agency's (CISA's) Cyber Safety Review Board (CSRB) has released a report on the Microsoft Exchange Online intrusion that occurred last summer. The threat actor accessed Microsoft Exchange mailboxes of high-level officials in the US government using authentication tokens that were signed by a key Microsoft had created in 2016. Microsoft does not know how the threat actor obtained the key. The CSRB report finds that the intrusion was preventable, and concludes that Microsoft's security culture was inadequate.
Editor's Note
I think this quote from the CSRB report sums it up: "Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management." During this review time frame Microsoft announced their Secure Future Initiative; focusing on the required internal culture change is a prerequisite for that being anything more than a marketing campaign.
John Pescatore
Security culture (or lack thereof) was emphasized in the report at least 12 times. Security is no longer just a technical issue but a people and ultimately cultural issue. Kudos to Microsoft for being so open and cooperative with the CSRB in creating the report.
Lance Spitzner
This was not a single event but a combination of events, from a compromised laptop in an acquired company, which wasn't verified prior to connection to the corporate network, to those old MFA tokens. Take the issues outlined in the report and see if you have any similar gaps. Don't omit culture from your consideration. Not just secure day one but remaining so always, with verification and incentives if possible.
Lee Neely
This is an excellent report and I encourage you to read it. It highlights to me that Microsoft need to have another Bill Gates Trustworthy Computing moment but focused on Trustworthy Cloud Computing.
Brian Honan
Read more in:
CISA: Review of the Summer 2023 Microsoft Exchange Online Intrusion (PDF)
Cyberscoop: Cyber review board blames cascading Microsoft failures for Chinese hack
Security Week: Microsoft's Security Chickens Have Come Home to Roost
Bleeping Computer: Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack
The Register: Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online
SC Magazine: Review board slams Microsoft's lax security practices and culture
Ars Technica: Microsoft blamed for a cascade of security failures in Exchange breach report
The Record: DHS blames cascade of security failures at Microsoft for China hack on US