In May and June 2023, a threat actor compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world. The actor—known as Storm-0558 and assessed to be affiliated with the People’s Republic of China in pursuit of espionage objectives—accessed the accounts using authentication tokens that were signed by a key Microsoft had created in 2016. This intrusion compromised senior United States government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, United States Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon.
[…] The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.
Cyber Safety Review Board’s report
The Cyber Safety Review Board reviewed last year’s attack on Microsoft Exchange, with Microsoft’s cooperation, and it turns out it was kind of a complete and utter shitshow inside Microsoft – a cascade of failures, as the report calls it – and concludes that it was an entirely preventable attack. The report is not kind to Microsoft, and it’s a very interesting read if you’re into this sort of post mortem of security breaches.
Recall all the comments in favor of proprietary software after the xz hack.
Makes sense. We use Microsoft Office at work and a few months ago had to go through cybersecurity training as a request from Microsoft. The training itself was a bunch of nonsense, such as how to identify spam and phishing emails, but really dumbed down. I thought the timing was a little strange… just a few months after that very public breach. Now it all makes sense, Microsoft wants to put that kind of stuff on their customers, so they can rake in the money and blame you when things go wrong.
“The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul,”
This has been true since the early ‘80s so nothing has changed. Security has always been crappy on Windows.