
Microsoft blamed for "a cascade of security failures" in Exchange breach report

120 points, by alexandreyc, about 1 year ago

7 comments

consumer451, about 1 year ago
The linked story from 2023 has insane details. I'm pretty sure I had heard this before, but blocked it out due to some sort of normalcy bias.

This plus the latest State Dept. hack deserves pulling the CEO in front of Congress. It is known that there used to be a saying at Microsoft, ~"Don't get Bill pulled in front of Congress", to avoid making bad decisions. That should be a thing again.

> He also faulted Microsoft for waiting five years to refresh the signing key abused in the attacks, saying best practices are to rotate keys more frequently. He also criticized the company for allowing authentication tokens signed by an expired key, as was the case in the attack.

https://arstechnica.com/security/2023/08/microsoft-cloud-security-blasted-for-its-culture-of-toxic-obfuscation/

Comment #39938031 not loaded
Comment #39942462 not loaded

exitzer0, about 1 year ago
Notice how little scrutiny Microsoft has been getting by Congress, DOJ, FTC, etc. despite these many huge security blunders and whatever is going on between them and OpenAI.

This might be because it is almost impossible to tell where Microsoft starts and the government ends these days. Also remember that Microsoft was basically the pilot program for Prism.

Comment #39946114 not loaded

kjellsbells, about 1 year ago
There are still things that feel murky from reading the CISA report.

For example, it notes that Microsoft do not know for certain how the attacker got in in the first place, but they and the government suspect (see 1.2.4 of the CISA report) it was a compromise of a laptop owned by an employee of Affirmed Networks, who Microsoft bought in 2021.

Are they saying, then, that the attacker was in their network for two years? Or that the attacker was someone able to leap from this laptop to Microsoft's identity systems (which would be very odd, since Affirmed were not in that business, so there would have been no reason for such a laptop to be anywhere close to Azure's insides)?

One bright spot in the report, deserving of kudos, is that the folks at the State Department understood their monitoring tools and used them very well to uncover the anomaly that led to the discovery of this compromise.

bonton89, about 1 year ago
> Once Microsoft realized that the intruders had used a theoretically expired 2016 consumer signing key to forge tokens for an enterprise customer, it launched an "all-hands-on-deck" investigation that went through the night, June 26–27. The company arrived at 46 hypotheses for the intrusion, including "a theoretical quantum computing capability to break public-key cryptography."

I feel like this is a twist on the denial stage of grief. Sure, our house is on fire... but maybe it is because an asteroid just struck the earth.

Comment #39944126 not loaded

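The passage consumer451 quotes above (rotate signing keys, and never accept a token signed by an expired key) and the one bonton89 quotes (a consumer signing key used to mint tokens for an enterprise customer) describe two checks a token verifier has to enforce independently of the signature itself. What follows is an added example, not code from this thread, from the CSRB report or from Microsoft: a small stdlib-only Python verifier in which every key id, secret, date and claim name is constructed for illustration, and HMAC-SHA256 stands in for the asymmetric signatures a real identity platform would use. `weak_verify` trusts any key id still present in the key set; `strict_verify` additionally rejects a key that is outside its validity window and a key that is not the class allowed to sign this kind of token.

```python
"""Added example (not from the thread): a toy token verifier contrasting a lax
check with a strict one. Stdlib only; key ids, secrets, dates and claim names
are constructed, and HMAC-SHA256 stands in for real asymmetric signing."""
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key set. Each key carries a validity window (Unix seconds) and
# the single token class it is allowed to sign.
KEYS = {
    "consumer-2016": {
        "secret": b"constructed-consumer-secret-2016",
        "not_before": 1451606400,  # 2016-01-01
        "not_after": 1609459200,   # 2021-01-01: should be retired after this
        "scope": "consumer",
    },
    "enterprise-2023": {
        "secret": b"constructed-enterprise-secret-2023",
        "not_before": 1672531200,  # 2023-01-01
        "not_after": 1704067200,   # 2024-01-01
        "scope": "enterprise",
    },
}

NOW = 1687737600  # constructed "current time" (2023-06-26 UTC) for the checks


def _encode(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_token(claims: dict, kid: str, keys: dict = KEYS) -> str:
    """Build header.payload.signature, JWT-style, with the named key."""
    signing_input = _encode({"alg": "HS256", "kid": kid}) + "." + _encode(claims)
    mac = hmac.new(keys[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def _parse(token: str):
    h, p, s = token.split(".")
    return f"{h}.{p}", json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def _signature_ok(signing_input: str, sig: bytes, key: dict) -> bool:
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def weak_verify(token: str, keys: dict = KEYS):
    """Lax verifier: any key id still present in the key set is trusted; the
    key's lifetime and the token class it may sign are never checked."""
    signing_input, header, _, sig = _parse(token)
    key = keys.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if not _signature_ok(signing_input, sig, key):
        return False, "bad signature"
    return True, "ok"


def strict_verify(token: str, expected_scope: str, now: int = NOW, keys: dict = KEYS):
    """Strict verifier: key inside its validity window, key class matches the
    token class being accepted, signature valid, and token itself unexpired."""
    signing_input, header, claims, sig = _parse(token)
    key = keys.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if not key["not_before"] <= now < key["not_after"]:
        return False, "signing key outside its validity window"
    if key["scope"] != expected_scope or claims.get("scope") != expected_scope:
        return False, "key not authorised for this token class"
    if not _signature_ok(signing_input, sig, key):
        return False, "bad signature"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    claims = {"sub": "admin@corp.example", "scope": "enterprise", "exp": NOW + 3600}
    mis_signed = sign_token(claims, "consumer-2016")   # retired consumer key
    legit = sign_token(claims, "enterprise-2023")
    print("weak,   consumer key:", weak_verify(mis_signed))
    print("strict, consumer key:", strict_verify(mis_signed, "enterprise"))
    print("strict, proper key:  ", strict_verify(legit, "enterprise"))
```

Running the file directly prints the three outcomes. The design point is that key rotation alone does not help if the verifier keeps honouring the old key; retirement has to be enforced at verification time by checking the key's window against the current time, and the class of key (consumer versus enterprise) is a separate check from whether the signature is mathematically valid.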
nickburns, about 1 year ago
https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf

ChrisArchitect, about 1 year ago
Related official report:

*CISA Releases Report on Microsoft Online Exchange Incident from Summer 2023*

https://news.ycombinator.com/item?id=39922066

tiahura, about 1 year ago
If it's Boeing …