Microsoft Exchange breach from 2023 was Microsoft’s fault

In May and June 2023, a threat actor compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world. The actor—known as Storm-0558 and assessed to be affiliated with the People’s Republic of China in pursuit of espionage objectives—accessed the accounts using authentication tokens that were signed by a key Microsoft had created in 2016. This intrusion compromised senior United States government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, United States Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon.

[…]

The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.
↫ Cyber Safety Review Board’s report

The Cyber Safety Review Board reviewed the attack on Microsoft Exchange from last year, with Microsoft’s cooperation, and it turns out it was kind of a complete and utter shitshow inside Microsoft – a cascade of failures, as the report calls it – and concludes that it was an entirely preventable attack. The report is not kind to Microsoft, and it’s a very interesting read if you’re into this sort of post mortems of security breaches.