Microsoft Accused of Negligence in Recent Email Compromise

A US Senator has demanded that the White House hold Microsoft to account for a Chinese cyber campaign that compromised US government emails.

In an open letter, Senator Ron Wyden, a Democrat representing Oregon, said that Microsoft should be held “responsible for its negligent cybersecurity practices, which enabled a successful Chinese espionage campaign against the US government.”

The letter, dated July 27, 2023, was addressed to Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA); Lina Khan, Chair of the Federal Trade Commission; and Merrick B. Garland, Attorney General at the US Department of Justice.

The letter relates to the discovery of a hacking campaign that led to the exfiltration of Exchange Online Outlook data. On July 12, CISA and the FBI released a joint advisory to provide guidance to critical infrastructure organizations on enhancing monitoring of Microsoft Exchange Online environments following this discovery.

Shortly after, Microsoft published its investigation into malicious mail activity, which found that the Chinese threat actor group Storm-0558 had gained access to customer email accounts from May 15, including US government agencies.

Storm-0558 is known for targeting government agencies in Western Europe and focuses on espionage, data theft and credential access.

Microsoft explained that the threat actors were able to access customer email accounts via Outlook Web Access (OWA) in Exchange Online and Outlook.com by forging authentication tokens using an acquired Microsoft signing key.

It added that it had mitigated the issue by blocking the use of tokens signed with the acquired MSA key in OWA, replacing the key to prevent the hackers from using it to forge more tokens, and blocking the use of tokens issued with the key for all impacted consumer customers.

Wyden wrote in the letter that “government emails were stolen because Microsoft committed another error.”

Although the stolen encryption key was for consumer accounts, “a validation error in Microsoft code” allowed the hackers to also create fake tokens for Microsoft-hosted accounts for government agencies and other organizations, and thereby access those accounts, said Wyden.

He argued that Microsoft should not have had “a single skeleton key” that would enable attackers to access customers’ private communications if stolen. Wyden also raised questions about how the encryption key was stored.
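The two points above, a token-validation error that let a consumer-scoped key authorize enterprise accounts and the risk of one "skeleton key" being honoured everywhere, come down to a single check: the key that signed a token must be one the token's claimed issuer is allowed to use. The toy verifier below is an added illustration and is not Microsoft's code or a description of its actual token format or internals; it uses HMAC-SHA256 over a JWT-shaped string with constructed secrets and issuer URLs so it runs offline with the standard library only. `verify_weak` accepts any known key from a merged key set, while `verify_strict` additionally requires that the key's bound issuer scope match the token's `iss` claim.

```python
"""Added example: binding signing keys to the issuer scope they may sign for.

Not Microsoft's code. Key ids, secrets and issuer URLs below are constructed
placeholders; a real identity provider would publish asymmetric keys per issuer.
"""
import base64
import hashlib
import hmac
import json

# Constructed key registry. Each key is bound to exactly one issuer scope; the
# defect modelled here is a verifier that ignores that binding.
KEYS = {
    "consumer-kid-1": {
        "secret": b"consumer-signing-secret-constructed",
        "issuer": "https://login.example/consumer",
    },
    "enterprise-kid-1": {
        "secret": b"enterprise-signing-secret-constructed",
        "issuer": "https://login.example/enterprise",
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Build header.payload.signature under key `kid` (HS256 stand-in).

    Whoever holds the key material can sign arbitrary claims, including an
    `iss` the key was never meant to speak for; only the verifier can stop that.
    """
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _parse(token: str):
    """Split a token into (header, claims, signing_input, signature) or None if malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    return header, claims, f"{parts[0]}.{parts[1]}", sig


def _signature_valid(kid, signing_input: str, sig: bytes) -> bool:
    key = KEYS.get(kid)
    if key is None:
        return False
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_weak(token: str, expected_issuer: str) -> bool:
    """Weak: any key in the merged set validates any issuer's tokens."""
    parsed = _parse(token)
    if parsed is None:
        return False
    header, claims, signing_input, sig = parsed
    if not _signature_valid(header.get("kid"), signing_input, sig):
        return False
    return claims.get("iss") == expected_issuer


def verify_strict(token: str, expected_issuer: str) -> bool:
    """Strict: the signing key must be bound to the issuer the token claims."""
    parsed = _parse(token)
    if parsed is None:
        return False
    header, claims, signing_input, sig = parsed
    kid = header.get("kid")
    if not _signature_valid(kid, signing_input, sig):
        return False
    if claims.get("iss") != expected_issuer:
        return False
    # The check the weak verifier lacks: a consumer key cannot vouch for enterprise claims.
    return KEYS[kid]["issuer"] == claims["iss"]


def demo() -> dict:
    """Compare both verifiers on a token signed with the wrong scope's key and a legitimate one."""
    enterprise = "https://login.example/enterprise"
    claims = {"iss": enterprise, "sub": "constructed-user", "aud": "mail"}
    wrong_scope = sign_token("consumer-kid-1", claims)   # valid signature, wrong key scope
    legitimate = sign_token("enterprise-kid-1", claims)
    return {
        "weak_accepts_wrong_scope": verify_weak(wrong_scope, enterprise),
        "strict_accepts_wrong_scope": verify_strict(wrong_scope, enterprise),
        "strict_accepts_legitimate": verify_strict(legitimate, enterprise),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that signature validity and issuer authorization are separate questions: a verifier that answers only the first turns every key in its trust store into a key for every tenant, which is what makes a single leaked key so damaging. Keeping the key-to-issuer binding in the key registry, rather than trusting the `kid` header alone, also means a leaked key can be revoked for one scope without touching the others.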

Wyden added that Microsoft did not take responsibility for its role in the SolarWinds supply chain incident in 2020, in which Russian state-sponsored attackers stole encryption keys and forged Microsoft credentials to gain access to sensitive information.

As a result, Wyden called for a “whole of government” effort to hold Microsoft responsible for its “negligence.” He asked each of the agencies to examine Microsoft’s security and privacy practices and ascertain whether they violated federal law.

On July 26, it was reported that the Wuhan Earthquake Monitoring Center in China was hit by a cyber-incident perpetrated by a hacker group with an “overseas government background.”
