United States of America: Issued Cyber Safety Review Board findings following investigation into Microsoft Online Exchange incident

On 2 April 2024, the United States Cyber Safety Review Board (CSRB) published a report concluding its investigation into a Microsoft Online Exchange incident from the summer of 2023. The report attributes the significant cybersecurity incident in 2023 to a Chinese hacking group known as Storm-0558, which compromised Microsoft Exchange Online mailboxes of various organisations and individuals, including high-level US government officials, by exploiting a stolen cryptographic signing key from Microsoft. The CSRB conducted an investigation and found that the intrusion was preventable, citing Microsoft's inadequate security culture, failure to detect the compromise, and a series of avoidable errors. The CSRB recommends that Microsoft examine its security practices, prioritise security over new features, and increase transparency and accountability. Additionally, the CSRB provides recommendations for improving cloud identity and authentication security practices across government agencies, cloud service providers, and their customers.