US cyber board blames Microsoft for May Storm-0558 hack

The DHS Cyber Safety Review Board (CSRB) has released a report on the May 2023 intrusion into Microsoft by the Chinese threat actor Storm-0558, in which the hackers breached an unidentified number of email accounts linked to around 25 organizations, including related individual consumer accounts and government agencies in Western Europe and the US.

The threat actor leveraged forged authentication tokens to access the affected email accounts via Outlook Web Access (OWA) in Exchange Online and via Outlook.com.

CSRB’s report found Microsoft at fault for the intrusion, which officials said was “preventable”, adding that “Storm-0558 was able to succeed because of a cascade of security failures at Microsoft.”

In its report, the board highlighted a series of decisions made by Microsoft that have had detrimental effects on enterprise security, risk management, and customer trust in safeguarding their data and operations.

The board has concluded that Microsoft's security culture is insufficient and necessitates a comprehensive overhaul, particularly given the company's pivotal role in the technology ecosystem and the significant trust customers place in it to protect their data and operations.

The board's conclusion is based on several key factors:

  • The succession of avoidable errors made by Microsoft that allowed the intrusion to succeed.

  • Microsoft's failure to independently detect the compromise of its critical cryptographic assets, instead relying on a customer to report anomalies they had observed.

  • A comparative evaluation of security practices at other cloud service providers, which revealed controls that those providers had in place but Microsoft lacked.

  • Microsoft's inability to detect a compromise of an employee's laptop from a recently acquired company before allowing it to connect to the corporate network in 2021.

  • Delays in rectifying inaccurate public statements made by Microsoft regarding the incident, despite acknowledging the inaccuracies in November 2023. The correction was not issued until March 12, 2024, after repeated inquiries from the board regarding Microsoft's plans for addressing the issue.

Additionally, the board noted a separate incident disclosed by Microsoft in January 2024, which fell outside the scope of the board's review. This incident revealed a compromise that granted access to highly sensitive Microsoft corporate resources, including email accounts, source code repositories, and internal systems, to a different nation-state actor.
