Report on the Microsoft Online Exchange Incident from Summer 2023.
I was honored to be part of the US Government Cyber Safety Review Board where we studied the Summer 2023 Microsoft Exchange Online intrusion. This review examined how a Chinese state-affiliated group, Storm-0558, was able to breach Microsoft systems and access sensitive data. The Board concluded the intrusion was preventable and pointed to Microsoft’s operational and strategic decisions that deprioritized enterprise security as a root cause. I’ve seen significant effort by Microsoft to eliminate tech debt and improve foundational security. As part of its broader strategic response, Microsoft launched the Secure Future Initiative (SFI). This framework was designed to overhaul its security model across the cloud ecosystem, prioritizing robust identity and credential protections, faster patching, and enhanced threat detection capabilities.
During this study, the CSRB gathered input from 20 organizations, experts, and affected companies. Our findings led to a set of recommendations for both industry and government aimed at strengthening cloud security, transparency, and victim notification. Among them: improving baseline cybersecurity practices for cloud providers, adopting stronger audit logging and identity standards, and updating federal security frameworks to keep pace with evolving threats.
This report, the third from the CSRB since its founding in 2022, reinforces a critical message—cloud services are core national infrastructure. Nation-state actors are targeting them aggressively, and both government and industry must raise the bar for security by design.
Read the full document here:
Report on the Microsoft Online Exchange Incident from Summer 2023.
