Date: 2023-08-22

The infosec community has voiced its frustration with Microsoft, accusing the tech giant of failing to meet its security commitments. This backlash follows a recent breach in which a Chinese nation-state threat actor gained access to 25 organizations, including U.S. government agencies, by exploiting a “token validation issue” in Microsoft’s Outlook Web Access in Exchange Online and Outlook.com.

What stood out about this breach was that it was initially detected by the U.S. government, not by Microsoft itself. The Cybersecurity and Infrastructure Security Agency (CISA) disclosed that the breach was only identified because the Federal Civilian Executive Branch had enabled enhanced logging for its Microsoft 365 environment. This raised questions about Microsoft’s own security measures and detection capabilities.

In response to the breach, Microsoft has announced plans to enhance its cloud logging capabilities and provide a wider range of logs to standard subscribers. These enhancements aim to improve visibility and enable customers to detect and respond to threats more effectively. Microsoft also faced criticism for its lack of transparency in disclosing technical details about the breach and the underlying vulnerability.

This incident is not an isolated event for Microsoft. The company has been subject to ongoing criticism regarding its transparency and communication practices. Security professionals, including Amit Yoran, chairman and CEO of Tenable, have called out Microsoft for silently patching vulnerabilities and downplaying their severity. Yoran highlighted a repeated pattern of behavior from Microsoft compared to other organizations that have demonstrated exemplary disclosure practices.

Yoran also criticized Microsoft for its response to vulnerabilities discovered by Tenable researchers, claiming that the company delayed implementing fixes and failed to disclose critical issues. He argued that Microsoft’s message of trust falls flat when it comes to disclosing risks to customers using its cloud infrastructure.

The lack of transparency and disclosure guidelines for cloud vulnerabilities has been a long-standing concern among security researchers. While many cloud providers issue incomplete security advisories or none at all, Microsoft’s critics argue that the company needs to do better in informing customers about risks they may be facing.

Overall, these incidents and criticisms highlight the need for Microsoft to improve its security practices and communication with the infosec community. Transparency, timely disclosure, and collaboration are essential for building trust and maintaining strong security standards.

