As per reports, Microsoft is under scrutiny for its attempts to understate the gravity of a massive email breach in which Chinese hackers gained unauthorized access to sensitive email accounts at about 25 organizations. These reportedly include the US Departments of State and Commerce, which has sounded the alarm across the cybersecurity sector.
A subtle play on semantics
Notably, in the aftermath of the breach, Microsoft appears to have avoided directly acknowledging that the exploitation of zero-days, vulnerabilities that hackers can take advantage of before they’re discovered by the vendor, was at the core of this breach. Instead, the tech giant seemed to use vaguer terms such as “issue,” “error,” and “flaw” when attempting to explain the hackers’ path of infiltration.
An undisclosed security loophole
Microsoft’s Threat Intelligence team has identified the alleged culprits as Storm-0558, a China-based hacking group reportedly conducting espionage on behalf of the Chinese government. The hackers used an acquired Microsoft account consumer signing key and, because of a validation error in Microsoft’s code, were able to forge Azure AD tokens with it and breach the robust cloud service. This service contains keys for managing logins across thousands of organizations, both internal and cloud-based.
The premium price of protection
In the aftermath of the breach, Microsoft’s purported “pay-to-play” security model has come under criticism: the details essential to identifying the breach were available exclusively to customers who chose the pricier “E5” enterprise license. Critics assert that this approach effectively blinds organizations subscribed to a more affordable license to potential breaches.
Table breakdown: E5 vs. E3 licenses
Feature | E5 License | E3 License |
---|---|---|
Cost per month per user | $57 | $36 |
Access to audit logs | Yes | No |
A call for greater transparency
Following the incident, experts have called on Microsoft to provide more transparency about its vulnerabilities and how it handles them. This includes a request for a Common Vulnerabilities and Exposures (CVE) tracking designation, a common practice among other cloud companies.
As of now, Microsoft maintains the stance that there’s no concrete evidence of a zero-day being exploited in this case. However, critics argue that the tech giant’s usage of the term ‘exploit’ indirectly points towards vulnerabilities.