Microsoft has worked hard to establish itself as the world’s largest private cyber police force. Though best known for the ubiquity of its Windows operating system and software platforms, the US multinational is also a formidable cybersecurity watchdog, parsing billions of data points feeding in from its products around the world to surveil and defend against the daily activities of the world’s pre-eminent cybercriminals. As such, its threat intelligence reports are regarded with the utmost seriousness by politicians and industry analysts alike, while its core cybersecurity business continues to ascend on an upward trajectory, surpassing $20bn in revenue last year.
Microsoft seems intent on doubling down on that success, promising to invest a similar sum to deliver more advanced defensive software by 2026. That’s likely to have implications not only for a plethora of private companies, but nation-states, too. In Ukraine, for example, Microsoft’s early interventions helped counteract the noxious impact of destructive malware that had been planted inside Ukrainian IT systems as early as January 2022 — a whole month before the official beginning of Russia’s full-scale war. The firm also helped to exfiltrate data from several Ukrainian government departments into its cloud, thus sparing all-important information from being destroyed by a cruise missile that Russia fired at one of Ukraine’s most important data centres.
But Microsoft is also grappling with its own cybersecurity demons. Following a breach of Microsoft’s platforms by suspected Chinese hackers in July, which exposed email accounts operated by various government agencies, it’s under fire in the US Congress for what Senator Ron Wyden has called ‘negligent cybersecurity practices.’
Part of Microsoft’s cybersecurity dilemma comes down to its immense size. Its platforms are used by everyone from schoolteachers and wine sommeliers to trapeze artists, dog groomers, and high-ranking government agents. With more than a billion users apiece on Windows and Office — and more than 500 million active users on cloud computing platform Azure — Microsoft’s systems represent a highly-valuable target for would-be cybercriminals, and as such are under near-constant attack. Equally, the firm is capable of mustering immense computational and financial resources — not to mention an extensive dataset of cyberattacks mounted against its products — to shore up its defences against unwanted intrusions.
“You can’t overestimate how important they are,” says Jamie Moles, a cybersecurity expert and technical marketing manager at ExtraHop. “If I was a hacker and I was looking to spread my malware the furthest, there are two companies I would want to target. For commercial reasons: Microsoft. For consumer devices: Apple,” says Moles. “If I could get onto their update servers and have those servers distribute my malware, I would infect the whole world in an hour – which would be an incredible achievement for any hacker out there, and an absolute disaster for the rest of us.”
Microsoft’s cyber woes
Bill Gates and Paul Allen founded Microsoft — short for micro-computer software — in Albuquerque in 1975. The software development firm released its crowning achievement, the first version of the still-popular Windows, in 1983 and its iconic Office suite in 1989. Microsoft’s first forays into cybersecurity came in the ’90s, when it started releasing security patches for its flagship operating systems. Throughout the following decade, as cyberattacks became an increasingly bothersome plague, the company started acquiring an array of existing security vendors — a practice it’s kept up over the past two decades. Investments in cloud security, designed to protect flagship platform Azure, helped Microsoft gain a firm foothold in this emerging arena of cybersecurity.
Microsoft’s recent cybersecurity demons, however, risk unsettling its hard-won progress toward establishing itself as a trusted figure in the global security landscape. It’s currently taking a lot of heat from the US Congress, especially Democratic Senator Ron Wyden, who chairs the Senate Finance Committee. He’s accused Microsoft of twice failing to prevent state-sponsored hackers from breaching US government systems: first during the Russia-linked hack of SolarWinds in 2020, which compromised a raft of government agencies, and most recently, during attacks on Microsoft Outlook and Azure, which enabled China-linked hackers to breach government-linked email accounts.
In a blog post in July, Microsoft revealed that a China-based hacking group, which the company calls ‘Storm-0558’, appears intent on ‘gaining access to email systems for intelligence collection.’ The company admitted, moreover, that the hackers had acquired a ‘Microsoft account (MSA) consumer signing key’ which could be exploited to forge authentication tokens for enterprise accounts in Outlook. This ultimately enabled the hackers to breach an unidentified number of email accounts linked to around 25 different organisations — including government agencies in the US and Europe.
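The failure mode the post describes, a signing key meant for one population of accounts being accepted for another, comes down to how a token verifier chooses its key. The following is an added illustration, not Microsoft's code and not a description of how its services are built: a minimal JWT-style verifier in Python that uses HMAC-SHA256 as a stand-in for the real asymmetric signatures, with constructed placeholder keys, issuer URLs (`login.example.test`) and audiences. It contrasts a flat lookup (any known key id is eligible) with a lookup scoped to the expected issuer, and shows that a token signed with the "consumer" key but carrying enterprise claims passes the first verifier and is rejected by the second.

```python
import base64
import hashlib
import hmac
import json

# Constructed identifiers for the demo; none of these are real endpoints or keys.
CONSUMER_ISSUER = "https://login.example.test/consumers"
ENTERPRISE_ISSUER = "https://login.example.test/contoso-tenant"
MAIL_AUDIENCE = "https://mail.example.test"

# Each issuer publishes its own key set (placeholder secrets, not real material).
KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: {"kid-consumer-1": b"consumer-key-placeholder"},
    ENTERPRISE_ISSUER: {"kid-enterprise-1": b"enterprise-key-placeholder"},
}
# The weak model: one flat table indexed by key id alone, regardless of issuer.
ALL_KEYS = {kid: key for keys in KEYS_BY_ISSUER.values() for kid, key in keys.items()}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Produce header.payload.signature with HMAC-SHA256 (stand-in for RS256)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _parse(token: str):
    """Split and decode a token; return None on any structural problem."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # covers base64, JSON and unpacking errors
        return None
    return header, payload, f"{h_b64}.{p_b64}".encode(), sig


def _check(parsed, key: bytes, expected_issuer: str, expected_audience: str):
    """Constant-time signature check, then issuer and audience claims."""
    header, payload, signing_input, sig = parsed
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if payload.get("iss") != expected_issuer or payload.get("aud") != expected_audience:
        return None
    return payload


def verify_flat(token: str, expected_issuer: str, expected_audience: str):
    """Weak verifier: any key id in the global table is eligible."""
    parsed = _parse(token)
    if parsed is None or parsed[0].get("alg") != "HS256":
        return None
    key = ALL_KEYS.get(parsed[0].get("kid"))
    return None if key is None else _check(parsed, key, expected_issuer, expected_audience)


def verify_scoped(token: str, expected_issuer: str, expected_audience: str):
    """Hardened verifier: only keys published for expected_issuer are eligible."""
    parsed = _parse(token)
    if parsed is None or parsed[0].get("alg") != "HS256":
        return None
    key = KEYS_BY_ISSUER.get(expected_issuer, {}).get(parsed[0].get("kid"))
    return None if key is None else _check(parsed, key, expected_issuer, expected_audience)


def token_signed_with_consumer_key() -> str:
    """Enterprise claims, but signed by the consumer issuer's key (the mismatch case)."""
    return sign_token("kid-consumer-1", KEYS_BY_ISSUER[CONSUMER_ISSUER]["kid-consumer-1"],
                      {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "sub": "someone@contoso.example"})


def legitimate_enterprise_token() -> str:
    return sign_token("kid-enterprise-1", KEYS_BY_ISSUER[ENTERPRISE_ISSUER]["kid-enterprise-1"],
                      {"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE, "sub": "alice@contoso.example"})


if __name__ == "__main__":
    t = token_signed_with_consumer_key()
    print("flat verifier accepts cross-population token:", verify_flat(t, ENTERPRISE_ISSUER, MAIL_AUDIENCE) is not None)
    print("scoped verifier accepts it:", verify_scoped(t, ENTERPRISE_ISSUER, MAIL_AUDIENCE) is not None)
```

The signature and the `iss` claim both check out in the flat case because the claim is attacker-controlled and the key that signed it is simply "a known key"; the scoped verifier instead asks whether the key belongs to the issuer the relying party expected, which is the check that makes a stolen key from one population useless against another.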
The hack was first uncovered by the US State Department, not Microsoft, in June. Officials in Washington DC quickly got in touch with their counterparts at Redmond to try to dig into the source of the breach. (“We continue to hold the procurement providers of the US government to a high security threshold,” a spokesperson for the National Security Council said in a statement at the time.) The hack reportedly affected unclassified systems and doesn’t seem to have compromised any email accounts linked to the military or intelligence community, sources told the Washington Post.
At the end of July, Sen. Wyden asked the Justice Department, the Federal Trade Commission, and the cybersecurity agency CISA to open a probe into Microsoft’s ‘negligent cybersecurity practices’ which ‘enabled a successful Chinese espionage campaign against the United States government.’
“This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks,” a Microsoft spokesperson said at the time. “We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog.”
Amit Yoran, CEO of cybersecurity company Tenable, has also taken aim at the Redmond-based firm. In a post on LinkedIn at the beginning of August, Yoran accused Microsoft of engaging in a ‘repeated pattern of negligent cybersecurity practices.’ He said that the company had taken ‘more than 90 days to implement a partial fix’ after Tenable raised the alarm about a cybersecurity flaw in Microsoft Azure.
Tenable says it initially uncovered the flaw in March and found that it could give would-be hackers access to a company’s sensitive data. Microsoft says it resolved the problem shortly after Yoran’s post attracted widespread attention on LinkedIn, but Yoran still isn’t satisfied, arguing that the long wait before Microsoft implemented its fix left Tenable’s customers vulnerable. “It now appears that it was either fixed [last week] or we were blocked from testing,” he says. “We don’t know the fix, or mitigation, so hard to say if it’s truly fixed or if Microsoft had put a control in place like a firewall rule or ACL to block us.”
For Yoran, Microsoft’s closed-off model is inherently untrustworthy. “When we find [vulnerabilities] in other products, vendors usually inform us of the fix so we can validate it effectively. With Microsoft Azure that doesn’t happen, so it’s a black box, which is also part of the problem. The ‘just trust us’ lacks credibility with the current track record.”
A Microsoft spokesperson told Tech Monitor: “We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximised customer protection with minimised customer disruption.”
A honeypot for hackers
With great market power comes great responsibility, explains Liam Follin, who works at cybersecurity and penetration test provider Pentest People. “Attacks against Microsoft infrastructure form a part of most breaches,” he continues. “Whether it’s attacking exchange servers to gain a foothold on a network, or traversing across one using MS17-010, MS exploitation is part of every hacker’s toolkit.”
That means Microsoft needs to continue investing heavily in its own cyber-resilience. “An organisation of this size is fighting an uphill battle at every stretch,” says Follin. “Every new patch is decompiled and pored over to try and find the next exploit.”
As such, argues Moles, Microsoft’s dominance in IT is a double-edged sword for cybersecurity. It’s subject to an immense flow of inbound attacks, but it’s also got a huge pool of data with which to shore up its defences. The popular uptake of email platform Outlook, for example, means that Microsoft’s machine-learning systems see more phishing emails, one of the most common cyberattacks, than those of almost any other company. Over time, that has made the company more adept at thwarting such attacks, simply because its systems have been trained on more data. Microsoft might have “a big bullseye on them,” says Moles, “but there’s a trap behind that bullseye that’s catching all of the attacks, analysing them and then using that information to protect their customers.”
Microsoft also has hefty resources to fuel its responses to cyberattacks. Distributed Denial-of-Service (DDoS) attacks, like the ones that struck Microsoft in June and caused intermittent outages of Outlook, are getting more pervasive and more sophisticated, says Moles, but companies “are getting better at defending against them.” Microsoft might have got hit, but it recovered very quickly — thanks in part to the company’s sheer scale and financial might. “They’ve got the money and they’ve got the resources to protect against that,” says Moles. “Smaller companies would be overwhelmed and just wouldn’t cope.”
Microsoft’s position as a honeypot for hackers might give it unique opportunities for growth and cybersecurity research. Regardless, it’s still open season on Microsoft in Congress right now, as investigators from the Department of Homeland Security’s Cyber Safety Review Board (CSRB) examine whether Microsoft bears responsibility for the China-linked email breach. Where does the company go from here? Microsoft is trusted by the world’s largest enterprises — in part due to its promise of security — and that’s not something it’ll want to lose. If it can’t clean up enough to deter future accusations of sloppy cybersecurity, Microsoft risks damaging the very security that’s become a large foundation of its business.
But whatever accusations get batted around in Congress, says Moles, the company remains in a strong position — even though rival operating systems like Linux have been gaining ground in recent years. “Microsoft is everywhere now,” he says. “They’re not going anywhere fast.”