Microsoft Exchange Online Breach Receives U.S. Review Board Scrutiny

The Microsoft Exchange Online breach from July is under scrutiny by a United States Department of Homeland Security board, which plans to “conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable” cloud service providers and their customers.

The Cyber Safety Review Board (CSRB) plans to develop actionable recommendations to advance cybersecurity practices for cloud computing customers and cloud service providers (CSPs), sharing those findings with President Joe Biden, Secretary of Homeland Security Alejandro Mayorkas and Cybersecurity and Infrastructure Security Agency Director Jen Easterly, according to a statement Friday.

The board doesn’t have regulatory powers and is not an enforcement authority.

Microsoft Exchange Online Breach

CRN has reached out to Microsoft and the department for comment. 


Back in July, Redmond, Wash.-based Microsoft revealed that an application programming interface (API) flaw enabled a threat actor to compromise certain customer cloud email accounts, including those used by multiple U.S. government agencies.

Microsoft said at the time a stolen Azure Active Directory (AD) key was misused to forge authentication tokens and gain access to emails from an estimated 25 organizations. Attackers accessed customers’ Exchange Online data through Outlook Web Access.

Microsoft has attributed the breach to a hacking group working on behalf of the Chinese government, which the company tracks under the identifier “Storm-0558.”

Also in July, U.S. Senator Ron Wyden – a Democrat from Oregon – asked the U.S. Federal Trade Commission, the Cybersecurity and Infrastructure Security Agency and the Justice Department to “take action” against Microsoft because of the breach, according to Reuters. 

The board previously reviewed Log4j vulnerabilities and activities associated with threat actor group Lapsus$. The Lapsus$ review was released Thursday with 10 recommendations for how organizations can better protect against the group and others. 

The CSRB was created through an executive order in 2022. The board includes public sector and private sector individuals, but no Microsoft executives are listed as board members. 

Private sector individuals on the board include:

* Heather Adkins, vice president, security engineering, Google
* Dmitri Alperovitch, co-founder and chairman, Silverado Policy Accelerator, and co-founder and former chief technology officer of CrowdStrike
* Wendi Whitmore, senior vice president, Unit 42, Palo Alto Networks
* Katie Moussouris, founder and CEO, Luta Security
* Jerry Davis, founder, Gryphon X

Other major breaches this year include the MOVEit cyberattack campaign and one against T-Mobile that affected tens of millions of individuals.
