The US Department of Homeland Security (DHS) released the Cyber Security Review Board’s (CSRB) report on its independent review of the ‘Summer 2023 Microsoft Exchange Online Intrusion’, a cyber attack on the Microsoft Exchange mailboxes of over 500 individuals, including many who were members of the American government. The report attributed the success of the attack to a “cascade of avoidable errors” on the part of Microsoft and presented recommendations to help ensure that such incidents are not repeated in the future.

According to the report, in May and June 2023 a threat actor known as Storm-0558 gained access to the Microsoft Exchange Online mailboxes of over 500 individuals and 22 organisations, including highly ranked officials such as Commerce Secretary Gina Raimondo, United States Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon. The report claimed that Storm-0558 was affiliated with the People’s Republic of China and working on espionage-related activities.

The threat actor accessed these accounts through authentication tokens that were signed by a security key created by Microsoft in 2016. Signing keys are used for secure authentication into systems. A valid signing key can grant a user access to any information within that key's domain.

Recommendations to enhance the security of Microsoft products

The report criticised Microsoft’s “inadequate security culture”, which prevented Microsoft from detecting the compromised key on its own, and its decision not to correct incorrect public statements about the incident. It described “decision-making processes within the company…

