Email Hacking Campaign Ups Pressure on Microsoft Over Fees for Critical Security Features

A newly revealed hacking campaign targeting Microsoft’s email system which compromised multiple US government agencies underscores the need for Microsoft and other tech giants to offer more basic security features for free, the Biden administration argued on Wednesday.

The email hacking campaign, which Microsoft linked to Chinese operatives, was stealthy enough that only Microsoft customers who paid extra fees for the company’s advanced activity-logging feature could possibly have spotted it. One of the government victims paid for the feature, spotted the suspicious activity, and alerted Microsoft in mid-June, prompting a scramble to kick the hackers out of email systems belonging to roughly 25 organizations.

During a briefing for reporters on Wednesday, a senior official at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency noted that most Microsoft customers didn’t pay the premium for the logging feature that revealed the attack and described Microsoft’s practice of charging for this feature as unacceptable.

“We believe that model is not yielding the sort of security outcomes that we seek,” said the senior CISA official, who spoke on the condition of anonymity according to the agency's policy. “We cannot rely upon organizations to pay more for better logging. That is a recipe for inadequate visibility and adversaries having unnecessary levels of success in targeting American organizations.”

The Biden administration has launched a campaign to convince tech companies to offer more security features for free and by default — instead of making users opt into them or pay extra for them. Offering adequate free log data is one of the areas where tech firms like Amazon, Google and Microsoft continue to dodge those recommendations.

The newly disclosed intrusions could increase pressure on Microsoft and its competitors to make more of their advanced security features available as part of their basic service tiers, given how important those features are to detecting sophisticated cyberattacks.

The US government has been “working closely with Microsoft to ensure the availability of this necessary logging for all organizations, federal and non-federal, without added charge,” the official said, “and we anticipate highly positive announcements soon” regarding the addition of more logging features for all customers.

The suspected Chinese hacking campaign compromised three federal agencies, with the hackers accessing 10 or fewer individual accounts at each agency, The Messenger previously reported.

The US State Department confirmed in a statement that it was one of the affected agencies. CNN first reported that the department was the victim that detected the intrusion and reported it to Microsoft. The Commerce Department is another one of the victims, CNN reported.

Of the estimated 25 victims, the number of compromised US organizations “is in the single digits,” the senior CISA official said, with only “a small number” of affected accounts at each organization.

Senior CISA and FBI officials said the rapid discovery and remediation of the intrusions represented “a notable improvement” over responses to previous cyberattacks, including the SolarWinds breach perpetrated by Russian intelligence operatives in 2020.

A senior FBI official speaking at the same briefing said the government wouldn’t have a clear sense of the scope of this latest attack “without Microsoft's collaboration and sharing of intelligence.”

Still, it remains unclear how the hackers acquired the Microsoft authentication key that they used to break into victims’ email systems. The senior CISA official described that as “an area of urgent focus.”