Email Hacking Campaign Ups Pressure on Microsoft Over Fees for Critical Security Features
Government officials say Microsoft needs to provide more security data to customers without charging them extra
A newly revealed hacking campaign targeting Microsoft’s email system which compromised multiple US government agencies underscores the need for Microsoft and other tech giants to offer more basic security features for free, the Biden administration argued on Wednesday.
The email hacking campaign, which Microsoft linked to Chinese operatives, was stealthy enough that only Microsoft customers who paid extra fees for the company’s advanced activity-logging feature could possibly have spotted it. One of the government victims paid for the feature, spotted the suspicious activity, and alerted Microsoft in mid-June, prompting a scramble to kick the hackers out of email systems belonging to roughly 25 organizations.
During a briefing for reporters on Wednesday, a senior official at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency noted that most Microsoft customers didn’t pay the premium for the logging feature that revealed the attack and described Microsoft’s practice of charging for this feature as unacceptable.
“We believe that model is not yielding the sort of security outcomes that we seek,” said the senior CISA official, who spoke on the condition of anonymity according to the agency's policy. “We cannot rely upon organizations to pay more for better logging. That is a recipe for inadequate visibility and adversaries having unnecessary levels of success in targeting American organizations.”
The Biden administration has launched a campaign to convince tech companies to offer more security features for free and by default — instead of making users opt into them or pay extra for them. Offering adequate free log data is one of the areas where tech firms like Amazon, Google and Microsoft continue to dodge those recommendations.
The newly disclosed intrusions could increase pressure on Microsoft and its competitors to make more of their advanced security features available as part of their basic service tiers, given how important those features are to detecting sophisticated cyberattacks.
The US government has been “working closely with Microsoft to ensure the availability of this necessary logging for all organizations, federal and non-federal, without added charge,” the official said, “and we anticipate highly positive announcements soon” regarding the addition of more logging features for all customers.
- Pressured By Recent Hacks, Microsoft Makes Key Security Features Completely Free
- Democratic Senator Angry About Microsoft Email Hacks Presses White House To Investigate
- Microsoft May Face FTC Investigation Over Chinese Email Hack (Exclusive)
- Microsoft Fortifies Sensitive Customer Data To Stop Repeat of Major Chinese Hack
- Suspected Chinese Email Hacks Compromised A Republican Congressman
- Why Amazon, Google and Other Tech Giants Are Flouting Some New Government Cybersecurity Recommendations
The suspected Chinese hacking campaign compromised three federal agencies, with the hackers accessing 10 or fewer individual accounts at each agency, The Messenger previously reported.
The US State Department confirmed in a statement that it was one of the affected agencies. CNN first reported that the department was the victim that detected the intrusion and reported it to Microsoft. The Commerce Department is another one of the victims, CNN reported.
Of the estimated 25 victims, the number of compromised US organizations “is in the single digits,” the senior CISA official said, with only “a small number” of affected accounts at each organization.
Senior CISA and FBI officials said the rapid discovery and remediation of the intrusions represented “a notable improvement” over responses to previous cyberattacks, including the SolarWinds breach perpetrated by Russian intelligence operatives in 2020.
A senior FBI official speaking at the same briefing said the government wouldn’t have a clear sense of the scope of this latest attack “without Microsoft's collaboration and sharing of intelligence.”
Still, it remains unclear how the hackers acquired the Microsoft authentication key that they used to break into victims’ email systems. The senior CISA official described that as “an area of urgent focus.”
- Tetris Creator Stuns 13-Year-Old Who Beat the Game With Surprise Zoom Call: ‘This Is So Cool’Tech
- Apple May Face Sweeping Antitrust Lawsuit From Justice Department Over iPhone: ReportBusiness
- Elon Musk’s Take on DEI Slammed by Azealia Banks: ‘No, Stupid’Entertainment
- A Real-Life Spider-Man? This Engineer Made Amazing, Spectacular Web ShootersTech
- This $2,149 Smart Toilet Seat Brings Alexa Into Your BathroomTech
- Why the Next Moon Landing May Be the Most Important Since Apollo 11Tech
- How My AI Coach Helps Me Stay on TrackBusiness
- The BlackBerry Dream Lives On in This iPhone Keyboard CaseTech
- You Can Buy Your Own Custom Version of ChatGPT Next WeekTech
- Mesmerizing Videos Reveal Stormy Weather on a Hellish Planet Where It Rains IronTech
- Largest Known Male of World’s Deadliest Spider Captured in AustraliaTech
- There’s a New ‘Jaws’ Pinball Machine, and We’re Going to Need a Bigger BallTech