Microsoft criticized for lax infosec that led to Exchange crack


A review of the June 2023 attack on Microsoft's Exchange Online hosted email service – in which accounts used by senior US officials were compromised by a China-linked group called "Storm-0558" – has found that the incident was preventable, and attributes it to Microsoft's lax infosec culture and inadequate cloud security measures.


The review, conducted by the US government's Cybersecurity and Infrastructure Security Agency's Cyber Safety Review Board (CSRB), calls for "rapid cultural change" at Microsoft. Among the board's recommendations:

The board used this strong language in light of the attack, which it attributed to a "cascade of Microsoft's avoidable errors."

The CSRB report [PDF] pins the attack on key rotation methods used to secure the Microsoft Services Account (MSA) — the identity management system that underpins the software giant's consumer cloud services.
