Google says Microsoft can’t be trusted after email security blunders
Google has fired a broadside at Microsoft amid concerns over the tech giant's repeated security blunders


Google has released a paper directly challenging Microsoft over a series of security lapses in recent months, suggesting enterprises and public sector organizations need a more secure alternative.
The tech giant appears to be capitalizing on what has been a difficult year for Microsoft from a security standpoint, after the firm suffered a litany of high profile security gaffes involving its enterprise solutions.
The paper castigates Microsoft for the “inadequate security culture” identified in an investigation by the US Cyber Security Review Board (CSRB), as Google aims to present itself as the enterprise option with a culture that prioritizes security.
In particular, the CSRB report focused on the Summer 2023 Microsoft Exchange Online Intrusion, in which Chinese-affiliated threat actors known as Storm-0558 were able to access the email accounts of top US Government officials.
The attack was carried out using a stolen signing key that “permitted Storm-0558 to gain full access to essentially any Exchange Online account anywhere in the world”.
US lawmakers described a “cascade of security failures” that led up to the incident, which when taken together, “point to a failure of Microsoft’s organizational controls and governance, and of its corporate culture around security”.
Google also pointed to another cyber incident that occurred just a few months later, in which a Russian-linked threat group – Midnight Blizzard – compromised a series of Microsoft's corporate email accounts including those of senior leaders, as well as their security and legal teams.
It highlighted the fact that Microsoft stated the attack was still ongoing five months after the initial breach, citing the tech firm’s own security update that failed to give a timeline for the incident to be resolved.
Google smells blood in the water
In terms of specific criticism of Microsoft’s actions, the CSRB paper was particularly scathing about the firm’s inability to provide details on how exactly the group was able to infiltrate its systems and gain access to this ‘master key’.
Google showed it had no qualms attacking Microsoft along similar lines, questioning whether Microsoft would be able to ensure this type of incident won’t happen again if it still doesn’t know how Storm-0558 obtained the 2016 MSA key.
It also made sure to raise the report's other two major criticisms: Microsoft’s failure to prioritize security and risk management, with the report describing the company’s security culture as ‘inadequate’, and its failure to correct inaccurate public statements.
Microsoft was found to have made a “decision not to correct, in a timely manner, its inaccurate public statements about this incident”, with the report noting that only after repeated questioning from the Board did the tech giant plan to issue a correction.
Google contrasted this response with its own reaction to Operation Aurora, a major cyber attack carried out by a state-linked threat actor in 2009, in which it was the only company to confirm it was a victim of a cyber attack and disclosed to the public that certain Gmail accounts had been compromised.
"While no organization is immune to being the target of highly sophisticated adversaries, there is a clear pattern of evidence that suggests Microsoft is unable to keep their systems and therefore their customers’ data safe," Google said.
Google says it should be the trusted security partner
Google argued it’s already learned the lessons from this event, such as being more transparent around security incidents, as well as some fundamental dos and don'ts concerning security architecture.
The primary aim of the paper is to make the case for Google’s own enterprise productivity suite, Workspace, which it argues presents a fundamentally different and more secure approach to that of Microsoft.
"We believe Google Workspace is a safer alternative, with a proven track record of engineering excellence, deep investment in cutting-edge defenses, and a transparent culture that treats providing security for our customers as a profound responsibility," the firm said.
The tech giant launched its Secure Alternative Program alongside this paper on 20 May 2024, which will offer organizations who make the switch discounted rates on its Google Workspace Enterprise Plus package and on its Mandiant incident response service.
This appears to be a direct challenge to Microsoft’s Secure Future Initiative, which Microsoft initially unveiled in November 2023.
Microsoft outlined plans to overhaul its security practices in the aftermath of the email security breach.
ITPro has approached Microsoft for comment.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.