Google says Microsoft can’t be trusted after email security blunders

A wooden Google logo hangs at a stand at the 2022 Re:publica digital society festival on June 09, 2022 in Berlin, Germany.
(Image credit: Getty Images)

Google has released a paper directly challenging Microsoft over a series of security lapses in recent months, suggesting enterprises and public sector organizations need a more secure alternative. 

The tech giant appears to be capitalizing on what has been a difficult year for Microsoft from a security standpoint, after the firm suffered a litany of high profile security gaffes involving its enterprise solutions.

The paper castigates Microsoft for the “inadequate security culture” identified in an investigation by the US Cyber Security Review Board (CSRB), aiming to present itself as the enterprise option with a culture that prioritizes security.

In particular, the CSRB report focused on the Summer 2023 Microsoft Exchange Online Intrusion, in which Chinese-affiliated threat actors known as Storm-0558 were able to access the email accounts of top US Government officials.

The attack was carried out using a stolen signing key that “permitted Storm-0558 to gain full access to essentially any Exchange Online account anywhere in the world”.

US lawmakers described a “cascade of security failures” that led up to the incident, which when taken together, “point to a failure of Microsoft’s organizational controls and governance, and of its corporate culture around security”.

Google also pointed to another cyber incident that occurred just a few months later, in which a Russian-linked threat group – Midnight Blizzard – compromised a series of Microsoft's corporate email accounts including those of senior leaders, as well as their security and legal teams.

It highlighted the fact that Microsoft stated the attack was still ongoing five months after the initial breach, citing the tech firm’s own security update that failed to give a timeline for the incident to be resolved. 

Google smells blood in the water

In terms of specific criticism of Microsoft’s actions, the CSRB paper was particularly scathing about the firm’s inability to provide details on how exactly the group was able to infiltrate its systems and gain access to this ‘master key’.

Google showed it had no qualms attacking Microsoft along similar lines, questioning whether Microsoft would be able to ensure this type of incident won’t happen again if it still doesn’t know how Storm-0558 obtained the 2016 MSA key.

Google also raised the report’s other two major criticisms: Microsoft’s failure to prioritize security and risk management, which the report said reflected an ‘inadequate’ security culture, and its failure to correct inaccurate public statements.

Microsoft was found to have made a “decision not to correct, in a timely manner, its inaccurate public statements about this incident”, with the Board noting that only after repeated questioning did the tech giant plan to issue a correction.

Google contrasted this response with its own reaction to Operation Aurora, a major cyber attack carried out by a state-linked threat actor in 2009, when it was the only company to confirm it had been a victim of the attack and disclosed to the public that certain Gmail accounts had been compromised.

"While no organization is immune to being the target of highly sophisticated adversaries, there is a clear pattern of evidence that suggests Microsoft is unable to keep their systems and therefore their customers’ data safe," Google said. 

Google says it should be the trusted security partner

Google argued it’s already learned the lessons from this event, such as being more transparent around security incidents, as well as some fundamental dos and don'ts concerning security architecture.

The primary aim of the paper is to make the case for Google’s own enterprise productivity suite, Workspace, which it argues presents a fundamentally different and more secure approach to that of Microsoft.

"We believe Google Workspace is a safer alternative, with a proven track record of engineering excellence, deep investment in cutting-edge defenses, and a transparent culture that treats providing security for our customers as a profound responsibility," the firm said.

The tech giant launched its Secure Alternative Program alongside this paper on 20 May 2024, which will offer organizations that make the switch discounted rates on its Google Workspace Enterprise Plus package and on its Mandiant incident response service.

This appears to be a direct challenge to Microsoft’s Secure Future Initiative, which it initially unveiled in November 2023. 

Microsoft outlined plans to overhaul its security practices in the aftermath of the email security breach. 

ITPro has approached Microsoft for comment.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.