Microsoft compromise by Russian hackers due to negligence, says senator

CyberScoop reports that Microsoft has been accused of negligence by Sen. Ron Wyden, D-Ore., following the recent hack of its corporate email accounts by Russian state-sponsored threat operation APT29, also known as Cozy Bear. Such a compromise was facilitated by a password spraying attack against a "legacy non-production test tenant account," which could have been averted through mandatory multi-factor authentication. "It is inexcusable that Microsoft still hasn't required multi-factor authentication, which is cybersecurity 101 and would have prevented this latest attack," said Wyden, who noted that the intrusion, which comes months after several U.S. officials had their Microsoft email accounts compromised as a result of a stolen signing key, should prompt the U.S. government to re-examine its use of Microsoft products. Meanwhile, former cybersecurity official Andrew Grotto said that the elevated prevalence and severity of attacks impacting Microsoft, compared with other corporate networks suggest "deeper" cybersecurity issues within the company.