Microsoft releases major security improvements in wake of Chinese email hacking scandal

TLDR

  • Microsoft enhanced security after a Chinese hacking group exploited a cloud vulnerability in 2023.
  • New measures include rotating token keys, limiting access tokens, and removing inactive accounts.
  • Security improvements are ongoing, with employee training and leadership accountability increased.

Microsoft has shared progress on its security updates after Chinese hackers exploited vulnerabilities to hack government emails last year.

The three-trillion-dollar company has introduced significant improvements to ensure its identity verification tool is more secure. This comes after a Chinese hacking group known as Storm-0558 used an overlooked vulnerability in Microsoft’s cloud email service to access the accounts of thousands of government workers in the United States in July 2023.

Now, Microsoft’s executive vice president of security Charlie Bell has outlined the new security measures in a public blog post, intending to prevent any other groups from doing the same again.

The company’s CEO Satya Nadella took to X to emphasize that security is Microsoft’s “top priority”.

What security updates has Microsoft made?

The new improvements include automatically generating, storing, and rotating token signing keys for US government and public sector cloud accounts, with those keys now stored in a customer’s hardware security module (HSM). This should make it almost impossible for other accounts to access them.

What’s more, Microsoft has also limited the access tokens of internal employees to seven days, meaning that even if a bad actor managed to get their virtual hands on one, it would only help them gain unlawful access to those accounts until it expired. Last but not least, the company has removed an estimated 730,000 unused apps from user accounts, while also removing 5.75 million inactive users. Hacking groups have been known to use inactive accounts or apps to break through companies’ security.

Microsoft maintains these are not one-and-done measures but rather one part of ongoing security improvements the company is working on.

“In security, consistent progress is more important than ‘perfection’ and this is reflected in the scale of resources mobilized to achieve our SFI objectives,” wrote Bell. “The collective work we are doing to continually increase protection, eliminate legacy or non-compliant assets, and identify remaining systems for monitoring conclusively measures our success. As we look ahead, we remain committed to ongoing improvement.”

Putting action behind the words, the company has also linked security performance to senior leadership’s compensation and all employees’ performance reviews. A newly launched Security Skilling Academy aims to improve the security-focused internal training for all Microsoft employees.

Rachael Davies
Tech Journalist
