In December on the heels of its SFI announcement, Microsoft appointed Tsyganskiy, a relative newcomer to the company, to replace former and longtime CISO Bret Arsenault, who transitioned to an adviser position.

Ongoing security struggles

Around the same time — but unbeknownst to Microsoft until January — a Russia-based threat group Midnight Blizzard, also known as Nobelium, was hacking the emails of Microsoft employees, including senior staff. The attack was the second known attack on Microsoft by the group; last year Microsoft had accused it of using social engineering to carry out a cyberattack on Microsoft Teams.

The US Cybersecurity and Infrastructure Security Agency (CISA) later warned in mid-April that Midnight Blizzard exploited the compromise to steal the emails of government agencies, advising agencies to urgently check their email systems for signs of compromise.

If these weren’t troublesome enough for the company, Microsoft also had faced a scathing assessment by a federal review board earlier in April for another state-sponsored cyber-attack that affected the federal government. This one occurred in July 2023 when Chinese threat actors breached Microsoft 365 accounts to target key US government officials.

The report released on April 2 by the independent Department of Homeland Security (DHS) Cyber Safety Review Board offered an incendiary review of Microsoft’s security culture and blamed the company for the attack by the group Storm-0558 that the board said easily could have been avoided.

On the right course

Microsoft’s revamped security strategy shows the company incorporating feedback and taking corrective steps forward to improve the overall security posture of the company and its products, particularly as external pressure mounts.