In July of 2023, Microsoft disclosed a compromise of Exchange Online that targeted “25 organizations … including government agencies as well as related consumer accounts of individuals likely associated with these organizations.” The vector of compromise was several validation flaws in the Microsoft-hosted Exchange Online and AzureAD services.
As part of the Cyber Safety Review Board investigation of this incident, CISA issued a number of findings citing Microsoft’s negligence in securing their cloud infrastructure and make recommendations to both Microsoft and all cloud service providers.
From the CISA press-release:
“Cloud computing is some of the most critical infrastructure we have, as it hosts sensitive data and powers business operations across our economy,” said DHS Under Secretary of Policy and CSRB Chair Robert Silvers. “It is imperative that cloud service providers prioritize security and build it in by design."