It's 2024 and #Outlook has seen its worst email hack ever.
When will they start listening to their founder Bill Gates?
A lax security culture made attacking Outlook so easy for China - you won't believe it! Find out what made the hack possible via this thread:👇
🧵1/7
Tuta
in reply to Tuta • • •1. Microsoft lost a general login key to its entire email system which enabled China to siphon off ~60,000 emails from the US State Department, the US ambassador to China, and other US government officials.
But what made this hack possible? 👇
🧵2/7
Tuta
in reply to Tuta • • •2. The old signing key used by the Chinese hackers to break into the system should have been disabled in 2016 already.
🧵3/7
Tuta
in reply to Tuta • • •3. Microsoft should have switched from manual to an automated key rotation - which would have automatically disabled the old key - but didn't.
🧵4/7
Tuta
in reply to Tuta • • •4. The key worked like a backdoor to consumer and business networks, which is in violation of security protocols.
🧵5/7
Tuta
in reply to Tuta • • •5. One engineer from a firm acquired by Microsoft in 2020 was working on a compromised laptop and in 2021 accessed the corporate network from that machine. It's not certain that this laptop was the root cause, but Microsoft published an update in March 2024 which stated a “compromised engineering account” is the “leading hypothesis” for the cause of the breach.
🧵6/7
Tuta
in reply to Tuta • • •6. Instead of letting this compromise go unnoticed, Microsoft should have run a proper security assessment of the firm's network after its acquisition - which it didn't.
More on this hack and what the US government has to say about it: tuta.com/blog/microsoft-china-…
🧵7/7
US government asks Microsoft to get its security right - before adding any new features.
Tutanota