Microsoft, touting what it calls “the largest cybersecurity engineering project in history,” says it has moved every Microsoft Account and Entra ID token‑signing key into hardware security modules or Azure confidential VMs with automatic rotation, an overhaul meant to block the key‑theft tactic that fueled an embarrassing nation‑state breach at Redmond.
Just 18 months after rolling out a Secure Future Initiative in response to the hack and a scathing US government report that followed, Microsoft security chief Charlie Bell said five of the program’s 28 objectives are “near completion” and that 11 others have made “significant progress.”
In addition to the headline fix to put all Microsoft Account and Entra ID token‑signing keys in hardware security modules or Azure confidential virtual machines, Bell said more than 90 percent of Microsoft’s internal productivity accounts have moved to phishing‑resistant multi factor authentication and that 90 percent of first‑party identity tokens are validated through a newly hardened software‑development kit.
“We’ve applied new defense-in-depth protections in response to our Red Team research and assessments, migrated the MSA signing service to Azure confidential VMs, and are migrating Entra ID signing service to the same,” Bell said.
He noted that each of these improvements help mitigate the attack vectors that we suspect the actor used in a Chinese APT attack on Microsoft.
Microsoft has publicly blamed the incident on a crash dump stolen from a hacked engineer’s corporate account. The crash dump, which dated back to April 2021, contained a Microsoft account (MSA) consumer key that was used to forge tokens to break into OWA and Outlook.com accounts.
On the architecture side, Bell reported the purging of 6.3 million dormant Azure tenants to protect cloud tenants and isolate production systems.
Microsoft also reported the migration of 88 percent of active resources into Azure Resource Manager for tighter policy enforcement and the segmenting of 4.4 million managed identities so they can authenticate only from approved network locations.
The Secure Future Initiative was publicly rolled out in November 2023 with a promise to deliver faster cloud patches, better management of identity signing keys and a commitment to ship software with a higher default security bar.
Microsoft has itself faced intense criticism for its own approach to third-party vulnerability research of its cloud products and continues to struggle with faulty and incomplete patches and a surge in Windows zero-day attacks.
Related: Crash Dump Error: How Chinese Hackers Exploited Microsoft’s Mistakes
Related: The Chaos (and Cost) of the Lapsus$ Hacking Carnage
Related: US Senator Accuses Microsoft of ‘Cybersecurity Negligence’
Related: Chinese APT Use Stolen Microsoft Key to Hack Gov Emails
Related: Microsoft Bows to Pressure to Free Up Cloud Security Logs
