Microsoft has made critical updates to its identity verification tools after a breach last summer that saw Chinese hackers infiltrate U.S. government email accounts, including those of high-ranking officials. The changes aim to prevent future cyberattacks like the one that compromised sensitive emails, including those tied to the State Department and Commerce Secretary Gina Raimondo.
The company’s recent progress report outlines several new security measures. For U.S. government and public sector cloud accounts, token signing keys are now automatically generated, stored and rotated. These keys are housed in a hardware security module, making it extremely difficult for anyone to extract or misuse them. Additionally, the lifespan of access tokens has been reduced to seven days, shortening the window in which a stolen token remains usable by an attacker.
Another significant update is the removal of nearly 730,000 inactive apps and 5.75 million unused cloud tenants, eliminating stale identities and tenants that attackers commonly abuse as footholds. This effort follows last year’s hack, in which Chinese hackers exploited a vulnerability in a Microsoft cloud service and gained access to government emails after obtaining a signing key.
Microsoft’s new measures also include establishing an internal cybersecurity council led by its Chief Information Security Officer (CISO), Igor Tsyganskiy. The company has also tied security performance to leadership compensation and employee evaluations, demonstrating a commitment to ongoing cybersecurity improvements.
The company’s Secure Future Initiative, launched last November and expanded in May, continues to address the challenges posed by nation-state cyberattacks, including recent incidents involving Russian hackers.