A U.S. review board tasked with investigating major cybersecurity incidents said it will begin looking at the recent intrusion of U.S. government email systems provided by Microsoft, whose handling of the incident drew ire and scrutiny from federal lawmakers and the wider security community.
The Cyber Security Review Board, or CSRB, said Friday that its latest investigation will include a “broader review of issues relating to cloud-based identity and authentication infrastructure.”
The board said it began considering an investigation after learning of the Microsoft cloud breach, which saw China state-backed hackers break into government email accounts, including the inbox of U.S. Commerce Secretary Gina Raimondo, several officials at the U.S. State Department, and other organizations not yet publicly named.
According to the slow-drip of information about the incident, Microsoft said China-backed hackers stole a sensitive signing key that allowed unauthorized access to enterprise and government email inboxes hosted by the technology giant. That stolen key, coupled with a flaw that Microsoft has since patched, allowed the forging of authentication tokens that the hackers used to access the target’s email accounts as if they were the rightful owners.
The intrusions began in mid-May but were not detected until a month later, when State Department officials detected the breach and notified Microsoft. It was only because the State Department used a higher-paid tier account that allowed access to logs that Microsoft keeps, which first revealed the hacks. Other departments with a lower paid tier were not given access to logs that may have spotted the intrusions sooner.
Following criticism, Microsoft capitulated soon after, saying it would make logs available for customers at no additional cost from September.
Ron Wyden, a Democratic lawmaker on the Senate Intelligence Committee, blasted Microsoft in a scathing letter to government agencies requesting an investigation into whether “lax cybersecurity practices” enabled Chinese hackers to spy on high-ranking federal government officials.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Wyden also called on the CSRB to investigate the incident.
In carrying out a post-mortem of the hack, Homeland Security secretary Alejandro Mayorkas said in remarks it was “imperative” to understand the vulnerabilities in cloud technologies that are relied on by U.S. organizations.
“Actionable recommendations from the CSRB will help all organizations better secure their data and further cyber resilience,” said Mayorkas.
This is the CSRB’s third investigation since it was founded by executive order in 2021 by President Biden. The board, which includes representatives from government and cybersecurity experts in the private sector, serves to review major cybersecurity events and identify recommendations to prevent future incidents.
The CSRB’s first investigation looked at the fallout from the Log4j vulnerability in 2020, and its second — published this week — examined recent attacks by the Lapsus$ hacking group,
