Google Warns That Microsoft Can’t be Trusted After Numerous Email Security Violations

By: James Dorman | Published: Jun 24, 2024

Google has publicly challenged Microsoft’s security capabilities. This challenge comes after a number of recent high-profile breaches.

The challenge warns that businesses might wish to consider a more secure alternative, like Google Workspace.

Google Has Released a Security Paper

Google has released a paper that begins with a very blunt statement targeted directly at Microsoft: “In the wake of significant cybersecurity incidents with Microsoft, Google Workspace offers a safer choice.”

With the timing of this paper, Google is looking to capitalize on Microsoft’s misfortunes. It has been a challenging year for Microsoft, as the tech giant has experienced a series of well-publicized breaches involving its enterprise solutions.


U.S. Cyber Safety Review Board Ruling

The U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) investigated Microsoft in the wake of these security incidents.

While Microsoft looks to position its enterprise solutions as being security conscious, the CSRB report instead speaks to prolonged, systemic issues and a corporate culture that deprioritizes both “enterprise security investments and rigorous risk management.”

The Storm-0558 Incident

The report particularly highlights Microsoft’s failings during the Storm-0558 incident in the summer of 2023.

In this cyber attack, a state-backed Chinese threat actor group known as Storm-0558 carried out a hacking campaign that targeted government officials. They successfully compromised the accounts of senior U.S. and U.K. government officials, gaining access to the mailboxes of 22 organizations and more than 500 individuals. This gave them sight of tens of thousands of emails.

Multiple Security Failures

This was obviously a huge, potentially damaging failure. The independent review commissioned by President Biden was heavily critical of Microsoft.

The crux of the attack was that Storm-0558 acquired a stolen signing key that essentially granted them access to any Exchange Online account they wished. The report describes a “cascade of failures” on Microsoft’s part and a “lax corporate culture” regarding security as contributing to the incident.

These Aren’t Microsoft’s Only Security Incidents

The Storm-0558 attack wasn’t the only high-profile Microsoft data breach that Google highlighted in its paper. A separate Microsoft data breach occurred just a few months later.

The Google paper criticized Microsoft for the infiltration by Midnight Blizzard, a Russian-linked group, just a few months after the Storm-0558 incident. Midnight Blizzard successfully compromised a number of Federal Civilian Executive Branch (FCEB) agency email accounts.


An Ongoing Security Failure

The report highlighted that Microsoft stated this attack was still ongoing five months after the initial breach. When giving a security update on the matter, Microsoft was unable to provide a timeline for resolution.

This left top-tier Microsoft communications exposed to attackers for months. What’s painfully ironic is that Microsoft itself put out a warning about Midnight Blizzard as far back as 2021.


Google’s Criticism of Microsoft

Google has not held back with its criticism of Microsoft’s failures, but all these failures fall in line with the CSRB’s own concerns.

The CSRB paper noted that Microsoft was unable to provide details of how Storm-0558 was able to infiltrate its systems. Google questions whether Microsoft can ensure an incident like this won’t happen again if it can’t even say how it happened in the first place.


Keeping the Public Informed

The CSRB report also highlighted a lack of transparency from Microsoft in its response to the Storm-0558 intrusion. Beyond this, the report states they failed to correct inaccurate public statements.

Google’s paper raises both of these criticisms over communication. In stark contrast, Google disclosed to the public that certain Gmail accounts had been compromised when it was the victim of a major cyber attack in 2009.


A Safer Path With Google Workspace

There is an obvious motive behind Google creating a paper to highlight Microsoft’s security failings — to position its own enterprise suite, Workspace, as the better, more secure alternative.

They describe Workspace as a safer alternative to Microsoft, citing a proven track record of engineering excellence and a transparent culture that accepts the “profound responsibility” of ensuring security for customers.


Microsoft’s Secure Future Initiative

This language in particular seems a pointed attack on Microsoft, mirroring the language used in the CSRB report. This isn’t the only such direct posturing against Microsoft from Google.

Google launched its Secure Alternative Program alongside the paper. This offers discounted rates on the Google Workspace Enterprise Plus package and the AI-powered Mandiant incident response service to customers who make the switch. The name seems a direct challenge to Microsoft’s AI-driven Secure Future Initiative.


A Win for Google Over Microsoft?

Google has been extremely opportunistic with this paper, looking to gain a reputational advantage over Microsoft off the back of recent high-profile security failings.

But Google isn’t saying anything that isn’t true. Microsoft has had security issues and faced government criticism for its handling of these incidents. Couple that with Google’s positive track record in handling cyber-security incidents, and they might be able to influence public perception. People may think that Microsoft perhaps can’t be fully trusted to secure customer data and that Google is indeed a safer alternative.