Atlas Apex

NHI & AI

CSRB on Storm-0558: "A Cascade of Avoidable Errors"

Cyber Safety Review Board · Apr 2024

Key Finding

When a board-level body categorises identity-key custody as a basic-hygiene failure, the architectural conversation has moved past "is this a priority" to "why is this not already done".

On 2 April 2024 the US Cyber Safety Review Board (CSRB) published its review of the 2023 Microsoft Exchange Online intrusion attributed to Storm-0558. The report concluded that the breach was preventable, and detailed a chain of decisions inside Microsoft — around signing-key handling, key-rotation cadence, audit-log retention, and the design of cross-tenant token validation — that allowed a single compromised consumer key to forge tokens accepted by enterprise email infrastructure.

The CSRB's framing is important for two reasons that apply far beyond Microsoft. First, it positioned the failures as basic hygiene applied to high-consequence machine identities, not as exotic engineering problems. Second, it made signing-key handling a publicly auditable category of identity control, which raises the bar for every vendor and every enterprise that holds keys with that kind of blast radius.

For identity-architecture practice the CSRB report is one of the clearest external signals available that machine-identity custody, rotation cadence, audit-log retention, and cross-tenant scope validation are first-class architectural concerns that supervisors are now willing to publish findings on.
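The three controls the report calls out that a verifier can enforce mechanically are scope binding (a key issued for one identity population must not validate tokens for another), rotation cadence (a key past its age limit stops being trusted even if its signature still checks out), and a rejection reason that can be written to an audit log. The following is an added illustration of that verifier logic, not code from the CSRB report or from Microsoft. The key registry, the key ids, the secrets, the 90-day cadence and the use of HMAC-SHA256 in place of the asymmetric signature a real token issuer would use are all constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key registry (assumption, not a real issuer's key store).
# Every signing key is bound to the one identity scope it may vouch for,
# and carries an issue time so the verifier can enforce rotation cadence.
KEY_REGISTRY = {
    "consumer-k1": {
        "secret": b"example-consumer-secret",
        "scope": "consumer",
        "issued_at": 1_600_000_000,  # old key that was never rotated
    },
    "enterprise-k7": {
        "secret": b"example-enterprise-secret",
        "scope": "enterprise",
        "issued_at": 1_700_000_000,
    },
}

# Illustrative rotation cadence the verifier enforces (assumed value).
MAX_KEY_AGE_SECONDS = 90 * 24 * 3600


class TokenRejected(Exception):
    """Carries a reason string suitable for an audit-log record."""


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Sign claims with the named key. HMAC-SHA256 stands in for the
    asymmetric signature a production issuer would use (assumption)."""
    key = KEY_REGISTRY[kid]
    header = {"alg": "HS256", "kid": kid}
    signing_input = (
        f"{_b64u(json.dumps(header).encode())}."
        f"{_b64u(json.dumps(claims).encode())}"
    )
    sig = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64u(sig)}"


def verify_token(token: str, expected_scope: str, now=None) -> dict:
    """Validate signature, key scope, key age and expiry; raise TokenRejected
    with an auditable reason on any failure, return the claims on success."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64u_decode(h))
        claims = json.loads(_b64u_decode(p))
    except ValueError as exc:  # covers bad base64, bad JSON, wrong part count
        raise TokenRejected(f"malformed token: {exc}")
    key = KEY_REGISTRY.get(header.get("kid"))
    if key is None:
        raise TokenRejected("unknown kid")
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(s)):
        raise TokenRejected("bad signature")
    # Scope binding: a valid signature is not enough; the key itself must be
    # one this verifier is allowed to trust for this identity population.
    if key["scope"] != expected_scope:
        raise TokenRejected(
            f"key scope {key['scope']!r} cannot vouch for {expected_scope!r}"
        )
    if claims.get("scope") != expected_scope:
        raise TokenRejected("token scope claim does not match validator scope")
    # Rotation cadence: a stale key is untrusted even with a correct signature.
    if now - key["issued_at"] > MAX_KEY_AGE_SECONDS:
        raise TokenRejected("signing key older than rotation cadence")
    if claims.get("exp", 0) <= now:
        raise TokenRejected("token expired")
    return claims


def scenarios(now: float = 1_701_000_000) -> dict:
    """Run the verifier over three constructed cases and return the outcomes."""
    out = {}
    good = mint_token("enterprise-k7",
                      {"sub": "mailbox-reader", "scope": "enterprise", "exp": now + 600})
    out["enterprise_key_enterprise_token"] = verify_token(good, "enterprise", now)["sub"]
    # A consumer-scope key presenting an enterprise-scope token: correctly signed,
    # but the key is outside the scope this verifier may trust.
    cross = mint_token("consumer-k1",
                       {"sub": "mailbox-reader", "scope": "enterprise", "exp": now + 600})
    try:
        verify_token(cross, "enterprise", now)
        out["consumer_key_enterprise_token"] = "accepted"
    except TokenRejected as exc:
        out["consumer_key_enterprise_token"] = str(exc)
    # The same consumer key used within its own scope still fails: it is past cadence.
    stale = mint_token("consumer-k1",
                       {"sub": "mail-user", "scope": "consumer", "exp": now + 600})
    try:
        verify_token(stale, "consumer", now)
        out["stale_consumer_key"] = "accepted"
    except TokenRejected as exc:
        out["stale_consumer_key"] = str(exc)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The point of the second and third scenarios is that signature correctness alone tells the verifier nothing about custody: the cross-scope case fails on scope binding before key age is even considered, and the in-scope case fails on cadence. Each rejection reason is a string the verifier's caller should persist, which is only useful if audit-log retention is long enough to cover the dwell time of an intrusion.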
