May 21, 2024 Google has publicly criticized Microsoft for a series of security missteps, suggesting that organizations might consider more secure alternatives. This criticism follows a number of high-profile security incidents at Microsoft, including breaches that allowed unauthorized access to email accounts of high-level US government officials and Microsoft’s own corporate accounts.

According to a paper released by Google, these incidents demonstrate a “cascade of security failures” at Microsoft, undermining the tech giant’s security culture and governance. Google’s report leverages findings from the US Cyber Security Review Board (CSRB), which highlighted significant shortcomings in Microsoft’s response to the intrusions.

One notable breach involved Chinese-affiliated hackers known as Storm-0558, who exploited a stolen signing key to access Microsoft Exchange Online accounts globally. Another breach, attributed to the Russian-linked group Midnight Blizzard, involved the compromise of Microsoft’s internal email accounts, including those of its security and legal teams. Google’s report criticizes Microsoft for the ongoing nature of these breaches and for its delayed corrective actions.

In contrast, Google touts its own security measures, citing its transparent and proactive response to the 2009 Operation Aurora attack, which targeted Gmail accounts. Google is positioning its Workspace products as a more secure alternative, highlighting its commitment to security transparency and risk management.

Google’s new Secure Alternative Program offers discounted rates for its Google Workspace Enterprise Plus and Mandiant incident response services, directly challenging Microsoft’s Secure Future Initiative aimed at overhauling its security practices following these incidents.