
A federal review board has issued a critical report on Microsoft's handling of a significant 2023 security breach, in which a stolen signing key was used to spy on senior U.S. officials through the Exchange Online service. The Cyber Safety Review Board (CSRB) found Microsoft's security culture to be 'inadequate' and highlighted that the intrusion, attributed to a Chinese espionage campaign known as Storm-0558, was preventable. This campaign was linked to the same group responsible for Operation Aurora in 2009. The board criticized Microsoft for not prioritizing security appropriately and called for internal accountability. The report also noted that Microsoft has yet to determine how the attackers obtained the signing keys, in an intrusion that affected over 22 sensitive organizations, despite a March 12 clarification that no crash dump file containing a key had been found. The CSRB's findings have prompted calls for Microsoft to overhaul its security measures, especially given the company's central role in the technology sector.











The unequivocal criticism of Microsoft's security by a federal review board suggests the time has come for a true security overhaul at the tech giant. https://t.co/J1bygtwphK
The hack, which exposed senior officials' email accounts, "was preventable," says the Cyber Safety Review Board. https://t.co/jYIjNrJMh5
Microsoft still not knowing today how China (Storm-0558) gained access to signing keys and over 22 sensitive organizations… “The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in… https://t.co/pbfZ7f25x3