Microsoft said Monday it has reached additional milestones in a multiyear effort to strengthen its product development, threat detection and corporate governance structure under a program called the Secure Future Initiative.
The company has now rolled out a secure-by-design toolkit to 22,000 employees involved in product development, linked employee performance reviews to adoption of security standards and named a deputy CISO for business applications, among other changes.
“We have made progress across culture and governance by fostering a security-first mindset in every employee and investing in holistic governance structures to address cybersecurity risk across our enterprise,” Charlie Bell, executive vice president, security at Microsoft, wrote in a blog post.
Out of 28 objectives outlined in the SFI plan, which was first announced in 2023, the company said it is near completion on five and has made significant progress on 11.
Among the new SFI developments:
- About 92% of employee productivity accounts are now using phishing-resistant multifactor authentication.
- The company now has a 73% success rate in addressing cloud vulnerabilities under its reduced time-to-mitigate window. Microsoft did not specify what the new time frame is.
- The company has removed more than 6.3 million legacy tenants, including more than 550,000 since September 2024.
The company launched SFI after a China-linked threat group broke into the Microsoft Exchange Online environments of at least 22 customers. The hack led to the exfiltration of more than 60,000 emails from the U.S. State Department, and the threat group also gained access to other highly sensitive accounts, including that of Commerce Secretary Gina Raimondo.
Microsoft was sharply criticized in a 2024 report by the Cyber Safety Review Board, which said the Exchange attack was entirely preventable. The report faulted the company for prioritizing speed to market and “cool” product features over ensuring its products were built using secure development practices.
The report also faulted Microsoft for a separate attack by Midnight Blizzard, a Russia-backed threat group that launched a massive password-spray attack against the company in 2023. The attackers stole emails from top Microsoft executives and later stole credentials from U.S. federal agencies after those credentials were exchanged over email with Microsoft.