ProPublica and Microsoft: ProPublica is a nonprofit newsroom that investigates abuses of power. Microsoft hired Andrew Harris for his expertise in preventing hacks. He discovered a serious security flaw in Microsoft's Active Directory Federation Services (AD FS) product.
- The Flaw: The product allowed attackers to masquerade as legitimate employees and access sensitive data in the cloud without triggering alarms. It affected millions of users and was a threat to national security.
- Internal Struggles: Harris alerted his supervisors but met resistance. The Microsoft Security Response Center (MSRC) struggled to address the problem because of internal cultural conflicts between security researchers and product managers.
- Business Considerations: There were concerns about the business impact on Microsoft, including potential losses in government contracts and competition with Okta. The product team prioritized business over security.
- CyberArk and the Widespread Warning: CyberArk published a blog post describing the flaw, which it named Golden SAML, but the post initially received little attention. Harris kept pressing Microsoft to address the issue, but the MSRC held its position.
- The SolarWinds Breach: In 2020, Russian hackers exploited the Golden SAML flaw during the SolarWinds attack, stealing sensitive data from various federal agencies and Microsoft itself. Microsoft later advised customers to disable seamless SSO to mitigate the risk.
- Aftermath and Testimony: Harris took his frustration public on social media and in his blog. Brad Smith testified before Congress about SolarWinds, downplaying the significance of the Golden SAML weakness. Microsoft won a Defense Department cloud contract and its stock has since surged. In 2021, Smith published a book praising Microsoft's response to the attack.
Overall, the story highlights the tension between business and security at Microsoft and the consequences of a significant security flaw that led to a major cyberattack.