So far, 2021 has proved to be somewhat of a security annus horribilis for tech giant Microsoft, with numerous vulnerabilities impacting several of its leading services, including Active Directory, Exchange, and Azure. Microsoft is no stranger to being targeted by attackers seeking to exploit known and zero-day vulnerabilities, but the rate and scale of the incidents it has faced since early March has put the tech giant on its back foot for at least a moment or two.

What follows is a timeline of the significant security events that have afflicted Microsoft in 2021, why it remains susceptible to serious vulnerabilities and attacks, and an assessment of its response according to experts from across the cybersecurity sector.

March 2: Microsoft Exchange Server vulnerability

The first notable security incident occurred in March, when Microsoft announced vulnerability CVE-2021-26855 in its Exchange Server. The vulnerability was remotely executable and exploitable at the protocol level across one or more routers. While it classified attack complexity as low, Microsoft stated that CVE-2021-26855 was being actively exploited and that attackers did not require authorization or access to files/settings.

What’s more, the vulnerability could be exploited without any interaction from a user and lead to both total loss of confidentiality and protection. On its vulnerability update page, Microsoft wrote: “This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange Server from external access.” However, this would only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file, it added.
Microsoft released updates and advised installing them urgently on externally facing Exchange Servers.

June 8: Microsoft patches six zero-day security vulnerabilities

Microsoft released patches for security issues impacting various Windows services, with six serious vulnerabilities already being actively targeted by attackers. As reported by security researcher Brian Krebs, the six zero-days were:

CVE-2021-33742: A remote code execution bug in a Windows HTML component
CVE-2021-31955: An information disclosure bug in the Windows Kernel
CVE-2021-31956: An elevation of privilege flaw in Windows NTFS
CVE-2021-33739: An elevation of privilege flaw in the Microsoft Desktop Window Manager
CVE-2021-31201: An elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider
CVE-2021-31199: An elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider

July 1: Windows Print Spooler vulnerability

Attackers were detected exploiting a vulnerability in Microsoft’s Windows Print Spooler service, dubbed PrintNightmare. The remote code execution vulnerability, CVE-2021-34527, involved improper privileged file operations in the service; it was exploitable with basic user capabilities and required no user interaction. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft wrote.

Advised mitigation included immediately installing security updates, along with ensuring the following registry values are set to “0” (zero) or are not defined:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

August: Researchers disclose Microsoft Exchange Autodiscover vulnerability

Researchers from security vendor Guardicore discovered and publicly disclosed a design issue in Microsoft Exchange Autodiscover with the potential to cause Outlook and other third-party Exchange client applications to leak plaintext Windows domain credentials to external servers. “This is a problem with both the design of how Microsoft initially implemented that [protocol] and a problem in how third parties are implementing it. It’s a two-fold issue: It’s both a design issue and an implementation issue,” commented Amit Serper, VP of security research.

Meanwhile, Microsoft began investigating and taking steps to mitigate the threat to protect customers. “We are committed to coordinated vulnerability disclosure, an industry standard, collaborative approach that reduces unnecessary risk for customers before issues are made public. Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today,” said Jeff Jones, senior director at Microsoft, in an emailed statement.
Serper explained that Guardicore had indeed not contacted Microsoft, as the underlying problem with how Autodiscover builds URLs was not a zero-day vulnerability and has been known since 2017.

August 26: Researchers access data of several thousand Microsoft Azure customers

Researchers at Wiz gained complete, unrestricted access to the accounts and databases of several thousand Microsoft Azure customers due to a series of flaws that affect Azure’s flagship database service, Cosmos DB. Dubbed ChaosDB by the researchers, the vulnerability allowed any user to download, delete, or manipulate a large collection of commercial databases trivially and without other credentials.

“Microsoft’s security team deserves enormous credit for taking immediate action to address the problem,” the researchers wrote. “We rarely see security teams move so fast! They disabled the vulnerable notebook feature within 48 hours after we reported it. It’s still turned off for all customers pending a security redesign.”

However, customers may remain vulnerable since their primary access keys were potentially exposed, they added. “Microsoft notified over 30% of Cosmos DB customers that they need to manually rotate their access keys to mitigate this exposure. Microsoft only emailed customers that were affected during our short (approximately weeklong) research period. However, we believe many more Cosmos DB customers may be at risk. The vulnerability has been exploitable for at least several months, possibly years.”

September 7: Microsoft MSHTML vulnerability

In what turned out to be the first of several significant security issues in the space of a month for Microsoft, the tech giant warned of a remote code execution vulnerability (CVE-2021-40444) impacting MSHTML (aka Trident) being actively exploited in the wild.
Trident is a proprietary browser engine for the Microsoft Windows version of Internet Explorer and was under threat from attacks using specially crafted Microsoft Office documents hosting the browser rendering engine. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft wrote. Exploitation was described as low in complexity and repeatable, with the capability to impact resources beyond the security scope managed by the security authority of the vulnerable component. Microsoft released security updates to address the vulnerability on September 14 and urged customers to keep anti-malware products up to date.

September 14: Microsoft discloses several non-exploited vulnerabilities

On the same day it released security updates to mitigate the Trident flaw, Microsoft issued details on a raft of vulnerabilities across its services that were not known to be exploited at the time of disclosure.

CVE-2021-36968: An elevation of privilege vulnerability in Windows DNS. Microsoft said the vulnerable component was not bound to the network stack and the attacker’s path is via read/write/execute capabilities. “Either the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on user interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document).” Microsoft warned of the potential for total loss of availability as the result of an attack, granting an attacker the ability to fully deny access to resources in the impacted component.

CVE-2021-38647: A vulnerability affecting Open Management Infrastructure (OMI) via some Azure products.
“Some Azure products, such as Configuration Management, expose an HTTP/S port listening to OMI (typically port 5986),” Microsoft wrote. “This configuration where the HTTP/S listener is enabled could allow remote code execution. It is important to mention that most Azure services that use OMI deploy it without exposing the HTTP/S port. An attacker could send a specially crafted message via HTTPS to port listening to OMI on a vulnerable system.” Microsoft warned that the remotely exploitable vulnerability was low in attack complexity, required no user interaction, and could potentially lead to the full denial of access to resources in the impacted component. A fix was issued on GitHub on August 11 to allow users to mitigate risks before full CVE details were made public by Microsoft.

CVE-2021-36965: A vulnerability affecting Windows WLAN AutoConfig services. Microsoft said the vulnerability was “bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology.” This means an attack must be launched from the same shared physical or logical network, or from within a secure or otherwise limited administrative domain. Threatening a total loss of confidentiality and integrity, an exploit is limited to resources managed by the same security authority. According to Microsoft, a complete vendor fix solution is available.

CVE-2021-36952: This remote code execution Visual Studio vulnerability was described by Microsoft as not bound to the network stack, with an attacker’s path via read/write/execute capabilities. CVE-2021-36952 could result in an attacker fully denying access to resources in the impacted component.

CVE-2021-38667: Two months after CVE-2021-34527, a new elevation of privilege vulnerability affecting Windows Print Spooler was disclosed.
“The attacker is authorized with (i.e., requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with low privileges may have the ability to cause an impact only to non-sensitive resources,” Microsoft wrote.

CVE-2021-36975 and CVE-2021-38639: Two new elevation of privilege vulnerabilities, this time impacting Win32k, were also shared by Microsoft. Both had the potential to be successfully exploited repeatedly by an attacker.

September 16: APT actors exploit vulnerability in ManageEngine ADSelfService Plus

A joint advisory from the FBI, United States Coast Guard Cyber Command (CGCYBER), and CISA warned of cyber threats associated with active exploitation of a new vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution. While the risks posed were third-party related rather than directly aligned with Microsoft itself, they do present a notable threat to Microsoft Active Directory.

September 27: APT29 targets Active Directory Federation Services

Security researchers flagged a notorious cyberespionage group with ties to the Russian government deploying a new backdoor designed to exploit Active Directory Federation Services (AD FS) and steal configuration databases and security token certificates. Microsoft attributed the malware program FoggyWeb to the group NOBELIUM (also known as APT29 or Cozy Bear), believed to be behind the SUNBURST backdoor.
Microsoft stated it had notified all customers observed being targeted or compromised by this activity, recommending that users:

Audit on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain access.
Remove user and app access, review configurations for each, and re-issue new, strong credentials following documented industry best practices.
Use a hardware security module (HSM) as described in securing AD FS servers to prevent the exfiltration of secrets by FoggyWeb.

Microsoft added that its security products had implemented detections and protections against the malware.

Microsoft remains a significant attack target

As the incidents of the last several months show, Microsoft services remain a significant target for attack and exploitation, while vulnerabilities within them continue to come to light. “Microsoft apps and systems continue to be high-value targets for hackers because they are so widely deployed across the globe,” Forrester research director and principal analyst Merritt Maxim tells CSO.

Maxim estimates that approximately 80% of enterprises use Microsoft Active Directory “globally in some shape or form. Given that Active Directory serves as the repository for user authentication credentials (among other features) and that authentication credentials are a highly valuable data source for hackers, it is only natural that hackers continue to target Microsoft systems because any exploit that can be developed can be attempted against a broad number of sources.”

“Attackers choose their targets based on value, and the more popular a system or program is, the more valuable it is to a hacker,” says Eugene Kolodenker, staff security intelligence engineer and research team member at Lookout. “Additionally, due to Microsoft’s sophistication and complexity, it has a large attack surface, much of which is remotely accessible.
A combination of popularity and a large remotely accessible attack surface creates a perfect target.”

Martin Jartelius, CSO at Outpost24, adds: “The fact is that it’s rarely these products that are the source of the breach; a breach occurs elsewhere and then attackers move toward these most important integral parts of the organization.”

Microsoft’s response to security incidents

Reflecting on Microsoft’s response to and handling of security incidents, John Bambenek, principal threat hunter at Netenrich, says the company generally does a good job. “If anything, they probably have the finest-honed product security process around.”

Maxim concurs. “Given the ubiquity of their systems, keeping track of every possible vulnerability is an impossible task. Microsoft continues to invest in the security capabilities in its native offerings and through things like the Microsoft Threat Intelligence Center they continue to provide detailed analysis and investigations of emerging malware affecting their platform to keep enterprises informed and protected.”

However, while Microsoft has rapidly responded and promptly attempted to patch vulnerabilities, several recent patches have been incomplete, and this has led to widespread exploitation until successful completion of the patch, says Kolodenker. “Many Microsoft high-level vulnerabilities were discovered by legitimate security professionals, and only after initial patch release did rampant exploitation by attackers begin. This has been further exacerbated by public proof of concepts released before widespread adoption of the patch.”

This serves as an example of why organizations cannot solely rely on security updates and fixes from service providers, no matter how much clout they carry.
Instead, they must bear some of the responsibility themselves, applying their own security controls to mitigate the risks of vulnerability-focused exploits and attacks.

Jartelius champions a combination of preventative and reactive methods. “Just as we test our fire alarm systems on a recurring basis, we should test those security defenses and assumptions.” Companies that employ either internal or external teams to simulate real attacks while simultaneously practicing observing and responding to them often discover flaws that can be prevented relatively easily before they are targeted in the real world. “Most organizations struggle in keeping an experienced adversary, simulated or not, at bay,” he says.
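One concrete way for an organization to verify a vendor mitigation itself, rather than assume it is in place, is to audit the two Point and Print registry values that Microsoft's PrintNightmare guidance (the July 1 entry above) says must be 0 or not defined. The PowerShell below is an added example written for this page; it is not code from the article, from Microsoft, or from any of the vendors quoted. It assumes it runs on the Windows host being checked, needs only read access to HKLM, and changes nothing; the function name Test-PointAndPrintMitigation is a constructed name for this example.

```powershell
# Added example (not from the article or Microsoft): read-only audit of the two
# Point and Print registry values the PrintNightmare guidance requires to be
# 0 or not defined. Run on the Windows host being checked; it modifies nothing.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueNames = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

function Test-PointAndPrintMitigation {
    foreach ($name in $ValueNames) {
        $value = $null
        if (Test-Path -Path $PointAndPrintKey) {
            # A missing value is the safe default, so a lookup failure is not an error here.
            $item = Get-ItemProperty -Path $PointAndPrintKey -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$name }
        }

        # Per the guidance: 0 or not defined is acceptable; any other value is the risky state.
        $safe = ($null -eq $value) -or ($value -eq 0)

        [pscustomobject]@{
            ValueName = $name
            Current   = $(if ($null -eq $value) { '(not defined)' } else { $value })
            Status    = $(if ($safe) { 'OK' } else { 'RISK: set to 0 or remove the value' })
        }
    }
}

# Usage: print the report and return a non-zero exit code if either value is risky,
# so the check can be dropped into a scheduled job or configuration-compliance run.
$report = Test-PointAndPrintMitigation
$report | Format-Table -AutoSize
if ($report.Status -like 'RISK*') { exit 1 }
```

The check deliberately treats "key absent" and "value absent" the same way, because both correspond to the default state Microsoft describes as safe; only an explicit non-zero DWORD is flagged. It does not confirm that the security update itself is installed, which the article lists as the first mitigation, so it complements patch verification rather than replacing it.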