2025-09-12

A hot potato: Microsoft has long said that security is a top priority at the company, but a US senator is far from convinced. Democrat Ron Wyden requested that the FTC investigate the Redmond firm for its alleged negligent role in several cyberattacks over the last few years, including the ransomware incident against Ascension in 2024.

In a letter sent to FTC chair Andrew Ferguson, Wyden said that Microsoft should be held responsible for "its gross cybersecurity negligence."

Wyden highlighted the ransomware attack on healthcare provider Ascension as an example of Microsoft's failings. Ascension, which operates 118 hospitals and hundreds of other facilities nationwide, revealed in December 2024 that 5.6 million people had their personal and medical data exposed in a cyberattack earlier that year. Hackers were potentially able to access a slew of sensitive information, including payment details, insurance information, Social Security numbers, addresses, and dates of birth.

The attack was enabled through a classic technique: a contractor accidentally downloaded a malicious file disguised as legitimate.

While Ascension said the incident was "an honest mistake," Wyden argues that Microsoft was to blame.

The senator writes that an Ascension contractor using one of the company's laptops conducted a search via Bing, the default engine used by Edge. The contractor clicked on a malicious link from one of the search results, which caused them to inadvertently download and open malware. This allowed hackers to infiltrate Ascension's network and install the ransomware.

Wyden said that the hack could have been avoided if Microsoft had patched a vulnerability called Kerberoasting, which is an attack on Active Directory that abuses Kerberos service tickets. Attackers request tickets encrypted with an account's RC4-HMAC hash, extract them, and then crack the hashes offline to recover service account passwords – often with elevated privileges.

The letter blames Microsoft's continuing support for RC4 encryption. It notes that the threat can be mitigated by requiring passwords of at least 14 characters, but Microsoft's software does not enforce that minimum for privileged accounts.
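The mechanism described in the two paragraphs above leaves a trace defenders can look for: every service ticket request is logged by the domain controller as Windows Security event 4769, and that record carries the ticket's encryption type, with 0x17 meaning RC4-HMAC. The script below is an added example, not code from the article, from Wyden's letter or from Microsoft. It works on a simplified dictionary form of the 4769 fields (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType) and on constructed sample records; in practice the same logic would be fed from a SIEM or from Get-WinEvent exports. It flags two things: any RC4-encrypted service ticket (the ciphertext an attacker would crack offline), and one account pulling RC4 tickets for many distinct services in a short window, which is what bulk ticket harvesting looks like in the log.

```python
"""Detect Kerberoasting-style activity in Windows Security event 4769 records.

Added example; the records below are constructed sample data, not real logs.
Field names follow the 4769 event ("A Kerberos service ticket was requested").
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17           # TicketEncryptionType for RC4-HMAC (derived from the NT hash)
AES_TYPES = {0x11, 0x12}  # AES128 / AES256-CTS-HMAC-SHA1-96; not flagged
SPN_THRESHOLD = 5         # distinct services per account inside WINDOW to alert
WINDOW = timedelta(minutes=5)


def _ev(minute, user, service, etype):
    """Build one constructed 4769-like record (assumed simplified shape)."""
    return {
        "TimeCreated": datetime(2025, 9, 1, 9, minute),
        "TargetUserName": user,          # account that requested the ticket
        "ServiceName": service,          # service account / SPN owner
        "TicketEncryptionType": etype,
    }


# Constructed sample events: normal AES traffic, one TGT renewal (krbtgt),
# one legacy host that still gets RC4, and one user harvesting six SPNs.
SAMPLE_EVENTS = [
    _ev(0, "alice@CORP.EXAMPLE", "CORPFS01$", 0x12),
    _ev(1, "bob@CORP.EXAMPLE", "krbtgt", 0x17),           # TGT renewal, ignored
    _ev(2, "legacyapp01$@CORP.EXAMPLE", "svc_sql", 0x17),  # single RC4 ticket
    *[
        _ev(3 + i, "jdoe@CORP.EXAMPLE", spn, 0x17)
        for i, spn in enumerate(
            ["svc_sql", "svc_http", "svc_mssql2", "svc_backup",
             "svc_sharepoint", "svc_exchange"]
        )
    ],
    _ev(30, "alice@CORP.EXAMPLE", "svc_sql", 0x12),
]


def rc4_ticket_events(events):
    """Return events where a non-krbtgt service ticket was issued with RC4.

    krbtgt tickets are TGT renewals rather than service tickets, so they are
    not crackable service-account material and are excluded here.
    """
    return [
        e for e in events
        if e["TicketEncryptionType"] == RC4_HMAC
        and not e["ServiceName"].lower().startswith("krbtgt")
    ]


def bulk_requesters(events, threshold=SPN_THRESHOLD, window=WINDOW):
    """Return {account: set_of_services} for accounts that obtained RC4 tickets
    for at least `threshold` distinct services inside any `window`-long span."""
    by_account = defaultdict(list)
    for e in rc4_ticket_events(events):
        by_account[e["TargetUserName"]].append((e["TimeCreated"], e["ServiceName"]))

    hits = {}
    for account, requests in by_account.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            spns = {svc for t, svc in requests[i:] if t - start <= window}
            if len(spns) >= threshold:
                hits[account] = spns
                break
    return hits


if __name__ == "__main__":
    for e in rc4_ticket_events(SAMPLE_EVENTS):
        print(f"RC4 service ticket: {e['TargetUserName']} -> {e['ServiceName']} at {e['TimeCreated']:%H:%M}")
    for account, spns in bulk_requesters(SAMPLE_EVENTS).items():
        print(f"ALERT bulk RC4 ticket requests by {account}: {sorted(spns)}")
```

The first signal is noisy on its own: a service account whose msDS-SupportedEncryptionTypes still allows only RC4, or a legacy appliance, will produce 0x17 tickets every day, so baseline those and treat a new RC4 requester as the interesting event. The second signal is the stronger one. Both become moot for a given account once it is moved to AES-only encryption types and given a long password, which is exactly the mitigation the letter describes.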

Following the disclosure of the Ascension breach, Wyden said his staff met with Microsoft in July 2024 and urged the company to alert enterprise customers about the Kerberoasting threat. Microsoft eventually did so in October through a post, which also noted plans to deprecate RC4 and disable it by default in "a future update to Windows 11 24H2 and Windows Server 2025."

In his letter, however, Wyden criticized Microsoft for failing to deliver the promised update nearly a year later. He also said the company did little to publicize its Kerberoasting advisory, leaving "most companies, government agencies, and nonprofits that are Microsoft customers" likely still exposed.

Responding to the letter, Microsoft said that RC4 is an old standard that makes up less than 0.1% of its traffic, and it discourages its use both in how it engineers software and in its documentation to customers.

"However, disabling its use completely would break many customer systems," the company added. "For this reason, we're on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible. We have it on our roadmap to ultimately disable its use. We've engaged with the senator's office on this issue and will continue to listen and answer questions from them or others in government."

Microsoft said that RC4 will be disabled by default in any new installations of Active Directory Domains using Windows Server 2025 starting in the first quarter of 2026. "We plan to include additional mitigations for existing in-market deployments with considerations for compatibility and continuity of critical customer services," it added.

It was reported last year that Microsoft was so concerned about its security issues following the CrowdStrike fiasco and other incidents that it was binding employee bonuses to their security performance.