FTC Urged to Probe Microsoft Over Security Practices Linked to Major Cyber Incidents


A recent call from U.S. Senator Ron Wyden has renewed scrutiny of Microsoft’s cybersecurity practices, urging the Federal Trade Commission (FTC) to investigate the tech company over what he describes as systemic security weaknesses with national security implications.

In a letter dated September 10 to FTC Chairman Andrew Ferguson, Wyden cited Microsoft’s long-standing dominance in enterprise IT and claimed that default configurations and outdated security protocols in its software have contributed to major cybersecurity breaches. He pointed to a 2024 ransomware attack on Ascension, a large U.S. hospital network, as a particularly stark example.

According to Wyden, the breach originated when a contractor clicked a malicious link via Microsoft’s Bing search engine. That initial compromise allowed attackers to gain access to Ascension’s Microsoft Active Directory system, which manages user authentication across the organization. The result was the exposure of sensitive health and insurance data of nearly 5.6 million individuals.

This is not the first time Wyden has criticized Microsoft’s handling of cybersecurity. He has previously highlighted the company’s role in other major incidents, including the 2023 SolarWinds breach linked to Chinese state-sponsored hackers.

The Senator claims that Microsoft’s continued support for legacy encryption, specifically the RC4 cipher, enabled the attack vector used in the Ascension incident. Although RC4 has been widely deprecated in the security community, it remains an option in some Microsoft products. Wyden argues that Microsoft has not done enough to phase it out or to guide customers toward safer alternatives.

According to Reuters, Microsoft responded by acknowledging that RC4 now accounts for less than 0.1% of its traffic and saying that it advises customers against its use. The company explained that disabling RC4 outright would disrupt many customer environments, but confirmed plans to turn it off by default in certain Windows products starting in early 2026. Additional mitigations for existing systems will also be implemented, according to the company.
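In Active Directory, RC4 survives chiefly as a Kerberos ticket encryption type (RC4-HMAC, etype 0x17), so before the default flips a defender wants an inventory of which service principals and clients still negotiate it. Windows records that in Security event 4769 ("A Kerberos service ticket was requested"), which carries a Ticket Encryption Type field. The following script is an added illustration, not code from the article, from Wyden's letter, or from Microsoft: it assumes the events have already been flattened to one key=value line each (a simplification of the real XML event shape), and the account names, service names and addresses in the sample are constructed.

```python
"""Flag Kerberos service-ticket requests issued with legacy encryption types.

Assumes Windows Security event 4769 records have been exported as one
key=value line per event (a constructed, simplified format; real events are
XML/EVTX). Encryption type codes are the standard Kerberos etype numbers as
Windows logs them in hex.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Kerberos etype codes as they appear in the 4769 "Ticket Encryption Type" field.
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
# DES and RC4 variants are the ones a migration to AES needs to eliminate.
LEGACY_ETYPES = frozenset({0x01, 0x03, 0x17, 0x18})

# Constructed sample export: four well-formed 4769 events, one 4768 (TGT
# request, not a service ticket) and one record with an unparsable etype.
SAMPLE_4769 = """\
EventID=4769 AccountName=alice@CORP.EXAMPLE ServiceName=MSSQLSvc/db01.corp.example:1433 TicketEncryptionType=0x12 ClientAddress=10.0.0.5
EventID=4769 AccountName=svc-backup@CORP.EXAMPLE ServiceName=HTTP/legacy01.corp.example TicketEncryptionType=0x17 ClientAddress=10.0.0.9
EventID=4769 AccountName=bob@CORP.EXAMPLE ServiceName=HTTP/legacy01.corp.example TicketEncryptionType=0x17 ClientAddress=10.0.0.21
EventID=4769 AccountName=carol@CORP.EXAMPLE ServiceName=cifs/fs02.corp.example TicketEncryptionType=0x11 ClientAddress=10.0.0.7
EventID=4768 AccountName=dave@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x17 ClientAddress=10.0.0.30
EventID=4769 AccountName=erin@CORP.EXAMPLE ServiceName=ldap/dc01.corp.example TicketEncryptionType=garbage ClientAddress=10.0.0.8
"""


@dataclass(frozen=True)
class TicketRequest:
    account: str
    service: str
    etype: int
    client_ip: str

    @property
    def etype_name(self) -> str:
        return ETYPE_NAMES.get(self.etype, f"unknown(0x{self.etype:x})")

    @property
    def is_legacy(self) -> bool:
        return self.etype in LEGACY_ETYPES


_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_4769(text: str) -> list[TicketRequest]:
    """Parse flattened records, keeping only 4769 events with a valid hex etype."""
    requests: list[TicketRequest] = []
    for line in text.splitlines():
        fields = dict(_FIELD_RE.findall(line))
        if fields.get("EventID") != "4769":
            continue
        try:
            etype = int(fields["TicketEncryptionType"], 16)
        except (KeyError, ValueError):
            continue  # malformed record: skip rather than mis-classify it
        requests.append(TicketRequest(
            account=fields.get("AccountName", "?"),
            service=fields.get("ServiceName", "?"),
            etype=etype,
            client_ip=fields.get("ClientAddress", "?"),
        ))
    return requests


def legacy_tickets(requests: list[TicketRequest]) -> list[TicketRequest]:
    """Every service ticket that was issued with a DES or RC4 etype."""
    return [r for r in requests if r.is_legacy]


def legacy_by_service(requests: list[TicketRequest]) -> dict[str, int]:
    """Count legacy-etype tickets per service principal.

    Services at the top of this list are the ones whose accounts still need
    AES keys (or corrected msDS-SupportedEncryptionTypes) before RC4 is
    switched off by default.
    """
    return dict(Counter(r.service for r in requests if r.is_legacy))


if __name__ == "__main__":
    parsed = parse_4769(SAMPLE_4769)
    for req in legacy_tickets(parsed):
        print(f"LEGACY {req.etype_name:9s} {req.account:28s} -> {req.service} from {req.client_ip}")
    print("per-service totals:", legacy_by_service(parsed))
```

Run against a real export, the per-service totals are the work list: each service principal that still receives RC4 tickets is one whose account keys or supported-encryption-type settings must be fixed, and re-running the count after the change confirms the fix took effect before a default-off update arrives.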