A US Senator is demanding a federal investigation into Microsoft’s security practices after default system configurations were blamed for a devastating ransomware attack that paralyzed one of America’s largest hospital networks.

Senator Ron Wyden (D-OR) fired off a letter to Federal Trade Commission chair Andrew Ferguson on September 10, 2025, urging the agency to open a formal probe into whether Microsoft shipped “dangerous, insecure software” that materially enabled the 2024 breach at Ascension, a Catholic nonprofit operating 140 hospitals nationwide. The attack disrupted surgeries, forced clinicians back to pen and paper, and exposed personal and medical data belonging to roughly 5.6 million patients.

Wyden’s letter paints Microsoft not just as a careless vendor, but as a threat to national security. “I urge the FTC to investigate Microsoft and hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software to the US government and to critical infrastructure entities, such as those in the US healthcare sector,” he wrote.

The Ascension Attack: A Chain Reaction of Default Failures

Details obtained by Wyden’s office from Ascension reveal how a relatively mundane user action cascaded into a systemic crisis. A contractor using a company laptop clicked on a malicious search result while using Bing, which downloaded malware onto the device. From that initial foothold, the attackers exploited default Windows and Active Directory configurations to escalate privileges, move laterally across the network, and eventually deploy ransomware across thousands of machines.

The impact was immediate and severe. Surgeries were cancelled or delayed, emergency rooms diverted patients, and medical staff reverted to handwritten notes for critical care functions. In the aftermath, Ascension disclosed that sensitive data—including medical histories, treatment records, and personal identifiers—was stolen for 5.6 million individuals, making it one of the largest healthcare data breaches in recent history.

Wyden’s letter asserts that the breach was not an isolated failure but a symptom of a “culture of negligent cybersecurity” at Microsoft, amplified by the company’s de facto monopoly in enterprise operating systems. Because Windows and Active Directory underpin much of the nation’s critical infrastructure, he argues, insecure defaults set a dangerously low security baseline for healthcare, government, and other vital sectors.

Kerberoasting and the RC4 Encryption Problem

At the technical core of Wyden’s complaint is a decades-old attack technique known as Kerberoasting. In Active Directory environments, service accounts are associated with Service Principal Names (SPNs) that allow clients to request Kerberos service tickets. An attacker with any valid domain account can request a ticket for a target SPN, extract it from memory, and then brute-force the service account’s password offline—because the ticket is encrypted using a key derived from that password.

The speed and feasibility of such attacks depend heavily on the encryption type protecting the ticket. Microsoft continues to support the RC4 stream cipher as a default or allowable encryption type for Kerberos, despite years of warnings from cryptographers. RC4 is known to be weak, with well-documented biases that make offline cracking dramatically faster than with modern alternatives like AES; in Kerberos specifically, the RC4-HMAC ticket key is the account's unsalted NT hash (a single MD4 of the password), whereas AES keys are derived with a salted, iterated PBKDF2, so each RC4 guess is orders of magnitude cheaper. Security researchers and industry standards bodies deprecated RC4 for TLS and other protocols long ago, yet it persists in Windows environments largely for backward compatibility.

Wyden’s letter highlights that Microsoft acknowledged the risk in October 2024, publishing guidance on mitigating Kerberoasting and stating an intention to disable RC4 by default in future Windows updates. However, nearly a year later, no such update has materialized for all supported versions. Critics say the promised patch is still “forthcoming,” leaving countless organizations exposed.

The senator also criticized Microsoft for burying that guidance in what he described as an obscure Friday blog post rather than proactively warning all affected customers—especially those in healthcare and critical infrastructure—about the active threat.

Why Defaults Are the Real Battlefield

In enterprise IT, defaults are destiny. Overstretched administrators rarely change settings that ship out of the box, especially when altering them might break legacy applications. Active Directory environments are particularly prone to this inertia: many organizations have decades-old service accounts, third-party integrations that require older Kerberos encryption types, and password policies that fall short of what’s needed to resist modern brute-force attacks.

Kerberoasting exploits all three of these gaps at once. RC4’s cryptographic weaknesses reduce the time needed to crack a service account password from weeks or months to minutes or hours. If that password is short, common, or rarely rotated—and Microsoft’s default password policies do not mandate the 25+ character, randomly generated credentials needed to withstand such attacks—the network is effectively wide open once an attacker gains a low-privilege initial foothold.

Microsoft’s own guidance has long advised administrators to audit SPNs, enforce AES encryption types, and rotate service account credentials frequently. But these remain manual or scripted interventions that require deep expertise and constant vigilance. The gap between vendor recommendation and customer implementation is precisely what Wyden says leaves critical services at systemic risk.
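As an added example, not drawn from the article or from Microsoft's tooling: a small Python script that applies the two classic Kerberoasting detections (an RC4 service ticket being issued for a non-computer service account, and one requester pulling many distinct service tickets in a short window) to constructed Windows Security event 4769 records. The record layout, sample values, and the five-in-five-minutes threshold are assumptions chosen for illustration.

```python
"""Flag Kerberoasting indicators in Windows Security event 4769 (service ticket request) records."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17           # TicketEncryptionType value for RC4-HMAC tickets
AES_TYPES = {0x11, 0x12}  # AES128 / AES256, the types AD should be issuing

# Constructed sample 4769 records (assumption: fields mirror the event's
# TargetUserName, ServiceName, TicketEncryptionType and Status columns).
SAMPLE_4769 = [
    {"time": "2025-09-10T10:00:01", "user": "jdoe",   "service": "WEB01$",     "enc": "0x12", "status": "0x0"},
    {"time": "2025-09-10T10:00:05", "user": "jdoe",   "service": "krbtgt",     "enc": "0x12", "status": "0x0"},
    {"time": "2025-09-10T10:02:10", "user": "ctr01",  "service": "svc_sql",    "enc": "0x17", "status": "0x0"},
    {"time": "2025-09-10T10:02:11", "user": "ctr01",  "service": "svc_backup", "enc": "0x17", "status": "0x0"},
    {"time": "2025-09-10T10:02:12", "user": "ctr01",  "service": "svc_web",    "enc": "0x17", "status": "0x0"},
    {"time": "2025-09-10T10:02:13", "user": "ctr01",  "service": "svc_sp",     "enc": "0x17", "status": "0x0"},
    {"time": "2025-09-10T10:02:14", "user": "ctr01",  "service": "svc_mon",    "enc": "0x17", "status": "0x0"},
    {"time": "2025-09-10T10:45:00", "user": "asmith", "service": "svc_sql",    "enc": "0x12", "status": "0x0"},
]


def interesting(ev):
    """Keep successful requests for user-style service accounts (not krbtgt, not computer accounts)."""
    svc = ev["service"]
    return ev["status"] == "0x0" and svc != "krbtgt" and not svc.endswith("$")


def rc4_service_tickets(events):
    """Return sorted (requester, service) pairs for which an RC4-HMAC ticket was issued."""
    hits = {(ev["user"], ev["service"]) for ev in events
            if interesting(ev) and int(ev["enc"], 16) == RC4_HMAC}
    return sorted(hits)


def burst_requesters(events, window=timedelta(minutes=5), threshold=5):
    """Map requester -> count of distinct services when >= threshold distinct tickets fall in one window."""
    per_user = defaultdict(list)
    for ev in events:
        if interesting(ev):
            per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):          # slide the window from each request
            distinct = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                flagged[user] = len(distinct)
                break
    return flagged


if __name__ == "__main__":
    print("RC4 service tickets:", rc4_service_tickets(SAMPLE_4769))
    print("Burst requesters:", burst_requesters(SAMPLE_4769))
```

In a real deployment the same two checks would run over 4769 events exported from domain controllers; an AES-only environment makes the first check fire on any RC4 ticket at all.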

Microsoft’s Response and the Secure Future Initiative

Redmond has not been silent. In 2025, the company launched its Secure Future Initiative (SFI), a high-profile, multi-year effort to embed “secure by design, secure by default, and secure operations” into its engineering culture. Company progress reports tout new threat-modeling toolkits, governance reforms, and product changes that aim to raise the security floor across Windows, Azure, and Microsoft 365.

On the RC4 issue specifically, Microsoft has said that RC4 traffic now represents only a tiny fraction of overall Kerberos usage and that it is proceeding with a phased plan to disable the cipher by default. The company points to detailed technical documentation that helps customers manually migrate to AES and notes that newer Windows releases already discourage RC4 in certain scenarios.

But Wyden and other critics argue that voluntary, gradual, and largely customer-driven mitigation is insufficient when market dominance magnifies every flaw. They contend that Microsoft should have shipped a forced, default-disable update for RC4 across all supported platforms immediately after acknowledging the risk—and should have sent plain-English warnings to every healthcare and government customer describing the threat and required actions.

Regulatory Firestorm and the FTC’s Role

Wyden’s letter marks a sharp escalation from technical criticism to legal accountability. He asks the FTC to determine whether Microsoft’s product defaults and disclosure practices constitute unfair or deceptive acts under Section 5 of the FTC Act. If the commission opens an investigation and ultimately takes enforcement action, it could compel binding changes to how Microsoft ships software—mandating secure defaults, enforced timelines for removing legacy crypto, and transparent, direct-to-customer advisories when known risks affect critical infrastructure.

Such a move would shatter the traditional hands-off approach to software vendor liability. It would also build on a growing body of government scrutiny. In 2024, the Cyber Safety Review Board issued a blistering report on a 2023 Chinese state-sponsored hack of US government email accounts, concluding that “inadequate” security culture at Microsoft had worsened the incident’s fallout. Wyden’s letter explicitly cites that report as evidence that internal reform efforts have not gone far enough or fast enough.

The senator also drew a provocative analogy likening Microsoft to “an arsonist selling firefighting services,” pointing to the company’s multibillion-dollar cybersecurity add-on business. While Microsoft disputes this characterization, the rhetorical jab underscores a broader critique: that dominant platform vendors may have perverse incentives to maintain enough baseline insecurity to sustain demand for premium security products.

What Can Be Done: Technical and Policy Fixes

Whether driven by regulation or market pressure, experts agree a credible remediation path must combine immediate operational steps with longer-term platform changes.

Product-level changes:
- Disable RC4 by default across all supported Windows Server and client versions, with clear group policy toggles for legacy compatibility.
- Ship mandatory, post-installation security baseline prompts that guide administrators through hardening AD environments.
- Provide automated scanning and one-click remediation for common Kerberoasting vulnerabilities via tools like Microsoft Defender for Identity or Azure AD.

Operational controls for customers:
- Audit and eliminate unnecessary SPNs and restrict service account privileges.
- Enforce long, complex, machine-generated passwords for all service accounts and rotate them automatically.
- Move toward passwordless authentication, managed identities, and Just-in-Time access where feasible, reducing reliance on crackable secret-based credentials.

Regulatory and transparency measures:
- Mandate binding timelines for phasing out insecure defaults when a vendor holds market power that affects critical infrastructure.
- Require plain-language, directly delivered advisories to sector-specific administrators (healthcare, energy, government) when vendor defaults or known vulnerabilities create systemic risk.
- Improve disclosure requirements so that compatibility-driven security trade-offs are transparently documented and justified, rather than buried in technical white papers.

Stakes for Healthcare and Critical Infrastructure

For hospital systems, the Ascension breach is a harrowing reminder that cybersecurity is a patient safety issue. When surgeries are cancelled and electronic health records become inaccessible, the danger is immediate. Vendor defaults that make lateral movement easier are not abstract engineering choices—they are design decisions with direct, often devastating, human consequences.

If the FTC acts, the precedent would extend far beyond Microsoft. It would signal that any software provider whose product underpins critical services must accept a higher duty of care, shipping secure defaults and proactively warning users about residual risks. If the agency declines to open an investigation, the onus falls back on individual organizations to harden systems that are often too complex and under-resourced to do so effectively.

The Wyden letter thus crystallizes a governance question that has been building since the SolarWinds and Colonial Pipeline incidents: when a single company’s design choices shape the security posture of millions of organizations, should regulators compel a higher baseline? The answer will influence not just Microsoft’s product roadmap, but the very structure of accountability in the software industry for years to come.