Last month the Russian state-sponsored hacking group “Midnight Blizzard” gained access to the email accounts of Microsoft leadership, even exfiltrating documents and messages. The group reportedly used a simple brute-force style attack to access a forgotten test account and then exploited the permissions on that account to access the emails of employees in the cybersecurity and legal teams.

Microsoft succumbing to a cyberattack due to vulnerabilities its own products is no surprise. The company has a history of failing to protect customers in the digital world it helped build. Why has Microsoft, a software pioneer and the most valuable company in the world, been able to neglect its cybersecurity responsibilities? One key reason: its size.

Today, millions of businesses both large and small, federal agencies included, rely on Microsoft products to perform the same basic tasks: send emails, manage spreadsheets, store files, and write documents. In 2022, Microsoft controlled nearly half of the business software market, with 80% of Fortune 500 companies using their products. Another study found that Microsoft represents 85% of public sector productivity software, a quarter of which it does not even compete for.

A single cyberattack can have devasting consequences for an enterprise. The 2021 ransomware attack against the Colonial Pipeline forced it to pause operations. Entire hospitals closed their doors for good due to cyberattacks. And the personal details of every security clearance holder were stolen from the federal government.

Think about the magnitude of damage if hackers get deeper into Microsoft’s systems. The repercussions could be catastrophic.

Unfortunately, this is not a far-fetched hypothetical. Despite Microsoft’s dominance in enterprise software, its market cap, and apparent sophistication in AI, the company’s products have been defeated by hackers in a series of high-stakes cyberattacks over the past few years:

• Last year, Chinese hackers exploited a “fundamental gap” in Microsoft’s cloud, which allowed them to access the emails of top U.S. government officials, including Secretary of Commerce Gina Raimondo.
• A 2021 hack against Microsoft Exchange allowed exfiltrated emails from government agencies around the world.
• In the 2020 SolarWinds breach, Midnight Blizzard, the same group behind this latest attack was able to prolong the event by exploiting a compromised Microsoft device.
• In 2017, a vulnerability in the Windows operating software allowed a worm called “WannaCry” to infect 300,000 devices, causing billions in damages.
• Since 2014, Microsoft products have been responsible for 46% of zero-day vulnerabilities discovered.

There are many reasons that might explain Microsoft’s apparent cavalier attitude towards cybersecurity. But when a firm reaches a certain market size, it doesn’t have to compete as vigorously and can raises prices, degrade quality, or reduce innovation. That’s how a three-trillion dollar company that is seen a global leader in AI can keep profiting from buggy products like Office 365. If you’ve ever tried searching your Outlook email, “innovative” would not be the word that comes to mind.

The problem is compounded by Microsoft’s “vendor lock-in” strategy, where the company offers a “suite” of fully integrated products, which make it cumbersome to use non-Microsoft products, or impose prohibitively high switching costs. That’s why the European Union is currently investigating the company’s bundling of its videoconferencing software Teams with Office 365. It’s also why the Federal Trade Commission is scrutinizing Microsoft’s dominance in video games and generative AI.

Regulators must ensure a competitive marketplace not just to uphold the principles and laws of antitrust, but to address the consumer harm from the lax cybersecurity practices downstream of market dominance. While it’s critical for businesses of any size to practice cyber hygiene, regulators must consider whether companies like Microsoft have become too large and consolidated to care.