Microsoft Dependency Has Risks
This is not an opinion, this is not an opinion... it's an opinion, isn't it?
There was a recent incident where Microsoft allegedly blocked the mailbox of a sanctioned individual. Any organization that depends heavily on MS products and might come into the crosshairs should ask: can this happen to me? What would it cost? How much should I invest in preventing this scenario? In this article I try to get the facts straight and use a return on security investment calculation to judge the situation in a rational way. Let’s grab our tinfoil hats and find out if it’ll be fine.
I don’t like to cover recent news. But I do want to take a moment and consider a couple of implications of the recent alleged blocking of Microsoft services for the ICC.
For better or for worse, availability and business continuity usually fall under the security umbrella. That’s why I want to have a clear reference of this situation and some organized thoughts.
I will try and stick to the facts and hypotheticals. If you catch me having and voicing an opinion, please let me know and I’ll try and adjust accordingly. Alternatively, feel free to take a drink whenever you spot an opinion and then blame your drunkenness on this article. For legal reasons, that’s a joke.
I have these questions:
What happened?
What is the probability of an MS cutoff?
What is the cost of an MS cutoff?
How much should I invest to prevent this?
I’ll try to answer each of those in a separate section.
Microsoft blocked ICC employee mailbox?
The story, summarized for a tweet, is basically: Trump introduced sanctions against the ICC and Microsoft disabled the account of at least one such official, locking them out of their work mailbox.
Sources supporting the claim:
Trump’s sanctions on ICC prosecutor have halted tribunal’s work (Associated Press, 15-05-2025)
Microsoft's ICC email block triggers Dutch concerns over dependence on U.S. tech (NL Times, 20-05-2025)
Sources disputing the claim:
Microsoft didn’t cut services to International Criminal Court, its president says (Politico, 04-06-2025)
Here the claim is that only a single person was targeted, rather than the whole court. The article does not dispute that the single person was targeted.
Critical part:
Microsoft declined to comment further in response to questions regarding the exact process that led to Khan's email disconnection, and exactly what it meant by “disconnection.” The ICC declined to comment.
Other sources:
Microsoft’s Solution for the Trump Problem (“Microsofts Lösung für das Trump-Problem”, Wirtschafts Woche, 05-06-2025)
Danish department determined to dump Microsoft (The Register, 13-06-2025)
There is a non-zero chance of this event repeating
The chain of events observed is roughly:
USA imposes sanctions
Microsoft complies with said sanctions by blocking its customer.
I am not a lawyer, so I won’t go into any detail of whether this is legal. I’d rather argue that by the time legality is established, the damage has already been done. No doubt that plenty of requests will be perfectly legal.
No reason required to impose sanctions
I have to talk about the current US president, since it seems that he has massive power over this process.
Trump’s politics are, for lack of a better publishable word, unpredictable. This is even worse than if he were straight up hostile to everyone, because then it would be easier to justify a very costly change. Check this for further explanation, especially:
Ironically, Trump’s additional goal of “reshoring” manufacturing to the U.S. is undercut by his own tariff unpredictability. Both domestic and foreign investors are loath to invest in reshored or new U.S. industries when there is no way to know what the specific tariffs will be for each product and each country.
There seems to be no clear way of knowing whether you or your company will be at odds with Trump (and, by extension, with the USA) in the near future.
Ok, so a decision to impose sanctions was made. Can it be executed? It seems that yes.
Surely, this is temporary - after all, it’s his second term and that will end one day. Or not - Trump Says He Will ‘Negotiate’ Third Term Because He’s ‘Entitled’ To It. That will be decided in 2028, which is sort of far away¹.
If you’d like to oppose the observation that Trump will impose sanctions in a wildly unpredictable manner, be my guest. I am not saying that it will happen every day, I am saying that it takes one bad public remark from one of the company leaders and the whole company might be a target (example 1, example 2 (from 2018!)).
There is some silver lining though: this isn’t happening very often. That’s not a small observation, as we’ll see. Should this mechanism prove effective, we might see an acceleration; should Microsoft push back more, we might not.
Continuing our hypothetical, the sanctions go live. Let’s see what MS would do.
Microsoft seems to be able and willing to comply with sanctions
This is the real story in my opinion (I know, erasing, getting back to facts).
It’s no secret that MS has billions of USD contracted with various US departments. Example contract with a ceiling of 9 billion dollars, further commentary by The Register.
If I wanted to convince Microsoft to do something, I would threaten to pull my contracts with them. If you think this is irrational, please refer to the previous section.
MS now has a decision to make. No matter what they do, they are bound to anger someone. Moreover, it can be hard to predict who, how and for how long (rarely indefinitely). What’s easier to predict is whether you are losing some amount of money or possibly an absolutely ludicrous amount of money.
That’s why I argue it’s likely that MS will comply with requests of the US government. And let’s not forget that plenty of those requests might be perfectly legal and binding.
Again, silver lining - you’d argue that this rarely happens, and you’re right. The chances of this happening are very slim, but the consequences are dire. There’s no doubt to me that the vast majority of companies will be able to sit through this with no harm at all.
To comply with sanctions, you need levers. MS has them.
Let me offer another perspective, namely that the software world has changed. Here I’ll argue that software companies have a new ability (and responsibility) to enable/disable their software. Remember keygens²?
You see, if I had walked up to Microsoft in 1999 with a demand to shut down a company, it might not have been possible. The company would have had its own email servers, backups and MS software that would continue working offline, as there was no server to disable it.
Today, everybody knows that they can cut the lifeline to all of their products, completely disabling them in the process. MS 365 is the most obvious example, anything Azure a close second. A final example here is a feature I was looking forward to for some time - Python in Excel. I was horrified to learn that there’s an Azure container behind every cell of a spreadsheet executing the Python code instead of… you know, my PC doing the work.
To provide the opposite view, there are cases when Microsoft absolutely should refuse to provide their services. I am surprised that the law enforcement isn’t asking them to pull the plug more often (at least I don’t know about such cases).
And to conclude with a number, there are more than 2 million companies in the world that use Microsoft 365 products. So let’s just say that your chance of being selected in a given year is 1 in 2 million. Of course, this probability might go up and down, but let’s say that it’s not likely to jump by several orders of magnitude.
If you critically depend on MS services, losing them really hurts
Two steps again, let’s find out:
how do companies depend on MS,
what a full MS outage looks like.
To give credit to Microsoft, rarely do their services fail completely. There isn’t a whole lot of data for these cases (AFAIK, please send some if you have them).
Companies critically depend on Microsoft
To me, this is a no-brainer (is that an opinion?). It’s a good place to mention the famous Embrace, Extend, Extinguish slogan of MS. I was trying quite hard to find any kind of sources on this, but they are surprisingly scarce (reddit agrees).
I thought that the share of OSes observed would showcase this well, but no, Android wins with ~46% against ~25% for Windows (did you know that there are more mobile phone owners than toothbrush owners?). The last trick I have is to go to any PC vendor. Nearly all have Windows pre-installed - check this very limited list of non-Windows PC vendors.
IT is not only the workstations. If you imagine a typical MS enabled IT department, you’d find:
Communication through MS Exchange and MS Teams,
Intranet in MS Sharepoint,
Documents in MS Office,
MS Active Directory variant for identity management and auth,
Backups in MS Azure and/or MS OneDrive,
Windows in employee workstations.
This dependency on MS services further increases when using their MS 365 suite, which provides cloud SaaS backend for the above.
Of these, the email point seems to be the most critical. In 2025, you really want a big provider to handle your email - this point is so non-controversial that you have hosting companies advocating against hosting your own email. While it seems that Android phones strike again (you pretty much need a Gmail account to use them), Outlook is in second place for business usage (also quite hard to find good sources).
Outages are bad and expensive (duh)
Imagine that suddenly none of this works. Good luck getting any work done. Arguing that workers need to communicate and process documents for a company to function is out of scope for this article.
As a recent example, the CrowdStrike incident of July 2024 lasted about a day and cost the average Fortune 500 company 44 million dollars. Since it was a Windows-based solution, I’d say it closely resembles a full MS outage. You might say it’s not a lot of money, but imagine if the issue stayed for a week or a month, and perhaps longer.
Another source points at a conservative estimate of 1670 USD per minute of outage for SMBs and up to 16700 USD per minute per server (!) for enterprises (yes, it’s 100k USD per hour and a million per hour, I saw that). A 2014 study by Gartner puts the average at 5600 USD per minute, which is aligned with the previous numbers.
If MS decided to cut you off, it would take some time to regroup. Try and be honest with yourself. Can you build a whole new IT stack for a company in 14 days? Let’s say that yes. The cost is still ridiculous - 33 667 200 USD for our SMB example, around 113 million USD with the Gartner estimate. For huge enterprises? The sky is the limit.
How much is rational to invest in prevention?
I finally have an excuse to write about return on security investment (ROSI). Businesses love the return on investment formula (ROI), and ROSI is an attempt to modify it to be more applicable for security purposes. The issue is that security doesn’t generate any profit whatsoever. We are in the business of loss prevention. If our loss reduction is greater than our security investment, we’re winning.
To fully utilize the formula, we need to define a couple of terms:
Single Loss Expectancy: The thing happens once, how much does it cost? Let’s start with the lower bound of 34 million USD.
Annual Rate of Occurrence: How often does the thing happen? Previously we guesstimated 1 / 2 000 000.
Annual Loss Expectancy: Multiply the above together and you’re getting how much you’re losing on average. In our case that’s 17 USD a year (hold on…).
Mitigation Ratio: How effective is the change that we’ve introduced? Say that we’ve migrated to Linux and this risk is now zero. That means the mitigation ratio is 100%, which translates to 1 in such formulas. In reality, the chance of your company failing to maintain a fleet of Linux machines is probably higher than 1 in 2 million.
Solution Cost: The cost of the security solution. Usually an input, but since in this case it’s quite hard to calculate, I’ll turn the formula around and solve for this variable and we’ll get a maximum effective budget.
Return on security investment: Finally, we’ll use all of the data above to calculate ROSI.
Turning the formula around, solving for solution cost:
Let’s assume that ROSI isn’t -100% (that is, -1 in the formula) - that would mean that either the annual loss expectancy is 0 (nothing to do) or the solution mitigated nothing.
Let’s also say that we want a ROSI of 100% - the solution should pay for itself in a year. We’re getting a measly 8.50 USD as the maximum budget for a perfect SMB solution. But hey, the MS licenses and service fees we’ve cut should be added on top of it!
Enterprises might have some more room to manoeuvre. Recall the 16 700 USD per minute per server, imagine a deployment of 1000 servers and you’re looking at a maximum budget of about 84 168 USD a year. That’s… one DevOps engineer? Maybe two? Handling all of the IT of a large enterprise? I don’t think that’s going to work either.
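The outage-cost and ROSI arithmetic above, as an added example (my own code, not the author’s). It uses the standard ROSI formula, ROSI = (ALE × mitigation ratio − cost) / cost, solved for the cost, and the article’s inputs (1670 and 16700 USD per minute, a 14-day rebuild, ARO of 1 in 2 million); the SMB result comes out as 8.42 USD because the article rounded the 33.67 million SLE up to 34 million before dividing. The last function asks the question the other way round: how likely would the cutoff have to be before a given budget pays for itself?

```python
"""ROSI calculator for the MS-cutoff scenario (added example, not the article's code)."""
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60


@dataclass
class RosiInputs:
    cost_per_minute_usd: float      # outage cost per minute (per server in the enterprise case)
    outage_days: float              # time needed to rebuild the IT stack without Microsoft
    units: int = 1                  # number of servers when the per-minute figure is per server
    aro: float = 1 / 2_000_000      # annual rate of occurrence, the article's guesstimate
    mitigation_ratio: float = 1.0   # 1.0 means the change removes the risk entirely


def single_loss_expectancy(inp: RosiInputs) -> float:
    """SLE: what the event costs if it happens once."""
    return inp.cost_per_minute_usd * inp.outage_days * MINUTES_PER_DAY * inp.units


def annual_loss_expectancy(inp: RosiInputs) -> float:
    """ALE = SLE x ARO: the average yearly loss from this scenario."""
    return single_loss_expectancy(inp) * inp.aro


def rosi(inp: RosiInputs, solution_cost_usd: float) -> float:
    """ROSI = (ALE x MR - cost) / cost, as a fraction (1.0 == 100%)."""
    if solution_cost_usd <= 0:
        raise ValueError("solution cost must be positive")
    avoided = annual_loss_expectancy(inp) * inp.mitigation_ratio
    return (avoided - solution_cost_usd) / solution_cost_usd


def max_solution_cost(inp: RosiInputs, target_rosi: float = 1.0) -> float:
    """Solve the ROSI formula for the cost: cost = ALE x MR / (1 + ROSI).

    A ROSI of -100% (target_rosi == -1) has no finite answer, as the article notes."""
    if target_rosi <= -1.0:
        raise ValueError("ROSI of -100% or worse gives no usable budget")
    return annual_loss_expectancy(inp) * inp.mitigation_ratio / (1.0 + target_rosi)


def required_aro(inp: RosiInputs, budget_usd: float, target_rosi: float = 1.0) -> float:
    """How often must the cutoff happen per year for a budget to reach the target ROSI?"""
    sle = single_loss_expectancy(inp) * inp.mitigation_ratio
    return budget_usd * (1.0 + target_rosi) / sle


if __name__ == "__main__":
    smb = RosiInputs(cost_per_minute_usd=1670, outage_days=14)
    enterprise = RosiInputs(cost_per_minute_usd=16700, outage_days=14, units=1000)
    print(f"SMB SLE: {single_loss_expectancy(smb):,.0f} USD")
    print(f"SMB max budget at 100% ROSI: {max_solution_cost(smb):.2f} USD")
    print(f"Enterprise max budget at 100% ROSI: {max_solution_cost(enterprise):,.0f} USD")
    print(f"ARO needed to justify 500k USD for the SMB: 1 in {1 / required_aro(smb, 500_000):.0f} years")
```

Running it shows the point made later in the article: a 500k USD migration budget for the SMB only pays off at 100% ROSI if the cutoff happens about once every 34 years, not once in 2 million.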
But wait! We forgot to add the MS services and licenses we’re dumping. Now we have something to work with - there is a single report noting that Walmart spent 580 million USD on MS services (see - this is approximately 5% of US Gov spend on MS). With that budget, you can certainly try and build your own cloud. You’d still have to be more efficient than Microsoft though - that’s a challenge. And train all of your users to use something else. Good luck.
Wait, what? This doesn’t make any sense.
The issue with this approach is that it’s only as good as the data you put in. Tweaking the variables gets you nowhere, really: the probability of this occurring is so small that, unless you have some confidence that the US government would be out to get you through MS products, it will simply drown any cost.
Getting good data is tough. Take a good look at how many assumptions we’ve made along the way. There is not a single solid number anywhere in the process. This issue is bigger than you’d think, and I hate to conclude that these calculations are practically impossible. Blessed are the lawyers, for they shall inherit cybersecurity (go read this, seriously).
What does this say about security? We just can’t seem to find good enough data to model the situations we’re facing. On one hand, it shows the immaturity of the field. Arsonists have been burning buildings for thousands of years, while the internet is not even a hundred years old! On the other hand, we all know that the field is changing rapidly and it’s hard to keep up with all the advances. Of course it’s hard to get a solid dataset when attackers shift their tactics by the month.
Taking a look at the single incident cost - it doesn’t feel right to ignore it either. A single incident cost in the millions of dollars is a death sentence for most small companies. Alas, ignoring it is the rational thing to do. And that’s why risk management is hard and non-intuitive. Leave your emotions at the door and embrace the cold touch of numbers and logic³.
Calm down and think
Look, when I read the news, I nearly jumped from my chair. Surely, I thought, MS went too far this time. Surely, the rational customer would realize that the risk this causes is unacceptable, and surely there’s a method to prove it precisely.
It seems that none of the above is supported by facts. It is even more important to approach the issue rationally with a clear head, unless you want to recommend an insane solution to a problem that doesn’t exist in the eyes of other people. It doesn’t matter that you’re right; it matters that you seem insane.
To give more credit to MS, the Embrace, Extend, Extinguish strategy is working well. If you’ve ever tried to teach Linux to a family member, you know what I am talking about. The cost of switching away is so prohibitive that Microsoft can do pretty much anything they like.
I’ve got one last twist for you. Not all organizations care about costs. The Danish government is seriously considering dumping Microsoft. For a government agency, there are other values than profit. That’s good.
It’ll be fine - Ça Ira. Yes, I am not passing an opportunity to recommend this iconic Gojira performance (metal ahead):
¹ For Trump to run and be elected again, a large portion of the country has to support and enable this intent. I don’t know at what point we’d say he has no intent to play by any rules, but a third term seems to me like the last possible line to cross.
By that time, he’d ignore the laws, he’d ignore the constitution and the people are still supporting him and cheering him on. I see how one would come to a conclusion that he can do absolutely whatever. If you’re asking why, that’s out of scope of this article. I have my own set of opinions (namely that we’re well past a point of no return for USA) and I am trying hard not to spiral into rants.
² For those who don’t know, back in the day the internet was sketchy and scarce. The expectation was that PCs would go online and then offline. Everything else would still work normally - an inconceivable idea in 2025 for plenty of people.
There was still a need to distribute software and software licenses. Most software (MS included) shipped in a box with some media (floppy → CD → DVD) and a short string license key. You’d enter the key while installing the software, and the software would verify the key offline. That enabled reverse engineers to extract the verification method for these keys and write a small utility that generates valid keys.
Today, this approach is uncommon. As internet speeds get faster, it’s easier for everybody (except hackers) to just download all software from official sites on demand. But that wasn’t enough. Most software today regularly “calls home” to ensure that the software providers have nearly 24/7 visibility into how many deployments a company has and where.
³ While we’re in the waters of mathematics, recall the concept of limits in calculus. Say we have the following general situation:
This is exactly the issue we’re looking at. Our probability of incident i tends to zero with time, while our cost of incident i tends to infinity with time. This is not a well-defined expression and, depending on the “speed” of these functions, it might end up at zero, at some constant or at infinity (these functions are positive, of course).
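The three outcomes of that limit, worked through as an added illustration (not from the original post) with functional forms I am assuming for the probability p_i(t) and cost c_i(t) of incident i; the annual loss expectancy is their product:

```latex
\text{ALE}_i(t) = p_i(t)\, c_i(t), \qquad p_i(t) \to 0,\quad c_i(t) \to \infty \quad (t \to \infty)

\begin{aligned}
p_i(t) = \tfrac{1}{t^2},\; c_i(t) = t      &\;\Rightarrow\; \lim_{t\to\infty} p_i(t)\,c_i(t) = \lim_{t\to\infty} \tfrac{1}{t} = 0 \\
p_i(t) = \tfrac{1}{t},\;  c_i(t) = k\,t    &\;\Rightarrow\; \lim_{t\to\infty} p_i(t)\,c_i(t) = k \\
p_i(t) = \tfrac{1}{t},\;  c_i(t) = t^2     &\;\Rightarrow\; \lim_{t\to\infty} p_i(t)\,c_i(t) = \lim_{t\to\infty} t = \infty
\end{aligned}
```

The 0 · ∞ form alone decides nothing; only the relative rate at which the probability falls and the cost grows tells you whether the expected loss vanishes, settles at a constant, or keeps growing.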