The Information Highway

The Information Highway

Font size: +
3 minutes reading time (525 words)

Microsoft expands free logging capabilities after May breach

Microsoft has expanded free logging capabilities for all Purview Audit standard customers, including U.S. federal agencies, six months after disclosing that Chinese hackers stole U.S. government emails undetected in an Exchange Online breach between May and June 2023.


The company has been working with CISA, the Office of Management and Budget (OMB), and the Office of the National Cyber Director (ONCD) since it disclosed the incident to ensure that federal agencies now have access to all logging data needed to detect similar attacks in the future.

"Beginning this month, expanded logging will be available to all agencies using Microsoft Purview Audit regardless of license tier," a press release issued today reads

"Microsoft will automatically enable the logs in customer accounts and increase the default log retention period from 90 days to 180 days. Also, this data will provide new telemetry to help more federal agencies meet logging requirements mandated by OMB Memorandum M-21-31."

The new change also aligns with CISA's Secure by Design guidance, which says that all technology providers should provide "high-quality audit logs" without requiring additional configuration or extra charges.

"Last summer, we were glad to see Microsoft's commitment to make necessary logging available to federal agencies and the broader cybersecurity community. I am pleased that we have made real progress toward this goal," said Eric Goldstein, CISA's Executive Assistant Director for Cybersecurity.

"Every organization has the right to safe and secure technology, and we continue to make progress toward this goal."

Outlook accounts breached for at least 25 organizations

In July, Microsoft disclosed that a Chinese hacking group tracked as Storm-0558 accessed and stole Exchange Online Outlook data from roughly 25 organizations, including U.S. and Western European government agencies.

As later revealed, the threat actors used a Microsoft account (MSA) consumer key stolen from a Windows crash dump to forge authentication tokens and access targeted email accounts via Outlook Web Access in Exchange Online (OWA) and Outlook.com.

While the hackers mostly evaded detection, some affected U.S. federal agencies identified the malicious activity using enhanced logging (i.e., MailItemsAccessed events).

However, these advanced logging capabilities were only available to customers with Microsoft's Purview Audit (Premium) logging licenses, which led to Redmond facing criticism for hindering organizations from promptly detecting Storm-0558's attacks.

Following the incident disclosure and pressured by CISA, Microsoft agreed to broaden access to logging data for free to allow network defenders to spot similar breach attempts in the future.

Months after the incident, U.S. State Department officials disclosed that the Chinese Storm-0558 hackers stole at least 60,000 emails from Outlook accounts belonging to State Department officials after breaching Microsoft's cloud-based Exchange Online email platform.

"Microsoft doesn't deserve any praise for caving to pressure and announcing that it will no longer gouge its customers for additional fees for basic features like security logs," U.S. Senator Ron Wyden told CyberScoop today.

"Like an arsonist selling firefighting services, Microsoft has profited from the vulnerabilities in its own products and built a security business generating tens of billions of dollars a year. There is no clearer example of the need to hold software companies liable for their negligent cybersecurity." 

Massive AT&T outage impacts US mobile subscribers
KeyTrap attack: Internet access disrupted with one...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023