Following the May Breach, Microsoft Expands Free Logging Capabilities

Six months after revealing that Chinese hackers had secretly taken emails belonging to the United States government in an Exchange Online breach between May and June 2023, Microsoft has expanded the free logging capabilities available to all Purview Audit (Standard) customers, including U.S. federal agencies.

Since disclosing the incident, the company has worked with CISA, the Office of Management and Budget (OMB), and the Office of the National Cyber Director (ONCD) to ensure that government agencies now have all the logging data required to detect such attacks in the future.

New Modifications in Microsoft’s Extended Logging

According to a press release, “Extended logging will be available to all agencies using Microsoft Purview Audit starting this month, regardless of license tier. Microsoft will raise the default log retention term from 90 to 180 days and automatically enable logs in customer accounts. Additionally, this data will offer fresh telemetry to support more federal agencies in fulfilling OMB Memorandum M-21-31's logging obligations.”

The new modification also conforms to the Secure by Design guidelines published by CISA, which stipulate that all technology suppliers must offer "high-quality audit logs" at no additional cost or configuration.

“We were happy to see Microsoft's pledge last summer to provide government agencies and the larger cybersecurity community with access to the essential logs. We have made significant progress toward this goal, which I am happy about. Every organization has the right to safe and secure technology, and we continue to make progress toward this goal,” stated Eric Goldstein, the Executive Assistant Director for Cybersecurity at CISA.

Outlook accounts at a minimum of 25 organizations were compromised. Microsoft said in July that around twenty-five organizations, including government institutions in the United States and Western Europe, had their Exchange Online Outlook data compromised by a Chinese hacking group tracked as Storm-0558.

What Happened Next?

As it was subsequently discovered, the threat actors gained access to targeted email accounts through Outlook Web Access (OWA) in Exchange Online and Outlook.com by forging authentication tokens using a Microsoft Account (MSA) consumer key that they had taken from a Windows crash dump.

Even though the hackers largely avoided detection, a few U.S. federal agencies used enhanced logging (specifically, MailItemsAccessed events) to identify the malicious activity.
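As an added illustration of the kind of check that MailItemsAccessed telemetry makes possible (example code written for this article, not Microsoft's or CISA's own tooling), the Python below parses constructed Unified Audit Log records and flags mail access from an application ID or source network the tenant does not recognise. The field names follow the MailItemsAccessed record shape; the sample values, the approved app ID and the baseline network are assumptions.

```python
import ipaddress
import json

# Constructed MailItemsAccessed records in the Unified Audit Log JSON shape.
# Values are samples written for this example, not telemetry from the incident.
SAMPLE_AUDIT_LINES = [
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "alice@example.gov",
                "ClientIPAddress": "203.0.113.10", "ClientAppId": "approved-mail-client",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
                "OperationCount": 3}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "alice@example.gov",
                "ClientIPAddress": "198.51.100.77", "ClientAppId": "unregistered-app",
                "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}],
                "OperationCount": 250}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "admin@example.gov", "ClientIPAddress": "203.0.113.10"}),
]

# Per-tenant baselines an analyst maintains (assumed values for this example).
APPROVED_APP_IDS = {"approved-mail-client"}
BASELINE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def mail_access_type(record):
    # MailAccessType (Bind = individual item, Sync = bulk folder sync) sits in OperationProperties.
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == "MailAccessType":
            return prop.get("Value")
    return None

def ip_in_baseline(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in BASELINE_NETWORKS)

def find_suspicious_access(audit_lines):
    # Flag MailItemsAccessed events whose client app or source IP is unexpected for the tenant.
    findings = []
    for line in audit_lines:
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue  # other operations are not the item-level mail access signal
        reasons = []
        if rec.get("ClientAppId") not in APPROVED_APP_IDS:
            reasons.append("unapproved ClientAppId")
        if not ip_in_baseline(rec["ClientIPAddress"]):
            reasons.append("source IP outside baseline")
        if reasons:
            findings.append({"user": rec["UserId"], "ip": rec["ClientIPAddress"],
                             "access_type": mail_access_type(rec),
                             "items": rec.get("OperationCount", 0), "reasons": reasons})
    return findings
```

A Sync access of hundreds of items from an unrecognised app and network is exactly the pattern that only becomes visible once MailItemsAccessed events are retained, which is why the licensing restriction mattered.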

But these enhanced logging features were restricted to customers with Microsoft Purview Audit (Premium) licenses, and Redmond came under fire for impeding organizations' ability to quickly identify Storm-0558's attacks.

What Happened After the Event Was Made Public

After the event was made public and under pressure from CISA, Microsoft agreed to provide more free access to logging data so that network defense teams could identify similar intrusion attempts in the future.

After infiltrating Microsoft's cloud-based Exchange Online email platform, the Chinese Storm-0558 hackers stole at least 60,000 emails from State Department officials' Outlook accounts, according to information released by U.S. State Department officials months after the event.

Reacting to the company's announcement, U.S. Senator Ron Wyden said: “Microsoft doesn't deserve any praise for caving in to pressure and announcing that it will no longer gouge its customers for additional fees for basic features like security logs.”

“Microsoft has made millions of dollars a year from its security business by taking advantage of flaws in its products, much like an arsonist offering firefighting services. Nothing demonstrates more strongly the necessity of holding software corporations accountable for their careless cybersecurity than this.”