
After a May breach, Microsoft expands its free logging capabilities.

Six months after revealing that Chinese hackers stole U.S. government emails covertly during an Exchange Online breach between May and June 2023, Microsoft has increased free logging capabilities for all Purview Audit standard customers, including federal agencies in the United States.

Since the incident was made public, the company has collaborated with CISA, OMB, and the Office of the National Cyber Director (ONCD) to give federal agencies access to all logging information required to prevent future attacks of a similar nature.

According to a press release issued today, all organizations using Microsoft Purview Audit will have access to expanded logging starting this month, regardless of license tier.

“Microsoft will increase the default log retention period from 90 days to 180 days and automatically enable the logs in customer accounts.” Additionally, this information will offer new telemetry to assist more federal agencies in adhering to OMB Memorandum M-21-31’s logging requirements.

The new modification also complies with CISA’s Secure by Design recommendations, which mandate that all technology providers offer “high-quality audit logs” without the need for additional setup or fees.

“We were pleased to see Microsoft’s commitment to provide federal agencies and the larger cybersecurity community with the necessary logging last summer,” said Eric Goldstein, the executive assistant director for cybersecurity for CISA, who expressed his satisfaction with “the real progress we have made toward this objective.”

“Every organization has the right to secure technology, and we’re working hard to achieve this.”

At least 25 organizations had their Outlook accounts compromised.

Microsoft revealed in July that roughly 25 organizations, including U.S. and Western European government agencies, had Exchange Online Outlook data accessed and stolen by a Chinese hacking group known as Storm-0558.

The threat actors forged authentication tokens and used Outlook Web Access in Exchange Online (OWA) and Outlook.com to access targeted email accounts, as later revealed. They did this using a Microsoft account (MSA) consumer key that they had obtained from e-mail.

Some affected U.S. federal agencies used enhanced logging, such as MailItemsAccessed events, to identify the malicious activity, though the hackers largely evaded detection.

Redmond came under fire for preventing organizations from quickly identifying Storm-0558’s attacks because these sophisticated logging capabilities were only made available to customers with Microsoft Purview Audit (Premium) licenses.

Microsoft consented to increase free access to logging data in response to the incident disclosure and CISA’s pressure to do so in order to help network defenders identify potential future breaches.

Officials from the U.S. State Department revealed months after the incident that Microsoft’s cloud-based Exchange Online email platform had been breached by Chinese Storm-0558 hackers, who had stolen at least 60,000 emails from State Department officials’ Outlook accounts.

U.S. Senator Ron Wyden stated to CyberScoop today that Microsoft “doesn’t deserve any praise for giving in to pressure and announcing that it will stop charging customers more for basic features like security logs.”

Microsoft has built a security business that generates tens of billions in revenue, much like an arsonist selling firefighting services, by taking advantage of product flaws. There is no better illustration of the need to hold software companies accountable for careless cybersecurity.

Update February 21, 21:04 EST: The article and title have been updated to accurately reflect the expanded logging feature’s availability to all Audit standard users.
