
All U.S. Federal Agencies can now use Microsoft’s expanded free logging capabilities.

Newsroom | Active Directory / Data Protection, February 24, 2024

More than six months after a China-linked cyber espionage campaign involving two dozen organizations came to light, Microsoft has made free logging available to all U.S. federal agencies using Microsoft Purview Audit, regardless of the license tier.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Microsoft will automatically enable customer account logs and lengthen the default log retention period from 90 days to 180 days.

Additionally, this information will offer new telemetry to assist more federal agencies in adhering to the logging standards set forth by Memorandum M-21-31 of the Office of Management and Budget.


In July 2023, Microsoft announced that a China-based nation-state activity group called Storm-0558 had gained unauthorized access to about 25 entities in the United States and Europe, as well as some related individual consumer accounts.

The company stated that “Storm-0558 operates with a high degree of technical tradecraft and operational security.” “The actors are very conscious of the target’s surroundings, logging policies, policies and procedures for authentication.”

A U.S. federal agency, later identified as the State Department, discovered suspicious activity in unclassified Microsoft 365 audit logs and reported it to Microsoft. The campaign is thought to have started in May 2023, but it wasn’t discovered until a month later.

The breach was discovered using Microsoft Purview Audit’s enhanced logging, specifically the MailItemsAccessed mailbox-auditing action that is typically available for Premium subscribers.

The Windows manufacturer later admitted that Storm-0558 was able to forge Azure Active Directory (Azure AD) tokens using a Microsoft account (MSA) consumer signing key and use them to access mailboxes due to an error in the source code.


According to a Reuters report from September 2023, the attackers are thought to have stolen at least 60,000 unclassified emails from the Outlook accounts of State Department officials stationed in East Asia, the Pacific, and Europe. The accusations have been refuted by Beijing.

Additionally, Microsoft came under intense scrutiny for depriving entities on the more expensive E5 or G5 plan of essential logging capabilities, which prompted the company to change course.

According to Microsoft’s Candice Ling, “advanced logging plays a crucial role in enabling federal agencies to detect, respond to, and prevent even the most sophisticated cyberattacks from well-resourced, state-sponsored actors.” “We have been working with the federal government to make access to sophisticated audit logs available for this reason.”
