Microsoft on Wednesday announced that it was expanding its cloud logging capabilities to help organizations investigate cybersecurity incidents and gain more visibility after facing criticism following a recent campaign of espionage attacks targeting its email infrastructure.
The tech giant said it was making changes in direct response to the increasing frequency and evolution of nation-state cyber threats. This is expected to roll out from September 2023 to all government and commercial customers.
“Over the coming months, we will be adding access to a broader cloud security log for our customers worldwide at no additional cost,” Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft, said. “As these changes go into effect, customers can use Microsoft Purview Audit to centrally visualize a wider variety of cloud log data generated across their enterprise.”
As part of this change, customers are expected to receive access to email access detail logs and more than 30 other types of log data that were previously only available at the Microsoft Purview Audit (Premium) subscription level. Additionally, the Windows maker says it's extending the default retention period for Audit Standard customers from 90 days to 180 days.
The US Cybersecurity and Infrastructure Security Agency (CISA) welcomed the move, stating that "having access to key logging data is critical to rapidly reducing cyber intrusions" and that this is a "significant step forward towards improving security by design principles."
The development comes after the disclosure that a threat actor operating out of China, dubbed Storm-0558, had penetrated 25 organizations by exploiting a validation error in the Microsoft Exchange environment.
The US Department of State, one of the affected entities, said it was able to detect malicious mailbox activity in June 2023 thanks to enhanced logging in Microsoft Purview Audit, specifically the MailItemsAccessed mailbox audit action, prompting Microsoft to investigate the incident.
The other affected organizations, however, said they could not detect that they had been breached because they were not E5/A5/G5 license customers; that tier comes with elevated access to multiple types of logs that would be crucial for investigating hacks.
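To illustrate the kind of detection the State Department's MailItemsAccessed finding relies on, here is an added Python example (not Microsoft's or the article's code) that baselines each mailbox's known client IP/client-string pairs from Purview Audit records and flags later MailItemsAccessed events that come from an unseen client or that were audit-throttled by bulk reads. The sample records are constructed, and the field names used (Operation, ClientIPAddress, ClientInfoString, MailAccessType, IsThrottled) are assumed to follow Microsoft's documented audit schema.

```python
from collections import defaultdict

# Constructed sample of Unified Audit Log records (field names assumed per
# Microsoft's documented MailItemsAccessed schema; only fields used here are modelled).
SAMPLE_RECORDS = [
    {"CreationTime": "2023-05-10T09:12:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.gov", "ClientIPAddress": "203.0.113.10",
     "ClientInfoString": "Client=OWA", "MailAccessType": "Bind",
     "OperationCount": 3, "IsThrottled": False},
    {"CreationTime": "2023-05-11T14:03:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.gov", "ClientIPAddress": "203.0.113.10",
     "ClientInfoString": "Client=OWA", "MailAccessType": "Bind",
     "OperationCount": 5, "IsThrottled": False},
    # Constructed suspicious event: new source IP, bulk Sync read, audit throttled.
    {"CreationTime": "2023-06-15T02:41:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.gov", "ClientIPAddress": "198.51.100.77",
     "ClientInfoString": "Client=OWA", "MailAccessType": "Sync",
     "OperationCount": 1000, "IsThrottled": True},
    {"CreationTime": "2023-06-15T02:45:00", "Operation": "FileAccessed",
     "UserId": "alice@example.gov", "ClientIPAddress": "198.51.100.77"},
]

def build_baseline(records, before):
    """Per user: set of (client IP, client string) pairs seen in MailItemsAccessed
    events before the ISO-8601 cutoff `before` (string comparison works for ISO times)."""
    baseline = defaultdict(set)
    for r in records:
        if r["Operation"] == "MailItemsAccessed" and r["CreationTime"] < before:
            baseline[r["UserId"]].add((r["ClientIPAddress"], r["ClientInfoString"]))
    return baseline

def find_anomalies(records, baseline, since):
    """Flag MailItemsAccessed events at/after `since` that come from a client pair not in
    the user's baseline, or whose audit record was throttled (mailbox exceeded
    1,000 MailItemsAccessed records in 24h, a hallmark of bulk mailbox reads)."""
    findings = []
    for r in records:
        if r["Operation"] != "MailItemsAccessed" or r["CreationTime"] < since:
            continue
        reasons = []
        client = (r["ClientIPAddress"], r["ClientInfoString"])
        if client not in baseline.get(r["UserId"], set()):
            reasons.append("unseen client %s:%s" % client)
        if r.get("MailAccessType") == "Sync" and r.get("IsThrottled"):
            reasons.append("throttled Sync access (bulk mailbox read)")
        if reasons:
            findings.append((r["CreationTime"], r["UserId"], reasons))
    return findings

if __name__ == "__main__":
    base = build_baseline(SAMPLE_RECORDS, before="2023-06-01")
    for hit in find_anomalies(SAMPLE_RECORDS, base, since="2023-06-01"):
        print(hit)
```

Without the MailItemsAccessed action in the audit feed, the June event would be invisible, which is the gap the expanded logging closes.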
The actor's attack is said to have begun on May 15, 2023, although Microsoft noted that adversaries have shown a penchant for OAuth applications, token theft, and token replay attacks against Microsoft accounts since at least August 2021.
Microsoft, meanwhile, is continuing to investigate the intrusion, but to date the company has not explained how the hackers obtained an inactive Microsoft account (MSA) consumer signing key to forge authentication tokens and gain unauthorized access to customer email accounts via Outlook Web Access in Exchange Online (OWA) and Outlook.com.
“The goal of most Storm-0558 campaigns is to gain unauthorized access to email accounts belonging to employees of targeted organizations,” Microsoft revealed last week.
“Once Storm-0558 has access to the desired user’s credentials, the actor logs into the compromised user’s cloud email account with valid account credentials. The actor then collects information from the email account via a web service.”