Microsoft expands free logging capabilities after May breach

Microsoft has expanded free logging capabilities for all Purview Audit standard customers, including U.S. federal agencies, six months after disclosing that Chinese hackers stole U.S. government emails undetected in an Exchange Online breach between May and June 2023.

The company has been working with CISA, the Office of Management and Budget (OMB), and the Office of the National Cyber Director (ONCD) since it disclosed the incident to ensure that federal agencies now have access to all logging data needed to detect similar attacks in the future.

"Beginning this month, expanded logging will be available to all agencies using Microsoft Purview Audit regardless of license tier," a press release issued today reads.

"Microsoft will automatically enable the logs in customer accounts and increase the default log retention period from 90 days to 180 days. Also, this data will provide new telemetry to help more federal agencies meet logging requirements mandated by OMB Memorandum M-21-31."

The new change also aligns with CISA's Secure by Design guidance, which says that all technology providers should provide "high-quality audit logs" without requiring additional configuration or extra charges.

"Last summer, we were glad to see Microsoft's commitment to make necessary logging available to federal agencies and the broader cybersecurity community. I am pleased that we have made real progress toward this goal," said Eric Goldstein, CISA's Executive Assistant Director for Cybersecurity.

"Every organization has the right to safe and secure technology, and we continue to make progress toward this goal."

Outlook accounts breached for at least 25 organizations

In July, Microsoft disclosed that a Chinese hacking group tracked as Storm-0558 accessed and stole Exchange Online Outlook data from roughly 25 organizations, including U.S. and Western European government agencies.

As later revealed, the threat actors used a Microsoft account (MSA) consumer key stolen from a Windows crash dump to forge authentication tokens and access targeted email accounts via Outlook Web Access in Exchange Online (OWA) and Outlook.com.

While the hackers mostly evaded detection, some affected U.S. federal agencies identified the malicious activity using enhanced logging (i.e., MailItemsAccessed events).

However, these advanced logging capabilities were only available to customers with Microsoft's Purview Audit (Premium) logging licenses, which led to Redmond facing criticism for hindering organizations from promptly detecting Storm-0558's attacks.

Following the incident disclosure and pressured by CISA, Microsoft agreed to broaden access to logging data for free to allow network defenders to spot similar breach attempts in the future.

Months after the incident, U.S. State Department officials disclosed that the Chinese Storm-0558 hackers stole at least 60,000 emails from Outlook accounts belonging to State Department officials after breaching Microsoft's cloud-based Exchange Online email platform.

"Microsoft doesn't deserve any praise for caving to pressure and announcing that it will no longer gouge its customers for additional fees for basic features like security logs," U.S. Senator Ron Wyden told CyberScoop today.

"Like an arsonist selling firefighting services, Microsoft has profited from the vulnerabilities in its own products and built a security business generating tens of billions of dollars a year. There is no clearer example of the need to hold software companies liable for their negligent cybersecurity."

Update February 21, 21:04 EST: The article and title have been revised to accurately indicate that all Audit standard customers will have access to the expanded logging feature.