Thanks Storm-0558! Microsoft to expand default access to cloud logs

Starting in September 2023, more federal government and commercial Microsoft customers will have access to expanded cloud logging capabilities at no additional charge, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) have announced on Wednesday.

The announcements come in the wake of last week’s revelation that sophisticated hackers have compromised email accounts of employees at 25 organizations and government agencies. They did it by exploiting a token validation issue to create valid authentication tokens, which allowed them to gain access to the accounts via Outlook Web Access in Exchange Online (OWA) and Outlook.com.

Extended cloud logging defaults for lower-tier Microsoft customers

The intrusion, which Microsoft pinned on Chinese state-sponsored attackers, lasted for a month before a US Federal Civilian Executive Branch agency detected it after finding suspicious log events.

While Microsoft still doesn’t say (or know) how the attackers got their hands on the MSA consumer signing key they used to create the tokens, it has obviously realized – after an online outcry by the infosec community – that making customers pay for logs that are crucial for identifying sophisticated attacks creates bad publicity for the company.

“Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost,” the company announced.

The cloud log data generated across customer organizations are viewable via Microsoft Purview Audit.

“Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded and retained in customers unified Purview Audit logs,” the company explained.

“As our expanded logging defaults roll out, Microsoft Purview Audit (Standard) customers will receive deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level. In addition to new logging events becoming available, Microsoft is also increasing the default retention period for Audit Standard customers from 90 days to 180 days.”

“While vendors can offer wider logging access at specific cloud licensing levels, this approach makes it harder to investigate intrusions. Asking organizations to pay more for necessary logging is a recipe for inadequate visibility into investigating cybersecurity incidents and may allow adversaries to have dangerous levels of success in targeting American organizations,” commented Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA.

“We believe that every organization deserves to have products that are secure by design and come with necessary security data ‘out of the box.’ Microsoft’s announcement today is an important step forward in advancing the security of our communities, companies, and country, recognizing our shared work yet to come.”