Microsoft has announced that it will provide customers with a wider range of cloud logging data at no additional cost. This decision comes in response to criticism the company faced over the past week regarding a lack of logging data for certain cloud licenses. The criticism arose following a series of cyberespionage attacks from a China-based threat actor that targeted email accounts of approximately 25 organizations, including several U.S. federal agencies.
The threat actor, known as Storm-0558 according to Microsoft, used a stolen Microsoft account (MSA) key to forge access tokens, which allowed them to gain unauthorized access to email accounts in Outlook Web Access in Exchange Online and Outlook.com. The attacks were initially discovered by an unnamed federal civilian executive branch (FCEB) agency, which promptly reported the incident to Microsoft.
In response to the attacks, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory recommending that organizations implement enhanced logging for their Microsoft 365 services to detect similar malicious activity. The advisory emphasized that the FCEB agency was only able to detect the intrusion because it had enabled enhanced logging, which provided relevant data about the compromised email accounts. CISA also urged critical infrastructure organizations to follow the logging recommendations in their advisory to enhance their cybersecurity posture.
However, the enhanced cloud logging data was only available to organizations with E5 or G5 license agreements, which are the top and most expensive subscription levels for Microsoft services. This led to criticism from infosec experts and government officials, including former National Cyber Director Chris Inglis, who called on Microsoft to provide additional free cloud logging capabilities to customers so they could better defend themselves against cyberthreats.
Microsoft responded to these calls by announcing that, starting in September, standard subscribers will have access to a wider range of cloud logs within Microsoft Purview Audit. This includes more detailed logs for email access as well as 30 other types of log data that were previously limited to premium subscribers. Additionally, Microsoft will increase the default log retention period for Purview Audit standard customers from 90 days to 180 days.
Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft, emphasized that this decision was a result of the company’s partnership with CISA and its commitment to addressing the evolving security needs of the modern world. Jakkal stated that the move reflects Microsoft’s dedication to engaging with customers, partners, and regulators to better protect against potential cyberattacks.
CISA director Jen Easterly praised Microsoft’s decision and announced the important milestone on Twitter. She highlighted the collaboration with Microsoft and expressed her excitement about making logging more accessible for government and commercial entities. This move is seen as a significant step toward improving cyber defense and incident response for all Microsoft customers.
Eric Goldstein, executive assistant director for cybersecurity at CISA, wrote in a blog post that the agency has been working with Microsoft over the past several months to identify the types of logs necessary to identify cyber attacks. Goldstein commended Microsoft’s decision, stating that it aligns with the agency’s “secure-by-design” principle and will enhance cyber defense and incident response for every Microsoft customer.
Overall, Microsoft’s decision to provide customers with a wider range of cloud logging data at no additional cost is seen as a positive step in improving cybersecurity. By offering these enhanced logging capabilities to standard subscribers, Microsoft is enabling organizations of all sizes to better detect and respond to cyberthreats. This move is a result of collaboration between Microsoft and CISA and reflects a commitment to addressing the evolving cybersecurity landscape.