
Microsoft’s ‘Logging Tax’ Impedes Incident Response, Experts Caution


In a recent incident, a human rights organization learned that it had been compromised in the July email breach attributed to Storm-0558. Despite being notified by Microsoft about the unauthorized access, the organization could not find any evidence of compromise in its logs. The reason for this discrepancy turned out to be licensing: the organization held an E3 license, and Microsoft customers without a premium (E5-level) license do not get access to the relevant logging.

Steven Adair with Volexity brought attention to this issue on Twitter, highlighting the limitations faced by the majority of Microsoft customers without E3 licenses. Volexity, a cybersecurity firm, frequently investigates incidents and suspicious activities in Microsoft 365 and Azure AD. Adair expressed puzzlement over the incident involving the human rights organization, stating that despite the notification from Microsoft, they were unable to find any corroborating evidence of the breach.

The problem arose from the fact that the Volexity team did not have access to the necessary logging evidence due to the organization’s E3 license. Adair explained that the attacker had gained access to emails, and this level of activity was logged under the “MailItemsAccessed” operation. However, this specific log operation is not available to E3 licenses and requires additional logging that is only provided by more expensive E5/G5 plans.

Adair pointed out that email logging should be considered fundamental given the current threat landscape. The Cybersecurity and Infrastructure Security Agency (CISA) even issued guidance in July recommending the enabling of premium E5-level logging to detect advanced persistent threat (APT)-level activity. Despite this, Microsoft’s Office 365 E3 license, priced at $23 per user per month, does not include the necessary logging capabilities provided by the more expensive E5 license, which costs $38 per user per month. This pricing difference makes it cost-prohibitive for many organizations to upgrade to the E5 license.

When approached for comment, Microsoft did not immediately respond.

This incident highlights an ongoing issue that cybersecurity expert Jake Williams refers to as the “logging tax.” Williams explains that the availability of enhanced logging, only accessible with an E5 license or the Security and Compliance add-on license with E3, has been a challenge for incident responders and breach coaches for years. Organizations affected by business email compromise (BEC) attacks expect to have visibility into the messages viewed by threat actors, but without the enhanced logging, this visibility is limited.

Furthermore, there can be discrepancies in the level of logging available on a per-account basis. Some accounts may have E5 licensing, while others do not, leading to inconsistencies in the activities that can be monitored.

Williams emphasizes that premium logs alone would not have detected the specific malicious activity exhibited in the Storm-0558 breach. However, Adair from Volexity noted that the breach was uncovered by a Federal Civilian Executive Branch (FCEB) agency through anomalous activity in MailItemsAccessed log records. As a result, Williams anticipates that Microsoft will face scrutiny over its logging surcharge in the aftermath of this incident.
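As an added example (not code from the article, Microsoft or Volexity), the Python below triages an exported Unified Audit Log for the MailItemsAccessed operation the article names: it checks whether such records exist at all (the symptom the human rights organization hit) and flags accesses from IPs outside a per-user baseline, the kind of anomaly the FCEB agency spotted. The row shape (an Operation column plus an AuditData JSON string with UserId, ClientIPAddress, MailAccessType and OperationCount) follows the Office 365 audit record schema; the sample rows and the `baseline_ips` table are constructed.

```python
import json

# Constructed sample rows in the shape of a Unified Audit Log export: one row per
# audit record, with the record body serialised as JSON in AuditData.
# Users, IPs and timestamps are illustrative and not from any real tenant.
def _rec(op, user, ip, client, access, count, when):
    return {"Operation": op, "AuditData": json.dumps({
        "CreationTime": when, "Operation": op, "UserId": user,
        "ClientIPAddress": ip, "ClientInfoString": client,
        "MailAccessType": access, "OperationCount": count})}

SAMPLE_ROWS = [
    _rec("MailItemsAccessed", "alice@example.org", "203.0.113.10", "Client=OWA", "Bind", 4, "2023-07-10T08:02:11"),
    _rec("MailItemsAccessed", "alice@example.org", "203.0.113.10", "Client=OWA", "Bind", 6, "2023-07-10T09:15:40"),
    _rec("MailItemsAccessed", "alice@example.org", "198.51.100.77", "Client=REST;;", "Sync", 1, "2023-07-11T02:44:09"),
    _rec("UserLoggedIn", "bob@example.org", "203.0.113.20", "Client=OWA", "", 1, "2023-07-10T10:00:00"),
]

def mail_items_accessed(rows):
    """Parse and return only the MailItemsAccessed records (the type E3 tenants lack)."""
    return [json.loads(r["AuditData"]) for r in rows if r.get("Operation") == "MailItemsAccessed"]

def license_gap_suspected(rows):
    """True when the export holds activity but no MailItemsAccessed records at all.
    That pattern is what an incident responder sees on a mailbox without premium auditing:
    the attacker's reads are simply not recorded, not absent."""
    return bool(rows) and not mail_items_accessed(rows)

def items_per_user(rows):
    """Total mail items touched per user; a sudden spike is a cheap first anomaly signal."""
    totals = {}
    for rec in mail_items_accessed(rows):
        totals[rec["UserId"]] = totals.get(rec["UserId"], 0) + rec["OperationCount"]
    return totals

def unusual_access(rows, baseline_ips):
    """Flag MailItemsAccessed records from an IP outside the user's known set.
    baseline_ips is a hypothetical {user: {ip, ...}} table built from past sign-ins."""
    flagged = []
    for rec in mail_items_accessed(rows):
        if rec["ClientIPAddress"] not in baseline_ips.get(rec["UserId"], set()):
            flagged.append((rec["UserId"], rec["ClientIPAddress"],
                            rec["MailAccessType"], rec["CreationTime"]))
    return flagged
```

A "Sync" access type from an unknown IP, as in the flagged sample row, is worth prioritising because it indicates a client pulling mailbox contents in bulk rather than opening single messages.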

Williams believes that a logging tax should not exist, especially for something as foundational as email. He suggests that Microsoft executives may have to answer uncomfortable questions during future Congressional hearings regarding this matter.
