
Why activity logging is essential in Microsoft 365 and how to acquire it


The logging in place when the Chinese attackers accessed Exchange Online proved crucial in detecting the breach: the audit logging available in that version of Exchange Online allowed administrators to determine that the attackers had infiltrated the system.

According to documentation from the Cybersecurity and Infrastructure Security Agency (CISA), an FCEB agency noticed suspicious activity in the Microsoft 365 audit logs. They observed “MailItemsAccessed” events with an unexpected “ClientAppID” and “AppID.” The “MailItemsAccessed” event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The agency found it suspicious because the observed “AppID” was not typically associated with accessing mailbox items in their environment. As a result, they reported the activity to Microsoft and CISA.
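One way to run the agency's check over exported audit records, added here as an example (not CISA's or Microsoft's code): it parses Unified Audit Log AuditData JSON, keeps only MailItemsAccessed events, and flags those whose AppId or ClientAppId falls outside a baseline the tenant has established, then groups the hits by application for triage. The record values and the KNOWN_IDS baseline are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of Microsoft 365 Unified Audit Log
# "AuditData" JSON (as exported from the Purview portal). Field names follow the
# MailItemsAccessed schema; every value below is made up for this example.
SAMPLE_AUDIT_DATA = [
    '{"CreationTime":"2023-06-15T08:01:12","Operation":"MailItemsAccessed","UserId":"alice@example.com","AppId":"app-constructed-outlook","ClientAppId":"client-constructed-outlook","MailAccessType":"Bind"}',
    '{"CreationTime":"2023-06-15T08:05:40","Operation":"MailItemsAccessed","UserId":"bob@example.com","AppId":"app-constructed-owa","ClientAppId":"client-constructed-owa","MailAccessType":"Sync"}',
    '{"CreationTime":"2023-06-15T09:30:00","Operation":"MailItemsAccessed","UserId":"alice@example.com","AppId":"app-constructed-unknown","ClientAppId":"client-constructed-unknown","MailAccessType":"Bind"}',
    '{"CreationTime":"2023-06-15T09:31:17","Operation":"MailItemsAccessed","UserId":"bob@example.com","AppId":"app-constructed-unknown","ClientAppId":"client-constructed-unknown","MailAccessType":"Bind"}',
    # A non-mailbox operation from the same unknown app: not a MailItemsAccessed signal.
    '{"CreationTime":"2023-06-15T09:32:00","Operation":"FileAccessed","UserId":"carol@example.com","AppId":"app-constructed-unknown","ClientAppId":"client-constructed-unknown"}',
]

# Assumption: the defender has baselined which AppId/ClientAppId values normally
# access mailboxes in this tenant (e.g. from a quiet reference period) and lists them here.
KNOWN_IDS = {"app-constructed-outlook", "client-constructed-outlook", "app-constructed-owa", "client-constructed-owa"}

def parse_records(lines):
    """Parse one AuditData JSON document per line into dicts."""
    return [json.loads(line) for line in lines]

def find_unexpected_mail_access(records, known_ids):
    """Return MailItemsAccessed events whose AppId or ClientAppId is outside the baseline."""
    hits = []
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        if rec.get("AppId") not in known_ids or rec.get("ClientAppId") not in known_ids:
            hits.append(rec)
    return hits

def summarize(hits):
    """Group hits by (AppId, ClientAppId): event count, mailboxes touched, first time seen."""
    groups = defaultdict(lambda: {"count": 0, "mailboxes": set(), "first_seen": None})
    for rec in hits:
        g = groups[(rec.get("AppId"), rec.get("ClientAppId"))]
        g["count"] += 1
        g["mailboxes"].add(rec.get("UserId"))
        ts = rec.get("CreationTime")
        if g["first_seen"] is None or ts < g["first_seen"]:
            g["first_seen"] = ts
    return {k: {"count": v["count"], "mailboxes": sorted(v["mailboxes"]), "first_seen": v["first_seen"]}
            for k, v in groups.items()}

if __name__ == "__main__":
    for key, info in summarize(find_unexpected_mail_access(parse_records(SAMPLE_AUDIT_DATA), KNOWN_IDS)).items():
        print(key, info)
```

The same functions work on real exports once the baseline set is filled from the tenant's own normal traffic; an application that suddenly appears against many mailboxes is the pattern the agency reported.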

Further investigation revealed that the attackers somehow obtained a consumer-level Microsoft account signing key, which they then used to create an enterprise authentication token. Microsoft swiftly acted by revoking these compromised keys and implementing measures to prevent consumer-level access from being used to forge authentication to Enterprise assets. The company also announced plans to review and strengthen processes to prevent similar incidents in the future.

The breach highlighted the need for improved logging capabilities for all Microsoft customers. Microsoft acknowledged this and made the decision to provide access to enhanced logging without additional costs. In a news release on July 19, 2023, Microsoft announced that it would be gradually rolling out wider cloud security logs to customers worldwide for free.

The implementation of these logging enhancements is set to begin in September. However, customers who suspect a breach and do not currently have access to these logs can take advantage of trial options to evaluate the information in the meantime. Microsoft advises using the 90-day Microsoft Purview solutions trial to explore additional capabilities that can assist organizations in managing data security and compliance needs. This trial can be accessed through the Microsoft Purview compliance portal trials hub.

It is important to note that even if organizations have E5 licenses for some users, the licensing is per mailbox. Shared mailboxes, for example, will require either an E5 license or a trial license to enable logging for those mailboxes.

By expanding access to logging and making it available for free, Microsoft aims to empower all customers to effectively monitor and identify potential breaches. This move underscores the company’s commitment to enhancing the security and resilience of its services.
