Microsoft Boosts Cloud Logging Services in Response to Exchange Servers Hit by Cybersecurity Vulnerabilities

Microsoft customers are set to benefit from enhanced cloud logging features at no extra cost, as announced by the tech giant on Wednesday. This initiative is in response to cybersecurity specialists advocating for the provision of free logging data to all customers utilizing Microsoft's cloud services.

This news follows last week's revelation from Microsoft that a probable China-based hacker had recently fabricated authentication tokens to breach the email of approximately 25 entities.

Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), expressed her satisfaction with Microsoft's move to make critical log types accessible to the wider cybersecurity community without any extra charges. "Although this will take some time to deploy, it is certainly a leap forward towards more companies adopting the Secure by Design principles. We will persist in our efforts to cooperate with all technology manufacturers, including Microsoft, to discover methods to augment visibility into their products for all customers."

Vasu Jakkal, Microsoft’s Corporate Vice President for Security, Compliance, Identity, and Management, stated, "This announcement is the outcome of our close collaboration with CISA, who have been urging the industry to step up its defenses against potential cyber-attacks. It also showcases our dedication to working with customers, partners, and regulators to meet the dynamic security requirements of today's world."

In the upcoming months, Microsoft intends to grant customers access to a broader range of cloud security logs without any additional charges, according to a company blog. IT administrators will use Microsoft Purview Audit to examine an extended array of cloud log data produced across their enterprises.

Purview Audit (Standard) subscribers will enjoy enhanced access to security data, inclusive of detailed email access logs and over 30 other types of log data previously exclusive to those with Purview Audit (Premium) E5/G5 licences. Microsoft will also extend the default retention period for Audit Standard users from 90 days to 180 days in addition to making new logging events available.

This move by Microsoft and CISA to extend logging data to cloud users, which has been in progress for a year, follows a call to action from cybersecurity experts in the wake of the email hack facilitated by counterfeit authentication keys.

Johannes Ullrich, dean of research at the SANS Institute, wrote in the organization's weekly news summaries, "Log information should not be compartmentalized. It should be universally available, ideally with the option of direct transmission to your SIEM/SOAR (security information and event management/security orchestration automation and response) platform."

Security Magazine reported that the departments targeted by the hackers included the U.S. State and Commerce Departments, and one of the email accounts infiltrated belonged to Secretary of Commerce Gina Raimondo.

Steven Adair, president of Volexity, underscored the visibility problem on Twitter, stating that his firm could not find any evidence to support the unauthorized access notification from Microsoft.

Microsoft reported that, starting on May 15, a group known as Storm-0558 used fabricated authentication tokens to access user emails from about 25 organizations. The report added that this threat actor has shown interest in OAuth applications, token theft, and token replay against Microsoft accounts since at least August 2021.

According to the report, authentication tokens validate the identity of entities requesting access to resources such as email. If an actor obtains a private signing key, it can create falsified tokens with valid signatures, which relying parties will accept.

The SANS commentators emphasized that not only Microsoft but all cloud service providers should give their customers access logs. In a press call, an official from CISA affirmed that "Every organization using a technology service like Microsoft 365 should have access to logging and other security data right off the bat."
