Microsoft Reacts to Major Breach by Unlocking Logging Security Tools for Everyone


Microsoft has announced an expansion of the free logging available to Purview Audit standard customers, six months after the disclosure that hackers from China had infiltrated U.S. government email systems through an undetected breach of Exchange Online between May and June 2023.

In response to this cybersecurity incident, Microsoft has been in close collaboration with key federal cybersecurity and management bodies, including the Cybersecurity and Infrastructure Security Agency (CISA), the Office of Management and Budget (OMB), and the Office of the National Cyber Director (ONCD). This partnership aims to bolster the logging capabilities available to federal agencies, ensuring they possess the necessary tools to identify and mitigate such cyber threats in the future.

The expansion of logging capabilities is set to be implemented across all tiers of the Microsoft Purview Audit service. According to a statement released by the company, this upgrade will automatically activate in customer accounts, extending the default period for log retention from 90 to 180 days. This enhancement is designed to offer additional telemetry data, aiding more federal agencies in meeting the logging standards mandated by the OMB Memorandum M-21-31.

This strategic move is in line with CISA's Secure by Design principles, advocating for the provision of comprehensive audit logs by technology providers at no extra cost or need for additional configuration. Eric Goldstein, CISA's Executive Assistant Director for Cybersecurity, expressed his satisfaction with Microsoft's commitment to improving logging access for federal agencies and the broader cybersecurity community, emphasizing the progress towards ensuring that all organizations have access to secure and reliable technology.

The need for such enhanced logging was underscored in July, when Microsoft reported a breach by the Chinese-affiliated hacking group known as Storm-0558. The group accessed and exfiltrated data from the Exchange Online Outlook accounts of approximately 25 organizations, including U.S. and Western European government agencies. Investigations revealed that the hackers used a stolen Microsoft account consumer key, obtained from a Windows crash dump, to forge authentication tokens. This gave them unauthorized access to email accounts via Outlook Web Access in Exchange Online and Outlook.com, largely without detection.

Some U.S. federal agencies did spot the unauthorized activity through advanced logging features such as MailItemsAccessed events, but those capabilities were previously available only to customers holding Microsoft's Purview Audit Premium logging licenses. This limitation drew criticism of Microsoft, as it was seen to have obstructed timely detection of and response to the Storm-0558 intrusions.
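To show what a defender gains from having MailItemsAccessed events in the audit log, the following Python script is an added example written for this page; it is not Microsoft's or CISA's code. The record layout, the trusted address ranges and the sample events are all constructed assumptions that only loosely resemble Unified Audit Log exports. The script normalizes each event, then flags mailbox reads that come from outside trusted networks, read many items at once, or use sync-style access, and summarizes the flagged activity per user.

```python
"""Triage MailItemsAccessed audit events for signs of unusual mailbox access.

Example code for this article (not Microsoft's); the event field names below are
an assumption modelled on the general shape of audit-log exports, not a schema.
"""
import json
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed trusted ranges: reads from these networks are considered expected.
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]

# Constructed sample events (assumed layout). 198.51.100.77 is a documentation
# address standing in for an unfamiliar external source.
SAMPLE_RECORDS = [
    {"CreationTime": "2023-06-15T08:02:11", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.gov", "ClientIPAddress": "10.20.0.14",
     "ClientInfoString": "Client=OWA;Action=ViaProxy",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
     "Folders": [{"Path": "\\Inbox",
                  "FolderItems": [{"InternalId": "a1"}, {"InternalId": "a2"}]}]},
    {"CreationTime": "2023-06-15T08:05:40", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.gov", "ClientIPAddress": "198.51.100.77",
     "ClientInfoString": "Client=OWA;Action=ViaProxy",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
     "Folders": [{"Path": "\\Inbox",
                  "FolderItems": [{"InternalId": f"b{i}"} for i in range(40)]}]},
    {"CreationTime": "2023-06-15T08:06:02", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.gov", "ClientIPAddress": "198.51.100.77",
     "ClientInfoString": "Client=OWA;Action=ViaProxy",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}],
     "Folders": [{"Path": "\\Sent Items",
                  "FolderItems": [{"InternalId": f"c{i}"} for i in range(30)]}]},
    {"CreationTime": "2023-06-15T09:10:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.gov", "ClientIPAddress": "10.20.0.31",
     "ClientInfoString": "Client=Outlook;Version=16",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternalId": "d1"}]}]},
]


def parse_export(text):
    """Parse a newline-delimited JSON export into a list of raw event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize(record):
    """Flatten one raw event into the few fields the checks below need."""
    props = {p["Name"]: p["Value"] for p in record.get("OperationProperties", [])}
    items = sum(len(f.get("FolderItems", [])) for f in record.get("Folders", []))
    return {
        "time": datetime.fromisoformat(record["CreationTime"]),
        "user": record["UserId"],
        "ip": record.get("ClientIPAddress", ""),
        "client": record.get("ClientInfoString", ""),
        "access_type": props.get("MailAccessType", "Unknown"),
        "items": items,
    }


def is_trusted(ip, trusted_networks):
    """True when the source address falls inside one of the trusted ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:  # empty or malformed address: treat as untrusted
        return False
    return any(addr in net for net in trusted_networks)


def triage(records, trusted_networks, bulk_threshold=25):
    """Return the MailItemsAccessed events that deserve analyst attention.

    Each finding carries the normalized fields plus the list of reasons it was
    flagged: untrusted source network, bulk item access, or sync-style access.
    """
    findings = []
    for raw in records:
        if raw.get("Operation") != "MailItemsAccessed":
            continue
        ev = normalize(raw)
        reasons = []
        if not is_trusted(ev["ip"], trusted_networks):
            reasons.append("untrusted-source")
        if ev["items"] >= bulk_threshold:
            reasons.append("bulk-access")
        if ev["access_type"] == "Sync":
            reasons.append("sync-access")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


def summarize(findings):
    """Roll flagged events up per user: event count, items touched, source IPs."""
    summary = defaultdict(lambda: {"events": 0, "items": 0, "sources": set()})
    for f in findings:
        entry = summary[f["user"]]
        entry["events"] += 1
        entry["items"] += f["items"]
        entry["sources"].add(f["ip"])
    return {u: {**e, "sources": sorted(e["sources"])} for u, e in summary.items()}


if __name__ == "__main__":
    export = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)
    flagged = triage(parse_export(export), TRUSTED_NETWORKS)
    for f in flagged:
        print(f["time"], f["user"], f["ip"], f["access_type"], f["items"],
              ",".join(f["reasons"]))
    print(summarize(flagged))
```

The point of the exercise is that without the MailItemsAccessed events none of these checks can run at all: the bulk read from an unfamiliar address and the sync of Sent Items are visible only because the per-item access telemetry exists, which is why the licensing change the article describes matters to defenders. Thresholds and trusted ranges are tuning knobs that each organization would set from its own baseline.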

In the wake of these events and under pressure from CISA, Microsoft committed to expanding access to essential logging data at no extra charge, a decision aimed at empowering network defenders with the tools necessary to detect and counteract similar cyber intrusions moving forward.

Subsequent disclosures revealed the extent of the breach, with U.S. State Department officials reporting that the Storm-0558 hackers had exfiltrated at least 60,000 emails from Outlook accounts of State Department personnel through the compromised Exchange Online platform.

This decision by Microsoft to waive additional charges for vital security features like logging has elicited mixed reactions. While some view it as a positive step towards enhancing cybersecurity resilience, others, like U.S. Senator Ron Wyden, critique the company for profiting from its own vulnerabilities. Senator Wyden likened Microsoft's initial stance to an "arsonist selling firefighting services," pointing to the billions of dollars the company earns from its security business as indicative of a broader issue concerning accountability and liability for software companies in matters of cybersecurity negligence.

As of February 21, Microsoft has clarified that the enhanced logging feature will be available to all Audit standard customers, marking a pivotal moment in the ongoing effort to secure digital infrastructures against sophisticated cyber threats. This development not only reflects the growing recognition of the critical importance of cybersecurity in the digital age but also underscores the collaborative efforts between the private sector and government agencies to fortify the nation's cyber defenses.
