Microsoft has expanded free logging capabilities to all US federal agencies that use Microsoft Purview Audit regardless of license level, more than six months after a China-linked cyber espionage campaign targeting two dozen companies came to light.
“Microsoft will automatically enable logs in customer accounts and increase the default log retention period from 90 days to 180 days,” the US Cybersecurity and Infrastructure Security Agency (CISA) said.
“Additionally, this data will provide new telemetry to help more federal agencies meet mandated registration requirements under [Office of Management and Budget] Memorandum M-21-31.”
Microsoft, in July 2023, disclosed that a China-based state-owned business group known as Storm-0558 gained unauthorized access to approximately 25 entities in the United States and Europe, as well as a small number of related individual consumer Microsoft accounts.
“Storm-0558 operates with a high level of technical proficiency and operational safety,” the company noted. “Actors are acutely aware of the target’s environment, logging policies, authentication requirements, policies and procedures.”
The campaign is believed to have begun in May 2023, but was only detected a month later, after a US federal agency, later revealed to be the State Department, discovered suspicious activity in unclassified Microsoft 365 audit logs and reported it to Microsoft.
The breach was discovered by leveraging advanced logging in Microsoft Purview Audit, specifically using the MailItemsAccessed mailbox audit action generally available to Premium subscribers.
The Windows maker later acknowledged that a validation error in its source code allowed Storm-0558 to forge Azure Active Directory (Azure AD) tokens using a Microsoft Account (MSA) consumer signing key and then use them to penetrate inboxes.
The attackers are estimated to have stolen at least 60,000 unclassified emails from Outlook accounts belonging to State Department officials stationed in East Asia, the Pacific and Europe, Reuters reported in September 2023. Beijing has denied the allegations.
Microsoft also faced intense scrutiny for restricting basic but crucial logging capabilities to entities on the more expensive E5 or G5 plans, prompting the company to make changes.
“We recognize the vital importance that advanced logging plays in enabling federal agencies to detect, respond to, and prevent even the most sophisticated cyberattacks by well-resourced, state-sponsored actors,” said Candice Ling of Microsoft. “For this reason, we have worked across the federal government to provide access to advanced audit records.”