Free Logging for US Federal Agencies – Microsoft Leads the Way

February 25, 2024
TLDR:

  • Microsoft has expanded free logging capabilities for all U.S. federal agencies using Microsoft Purview Audit.
  • The move comes after a China-linked cyber espionage campaign targeted two dozen organizations.

Microsoft has increased the default log retention period from 90 to 180 days, providing new telemetry to help agencies meet logging requirements mandated by the Office of Management and Budget. The company disclosed unauthorized access by a China-based nation-state group known as Storm-0558, which stole at least 60,000 emails from State Department officials. The breach was detected using enhanced logging in Microsoft Purview Audit and was caused by a validation error in the source code that allowed attackers to forge Azure AD tokens. Beijing denied the allegations. Criticism of Microsoft's practice of reserving advanced logging for higher license tiers prompted the company to make changes, providing advanced logging capabilities to all federal agencies regardless of license tier.

Full Article:

Microsoft has expanded free logging capabilities to all U.S. federal agencies using Microsoft Purview Audit irrespective of the license tier, more than six months after a China-linked cyber espionage campaign targeting two dozen organizations came to light. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated that Microsoft will automatically enable the logs in customer accounts and increase the default log retention period from 90 days to 180 days. This data will provide new telemetry to help more federal agencies meet logging requirements mandated by [Office of Management and Budget] Memorandum M-21-31.

Microsoft disclosed in July 2023 that a China-based nation-state activity group known as Storm-0558 gained unauthorized access to approximately 25 entities in the U.S. and Europe, as well as a small number of related individual consumer accounts. The breach was detected by leveraging enhanced logging in Microsoft Purview Audit, specifically using the MailItemsAccessed mailbox-auditing action. The attackers were able to forge Azure AD tokens and penetrate the mailboxes using a Microsoft account (MSA) consumer signing key.
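The two concrete points above, that the intrusion surfaced through MailItemsAccessed records and that the retention window now runs to 180 days instead of 90, are easier to appreciate against actual audit data. The following script is an added example and not code from the article or from Microsoft: it parses a handful of constructed audit records in the JSON shape of Microsoft 365 unified audit log exports (field names such as Operation, UserId, ClientInfoString, MailAccessType and IsThrottled follow the documented Exchange mailbox-audit schema; all values, mailboxes and IP addresses are invented), triages the MailItemsAccessed events with two simple rules, and shows how many of the same events would still be queryable under a 90-day versus a 180-day retention window. The client-string baseline is an assumption for a hypothetical tenant.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit records (JSON lines) in the shape of Microsoft 365
# unified audit log entries. Field names follow the documented Exchange
# mailbox-audit schema; every value below is invented for this example.
SAMPLE_AUDIT_LOG = """\
{"CreationTime": "2024-02-20T10:15:00", "Operation": "MailItemsAccessed", "UserId": "alice@agency.example", "ClientInfoString": "Client=OWA;Action=ViaProxy", "MailAccessType": "Bind", "IsThrottled": false, "OperationCount": 3, "ClientIPAddress": "203.0.113.5"}
{"CreationTime": "2024-02-21T02:40:00", "Operation": "MailItemsAccessed", "UserId": "alice@agency.example", "ClientInfoString": "Client=REST;Client=RESTSystem;;", "MailAccessType": "Sync", "IsThrottled": false, "OperationCount": 1, "ClientIPAddress": "198.51.100.7"}
{"CreationTime": "2023-10-01T09:00:00", "Operation": "MailItemsAccessed", "UserId": "bob@agency.example", "ClientInfoString": "Client=OWA;Action=ViaProxy", "MailAccessType": "Bind", "IsThrottled": true, "OperationCount": 1000, "ClientIPAddress": "203.0.113.9"}
{"CreationTime": "2024-02-22T11:00:00", "Operation": "FileAccessed", "UserId": "carol@agency.example", "ClientInfoString": "Client=OWA", "ClientIPAddress": "203.0.113.12"}
"""

# Assumed baseline: client strings normally seen in this hypothetical tenant.
EXPECTED_CLIENT_PREFIXES = ("Client=OWA", "Client=Outlook")


def parse_audit_log(text):
    """Parse a JSON-lines audit export into dicts, adding a parsed timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def flag_mail_access(records, expected_prefixes=EXPECTED_CLIENT_PREFIXES):
    """Return MailItemsAccessed events that deserve analyst attention.

    Two triage rules: the access came from a client string outside the tenant
    baseline, or the record carries IsThrottled (Exchange stops writing
    per-item records once a mailbox exceeds its daily threshold, so a
    throttled record marks high-volume access that needs follow-up).
    """
    findings = []
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        reasons = []
        client = rec.get("ClientInfoString", "")
        if not client.startswith(expected_prefixes):
            reasons.append("unexpected client: " + client)
        if rec.get("IsThrottled"):
            reasons.append("audit throttled (high-volume access)")
        if reasons:
            findings.append({"UserId": rec["UserId"],
                             "Time": rec["CreationTime"],
                             "Reasons": reasons})
    return findings


def events_within_retention(records, now_iso, retention_days):
    """Count events still queryable under a retention window ending at now_iso."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    return sum(1 for rec in records if rec["_time"] >= cutoff)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for finding in flag_mail_access(recs):
        print(finding)
    print("events retained at 90 days: ", events_within_retention(recs, "2024-02-25T00:00:00", 90))
    print("events retained at 180 days:", events_within_retention(recs, "2024-02-25T00:00:00", 180))
```

With the sample data, the access from an unrecognised REST client and the throttled record for the second mailbox are the two events flagged, and the older throttled event is the one that a 90-day window would already have discarded by late February 2024 while a 180-day window keeps it. On a real tenant the baseline of expected client strings has to come from the agency's own historical audit data, and the export would come from Purview Audit rather than an inline string.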

The breach resulted in the theft of at least 60,000 unclassified emails from Outlook accounts belonging to State Department officials stationed in East Asia, the Pacific, and Europe. Despite the allegations, Beijing denied any involvement in the cyber espionage campaign. Microsoft faced criticism for reserving advanced logging capabilities for entities on more expensive plans, prompting the company to provide access to advanced audit logs for all federal agencies.

Microsoft’s Candice Ling emphasized the importance of advanced logging in enabling federal agencies to detect, respond to, and prevent cyberattacks from well-resourced state-sponsored actors. The company has been collaborating with the federal government to provide access to advanced audit logs to enhance cybersecurity measures.
