Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats
20.7.23  Security  The Hacker News
Microsoft on Wednesday announced that it's expanding its cloud logging capabilities to help organizations investigate cybersecurity incidents and gain more visibility, after facing criticism in the wake of a recent espionage campaign aimed at its email infrastructure.

The tech giant said it's making the change in direct response to the increasing frequency and evolution of nation-state cyber threats. The change is expected to roll out to all government and commercial customers starting in September 2023.

"Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost," Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft, said. "As these changes take effect, customers can use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise."

As part of this change, customers are expected to receive access to detailed logs of email access and more than 30 other types of log data that were previously available only at the Microsoft Purview Audit (Premium) subscription level. On top of that, the Windows maker said it's extending the default retention period for Audit (Standard) customers from 90 days to 180 days.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) welcomed the move, stating "having access to key logging data is important to quickly mitigating cyber intrusions" and that it's "a significant step forward toward advancing security by design principles."

The development comes in the aftermath of disclosures that a threat actor operating out of China, dubbed Storm-0558, breached 25 organizations by using forged authentication tokens that exploited a token validation error in the Microsoft Exchange Online environment.

The U.S. State Department, one of the affected entities, said it was able to detect the malicious mailbox activity in June 2023 thanks to enhanced logging in Microsoft Purview Audit, specifically the MailItemsAccessed mailbox-auditing action, prompting Microsoft to investigate the incident.
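As an added illustration of the detection path described above (example code written for this article, not Microsoft's or the State Department's tooling): the script below triages MailItemsAccessed records exported from the Microsoft 365 unified audit log, flags mailbox reads that come from outside a tenant's usual networks or from an unrecognised client, and calls out mailboxes whose auditing was throttled. The sample records, the trusted network range and the client prefixes are constructed for the demo; in a real tenant the records come from `Search-UnifiedAuditLog -Operations MailItemsAccessed` in Exchange Online PowerShell, and they exist only if the MailItemsAccessed action was being logged for the mailbox, which at the time of the intrusion required Audit (Premium).

```python
import json
from ipaddress import ip_address, ip_network

# Added example, not Microsoft tooling. In practice the records come from
# Exchange Online PowerShell (Search-UnifiedAuditLog -Operations MailItemsAccessed);
# each result's AuditData column is one JSON document like the ones built below.
# Constructed samples: field names follow the documented MailItemsAccessed
# schema, but every value (users, IPs, message IDs, times) is invented.
def _sample(time, user, ip, access, throttled, msg_ids):
    return json.dumps({
        "CreationTime": time, "Operation": "MailItemsAccessed", "UserId": user,
        "ClientIPAddress": ip, "ClientInfoString": "Client=OWA;Action=ViaProxy",
        "OperationProperties": [{"Name": "MailAccessType", "Value": access},
                                {"Name": "IsThrottled", "Value": throttled}],
        "Folders": [{"Path": "\\Inbox",
                     "FolderItems": [{"InternetMessageId": m} for m in msg_ids]}],
    })

SAMPLE_AUDIT_DATA = [
    _sample("2023-06-15T08:12:03", "alice@example.com", "198.51.100.25", "Bind", "False",
            ["<a1@example.com>"]),
    _sample("2023-06-15T09:40:51", "alice@example.com", "203.0.113.10", "Bind", "False",
            ["<a2@example.com>", "<a3@example.com>"]),
    _sample("2023-06-15T10:02:17", "bob@example.com", "198.51.100.30", "Sync", "True", []),
]

# Assumed baseline for the demo tenant: where, and with what, users normally read mail.
TRUSTED_NETWORKS = ["198.51.100.0/24"]
TRUSTED_CLIENT_PREFIXES = ["Client=OWA", "Client=Outlook"]


def parse_audit_data(json_docs):
    """Parse AuditData JSON documents (one per string) into dicts, skipping blanks."""
    return [json.loads(doc) for doc in json_docs if doc.strip()]


def op_property(record, name):
    """Return the value of a named entry in OperationProperties, or None if absent."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def messages_touched(record):
    """Number of individual messages listed under Folders/FolderItems."""
    return sum(len(f.get("FolderItems", [])) for f in record.get("Folders", []))


def in_trusted_network(ip_text, networks):
    """True if ClientIPAddress (optionally 'addr:port' or '[v6]:port') is in a trusted range."""
    nets = [ip_network(n) for n in networks]
    candidates = [ip_text, ip_text.rsplit(":", 1)[0]] if ip_text else []
    for text in candidates:
        try:
            addr = ip_address(text.strip("[]"))
        except ValueError:
            continue
        return any(addr in net for net in nets)
    return False


def flag_unexpected_access(records, trusted_networks, trusted_client_prefixes):
    """MailItemsAccessed events from outside the trusted networks or from an
    unrecognised client: the trail a session using a forged token leaves."""
    findings = []
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        client = r.get("ClientInfoString") or ""
        known_client = any(client.startswith(p) for p in trusted_client_prefixes)
        if known_client and in_trusted_network(r.get("ClientIPAddress"), trusted_networks):
            continue
        findings.append({
            "time": r.get("CreationTime"), "user": r.get("UserId"),
            "ip": r.get("ClientIPAddress"), "client": client,
            "access_type": op_property(r, "MailAccessType"),
            "messages": messages_touched(r),
        })
    return findings


def throttled_users(records):
    """Users whose MailItemsAccessed logging was throttled. Exchange Online stops
    recording the action for a mailbox after 1,000 records in 24 hours, so a
    throttled record means the trail for that user is incomplete."""
    return sorted({r.get("UserId") for r in records
                   if op_property(r, "IsThrottled") == "True"})


if __name__ == "__main__":
    recs = parse_audit_data(SAMPLE_AUDIT_DATA)
    for f in flag_unexpected_access(recs, TRUSTED_NETWORKS, TRUSTED_CLIENT_PREFIXES):
        print("UNEXPECTED", f)
    print("throttled (log gaps):", throttled_users(recs))
```

Two points worth keeping in mind when adapting this. First, the baseline of user plus source network plus client string is what does the work: a session built on a forged token looks like a valid sign-in, so the mailbox-level access record, not the authentication log, is where an unfamiliar source shows up. Second, treat a throttled record as a finding in its own right: once a mailbox exceeds 1,000 MailItemsAccessed records in 24 hours, Exchange Online stops logging the action for that mailbox for 24 hours, so the absence of further records is not evidence that access stopped.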

But other impacted organizations said they were unable to detect that they had been breached because they did not hold E5/A5/G5 licenses, which include elevated access to the kinds of logs that would be crucial to investigating the hack.

Attacks mounted by the actor are said to have commenced on May 15, 2023, although Redmond said that the adversary has displayed a propensity for OAuth applications, token theft, and token replay attacks against Microsoft accounts since at least August 2021.

Microsoft, in the meantime, is continuing to probe the intrusions, but to date the company hasn't explained how the hackers were able to acquire an inactive Microsoft account (MSA) consumer signing key to forge authentication tokens and obtain illicit access to customer email accounts via Outlook Web Access (OWA) in Exchange Online and Outlook.com.

"The objective of most Storm-0558 campaigns is to obtain unauthorized access to email accounts belonging to employees of targeted organizations," Microsoft revealed last week.

"Once Storm-0558 has access to the desired user credentials, the actor signs into the compromised user's cloud email account with the valid account credentials. The actor then collects information from the email account over the web service."