Microsoft to expand free cloud logging following recent hacks

In response to recent cyberespionage attacks, Microsoft Wednesday said it will provide customers a wider range of cloud logging data at no additional cost.

Microsoft's announcement came in response to criticism the software giant faced over the past week regarding a lack of logging data for certain cloud licenses. The criticism stemmed from a series of attacks from a China-based threat actor that breached email accounts of approximately 25 organizations, including several U.S. federal agencies.

The threat actor, which Microsoft dubbed Storm-0558, used a stolen Microsoft account (MSA) key to forge access tokens that enabled the attacker to gain access to email accounts in Outlook Web Access in Exchange Online and Outlook.com. The threat activity was initially discovered in June by an unnamed federal civilian executive branch (FCEB) agency, which reported the attack to Microsoft.

In an advisory about the attacks, CISA noted that the FCEB agency was only able to detect the intrusion because it had enabled enhanced logging for its Microsoft 365 services, which provided the agency's security team with relevant data about the compromised email accounts.

"CISA and FBI are not aware of other audit logs or events that would have detected this activity," the advisory said. "Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity."

However, that enhanced cloud logging data was only available to organizations with E5 or G5 license agreements -- the top and most expensive subscription level for Microsoft services. As a result, many infosec experts and government officials, including former National Cyber Director Chris Inglis, pushed Microsoft to provide additional free cloud logging capabilities to customers so that they could better defend themselves against cyberthreats.

Microsoft responded with a blog post Wednesday from Vasu Jakkal, corporate vice president of security, compliance, identity and management at Microsoft. Jakkal said that starting in September, the company will provide standard subscribers a wider range of cloud logs within Microsoft Purview Audit, including more detailed logs for email access as well as 30 other types of log data that were previously limited to premium subscribers. He also said Microsoft will increase the default log retention period for Purview Audit standard customers from 90 days to 180 days.

"Today's news comes as a result of our close partnership with CISA, which has called for the industry to take action in order to better protect itself from potential cyberattacks," Jakkal said. "It also reflects our commitment to engaging with customers, partners, and regulators to address the evolving security needs of the modern world."

CISA director Jen Easterly applauded Microsoft's move. "Through close collaboration with our partners at @Microsoft, I'm excited to announce that we've reached an important milestone in making logging more accessible for government & commercial entities," she said in a tweet.

Eric Goldstein, executive assistant director for cybersecurity at CISA, wrote in a blog post that the agency has been working with Microsoft over the "past several months" to identify the types of logs necessary to identify cyber attacks.

"While vendors can offer wider logging access at specific cloud licensing levels, this approach makes it harder to investigate intrusions," he said. "Asking organizations to pay more for necessary logging is a recipe for inadequate visibility into investigating cybersecurity incidents and may allow adversaries to have dangerous levels of success in targeting American organizations."

Goldstein applauded the move and said it was a significant step toward the "secure-by-design" principle touted by the agency. "While we understand it will take time to roll out such a major step, this effort will enhance cyber defense and incident response for every Microsoft customer," he said.

Rob Wright is a longtime technology reporter who lives in the Boston area.