Microsoft Reinforcing Cloud-logging for a Better Security Posture

Microsoft has announced that it is expanding the cloud logging data it makes available to customers, so that they can see more of what happens in their tenants and handle cybersecurity incidents better.

The decision follows criticism over a recent espionage campaign that abused Microsoft's cloud email infrastructure.

“Microsoft has mitigated an attack by a China-based threat actor Microsoft tracks as Storm-0558, which targeted customer emails. Storm-0558 primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access.”

The motive behind the development

This change responds to the increasing frequency and sophistication of nation-state cyber threats.

Starting in September 2023, all government and commercial customers will have access to broader cloud security logs at no extra cost.

Microsoft will also give customers detailed logs of email access, along with more than 30 other types of log data that were previously available only with the Microsoft Purview Audit (Premium) subscription.

Additionally, the default retention period for Purview Audit (Standard) customers will be extended from 90 to 180 days, giving responders a longer window of history to search when an intrusion is discovered late.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) welcomed this move, emphasizing the importance of having access to key logging data to address cyber intrusions quickly.

“We applaud Microsoft’s announcement to make necessary logs identified by CISA and our partners as critical to identifying cyber-attacks available to customers without additional cost.”

“While we understand it will take time to roll out such a major step, this effort will enhance cyber defense and incident response for every Microsoft customer. As a founding partner in the Joint Cyber Defense Collaborative (JCDC), Microsoft’s decision is also a significant step toward creating a world where technology is safe and secure by design.”

Storm-0558: A trigger

The decision was triggered by the China-based threat actor Storm-0558, which breached roughly 25 organizations by forging authentication tokens that a token validation error in Microsoft's Exchange Online environment accepted as genuine.

The US State Department, one of the affected entities, detected the malicious mailbox activity in June 2023 because it had the enhanced logging provided by Microsoft Purview Audit (Premium).

Other impacted organizations, however, could not see the breach because they lacked the subscription license needed for those logs.

The Storm-0558 attacks are believed to have started on May 15, 2023. Since August 2021 the threat actor had also abused OAuth applications and carried out token theft and token replay attacks against Microsoft accounts.

[Figure: Heatmap of observed Storm-0558 activity by day of week and hour (UTC). Source: Microsoft]

Microsoft is still investigating the intrusions and has not yet disclosed how the attackers acquired an inactive Microsoft account (MSA) consumer signing key. With that key they forged authentication tokens and used them to gain unauthorized access to customer email through Outlook Web Access (OWA) in Exchange Online and through Outlook.com.

The primary objective of the Storm-0558 campaigns is unauthorized access to the email accounts of employees at targeted organizations. Once in, the actor collects information from the compromised mailboxes over the same web service (OWA) a legitimate user would use, which is why email access logs matter for spotting it.
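The token-forgery path described above, as an added example that is not code from Microsoft or from the original article: a toy Python model of how a signing key that belongs to consumer (MSA) accounts can end up validating a token that claims an enterprise (Azure AD) tenant as its issuer, beside the corrected check. Real OWA and Azure AD tokens are RSA-signed JWTs validated against published key sets; here HMAC-SHA256 stands in for RSA so the block runs with the standard library alone, and every key ID, secret, issuer URL, tenant ID, expiry date and account name is made up. The specific shape of the flaw modelled here, a verifier that accepts any published key for any issuer, is this example's assumption about the "validation error" the article mentions, not a statement of Microsoft's exact bug.

```python
import base64
import hashlib
import hmac
import json

# Constructed key stores; none of these IDs or secrets are real. Each key records
# the issuer family it may sign for and when it stopped being active. HMAC secrets
# stand in for the RSA private keys that real tokens are signed with.
KEY_STORES = {
    "consumer": {  # Microsoft account (MSA) keys, e.g. for Outlook.com
        "msa-key-2016": {
            "secret": b"consumer-signing-secret",
            "issuer_prefix": "https://login.live.com",
            "expires": 1617235200,  # retired in 2021: an inactive key (assumed date)
        },
    },
    "enterprise": {  # Azure AD keys for tenant-scoped tokens
        "aad-key-2023": {
            "secret": b"enterprise-signing-secret",
            "issuer_prefix": "https://sts.windows.net/",
            "expires": 4102444800,  # still active
        },
    },
}
ENTERPRISE_ISSUER = "https://sts.windows.net/"  # issuer family this service accepts

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _dumps(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

def _all_keys() -> dict:
    """The merged, published key set a relying party would download."""
    return {**KEY_STORES["consumer"], **KEY_STORES["enterprise"]}

def sign(payload: dict, kid: str, secret: bytes) -> str:
    """Mint a compact JWT-style token (header.payload.signature) with HMAC-SHA256."""
    header = {"alg": "HS256", "kid": kid, "typ": "JWT"}
    signing_input = _b64url(_dumps(header)) + "." + _b64url(_dumps(payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def _parse(token: str):
    h, p, s = token.split(".")
    return (json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)),
            h + "." + p, _b64url_decode(s))

def _signature_ok(key: dict, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def verify_vulnerable(token: str):
    """Flawed check: look the kid up in the merged key set and verify the signature.
    Nothing ties the key to the issuer the token claims, so a consumer key
    validates a token asserting an enterprise tenant."""
    header, payload, signing_input, sig = _parse(token)
    key = _all_keys().get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    return payload

def verify_hardened(token: str, now: int):
    """Corrected check: the key must still be active, its scope must cover the
    token's iss claim, the issuer must be one this service accepts, and the
    token itself must not have expired."""
    header, payload, signing_input, sig = _parse(token)
    key = _all_keys().get(header.get("kid"))
    if key is None or now >= key["expires"]:
        return None  # unknown or retired key
    iss = str(payload.get("iss", ""))
    if not iss.startswith(key["issuer_prefix"]):
        return None  # key scope does not cover the claimed issuer
    if not iss.startswith(ENTERPRISE_ISSUER):
        return None  # consumer-issued token presented at an enterprise endpoint
    if not _signature_ok(key, signing_input, sig):
        return None
    if int(payload.get("exp", 0)) <= now:
        return None
    return payload

def demo(now: int = 1686528000) -> dict:
    """Forge a tenant token with the retired consumer key and run both verifiers.
    Tenant ID, audience and account name are made up."""
    tenant_iss = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"
    claims = {"iss": tenant_iss, "aud": "https://outlook.office365.com",
              "sub": "analyst@contoso.example", "exp": now + 3600}
    forged = sign(claims, "msa-key-2016", KEY_STORES["consumer"]["msa-key-2016"]["secret"])
    legit = sign(claims, "aad-key-2023", KEY_STORES["enterprise"]["aad-key-2023"]["secret"])
    return {
        "forged_vulnerable": verify_vulnerable(forged) is not None,
        "forged_hardened": verify_hardened(forged, now) is not None,
        "legit_vulnerable": verify_vulnerable(legit) is not None,
        "legit_hardened": verify_hardened(legit, now) is not None,
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the forged token accepted by the flawed verifier and rejected by the hardened one, while the legitimately signed token passes both. The hardened verifier rejects the forgery on two independent grounds, the key has expired and its scope does not cover the claimed issuer, which is the point: a signature check alone proves only that someone held a published key, not that the key was entitled to speak for that issuer.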

Concluding thought: Microsoft is making us win

Steps like this by large vendors on behalf of the wider community deserve applause. Microsoft's move recognizes that every organization is part of the same ecosystem and that everyone counts when it comes to cybersecurity.

Author: Marrium Akhtar

Date: July 21, 2023

Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
