Microsoft has expanded free logging capabilities to all U.S. federal agencies using Microsoft Purview Audit irrespective of the license tier, more than six months after a China-linked cyber espionage campaign targeting two dozen organizations came to light.
"Microsoft will automatically enable the logs in customer accounts and increase the default log retention period from 90 days to 180 days," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said.
"Also, this data will provide new telemetry to help more federal agencies meet logging requirements mandated by [Office of Management and Budget] Memorandum M-21-31."
Microsoft, in July 2023, disclosed that a China-based nation-state activity group known as Storm-0558 gained unauthorized access to approximately 25 entities in the U.S. and Europe as well as a small number of related individual consumer accounts.
"Storm-0558 operates with a high degree of technical tradecraft and operational security," the company noted. "The actors are keenly aware of the target's environment, logging policies, authentication requirements, policies, and procedures."
The campaign is believed to have commenced in May 2023, but detected only a month later after a U.S. federal agency, later revealed to be the State Department, uncovered suspicious activity in unclassified Microsoft 365 audit logs and reported it to Microsoft.
The breach was detected by leveraging enhanced logging in Microsoft Purview Audit, specifically using the MailItemsAccessed mailbox-auditing action that's typically available for Premium subscribers.
The Windows maker subsequently acknowledged that a validation error in its source code allowed for Azure Active Directory (Azure AD) tokens to be forged by Storm-0558 using a Microsoft account (MSA) consumer signing key, and then use them to penetrate the mailboxes.
The attackers are estimated to have stolen at least 60,000 unclassified emails from Outlook accounts belonging to State Department officials stationed in East Asia, the Pacific, and Europe, Reuters reported in September 2023. Beijing has denied the allegations.
It also faced intense scrutiny for withholding basic-yet-crucial logging capabilities to entities that are on the more expensive E5 or G5 plan, prompting the company to make changes.
"We recognize the vital importance that advanced logging plays in enabling federal agencies to detect, respond to, and prevent even the most sophisticated cyberattacks from well-resourced, state-sponsored actors," Microsoft's Candice Ling said. "For this reason, we have been collaborating across the federal government to provide access to advanced audit logs."