Microsoft has extended its free logging features to all U.S. federal agencies using Microsoft Purview Audit, regardless of their license tier. This move comes after a China-linked cyber espionage campaign targeted two dozen organizations, with Microsoft’s new offering aimed at helping agencies meet logging requirements mandated by the Office of Management and Budget Memorandum M-21-31.
As part of this expansion, Microsoft will automatically enable logs in customer accounts and extend the default log retention period from 90 days to 180 days, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The decision to enhance logging capabilities follows Microsoft’s disclosure in July 2023 of a China-based nation-state activity group, Storm-0558, gaining unauthorized access to about 25 entities in the U.S. and Europe, as well as a small number of related individual consumer accounts.
Storm-0558’s operations were marked by a high degree of technical sophistication and operational security. The actors demonstrated a keen awareness of the target’s environment, logging policies, authentication requirements, and procedures, Microsoft noted.
The campaign is believed to have started in May 2023 but was detected only a month later after the State Department, one of the affected agencies, identified suspicious activity in unclassified Microsoft 365 audit logs and reported it to Microsoft.
The breach was detected through enhanced logging in Microsoft Purview Audit, specifically utilizing the MailItemsAccessed mailbox-auditing action typically available for Premium subscribers.
Microsoft acknowledged that a validation error in its source code allowed Storm-0558 to forge Azure Active Directory tokens using a Microsoft account (MSA) consumer signing key, enabling them to access mailboxes.
The attackers reportedly stole at least 60,000 unclassified emails from Outlook accounts belonging to State Department officials stationed in East Asia, the Pacific, and Europe. Beijing has denied these allegations.
Microsoft had faced criticism for limiting basic logging capabilities to entities on more expensive E5 or G5 plans. However, the company has since made changes to provide enhanced logging features to federal agencies, recognizing the importance of such capabilities in detecting, responding to, and preventing sophisticated cyberattacks.
