After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging

[German]At the suggestion of the U.S. National Security Agency (CISA), Microsoft will provide its customers with enhanced cloud logging capabilities at no additional cost. This is intended to improve cyber defenses and incident response and is in response to the successful attack by Chinese hackers (Storm-0558) on Outlook Online accounts, which only attracted the attention of a U.S. agency because of such logging capabilities.


The Outlook Online account hack

A suspected China-based hacking group, called as Storm-0558 by Microsoft, had succeeded in June 2023 in gaining access to email accounts of about 25 organizations stored in the Microsoft cloud. These include government agencies (U.S. State Department), as well as corresponding private accounts of individuals likely associated with these organizations.

Access was gained with a Microsoft account (MSA) customer key that was used to forge tokens. I reported on this in the blog post China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud. And I provided further details in the blog post Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark.

In the former blog post, I had referred to a CISA (US Cybersecurity and Infrastructure Security Agency) report that revealed more details. For example, a federal civilian executive branch (FCEB) had detected suspicious activity in its Microsoft 365 (M365) cloud environment in June 2023.

Specifically, the federal agency in question noticed MailItemsAccessed events with an unexpected ClientAppID and AppID in the M365 audit logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes via any connection protocol from any client. The agency in question considered this activity suspicious because the observed AppId does not normally access mailboxes in their environment, and reported the activity to Microsoft and CISA.

So it was effectively a find by chance because the federal agency in question was using advanced logging, specifically MailItemsAccessed events and an established baseline of normal Outlook activity (e.g., expected AppID), which allowed them to be classified as suspicious. The MailItemsAccessed event enables detection of otherwise difficult-to-detect hostile activity.


The CISA report says, that other logs probably would not have enabled detection. The federal agency in question was allowed to use advanced logging, also known as Purview Audit (Premium) logging, to monitor activity in the cloud and on email accounts, which made it possible to detect that activity. A few years ago, there was a major public dispute between the U.S. government and Microsoft over the cost of access to Purview Audit (Premium).

The Agreement between CISA and Microsoft

First, the cyber incident did not make Microsoft look good, as I traced in the linked posts. In addition, it became clear that Microsoft was only providing Purview Audit (Premium) logging to its cloud customers for cash.

CISA about extended logging in Microsoft 365

In the above tweet, CISA reports progress in cloud security that Microsoft is now enabling for Microsoft 365 customers. In the post CISA and Microsoft Partnership Expands Access to Logging Capabilities Broadly we can read, that Microsoft has made a big move.

The CISA announcement states that based on a joint partnership between the Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft, many customers will now have access to expanded cloud logging capabilities at no additional cost. This is expected to improve cyber defense and incident response. Microsoft's decision is a significant step in advancing the principles of security by design and a good example of an effective partnership leading to better cybersecurity on a national scale, the CISA release said.

Microsoft published the blog pos Chief information security officer collaborating with practitioners in a security operations center. as of July 19, 2023, which confirms the CISA message. As IT applications move to the cloud, meaningful log data plays an important role in incident response, as outlined above.

Centralized security monitoring provides detailed, auditable insight into how different identities, applications and devices access a customer's cloud services. While these logs themselves do not prevent attacks, they can be useful in digital forensics and incident response when investigating how an intrusion may have occurred, such as an attacker impersonating an authorized user.

In the coming months, Microsoft plans to grant cloud customers worldwide access to more cloud security logs at no additional cost. Once these changes take effect, customers will be able to use Microsoft Purview Audit to centrally visualize more types of cloud log data generated within their organization, Microsoft writes in the post linked above.

Microsoft Purview Audit enables customers to centrally visualize cloud log data generated in the enterprise. This helps effectively respond to security events, forensic investigations, internal investigations and compliance obligations. Thousands of user and administrative events performed across dozens of Microsoft 365 services and solutions are captured, recorded and retained in customers' unified Purview Audit logs.

Commercial and government customers with E5/G5 licenses already using Microsoft Purview Audit (Premium) will continue to have access to all available audit logging events. This includes smarter insights to help determine the scope of potential compromises using the Audit Log Search in the Microsoft Purview Compliance Portal and the Office 365 Management Activity API. Additional Audit Premium features include longer default retention periods and automation support for importing log data into other tools for analysis. And all of this ultimately as a consequence of the security incident outlined above.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Cloud, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *