
Microsoft on Wednesday announced that it is expanding the logging capabilities of its cloud security services to help organizations investigate cybersecurity incidents and gain greater visibility, after facing criticism over a recent espionage campaign that targeted the company's email infrastructure.
The tech giant said it is making the changes in direct response to the frequency and evolution of nation-state cyber threats. They will be rolled out to all government and commercial customers starting in September 2023.
"In the coming months, we plan to give our customers around the world access to a broader set of cloud security logs at no additional cost," said Vasu Jakkal, corporate vice president of security, compliance, identity and management at Microsoft. "Once these changes take effect, customers will be able to use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise."
As part of this change, users will be able to access detailed logs of email access and more than 30 other types of log data that were previously available only at the Microsoft Purview Audit (Premium) subscription level. In addition, the Windows maker said it will extend the default retention period for Audit Standard customers from 90 days to 180 days.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) welcomed the move, stating that "having access to key logging data is critical to quickly mitigating cyber intrusions," and describing it as "an important step forward" toward the security-by-design principle.
This development follows revelations that an actor operating out of China dubbed Storm-0558 exploited a validation error in a Microsoft Exchange environment to compromise 25 organizations.
One of the affected organizations, the U.S. Department of State, was able to detect malicious mailbox activity in June 2023 using Microsoft Purview Audit logging enhancements, specifically the MailItemsAccessed mailbox audit action, and urged Microsoft to investigate the incident.
However, other affected organizations stated that they were unable to detect the breach because they did not hold E5/A5/G5 licenses, which come with elevated access to the types of logs essential to intrusion investigations.
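The detection described above hinges on being able to read MailItemsAccessed records once they are available in the audit log. The following is an added example, not code from the article or from Microsoft, showing how a defender might triage an exported batch of such records: it flattens each record, flags mail access from a client app/IP pair not in the user's known baseline, and surfaces records whose IsThrottled property is set, since a throttled day means later accesses were not recorded. The field names (Operation, UserId, ClientIPAddress, ClientAppId, OperationProperties with MailAccessType and IsThrottled, Folders/FolderItems/InternetMessageId) are assumed to follow the Purview audit record schema; the sample records, app IDs, addresses and baseline are constructed for the example.

```python
"""Triage MailItemsAccessed records from an exported Purview audit log (added example)."""
import json

# Constructed sample export: a JSON array of audit records. The field names are
# assumed to match the MailItemsAccessed record schema; every value is invented.
SAMPLE_EXPORT = json.dumps([
    {"CreationTime": "2023-06-15T08:02:11", "Operation": "MailItemsAccessed",
     "UserId": "analyst@example.gov", "ClientIPAddress": "198.51.100.7",
     "ClientAppId": "11111111-1111-1111-1111-111111111111",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox",
                  "FolderItems": [{"InternetMessageId": "<a1@example.gov>"}]}]},
    {"CreationTime": "2023-06-15T23:41:05", "Operation": "MailItemsAccessed",
     "UserId": "analyst@example.gov", "ClientIPAddress": "203.0.113.99",
     "ClientAppId": "22222222-2222-2222-2222-222222222222",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox",
                  "FolderItems": [{"InternetMessageId": "<b7@example.gov>"},
                                  {"InternetMessageId": "<b8@example.gov>"}]}]},
    {"CreationTime": "2023-06-16T03:10:44", "Operation": "MailItemsAccessed",
     "UserId": "analyst@example.gov", "ClientIPAddress": "203.0.113.99",
     "ClientAppId": "22222222-2222-2222-2222-222222222222",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "True"}],
     "Folders": []},
    # A non-MailItemsAccessed record, to show that other operations are skipped.
    {"CreationTime": "2023-06-16T09:00:00", "Operation": "MailboxLogin",
     "UserId": "analyst@example.gov", "ClientIPAddress": "198.51.100.7"},
])

# Constructed baseline: per user, the (client app id, IP) pairs seen in normal use.
BASELINE = {
    "analyst@example.gov": {("11111111-1111-1111-1111-111111111111", "198.51.100.7")},
}


def parse_mail_access(record):
    """Flatten one MailItemsAccessed record; return None for any other operation."""
    if record.get("Operation") != "MailItemsAccessed":
        return None
    props = {p["Name"]: p["Value"] for p in record.get("OperationProperties", [])}
    message_ids = [item["InternetMessageId"]
                   for folder in record.get("Folders", [])
                   for item in folder.get("FolderItems", [])]
    return {
        "time": record["CreationTime"],
        "user": record["UserId"],
        "app": record.get("ClientAppId", ""),
        "ip": record.get("ClientIPAddress", ""),
        "access_type": props.get("MailAccessType"),
        "throttled": props.get("IsThrottled") == "True",
        "message_ids": message_ids,
    }


def triage(export_json, baseline):
    """Return findings: accesses from unknown app/IP pairs, and throttled records.

    A throttled record matters on its own: once throttling kicks in for a
    mailbox, further accesses that day are not logged, so the absence of later
    records must not be read as absence of activity.
    """
    findings = []
    for record in json.loads(export_json):
        event = parse_mail_access(record)
        if event is None:
            continue
        known_pairs = baseline.get(event["user"], set())
        if (event["app"], event["ip"]) not in known_pairs:
            findings.append({**event, "reason": "mail accessed from unknown client app/IP"})
        if event["throttled"]:
            findings.append({**event, "reason": "throttled: later accesses this day are not logged"})
    return findings


def accessed_message_ids(findings):
    """Collect the message IDs tied to anomalous access, for scoping what was read."""
    return sorted({mid for f in findings for mid in f["message_ids"]})


if __name__ == "__main__":
    results = triage(SAMPLE_EXPORT, BASELINE)
    for f in results:
        print(f"{f['time']} {f['user']} {f['ip']} {f['access_type']}: {f['reason']}")
    print("messages to scope:", accessed_message_ids(results))
```

The baseline here is a hard-coded set; in practice it would be built from the same records over a quiet period, and the app/IP pair is only one signal, so a finding is a prompt for review rather than a verdict.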
Although attacks by this actor are said to have begun on May 15, 2023, Microsoft says it has observed the attackers carrying out OAuth application abuse, token theft, and token replay attacks against Microsoft accounts since at least August 2021.
Meanwhile, Microsoft continues to investigate the intrusion, but the company has not yet explained how the hackers obtained inactive Microsoft account (MSA) consumer signing keys, forged authentication tokens with them, and used those tokens to gain unauthorized access to email in accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com.
“The goal of most Storm-0558 campaigns is to gain unauthorized access to email accounts owned by employees of targeted organizations,” Microsoft revealed last week.
"Once Storm-0558 gains access to the desired user credentials, the attackers use the valid account credentials to sign into the compromised user's cloud email account. They then collect information from the email account through the service."