Microsoft responds to Nation-State cybersecurity risks with Cloud logging expansion

Microsoft recently announced an expansion of its cloud logging capabilities which aims to assist organisations in investigating cybersecurity incidents and enhancing visibility following a recent espionage attack on its email infrastructure.

The decision comes in response to the growing rate of nation-state cyber threats. The rollout is set to begin in September 2023 for all government and commercial customers.

Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft, stated that over the coming months, they will offer wider cloud security logs to worldwide customers at no extra cost. This update will enable customers to use Microsoft Purview Audit to visualise a broader range of cloud log data across their enterprise.

With these changes, users will gain access to detailed logs of email activity and more than 30 other types of log data that were previously limited to Microsoft Purview Audit (Premium) subscribers. Additionally, Microsoft is extending the default retention period for Audit Standard customers from 90 days to 180 days.

The move has been praised by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which acknowledged the importance of key logging data in swiftly mitigating cyber intrusions and commended Microsoft's efforts to advance security by design principles.

This development follows revelations that a threat actor known as Storm-0558 targeted 25 organisations by exploiting a validation error in the Microsoft Exchange environment. While the U.S. State Department was able to detect the malicious mailbox activity in June 2023 using enhanced logging in Microsoft Purview Audit, other affected entities lacked the necessary subscription levels for access to crucial logs, leaving them unaware of the breach.

The attacks reportedly began on May 15, 2023, and Microsoft highlighted their preference for OAuth applications, token theft, and token replay attacks against Microsoft accounts since at least August 2021.

Microsoft is actively investigating the intrusions but has not yet disclosed how the hackers acquired an inactive Microsoft account (MSA) consumer signing key to forge authentication tokens and gain unauthorised access to customer email accounts through Outlook Web Access in Exchange Online (OWA) and Outlook.com.

Overall, the main objective of most Storm-0558 campaigns is to gain unauthorised access to email accounts belonging to employees of targeted organisations. Once access to desired user credentials is obtained, the actor signs into the compromised user's cloud email account and collects information via the web service.