Microsoft Expands Free Logging Capabilities for all U.S. Federal Agencies

Microsoft has expanded free logging capabilities to all U.S. federal agencies using Microsoft Purview Audit irrespective of the license tier, more than six months after a China-linked cyber espionage campaign targeting two dozen organizations came to light.

“Microsoft will automatically enable the logs in customer accounts and increase the default log retention period from 90 days to 180 days,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said.

Microsoft, in July 2023, disclosed that a China-based nation-state activity group known as Storm-0558 gained unauthorized access to approximately 25 entities in the U.S. and Europe as well as a small number of related individual consumer accounts.

The breach was detected by leveraging enhanced logging in Microsoft Purview Audit, specifically using the MailItemsAccessed mailbox-auditing action that’s typically available for Premium subscribers.

The Windows maker subsequently acknowledged that a validation error in its source code allowed Storm-0558 to forge Azure Active Directory (Azure AD) tokens using a Microsoft account (MSA) consumer signing key and then use them to penetrate the mailboxes.

It also faced intense scrutiny for restricting basic-yet-crucial logging capabilities to entities on the more expensive E5 or G5 plans, prompting the company to make changes.

“We recognize the vital importance that advanced logging plays in enabling federal agencies to detect, respond to, and prevent even the most sophisticated cyberattacks from well-resourced, state-sponsored actors,” Microsoft’s Candice Ling said. “For this reason, we have been collaborating across the federal government to provide access to advanced audit logs.”