Under CISA pressure collab, Microsoft makes cloud security logs available for free

Microsoft announced on Wednesday it would provide all customers free access to cloud security logs – a service usually reserved for premium clients – within weeks of a reveal that government officials' cloud-based emails were targets of an alleged China-based hack.

Microsoft wrote on its blog it was expanding the service's access beginning in September 2023 to "increase the secure-by-default baseline" of its cloud platforms "in response to the increasing frequency and evolution of nation-state cyber threats."

Subscribers to the standard version of Microsoft Purview Audit will also have their default retention period extended from 90 to 180 days.

The cloud Goliath theorized that, while logs don’t prevent attacks, they are useful in digital forensics and incident responding. They provide insight into legitimate versus abnormal user behavior.

• Linux has nearly half of the desktop OS Linux market
• Someone just blew over $190k on a 4GB first-gen iPhone
• Unidentified object on Australian beach may be part of Indian rocket launcher
• Tesla board members to return $735M in compensation settlement
• Mint 21.2 is desktop Linux without the faff

The move is the result of close coordination with commercial and government customers, as well as the Cybersecurity and Infrastructure Security Agency (CISA), said Microsoft. It added that CISA called for more accountability from industry regarding cyber security.

CISA director Jen Easterly called the decision "a step in the right direction."

In a blog post on the CISA website praising the decision, the org's executive assistant director for cyber security Eric Goldstein cited the recent Microsoft Exchange Online security breach.

According to Goldstein, a federal agency used logging data to detect that breach of Microsoft's cloud-based email services and take action to limit the damage. He said charging for logging data was "a recipe for inadequate visibility into investigating cyber security incidents."

The cyberattack – which Microsoft has called espionage-focused and attributed to a China-based threat actor it tracks as Storm-O558 – was uncovered by that civilian government agency. Among the reported victims are US commerce secretary Gina Raimondo and other State and Commerce Department officials. The threat actors had access to accounts for around a month before being detected on June 16, 2023.

The Windows giant said it had determined miscreants had "forged" Azure Active Directory (AD) tokens using an acquired Microsoft account (MSA) consumer signing key, which was made possible by a validation error in Microsoft code. The use of an incorrect key allowed Microsoft's crack team of boffins to track all access requests from the threat actor.

On Friday, Microsoft admitted it still didn't know how the hackers gained access to the signing key needed to access accounts, and said its investigation was "ongoing."

It also revealed that it had seen Storm-0558 transition to other techniques – indicating the gang's ability to use signing keys has been disrupted by cyber security measures. ®