Connect with us

Hi, what are you looking for?


Cloud Security

Microsoft Bows to Pressure to Free Up Cloud Security Logs

Facing intense pressure after Chinese APT hack, Microsoft plans to expand logging defaults for lower-tier M365 customers.

NET vulnerability CVE-2023-38180 exploited

Facing intense pressure to free up access to cloud security logs, Microsoft on Wednesday said it would expand logging defaults for lower-tier M365 customers and increase the duration of retention for threat-hunting data.

The move is a direct response to widespread criticism of Microsoft’s M365 licensing structure that essentially charges extra for customers to access forensics data during active malware investigations.

The issue came to a head this week when Microsoft confirmed that Chinese hackers were caught forging authentication tokens using a stolen Microsoft security key to break into M365 email inboxes.

The hack, which led to the theft of email from approximately 25 organizations, turned into a bigger embarrassment when customers complained they had zero visibility to investigate because they were not paying for the high-tier E5/G5 license.

Starting in September, Microsoft said it would now expand the logging defaults for lower-tier customers to receive “deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level.”

In addition, Microsoft vice president Vasu Jakkal said Redmond plans to increase the default forensics data retention period for Audit Standard customers from 90 days to 180 days.

“Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost. As these changes take effect, customers can use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise,” Jakkal added in a statement announcing the changes.

Advertisement. Scroll to continue reading.

Jakkal said the licensing modifications were made after negotiations with the U.S. government’s cybersecurity agency CISA. During the recent Chinese APT hack, CISA issued an advisory that noted the absence of logging for lower-priced M365 licenses.

CISA director Jen Easterly welcomed the move. “After working collaboratively for over a year, I am extremely pleased with Microsoft’s decision to make necessary log types available to the broader cybersecurity community at no additional cost,” Easterly said. 

“While we recognize this will take time to implement, this is truly a step in the right direction toward the adoption of Secure by Design principles by more companies. We will continue to work with all technology manufacturers, including Microsoft, to identify ways to further enhance visibility into their products for all customers,” the CISA boss added.

Related: Microsoft Warns of Office Zero-Day Attacks, No Patch Available

Related: Chinese APT Used Forged Microsoft Authentication Tokens to Hack Gov Emails

Related: Microsoft Outs New Russian APT Linked to Wiper Attacks in Ukraine

Related: Microsoft Blames Russian APT for Outlook Zero-Day Exploits

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Data Breaches

AT&T is notifying millions of wireless customers that their CPNI was compromised in a data breach at a third-party vendor.