
Microsoft Expands Logging Access After Chinese Hack Blowback

E3 Licensees Unlock Access to More Cloud Logs After Only E5 Clients Could Spot Hack

Microsoft customers will gain access to expanded cloud logging capabilities at no additional cost just days after lower-level customers were unable to detect a Chinese cyberattack.


The U.S. Cybersecurity and Infrastructure Security Agency has identified several security logs - critical for detecting and preventing threat activity - that currently cost extra for firms using the Microsoft basic enterprise license, known as E3 for commercial customers or G3 for government customers. Starting in September, the additional logging capabilities will debut at no extra cost for government and commercial customers.

"Asking organizations to pay more for necessary logging is a recipe for inadequate visibility into investigating cybersecurity incidents," CISA Executive Assistant Director Eric Goldstein wrote in a blog post. "We believe every organization deserves to have products that are secure by design and come with necessary security data 'out of the box.' Microsoft's announcement today is an important step."

'Charging Extra for Seat Belts and Air Bags'

Microsoft's capitulation comes less than a week after critical logging information needed to detect a technically sophisticated Chinese espionage campaign was available only to purchasers of Microsoft's top-tier cloud service, known as E5 for commercial customers or G5 for government customers. The E5 Microsoft 365 licensing costs about 60% more than the E3 package, The Wall Street Journal reported.


Going forward, Microsoft Corporate Vice President Vasu Jakkal wrote in a blog post, all Microsoft Purview Audit customers will get deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data. Jakkal also wrote that Microsoft has increased its default retention period for customers with E3 or G3 licenses from 90 days to 180 days.

"Log data plays an important role in incident response because it provides granular, auditable insight into how different identities, applications and devices access a customer's cloud services," Jakkal wrote. "These logs themselves do not prevent attacks, but they can be useful in digital forensics and incident response when examining how an intrusion might have occurred."

The Chinese exploitation of a zero-day vulnerability in Microsoft Office was disclosed July 11. It affected 25 different organizations worldwide, including the U.S. State and Commerce departments. CISA's first recommendation to critical infrastructure organizations in a cybersecurity advisory issued July 12 was to "enable Purview Audit (Premium) logging." But as CISA said, that logging requires an E5 or G5 license (see: Hacker Stole Signing Key, Hit US Government's Microsoft 365).

"Offering insecure products and then charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seat belts and air bags," Sen. Ron Wyden, D-Ore., told The Wall Street Journal last week.

'The Incident Was Invisible to Us With the Data at Our Disposal'

But even after the changes, E5 and G5 customers will get access to logging capabilities that aren't available to their E3 or G3 counterparts. Perks available only to premium-level customers will include longer default retention periods, automatic support for importing log data into other tools for analysis, and intelligent insights, which help determine the scope of potential compromise, according to Jakkal.

Once Microsoft became aware of the recent Chinese hacking campaign, The Wall Street Journal said, it was able to identify victims even if the targeted organizations didn't have an E5 or G5 license. But even after Microsoft told Volexity that one of its customers had been a victim of the hack, President Steven Adair wrote on Twitter on July 12 that the cybersecurity firm had been unable to find any corroborating evidence (see: China-Based Hacker Hijacked EU, US Government Emails).

"It turns out our investigation turned up nothing because there was nothing for us to find," Adair wrote. "The incident was invisible to us with the data at our disposal and this was due to the customer's M365 license level: E3. It turns out the attacker was accessing emails. Generally speaking, this log operation is not available to E3 licensees and requires additional logging available from more expensive E5/G5 plans."
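The gap Adair describes is concrete: without Purview Audit (Premium), the unified audit log simply contains no record of mailbox items being read, so an investigator querying it finds nothing rather than finding "no attack". The script below is an added example, not code from the article, Microsoft, Volexity or CISA. It assumes an export in the shape returned by the Exchange Online `Search-UnifiedAuditLog` cmdlet (top-level `CreationDate`, `UserIds`, `Operations`, and an `AuditData` JSON string), filters for the `MailItemsAccessed` operation, reports the window the mail-access telemetry actually covers (so a responder can confirm the logs exist and how far back they reach under the 90- or 180-day retention), and summarises access per mailbox; the sample records, users, addresses and timestamps are constructed for the example.

```python
"""Check whether a Microsoft 365 unified-audit-log export contains mailbox
access telemetry (MailItemsAccessed) and summarise what it shows.
Added example; field names follow Search-UnifiedAuditLog output, all
sample values are invented."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one sign-in event and three mail-access events.
SAMPLE_EXPORT = [
    {"CreationDate": "2023-07-03T08:15:22", "UserIds": "alice@example.com",
     "Operations": "UserLoggedIn",
     "AuditData": json.dumps({"Operation": "UserLoggedIn",
                              "UserId": "alice@example.com",
                              "ClientIP": "198.51.100.7"})},
    {"CreationDate": "2023-07-03T08:16:05", "UserIds": "alice@example.com",
     "Operations": "MailItemsAccessed",
     "AuditData": json.dumps({"Operation": "MailItemsAccessed",
                              "UserId": "alice@example.com",
                              "ClientIPAddress": "198.51.100.7",
                              "MailAccessType": "Bind",
                              "OperationCount": 4})},
    {"CreationDate": "2023-07-09T23:41:10", "UserIds": "alice@example.com",
     "Operations": "MailItemsAccessed",
     "AuditData": json.dumps({"Operation": "MailItemsAccessed",
                              "UserId": "alice@example.com",
                              "ClientIPAddress": "203.0.113.55",
                              "MailAccessType": "Sync",
                              "OperationCount": 120})},
    {"CreationDate": "2023-07-10T02:02:48", "UserIds": "bob@example.com",
     "Operations": "MailItemsAccessed",
     "AuditData": json.dumps({"Operation": "MailItemsAccessed",
                              "UserId": "bob@example.com",
                              "ClientIPAddress": "203.0.113.55",
                              "MailAccessType": "Bind",
                              "OperationCount": 9})},
]


def parse_mail_access(records):
    """Keep only MailItemsAccessed records and unpack their AuditData JSON."""
    events = []
    for rec in records:
        if rec.get("Operations") != "MailItemsAccessed":
            continue
        data = json.loads(rec["AuditData"])
        events.append({
            "time": datetime.fromisoformat(rec["CreationDate"]),
            "user": data.get("UserId", rec.get("UserIds", "")),
            "ip": data.get("ClientIPAddress", ""),
            "access_type": data.get("MailAccessType", ""),   # "Bind" or "Sync"
            "items": int(data.get("OperationCount", 0)),
        })
    return events


def coverage_window(events):
    """Earliest and latest mail-access timestamps, or None when the export
    holds no MailItemsAccessed events at all (the E3 situation in the story:
    an empty result means no telemetry, not a clean tenant)."""
    if not events:
        return None
    times = [e["time"] for e in events]
    return min(times), max(times)


def summarize_by_user(events):
    """Per mailbox: items touched, distinct client IPs, number of sync operations."""
    summary = defaultdict(lambda: {"items": 0, "ips": set(), "sync_ops": 0})
    for e in events:
        s = summary[e["user"]]
        s["items"] += e["items"]
        s["ips"].add(e["ip"])
        if e["access_type"] == "Sync":
            s["sync_ops"] += 1
    return dict(summary)


def shared_ips(summary, min_users=2):
    """Client IPs that read mail of at least `min_users` distinct mailboxes;
    a single address touching several mailboxes is a useful triage lead."""
    users_by_ip = defaultdict(set)
    for user, s in summary.items():
        for ip in s["ips"]:
            users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    evts = parse_mail_access(SAMPLE_EXPORT)
    win = coverage_window(evts)
    if win is None:
        print("No MailItemsAccessed events: verify audit configuration and licence level")
    else:
        print(f"Mail-access telemetry covers {win[0]} .. {win[1]}")
        by_user = summarize_by_user(evts)
        for user, s in by_user.items():
            print(user, s["items"], "items from", sorted(s["ips"]), "sync ops:", s["sync_ops"])
        print("IPs seen across several mailboxes:", shared_ips(by_user))
```

Run it against a real export by loading the cmdlet's output (for example converted to JSON with `ConvertTo-Json`) in place of `SAMPLE_EXPORT`; the first thing to look at is `coverage_window`, because a `None` there reproduces exactly the blind spot Volexity hit.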

This isn't the first time that Microsoft has come under fire for charging more for security features that lawmakers or regulators deem essential. After the SolarWinds campaign - in which Russian hackers tricked Microsoft's cloud platform into giving them access to federal workers' emails - CISA moved to spend "a significant portion" of the $650 million it got in COVID-19 relief funds to upgrade its Microsoft licenses.

An aide to then-House Homeland Security Chair Bennie Thompson told Politico in March 2021 that he had "serious concerns about making basic security features an add-on," particularly if additional fees are profit-driven as opposed to cost-driven. "As far as we know, Boeing doesn't charge extra for the black box," the aide told Politico.

About the Author

Michael Novinson


Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.
