Microsoft's Logging Discrepancies: A Breach and a Thorn in the Side
A Costly Compromise
Recently, a human rights organization experienced a breach that raised serious concerns about how much logging data Microsoft customers can actually see. Microsoft notified the organization that its accounts had been accessed without authorization as part of the July email breach attributed to Storm-0558, yet the organization found no trace of the intrusion in its own logs. The reason it could not detect the breach: it did not hold an E5-level license, which is what would have unlocked the logging evidence it needed.
Steven Adair of the cybersecurity firm Volexity raised the issue on Twitter, noting that the majority of Microsoft customers, who are on E3 licenses, lack access to the relevant logs. Adair stated, “Investigating incidents and suspect activity in Microsoft 365 and Azure AD is something we do frequently. However, despite a notification from Microsoft regarding unauthorized access, we could not find any corroborating evidence.” It was later revealed that the attacker had read emails, activity that is recorded under the “MailItemsAccessed” audit operation. That operation is not recorded for E3-licensed mailboxes; it requires the premium auditing tier, which E3 alone does not include and which is bundled with the more expensive E5/G5 plans.
Logging as a Necessity
Adair rightly argued that email access logging should be standard practice given the current threat landscape. The Cybersecurity and Infrastructure Security Agency (CISA) took the same view: its July 12 guidance on detecting advanced persistent threat (APT) activity recommended enabling premium E5-level logging. Yet at $38 per user per month, an E5 license is out of reach for many organizations compared with the $23 per month of an E3 license.
According to cybersecurity expert Jake Williams, the problem the Storm-0558 breach exposed is not new. Enhanced logging being available only with an E5 license, or with the Security and Compliance add-on to E3, has long frustrated incident responders and breach coaches. Williams explains, “Organizations hit with a BEC (business email compromise) expect to be able to see what messages the threat actor viewed but can’t without the enhanced logging.” Visibility can also be uneven within a single tenant: if an organization holds E5 licenses for only some accounts, the enhanced activity logs exist only for those accounts, so an investigation may see one user's mailbox reads and nothing at all for another's.
Microsoft's Logging Tax
Williams notes that premium logs alone would not have identified Storm-0558's activity as malicious with any specificity. Still, it was a government agency that uncovered the operation, by spotting anomalous MailItemsAccessed events, and that puts Microsoft in an awkward position. Scrutiny of the logging surcharge is growing, and Microsoft may soon face pointed questions about its logging policies in congressional hearings. Williams argues that there should be no logging tax at all, least of all for a foundational service like email.
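The two investigative points above, reads recorded as MailItemsAccessed and tenants where only some mailboxes produce that record, can be made concrete with a small triage script. This is an added example, not code from the article, from Volexity or from Microsoft. It runs over constructed records in the shape of the Unified Audit Log's AuditData JSON (the kind of export that Exchange Online's Search-UnifiedAuditLog cmdlet or the Management Activity API returns), flags MailItemsAccessed events whose source address falls outside a hypothetical allowlist of the organization's own networks, and lists mailboxes that show Exchange activity but no MailItemsAccessed at all, which on a mixed-license tenant is exactly where absence of evidence proves nothing. The allowlist, the sample records and the example.com accounts are assumptions.

```python
"""Triage of constructed Microsoft 365 Unified Audit Log records for mailbox reads.

Assumptions (not from the article): records are dicts shaped like the AuditData
JSON that Search-UnifiedAuditLog returns; ALLOWED_NETWORKS is a hypothetical set
of the organisation's own egress ranges; the accounts are invented.
"""
import ipaddress
from collections import defaultdict

# Hypothetical allowlist of the organisation's own egress ranges.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample export. bob's mailbox has premium auditing, so it emits
# MailItemsAccessed; alice's mailbox produces only basic events.
SAMPLE_RECORDS = [
    {"CreationTime": "2023-06-15T08:02:11", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2023-06-15T08:03:40", "Operation": "Create", "Workload": "Exchange",
     "UserId": "alice@example.com", "ClientIPAddress": "203.0.113.10"},
    {"CreationTime": "2023-06-15T09:10:05", "Operation": "MailItemsAccessed", "Workload": "Exchange",
     "UserId": "bob@example.com", "ClientIPAddress": "203.0.113.11", "MailAccessType": "Bind",
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<m1@example.com>"},
                                                   {"InternetMessageId": "<m2@example.com>"}]}]},
    {"CreationTime": "2023-06-15T23:47:19", "Operation": "MailItemsAccessed", "Workload": "Exchange",
     "UserId": "bob@example.com", "ClientIPAddress": "198.51.100.77", "MailAccessType": "Sync",
     "Folders": [{"Path": "\\Inbox"}, {"Path": "\\Sent Items"}]},
    {"CreationTime": "2023-06-16T01:02:00", "Operation": "MailItemsAccessed", "Workload": "Exchange",
     "UserId": "bob@example.com", "ClientIPAddress": "198.51.100.77", "MailAccessType": "Bind",
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<m3@example.com>"}]}]},
]


def client_ip(record):
    """Return the source address; Exchange records carry ClientIPAddress, sign-ins carry ClientIP."""
    raw = record.get("ClientIPAddress") or record.get("ClientIP") or ""
    if raw.startswith("["):            # "[2001:db8::1]:443" -> "2001:db8::1"
        raw = raw[1:raw.index("]")]
    elif raw.count(":") == 1:          # "203.0.113.10:52341" -> "203.0.113.10"
        raw = raw.split(":")[0]
    try:
        return ipaddress.ip_address(raw)
    except ValueError:
        return None


def is_allowed(ip, allowed=ALLOWED_NETWORKS):
    return ip is not None and any(ip in net for net in allowed)


def flag_unexpected_access(records, allowed=ALLOWED_NETWORKS):
    """MailItemsAccessed events from outside the allowlist, with what was reached.

    A Sync means the client pulled whole folders (only folder paths are listed);
    a Bind lists the individual InternetMessageIds that were opened.
    """
    findings = []
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        ip = client_ip(r)
        if is_allowed(ip, allowed):
            continue
        folders = r.get("Folders", [])
        if r.get("MailAccessType") == "Sync":
            scope = sorted(f["Path"] for f in folders)
        else:
            scope = sorted(item["InternetMessageId"]
                           for f in folders for item in f.get("FolderItems", []))
        findings.append({"time": r["CreationTime"], "user": r["UserId"],
                         "ip": str(ip) if ip else "unknown",
                         "access": r.get("MailAccessType", "Bind"), "scope": scope})
    return findings


def mail_audit_coverage(records):
    """Users with Exchange activity but no MailItemsAccessed events at all.

    On a tenant with mixed licensing these are the mailboxes whose message-level
    reads are never recorded, so "no evidence" for them is not evidence of no access.
    """
    exchange_users, covered = set(), set()
    for r in records:
        if r.get("Workload") != "Exchange":
            continue
        exchange_users.add(r["UserId"])
        if r.get("Operation") == "MailItemsAccessed":
            covered.add(r["UserId"])
    return sorted(exchange_users - covered)


def summarize_by_source(findings):
    """Count flagged reads per (user, source IP) to get a sense of scale."""
    counts = defaultdict(int)
    for f in findings:
        counts[(f["user"], f["ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = flag_unexpected_access(SAMPLE_RECORDS)
    for h in hits:
        print(f"{h['time']} {h['user']} from {h['ip']} ({h['access']}): {h['scope']}")
    print("flagged reads per source:", summarize_by_source(hits))
    print("mailboxes with no MailItemsAccessed coverage:", mail_audit_coverage(SAMPLE_RECORDS))
```

On real data the records would come from a saved export (for example the AuditData column of Search-UnifiedAuditLog output, parsed from JSON) rather than the constructed list, and the allowlist would be the organization's actual egress ranges. The coverage function is the check to run before concluding that an account was not touched.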
Microsoft has not yet responded to these concerns. The fallout from this breach and the long-running logging discrepancy underline how important accessible, comprehensive logging is for every customer, whatever their licensing level. The ability to detect and respond to security incidents matters to organizations of all sizes, and withholding that capability by pricing tier entrenches a disparity in cybersecurity defenses.
Advice: Investing in Logging Capabilities
Organizations must treat logging as a core part of their cybersecurity strategy. Premium logging is costly, but without it the mailbox reads that a BEC or APT intrusion leaves behind are simply never recorded, so there is nothing to find afterwards. Understand exactly which audit operations each licensing level produces, and check that against the accounts you actually need covered, including any mix of licenses within the same tenant. Where the gap matters, consider higher-tier licenses or add-on options, such as the Security and Compliance add-on for an E3 license, to obtain message-level audit data.
Organizations can also look at third-party logging and monitoring services, which can add retention, correlation and alerting on top of whatever the tenant exposes. Bear in mind, though, that such tools can only collect what Microsoft's APIs make available; they do not recreate an audit event, such as MailItemsAccessed, that the tenant's licensing never generated, so they narrow the gap rather than close it.
In conclusion, the Storm-0558 breach and the revelations that followed about logging discrepancies have exposed an ongoing problem with Microsoft's licensing model. The lack of accessible logging for all customers makes it significantly harder to identify and respond to cybersecurity incidents. Microsoft must address this so that organizations of all sizes have the tools they need to defend against evolving threats.
<< photo by Daniel Josef >>