Facing intense pressure to free up access to cloud security logs, Microsoft on Wednesday said it would expand logging defaults for lower-tier M365 customers and increase the duration of retention for threat-hunting data.
The move is a direct response to widespread criticism of Microsoft’s M365 licensing structure that essentially charges extra for customers to access forensics data during active malware investigations.
The issue came to a head this week when Microsoft confirmed that Chinese hackers were caught forging authentication tokens using a stolen Azure AD enterprise signing key to break into M365 email inboxes.
The hack, which led to the theft of email from approximately 25 organizations, turned into a bigger embarrassment when customers complained they had zero visibility to investigate because they were not paying for the high-tier E5/G5 license.
Starting in September, Microsoft said it would now expand the logging defaults for lower-tier customers to receive “deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level.”
In addition, Microsoft vice president Vasu Jakkal said Redmond plans to increase the default forensics data retention period for Audit Standard customers from 90 days to 180 days.
“Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost. As these changes take effect, customers can use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise,” Jakkal added in a statement announcing the changes.
Jakkal said the licensing modifications were made after negotiations with the U.S. government’s cybersecurity agency CISA. During the recent Chinese APT hack, CISA issued an advisory that noted the absence of logging for lower-priced M365 licenses.
CISA director Jen Easterly welcomed the move. “After working collaboratively for over a year, I am extremely pleased with Microsoft’s decision to make necessary log types available to the broader cybersecurity community at no additional cost,” Easterly said.
“While we recognize this will take time to implement, this is truly a step in the right direction toward the adoption of Secure by Design principles by more companies. We will continue to work with all technology manufacturers, including Microsoft, to identify ways to further enhance visibility into their products for all customers,” the CISA boss added.
Related: Microsoft Warns of Office Zero-Day Attacks, No Patch Available
Related: Chinese APT Used Forged Microsoft Authentication Tokens to Hack Gov Emails
Related: Microsoft Outs New Russian APT Linked to Wiper Attacks in Ukraine
Related: Microsoft Blames Russian APT for Outlook Zero-Day Exploits
