Microsoft responds to online Exchange fiasco: more logs for everyone

Previously, M365 customers could only access limited logging data: extensive log data, for example on access to mailboxes, cost extra.


(Image: IB Photography/Shutterstock.com)

This article was originally published in German and has been automatically translated.

Last week, it came to light that Chinese attackers probably had access to the Exchange Online accounts of various government agencies. Microsoft did not notice this itself; customers alerted the company to strange activity in their mailboxes, and they were only able to detect it using "premium log data", for which Microsoft charges extra. Microsoft now plans to end this practice and wants to give all Microsoft 365 customers free access to this log data from September.

Over the coming months, customers will be given access to logs of mailbox access via the standard Microsoft Purview Audit package; previously, this was reserved for the paid Purview Audit Premium package. This change is not entirely voluntary. Even if both sides are now presenting it as a joint result, it is fairly clear from reading between the lines of the publications by CISA and Microsoft that the US security authority applied pressure. Incidentally, nothing at all was heard from the European security authorities on the subject, although according to Microsoft, Western European governments made up the majority of the victims.

The attack by the Chinese hacking group "Storm-0558" reveals, according to Microsoft, a whole series of extremely embarrassing security problems in Microsoft's cloud flagship Microsoft 365, starting with the fact that the attackers apparently succeeded in stealing a signing key, which they could then use to issue themselves access tokens. These tokens enabled, among other things, scripted access to Exchange Online accounts and thus the covert reading of victims' emails.

One month after the start of the investigation, Microsoft apparently still does not know how such an important signing key could have been stolen: "The method by which the actor acquired the key is a matter of ongoing investigation", Microsoft's analysis states. What is clear is that the signing key was inadequately secured; Microsoft therefore intends to store it in the better-secured Azure AD key store in future.

Then comes the second embarrassment: the signing key should not have been able to issue valid access tokens at all, as it was not responsible for Exchange Online, which sits in the business area of the Azure AD world. It was a key for signing Microsoft accounts in the consumer area (MSA, the equivalent of what used to be Microsoft Live). It is also unclear why this master key nevertheless worked in the Azure AD business service. Microsoft succinctly calls this a "validation issue", thereby only thinly disguising a declaration of bankruptcy. Validating credentials is the central task of authentication; if invalid credentials also work, the most important function has failed.
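As an added illustration of the "validation issue" described above (example code written for this article, not Microsoft's implementation; the key IDs, secrets and issuer names are constructed, and HMAC stands in for the real asymmetric signing keys): a naive verifier accepts any token whose key ID appears in the merged key set, so a token signed with a consumer-area key passes for the enterprise service, while the hardened verifier additionally binds the key to the issuer the relying party expects.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key sets (hypothetical; HMAC stands in for the real
# asymmetric signing keys). Each key ID is bound to the service that owns it.
CONSUMER_KEYS = {"msa-key-1": b"consumer-demo-secret"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-demo-secret"}
KEY_OWNER = {"msa-key-1": "consumer", "aad-key-1": "enterprise"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(kid: str, key: bytes, claims: dict) -> str:
    """Issue a compact token: base64(header).base64(claims).base64(signature)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    signed = f"{header}.{payload}".encode()
    return f"{header}.{payload}.{_b64(hmac.new(key, signed, hashlib.sha256).digest())}"

def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), _unb64(s), f"{h}.{p}".encode()

def _signature_ok(key: bytes, signed: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)

def validate_naive(token: str) -> bool:
    """Flawed: any key in the merged key set is trusted, whichever service owns it."""
    header, _claims, sig, signed = _parse(token)
    key = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}.get(header.get("kid"))
    return key is not None and _signature_ok(key, signed, sig)

def validate_hardened(token: str, expected_issuer: str) -> bool:
    """Binds the signing key to the issuer the relying party expects."""
    header, claims, sig, signed = _parse(token)
    kid = header.get("kid")
    if claims.get("iss") != expected_issuer or KEY_OWNER.get(kid) != expected_issuer:
        return False  # key from another realm, or issuer claim mismatch
    key_set = ENTERPRISE_KEYS if expected_issuer == "enterprise" else CONSUMER_KEYS
    key = key_set.get(kid)
    return key is not None and _signature_ok(key, signed, sig)
```

The same binding applies to real deployments: a relying party should accept only the key set published for the tenant or realm it serves, not every key the identity provider has ever published.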

And then Microsoft itself apparently did not notice the attack. In June, a civilian US federal agency noticed suspicious activity in its Microsoft 365 cloud environment using the separately licensed premium log data and reported it to Microsoft and to the responsible supervisory authority, CISA. This triggered the subsequent activities that ultimately led to the attackers being locked out. As a consequence, Microsoft intends to monitor key activities more closely in future and, in particular, to improve the associated monitoring and alerting. This can certainly be read as an admission that not enough has been done so far.

Anyone wondering whether their own company was affected by these problems will either have to be satisfied with Microsoft's assurance that it has notified all affected customers ("If you have not been contacted, our investigations indicate that you have not been impacted."), or search for clues themselves. In collaboration with the FBI, CISA has compiled the Cybersecurity Advisory "Enhanced Monitoring to Detect APT Activity Targeting Outlook Online", which explains how to do this.

Incidentally, CISA and the FBI also state clearly in their first paragraph which product is actually involved: in Microsoft's own analyses of the topic, the product names "Microsoft 365" and "M365" do not appear at all. Only a cynic would suspect that Microsoft wants to keep these embarrassing security failures from tarnishing the image of its prominent cloud flagship.

(ju)