Microsoft expanded free logging capabilities after the May breach

The Silicon Review
27 February, 2024

These advanced logging capabilities were exclusive to customers with Microsoft's Purview Audit

Microsoft has broadened its free logging features for all Purview Audit standard users, including U.S. federal agencies, six months after revealing that Chinese hackers accessed U.S. government emails undetected during an Exchange Online breach from May to June 2023. Following the incident disclosure, the company collaborated with CISA, the Office of Management and Budget (OMB), and the Office of the National Cyber Director (ONCD) to ensure federal agencies have access to necessary logging data to identify similar attacks in the future. A press release issued today announced that expanded logging will now be accessible to all agencies using Microsoft Purview Audit, irrespective of license tier. Microsoft will activate the logs in customer accounts automatically and extend the default log retention period from 90 to 180 days.

This data will also aid more federal agencies in meeting the logging requirements outlined in OMB Memorandum M-21-31. The update is in line with CISA's Secure by Design guidance, which advocates for technology providers to supply "high-quality audit logs" without extra configuration or charges. Microsoft's disclosure last July revealed that a Chinese hacking group, identified as Storm-0558, infiltrated and pilfered Exchange Online Outlook data from about 25 organizations, including government agencies in the U.S. and Western Europe. The threat actors used a Microsoft account (MSA) consumer key stolen from a Windows crash dump to forge authentication tokens and access targeted email accounts via Outlook Web Access (OWA) in Exchange Online and Outlook.com.