Microsoft Logging Tax Hinders Incident Response, Experts Warn

Published: 23/11/2024   Category: security




A recent email compromise by Chinese APT group Storm-0558 highlights a lack of access to security logging by many Microsoft 365 license holders, prompting calls from researchers to abolish it.



A human rights organization was alerted by Microsoft that it was compromised as part of a July email breach attributed to Storm-0558, but the organization couldn't find any evidence of compromise in their logs. Why? It didn't pay Microsoft a premium for an E5-level license.
That's the story Steven Adair with Volexity took to Twitter to tell, highlighting the lack of access to logging for the vast majority of Microsoft customers who don't have E3 licenses.
"This incident was a real head-scratcher for us," Adair wrote. "Investigating incidents and suspect activity in Microsoft 365 and Azure AD is something we (at Volexity) do frequently. However, despite a notification from Microsoft regarding unauthorized access, we could not find any corroborating evidence."
The problem? The Volexity team didn't have access to the logging evidence with the human rights organization's E3 license.
"It turns out the attacker was accessing emails, and this level of activity was logged to the MailItemsAccessed operation," he added. "However, generally speaking, this log operation is not available to E3 licenses and required additional logging available only from more expensive E5/G5 plans."
Adair noted that email logging should be "table stakes" given the threat landscape, as evidenced by CISA's July 12 guidance for detecting APT-level activity that recommends enabling premium E5-level logging. Yet, according to Microsoft, an Office 365 E3 license runs $23 per user, per month, while the E5 costs $38 per user, per month, which Adair pointed out is prohibitive for many organizations.
Microsoft did not immediately respond to Dark Reading's request for comment.
While the recent Storm-0558 breach highlights the data discrepancies between the cybersecurity "haves," which can afford an E5 license, and the "have nots," like the human rights group targeted, the problem isn't new, according to cybersecurity expert Jake Williams. But Microsoft may soon feel pressured to do something about it in the wake of that latest campaign, which also affected 25 US federal government agencies.
"The enhanced logging only available with an E5 license (or the Security and Compliance add-on license with E3) has been a thorn in the side of incident responders and breach coaches for years," Williams explains to Dark Reading. "Organizations hit with a BEC (business email compromise) expect to be able to see what messages the threat actor viewed but can't without the enhanced logging."
He adds that in some instances, there can also be discrepancies in what's available on a per-account basis: "An organization may only have E5 licensing on some accounts, leading to a lack of consistency in what activities they can see on a per-account basis."
Williams stresses that premium logs alone would not have detected Storm-0558's malicious activity with specificity. Nonetheless, Volexity's Adair explained that "this whole operation was uncovered by an FCEB Agency [due to] anomalous activity related to MailItemsAccessed log operations," and as such, Williams doesn't expect Microsoft to be able to avoid scrutiny over its logging surcharge going forward.
"There shouldn't be a logging tax, especially for something so foundational as email," Williams adds. "I suspect Microsoft executives will be answering some really uncomfortable questions at yet-to-be-scheduled Congressional hearings over this."
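As an added illustration (not code from the article, Volexity, or Microsoft), the Python below runs the two checks an incident responder would want over an exported Microsoft 365 unified audit log: whether MailItemsAccessed records are present at all (their absence next to ordinary sign-in records is the licensing gap the article describes), and which MailItemsAccessed events after a baseline window came from a client IP never seen for that user during the baseline, the kind of anomaly the article says exposed the campaign. The record fields are a simplified subset of the audit log schema and all values are constructed for this example.

```python
from collections import defaultdict

# Constructed sample records (subset of the unified audit log common schema;
# users, IPs and timestamps are made up for this example).
SAMPLE_RECORDS = [
    {"CreationTime": "2023-07-01T08:00:00", "Operation": "MailItemsAccessed",
     "UserId": "analyst@example.org", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2023-07-02T09:15:00", "Operation": "MailItemsAccessed",
     "UserId": "analyst@example.org", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2023-07-10T03:42:00", "Operation": "MailItemsAccessed",
     "UserId": "analyst@example.org", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2023-07-10T03:43:00", "Operation": "MailItemsAccessed",
     "UserId": "analyst@example.org", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2023-07-10T10:00:00", "Operation": "UserLoggedIn",
     "UserId": "director@example.org", "ClientIP": "203.0.113.11"},
]


def has_mailbox_access_logging(records):
    """Coverage check: an export that has sign-in events but no
    MailItemsAccessed records usually means the mailboxes lack the
    E5 / add-on audit entitlement, so mailbox reads were never recorded."""
    return any(r["Operation"] == "MailItemsAccessed" for r in records)


def flag_unseen_ips(records, baseline_end):
    """Return sorted (user, client_ip, first_seen) tuples for MailItemsAccessed
    events at or after baseline_end whose ClientIP was never used by that user
    for mailbox access during the baseline window. ISO-8601 timestamps in a
    single format compare correctly as strings."""
    baseline = defaultdict(set)
    for r in records:
        if r["Operation"] == "MailItemsAccessed" and r["CreationTime"] < baseline_end:
            baseline[r["UserId"]].add(r["ClientIP"])
    flagged = {}
    for r in records:
        if r["Operation"] != "MailItemsAccessed" or r["CreationTime"] < baseline_end:
            continue
        key = (r["UserId"], r["ClientIP"])
        if r["ClientIP"] not in baseline[r["UserId"]] and key not in flagged:
            flagged[key] = r["CreationTime"]  # keep the earliest sighting only
    return sorted((u, ip, t) for (u, ip), t in flagged.items())


if __name__ == "__main__":
    print("MailItemsAccessed present:", has_mailbox_access_logging(SAMPLE_RECORDS))
    for user, ip, first in flag_unseen_ips(SAMPLE_RECORDS, "2023-07-05T00:00:00"):
        print(f"new mailbox-access source for {user}: {ip} (first seen {first})")
```

On a real export, feed the script the parsed JSON records from the audit log search rather than the constructed sample; a tenant whose export fails the coverage check cannot answer "which messages were read" regardless of how the anomaly logic is tuned.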
