Since Microsoft can’t figure out how it got hacked, it lets customers see M365 logs for free

Microsoft said on Wednesday that it will broaden logging settings for lower-tier M365 customers and prolong the time of retention for threat-hunting data in response to significant demand to open up access to cloud security logs. The company has been under great pressure to open up access to cloud security logs.

This action is a direct reaction to the extensive criticism that has been directed against the licensing structure of Microsoft’s M365 product, which, in essence, levies additional fees for users to access forensics data while they are actively investigating malware.

The situation reached a climax last week when Microsoft acknowledged that Chinese hackers were discovered forging authentication tokens using a stolen Azure AD enterprise signing key in order to sneak into M365 email inboxes. last revelation brought the matter to a head.

The attack, which resulted in the theft of email from roughly 25 different businesses, became an even larger humiliation when customers complained that they had no visibility to investigate the matter since they were not paying for the high-tier E5/G5 license. This caused the incident to become an even worse public relations disaster. Microsoft was unable to determine how it was hacked, and it seems that the company is now leaving it up to its users to determine whether or not the M365 accounts they use were also compromised by Chinese hackers.

According to Microsoft, “

Today we are expanding Microsoft’s cloud logging accessibility and flexibility even further. Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost. As these changes take effect, customers can use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise.

Microsoft Purview Audit enables customers to centrally visualize cloud log data generated across their enterprise, thus helping them effectively respond to security events, forensic investigations, internal investigations and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded and retained in customers unified Purview Audit logs. 

As our expanded logging defaults roll out, Microsoft Purview Audit (Standard) customers will receive deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level. In addition to new logging events becoming available, Microsoft is also increasing the default retention period for Audit Standard customers from 90 days to 180 days.

Commercial and government customers with E5/G5 licenses already using Microsoft Purview Audit (Premium) will continue to receive access to all available audit logging events, including intelligent insights, which help determine the scope of potential compromise by using the Audit log search in the Microsoft Purview compliance portal and the Office 365 Management Activity API. Additional Audit Premium features include longer default retention periods and automation support for importing log data into other tools for analysis. “

In September 2023, Microsoft will begin rolling out these logging improvements to all of its clients, including commercial and government organizations.However, this does not imply that Microsoft Purview Audit (Premium) will be discontinued. Licensed customers will continue to have increased access to data, increased access to APIs, and access to the AI-powered Intelligent Insights forensics tool from Microsoft.