Microsoft Concurs with CISA, Expands Audit Capabilities in Purview Product

Microsoft last week announced that it is expanding some baseline security aspects for its cloud-based services in response to "nation-state cyberthreats" as part of a communication with the U.S. government's Cybersecurity and Infrastructure Security Agency (CISA).

The expanded baseline security changes, as described, appeared to mostly affect users of the Microsoft Purview Audit Standard product. Microsoft is promising to expand the log data types monitored by the Standard edition, plus increase its log storage duration "from 90 days to 180 days."

Here's how the announcement characterized the coming changes to Microsoft Purview Audit Standard:

As our expanded logging defaults roll out, Microsoft Purview Audit (Standard) customers will receive deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level. In addition to new logging events becoming available, Microsoft is also increasing the default retention period for Audit Standard customers from 90 days to 180 days.

The increased log data retention period for Microsoft Purview Audit Standard will begin taking effect after Microsoft rolls out an update. This update will be coming "in September 2023 to all government and commercial customers."

The announcement did not say how the longer retention might affect organizations' storage costs; Microsoft instead suggested that customers would weigh such factors themselves.

"We know customers have multiple issues to consider, including data storage capacity and which Microsoft or third-party log management tools they want to use, and our newly expanding, flexible logging options help customers decide what is best for their requirements," the announcement indicated.

CISA Praises Microsoft
CISA Director Jen Easterly expressed support for Microsoft's changes, which she suggested would come at no extra cost for Microsoft's customers (although Microsoft's announcement did not mention the cost aspects).

"After working collaboratively for over a year, I am extremely pleased with Microsoft's decision to make necessary log types available to the broader cybersecurity community at no additional cost," Easterly said in a released statement, published by Microsoft.

Based on this context, CISA apparently had been asking for broader monitoring capabilities and longer log retention, which Microsoft is now starting to implement after more than a year. It's unclear, however, whether Microsoft is meeting the retention period that was requested: CISA's current recommendation for government agencies and organizations is to use Microsoft Purview Audit Premium logging, which retains audit data for one year, not 180 days. CISA issued that recommendation in a July 12 cybersecurity advisory after a recent Outlook e-mail hack affected U.S. government agencies and led to data exfiltration. Microsoft attributed the intrusion to a China-affiliated group it calls "Storm-0558."

The Microsoft Purview Audit Premium offering, which comes with Microsoft Purview licensing, has an audit log retention period of one year and other capabilities lacking in the Standard edition, as described in this Microsoft Learn document. It's a top-tier product offering.

Response to China Hack?
So, what prompted Microsoft to bolster some capabilities in the Microsoft Purview Audit Standard product at no extra cost? And why was CISA mentioned in Microsoft's announcement?

Veteran Microsoft reporter Mary Jo Foley, a writer with independent consultancy Directions on Microsoft, posited an explanation for Microsoft's decision: it may be a response to the Storm-0558 Outlook hack targeting U.S. government agencies. Microsoft recently published its analysis of that attack in this July 14 research post.

In essence, Storm-0558 was able to forge tokens using a Microsoft account consumer signing key and use them to access e-mail from "approximately 25 organizations, including government agencies and related consumer accounts in the public cloud," Microsoft's research post explained. The attack began on May 15, 2023, and Microsoft identified the campaign on June 16, 2023. Microsoft now considers this particular campaign "blocked," and it indicated that no customer action is required. However, the analysis admitted that Microsoft did not know how the attackers obtained the consumer signing key.

CISA's Past Complaints
There was no explicit acknowledgment in Microsoft's announcement that it was expanding some capabilities of Microsoft Purview Audit Standard in response to CISA's advisory about the purported China Outlook hack. But CISA has long dropped unsubtle hints that it is unhappy with security capabilities being sold at premium prices and in an à la carte fashion.

For instance, last year, during the FIDO Alliance's keynote speech, Bob Lord, senior technical advisor of the cybersecurity division at CISA, critiqued pricing for security solutions in general (without naming Microsoft):

There are other pricing schemes where you have to pay more for logs, you pay more for security features. Security features are customer rights. They're not luxury goods. And so, we need to normalize the idea that they're built-in and that you don't have to know to go get them, and you don't have to pay more for them.

The notion that strong security should be a standard feature in all technology products also was echoed by Easterly in this Feb. talk.

CISA had specifically called out log limitations for organizations using Microsoft 365 services, particularly the E3 plans. For instance, with regard to the Exchange Online e-mail exfiltrations that followed the SolarWinds Orion supply-chain attack a couple of years ago, CISA noted that "threat actor activity that is more than 90 days old is unlikely to have been saved by traditional sources or be visible with the Microsoft M365 Management API or in the UAL [Unified Audit Log]."

More Than Outlook Compromised?
While Microsoft indicated that it had blocked this attack route for Outlook, it's possible that Storm-0558 had the ability to compromise other apps that use Azure Active Directory and work with OpenID v2.0, according to a July 21 analysis by Wiz Inc., a cloud security vendor.

The compromised Microsoft account (MSA) key could have been used by Storm-0558 more broadly than just against Outlook, Wiz suggested:

Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers' applications that support the "login with Microsoft" functionality, and multi-tenant applications in certain conditions.

Wiz researchers noted that organizations could still be exposed if they use a "cached version of the Microsoft OpenID public certificates," in which case they should "refresh the cache." Organizations should also use Microsoft's latest Azure SDK, which adds "additional verifications." As for detecting use of the compromised key in a computing environment, Wiz researchers said organizations will need to review "application-specific logs for potentially affected AAD apps."

However, reviewing application-specific logs might be a problem, the researchers indicated:

Unfortunately, there is a lack of standardized practices when it comes to application-specific logging. Therefore, in most cases, application owners do not have detailed logs containing the raw access token or its signing key. As a result, identifying and investigating such events can prove exceedingly challenging for app owners.

The analysis by Wiz researchers included a couple of scripts to find Azure AD apps that "might be affected."
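As an added illustration (not one of Wiz's scripts, and not Microsoft's code), the following Python sketch shows why a cached key set matters and what the "additional verifications" amount to. A validator that trusts whatever key IDs sit in its cached key set keeps accepting a token forged with a leaked key until the cache is refreshed; an issuer check rejects a consumer-issued token presented to an enterprise app; and logging the key ID and issuer of every decision gives an app owner something to hunt through afterward. Azure AD signs tokens with RS256 keys published at its OpenID discovery endpoint; this example uses HMAC (HS256) and constructed key sets, issuers, key IDs and audience values so it runs offline with the standard library alone.

```python
"""Toy OIDC token validator (added example; key sets, issuers, kids are made up).
Azure AD uses RS256 keys from its OpenID JWKS endpoint; HS256 is used here only so
the example is self-contained."""
import base64
import hashlib
import hmac
import json
import time

NOW = 1_690_000_000  # fixed clock so the example is deterministic
ENTERPRISE_ISSUER = "https://login.example.invalid/tenant-contoso/v2.0"  # assumed
CONSUMER_ISSUER = "https://login.example.invalid/consumers/v2.0"          # assumed
AUDIENCE = "api://mail-app"                                              # assumed

# Constructed JWKS snapshots: v1 still lists the leaked key, v2 (after rotation) does not.
JWKS_V1 = {"kid-2022": b"legit-enterprise-key", "kid-leaked": b"leaked-consumer-key"}
JWKS_V2 = {"kid-2022": b"legit-enterprise-key", "kid-2023": b"rotated-key"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint an HS256 JWT, as either the provider or a forger holding `key` would."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class Validator:
    def __init__(self, fetch_jwks, expected_issuer, expected_audience):
        self._fetch = fetch_jwks          # callable returning the live {kid: key} set
        self._cache = fetch_jwks()        # cached copy, the thing Wiz says to refresh
        self.expected_issuer = expected_issuer
        self.expected_audience = expected_audience
        self.decisions = []               # (kid, iss, outcome): the audit trail app owners lack

    def refresh_cache(self):
        self._cache = self._fetch()

    def validate(self, token: str, now=None):
        now = now or int(time.time())
        try:
            h, p, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            claims = json.loads(_b64url_decode(p))
        except (ValueError, json.JSONDecodeError):
            return False, "malformed"
        outcome = self._check(header, claims, h, p, s, now)
        self.decisions.append((header.get("kid"), claims.get("iss"), outcome))
        return outcome == "ok", outcome

    def _check(self, header, claims, h, p, s, now):
        if header.get("alg") != "HS256":
            return "bad_alg"
        kid = header.get("kid")
        if kid not in self._cache:
            self.refresh_cache()      # typical behaviour: only an unknown kid triggers a refresh
        key = self._cache.get(kid)
        if key is None:
            return "unknown_kid"
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return "bad_signature"
        if claims.get("iss") != self.expected_issuer:   # bind the token to the expected tenant
            return "wrong_issuer"
        if claims.get("aud") != self.expected_audience:
            return "wrong_audience"
        if claims.get("exp", 0) <= now:
            return "expired"
        return "ok"


def demo():
    source = {"current": JWKS_V1}  # mutable so the "provider" can rotate keys mid-run
    v = Validator(lambda: source["current"], ENTERPRISE_ISSUER, AUDIENCE)
    base = {"aud": AUDIENCE, "sub": "victim@contoso.example", "exp": NOW + 3600}
    forged = sign_token({**base, "iss": ENTERPRISE_ISSUER}, "kid-leaked", b"leaked-consumer-key")
    consumer = sign_token({**base, "iss": CONSUMER_ISSUER}, "kid-leaked", b"leaked-consumer-key")
    genuine = sign_token({**base, "iss": ENTERPRISE_ISSUER}, "kid-2022", b"legit-enterprise-key")

    r = {}
    r["forged_stale_cache"] = v.validate(forged, NOW)[1]       # accepted: leaked kid is in the cache
    r["consumer_issuer"] = v.validate(consumer, NOW)[1]        # rejected by the issuer check
    source["current"] = JWKS_V2                                # provider rotates the leaked key out
    r["forged_rotated_no_refresh"] = v.validate(forged, NOW)[1]  # still accepted from the stale cache
    v.refresh_cache()
    r["forged_after_refresh"] = v.validate(forged, NOW)[1]     # now rejected
    r["genuine_after_refresh"] = v.validate(genuine, NOW)[1]
    # Hunting: how many tokens were accepted under the leaked key ID?
    r["accepted_under_leaked_kid"] = sum(1 for kid, _, out in v.decisions if kid == "kid-leaked" and out == "ok")
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The stale-cache path is the point: the validator only consults the live key set when it sees a key ID it does not recognize, so a revoked key that is still in the cache keeps working until the cache is explicitly refreshed. The `decisions` list is the minimum an app owner would need to answer "did we ever accept a token under that key ID," which is the gap Wiz describes in application-specific logging.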

Microsoft Denies Wiz Claims
Microsoft told The Information that Wiz researcher claims that applications other than Outlook may have been compromised by attackers having a Microsoft account consumer signing key are "speculative and not evidence based."

However, Wiz researchers claimed to be baffled by this assertion, since Microsoft had collaborated with them on the technical aspects of their blog post before publication.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

