Microsoft Introduces New Security Standards after Hack of US State Department

Following the activity of the China-based hacking group Storm-0558, which infiltrated numerous corporate and government accounts on Exchange and Microsoft 365 in July, Microsoft Corporation has implemented enhanced security measures.

Among the affected organizations were various governmental bodies in the United States and Western Europe, including the United States State Department and the Department of Trade. In a recent announcement, the State Department revealed that over 60,000 emails were stolen from Outlook accounts operating in East Asia, the Pacific region, and Europe.

According to Microsoft, the attackers gained access to sensitive information by obtaining the client’s cryptographic key after compromising the corporate account of a Microsoft engineer. With this key, the hackers successfully infiltrated Exchange Online and Azure Active Directory (AD) accounts, ultimately gaining access to government emails.

Today, Microsoft announced changes to its audit log retention policies. These changes will be rolled out in the coming weeks, and Microsoft Purview Audit customers with standard licenses will be the first to benefit, starting in October for corporate customers and November for government customers.

“In October 2023, we will begin implementing changes that will allow for an extended default storage period of up to 180 days for audit logs created by Audit (Standard) customers. Audit (Premium) customers will continue to have a default period of 1 year and the option to extend it for up to 10 years,” stated a Microsoft Purview representative.

Under pressure from the Cybersecurity and Infrastructure Security Agency (CISA), Microsoft has expanded access to cloud log data without requiring additional payment. This will assist security specialists in identifying future hacking attempts. Previously, this feature was only available to customers with paid Purview Audit (Premium) licenses. Microsoft had received criticism for limiting organizations’ ability to detect attacks like Storm-0558.

Starting in December 2023, customers with Purview Audit (Standard) licenses will also have access to additional email access logs and 30 other event logs for Yammer/Viva Engage, Teams, Exchange, and SharePoint. Previously, these logs were only accessible to customers with Premium licenses.

Audit (Premium) licenses will still have a longer default storage period, broader data export access, high-speed API and log access, and improved AI-driven intelligence features from Microsoft.
