Microsoft is now letting all federal agencies check their activity logs for free

Activity logs helped the State Department spot an intrusion

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

To help US government agencies defend against foreign state-sponsored adversaries,Microsoftis expanding its free logging features in some products.

A Cybersecurity and Infrastructure Security Agency (CISA) announcement revealed reported all US federal agencies using Microsoft Pureview Audit will be granted the upgrade, regardless of their license tier.

The move comes in response to a cyberattack against U.S. government agencies that was discovered last summer.

Logs to the rescue

In July 2023, the US State Departmenttipped Microsoft off on a cyber-espionage campaignthat leveraged forged authentication tokens for Outlook Web Access in Exchange Online, and Outlook.com.

Microsoft later attributed the attack to Storm-0558, allegedly a Chinese state-sponsored threat actor usually engaged in cyber-espionage against Western organizations and governments. Storm-0558 gained access to more than two dozen email accounts and obtained an unknown amount of sensitive information.

The US State Department was able to discover the attack by analyzing unclassified Microsoft 365 audit logs, available in Microsoft Pureview Audit for Premium subscribers.

“Storm-0558 operates with a high degree of technical tradecraft and operational security,” Microsoft explained. “The actors are keenly aware of the target’s environment, logging policies, authentication requirements, policies, and procedures.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

China denied any wrongdoing, and called the US “the world’s biggest hacking empire and global cyber thief.” The Chinese added it was “high time that the U.S. explained its cyber attack activities and stopped spreading disinformation to deflect public attention.”

Storm-0558 apparently used twomalware, Bling and Cigril, with the latter being described as a trojan capable of decrypting encrypted files and running them directly from system memory on the target endpoint.

ViaTheHackerNews

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Windows PCs targeted by new malware hitting a vulnerable driver

Dangerous Android banking malware looks to trick victims with fake money transfers

ChatGPT just got easier to find when you’re searching for something