Microsoft expands access to cloud logs after hacker forged tokens to get Exchange Online email

Many Microsoft customers will soon have access to expanded cloud logging capabilities at no additional charge, the company said Wednesday, after cybersecurity experts called on it to offer free logging data to organizations using any of its cloud services.

This comes after Microsoft admitted last week that a likely China-based threat actor recently forged authentication tokens to access user email of approximately 25 organizations.

“After working collaboratively over the past year, I am extremely pleased with Microsoft’s decision to make necessary log types available to the broader cybersecurity community at no additional cost,” said Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA). “While we recognize this will take time to implement, this is truly a step in the right direction toward the adoption of Secure by Design principles by more companies. We will continue to work with all technology manufacturers, including Microsoft, to identify ways to further enhance visibility into their products for all customers.”

“Today’s announcement comes as a result of our close partnership with CISA, who have called for the industry to take action in order to better protect itself from potential cyber-attacks,” said Vasu Jakkal, Microsoft’s corporate vice-president for security, compliance, identity, and management. “It also reflects our commitment to engaging with customers, partners, and regulators to address the evolving security needs of the modern world.”

Over the coming months Microsoft will include access to a wider variety of cloud security logs for customers at no additional cost, the company said in a blog. IT managers will use Microsoft Purview Audit to see more types of cloud log data generated across their enterprise.

Purview Audit (Standard) customers will receive deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available to those with Purview Audit (Premium) subscriptions with E5/G5 licences. In addition to new logging events becoming available, Microsoft is also increasing the default retention period for Audit Standard customers from 90 days to 180 days.

Although the CISA and Microsoft have been working for a year on expanding logging data to cloud users, the announcement also comes after experts called for action following last week’s announcement of the email hack aided by forged authentication keys.

“Log information should not be tiered,” Johannes Ulrich, dean of research at the SANS Institute wrote this week in the organization’s weekly news summaries. “It should be available at all license levels, ideally with options to send it straight to your SIEM/SOAR  [security information and event management/security orchestration automation and response] platform.”

Even if they don’t store any logs or make you pay for extra storage, the logs should be available and exportable to everyone, added Lee Neely, a SANS Instructor. “This level of goodwill will go a long way.”

Security Magazine said the agencies targeted by the attackers reportedly include the U.S. State and Commerce Departments. Among the email accounts accessed was one belonging to Secretary of Commerce Gina Raimondo.

The visibility problem was highlighted by Steven Adair, president of Volexity, who said on Twitter, that despite a notification from Microsoft to one of his firm’s clients regarding unauthorized access, “we could not find any corroborating evidence … The incident was invisible to us with the data at our disposal and this was due to the customer’s M365 license level: E3,” he said.

Microsoft first issued an alert on the attack early last week. On Friday it followed up with a more detailed analysis.  Beginning May 15, a group it calls Storm-0558 used forged authentication tokens to access user email from approximately 25 organizations, including government agencies and related consumer accounts in Microsoft’s public cloud. It says “with moderate confidence” that Storm-0558 is a China-based threat actor.

What happened, Microsoft says, was Storm-0558 “acquired an inactive MSA [Microsoft  account] consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and”

“The method by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens, Microsoft said.

Forging Azure AD tokens using an acquired consumer signing key and then using it to access Azure AD enterprise and “was made possible by a validation error in Microsoft code,” the company admitted.

Once authenticated through a legitimate client flow leveraging the forged token, Microsoft said, the threat actor accessed the OWA [Outlook Web Access] API to retrieve a token for Exchange Online from the GetAccessTokenForResource API used by OWA. The actor was able to obtain new access tokens by presenting one previously issued from this API due to the design flaw. The actor used these tokens to retrieve mail messages from the OWA API.

This flaw has since been fixed to only accept tokens issued from Azure AD or MSA respectively, Microsoft said. Azure AD keys were not impacted.

This threat actor has displayed an interest in OAuth applications, token theft, and token replay against Microsoft accounts since at least August 2021, the report adds.

The issue of visibility comes out in the Microsoft report, which says the use of an incorrect key to sign access requests allowed its investigation teams to see all of this actor’s access requests, which followed this pattern across both Microsoft’s enterprise and consumer systems.

Authentication tokens are used to validate the identity of entities requesting access to resources such as email, Microsoft says. These tokens are issued to the requesting entity (such as a user’s browser) by identity providers like Azure AD. To prove authenticity, the identity provider signs the token using a private signing key. The relying party validates the token presented by the requesting entity by using a public validation key. Any request whose signature is correctly validated by the published public validation key will be trusted by the relying party. An actor that can acquire a private signing key can then create falsified tokens with valid signatures that will be accepted by relying parties.

It’s not only Microsoft that should provide access logs to its cloud customers, the SANS commentators point out, but all cloud providers. in a press call, SANS said an official of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said that “Every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.