Microsoft Provides Free Logging Capabilities to U.S. Federal Agencies

admin, February 26, 2024, 02:31:23


Microsoft has expanded free logging capabilities to all U.S. federal agencies using Microsoft Purview Audit irrespective of the license tier, more than six months after a Country-linked cyber espionage campaign targeting two dozen organizations came to light.


"Microsoft will automatically enable the logs in customer accounts and increase the default log retention period from 90 days to 180 days," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said.


"Also, this data will provide new telemetry to help more federal agencies meet logging requirements mandated by [Office of Management and Budget] Memorandum M-21-31."


Microsoft, in July 2023, disclosed that a nation-state activity group known as Storm-0558 gained unauthorized access to approximately 25 entities in the U.S. and Europe as well as a small number of related individual consumer accounts.


"Storm-0558 operates with a high degree of technical tradecraft and operational security," the company noted. "The actors are keenly aware of the target's environment, logging policies, authentication requirements, policies, and procedures."


The campaign is believed to have commenced in May 2023, but was detected only a month later after a U.S. federal agency, later revealed to be the State Department, uncovered suspicious activity in unclassified Microsoft 365 audit logs and reported it to Microsoft.


The breach was detected by leveraging enhanced logging in Microsoft Purview Audit, specifically using the MailItemsAccessed mailbox-auditing action that's typically available for Premium subscribers.
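A review of MailItemsAccessed records like the one described above can be sketched as follows. This is an added example, not code from the article, Microsoft or CISA: it assumes audit records exported as JSON lines with the `Operation`, `AppId`, `MailboxOwnerUPN`, `OperationProperties` and `Folders` fields, and the sample records, app IDs and baseline allowlist are constructed.

```python
import json
from collections import defaultdict

# Constructed sample audit records (JSON lines), not real tenant data.
# AppId values are placeholders; the baseline is an assumed allowlist.
SAMPLE_LOG = """\
{"CreationTime": "2023-06-15T08:01:00", "Operation": "MailItemsAccessed", "MailboxOwnerUPN": "alice@example.gov", "AppId": "APP-OUTLOOK", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "Folders": [{"Path": "Inbox", "FolderItems": [{"InternetMessageId": "<m1@example.gov>"}]}]}
{"CreationTime": "2023-06-15T08:05:00", "Operation": "Send", "MailboxOwnerUPN": "alice@example.gov", "AppId": "APP-OUTLOOK"}
{"CreationTime": "2023-06-15T09:30:00", "Operation": "MailItemsAccessed", "MailboxOwnerUPN": "alice@example.gov", "AppId": "APP-UNKNOWN", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "Folders": [{"Path": "Inbox", "FolderItems": [{"InternetMessageId": "<m2@example.gov>"}, {"InternetMessageId": "<m3@example.gov>"}]}]}
{"CreationTime": "2023-06-15T09:31:00", "Operation": "MailItemsAccessed", "MailboxOwnerUPN": "alice@example.gov", "AppId": "APP-UNKNOWN", "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}, {"Name": "IsThrottled", "Value": "True"}], "Folders": []}
"""
BASELINE_APP_IDS = {"APP-OUTLOOK"}  # assumed: apps expected to read mail


def triage_mail_access(log_text, baseline=BASELINE_APP_IDS):
    """Summarise MailItemsAccessed records made by apps outside the baseline."""
    findings = defaultdict(lambda: {"records": 0, "items": 0, "sync": 0,
                                    "throttled": 0, "first_seen": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        app = rec.get("AppId") or rec.get("ClientAppId") or "<missing>"
        if app in baseline:
            continue
        props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
        f = findings[(rec.get("MailboxOwnerUPN"), app)]
        f["records"] += 1
        # Bind records list the individual messages read; count them.
        f["items"] += sum(len(fd.get("FolderItems", [])) for fd in rec.get("Folders", []))
        # Sync records are counted separately (assumed to carry no item list).
        f["sync"] += props.get("MailAccessType") == "Sync"
        # Throttled mailboxes have incomplete auditing; scope conservatively.
        f["throttled"] += props.get("IsThrottled", "False").lower() == "true"
        ts = rec.get("CreationTime")
        if ts and (f["first_seen"] is None or ts < f["first_seen"]):
            f["first_seen"] = ts
    return dict(findings)


if __name__ == "__main__":
    for (mailbox, app), f in triage_mail_access(SAMPLE_LOG).items():
        print(mailbox, app, f)
```

With only 90 days of retention, a baseline built from older activity is unavailable, which is one reason the extension to 180 days matters for this kind of review.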


The Windows maker subsequently acknowledged that a validation error in its source code allowed Storm-0558 to forge Azure Active Directory (Azure AD) tokens using a Microsoft account (MSA) consumer signing key and then use them to penetrate the mailboxes.


The attackers are estimated to have stolen at least 60,000 unclassified emails from Outlook accounts belonging to State Department officials stationed in East Asia, the Pacific, and Europe, Reuters reported in September 2023.


Microsoft also faced intense scrutiny for limiting basic-yet-crucial logging capabilities to entities that are on the more expensive E5 or G5 plan, prompting the company to make changes.


"We recognize the vital importance that advanced logging plays in enabling federal agencies to detect, respond to, and prevent even the most sophisticated cyberattacks from well-resourced, state-sponsored actors," Microsoft's Candice Ling said. "For this reason, we have been collaborating across the federal government to provide access to advanced audit logs."


Originally published on the WeChat public account 知机安全: Microsoft Provides Free Logging Capabilities to U.S. Federal Agencies
