Fortunately for the rest of us, this logging was in place when the Chinese attackers accessed Exchange Online. The audit logging available to the affected agency's Exchange Online tenant is what allowed it to determine that the attackers had been inside its mailboxes.
Attackers gained access through a consumer-level signing key
As noted in the CISA documentation, “An FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in Microsoft 365 audit logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppID did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA.”
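The detection CISA describes is a baseline check: which AppIds normally read mailbox items in this tenant, and which ones appear in MailItemsAccessed records that never did before. The following is an added example, not code from the article or from CISA, that runs that check over constructed audit records shaped like the AuditData JSON that Search-UnifiedAuditLog returns for MailItemsAccessed (field names follow Microsoft's audit schema; the GUIDs, users and IP addresses are placeholders, not real indicators). It also handles one edge case a responder needs to know about: when a record carries IsThrottled=True, Exchange Online stops writing MailItemsAccessed for that mailbox for 24 hours, so the event count is a lower bound on what was read.

```python
"""Flag MailItemsAccessed records whose AppId is not in the tenant's baseline.

Added example. Records are constructed in the shape of Search-UnifiedAuditLog
AuditData for MailItemsAccessed; GUIDs, users and IPs are placeholders.
"""
import json
from collections import Counter, defaultdict

# Placeholder AppIds (constructed, not real client identifiers).
OUTLOOK_DESKTOP = "11111111-aaaa-4aaa-8aaa-000000000001"
OUTLOOK_MOBILE = "11111111-aaaa-4aaa-8aaa-000000000002"
UNEXPECTED_APP = "99999999-bbbb-4bbb-8bbb-000000000009"


def make_record(user, app_id, client_app_id, ip, throttled=False):
    """One constructed MailItemsAccessed AuditData record (values invented)."""
    return {
        "Operation": "MailItemsAccessed",
        "RecordType": 50,  # ExchangeItemAggregated
        "Workload": "Exchange",
        "MailboxOwnerUPN": user,
        "AppId": app_id,
        "ClientAppId": client_app_id,
        "ClientIPAddress": ip,
        "OperationProperties": [
            {"Name": "MailAccessType", "Value": "Bind"},
            {"Name": "IsThrottled", "Value": str(throttled)},
        ],
    }


# Constructed history: ordinary traffic from two sanctioned clients.
# In practice this window comes from
#   Search-UnifiedAuditLog -Operations MailItemsAccessed -StartDate ... -EndDate ...
HISTORY = (
    [make_record(f"user{i}@example.gov", OUTLOOK_DESKTOP, OUTLOOK_DESKTOP, "198.51.100.10") for i in range(20)]
    + [make_record(f"user{i}@example.gov", OUTLOOK_MOBILE, OUTLOOK_MOBILE, "203.0.113.5") for i in range(8)]
)

# Constructed recent window: normal traffic, an unknown app reading two mailboxes
# (one record throttled), and a non-mail record that must be ignored.
RECENT = HISTORY[:5] + [
    make_record("cio@example.gov", UNEXPECTED_APP, UNEXPECTED_APP, "192.0.2.77"),
    make_record("cio@example.gov", UNEXPECTED_APP, UNEXPECTED_APP, "192.0.2.77", throttled=True),
    make_record("deputy@example.gov", UNEXPECTED_APP, UNEXPECTED_APP, "192.0.2.78"),
    {"Operation": "FileAccessed", "Workload": "SharePoint", "AppId": UNEXPECTED_APP},
]


def load_records(jsonl_text):
    """Parse one AuditData JSON object per line, as exported from the audit log."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def mail_items_accessed(records):
    """Keep only MailItemsAccessed records; other operations use different fields."""
    return [r for r in records if r.get("Operation") == "MailItemsAccessed"]


def prop(record, name):
    """Read one entry of OperationProperties (a list of Name/Value pairs)."""
    for p in record.get("OperationProperties", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None


def build_app_baseline(history, min_events=5):
    """AppIds seen at least min_events times in the history window count as normal.
    The threshold stops a single stray historical hit from whitelisting an app."""
    counts = Counter(r["AppId"] for r in mail_items_accessed(history))
    return {app for app, n in counts.items() if n >= min_events}


def find_unexpected_access(recent, baseline):
    """Group recent MailItemsAccessed events by (AppId, ClientAppId) not in baseline."""
    findings = defaultdict(lambda: {"events": 0, "mailboxes": set(), "ips": set(), "throttled": False})
    for r in mail_items_accessed(recent):
        if r["AppId"] in baseline:
            continue
        f = findings[(r["AppId"], r["ClientAppId"])]
        f["events"] += 1
        f["mailboxes"].add(r["MailboxOwnerUPN"])
        f["ips"].add(r["ClientIPAddress"])
        # IsThrottled=True: Exchange stopped logging MailItemsAccessed for this
        # mailbox for 24 hours, so the count is a lower bound, not the full scope.
        if prop(r, "IsThrottled") == "True":
            f["throttled"] = True
    return dict(findings)


if __name__ == "__main__":
    baseline = build_app_baseline(load_records("\n".join(json.dumps(r) for r in HISTORY)))
    for (app, client), f in find_unexpected_access(RECENT, baseline).items():
        scope = "at least" if f["throttled"] else "exactly"
        print(f"AppId {app} (ClientAppId {client}): {scope} {f['events']} events, "
              f"mailboxes={sorted(f['mailboxes'])}, ips={sorted(f['ips'])}")
```

The baseline window should be long enough to cover every legitimate client your users actually use (mobile, desktop, webmail, any mail-reading integrations), otherwise the check fires on normal traffic. A hit on an AppId you cannot account for is the moment to pull the rest of that app's sign-in and token activity, and a throttled record is the signal to assume the visible mailbox list is incomplete.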
It has come to light that the attackers somehow acquired a consumer Microsoft account (MSA) signing key and used it to forge authentication tokens for enterprise Exchange Online accounts. Microsoft has since revoked the key and put in place controls so that tokens signed with a consumer key cannot be used to authenticate to enterprise assets. It also appears that Microsoft will be reviewing additional processes to ensure this does not happen again.
Microsoft has expanded access to logging
This has also pushed Microsoft to take the bold step of making this level of logging available to every customer without requiring a premium license. Knowing whether you truly had a breach is a key element of any service and should not be limited to those who can pay for it. On July 19, 2023, Microsoft announced that it will phase in access to wider cloud security logs for customers worldwide at no additional cost.
Microsoft will begin rolling out these logging enhancements in September 2023, but there are ways to get access to these logs now and evaluate them in the meantime. First, use a trial: if you think you have had a breach and do not have this licensing in place, be aware that the logging exists so that you can sign up for a trial and turn it on. Keep in mind that MailItemsAccessed is only recorded for a mailbox from the time it is licensed; enabling a trial will not backfill events from before you turned it on.
As Microsoft itself advises: “If you’re not an E5 customer at this time, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub.” Even if you do have E5 for some of your users, be aware that this logging is licensed per mailbox, so any mailbox without E5, including shared mailboxes, will need an E5 or trial license assigned before its activity is recorded.