Microsoft 'Logging Tax' Hinders Incident Response, Experts Warn

A recent email compromise by Chinese APT group Storm-0558 highlights a lack of access to security logging by many Microsoft 365 license holders, prompting calls from researchers to abolish it.

[Image: Microsoft 365 on screen. Source: dennizn via Alamy Stock Photo]

A human rights organization was alerted by Microsoft that it was compromised as part of a July email breach attributed to Storm-0558, but the organization couldn't find any evidence of compromise in its logs. Why? It didn't pay Microsoft a premium for an E5-level license.

That's the story Steven Adair with Volexity took to Twitter to tell, highlighting the lack of access to logging for the vast majority of Microsoft customers who don't have E3 licenses.

"This incident was a real head-scratcher for us," Adair wrote. "Investigating incidents and suspect activity in Microsoft 365 and Azure AD is something we (at Volexity) do frequently. However, despite a notification from Microsoft regarding unauthorized access, we could not find any corroborating evidence."

The problem? The Volexity team didn't have access to the logging evidence with the human rights organization's E3 license.

"It turns out the attacker was accessing emails, and this level of activity was logged to the 'MailItemsAccessed' operation," he added. "However, generally speaking, this log operation is not available to E3 licenses and requires additional logging available only from more expensive E5/G5 plans."

Adair noted that email logging should be table stakes given the threat landscape, as evidenced by CISA's July 12 guidance for detecting APT-level activity that recommends enabling premium E5-level logging. Yet, according to Microsoft, an Office 365 E3 license runs $23 per user, per month, while the E5 costs $38 per user, per month, which Adair pointed out is prohibitive for many organizations.
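As an added, defender-side example that is not part of the article or Volexity's tooling: a PowerShell check against the Exchange Online unified audit log that tells an investigator whether MailItemsAccessed events are actually being recorded for their tenant, and summarizes the ones found by user, client IP and access type. It assumes the ExchangeOnlineManagement module is installed and the account used holds an audit-log reader role; the seven-day window and the 5,000-record cap are arbitrary choices.

```powershell
# Added example (not from the article): verify that MailItemsAccessed events
# exist in the unified audit log and summarise them for triage.
# Assumes the ExchangeOnlineManagement module and an audit-log reader role.
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddDays(-7)   # arbitrary look-back window

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType ExchangeItemAggregated -Operations MailItemsAccessed `
    -ResultSize 5000

if (-not $events) {
    Write-Warning ("No MailItemsAccessed events in the last 7 days. " +
        "Either no mailbox was read (unlikely) or this tenant's licensing " +
        "or audit configuration does not emit this operation.")
    return
}

# Each record's AuditData is JSON; MailAccessType (Bind/Sync) and
# IsThrottled live in the OperationProperties name/value array.
$events |
  ForEach-Object {
      $d = $_.AuditData | ConvertFrom-Json
      $props = @{}
      foreach ($p in $d.OperationProperties) { $props[$p.Name] = $p.Value }
      [pscustomobject]@{
          Time       = $d.CreationTime
          User       = $d.UserId
          ClientIP   = $d.ClientIPAddress
          AccessType = $props['MailAccessType']
          Throttled  = $props['IsThrottled']
          Items      = $d.OperationCount
      }
  } |
  Group-Object User, ClientIP, AccessType |
  Sort-Object Count -Descending |
  Select-Object Count, Name |
  Format-Table -AutoSize
```

An empty result on a tenant with active mailboxes is itself the finding: it means the evidence Adair describes would not be there to consult during an incident.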

Microsoft did not immediately respond to Dark Reading's request for comment.

Microsoft's Ongoing "Logging Tax"

While the recent Storm-0558 breach highlights the data discrepancies between the cybersecurity "haves" who can afford an E5 license, and those "have nots," like the human rights group targeted, the problem isn't new, according to cybersecurity expert Jake Williams. But Microsoft may soon feel pressured to do something about it in the wake of that latest campaign, which also affected 25 US federal government agencies.

"The enhanced logging only available with an E5 license (or the Security and Compliance add-on license with E3) has been a thorn in the side of incident responders and breach coaches for years," Williams explains to Dark Reading. "Organizations hit with a BEC (business email compromise) expect to be able to see what messages the threat actor viewed but can't without the enhanced logging."

He adds that in some instances, there can also be discrepancies on what's available on a per-account basis: "An organization may only have E5 licensing on some accounts, leading to a lack of consistency in what activities they can see on a per-account basis."

Williams stresses that premium logs alone would not have detected Storm-0558's malicious activity with specificity. Nonetheless, Volexity's Adair explained that "this whole operation was uncovered by an FCEB Agency [due to] anomalous activity related to MailItemsAccessed log operations," and as such, Williams doesn't expect Microsoft to be able to avoid scrutiny over its logging surcharge going forward.

"There shouldn't be a logging tax, especially for something so foundational as email," Williams adds. "I suspect Microsoft executives will be answering some really uncomfortable questions at yet-to-be-scheduled Congressional hearings over this."
