Microsoft to Offer Some Cybersecurity Free After Suspected China Hack

Microsoft said it plans to offer free some tools that can spot cyberattacks following last week’s disclosure of a major security breach linked to Chinese hackers that was undetectable for some customers.

The decision to open up access to its back-end systems that log activity on the cloud came after Microsoft’s tiered payment system attracted criticism in the wake of an alleged Chinese cyber-espionage campaign, which the company said infiltrated its cloud-based email system and compromised inboxes at about two dozen organizations globally. The federal government, including officials at the State Department and Commerce Secretary Gina Raimondo, was among the victims of the attack, U.S. officials said.

Beginning in September, the technology company will make 31 critically important security logs available free to licensees of the company’s lower-cost cloud services, including the type of email log that was used to identify the China-linked attack, said Vasu Jakkal, a vice president of security at Microsoft. The company will also increase the duration of retention for security logs from 90 to 180 days, Jakkal said.

While logs don’t prevent cyberattacks, companies use them to detect and investigate hacks because the logs keep track of activity on Microsoft’s servers. In the recent China-linked breach, key logging information required to detect the attack was only available to purchasers of Microsoft’s top-tier Microsoft 365 cloud service, known as E5, officials said last week. That left some customers with cheaper plans no way of figuring out whether they had been hacked.

“This is a significant step forward to ensuring that every Microsoft customer has the right visibility to detect other threats that we know are targeting American organizations every day,” said Eric Goldstein, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency. 

Jakkal and Goldstein said the effort to identify valuable security logs and provide them free to Microsoft customers had been continuing for a year and was a result of collaboration between Microsoft and the Biden administration. Both declined to link Wednesday’s announcement directly to the alleged China hack. But “there was clearly an urgency to get this done, given the sophistication of the landscape,” Jakkal said.

After the hack, senior Biden administration officials, a prominent Democratic senator and cybersecurity experts called on Microsoft to make computer logs of activity on the cloud more widely available. Once Microsoft became aware of the hacking campaign, which was first detected by the State Department, it was able to identify victims even if the targeted companies weren’t paying for the premium service. But experts said the lack of visibility for some customers meant the attack might have gone unnoticed for a longer period. 

Many companies are unaware that their cloud-computing products might come with incomplete logs, said Jake Williams, a cybersecurity consultant. “I consult with organizations regularly that only find out they are missing these logs when they have to investigate an account takeover,” Williams said.

Democratic Sen. Ron Wyden of Oregon welcomed the move but said large cybersecurity businesses like Microsoft had misaligned incentives that made it lucrative to offer insecure products and upsell customers on cybersecurity add-ons.

“It shouldn’t have taken multiple disastrous hacks of federal systems for Microsoft to make essential security features standard for government customers, but better late than never,” Wyden said in a statement. “Going forward, federal agencies should insist that software contracts include security logs and other cybersecurity features, so our national security is no longer compromised by a shoddy procurement process.”

In the alleged China breach, which Microsoft said dates back to May and was detected about a month later, government officials had said they were concerned that some users of Microsoft’s lower-cost cloud offerings wouldn’t have been able to see the email logging information that revealed the breach.

Microsoft continues to investigate the recent alleged China breach, but to date the company hasn’t explained how the hackers were able to pull it off. Goldstein said Tuesday that the federal government was continuing to investigate the hack and understand its full impact. Officials haven’t formally linked the attack to Beijing, but said they have no reason to doubt Microsoft’s attribution. China has denied the allegations and accused the U.S. of engaging in pervasive cyber espionage.

“This was a sophisticated attack, and we are working closely with Microsoft and the investigation continues,” Goldstein said.

Write to Dustin Volz at [email protected] and Robert McMillan at [email protected]