Microsoft Loses Weeks of Cloud Security Logs

Microsoft informed customers that it didn’t routinely store security records for its cloud products for two weeks in September, leaving network defenses vulnerable to breaches.

“A bug in one of Microsoft’s internal monitoring agents caused a malfunction in certain agents when uploading log data to our internal logging platform,” according to a notification sent to affected clients.

The notification stated that the logging outage was not the result of a security incident and that it “only impacted the collection of log events.”

Business Insider initially disclosed the loss of log data in October. The notification’s specifics have not been extensively reported. The notifications that Microsoft sent to affected companies are likely accessible only to a handful of users with tenant admin privileges, as noted by security researcher Kevin Beaumont.

Logging keeps track of events within a product, such as information about users signing in and unsuccessful attempts, which helps network defenders identify suspected intrusions.

Identifying unauthorized access to the customers’ networks during that two-week interval may be more challenging due to the absence of logs.

According to the Business Insider report, the affected products are Microsoft Entra, Sentinel, Defender for Cloud, and Purview.

The notification stated that affected customers “may have experienced gaps in security-related logs or events, potentially affecting customers’ ability to analyze data, detect threats, or generate security alerts.”

Microsoft declined to respond to inquiries regarding the logging outage; however, an executive from the company verified to TechCrunch that the incident resulted from an “operational bug within our internal monitoring agent.”

“We have resolved the matter by reversing a service change,” John Sheehan, a corporate vice president at Microsoft, stated. “We have contacted all affected customers and will offer assistance as required.”

The logging outage follows a year in which federal investigators criticized Microsoft for withholding security logs from specific U.S. federal government departments that host their emails on the company’s hardened, government-only cloud.

Investigators asserted that access to these logs could have identified a series of China-backed intrusions much earlier.

The China-backed intruders, known as Storm-0558, breached Microsoft’s network and stole a digital skeleton key. This key granted the hackers unrestricted access to U.S. government emails stored in Microsoft’s cloud.

According to a government-issued post-mortem of the cyberattack, the State Department was able to identify the intrusions because it purchased a higher-tier Microsoft license that provided access to security logs for its cloud products. This license was not available to many other hacked U.S. government agencies.

Microsoft announced in September 2023 that it would begin providing logs to its lower-paid cloud accounts in response to the China-backed breaches.

Carly Page contributed reporting.

Hillary Ondulohi

Hillary is a media creator with a background in mechanical engineering. He leverages his technical expertise to craft informative pieces on protechbro.com, making complex concepts accessible to a wider audience.
