Microsoft has confirmed that more than two weeks' worth of security logs were missing from some of its cloud products. The company said the issue was caused by a malfunction in one of its internal monitoring agents, which occurred between September 2 and September 19, 2024.
According to Microsoft, a bug in one of its internal monitoring agents led to failed uploads of log data to the company’s logging platform. The issue primarily impacted logs from Microsoft Entra, Sentinel, Defender for Cloud, and Purview. These logs typically provide information about sign-ins, failed login attempts, and other activity that can help defenders spot possible security incidents.
Microsoft clarified that the bug was introduced during efforts to fix a separate problem with its log collection service. Although the company followed safe deployment practices, it failed to detect the new issue for several days. However, Microsoft said that the problem has since been resolved.
"We have mitigated the issue by rolling back a service change. We have communicated to all impacted customers and will provide support as needed," John Sheehan, Microsoft’s corporate vice president, told TechCrunch.
The incident follows a string of high-profile security issues for the tech giant. In May 2023, a Chinese hacker group tracked as Storm-0558 exploited a vulnerability in Microsoft’s services, stealing a signing key that allowed them to breach corporate and government Exchange and Microsoft 365 accounts. The threat actor breached an unidentified number of email accounts linked to around 25 organizations, including some related individual consumer accounts and government agencies in Western Europe and the US.
The attackers leveraged forged authentication tokens to access impacted email accounts via Outlook Web Access in Exchange Online (OWA) and Outlook.com.
A few months after the attack, the DHS Cyber Safety Review Board (CSRB) released a report on the Microsoft hack that blamed the company for the intrusion, which officials said was “preventable,” adding that “Storm-0558 was able to succeed because of a cascade of security failures at Microsoft.”