#NSBCS.057 - PSA: Turn on your Microsoft 365 Audit Logging!

Source: NSB Cyber

PSA: Turn on your Microsoft 365 Audit Logging!

It’s 2025, and we’re still seeing an important (and free) Microsoft 365 feature that some organisations have not yet turned on: Microsoft 365 unified audit logging.

A lot of organisations already have this turned on in their Microsoft 365 tenancies, as it’s a feature enabled by default. But some tenancies still do not have it enabled for various reasons – especially older Microsoft 365 tenancies or those purchased through a Microsoft Partner that hasn’t done this.

And no, do not wait until you have an incident to do this!

Firstly, why should I care?

Business email compromises continue to be a common occurrence for organisations of all sizes, including those that use a Microsoft 365 environment (which is a lot of us). When an email compromise occurs, you need to understand the facts of the intrusion, otherwise you may find some nasty surprises left by the Threat Actor (e.g. backdoors they left for themselves!).

As cyber incident responders who regularly respond to business email compromises, we find the Microsoft 365 unified audit log an incredibly useful source of forensic evidence for uncovering the facts of an email compromise, such as:

  • When did the Threat Actor first get into this user’s account?

  • How long was the Threat Actor in my Microsoft 365 environment for?

  • What did they potentially access? Did they access SharePoint or OneDrive?

  • What emails did the Threat Actor potentially access?

Without this logging on, it becomes a lot more difficult to accurately determine what the Threat Actor did or didn’t do. In some cases, you may end up having to assume the worst.
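To show how the unified audit log actually answers those four questions, here is an added example (not code from the NSB Cyber post) using Exchange Online PowerShell. It assumes an existing `Connect-ExchangeOnline` session with rights to search the audit log; the mailbox address is a constructed placeholder, and whether `MailItemsAccessed` events are present depends on your audit licensing.

```powershell
# Added example (not from the NSB Cyber post): pull unified audit log events for
# one mailbox suspected of business email compromise and summarise them to answer
# "when did they get in / how long / what did they access".
# Assumes: Connect-ExchangeOnline has already been run with an account that holds
# an audit-search role. The address below is a constructed placeholder.

$Suspect   = "jane.doe@example.com"     # constructed placeholder, replace with the affected account
$StartDate = (Get-Date).AddDays(-90)    # search the whole retention window you have
$EndDate   = Get-Date

# Operations that typically matter in an email compromise: sign-ins, mailbox reads
# (MailItemsAccessed availability depends on licensing), inbox rule changes used to
# hide replies, delegate/permission changes, and SharePoint/OneDrive file access.
$Operations = @(
    "UserLoggedIn", "MailItemsAccessed", "New-InboxRule", "Set-InboxRule",
    "Add-MailboxPermission", "FileAccessed", "FileDownloaded", "FileSyncDownloadedFull"
)

$records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
    -UserIds $Suspect -Operations $Operations -ResultSize 5000 -SessionCommand ReturnLargeSet

# AuditData is a JSON string; expand the fields an investigator pivots on.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = [datetime]$d.CreationTime
        Operation = $d.Operation
        Workload  = $d.Workload
        ClientIP  = $d.ClientIP
        Object    = $d.ObjectId
    }
}
$events = $events | Sort-Object Time

# "When did they first get in, and how long were they in?"
# First and last sign-in per source IP makes unfamiliar addresses stand out.
$events | Where-Object Operation -eq "UserLoggedIn" |
    Group-Object ClientIP |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            ClientIP  = $_.Name
            FirstSeen = ($sorted | Select-Object -First 1).Time
            LastSeen  = ($sorted | Select-Object -Last 1).Time
            Logins    = $_.Count
        }
    } | Sort-Object FirstSeen | Format-Table -AutoSize

# "What did they access? SharePoint or OneDrive? Which emails?"
# Activity counts per workload and operation give the shape of the session;
# the Object column on FileAccessed/MailItemsAccessed rows gives the specifics.
$events | Group-Object Workload, Operation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Inbox rules and permission changes deserve a full look: they are the usual
# "nasty surprises" left behind to keep access or hide correspondence.
$events | Where-Object Operation -in @("New-InboxRule", "Set-InboxRule", "Add-MailboxPermission") |
    Format-List Time, Operation, ClientIP, Object
```

Every row in these tables exists only because ingestion was switched on before the intrusion; with logging off, the same script returns nothing and the questions above go unanswered.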

Oh yeah, and it doesn’t cost you a dime to turn on.

Okay fine, I’ll take 2 minutes to check (or ask my IT team to do this). What are the steps?

Here are the basic steps, but always consult the Microsoft articles in case things change. In Microsoft’s case, things change quite often!

  • Sign in to the Microsoft Purview (formerly compliance) portal, using a sufficiently privileged account.

  • Select the ‘Solutions’ card on the left, then select ‘Audit’.

  • In the ‘Audit’ view:

    • If you see a ‘Start recording user and admin activity’ button, this means that your M365 audit logging has not been enabled. Click this button to now enable it. Note: This does not incur additional costs to your M365 tenancy.

    • If you don’t see the button, and instead you see some search fields available, this means your M365 audit logging has already been enabled.

  • Once enabled, you can go a step further to validate by conducting a search to verify you can see audit logging results. Note that there may be a delay.

One thing to note is that, if you are enabling this in response to a security alert or incident and are hoping this would provide you historical data, you may be out of luck. Enabling the audit logging does not typically provide you historical information – it starts logging from the moment you enable it.
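The same check, enable and validate steps can be scripted, which is handy for a partner or IT team looking after many tenancies. This is an added example, not code from the NSB Cyber post, and it assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a role that can change audit configuration (for example Organization Management).

```powershell
# Added example (not from the NSB Cyber post): check, enable and validate
# Microsoft 365 unified audit logging with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the account
# used is sufficiently privileged to read and change audit configuration.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in with a sufficiently privileged account

# Step 1: check the current state. $false corresponds to the portal showing the
# 'Start recording user and admin activity' button.
$config = Get-AdminAuditLogConfig
if ($config.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit logging is already enabled."
} else {
    Write-Host "Unified audit logging is OFF - enabling now (no additional cost)."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # The change can take a while to propagate; re-run the check later to confirm.
}

# Step 2: validate by searching the last 24 hours. Logging starts from the moment
# it was enabled and does not backfill history, so an empty result right after
# enabling is expected rather than a fault.
$results = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 10
if ($results) {
    $results | Select-Object CreationDate, UserIds, Operations, RecordType | Format-Table -AutoSize
} else {
    Write-Host "No audit records returned yet - allow for ingestion delay if logging was just enabled."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once now, and again a day later: the second run is the one that proves records are flowing, because of the ingestion delay noted above.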

Check that you’ve got Microsoft 365 unified audit logging turned on!!!

For information on NSB Cyber’s Cyber Resilience capabilities or to book a meeting with our team, click here.

What we read this week

  • Extension poisoning campaigns target multiple browsers — A series of extension poisoning campaigns have targeted browsers like Chrome and Firefox, exploiting flaws in legitimate extensions to carry out malicious operations such as data theft, credential harvesting, and system compromise. One prominent example involves the "Bokbot" malware, distributed through a fake extension update. Other campaigns leverage well-known extensions, like "Adblock Plus" and "LastPass," to insert malicious payloads upon update or installation. These attacks highlight critical gaps in extension security, with attackers exploiting users’ trust in popular, widely-used extensions. Security experts recommend more stringent vetting processes for extension updates and user vigilance.

  • Microsoft Patch Tuesday Patches Record Number of vulnerabilities — Microsoft’s January 2025 Patch Tuesday addresses 159 vulnerabilities across Windows, Office, .NET, Visual Studio, and Azure, among other products. The update includes eight zero-day flaws, with three—CVE-2025-1200, CVE-2025-1201, and CVE-2025-1213—actively exploited in the wild. The critical vulnerabilities enable remote code execution or privilege escalation, making patching a top priority. Additional zero-days pose varied threats, from data disclosure to denial-of-service. Microsoft urges admins and end-users to apply updates promptly, prioritising systems affected by the three actively exploited zero-days. Full technical details and mitigation steps are available in Microsoft’s official Security Update Guide.

  • DPRK’s Lazarus Group expanding fake job operations — North Korea’s Lazarus APT is intensifying social engineering attacks on developers with bogus recruitment lures, distributing malicious Visual Studio projects through platforms like GitHub. By pretending to be legitimate recruiters or technology companies, Lazarus tricks targets into executing trojanised code, exfiltrating credentials and intellectual property, and establishing persistence. Security experts note the group’s sophisticated spear-phishing tactics and stress the need for heightened vigilance among developer communities. Recent reporting from multiple cybersecurity firms underscores Lazarus’s reliance on advanced, tailored infection chains. Verification of recruiter authenticity, scanning software repositories for hidden malware, and robust endpoint security are advised to mitigate the threat.

  • CL0P threat actors keep promise of Cleo vulnerability focus and exploitation — The Cl0p ransomware group has published a list of organisations compromised through vulnerabilities in Cleo’s Managed File Transfer (MFT) software. This echoes the group’s claim in December that it would entirely focus on organisations affected by CVE-2024-50623, which allows unauthenticated remote code execution. While the patch was released in October 2024, sources discovered that the fix was insufficient, leaving instances vulnerable to exploitation. The group has reportedly targeted at least 66 organisations so far, though the toll is expected to increase. This underscores the need for appropriate vulnerability management and timely patching, especially for actively exploited vulnerabilities.

  • US authorities leveraged PlugX Malware self-delete feature - In a court-authorised operation, the FBI leveraged PlugX malware’s own self-delete functionality to wipe the Chinese-linked remote access trojan from compromised US systems. The malware, attributed to state-sponsored threat actors, granted illicit access and control over infected networks. Rather than altering user files or applications, agents used PlugX’s built-in command to discreetly uninstall itself. According to sources, the Mustang Panda group behind the PlugX malware was paid by the Chinese government to manage cyber operations and develop this specific version of the malware.

