Updated: April 8, 2024 (July 17, 2023)

  Blog

Microsoft's latest email hack: M365 E3 subscribers beware

My Atlas / Blog

563 wordsTime to read: 3 min
Mary Jo Foley by
Mary Jo Foley

Mary Jo Foley is the Editor in Chief at Directions on Microsoft. Before joining Directions, Mary Jo has worked as... more

Microsoft publicly disclosed last week that a China-based hacking group (“Storm-0558”) infiltrated some individual and government Outlook email accounts for a month. Via several blog posts, Microsoft officials shared details about how the breach of approximately 25 organizations happened and some of the steps it has taken to remedy the issue.

But there was one key bit of information that Microsoft did not disclose about the hack of which Microsoft enterprise customers should be aware. In its write-up, The Wall Street Journal noted that customers who were using Microsoft 365 E3, rather than E5, didn’t realize they were being hacked.

From the WSJ:

“Companies detect and investigate attacks by using logging software that keeps records of activity on their servers. But in this latest Chinese espionage campaign, critical logging information required to detect the attack was only available to purchasers of Microsoft’s top-tier cloud service, said officials at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.”

E3 offers some logging information but does not keep track of specific mailbox data which would have revealed the attack. Microsoft 365 and Office 365 E3 (and other plans below) do not log read-access to individual Exchange Online mailbox items.

E5 includes advanced information protection, premium e-discovery, advanced threat protection and threat intelligence — all capabilities not included as part of E3. There are also limits on the age of Entra identity and access ID sign-in logs, which is where failed sign-ins show up. In Office 365, for instance, the limit is seven days.

“Many capabilities that Microsoft 365 Enterprise tenants need to operate safely and comply with regulations require the more expensive license suites. It’s like going to a car lot and being told you have to buy the premium option package to get the Check Engine light,” said Directions on Microsoft analyst Rob Helm.

Microsoft 365 E5 costs substantially more than E3. Before volume discounts, E3 costs $36 per user per month and E5, $57 per user per month. To date, relatively few Microsoft customers have purchased E5. Officials said during fiscal 2022 (the period between July 1, 2021, and June 30, 2022) that E5 represented about 12 percent of the total M365/O365 base. In Microsoft’s FY’23 Q’1, officials didn’t provide an update on E5 growth, other than to say more than half of the $10-million-plus Microsoft 365 bookings in the quarter came from E5.

Microsoft officials have been touting the growing size of the company’s security business — a boast which doesn’t sit well with some customers, competitors and critics, who argue that Microsoft should not be making money from insecurities in its own software and services. Recently, a leaked internal report meant for Microsoft’s board noted that Microsoft is aiming to grow its security and identity management (SCIM) business to $50 billion by FY’25 and possibly to $100 billion by FY’30. However, Microsoft officials also acknowledged in that report that deployment is lagging subscriptions.

As Directions on Microsoft analysts have noted before, customers need to use extreme care when mixing and matching Microsoft 365 E3 and E5 together. As a general rule, organizations should ensure that they do not deploy and enable Microsoft 365 E5 security and compliance services unless all knowledge workers are licensed for the entire Microsoft 365 E5 suite (or F5 equivalent). Related but different issues can occur if the organization partially licenses E5 subcomponents on an à la carte basis and not all users are licensed for all the services deployed as a part of those subcomponents.