Microsoft

Microsoft announces the 2025 Security Excellence Awards winners

Microsoft Malware Protection Center - Tue, 04/29/2025 - 11:00am

In today’s rapidly evolving digital world, security requires a global community of defenders working together as a team to build a safer world for all. That’s why we’re thrilled to recognize the extraordinary individuals and organizations who have gone above and beyond in the fight against cyberthreats with the 2025 Microsoft Security Excellence Awards.

In San Francisco, California, on Monday, April 28, 2025, we gathered our cybersecurity superheroes―Microsoft Intelligent Security Association (MISA) member finalists and winners. Together with Microsoft leadership, we celebrated the innovative defenders who are leading the charge against cybercriminals to ensure people and organizations can thrive.

“Congratulations to this year’s Microsoft Security Excellence Awards winners, and to all the incredible nominees,” said Vasu Jakkal, Corporate Vice President, Microsoft Security Business. “Our partners are the frontline defenders in an ever-changing cybersecurity landscape, working tirelessly to protect organizations and individuals from emerging cyberthreats. Their innovation and commitment are instrumental in advancing security worldwide. Together, we’re strengthening defenses and shaping the future of security.”

Discover the Microsoft Intelligent Security Association Celebrating the superheroes of cybersecurity

The past year has been a testament to the power of collaboration. From deploying AI-powered threat intelligence to fortifying Zero Trust strategies, our partners have continued to raise the bar. Together, we’re stronger, smarter, and more resilient in the face of growing cyberthreats.

The Microsoft Security Excellence Awards honor outstanding contributions across several categories. This year’s finalists and winners have demonstrated not only technical excellence but also a firm commitment to strengthening security for the organizations that rely on them. They’re the best of the best—pushing boundaries and embracing cutting-edge security technologies.

After a review of all the award nominations, our review panel created a shortlist of five nominees per category, with winners determined by votes from Microsoft and MISA members. Congratulations to you all!

Security Trailblazer

Partners that have delivered innovative solutions or services that leverage the full Microsoft range of security products and have proven to be outstanding leaders in accelerating customers’ efforts to mitigate cybersecurity threats.

BlueVoyant—Winner
Darktrace
HCLTech
Kocho
Wortell

Data Security and Compliance Trailblazer

Partners that deliver innovative solutions or services and are distinguished leaders in developing outcomes that provide a comprehensive approach to securing customer data with the Microsoft Purview platform.

Avanade—Winner
eShare
Lighthouse
Protiviti
Quorum Cyber

Identity Trailblazer

Partners that are leaders in the identity space and have driven identity-related initiatives and delivered innovative solutions or services with Microsoft Entra ID.

PwC—Winner
IDmelon
Kloudynet
Oxford Computer Group
Patriot Consulting

Endpoint Management Trailblazer

Partners that have proven expertise in helping customers modernize their endpoint and device management posture while enabling organizations to reduce costs.

Bridewell—Winner
Cloud4C
Devicie
InSpark
Shanghai Flyingnets Information Technology Co., LTD.

Security Customer Champion

Partners that go above and beyond to drive customer impact and that have a proven track record of customer obsession and success.

EY—Winner
1Password
Cyclotron
Epiq
Threatscape

Security Changemaker

Individuals within partner organizations who have made a remarkable security contribution to the company or the larger security community.

Micah Heaton, Executive Director, BlueVoyant—Winner
Federico Charosky, Chief Executive Officer, Quorum Cyber
Femke Cornelissen, Chief Copilot, Wortell
Harman Kaur, Vice President (VP) of Artificial Intelligence, Tanium
Sharon Ko, VP of Product Management, Armor

Diversity in Security

Partners that have demonstrated a significant commitment to enhancing diversity, equity, and inclusion to better serve security customers and foster change in the industry.

LTIMindtree Ltd—Winner
BUI
Jamf
Orange Cyberdefense
Silverfort

Security ISV of the Year

Independent software vendors (ISVs) that are all-around powerhouses and have innovative security solutions that integrate with a MISA-qualifying security product and demonstrate differentiated value and excellent customer experiences.

Netskope—Winner
ContraForce
Delinea
Kovrr
Tanium

Security MSSP of the Year

Managed security service providers (MSSPs) that are all-around powerhouses with strong integration between Microsoft products and ongoing managed security services and drive new security workloads, pipeline, usage, and consumption.

Quorum Cyber—Winner
baseVISION AG
glueckkanja AG
Performanta
Transparity

Meet the award presenters

This year’s awards were presented by Microsoft executives who recognize and support the critical role our partners play in cybersecurity:

Security Trailblazer: Andrew Conway, Vice President, Security Business and Marketing

Data Security and Compliance Trailblazer: Herain Oberoi, General Manager, Data Security, Governance, Compliance, Privacy Business and Marketing

Identity Trailblazer: Irina Nechaeva, General Manager, Identity and Network Access

Endpoint Management Trailblazer: Talal Alqinawi, Senior Director, Product Marketing Intune

Security Customer Champion: Nicole Ford, Vice President, Customer Security Officer

Security Changemaker: Vasu Jakkal, Corporate Vice President, Security Business

Diversity in Security: Dorothy Li, Corporate Vice President Security Copilot, Ecosystem and Marketplace

Security ISV of the Year: Steve Dispensa, Corporate Vice President Security Business Development

Security MSSP of the Year: Alym Rayani, Vice President Security GTM

Looking ahead: Stronger together

Congratulations again to this year’s winners and many thanks to all who were able to join us for a special evening celebrating our cybersecurity superheroes. Their dedication and expertise help us all move forward in our shared mission to build a safer, more secure world for everyone.

For anyone attending RSAC Conference from April 28 to May 1, 2025, be sure to stop by the Microsoft Booth 5744 North Expo where MISA members will be showcasing their solutions at our MISA demo station and the Microsoft Theater. Don’t miss these informative sessions:

Wortell—Unified SecOps: Defending Critical Infrastructure with Microsoft Defender. Tuesday, April 29, 2025, 3:00 PM PT to 3:20 PM PT.
Contraforce—Be Fast as Lightning: Automate Microsoft Defender XDR and Microsoft Sentinel Service Delivery. Tuesday, April 29, 2025, 3:30 PM PT to 3:50 PM PT.
Microsoft Security—Unlocking Opportunities: A Guide to Partnering with Microsoft. Wednesday, April 30, 2025, 11:30 AM PT to 11:50 AM PT.
EY—EY Security Copilot Powered Solutions. Wednesday, April 30, 2025, 12:00 PM PT to 12:20 PM PT.
Netskope—Simplifying Data Security for the Modern Network with Microsoft Purview and Netskope One. Wednesday, April 30, 2025, 5:30 PM PT to 5:50 PM PT.
Oxford Computer Group—Creating Bespoke Identity Governance Solutions with Microsoft Entra Suite. Thursday, May 1, 2025, 11:30 AM PT to 11:50 AM PT.

Learn more

Learn more about the Microsoft Intelligent Security Association.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft announces the 2025 Security Excellence Awards winners appeared first on Microsoft Security Blog.

Categories: Microsoft

Faster, more personalized service begins at the frontline with Microsoft Intune

Microsoft Malware Protection Center - Mon, 04/28/2025 - 12:00pm

In healthcare, patient trust often begins at the frontline with people who deliver care, respond to questions, and manage crucial in-the-moment decisions. Increasingly, those experiences are shaped by the tools frontline workers use. When devices are secure, responsive, and tailored to clinical workflows, they enable faster, more informed, and more compassionate care.

For chief technology officers (CTOs), this raises important questions: How can frontline devices enhance productivity and responsiveness? And just as critically, how can organizations ensure those devices are secure, compliant, and ready to go at a moment’s notice?

Healthcare isn’t alone in these challenges. Industries like retail, where frontline teams also engage directly with the public in fast-paced, high-stakes environments, face similar pressures around device management, security, and scalability. This blog focuses on how modern endpoint management supports care and delivery at the frontline, with parallel insights drawn from the retail world to highlight shared strategies and solutions.

Learn how Microsoft Intune can help your organization securely manage frontline devices.

Microsoft Intune

Secure and manage every device from one place.

Learn more Why endpoint management matters at the frontline

Every frontline interaction is a potential brand moment that impacts trust and outcomes. A poor experience can ripple quickly, but the right tools in the hands of frontline staff can lead to faster, more personalized service. To deliver those experiences at scale, CTOs should consider three foundational principles for frontline device strategy:

Recognize that many devices are shared. With shift-based work, secure and seamless sign-on backed by a Zero Trust approach helps provide the right person access to the right tools, without delay.
Use a cloud-native approach to manage all devices. Whether company-issued or bring-your-own device (BYOD), cross-platform management keeps devices are up-to-date and ready to go, reducing setup times and support tickets.
Embrace innovations like Microsoft Copilot and Microsoft 365. AI-powered tools and Cloud PCs help organizations scale faster, enhance security, and give workers access to the latest experiences, without disruption.

Now let’s explore what this looks like in practice, starting with healthcare.

Healthcare in focus: Modern management for care delivery

In healthcare, frontline workers rely on shared devices that must be secure, personalized, and compliant. Microsoft Intune has helped hospitals like Milton Keynes University Hospital implement endpoint management for shared tablets used in nurse stations—tools that support real-time monitoring and communication.

Because staff rotate across shifts, easy sign-in is essential, and devices must only receive updates during defined maintenance windows. These shared tablets also require network restrictions and strict access controls to meet security standards without interrupting care.

Intune also supports iPad OS and configuration, helping frontline staff access patient information quickly and securely at the bedside, reducing friction and improving the overall care experience.

With AI-powered tools like Microsoft Copilot in Intune, healthcare IT teams can proactively identify issues, troubleshoot devices, and maintain compliance, all while reducing operational burden. As new AI agent capabilities emerge, they’ll enable even faster remediation of vulnerabilities, protecting sensitive patient data in an evolving cyberthreat landscape.

And with Windows 365 Frontline, healthcare organizations can provide scalable, secure access to virtual desktops for rotating clinical staff, delivering performance without the need to deploy and manage a physical device for every user.

Retail in focus: Elevating service and speed on the store floor

In retail environments, every frontline interaction is a brand opportunity, and device performance can make or break that moment.

At the National Retail Federation (NRF) conference in January 2025, companies like IKEA and Levi’s showcased how giving employees access to personalized devices helps them visualize products with customers and provide more tailored service.

Retail staff often rely on shared devices across shifts, so it’s critical that sign-in is fast, interfaces are familiar, and access is secure but streamlined. Temporary session PINs and pre-configured apps let employees start working, and serving customers, immediately.

At Schwarz Group (which includes 575,000 employees across 13,900 stores in 32 countries, including the Lidl and Kaufland retail brands) Intune supports staging and managing tens of thousands of employee devices. IT can remotely provision new devices with pre-defined configurations, eliminating time-consuming setups and ensuring tools are ready before the employee even logs in.

Retailers can also take advantage of Windows 365 Cloud PCs and Windows 365 Frontline to give employees secure access to key tools across locations and shifts, while simplifying management and keeping costs down.

Streamline and secure your device ecosystem with Microsoft Intune A better frontline experience leads to better outcomes

Whether it’s a customer shopping in store or a patient receiving care, the frontline experience shapes how people perceive your organization. When frontline tools are secure, responsive, and tailored to the user, staff can serve with confidence—and people feel the difference.

Now is the time to reassess your endpoint strategy. For healthcare organizations, secure, cloud-native device management can be one of the most powerful levers for improving patient outcomes and operational efficiency. And for industries with similar frontline demands, like retail, the same principles can deliver meaningful gains in speed, security, and customer satisfaction.

Explore how other leading organizations are benefiting from modern, cloud-native endpoint management. For more, check out Intune’s recent “From the frontlines” blog for retail or for healthcare, or other examples of Intune customer stories.

Learn more

Learn more about Microsoft Intune.

The post Faster, more personalized service begins at the frontline with Microsoft Intune appeared first on Microsoft Security Blog.

Categories: Microsoft

Explore practical best practices to secure your data with Microsoft Purview

Microsoft Malware Protection Center - Fri, 04/25/2025 - 12:00pm

According to the Microsoft 2024 Data Security Index, organizations experience an average of 156 data security incidents annually, and this cyberthreat continues to be a top concern for data security decision-makers.1 A full 82% of security decision-makers believe a comprehensive, fully integrated platform is superior to managing multiple isolated tools. Yet on average, teams are juggling 12 different data security solutions, creating complexity that increases their vulnerability.1

Also, as organizations increasingly turn to generative AI tools, the risk of sensitive data exposure or unauthorized use grows. This shift makes broad visibility into data risks across the digital landscape not only important—but essential. To effectively safeguard data in today’s environment, organizations need a robust and integrated data security strategy, bringing together data and user context across cloud apps, services, devices, AI tools, and more. Achieving this requires a holistic approach—one that unifies people, processes, and technology to protect what matters most.

At Microsoft, we help empower data security leaders to keep their most valuable assets—data—safe, and now we’re publishing Securing your data with Microsoft Purview: A practical handbook. This guide is designed for data security leaders to initiate and enhance data security practices, leveraging the extensive experience of Microsoft subject matter experts (SMEs) and relevant customer insights. The guide aims to help customers efficiently and effectively implement data security with Microsoft Purview, maximizing the solution’s value by focusing on a integrated strategy.

Learn more with Securing your data with Microsoft Purview: A practical handbook Stronger data security begins with a clear plan

Data security is critically important and with the right approach, it doesn’t need to be overly complicated. As in the implementation of any technology, when securing data, proper preparation can help organizations avoid major roadblocks and realize greater efficiency and value going forward. The guide we’re sharing can help data security teams frame their goals and prioritize opportunities that are actionable, attainable, and can lead to quick wins—such as effective initial policies and greater organizational commitment to data security goals.

Every organization faces unique data security challenges and have varying levels of risk tolerance. However, a universal struggle remains: balancing employee productivity with robust data security. This guide walks leaders through several key considerations for creating data security goals that integrate business objectives and compliance needs. It also provides insights on how to collaborate across the organization to understand the full scope of data security requirements and develop a cross-functional team of stakeholders.

Lastly, preparation also includes defining what success will look like for your organization’s data security strategy. The guide helps leaders choose clear metrics for evaluating the effectiveness of their data security deployments with Microsoft Purview and includes examples of success metrics to consider. Additionally, the guide helps organizations focus on resolving their biggest data security risks first, while allowing the flexibility to modify, add, or change success metrics as challenges and maturity level change.

Read the guide: Securing your data with Microsoft Purview Leveraging Microsoft Purview to secure your organization’s data

Once organizations set goals and prioritize data security opportunities, it’s time to assess their environment and implement robust protections to secure their data.

Teams today are under constant pressure to protect sensitive data from leaks, unintentional oversharing, insider cyberthreats and more—all while enabling collaboration and innovation. Businesses need tools to understand where their data is, who’s accessing it, and how it’s being used. With advanced detection and prevention capabilities, companies can identify potential risks before they become incidents—whether it’s an employee sharing confidential information externally or sensitive data being stored in the wrong location. By automating policy enforcement and surfacing actionable insights, companies can reduce human error, strengthen their data security posture, and respond swiftly to emerging cyberthreats, without disrupting everyday workflows.

With Microsoft Purview, organizations can aim to establish a strong data security program by uncovering hidden risks to data throughout its lifecycle, safeguarding against data loss, and mitigating risks from both internal and external security incidents. To successfully leverage these capabilities, the guidance included in the asset walks us through a deeply integrated suite of products, ensuring a cohesive approach to data security.

This practical guide will enable data security teams to get up to speed with Microsoft Purview’s integrated set of solutions and establish a strong data security program from the start. From understanding your organization’s data to developing policies that align with the business and compliance needs of your organization, there are several steps to take to ensure data security programs are better set up for success. This guide is designed to empower data security teams to confidently establish the right strategy to secure their organization’s data, from policy design to implementation, troubleshooting, and continual improvement—providing a comprehensive approach for organizations to prevent data risks.

Discover more with Securing your data with Microsoft Purview: A practical handbook The next steps on your data security journey

Once your organization has deployed Microsoft Purview and navigated the initial steps, you’ll be well poised to go deeper into adjacent opportunities and scenarios to further protect your organization.

From empowering data security teams and deep-content investigation with the application of generative AI, to integrating data security into the Security Operations Center experience, continuing your data security journey with intentionality can lead to enhanced protection and operational efficiency. Looking across the other aspects of data within an organization is also crucial, as data compliance and data governance complement data security—ensuring comprehensive protection and management of data across its lifecycle, while meeting regulatory requirements and unlocking value creation from data.

Securing your organization’s data is not just about implementing the right tools, but also about fostering a culture of security awareness and collaboration. By leveraging Microsoft Purview and following the best practices outlined in this guide, you can create a robust data security strategy that protects your valuable assets and supports your business objectives. Remember, data security is a continuous journey, and with the right approach, you can navigate it successfully.

Download Securing your data with Microsoft Purview: A practical handbook and set up your organization for a successful implementation today.

To learn more about our latest data security innovations, check out the Microsoft Secure announcement blog for more news across Microsoft Purview.

Learn more with Microsoft Security

1Microsoft 2024 Data Security Index: The Risk of AI, Threatscape.

The post Explore practical best practices to secure your data with Microsoft Purview appeared first on Microsoft Security Blog.

Categories: Microsoft

New whitepaper outlines the taxonomy of failure modes in AI agents

Microsoft Malware Protection Center - Thu, 04/24/2025 - 12:00pm

We are releasing a taxonomy of failure modes in AI agents to help security professionals and machine learning engineers think through how AI systems can fail and design them with safety and security in mind.

The taxonomy continues Microsoft AI Red Team’s work to lead the creation of systematization of failure modes in AI; in 2019, we published one of the earliest industry efforts enumerating the failure modes of traditional AI systems. In 2020, we partnered with MITRE and 11 other organizations to codify the security failures in AI systems as Adversarial ML Threat Matrix, which has now evolved into MITRE ATLAS™. This effort is another step in helping the industry think through what the safety and security failures in the fast-moving and highly impactful agentic AI space are.

Taxonomy of Failure Mode in Agentic AI Systems

Microsoft's new whitepaper explains the taxonomy of failure modes in AI agents, aimed at enhancing safety and security in AI systems.

Read the whitepaper

To build out this taxonomy and ensure that it was grounded in concrete and realistic failures and risk, the Microsoft AI Red Team took a three-prong approach:

We catalogued the failures in agentic systems based on Microsoft’s internal red teaming of our own agent-based AI systems.
Next, we worked with stakeholders across the company—Microsoft Research, Microsoft AI, Azure Research, Microsoft Security Response Center, Office of Responsible AI, Office of the Chief Technology Officer, other Security Research teams, and several organizations within Microsoft that are building agents to vet and refine this taxonomy.
To make this useful to those outside of Microsoft, we conducted systematic interviews with external practitioners working on developing agentic AI systems and frameworks to polish the taxonomy further.

To help frame this taxonomy in a real-world application for readers, we also provide a case study of the taxonomy in action. We take a common agentic AI feature of memory and we walk through how an cyberattacker could corrupt an agent’s memory and use that as a pivot point to exfiltrate data.

Figure 1. Failure modes in agentic AI systems.

Core concepts in the taxonomy

While identifying and categorizing the different failure modes, we broke them down across two pillars, safety and security.

Security failures are those that result in core security impacts, namely a loss of confidentiality, availability, or integrity of the agentic AI system; for example, such a failure allowing a threat actor to alter the intent of the system.
Safety failure modes are those that affect the responsible implementation of AI, often resulting in harm to the users or society at large; for example, a failure that causes the system to provide differing quality of service to different users without explicit instructions to do so.

We then mapped the failures along two axes—novel and existing.

Novel failure modes are unique to agentic AI and have not been observed in non-agentic generative AI systems, such as failures that occur in the communication flow between agents within a multiagent system.
Existing failure modes have been observed in other AI systems, such as bias or hallucinations, but gain in importance in agentic AI systems due to their impact or likelihood.

As well as identifying the failure modes, we have also identified the effects these failures could have on the systems they appear in and the users of them. Additionally we identified key practices and controls that those building agentic AI systems should consider to mitigate the risks posed by these failure modes, including architectural approaches, technical controls, and user design approaches that build upon Microsoft’s experience in securing software as well as generative AI systems.

The taxonomy provides multiple insights for engineers and security professionals. For instance, we found that memory poisoning is particularly insidious in AI agents, with the absence of robust semantic analysis and contextual validation mechanisms allows malicious instructions to be stored, recalled, and executed. The taxonomy provides multiple strategies to combat this, such as limiting the agent’s ability to autonomously store memories by requiring external authentication or validation for all memory updates, limiting which components of the system have access to the memory, and controlling the structure and format of items stored in memory.

Read the new “Taxonomy of Failure Mode in Agentic AI Systems” whitepaper How to use this taxonomy

For engineers building agentic systems:
- We recommend that this taxonomy is used as part of designing the agent, augmenting the existing Security Development Lifecycle and threat modeling practice. The guide helps walk through the different harms and the potential impact.
- For each harm category, we provide suggested mitigation strategies that are technology agnostic to kickstart the process.
For security and safety professionals:
- This is a guide on how to probe AI systems for failures before the system launches. It can be used to generate concrete attack kill chains to emulate real world cyberattackers.
- This taxonomy can also be used to help inform defensive strategies for your agentic AI systems, including providing inspiration for detection and response opportunities.
For enterprise governance and risk professionals, this guide can help provide an overview of not just the novel ways these systems can fail but also how these systems inherit the traditional and existing failure modes of AI systems.

Learn more

Like all taxonomies, we consider this a first iteration and hope to continually update it, as we see the agent technology and cyberthreat landscape change. If you would like to contribute, please reach out to airt-agentsafety@microsoft.com.

The taxonomy was led by Pete Bryan; the case study on poisoning memory was led by Giorgio Severi. Others that contributed to this work: Joris de Gruyter, Daniel Jones, Blake Bullwinkel, Amanda Minnich, Shiven Chawla, Gary Lopez, Martin Pouliot, Whitney Maxwell, Katherine Pratt, Saphir Qi, Nina Chikanov, Roman Lutz, Raja Sekhar Rao Dheekonda, Bolor-Erdene Jagdagdorj, Eugenia Kim, Justin Song, Keegan Hines, Daniel Jones, Richard Lundeen, Sam Vaughan, Victoria Westerhoff, Yonatan Zunger, Chang Kawaguchi, Mark Russinovich, Ram Shankar Siva Kumar.

The post New whitepaper outlines the taxonomy of failure modes in AI agents appeared first on Microsoft Security Blog.

Categories: Microsoft

Understanding the threat landscape for Kubernetes and containerized assets

Microsoft Malware Protection Center - Wed, 04/23/2025 - 12:00pm

The dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, presenting an opportunity for attackers to stay undetected. Microsoft Threat Intelligence has observed threat actors taking advantage of unsecured workload identities to gain access to resources, including containerized environments. Microsoft data showed that in the past year, 51% of workload identities were completely inactive, representing a potential attack vector for threat actors.

Microsoft released and updated the threat matrix for Kubernetes, an active knowledge base for security threats that target Kubernetes clusters, to systematically map the attack surface of Kubernetes. We also worked with MITRE to develop the ATT&CK® for Containers matrix in 2021. As the adoption of containers-as-a-service among organizations rises, Microsoft Threat Intelligence continues to monitor the unique security threats that affect containerized environments.

Threats in Kubernetes environments

Containerized assets (including Kubernetes clusters, Kubernetes nodes, Kubernetes workloads, container registries, container images, and more) are at risk of several different types of attacks. To fully secure containerized workloads, organizations must secure the containers and the code running within them, software dependencies and libraries, continuous integration and continuous delivery (CI/CD) pipelines, runtime, and more.

Threats in Kubernetes environments can come from six primary areas:

Compromised accounts: In cases where Kubernetes clusters are deployed in public clouds (such as Azure Kubernetes Service (AKS) or Google Kubernetes Engine (GKE)), compromised cloud credentials could lead to cluster takeover, as attackers who have access to account credentials can get access to the cluster’s management layer.
Vulnerable or misconfigured images: Images that are not updated regularly might contain vulnerabilities that can be exploited in malicious attacks.
Environment misconfigurations: An attacker with access to the Kubernetes API, either through exposed management interfaces or lack of appropriate authentication/authorization controls, could completely take down the server, deploy malicious containers, or hijack the entire cluster.
App-level attacks: Applications could be exploited through several typical methods, such as SQL injection, cross-site scripting, and remote file inclusion.
Node-level attacks: Attackers can gain initial access through nodes (host machines that containers run on) that run on vulnerable code or software, have open management interfaces such as SSH, or run commands from the cloud control plane. There is also the risk of pod escape, where a compromised pod can provide access to the node or to other pods in the cluster.
Unauthorized traffic: Insecure networking between the different containers within the cluster and between the pods and outside world could be subject to malicious traffic if not secured.

Figure 1. Overview of attacks against Kubernetes environments Case study: Password spray attack leads to containers being used for cryptomining

In the past year, Microsoft Threat Intelligence has observed AzureChecker threats (tracked as Storm-1977) launching password spray attacks against cloud tenants in the education sector. The attack involves the use of AzureChecker.exe, a Command Line Interface (CLI) tool that is being used by a wide range of threat actors.

We observed that AzureChecker.exe connected to sac-auth[.]nodefunction[.]vip to download AES-encrypted data that when decrypted reveals the list of password spray targets. The tool then also accepted the file accounts.txt, which contained the username and password combinations to be used for the attack, as input. The threat actor then used the information from both files and posted the credentials to the target tenants for validation.

Microsoft Threat Intelligence was able to observe an instance of successful account compromise and found that the threat actor leveraged a guest account to create a resource group within the compromised subscription. The threat actor then created more than 200 containers within the resource group and used them for cryptomining activity.

Securing containerized environments

The following best practices can help secure containerized assets against commonly observed threats.

Secure code prior to deployment

Ensuring that containers have secure code prior to deployment is essential to preventing issues during deployment and runtime. To facilitate this, Microsoft Defender for Cloud scans container images for vulnerabilities and misconfigurations and alerts customers of issues before a container is deployed.

Defender for Cloud DevOps also provides visibility into the security posture of the CI/CD platform. Additional best practices such as restricting access to DevOps tooling, using a secret store instead of hard-coding secrets in code or documentation, and using hardened DevOps workstations to build and deploy code can help prevent security issues before code is deployed.

Secure container deployment and runtime

Container deployment refers to the phase of the lifecycle where container images are pulled from the static container registry to be run on virtual machines hosts. During deployment, you should ensure the following best security practices:

Ensure containers are immutable: Prevent patches from running containers whenever possible. As best practice, if you notice that a running container needs updates, you should rebuild the image and deploy the new container. Introducing new code in running containers can introduce new vulnerabilities, bypass secure development lifecycle protections, as well as pose an operational risk in case a container is restarted and run again with the original container image content without any runtime modifications.
Leverage Admission Controllers: Configure policies to prevent containers from being deployed from untrusted registries, from running out of alignment with the minimal Pod Security Standard that fits the pod requirement (such as restricting root privileges), and from utilizing too many resources in the event of a denial-of-service attack. These can be enforced with Azure Policy Add-On for Kubernetes.
Gate deployments of vulnerable images: Ensure that the containers being deployed are free of vulnerabilities and misconfigurations by running a vulnerability scan in the Build and Ship phases. Any image with high or critical severity vulnerabilities should be blocked from deployment.

Container runtime refers to the phase of the lifecycle where containers are running on the virtual hosts. During runtime, monitor your running containers for any new vulnerabilities that might have been introduced during runtime. In cases where a container image was not scanned in build time or in registry before being deployed to the cluster, Microsoft Defender Vulnerability Management supports Azure vulnerability assessments .

Additionally, monitor each node, pod, and container during runtime for any sort of anomalous or malicious activity that may be occurring:

Look for malicious API calls and unusual activity using a monitoring system to identify any unusual Kubernetes API server requests for malicious activity. Defenders can query Kubernetes API calls in Defender XDR advanced hunting using the CloudAuditEvents table.
For AKS clusters, Container Insights offers the ability to collect Syslog events from Linux nodes, to then be accessed within Azure’s built-in workbooks.

Defender for Containers’ Agentless discovery for Kubernetes provides API-based discovery of Kubernetes clusters, their configurations, and deployments. Defender for Cloud also identifies runtime threats at both the API level and the workload level. Additionally, organizations can use Microsoft Defender for Cloud to identify and remediate attack paths to address any potential attack vectors.

Secure user accounts and permissions

Attackers are increasingly using compromised identities for initial access and for establishing long-term persistence within an environment. If a compromised user has access to Kubernetes services, an attacker could use that identity to access those services using portal access or the command-line interface. In cases where Kubernetes clusters are deployed in public clouds (such as AKS in Azure or GKE in Google Cloud Platform (GCP)), compromised cloud credentials could lead to cluster takeover as attackers who have access to account credentials can get access to the cluster’s management layer.

The following recommendations, focused on requiring strong authentication to services and following the principle of least privilege, can help secure cloud credentials from compromise:

Use strong authentication when exposing sensitive interfaces to the internet. For example, attacks were observed against exposed Kubeflow and Argo workloads that were not configured to use OpenID Connect or other authentication methods.
Use strong authentication methods to the Kubernetes API to help prevent attackers from gaining access to the cluster even if valid credentials such as kubeconfig were achieved. For example, in AKS use Entra ID authentication instead of basic authentication. By using Entra ID authentication, a short-lived credential of the cluster is retrieved after authenticating to Entra ID.
Avoid using the read-only endpoint of Kubelet in port 10255, which doesn’t require authentication. In newer versions of managed clusters, this port is disabled.
Implement multifactor authentication (MFA).
Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions. This applies also to other external authorization providers such as Azure RBAC in AKS.
In a managed cluster, Kubernetes credentials are often retrieved or generated by the cloud provider through API call. To reduce the attack surface, grant permissions to the cloud provider API only to necessary accounts. In the case of Azure, make sure that only required identities have permissions to call: /subscriptions/resourceGroups/providers/Microsoft.ContainerService/managedClusters/listClusterUserCredential
The kubeconfig file can contain credentials of accounts that allow interaction with a cluster. By applying the least privilege principle to all accounts, you can limit the impact of an account compromised through the kubeconfig file. To further limit misuse of the kubeconfig file, enable Microsoft Entra-based authentication to AKS and disable the local admin account, avoiding the use of the kubeconfig file altogether.

The Kubernetes project also lists the following recommendations for permissions and role assignment best practices:

Avoid wildcard permissions, especially to all resources.
Use RoleBinding instead of ClusterAdminBinding to give access within a namespace.
Avoid adding users to the system:master group as it bypasses RBAC.
Use impersonation rights for admins instead of adding to the cluster admin role. Audit and monitor when impersonation is being done.
Avoid granting the escalate or bind permissions to roles when not needed, audit and monitor when escalation is being made.
Avoid adding users to the system:unauthenticated group.
Limit permissions to issue certificate signing requests (CSR) and certificates.
Avoid granting users with create rights on service accounts/token, which could be exploited to create TokenRequests and issue tokens for existing service accounts.
Users with control over validatingwebhookconfigurations or mutatingwebhookconfigurations can control webhooks that can read any object admitted to the cluster, and in the case of mutating webhooks, also mutate admitted objects

Secure container images

Secure the CI/CD environment. Secure code repositories and CI/CD environment by placing gates to restrict unauthorized access and modification of content. This can include enforcing RBAC permissions to access and make changes to code, artifacts and build pipelines, ensure governed process for pull-request approval, apply branch policies and others.
Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies. By ensuring consistent and comprehensive image assurance policy across the build, ship, and run development stages. One approach of ensuring images pass assurance or compliance checks it to sign the container images, so the image signature can be checked downstream when deploying to Kubernetes clusters at runtime.
Take and store data backups from pod-mounted volumes for critical workloads. Ensure backup and storage systems are hardened and kept separate from the Kubernetes environment to prevent compromise.

Restrict network traffic

The Kubernetes API server is the gateway to the cluster. Restricting access to the API server, as well as restricting how pods can communicate, can prevent unwanted access to the clusters management, even if an adversary gained valid credentials to the cluster. The following best practices can help harden clusters against attacks.

Restrict access to the API server using intrusion detection signatures, network policies, and a web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster. In managed clusters, cloud providers often support native built-in firewalls, which can restrict the IP addresses that are allowed to access the API server.
- Implement a Next-Generation Firewall (NGFW) such as Azure Firewall, which offers a solution for AKS to monitor inbound and outbound traffic. You can integrate Azure Firewall as well as several third-party firewalls into Azure Sentinel to accumulate all logs into a centralized location. AKS also supports Retina, a cloud-agnostic platform for analysis of Kubernetes’ workload traffic.
- Use Kubernetes network policies to control traffic and manage how pods communicate.
- Adapt a network intrusion prevention solution to a Kubernetes environment if needed, in order to route network traffic destined to services through the security solution. In some cases, this can be done by deploying a containerized version of a network intrusion prevention solution to the Kubernetes cluster and be part of the cluster network, and in some cases, routing ingress traffic to Kubernetes services through an external appliance, requiring that all ingress traffic only come from such an appliance.
Enable Just In Time (JIT) access to the API server through Microsoft Entra conditional access. Employing JIT elevated access to the Kubernetes API server helps reduce the attack surface by allowing access only at specific times, and through a governed escalation process. Enabling JIT access in Kubernetes is often done together with OpenID authentication, which includes processes and tools to manage JIT access. One example of such OpenID authentication is Azure Active Directory authentication to Kubernetes clusters. The JIT approval is performed in the cloud control plane level. Therefore, even if attackers have access to account credentials, their access to the cluster is limited.
Limit access to services over network. Avoid exposing sensitive interfaces insecurely to the internet or limit access to it. Sensitive interfaces include management tools and applications that allow the creation of new containers in the cluster. Some of those services do not use authentication by default and are not intended to be exposed. Examples of services that were exploited include Weave Scope, Apache NiFi, and more.
- If services need to be exposed to the internet and are exposed using a LoadBalancer service, use IP restriction (loadBalancerSourceRanges) when possible. This reduces the attack surface of the application and can prevent attackers from being able to reach the sensitive interfaces.

Detection details Microsoft Defender for Cloud

Microsoft Defender for Containers provides security alerts on the cluster level and on the underlying cluster nodes by monitoring both the control plane (the API server) and the containerized workload itself.

Exposed Postgres service with trust authentication configuration in Kubernetes detected (Preview)
Exposed Postgres service with risky configuration in Kubernetes detected (Preview)
Attempt to create a new Linux namespace from a container detected
A history file has been cleared
Abnormal activity of managed identity associated with Kubernetes (Preview)
Abnormal Kubernetes service account operation detected
An uncommon connection attempt detected
Attempt to stop apt-daily-upgrade.timer service detected
Behavior similar to common Linux bots detected (Preview)
Command within a container running with high privileges
Container running in privileged mode
Container with a sensitive volume mount detected
CoreDNS modification in Kubernetes detected
Creation of admission webhook configuration detected
Detected file download from a known malicious source
Detected suspicious file download
Detected suspicious use of the nohup command
Detected suspicious use of the useradd command
Digital currency mining container detected
Digital currency mining related behavior detected
Docker build operation detected on a Kubernetes node
Exposed Kubeflow dashboard detected
Exposed Kubernetes dashboard detected
Exposed Kubernetes service detected
Exposed Redis service in AKS detected
Indicators associated with DDOS toolkit detected
K8S API requests from proxy IP address detected
Kubernetes events deleted
Kubernetes penetration testing tool detected
New container in the kube-system namespace detected
New high privileges role detected
Possible attack tool detected
Possible backdoor detected
Possible command line exploitation attempt
Possible credential access tool detected
Possible Cryptocoinminer download detected
Possible Log Tampering Activity Detected
Possible password change using crypt-method detected
Potential port forwarding to external IP address
Potential reverse shell detected
Privileged container detected
Process associated with digital currency mining detected
Process seen accessing the SSH authorized keys file in an unusual way
Role binding to the cluster-admin role detected
Security-related process termination detected
SSH server is running inside a container
Suspicious file timestamp modification
Suspicious request to Kubernetes API
Suspicious request to the Kubernetes Dashboard
Potential crypto coin miner started
Suspicious password access
Possible malicious web shell detected
Burst of multiple reconnaissance commands could indicate initial activity after compromise
Suspicious Download Then Run Activity
Access to kubelet kubeconfig file detected
Access to cloud metadata service detected
MITRE Caldera agent detected

Recent updates to Microsoft Defender for Cloud enhance its container security capabilities from development to runtime. Defender for Cloud now offers enhanced discovery, providing agentless visibility into Kubernetes environments, tracking containers, pods, and applications. The updates also strengthen security posture through continuous and granular scanning from build to runtime, helping maintain compliance and secure configurations across the SDLC.

Defender for Cloud’s native integration with Defender XDR enables threat protection with real-time monitoring, prioritizing vulnerabilities based on risk and enabling SOC analysts to detect and respond to threats faster through rich contextual insights and cloud-native response tools

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint also detects threats on endpoints running container hosts, focusing on suspicious behavior commonly observed on endpoints, including stealing locally stored credentials for accessing the cloud, downloading and running malicious images, and privilege escalation from dockers to hosts.

Microsoft Defender External Attack Surface Management

Microsoft Defender External Attack Surface Management detects Docker and Kubernetes instances with known vulnerabilities or misconfigurations using the following alerts:

ASI: Open Docker Daemon API Service
ASI: Unauthenticated Kubelet API

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries

In addition to the below hunting queries, the open-source tool KubiScan, developed by CyberArk Labs, can be used to scan clusters for risky permissions and users. Results can be used to manage RBAC within the environment and eliminate unnecessary permissions; it can also be used in incident response to identify the potential exposure of compromised users.

Microsoft Defender XDR

In addition to viewing alerts and incidents within Defender XDR, you can now use Azure Resource Manager (ARM) logs as well as Kubernetes audits logs for further investigation using the advanced hunting capabilities.

If a hunting query provides a good indicator of malicious or unsanctioned activity in your environment, you can create a custom rule detection in the Defender XDR portal by going to the Advanced unting page > Manage rules > Create custom detection.

Privileged pod deployment

The following query surfaces deployment of a privileged pod:

CloudAuditEvents | where Timestamp > ago(1d) | where DataSource == "Azure Kubernetes Service" | where OperationName == "create" | where RawEventData.ObjectRef.resource == "pods" and isnull(RawEventData.ObjectRef.subresource) | where RawEventData.ResponseStatus.code startswith "20" | extend PodName = RawEventData.RequestObject.metadata.name | extend PodNamespace = RawEventData.ObjectRef.namespace | mv-expand Container = RawEventData.RequestObject.spec.containers | extend ContainerName = Container.name | where Container.securityContext.privileged == "true" | extend Username = RawEventData.User.username | project Timestamp, AzureResourceId , OperationName, IPAddress, UserAgent, PodName, PodNamespace, ContainerName, Username

Exec command

The following query identifies use of the exec command in the kube-system namespace:

CloudAuditEvents | where Timestamp > ago(1d) | where DataSource == "Azure Kubernetes Service" | where OperationName == "create" | where RawEventData.ObjectRef.resource == "pods" and RawEventData.ResponseStatus.code == 101 | where RawEventData.ObjectRef.namespace == "kube-system" | where RawEventData.ObjectRef.subresource == "exec" | where RawEventData.ResponseStatus.code == 101 | extend RequestURI = tostring(RawEventData.RequestURI) | extend PodName = tostring(RawEventData.ObjectRef.name) | extend PodNamespace = tostring(RawEventData.ObjectRef.namespace) | extend Username = tostring(RawEventData.User.username) | where PodName !startswith "tunnelfront-" and PodName !startswith "konnectivity-" and PodName !startswith "aks-link" | extend Commands = extract_all(@"command=([^\&]*)", RequestURI) | extend ParsedCommand = url_decode(strcat_array(Commands, " ")) | project Timestamp, AzureResourceId , OperationName, IPAddress, UserAgent, PodName, PodNamespace, Username, ParsedCommand

Cluster-admin role binding

The following query identifies the creation of cluster-admin role binding:

CloudAuditEvents | where Timestamp > ago(1d) | where OperationName == "create" | where RawEventData.ObjectRef.resource == "clusterrolebindings" | where RawEventData.ResponseStatus.code startswith "20" | where RawEventData.RequestObject.roleRef.name == "cluster-admin" | mv-expand Subject = RawEventData.RequestObject.subjects | extend SubjectName = tostring(Subject.name) | extend SubjectKind = tostring(Subject["kind"]) | extend BindingName = tostring(RawEventData.ObjectRef.name) | extend ActionTakenBy = tostring(RawEventData.User.username) | where ActionTakenBy != "acsService" //Remove FP | project Timestamp, AzureResourceId , OperationName, ActionTakenBy, IPAddress, UserAgent, BindingName, SubjectName, SubjectKind References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Understanding the threat landscape for Kubernetes and containerized assets appeared first on Microsoft Security Blog.

Categories: Microsoft

Securing our future: April 2025 progress report on Microsoft’s Secure Future Initiative

Microsoft Malware Protection Center - Mon, 04/21/2025 - 11:00am

The Microsoft Secure Future Initiative (SFI) stands as the largest cybersecurity engineering project in history and most extensive effort of its kind at Microsoft. Since inception, we’ve dedicated the equivalent of 34,000 engineers working full-time for 11 months to mitigate risks and address the highest priority security tasks. Now, we are sharing the second SFI progress report, which highlights progress made in our multi-year journey to improve the security posture of Microsoft, our customers, and the industry at large.

Read the latest Secure Future Initiative report

We have made progress across culture and governance by fostering a security-first mindset in every employee and investing in holistic governance structures to address cybersecurity risk across our enterprise.

To better protect our customers, engineering teams across the company are delivering innovation aligned with our security principles, such as the new Secure by Design UX Toolkit which we tested with 20 product teams, rolled out to 22,000 employees, and shared publicly. This toolkit embeds security best practices into product development and is already delivering results. It includes best practices, conversation cards, and workshop tools to help teams build security capability, pinpoint vulnerabilities in products, and prioritize where to focus.

We have also made progress in every engineering pillar and objective, continuously hardening our identity security, reducing the risk of lateral movement across networks and tenants, improving our ability to detect and respond to cyberthreats, and partnering with the industry to protect customers from zero days. Insights and learnings from this progress inform ongoing innovations in our Microsoft Security portfolio—Microsoft Entra, Microsoft Defender, and Microsoft Purview—that helps better protect customers and Microsoft.

To better protect signing keys, in September 2024 we announced that we have moved Entra ID and Microsoft Account (MSA) access token signing keys to hardware-based security modules (HSMs) and virtualization-based security in Windows, with automatic rotation. Since then, we’ve applied new defense-in-depth protections in response to our Red Team research and assessments, migrated the MSA signing service to Azure confidential VMs, and are migrating Entra ID signing service to the same. Each of these improvements help mitigate the attack vectors that we suspect the actor used in the 2023 Storm-0558 attack on Microsoft.

We have also improved our ability to detect and respond to cyberthreats, adding more than 200 additional detections against top tactics, techniques, and procedures (TTPs), which will be integrated into Microsoft Defender where applicable. Partnering with the security research community proactively discovered 180 vulnerabilities in the high-impact areas of cloud and AI, and expanded our program to address vulnerabilities within a reduced time to mitigate to cover more products, environments, and lower severities.

Key highlights from the full SFI progress report can be found below:

Read the full SFI Progress Report Secure by Design, Default, and in Operations

In this report, you’ll find examples of how we’re building in protections from the start, aligned with our security principles:

New Secure by Design UX Toolkit, tested by 20 product teams and rolled out to 22,000 employees as well as a publicly available version, is helping teams build more secure, user-centered experiences.
The launch of 11 new innovations across Microsoft Azure, Microsoft 365, Windows, and Microsoft Security that help improve security by default.
AI development processes that now include dedicated security and safety reviews led by the Artificial Generative Intelligence Safety and Security Organization.
Applying secure operations practices across our AI systems, as outlined in our Responsible AI Transparency Report.
New policies, behavioral-based detection models, and investigation methods that thwarted $4 billion in fraud attempts.

These advances help protect our customers and Microsoft.

Security-first mindset, company-wide

Security starts with people. In the past year, we’ve activated a security-first culture across every corner of the company, from engineering to operations to customer support.

Every Microsoft employee now has a Security Core Priority tied directly to performance reviews.
50,000 employees have participated in the Microsoft Security Academy to improve their security skills.
99% of employees have completed our Security Foundations and Trust Code courses.

This shift isn’t about compliance, it’s about empowerment. We want every person at Microsoft to understand their role in keeping our customers safe and to have the tools to act on that responsibility.

Stronger governance to manage enterprise-wide risk

In May 2024, we introduced a new governance structure to improve risk visibility and accountability. Since then, we’ve deepened our investment:

We’ve appointed a Deputy Chief Information Security Officer (CISO) for Business Applications, and consolidated responsibility for Microsoft 365 and Experiences and Devices.
All 14 Deputy CISOs across Microsoft have completed a risk inventory and prioritization, creating a shared view of enterprise-wide security risk.

This kind of structure is critical for scale, ensuring security isn’t just centralized, but embedded throughout the organization.

Driving measurable progress across all pillars

We continue to make progress in every pillar and objective. Out of 28 objectives, five are nearing completion, 11 have made significant progress, and we continue to make progress against the rest. As a result of SFI our platforms and services are more secure and we have improved our ability to detect and respond to cyberthreats.

1. Protect identities and secrets: We have improved identity security for Microsoft services and customers

New defense-in-depth protections for Microsoft Entra ID and Microsoft Account (MSA) token signing keys already stored in hardware-based security modules. The Microsoft Account (MSA) signing service has been migrated to Azure confidential VMs.
90% of identity tokens from Microsoft Entra ID for Microsoft apps are validated by one consistent and hardened identity Software Development Kit (SDK).
To mitigate risk from advanced cyberattacks, 92% of employee productivity accounts now use phishing-resistant multifactor authentication (MFA).

2. Protect tenants and isolate production systems: We continue to remove legacy and unused resources, and increase isolation, to reduce the risk of lateral movement

We transitioned more than 88% of resources to Azure Resource Manager, removed a total of 6.3 million tenants (an additional 550,000 since September), and all new tenants are now automatically registered in our security emergency response system.
We use an automated lifecycle management solution for all Microsoft Entra ID applications in the production environment.
Authentication to 4.4 million production environment managed identities is now restricted to specific network locations, further protecting these critical assets.

3. Protect networks: Progress made against all objectives has improved the security of our network and delivered new innovations to help customers protect their networks

More than 99% of network assets have been inventoried and use enhanced security standards.
We continue to add additional layers of defense in depth by applying network isolation and segmentation to our network.
We introduced four new security capabilities to help customers secure their networks: Network Security Perimeter (NSP), DNS Security Extensions (DNSSEC), Azure Bastion Premium, and a private subnet feature.

4. Protect engineering systems: We have improved the security of systems we use to build, test, and deploy code

99.2% of pipelines have a complete inventory, which is enforced at creation and validated within 24 hours.
MFA protects 81% of production code branches through proof-of-presence checks.
Broad adoption of Central Feed Services, which helps to provide developers with a governed open-source feed.

5. Monitor and detect threats: To improve our ability to investigate and respond to cyberthreats

We track 97% of our production infrastructure assets centrally.
Engineering teams continue to adopt our security logging standard, including the two-year minimum retention policy.
We added more than 200 additional detections against top tactics, techniques, and procedures (TTPs). Applicable detections will be integrated into Microsoft Defender.

6. Accelerate response and remediation: We are addressing more vulnerabilities, more quickly, and continue to improve security-related customer communications

73% success rate addressing cloud vulnerabilities in our reduced time to mitigate, with significantly expanded program scope.
As part of Zero Day Quest, researchers identified 180 new vulnerabilities in the high impact areas of cloud and AI, enabling us to address them proactively.
We introduced new processes and playbooks to improve security incident communications to customers.

A future of secure innovation

Progress in cybersecurity is never linear. Cyberthreats evolve. Technology shifts. New risks emerge. But every step we take to secure our platforms is an investment in a safer future, for Microsoft, our customers, and the entire ecosystem.

SFI is how we’re rising to that challenge. We are applying Zero Trust principles, driving security from the engineering core, and sharing what we learn. There is more work ahead and we are committed to the journey.

We also know that security is a team sport. It takes collaboration across customers, partners, and the broader industry to move forward together. As part of our commitment to the broader ecosystem, we’re proud to continue to support initiatives like the CISA Secure by Design pledge, reinforcing our belief that security is the foundation of trust.

Thank you for your trust—and your partnership. Let’s keep building a secure future together.

Read the latest SFI Progress Report Learn more with Microsoft Security

To learn more about Microsoft Security solutions and Microsoft’s Secure Future Initiative, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Securing our future: April 2025 progress report on Microsoft’s Secure Future Initiative appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft’s Secure by Design journey: One year of success

Microsoft Malware Protection Center - Thu, 04/17/2025 - 12:00pm

Cybersecurity is one of the top risks facing businesses. Organizations are struggling to navigate the ever-evolving cyberthreat landscape in which 600 million identity attacks are carried out daily.1 The median time for a cyberattacker to access private data from phishing is 1 hour and 12 minutes, and nation-state cyberattacks are on the rise.2 Organizations also face unprecedented complexity, making security jobs harder—57% of organizations are using more than 40 security tools, which requires significant resourcing and effort to integrate workflows and data.3 These challenges are magnified by the global security talent shortage organizations are facing and there are more than 4 million security jobs unfilled worldwide, rising insider risks, and the rapidly evolving regulatory landscape today.4 These cybersecurity challenges can not only increase significant business disruptions, they can also create devastating economic damages—the cost of cybercrime is expected to grow at 15% year over year, reaching $15.6 trillion by 2029.5

Get the latest Secure Future Initiative updates

In November 2023, to address the evolution of the digital and regulatory landscape, and the unprecedented changes in the cyberthreat landscape, we announced the Microsoft Secure Future Initiative. The Secure Future Initiative (SFI) is a multiyear effort to revolutionize the way we design, build, test, and operate our products and services, to achieve the highest security standards. SFI is our commitment to improve Microsoft’s security posture, thereby improving the security posture of all our customers, and to work with governments and industry to improve the security posture of the entire ecosystem.

Last year, the Cybersecurity and Infrastructure Security Agency (CISA), through its “Secure by Design” pledge, called on the technology industry to prioritize security at every stage of product development and deployment. This approach of embedding cybersecurity in digital delivery from the outset is also reflected in the United Kingdom’s Government’s Cyber Security Strategy as well as in the Australian Cyber Security Centre (ACSC)’s “Essential Eight” mitigation strategies to protect against cyberthreats. Throughout this blog post, the term “Secure by Design” encompasses both “secure by design” and “secure by default.”

Read CISA’s Secure by Design pledge

Microsoft committed to work towards key goals across a spectrum of Secure by Design principles advocated by numerous government agencies around the world. These goals aim to enhance security outcomes for customers by embedding robust cybersecurity practices throughout the product lifecycle. We continue to take our learnings, feed them back into our security standards, and operationalize these learnings as paved paths that can enable secure design and operations at scale. Our SFI updates provide examples of Microsoft’s progress in implementing secure by design, secure by default, and secure in operations principles, and provide best practices based on Microsoft’s own experience, demonstrating our dedication to improving security for customers.

Keep reading to learn about the initiatives Microsoft has undertaken over the past 18 months to support secure by design objectives as part of our SFI initiative. It is organized around our SFI principles to provide our customers and partners with an understanding of the robust security measures we are implementing to safeguard their digital environments.

Enhancing security with multifactor authentication and default password management

Phishing-resistant multifactor authentication provides the most robust defense against password-based cyberattacks, including credential stuffing and password theft. This includes promoting multifactor authentication among customers, implementing it as a default requirement for access, and participating in efforts to establish long-term standards in authentication.

In October 2024, Microsoft implemented mandatory multifactor authentication for the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. Since then, Microsoft has worked with our customers to reduce extensions and rapidly advance multifactor authentication adoption. A key achievement is our progress in eliminating passwords across products. Microsoft has introduced enhancements to streamline authentication and improve sign-in experiences, emphasizing usability and security. Users can now remove passwords from their accounts and use passkeys instead, addressing vulnerabilities and preventing unauthorized access.

On March 26, 2025, Microsoft launched a new sign-in experience for more than 1 billion users. By the end of April 2025, most Microsoft account users will see updated sign-in and sign-up user experience flows for web and mobile apps. This new user experience is optimized for a passwordless and passkey-first experience. Microsoft is also updating the account sign-in logic to make passkey the default sign-in choice whenever possible.

Additional examples of Microsoft improving authentication and how customers can learn from Microsoft’s approach and solutions include:

Microsoft recommendations for organizations to get started deploying phishing-resistant passwordless authentication using Microsoft Entra ID.
Security defaults make it easier to help protect against identity-related cyberattacks like password spray, replay, and phishing common in today’s environments. Learn more about preconfigured security settings available in Microsoft Entra ID.
Microsoft’s Conditional Access uses identity-driven signals as part of access control decisions.
To help prevent phishing, Microsoft added additional hardening to Windows Hello, which is the multifactor authentication solution built-in to Windows. Windows Hello has also been extended to support passkeys, which are an industry standard, and which we continue to evolve. With Hello and passkeys, on Windows, it means much of the web can be protected with multifactor authentication, and people no longer need to choose between a simple sign-in and a safe sign-in.
Learn how Microsoft is advancing decentralized identity standards and verifiable credentials.
Following GitHub’s April 2024 update on a year of progress in pushing multifactor authentication adoption, further cohorts requiring multifactor authentication enablement have been rolled out in the past year. This effort continues to drive multifactor authentication utilization with almost 50% of contributing GitHub users having multifactor authentication enabled. Of those, more than 38% of users have two or more methods of two-factor authentication enabled and more than 3.6 million users have a passkey enabled on their account. Additionally, GitHub has pushed for best practices in multifactor authentication methods, and in November 2024 shipped enhancements to the management of multifactor authentication settings for organizations and enterprises that allow the restriction of insecure methods of multifactor authentication such as text messaging.

Reducing entire classes of vulnerabilities

Most exploited vulnerabilities today stem from types that can often be mitigated on a large scale, such as SQL injection, cross-site scripting, and memory safety language vulnerabilities. Governments aim to reduce these by encouraging companies to adopt practices like eliminating authorization validation logic mistakes, enabling the use of memory-safe languages, creating secure firmware architectures, and implementing secure administrative protections. The goal is to minimize exploitation risks by addressing systemic vulnerabilities at their root.

Our introduction of mandatory use of the Microsoft Authentication Library (MSAL) across all Microsoft applications helps ensure that advanced identity defenses, such as token binding, continuous access evaluation, and advanced application attack detections, are consistently implemented. This standardizes secure authentication processes, making it significantly harder for attackers to exploit identity-related vulnerabilities. MSAL enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs.

Read the updated Windows Security book and stay secure with Windows

Microsoft is also committed to adopting memory-safe languages, such as Rust, for developing new products and transitioning existing ones. This approach addresses common vulnerabilities related to memory safety. Microsoft is investing heavily into safe language to enhance the safety of our code, and we are applying this new approach to our security platform and other key areas like Microsoft Surface and Pluton security firmware.

In Windows 11, we’ve applied a secure by design strategy from the very first line of code. We have established a Hardware Security Baseline, which helps to ensure every Windows 11 PC has consistent hardware security forming a secure foundation. Windows 11 has secure by default settings and stronger controls for what apps and drivers are allowed to run. This is important as unverified apps and drivers lead to malware and script attacks. And most malware and ransomware apps are unsigned, which means they can be authored and distributed without being provably safe. For consumers and smaller organizations, Smart App Control is a new feature that uses cloud AI to enable millions of known safe apps to run, regardless of where you got them. For larger organizations, IT admins can layer on App Control for Business policies and deploy them using Intune.

With Windows powering business critical solutions across a wide variety of customers, we are committed to helping ensure that Windows remains the most secure and reliable platform. At Microsoft Ignite in 2024, we announced the Windows Resilience Initiative focused on enhancing the security and resilience of the Windows operating system. This involves implementing advanced security features, improving threat detection and response capabilities, and to help ensure that Windows can withstand and recover from cyberattacks. As part of the Windows Resilience Initiative, we are working to protect against common cyberattacks in addition to strengthening identity protection mentioned above.

As part of this we are addressing the long-standing challenge of overprivileged users and applications, which create significant risk. Yet many people do not want to give up admin control of their PC. To help strike the balance of admin privileges and security we are introducing Administrator protection (currently in Windows Insiders). Admin protection gives you the protection of standard user permissions by default, and when needed you can securely authorize a just-in-time system change using Windows Hello. Once the process has completed, the temporary admin token is destroyed. This means admin privileges do not persist. Admin protection will be disruptive to cyberattackers, as they no longer have elevated privileges by default, which will help organizations ensure they remain in control of Windows.

We are also collaborating with endpoint security partners to adopt safe deployment practices. This means all security product updates will be gradual, minimizing deployment risks and monitoring to help ensure any negative impact is kept to a minimum. Additionally, we are developing new Windows capabilities that allow security product developers to build their products outside of kernel mode, reducing the impact to Windows in the event of a security product crash.

Another key development is our secure by design user experience (UX) toolkit. Human error causes the majority of security breaches. The UX toolkit helps build more secure software and improve user security experiences. This toolkit represents a new way of thinking—where design and security aren’t siloed but are working together from the very beginning. Adopted internally and shared externally, the toolkit helps other software organizations in enhancing their security practices.

Other activities Microsoft has worked on to eliminate classes of vulnerabilities include:

Continued support to enable developers to use the memory safe language Rust on Windows.
Taking steps to mitigate Windows NT LAN (NTLM) Relay Attacks by default against Exchange Service, Active Directory Certificate Services and Lightweight Directory Access Protocol (LDAP).
Zero Trust Domain Name System (DNS) preview expanded to include Windows 11 enterprise customers. This feature helps lock down devices to only access-approved network destinations.
Surface embedded firmware products use of a common firmware architecture.
Launch of the Windows 365 Link, which is the first Cloud PC device for Windows 365. Windows 365 Link eliminates local data and apps and has no local admin users and provides employees a way to more securely stream their Windows 365 Cloud PC.
GitHub released CodeQL support for GitHub Actions workflow files. This new static analysis capability identifies common continuous integration and continuous delivery (CI/CD) flaws both in existing code bases and before they are introduced to help eliminate this class of vulnerabilities. Using this new feature, the GitHub Security Lab was able to help secure more than 75 GitHub Actions workflows in open source projects, disclosing more than 90 different vulnerabilities.

Boosting patch application rates

Timely and effective patch management is necessary for cybersecurity, as this is how we can reduce the window of opportunity for malicious actors to exploit software flaws.

Microsoft has made measurable increases in the installation of security patches, which we achieved by enabling automatic installation of software patches when possible and enabling this functionality by default, as well as by offering widespread support for these patches.

Microsoft continues to roll out major security updates on the second Tuesday of each month, known as Patch Tuesday. This regular schedule ensures that all systems receive timely updates to address critical vulnerabilities, thereby reducing the risk of exploitation by cyberattackers.

Building on this foundation, Microsoft has made significant strides in improving the update process with Windows 11. By reducing the number of required system restarts from 12 to four per year through the use of Hotpatch updates, we have further streamlined operations and encouraged organizations to remain compliant with patching requirements.

Other examples of our efforts in to boost patch and security update rates include:

Windows Hotpatch: Announced at Microsoft Ignite 2024, this provides a 60% reduction in time to adopt security updates, assisted by applying updates seamlessly without system restarts.
Microsoft has emphasized the importance of clearly communicating the expected lifespan of products at the time of sale and investing in provisioning capabilities to ease customer transitions to supported versions when products reach the end of their lifecycle. This strategy ensures that customers are well-informed and can smoothly adapt to new technologies.

Adopting a Vulnerability Disclosure Policy (VDP) and Common Vulnerabilities and Exposures (CVE)

Coordinated vulnerability disclosure, a practice Microsoft adopted more than a decade ago, benefits both security researchers and software manufacturers by enabling collaboration to enhance product security. A VDP that authorizes public testing of products, commits to refraining from legal action against those who follow the VDP in good faith, provides a clear channel for reporting vulnerabilities, and permits public disclosure of vulnerabilities according to coordinated vulnerability disclosure best practices and international standards makes a real difference for cybersecurity. Additionally, manufacturers can demonstrate transparency by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every CVE record for the manufacturer’s products.

Our adoption of the CWE and CPE standards in every CVE record for its products is an important achievement. This transparency facilitates accurate and detailed information about vulnerabilities, facilitating timely and effective remediation. By issuing CVEs promptly for all critical or high-impact vulnerabilities, Microsoft demonstrates its commitment to maintaining a secure environment and protecting its customers from potential cyberthreats.

Another notable highlight is the publication of a machine-readable CSAF files, which provide a clear channel for reporting vulnerabilities and authorizes public testing of Microsoft products. This fosters collaboration between security researchers and software manufacturers, enabling the identification and mitigation of vulnerabilities in a coordinated manner.

Other activities Microsoft has worked on to adopt VDP and CVE include:

Microsoft has published a security.txt file with links to different aspects of our VDP CVE related blogs generally.
Microsoft is now issuing CVEs for critical cloud service vulnerabilities, regardless of whether customers need to install a patch or to take other actions to protect themselves.
Microsoft has begun to publish root cause data for Microsoft CVEs using the CWE industry standard. By adopting CWE, more effective community discussion about discovering and mitigating weaknesses in existing software and hardware can be facilitated.
Microsoft added a new standard machine-readable format, called Common Security Advisory Framework (CSAF), to all Microsoft CVE information to help customer accelerate CVE response and remediation.

Empowering customers to detect and document intrusions

Organizations should do more to detect cybersecurity incidents and understand their impact. To ensure they can do that, manufacturers should provide artifacts and evidence-gathering tools, like audit logs.

An example of Microsoft’s commitment in this area is our implementation of robust sensors and logs, enhancing detection of cyberthreats. This initiative provides customers with actionable insights into potential intrusions, enabling swift responses and risk mitigation.

Other activities Microsoft has worked on to empower customers to detect and document inclusions include:

Microsoft Purview has expanded its audit logging and retention periods, among other security enhancements, to increase security visibility and incident response capabilities for cloud-based services.
Microsoft Security Copilot offers prebuilt promptbooks to automate security-related tasks, such as incident investigations, user analysis, and threat intelligence assessments, enhancing efficiency and accuracy in cybersecurity operations.
Microsoft has provided detailed guidance on implementing the United States Department of Defense (DoD) Zero Trust Strategy, with activities categorized into target and advanced phases to achieve full Zero Trust adoption by 2032.
Microsoft’s Expanded Cloud Logs Implementation Playbook provides detailed guidance on operationalizing new logging capabilities in Microsoft Purview Audit (Standard).
Microsoft has published a whitepaper on lessons learned from red teaming more than 100 generative AI products at Microsoft. The whitepaper highlights the importance of understanding AI systems, breaking them without computing gradients, and the necessity of human involvement in AI red teaming, among other topics.

GitHub shipped enhanced capabilities to the GitHub audit log to provide customers with increased visibility of API events and features to enable enterprise management, automation, and integration.

Read the latest SFI updates

1Microsoft Digital Defense Report 2024.

2Microsoft Digital Defense Report 2022.

3IDC North America Tools and Vendors Consolidation Survey, 2023.

42024 ISC2 Cybersecurity Workforce Study.

5Global cybercrime estimated cost 2029.

The post Microsoft’s Secure by Design journey: One year of success appeared first on Microsoft Security Blog.

Categories: Microsoft

Cyber Signals Issue 9 | AI-powered deception: Emerging fraud threats and countermeasures

Microsoft Malware Protection Center - Wed, 04/16/2025 - 7:00am

Introduction | Security snapshot | Threat briefing
Defending against attacks | Expert profile

Microsoft maintains a continuous effort to protect its platforms and customers from fraud and abuse. From blocking imposters on Microsoft Azure and adding anti-scam features to Microsoft Edge, to fighting tech support fraud with new features in Windows Quick Assist, this edition of Cyber Signals takes you inside the work underway and important milestones achieved that protect customers.

We are all defenders. 

Between April 2024 and April 2025, Microsoft:

Thwarted $4 billion in fraud attempts.
Rejected 49,000 fraudulent partnership enrollments.
Blocked about 1.6 million bot signup attempts per hour.

The evolution of AI-enhanced cyber scams

AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate. AI software used in fraud attempts runs the gamut, from legitimate apps misused for malicious purposes to more fraud-oriented tools used by bad actors in the cybercrime underground.

AI tools can scan and scrape the web for company information, helping cyberattackers build detailed profiles of employees or other targets to create highly convincing social engineering lures. In some cases, bad actors are luring victims into increasingly complex fraud schemes using fake AI-enhanced product reviews and AI-generated storefronts, where scammers create entire websites and e-commerce brands, complete with fake business histories and customer testimonials. By using deepfakes, voice cloning, phishing emails, and authentic-looking fake websites, threat actors seek to appear legitimate at wider scale.

According to the Microsoft Anti-Fraud Team, AI-powered fraud attacks are happening globally, with much of the activity coming from China and Europe, specifically Germany due in part to Germany’s status as one of the largest e-commerce and online services markets in the European Union (EU). The larger a digital marketplace in any region, the more likely a proportional degree of attempted fraud will take place.

E-commerce fraud

Fraudulent e-commerce websites can be set up in minutes using AI and other tools requiring minimal technical knowledge. Previously, it would take threat actors days or weeks to stand up convincing websites. These fraudulent websites often mimic legitimate sites, making it challenging for consumers to identify them as fake.

Using AI-generated product descriptions, images, and customer reviews, customers are duped into believing they are interacting with a genuine merchant, exploiting consumer trust in familiar brands.

AI-powered customer service chatbots add another layer of deception by convincingly interacting with customers. These bots can delay chargebacks by stalling customers with scripted excuses and manipulating complaints with AI-generated responses that make scam sites appear professional.

In a multipronged approach, Microsoft has implemented robust defenses across our products and services to protect customers from AI-powered fraud. Microsoft Defender for Cloud provides comprehensive threat protection for Azure resources, including vulnerability assessments and threat detection for virtual machines, container images, and endpoints.

Microsoft Edge features website typo protection and domain impersonation protection using deep learning technology to help users avoid fraudulent websites. Edge has also implemented a machine learning-based Scareware Blocker to identify and block potential scam pages and deceptive pop-up screens with alarming warnings claiming a computer has been compromised. These attacks try to frighten users into calling fraudulent support numbers or downloading harmful software.

Job and employment fraud

The rapid advancement of generative AI has made it easier for scammers to create fake listings on various job platforms. They generate fake profiles with stolen credentials, fake job postings with auto-generated descriptions, and AI-powered email campaigns to phish job seekers. AI-powered interviews and automated emails enhance the credibility of job scams, making it harder for job seekers to identify fraudulent offers.

To prevent this, job platforms should introduce multifactor authentication for employer accounts to make it harder for bad actors to take over legitimate hirers’ listings and use available fraud-detection technologies to catch suspicious content.

Fraudsters often ask for personal information, such as resumes or even bank account details, under the guise of verifying the applicant’s information. Unsolicited text and email messages offering employment opportunities that promise high pay for minimal qualifications are typically an indicator of fraud.

Employment offers that include requests for payment, offers that seem too good to be true, unsolicited offers or interview requests over text message, and a lack of formal communication platforms can all be indicators of fraud.

Tech support scams

Tech support scams are a type of fraud where scammers trick victims into unnecessary technical support services to fix a device or software problems that don’t exist. The scammers may then gain remote access to a computer—which lets them access all information stored on it, and on any network connected to it or install malware that gives them access to the computer and sensitive data.

Tech support scams are a case where elevated fraud risks exist, even if AI does not play a role. For example, in mid-April 2024, Microsoft Threat Intelligence observed the financially motivated and ransomware-focused cybercriminal group Storm-1811 abusing Windows Quick Assist software by posing as IT support. Microsoft did not observe AI used in these attacks; Storm-1811 instead impersonated legitimate organizations through voice phishing (vishing) as a form of social engineering, convincing victims to grant them device access through Quick Assist.

Quick Assist is a tool that enables users to share their Windows or macOS device with another person over a remote connection. Tech support scammers often pretend to be legitimate IT support from well-known companies and use social engineering tactics to gain the trust of their targets. They then attempt to employ tools like Quick Assist to connect to the target’s device.

Quick Assist and Microsoft are not compromised in these cyberattack scenarios; however, the abuse of legitimate software presents risk Microsoft is focused on mitigating. Informed by Microsoft’s understanding of evolving cyberattack techniques, the company’s anti-fraud and product teams work closely together to improve transparency for users and enhance fraud detection techniques.

The Storm-1811 cyberattacks highlight the capability of social engineering to circumvent security defenses. Social engineering involves collecting relevant information about targeted victims and arranging it into credible lures delivered through phone, email, text, or other mediums. Various AI tools can quickly find, organize, and generate information, thus acting as productivity tools for cyberattackers. Although AI is a new development, enduring measures to counter social engineering attacks remain highly effective. These include increasing employee awareness of legitimate helpdesk contact and support procedures, and applying Zero Trust principles to enforce least privilege across employee accounts and devices, thereby limiting the impact of any compromised assets while they are being addressed.

Microsoft has taken action to mitigate attacks by Storm-1811 and other groups by suspending identified accounts and tenants associated with inauthentic behavior. If you receive an unsolicited tech support offer, it is likely a scam. Always reach out to trusted sources for tech support. If scammers claim to be from Microsoft, we encourage you to report it directly to us at https://www.microsoft.com/reportascam.

Building on the Secure Future Initiative (SFI), Microsoft is taking a proactive approach to ensuring our products and services are “Fraud-resistant by Design.” In January 2025, a new fraud prevention policy was introduced: Microsoft product teams must now perform fraud prevention assessments and implement fraud controls as part of their design process.

Recommendations

Strengthen employer authentication: Fraudsters often hijack legitimate company profiles or create fake recruiters to deceive job seekers. To prevent this, job platforms should introduce multifactor authentication and Verified ID as part of Microsoft Entra ID for employer accounts, making it harder for unauthorized users to gain control.
Monitor for AI-based recruitment scams: Companies should deploy deepfake detection algorithms to identify AI-generated interviews where facial expressions and speech patterns may not align naturally.
Be cautious of websites and job listings that seem too good to be true: Verify the legitimacy of websites by checking for secure connections (https) and using tools like Microsoft Edge’s typo protection.
Avoid providing personal information or payment details to unverified sources: Look for red flags in job listings, such as requests for payment or communication through informal platforms like text messages, WhatsApp, nonbusiness Gmail accounts, or requests to contact someone on a personal device for more information.

Using Microsoft’s security signal to combat fraud

Microsoft is actively working to stop fraud attempts using AI and other technologies by evolving large-scale detection models based on AI, such as machine learning, to play defense by learning from and mitigating fraud attempts. Machine learning is the process that helps a computer learn without direct instruction using algorithms to discover patterns in large datasets. Those patterns are then used to create a comprehensive AI model, allowing for predictions with high accuracy.

We have developed in-product safety controls that warn users about potential malicious activity and integrate rapid detection and prevention of new types of attacks.

Our fraud team has developed domain impersonation protection using deep-learning technology at the domain creation stage, to help protect against fraudulent e-commerce websites and fake job listings. Microsoft Edge has incorporated website typo protection, and we have developed AI-powered fake job detection systems for LinkedIn.

Microsoft Defender Smartscreen is a cloud-based security feature that aims to prevent unsafe browsing habits by analyzing websites, files, and applications based on their reputation and behavior. It is integrated into Windows and the Edge browser to help protect users from phishing attacks, malicious websites, and potentially harmful downloads.

Furthermore, Microsoft’s Digital Crimes Unit (DCU) partners with others in the private and public sector to disrupt the malicious infrastructure used by criminals perpetuating cyber-enabled fraud. The team’s longstanding collaboration with law enforcement around the world to respond to tech support fraud has resulted in hundreds of arrests and increasingly severe prison sentences worldwide. The DCU is applying key learnings from past actions to disrupt those who seek to abuse generative AI technology for malicious or fraudulent purposes.

Quick Assist features and remote help combat tech support fraud

To help combat tech support fraud, we have incorporated warning messages to alert users about possible tech support scams in Quick Assist before they grant access to someone approaching them purporting to be an authorized IT department or other support resource.

Windows users must read and click the box to acknowledge the security risk of granting remote access to the device.

Microsoft has significantly enhanced Quick Assist protection for Windows users by leveraging its security signal. In response to tech support scams and other threats, Microsoft now blocks an average of 4,415 suspicious Quick Assist connection attempts daily, accounting for approximately 5.46% of global connection attempts. These blocks target connections exhibiting suspicious attributes, such as associations with malicious actors or unverified connections.

Microsoft’s continual focus on advancing Quick Assist safeguards seeks to counter adaptive cybercriminals, who previously targeted individuals opportunistically with fraudulent connection attempts, but more recently have sought to target enterprises with more organized cybercrime campaigns that Microsoft’s actions have helped disrupt.

Our Digital Fingerprinting capability, which leverages AI and machine learning, drives these safeguards by providing fraud and risk signals to detect fraudulent activity. If our risk signals detect a possible scam, the Quick Assist session is automatically ended. Digital Fingerprinting works by collecting various signals to detect and prevent fraud.

For enterprises combating tech support fraud, Remote Help is another valuable resource for employees. Remote Help is designed for internal use within an organization and includes features that make it ideal for enterprises.

By reducing scams and fraud, Microsoft aims to enhance the overall security of its products and protect its users from malicious activities.

Consumer protection tips

Fraudsters exploit psychological triggers such as urgency, scarcity, and trust in social proof. Consumers should be cautious of:

Impulse buying—Scammers create a sense of urgency with “limited-time” deals and countdown timers.
Trusting fake social proof—AI generates fake reviews, influencer endorsements, and testimonials to appear legitimate.
Clicking on ads without verification—Many scam sites spread through AI-optimized social media ads. Consumers should cross-check domain names and reviews before purchasing.
Ignoring payment security—Avoid direct bank transfers or cryptocurrency payments, which lack fraud protections.

Job seekers should verify employer legitimacy, be on the lookout for common job scam red flags, and avoid sharing personal or financial information with unverified employers.

Verify employer legitimacy—Cross-check company details on LinkedIn, Glassdoor, and official websites to verify legitimacy.
Notice common job scam red flags—If a job requires upfront payments for training materials, certifications, or background checks, it is likely a scam. Unrealistic salaries or no-experience-required remote positions should be approached with skepticism. Emails from free domains (such as johndoehr@gmail.com instead of hr@company.com) are also typically indicators of fraudulent activity.
Be cautious of AI-generated interviews and communications—If a video interview seems unnatural, with lip-syncing delays, robotic speech, or odd facial expressions, it could be deepfake technology at work. Job seekers should always verify recruiter credentials through the company’s official website before engaging in any further discussions.
Avoid sharing personal or financial information—Under no circumstances should you provide a Social Security number, banking details, or passwords to an unverified employer.

Microsoft is also a member of the Global Anti-Scam Alliance (GASA), which aims to bring governments, law enforcement, consumer protection organizations, financial authorities and providers, brand protection agencies, social media, internet service providers, and cybersecurity companies together to share knowledge and protect consumers from getting scammed.

Recommendations

Remote Help: Microsoft recommends using Remote Help instead of Quick Assist for internal tech support. Remote Help is designed for internal use within an organization and incorporates several features designed to enhance security and minimize the risk of tech support hacks. It is engineered to be used only within an organization’s tenant, providing a safer alternative to Quick Assist.
Digital Fingerprinting: This identifies malicious behaviors and ties them back to specific individuals. This helps in monitoring and preventing unauthorized access.
Blocking full control requests: Quick Assist now includes warnings and requires users to check a box acknowledging the security implications of sharing their screen. This adds a layer of helpful “security friction” by prompting users who may be multitasking or preoccupied to pause to complete an authorization step.

Kelly Bissell: A cybersecurity pioneer combating fraud in the new era of AI

Kelly Bissell’s journey into cybersecurity began unexpectedly in 1990. Initially working in computer science, Kelly was involved in building software for healthcare patient accounting and operating systems at Medaphis and Bellsouth, now AT&T.

His interest in cybersecurity was sparked when he noticed someone logged into a phone switch attempting to get free long-distance calls and traced the intruder back to Romania. This incident marked the beginning of Kelly’s career in cybersecurity.

“I stayed in cybersecurity hunting for bad actors, integrating security controls for hundreds of companies, and helping shape the NIST security frameworks and regulations such as FFIEC, PCI, NERC-CIP,” he explains.

Currently, Kelly is Corporate Vice President of Anti-Fraud and Product Abuse within Microsoft Security. Microsoft’s fraud team employs machine learning and AI to build better detection code and understand fraud operations. They use AI-powered solutions to detect and prevent cyberthreats, leveraging advanced fraud detection frameworks that continuously learn and evolve.

“Cybercrime is a trillion-dollar problem, and it’s been going up every year for the past 30 years. I think we have an opportunity today to adopt AI faster so we can detect and close the gap of exposure quickly. Now we have AI that can make a difference at scale and help us build security and fraud protections into our products much faster.”

Previously Kelly managed the Microsoft Detection and Response Team (DART) and created the Global Hunting, Oversight, and Strategic Triage (GHOST) team that detected and responded to attackers such as Storm-0558 and Midnight Blizzard.

Prior to Microsoft, during his time at Accenture and Deloitte, Kelly collaborated with companies and worked extensively with government agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation, where he helped build security systems inside their operations.

His time as Chief Information Security Officer (CISO) at a bank exposed him to addressing both cybersecurity and fraud, leading to his involvement in shaping regulatory guidelines to protect banks and eventually Microsoft.

Kelly has also played a significant role in shaping regulations around the National Institute of Standards and Technology (NIST) and Payment Card Industry (PCI) compliance, which helps ensure the security of businesses’ credit card transactions, among others.

Internationally, Kelly played a crucial role in helping establish agencies and improve cybersecurity measures. As a consultant in London, he helped stand up the United Kingdom’s National Cyber Security Centre (NCSC), which is part of the Government Communications Headquarters (GCHQ), the equivalent of CISA. Kelly’s efforts in content moderation with several social media companies, including YouTube, were instrumental in removing harmful content.

That’s why he’s excited about Microsoft’s partnership with GASA. GASA brings together governments, law enforcement, consumer protection organizations, financial authorities, internet service providers, cybersecurity companies, and others to share knowledge and define joint actions to protect consumers from getting scammed.

“If I protect Microsoft, that’s good, but it’s not sufficient. In the same way, if Apple does their thing, and Google does their thing, but if we’re not working together, we’ve all missed the bigger opportunity. We must share cybercrime information with each other and educate the public. If we can have a three-pronged approach of tech companies building security and fraud protection into their products, public awareness, and sharing cybercrime and fraudster information with law enforcement, I think we can make a big difference,” he says.

Next steps with Microsoft Security

Methodology: Microsoft platforms and services, including Azure, Microsoft Defender for Office, Microsoft Threat Intelligence, and Microsoft Digital Crimes Unit (DCU), provided anonymized data on threat actor activity and trends. Additionally, Microsoft Entra ID provided anonymized data on threat activity, such as malicious email accounts, phishing emails, and attacker movement within networks. Additional insights are from the daily security signals gained across Microsoft, including the cloud, endpoints, the intelligent edge, and telemetry from Microsoft platforms and services. The $4 billion figure represents an aggregated total of fraud and scam attempts against Microsoft and our customers in consumer and enterprise segments (in 12 months).

The post Cyber Signals Issue 9 | AI-powered deception: Emerging fraud threats and countermeasures appeared first on Microsoft Security Blog.

Categories: Microsoft

Biographical Information Summary - This is Just a Summary Joe Pearce
About Joe Pearce joeintenn
Links Joe Pearce
Flounder's Keylime Pie is the Best in the World, At Least I Think So... Joe Pearce
Harley Ride Joe Pearce
Cobra with New Cover Joe Pearce
Mustang Cobra After Ceramic Coating Joe Pearce
Carter County Cruise In Joe Pearce
2003 Ford Mustang SVT Cobra Convertible NAPA Auto Car Show Top 10 Joe Pearce
Ponies in the Smokies - Mustang Trophy Joe Pearce

Microsoft

Microsoft announces the 2025 Security Excellence Awards winners

Faster, more personalized service begins at the frontline with Microsoft Intune

Explore practical best practices to secure your data with Microsoft Purview

New whitepaper outlines the taxonomy of failure modes in AI agents

Understanding the threat landscape for Kubernetes and containerized assets

Securing our future: April 2025 progress report on Microsoft’s Secure Future Initiative

Microsoft’s Secure by Design journey: One year of success

Cyber Signals Issue 9 | AI-powered deception: Emerging fraud threats and countermeasures

Welcome to Joe Pearce's Home Page.

Web page offered by Joe Pearce © 2004 - 2025 - All rights reserved.

Thanks to the ETSU Computer and Information Sciences Department.

Thanks to the NSTCC Computer and Information Sciences and Computer Engineering Technologies Department.

This is my Favicon.

You are here

Microsoft

Welcome to Joe Pearce's Home Page.

Web page offered by Joe Pearce © 2004 - 2025 - All rights reserved.

Thanks to the ETSU Computer and Information Sciences Department.

Thanks to the NSTCC Computer and Information Sciences and Computer Engineering Technologies Department.

This is my Favicon.