Microsoft

Generative AI is reshaping almost every industry and the legal field is no different. A Thompson Reuters Institute study of legal professionals found “a remarkable 79% of law firm respondents anticipate AI will have a high or transformational impact on their work within the next five years—a significant 10-point increase from 2023.”1 There are many promising opportunities to streamline workflows and drive efficiency by bringing AI into legal and litigation workflows. Simultaneously, there’s a need to ensure data compliance, security, governance, and privacy while deploying AI throughout your organization.  

Learn more about Microsoft Security.

Microsoft is continuously innovating, empowering people and organizations to achieve more, and Microsoft Purview is a key part of that mission. New advanced capabilities in Microsoft Purview eDiscovery make it easier to safeguard and manage compliance of data. eDiscovery allows you to easily search, collect, and review AI-based interactions across more than 25 AI applications. It also uses advanced AI capabilities to streamline eDiscovery workflows—from natural language queries for more intuitive searching to automatic case summarization for a quick snapshot of key insights. And more powerful AI-driven features are on the horizon to further accelerate and simplify the eDiscovery process. 

We are excited to share more about new developments across Microsoft Security at Legalweek 2025. If you are attending the conference in New York City from March 24 to March 27, 2025, we’d love to connect. Read on for an overview of our sessions. And request to attend our Executive Breakfast on Tuesday, March 25, 2025, from 7:30am–8:45am (ET) at the Mercury Ballroom, New York Hilton Midtown, to learn how to protect Microsoft 365 Copilot with Microsoft Purview as well as our latest developments in eDiscovery.  

Mark your calendar for these Legalweek sessions 

At Legalweek 2025, we will have experts from Microsoft and the legal field to offer insights into the latest cybersecurity challenges facing the legal sector as well as strategies to tackle these pressing issues. 

Session TitleSpeakersSession Date and TimeSession DescriptionTrustworthy AI: Helping to ensure privacy and security in AI transformation​ Katelyn Rothney, Senior Product Marketing Manager, Microsoft Azure AI; Ashley Pusey, Cyber Security and Data Privacy Associate, Kennedy’s CMP LLP; Rebecca Engrav, co-chair of the AI industry group at Perkins Coie; and John Israel, Global AI Security and Data Security Lead, KPMG. Tuesday, March 25, 2025, 11:30 AM–12:30 PM​ Eastern Time (ET) This session will delve into the complex interplay between AI innovation and data protection, exploring the necessary frameworks for designing AI solutions that prioritize transparency, integrity, and accountability. Learn the security and privacy risks inherent in AI adoption and how to mitigate them. Global compliance deep dive: Mastering the EU AI Act and international data regulationsManny Sahota, Director of Global Cloud Privacy, Regulatory Risk, and Compliance, Microsoft; Dajin Li, Partner, Taylor Wessing; Jennifer Driscoll, Partner, Robinson Cole; Jessica Long, Vice President, Head of Legal, Chief Privacy Officer, Allstate Canada; and Patrick J. Austin, Of Counsel, Woods Rogers.​ Tuesday, March 25, 2025, 2:00 PM–3:00 PM​ (ET) Navigate the complexities of global data compliance and learn how to stay ahead of regulatory requirements with an in-depth analysis of the EU AI Act and other key international regulations. Learn how to harmonize compliance strategies across different jurisdictions, overcome regulatory challenges, and future-proof your organization’s data governance framework. Collaboration in complex litigation: Streamlining team communication and document sharing EJ Bastien, Sr. Director, Discovery Programs, Microsoft; Lindsey Lanier, Director, Product Management, Relativity; Candi Smith, eDiscovery Analyst, Disney; Scott Milner, Partner & Global Practice Group Leader of eData, Morgan, Lewis & Bockius LLP; and Greg Buckles, Market Analyst–Press, eDiscovery Journal.Tuesday, March 25, 2025, 3:30 PM–4:30PM (ET) Explore how legal teams can streamline document sharing and optimize communication workflows to keep all stakeholders connected and informed. Learn how to simplify case management, enhance team collaboration, and make information easily accessible—even in hybrid work environments. Navigating the AI revolution: Strategic insights and innovations​ Jessica Escalera, Head of Legal Operations, Americas at HSBC; Nicole Langston, Head of eDiscovery, Counsel for Barclays; Nisha Narasimhan, Principal Product Manager, Microsoft; and Robert Keeling, Partner, Redgrave LLPWednesday, March 26, 2025, 11:30 AM–12:30PM (ET) This forward-looking panel discussion delves into how you can use cutting-edge products to steer your AI journey effectively. Join industry experts as they share insights on strategic approaches, address common challenges, and highlight the latest AI innovations.   Connect with Microsoft at Legalweek 

If you seek strategies for safeguarding and managing the compliance of your data and AI applications, check out one or more of our sessions at Legalweek. Throughout the conference, you can also interact with our Microsoft experts directly in a few ways: 

• Stop by Booth #3103 in New York Hilton Midtown Americas Hall 2 to learn how Microsoft solutions can address your challenges. 
• Request to attend the Executive Breakfast on Tuesday, March 25, 2025 from 7:30am – 8:45am ET at Mercury Ballroom, New York Hilton Midtown.
• Request dedicated time with our experts, who will be available in meeting rooms at 1700 Broadway, between 9:00 AM – 6:00 PM ET, Monday, March 24, 2025, through Thursday, March 27, 2025. We’d love to connect. Hope to see you there! 

Connect with members of the Microsoft Intelligent Security Association  

At Microsoft we truly believe security is a team sport. And we are thrilled to welcome three of our strategic Microsoft Intelligent Security Association (MISA) members to demonstrate their solutions at the Microsoft booth. Join Epiq Global, Lighthouse, and Relativity as they share their expertise and discuss how their solutions—together with Microsoft technology—are helping our mutual customers secure their data efficiently in the age of AI. 

• Epiq Global: Tuesday, March 25, 2025, 12:00 – 2:00 PM ET 
• Lighthouse: Wednesday, March 26, 2025, 2:30 – 4:30 PM ET 
• Relativity: Thursday, March 27, 2025, 10:00 AM – 12:00 PM ET 

Read more about MISA and membership benefits. 

Learn more about Microsoft Security solutions

To help your organization efficiently respond to legal matters or internal investigations with intelligent capabilities that reduce data to only what’s relevant, learn more about Microsoft Purview eDiscovery. 

Learn how to accelerate the secure adoption of AI with ready-to-go security and governance tools built for generative AI at The Microsoft at RSAC experience. From our signature Pre-Day to demos and networking, discover how Microsoft Security can give you the advantage you need in the era of AI. 

To learn more about Microsoft Security, visit our website.

 Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

Sources:

 1 The Future of Professionals: How AI is impacting the legal profession | Legal Blog 

The post Microsoft at Legalweek: Help safeguard your AI future with Microsoft Purview​ appeared first on Microsoft Security Blog.

Critical infrastructure is a key target of both physical and cyberattacks. Microsoft has observed an increase in reported attacks on internet-exposed operational technology (OT) devices that control real-world critical processes—like water and wastewater systems, as well as critical functions across industries including healthcare, manufacturing, energy, and more.1 Our previous Microsoft Digital Defense Reports have shown that unfortunately the security of OT devices has not kept pace with the strengthened security of IT hardware and software. As of July 2024, we had identified and shared more than 300 vulnerabilities in third-party OT applications. The initiative contributed to significant improvements in security across the OT industry.1 It highlights a need for organizations to integrate OT devices into their broader endpoint security strategy.  

We are excited to announce that Gartner has named Microsoft a Leader in the 2025 Gartner® Magic Quadrant™ for Cyber Physical Systems Protection Platforms. Gartner defines cyber-physical systems (CPS) as “engineered systems that orchestrate sensing, computation, control, networking and analytics” that connect the digital and physical worlds. They span industrial control systems (ICS), OT devices, Internet of Things (IoT) devices, and more.   

CPS devices are an inherent component to any security strategy, and as the only security platform vendor now recognized as a Leader in both endpoint and CPS security, it highlights, in our opinion, our commitment to providing customers with holistic endpoint security on any platform. Our cross-platform strategy is key to making continued progress in helping organizations protect their endpoints against the latest, and most sophisticated cyberattacks as they span operating systems and cross into CPS infrastructure, while driving continued efficiency for security operations center (SOC) teams. Read the report here.  

  

Meeting the unique OT security needs of organizations in every major industry  

The core of Microsoft’s CPS offering to help secure OT environments is Microsoft Defender for IoT, which provides CPS capabilities though purpose-built sensors, and combined with Defender for Endpoint, helps provide holistic endpoint security to organizations worldwide. Both are native components of our unified security operations platform.  

CPS security is deeply embedded into Microsoft’s approach to securing devices across the platforms our customers operate on. Defender for Endpoint uses its network traffic insights to discover devices that it centralizes in a unified device inventor; we provide holistic vulnerability management for software on both user, as well as CPS devices, and bring information together in a unified incident investigation experience to enable analysts to investigate endpoint-focused attacks end-to-end.

Further, Microsoft is deeply committed to helping customers achieve cost efficiencies through our strategic Microsoft 365 E5 Security bundles, while equally allowing maximum purchasing flexibility through our standalone offers for each solution.  

Secure your enterprise IoT devices with Microsoft Defender for IoT Innovations that drive better defense strategies  

Over the last 12 months, Microsoft has delivered significant innovations that help defenders gain the upper hand against OT and other cyberthreats including:   

Microsoft’s unified security operations platform brings the foundational tools a SOC needs into a single experience, with a consistent data model, unified capabilities, and broad protection. This unified experience helps SOCs close critical security gaps and streamline their operations, delivering better overall protection, reducing their response time by 88%, and improving overall efficiency.2 Defender for IoT is core to this platform, which combines the power of leading solutions in security information and event management (SIEM), extended detection and response (XDR), and Generative AI for security. It enables security teams to detect and respond to cyberthreats across OT environments and get key insights into their OT security posture, detect cyberthreats, and understand them in context of broader incidents.  

The unified agent combines protection across endpoints, OT devices, identities and data loss prevention (DLP) to help security teams streamline deployment and protection. The sensor is the software component that monitors and protects critical infrastructure, serving as one of the first lines of defense against cyberthreat actors. With our platform approach that brings together Microsoft Sentinel and Microsoft Defender XDR, we now have the first platform-level platform-level agent that unifies protection across four solution areas. The streamlined agent simplifies how you activate and manage core capabilities to more easily and swiftly reap the benefits of our AI-powered protection. Read more about the unified agent platform on the Microsoft Defender for Endpoint blog.  

Microsoft Security Exposure Management is part of the unified security operations portal and provides a unified view of security posture across company assets and workloads. Security initiatives are an experience that provides a simple way to assess security readiness for a specific security area or workload, and to constantly track and measure exposure risk over time. The OT Security initiative improves your OT site security posture by monitoring and protecting OT environments in the organization, and employing network layer monitoring. This initiative identifies devices and ensures that systems are working correctly, and data is protected. Your security teams can use the OT Security initiative to identify unprotected devices and harden posture across sites through vulnerability assessments, with actionable guidance to help remediate at-risk devices. Read more about security initiatives.   

Reduce risk and optimize your security posture with Microsoft Security Exposure Management

Thank you to all our customers. You inspire us as together we work to create a safer world.  

Learn more with Microsoft Security

Visit Microsoft Defender for IoT to learn how your organization can get real-time asset discovery, vulnerability management, and cyberthreat protection for your Internet of Things (IoT) and industrial infrastructure, such as industrial control systems (ICS) and operational technology (OT).   

Are you a regular user of Microsoft Defender for Endpoint or Defender for IoT? Review your experience on Gartner Peer Insights™ and get a $25 gift card.      

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.  

1Microsoft Digital Defense Report, Microsoft. 2024.
2The Total Economic Impact™ Of Microsoft SIEM And XDR, August 2022.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.  

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.  

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.  

Gartner, Magic Quadrant for CPS Protection Platforms, 17 February 2025, By Katell Thielemann, Wam Voster, Ruggero Contu.  

The post Microsoft is named a Leader in the 2025 Gartner® Magic Quadrant™ for cyber-physical systems protection platforms​​ appeared first on Microsoft Security Blog.

AI adoption is picking up speed. Many companies are growing their technology estates by embracing powerful new solutions like generative AI. But to maximize the benefits of new technology with confidence, security professionals need to stay compliant with the evolving regulatory and audit requirements in the age of AI. It is in this spirit that Microsoft invites you to join us at RSACTM 2025 Conference in San Francisco, where we will showcase end-to-end security designed to help organizations accelerate the secure adoption of AI with ready-to-go security and governance tools and solutions to multiply security teams’ productivity.

Across the Microsoft Security portfolio, our innovations, together with world-class threat and regulatory intelligence, will help give security experts the advantage they need in the era of AI. From our signature Pre-Day to hands-on demos and one-on-one meetings, join the Microsoft experience at RSAC 2025 designed just for you.

Microsoft at RSAC

From our signature Pre-Day to hands-on demos and one-on-one meetings, discover how Microsoft Security can give you the advantage you need in the era of AI.

Explore events Kick things off at Microsoft Pre-Day

The Microsoft experience at RSAC 2025 begins with Microsoft Pre-Day on Sunday, April 27, 2025, at the Palace Hotel, just around the corner from the Moscone Center. For the fourth year running, the keynote speech held on Microsoft Pre-Day will kick off the full lineup of Microsoft events and activities throughout RSAC 2025. By joining us on Sunday, you’ll have the chance to hear directly from Microsoft Security business leaders—including Vasu Jakkal, Corporate Vice President, Microsoft Security Business; Charlie Bell, Executive Vice President, Microsoft Security; Sherrod DeGrippo, Director of Threat Intelligence Strategy; and other Microsoft Security leaders as they share reporting on emerging cyberthreat trends and the product innovations designed to protect against them. Vasu will also take the RSAC 2025 stage on Day 1 for the conference keynote.

At Pre-Day, attendees will hear Microsoft Security threat intelligence on emerging trends, explore new AI-first tools, demos, and best practices, and attain a better understanding of how Microsoft can help them secure and govern their AI deployments. Attend to discover how the adaptive, end-to-end security platform from Microsoft, including Microsoft Security Copilot, can help your team catch what others miss, speed up remediation, lower your total cost of ownership, and boost—rather than burden—you and your teams.

Stick around after Pre-Day for the reception—an evening of fun, networking, and entertainment, celebrating the vibrant security community. This is a unique opportunity to meet Microsoft security leaders, expand your professional network, and learn how others are addressing the latest security trends and challenges. Light refreshments will be served. CISOs who register to attend Microsoft Pre-Day will automatically be invited to a chief information security officer (CISO) dinner with Vasu Jakkal.  

Make sure to register for Microsoft Pre-Day to join in on all the day’s activities.

Register for Microsoft Pre-Day at RSAC 2025 Dedicated calendar of events for CISOs

Microsoft will be hosting a number of events tailored to CISOs throughout RSAC 2025. To kick off the week, Microsoft will be hosting a Pre-Day, followed by the exclusive CISO dinner on April 27, 2025. Following, there will be daily lunch and learn opportunities that address some of the primary challenges facing CISOs organizations:

• Monday April 28, 2025: Innovating Securely CISO Lunch—Learn insights concerning secure innovation centered around the new AI regulations, including the EU Act, Digital Operational Resilience Act (DORA), and more.
• Tuesday April 29, 2025: SFI Executive Lunch—Open to all and focused around the needs of Latin America-based CISOs, this lunch will bring together leaders and experts interested in understanding the latest Secure Future Initiative (SFI) progress and exchanging their thoughts on related best practices.
• Wednesday April 30, 2025: Embracing Cyber resilience CISO Lunch—Attendees are invited to network, learn, and exchange their insights regarding cyber resilience as the AI landscape evolves.

Finally, CISOs who attend RSAC 2025 are invited to stay through the end of the conference to attend the Microsoft Post-Day Forum at the Microsoft Experience Center at Silicon Valley on Thursday, May 1, 2025, from 9:00 AM PT to 1:00 PM PT. The day will be full of insightful presentations, interactive discussions, networking opportunities, and a curated CISO roundtable session. This informative day will also include an immersive tour of the unique state-of-the-art Microsoft Experience Center, which highlights larger-than-life solutions that show Microsoft’s cutting-edge technology solving many of today’s challenges. This experience is facilitated by envisioning specialists who spark inspired conversations, creative ideas, and new opportunities for leaders to participate in before returning home.

Sign up for Microsoft experiences at RSAC, including the Pre-Day, the CISO dinner, CISO lunch, and the Post-Day Forum. Request a one-on-one meeting with Microsoft experts to discuss your most pressing questions here.

Discover solutions to your challenges during the keynote speech and Microsoft sessions

As part of the RSAC agenda, Vasu Jakkal will take the stage on Monday, April 28, 2025, at 4:40 PM PT. During the speech, she will discuss the potential of agentic workflows to dramatically reshape the security landscape. Agentic AI has the power to enable more complex problem-solving, deeper agent collaboration, and iterative learning. All of this leads us toward a previously unheard-of new paradigm for security. Join Vasu Jakkal for an imaginative look at the future of AI security agents and how the people of our security teams will work alongside them to change the game.

​After the keynote and throughout the conference, attendees will be able to split their time between the Microsoft Security sessions included in the RSAC 2025 agenda, live demonstrations at booth #5744 in Moscone North, and a variety of roundtables, one-on-one meetings, and presentations at the Microsoft Security Hub at the Palace Hotel.

Here are two sessions not to miss:

• Tuesday, April 29, 2025, at 9:40 AM PT: Shaping the Future of Security with Agentic AI​—In a time of rapidly evolving cyberthreats, agentic AI is emerging as a transformative force in security. Join Dorothy Li, Corporate Vice President of Microsoft Security Copilot and Marketplace, to discover how autonomous decision-making is reshaping our approach to cybersecurity. This session will reveal how agentic AI empowers organizations to proactively mitigate risks, enhance operational efficiency, and elevate the effectiveness of your security tools. Attendees will gain actionable insights and practical strategies for harnessing the potential of agentic AI. Prepare to rethink the future of security and position your organization at the forefront of innovation.​
• Wednesday, April 30, 2025, at 9:40 AM PT: Accelerate AI Adoption with Stronger Security—AI adoption is accelerating, creating both new opportunities and security challenges. Led by Neta Haiby, Partner Product Manager at Microsoft​, this session covers key AI adoption trends, emerging risks, and common cyberthreats. Discover actionable steps to secure and govern AI, from establishing a dedicated security team for AI to adopting AI-specific solutions, ensuring your organization can innovate with confidence.​

Other well-known Microsoft experts will host session sharing what they’ve learned from their work pioneering and securing AI:

• Wednesday, April 30, 2025 at 8:30 AM PT: Guardians of the Cyber Galaxy: Allies Against AI-Powered Cybercrime by Sean Farrell, Assistant General Counsel, Digital Crimes Unit.
• Monday, April 28, 2025 at 1:10 PM PT: AI Era Authentication: Securing the Future with Inclusive Identity by Abhilasha Bhargav-Spantzel, Partner Security Architect, and Aditi Shah, Senior Data and Applied Scientist.
• Tuesday, April 29, 2025, at 8:30 AM PT: AI Safety: Where Do We Go From Here? by Ram Shankar Siva Kumar, Principal Research Lead, AI Red Team Lead.
• Tuesday, April 29, 2025, at 2:25 PM PT: Lessons Learned from a Year(ish) of Countering Malicious Actors’ Use of AI by Sherrod DeGrippo, Director, Threat intelligence strategy.

View live demonstrations and discover engaging ways to learn at booth #5744

At the Microsoft booth, attendees will have the chance to engage with experts, discover ready-to-go security and governance tools built for generative AI, and watch theater sessions showcasing the latest products, innovations, and industry perspectives from Microsoft. They’ll also get to enjoy a fun and interactive gaming experience. 

Microsoft product and partner experts will be on hand to showcase the newest advancements through captivating demonstrations, informative videos, and valuable resources. 

Visit the Microsoft booth theater for exclusive 20-minute demos and expert-led sessions on the latest in security and AI. Explore strategies to protect, govern, and secure AI. Listen in to insights on identity, compliance, privacy, threat defense, data protection, and more. Don’t miss this opportunity to learn from industry leaders and stay ahead in the ever-evolving security landscape.

Meetings and connections at the Microsoft Security Hub

The historic and luxurious Palace Hotel is home base for Microsoft during the week. RSAC 2025 attendees are invited to meet with Microsoft experts and executives, attend thought leadership sessions and roundtable lunches, and join networking opportunities. Detailed information about individual sessions can be found on the Microsoft Security Experiences at RSAC 2025 Landing Page.

Customers are also invited to deepen their understanding of the latest cybersecurity threats, trends, and developments by discussing their most important security product and threat intelligence questions directly with Microsoft security experts through scheduled one-on-one meetings, held from Monday, April 28, 2025, to Wednesday, April 30, 2025, at the Palace Hotel. Request your meeting directly through the Microsoft Security Experiences at RSAC 2025 Home Page.

Microsoft Intelligent Security Association featured partners

The Microsoft Intelligent Security Association (MISA) will once again have a considerable presence at RSAC 2025. MISA partners will be featured in the Microsoft Booth #5744 and included in other events happening throughout the week. Additionally, the sixth annual Microsoft Security Excellence Awards, presented by MISA, will be held at the Palace Hotel in San Francisco on April 28, 2025, celebrating our finalists and announcing winners in nine award categories as well as enjoying a time of connecting. 

Activities include:

• MISA demo station: Stop by the Microsoft Booth to explore the innovative solutions developed by MISA members, which integrate Microsoft Security technology.
• Theater sessions: Attend one or more of our five theater sessions at the Microsoft booth, led by MISA members, focusing on partner strategies and solutions for cyberthreat protection.
• View the MISA demo and theater schedule.
• MISA Partner awards: MISA members are invited to attend the Microsoft Security Excellence Awards on Monday, April 28, 2025, where winners will be announced in nine security award categories.

Get the most by staying through Microsoft Post-Day

Microsoft Post-Day Forum is a unique experience designed to help customers, CISOs, and security leaders dive deep into new concepts, ask questions they need answered about product features, and prepare to realize and enable the AI-first, end-to-end security concepts they’ve learned about throughout RSAC 2025. The Microsoft Post-Day Forum, hosted by Microsoft Security executives, will be held on Thursday, May 1, 2025, from 10:00 AM PT to 1:00 PM PT, at the Silicon Valley Experience Center. Pick up for the event will be held at the Palace Hotel at 8:00 AM PT, with drop off organized for 2:00 PM PT.

We look forward to seeing you at RSAC 2025!

Learn more about the Microsoft experience at RSAC 2025

Customers and partners can register for the events highlighted in this blog as well as other Microsoft ancillary events and more here.

Explore Microsoft Security events at RSAC 2025

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post ​​Join us for the end-to-end Microsoft RSAC 2025 Conference experience appeared first on Microsoft Security Blog.

Executive summary

Today we’re sharing that Microsoft discovered cyberattacks being launched by a group we call Storm-2372, who we assess with medium confidence aligns with Russia’s interests and tradecraft. The attacks appear to have been ongoing since August 2024 and have targeted governments, NGOs, and a wide range of industries in multiple regions. The attacks use a specific phishing technique called “device code phishing” that tricks users to log into productivity apps while Storm-2372 actors capture the information from the log in (tokens) that they can use to then access compromised accounts. These tokens are part of an industry standard and, while these phishing lures used Microsoft and other apps to trick users, they do not reflect a vulnerability unique to Microsoft nor have we found any vulnerabilities in our code base enabling this activity.

Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign has been active since August 2024 with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Storm-2372’s targets during this time have included government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.  

In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. This technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors.

The phishing attack identified in this blog masquerades as Microsoft Teams meeting invitations delivered through email. When targets click the meeting invitation, they are prompted to authenticate using a threat actor-generated device code. The actor then receives the valid access token from the user interaction, stealing the authenticated session.

Because of the active threat represented by Storm-2372 and other threat actors exploiting device code phishing techniques, we are sharing our latest research, detections, and mitigation guidance on this campaign to raise awareness of the observed tactics, techniques, and procedures (TTPs), educate organizations on how to harden their attack surfaces, and disrupt future operations by this threat actor. Microsoft uses Storm designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we reach high confidence about the origin or identity of the threat actor behind the activity.

Microsoft Threat Intelligence Center continues to track campaigns launched by Storm-2372, and, when able, directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. Microsoft is also tracking other groups using similar techniques, including those documented by Volexity in their recent publication.

How does device code phishing work?

A device code authentication flow is a numeric or alphanumeric code used to authenticate an account from an input-constrained device that does not have the ability to perform an interactive authentication using a web flow and thus must perform this authentication on another device to sign-in. In device code phishing, threat actors exploit the device code authentication flow.

During the attack, the threat actor generates a legitimate device code request and tricks the target into entering it into a legitimate sign-in page. This grants the actor access and enables them to capture the authentication—access and refresh—tokens that are generated, then use those tokens to access the target’s accounts and data. The actor can also use these phished authentication tokens to gain access to other services where the user has permissions, such as email or cloud storage, without needing a password. The threat actor continues to have access so long as the tokens remain valid. The attacker can then use the valid access token to move laterally within the environment.

Figure 1. Device code phishing attack cycle Storm-2372 phishing lure and access

Storm-2372’s device code phishing campaign has been active since August 2024. Observed early activity indicates that Storm-2372 likely targeted potential victims using third-party messaging services including WhatsApp, Signal, and Microsoft Teams, falsely posing as a prominent person relevant to the target to develop rapport before sending subsequent invitations to online events or meetings via phishing emails.

Figure 2. Sample messages from the threat actor posing as a prominent person and building rapport on Signal

The invitations lure the user into completing a device code authentication request emulating the experience of the messaging service, which provides Storm-2372 initial access to victim accounts and enables Graph API data collection activities, such as email harvesting.

Figure 3. Example of lure used in phishing campaign

On the device code authentication page, the user is tricked into entering the code that the threat actor included as the ID for the fake Teams meeting invitation.

Post-compromise activity

Once the victim uses the device code to authenticate, the threat actor receives the valid access token. The threat actor then uses this valid session to move laterally within the newly compromised network by sending additional phishing messages containing links for device code authentication to other users through intra-organizational emails originating from the victim’s account.

Figure 4. Legitimate device code authentication page

Additionally, Microsoft observed Storm-2372 using Microsoft Graph to search through messages of the account they’ve compromised. The threat actor was using keyword searching to view messages containing words such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry, and gov. Microsoft then observed email exfiltration via Microsoft Graph of the emails found from these searches.

Attribution

The actor that Microsoft tracks as Storm-2372 is a suspected nation-state actor working toward Russian state interests. It notably has used device code phishing to compromise targets of interest. Storm-2372 likely initially approaches targets through third-party messaging services, posing as a prominent individual relevant to the target to develop rapport before sending invites to online events or meetings. These invites lure the user into device code authentication that grants initial access to Storm-2372 and enables Graph API data collection activities such as email harvesting.

Storm-2372 targets include government, NGOs, IT services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East.

Mitigation and protection guidance

To harden networks against the Storm-2372 activity described above, defenders can implement the following:

• Only allow device code flow where necessary. Microsoft recommends blocking device code flow wherever possible. Where necessary, configure Microsoft Entra ID’s device code flow in your Conditional Access policies.
• Educate users about common phishing techniques. Sign-in prompts should clearly identify the application being authenticated to. As of 2021, Microsoft Azure interactions prompt the user to confirm (“Cancel” or “Continue”) that they are signing in to the app they expect, which is an option frequently missing from phishing sign-ins.
• If suspected Storm-2372 or other device code phishing activity is identified, revoke the user’s refresh tokens by calling revokeSignInSessions. Consider setting a Conditional Access Policy to force re-authentication for users.
• Implement a sign-in risk policy to automate response to risky sign-ins. A sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner. A sign-in risk-based policy can be implemented by adding a sign-in risk condition to Conditional Access policies that evaluates the risk level of a specific user or group. Based on the risk level (high/medium/low), a policy can be configured to block access or force multi-factor authentication.
  • When a user is a high risk and Conditional access evaluation is enabled, the user’s access is revoked, and they are forced to re-authenticate.
  • For regular activity monitoring, use Risky sign-in reports, which surface attempted and successful user access activities where the legitimate owner might not have performed the sign-in. 
• Require multifactor authentication (MFA). While certain attacks such as device code phishing attempt to evade MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
  • Leverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
  • Block legacy authentication with Microsoft Entra by using Conditional Access. Legacy authentication protocols do not have the ability to enforce MFA, as legacy MFA (per-user MFA prompts) is susceptible to abuse.
• Centralize your organization’s identity management into a single platform. If your organization is a hybrid environment, integrate your on-premises directories with your cloud directories. If your organization is using a third-party for identity management, ensure this data is being logged in a SIEM or connected to Microsoft Entra to fully monitor for malicious identity access from a centralized location. The added benefits to centralizing all identity data is to facilitate implementation of Single Sign On (SSO) and provide users with a more seamless authentication process, as well as configure Entra ID’s machine learning models to operate on all identity data, thus learning the difference between legitimate access and malicious access quicker and easier. It is recommended to synchronize all user accounts except administrative and high privileged ones when doing this to maintain a boundary between the on-premises environment and the cloud environment, in case of a breach.
• Secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity in your Entra ID environments to slow and stop attackers.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 detects malicious activity associated with this threat through the following alerts:

• This email has traits consistent with phishing
• This HTML has traits consistent with phishing

Microsoft Entra ID Protection

The following Microsoft Entra ID Protection risk detections inform Entra ID user risk events and can indicate associated threat activity, including unusual user activity consistent with known attack patterns identified by Microsoft Threat Intelligence research:

• Activity from Anonymous IP address (RiskEventType: anonymizedIPAddress)
• Microsoft Entra threat intelligence (sign-in): (RiskEventType: investigationsThreatIntelligence)

Hunting queries Microsoft Defender XDR

The following query can help identify possible device code phishing attempts:

let suspiciousUserClicks = materialize(UrlClickEvents | where ActionType in ("ClickAllowed", "UrlScanInProgress", "UrlErrorPage") or IsClickedThrough != "0" | where UrlChain has_any ("microsoft.com/devicelogin", "login.microsoftonline.com/common/oauth2/deviceauth") | extend AccountUpn = tolower(AccountUpn) | project ClickTime = Timestamp, ActionType, UrlChain, NetworkMessageId, Url, AccountUpn); //Check for Risky Sign-In in the short time window let interestedUsersUpn = suspiciousUserClicks | where isnotempty(AccountUpn) | distinct AccountUpn; let suspiciousSignIns = materialize(AADSignInEventsBeta | where ErrorCode == 0 | where AccountUpn in~ (interestedUsersUpn) | where RiskLevelDuringSignIn in (10, 50, 100) | extend AccountUpn = tolower(AccountUpn) | join kind=inner suspiciousUserClicks on AccountUpn | where (Timestamp - ClickTime) between (-2min .. 7min) | project Timestamp, ReportId, ClickTime, AccountUpn, RiskLevelDuringSignIn, SessionId, IPAddress, Url ); //Validate errorCode 50199 followed by success in 5 minute time interval for the interested user, which suggests a pause for the code which the user provided from the phishing email let interestedSessionUsers = suspiciousSignIns | where isnotempty(AccountUpn) | distinct AccountUpn; let shortIntervalSignInAttemptUsers = materialize(AADSignInEventsBeta | where AccountUpn in~ (interestedSessionUsers) | where ErrorCode in (0, 50199) | summarize ErrorCodes = make_set(ErrorCode) by AccountUpn, CorrelationId, SessionId | where ErrorCodes has_all (0, 50199) | distinct AccountUpn); suspiciousSignIns | where AccountUpn in (shortIntervalSignInAttemptUsers) Microsoft Sentinel

Microsoft Sentinel customers can use the following queries to detect phishing attempts and email exfiltration attempts via Graph API. While these queries are not specific to threat actors, they can help you stay vigilant and safeguard your organization from phishing attacks:

• Campaign with suspicious keywords
• Determine Successfully Delivered Phishing Emails to Inbox/Junk folder.
• Successful Signin from Phishing Link
• Phishing link click observed in Network Traffic
• Suspicious URL clicked Anomaly of MailItemAccess by GraphAPI
• OAuth Apps accessing user mail via GraphAPI
• OAuth Apps reading mail both via GraphAPI and directly
• OAuth Apps reading mail via GraphAPI anomaly

References

• https://www.blackhillsinfosec.com/dynamic-device-code-phishing/
• https://www.huntress.com/blog/oh-auth-2-0-device-code-phishing-in-google-cloud-and-azure
• https://github.com/secureworks/family-of-client-ids-research?tab=readme-ov-file#which-client-applications-are-compatible-with-each-other

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Storm-2372 conducts device code phishing campaign appeared first on Microsoft Security Blog.

A successful AI transformation starts with a strong security foundation. With a rapid increase in AI development and adoption, organizations need visibility into their emerging AI apps and tools. Microsoft Security provides threat protection, posture management, data security, compliance, and governance to secure AI applications that you build and use. These capabilities can also be used to help enterprises secure and govern AI apps built with the DeepSeek R1 model and gain visibility and control over the use of the seperate DeepSeek consumer app. 

Secure and govern AI apps built with the DeepSeek R1 model on Azure AI Foundry and GitHub  Develop with trustworthy AI 

Last week, we announced DeepSeek R1’s availability on Azure AI Foundry and GitHub, joining a diverse portfolio of more than 1,800 models.   

Customers today are building production-ready AI applications with Azure AI Foundry, while accounting for their varying security, safety, and privacy requirements. Similar to other models provided in Azure AI Foundry, DeepSeek R1 has undergone rigorous red teaming and safety evaluations, including automated assessments of model behavior and extensive security reviews to mitigate potential risks. Microsoft’s hosting safeguards for AI models are designed to keep customer data within Azure’s secure boundaries. 

azure AI content Safety

Learn more

With Azure AI Content Safety, built-in content filtering is available by default to help detect and block malicious, harmful, or ungrounded content, with opt-out options for flexibility. Additionally, the safety evaluation system allows customers to efficiently test their applications before deployment. These safeguards help Azure AI Foundry provide a secure, compliant, and responsible environment for enterprises to confidently build and deploy AI solutions. See Azure AI Foundry and GitHub for more details.

Build transformative AI apps with Azure AI Foundry Start with Security Posture Management

Microsoft Defender for Cloud

Learn more

AI workloads introduce new cyberattack surfaces and vulnerabilities, especially when developers leverage open-source resources. Therefore, it’s critical to start with security posture management, to discover all AI inventories, such as models, orchestrators, grounding data sources, and the direct and indirect risks around these components. When developers build AI workloads with DeepSeek R1 or other AI models, Microsoft Defender for Cloud’s AI security posture management capabilities can help security teams gain visibility into AI workloads, discover AI cyberattack surfaces and vulnerabilities, detect cyberattack paths that can be exploited by bad actors, and get recommendations to proactively strengthen their security posture against cyberthreats.

Figure 1. AI security posture management in Defender for Cloud detects an attack path to a DeepSeek R1 workload.

By mapping out AI workloads and synthesizing security insights such as identity risks, sensitive data, and internet exposure, Defender for Cloud continuously surfaces contextualized security issues and suggests risk-based security recommendations tailored to prioritize critical gaps across your AI workloads. Relevant security recommendations also appear within the Azure AI resource itself in the Azure portal. This provides developers or workload owners with direct access to recommendations and helps them remediate cyberthreats faster. 

Safeguard DeepSeek R1 AI workloads with cyberthreat protection

While having a strong security posture reduces the risk of cyberattacks, the complex and dynamic nature of AI requires active monitoring in runtime as well. No AI model is exempt from malicious activity and can be vulnerable to prompt injection cyberattacks and other cyberthreats. Monitoring the latest models is critical to ensuring your AI applications are protected.

Integrated with Azure AI Foundry, Defender for Cloud continuously monitors your DeepSeek AI applications for unusual and harmful activity, correlates findings, and enriches security alerts with supporting evidence. This provides your security operations center (SOC) analysts with alerts on active cyberthreats such as jailbreak cyberattacks, credential theft, and sensitive data leaks. For example, when a prompt injection cyberattack occurs, Azure AI Content Safety prompt shields can block it in real-time. The alert is then sent to Microsoft Defender for Cloud, where the incident is enriched with Microsoft Threat Intelligence, helping SOC analysts understand user behaviors with visibility into supporting evidence, such as IP address, model deployment details, and suspicious user prompts that triggered the alert. 

Figure 2. Microsoft Defender for Cloud integrates with Azure AI to detect and respond to prompt injection cyberattacks.

Additionally, these alerts integrate with Microsoft Defender XDR, allowing security teams to centralize AI workload alerts into correlated incidents to understand the full scope of a cyberattack, including malicious activities related to their generative AI applications. 

Figure 3. A security alert for a prompt injection attack is flagged in Defender for Cloud Secure and govern the use of the DeepSeek app

In addition to the DeepSeek R1 model, DeepSeek also provides a consumer app hosted on its local servers, where data collection and cybersecurity practices may not align with your organizational requirements, as is often the case with consumer-focused apps. This underscores the risks organizations face if employees and partners introduce unsanctioned AI apps leading to potential data leaks and policy violations. Microsoft Security provides capabilities to discover the use of third-party AI applications in your organization and provides controls for protecting and governing their use.

Secure and gain visibility into DeepSeek app usage 

Microsoft Defender for Cloud Apps

Learn more

Microsoft Defender for Cloud Apps provides ready-to-use risk assessments for more than 850 Generative AI apps, and the list of apps is updated continuously as new ones become popular. This means that you can discover the use of these Generative AI apps in your organization, including the DeepSeek app, assess their security, compliance, and legal risks, and set up controls accordingly. For example, for high-risk AI apps, security teams can tag them as unsanctioned apps and block user’s access to the apps outright.

Figure 4. Discover usage and control access to Generative AI applications based on their risk factors in Defender for Cloud Apps. Comprehensive data security 

Data security

Learn more

In addition, Microsoft Purview Data Security Posture Management (DSPM) for AI provides visibility into data security and compliance risks, such as sensitive data in user prompts and non-compliant usage, and recommends controls to mitigate the risks. For example, the reports in DSPM for AI can offer insights on the type of sensitive data being pasted to Generative AI consumer apps, including the DeepSeek consumer app, so data security teams can create and fine-tune their data security policies to protect that data and prevent data leaks. 

Figure 5. Microsoft Purview Data Security Posture Management (DSPM) for AI enables security teams to gain visibility into data risks and get recommended actions to address them. Prevent sensitive data leaks and exfiltration  

Microsoft Purview Data Loss Prevention

Learn more

The leakage of organizational data is among the top concerns for security leaders regarding AI usage, highlighting the importance for organizations to implement controls that prevent users from sharing sensitive information with external third-party AI applications.

Microsoft Purview Data Loss Prevention (DLP) enables you to prevent users from pasting sensitive data or uploading files containing sensitive content into Generative AI apps from supported browsers. Your DLP policy can also adapt to insider risk levels, applying stronger restrictions to users that are categorized as ‘elevated risk’ and less stringent restrictions for those categorized as ‘low-risk’. For example, elevated-risk users are restricted from pasting sensitive data into AI applications, while low-risk users can continue their productivity uninterrupted. By leveraging these capabilities, you can safeguard your sensitive data from potential risks from using external third-party AI applications. Security admins can then investigate these data security risks and perform insider risk investigations within Purview. These same data security risks are surfaced in Defender XDR for holistic investigations.

Figure 6. Data Loss Prevention policy can block sensitive data from being pasted to third-party AI applications in supported browsers.

This is a quick overview of some of the capabilities to help you secure and govern AI apps that you build on Azure AI Foundry and GitHub, as well as AI apps that users in your organization use. We hope you find this useful!

To learn more and to get started with securing your AI apps, take a look at the additional resources below:  

• AI security posture management in Microsoft Defender for Cloud 
• Threat protection for AI workloads in Microsoft Defender for Cloud
• Get visibility into your DeepSeek use with Defender for Cloud Apps 
• Microsoft Purview data security and compliance protections for generative AI apps 

Learn more with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post Securing DeepSeek and other AI systems with Microsoft Security appeared first on Microsoft Security Blog.

Microsoft is publishing for the first time our research into a subgroup within the Russian state actor Seashell Blizzard and its multiyear initial access operation, tracked by Microsoft Threat Intelligence as the “BadPilot campaign”. This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations. This blog details this subgroup’s recently observed tactics, techniques, and procedures (TTPs), and describes three of its distinct exploitation patterns. The geographical targeting to a near-global scale of this campaign expands Seashell Blizzard’s scope of operations beyond Eastern Europe. Additionally, the opportunistic access methods outlined in this campaign will continue to offer Russia opportunities for niche operations and activities.

Active since at least 2021, this subgroup within Seashell Blizzard has leveraged opportunistic access techniques and stealthy forms of persistence to collect credentials, achieve command execution, and support lateral movement that has at times led to substantial regional network compromises. Observed operations following initial access indicate that this campaign enabled Seashell Blizzard to obtain access to global targets across sensitive sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, in addition to international governments. We assess that this subgroup has been enabled by a horizontally scalable capability bolstered by published exploits that allowed Seashell Blizzard to discover and compromise numerous Internet-facing systems across a wide range of geographical regions and sectors. Since early 2024, the subgroup has expanded its range of access to include targets in the United States and United Kingdom by exploiting vulnerabilities primarily in ConnectWise ScreenConnect (CVE-2024-1709) IT remote management and monitoring software and Fortinet FortiClient EMS security software (CVE-2023-48788). These new access operations built upon previous efforts between 2021 and 2023 which predominantly affected Ukraine, Europe, and specific verticals in Central and South Asia, and the Middle East.

Microsoft Threat Intelligence assesses that while some of the subgroup’s targeting is opportunistic, its compromises cumulatively offer Seashell Blizzard options when responding to Russia’s evolving strategic objectives. Since April 2022, Russia-aligned threat actors have increasingly targeted international organizations that are either geopolitically significant or provide military and/or political support to Ukraine. In addition to establishing access to these targets outside Ukraine, we assess that the subgroup has likely enabled at least three destructive cyberattacks in Ukraine since 2023 (see below discussion of Seashell Blizzard for more information about their activities against Ukraine).  

Seashell Blizzard’s far-reaching access operations pose a significant risk to organizations within the group’s strategic purview. Despite the commodity nature of this subgroup’s exploitation patterns, notable shifts within the actor’s post-compromise tradecraft are reflected within the subgroup’s activities, which may carry over to other aspects of Seashell Blizzard’s more traditional operations and carry more significant implications for auditing during incident response. 

Microsoft Threat Intelligence tracks campaigns launched by Seashell Blizzard as well as this subgroup, and when able, directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on this campaign’s activity to raise awareness of the observed TTPs and to educate organizations on how to harden their attack surfaces against this and similar activity. 

Who is Seashell Blizzard?

Seashell Blizzard is a high-impact threat actor linked to the Russian Federation that conducts global activities on behalf of Russian Military Intelligence Unit 74455 (GRU). Seashell Blizzard’s specialized operations have ranged from espionage to information operations and cyber-enabled disruptions, usually in the form of destructive attacks and manipulation of industrial control systems (ICS). Active since at least 2013, this threat actor’s prolific operations include destructive attacks such as KillDisk (2015) and FoxBlade (2022), supply-chain attacks (MeDoc, 2017), and pseudo-ransomware attacks such as NotPetya (2017) and Prestige (2022), in addition to numerous other specialized disruptive capabilities. Seashell Blizzard is assessed to be highly skilled at enabling broad and persistent access against priority computer networks, which sometimes gives the group significant tenure for future potential follow-on activity.

Due to their specialization in computer network exploitation (CNE) and expertise targeting critical infrastructure such as ICS and supervisory control and data acquisition systems (SCADA), Seashell Blizzard’s operations have frequently been leveraged during military conflicts and as an adaptable element during contentious geopolitical events. Historically, some of Seashell Blizzard’s operations may be considered part of a spectrum of retaliatory actions sometimes used by the Russian Federation. Since Russia’s invasion of Ukraine in 2022, Seashell Blizzard has conducted a steady stream of operations complementing Russian military objectives. The threat actor’s longstanding strategic targets in the region have included critical infrastructure such as energy and water, government, military, transportation and logistics, manufacturing, telecommunications, and other supportive civilian infrastructure.

Since at least April 2023, Seashell Blizzard has increased targeting of military communities in the region, likely for tactical intelligence gain. Their persistent targeting of Ukraine suggests Seashell Blizzard is tasked to obtain and retain access to high-priority targets to provide the Russian military and Russian government a range of options for future actions.

Seashell Blizzard’s network intrusions leverage diverse tradecraft and typically employ a range of common publicly available tools, including Cobalt Strike and DarkCrystalRAT. Network intrusions linked to the threat actor have affected multiple tiers of infrastructure, showcasing Seashell Blizzard’s abilities to target end users, network perimeters, and vertical-specific systems leveraging both publicly available and custom exploits and methods.

Since February 2022, Seashell Blizzard has generally taken three approaches to their network intrusions:

• Targeted: Seashell Blizzard has frequently used tailored mechanisms to access targets, including scanning and exploitation of specific victim infrastructure, phishing, and modifying legitimate functionality of existing systems to either expand network access or obtain confidential information.
• Opportunistic: Seashell Blizzard has increasingly used broad exploitation of Internet-facing infrastructure and distribution of malware implants spread through trojanized software to achieve scalable but indiscriminate access. In cases where a resulting victim is identified as strategically valuable, Microsoft Threat Intelligence has observed the threat actor conducting significant post-compromise activities.
• Hybrid: Seashell Blizzard has very likely gained access to target organizations using a limited supply-chain attack narrowly focused within Ukraine, an operation that was recently mitigated by the Computer Emergency Response Team of Ukraine (CERT-UA). Other hybrid methods have included compromise of regional managed IT service providers, which often afforded regional or vertical-specific access to diverse targets.

Seashell Blizzard overlaps with activity tracked by other security vendors as BE2, UAC-0113, Blue Echidna, Sandworm, PHANTOM, BlackEnergy Lite, and APT44.

Attribution assessment

Microsoft Threat Intelligence assesses that the initial access subgroup is linked to Seashell Blizzard. Despite the subgroup’s opportunistic tactics, we are able to distinguish this subgroup due to its consistent use of distinct exploits, tooling, infrastructure, and late-stage methods used to establish persistence. Moreover, our longstanding forensic investigation uncovered distinct post-compromise activities, a part of which incorporated specific operational capabilities and resources chiefly utilized by Seashell Blizzard. We have also observed the initial access subgroup to pursue access to an organization prior to a Seashell Blizzard-linked destructive attack.

Scope of operations and targeting trends

Microsoft Threat Intelligence assesses that Seashell Blizzard uses this initial access subgroup to horizontally scale their operations as new exploits are acquired and to sustain persistent access to current and future sectors of interest to Russia. This subgroup conducts broad operations against a variety of sectors and geographical areas. In 2022, its primary focus was Ukraine, specifically targeting the energy, retail, education, consulting, and agriculture sectors. In 2023, it globalized the scope of its compromises, leading to persistent access within numerous sectors in the United States, Europe, Central Asia, and the Middle East. It frequently prioritized sectors that either provided material support to the war in Ukraine or were geopolitically significant. In 2024, while the exposure of multiple vulnerabilities likely offered the subgroup more access than ever, it appeared to have honed its focus to the United States, Canada, Australia, and the United Kingdom.

This subgroup’s historical pattern of exploitation has also led to the compromise of globally diverse organizations that appear to have limited or no utility to Russia’s strategic interests. This pattern suggests the subgroup likely uses an opportunistic “spray and pray” approach to achieving compromises at scale to increase the likelihood of acquiring access at targets of interest with limited tailored effort. In cases where a strategically significant target is compromised, we have observed significant later post-compromise activity. The geographic focus of the subgroup frequently transitions between broad campaigns against multiple geographic targets and a narrow focus on specific regions or countries, demonstrating the subgroup’s flexibility to pursue unique regional objectives.

Figure 1. The geographical spread of the initial access subgroup’s targets Initial access subgroup opportunistically compromises perimeter infrastructure using published CVEs

Since late 2021, Seashell Blizzard has used this initial access subgroup to conduct targeted operations by exploiting vulnerable Internet-facing infrastructure following discovery through direct scanning and, more uniquely, use of third-party internet scanning services and knowledge repositories. These exploitation efforts are followed by an operational lifecycle using a consistent set of TTPs to support persistence and lateral movement, which have incrementally evolved to become more evasive over time. Microsoft Threat Intelligence has identified at least three distinct exploitation patterns and operational behaviors linked to this subgroup, which are described in more detail below:

Figure 2. Seashell Blizzard initial access subgroup operational lifecycle

To date, at least eight vulnerabilities common within specific categories of server infrastructure typically found on network perimeters of small office/home office (SOHO) and enterprise networks have been exploited by this subgroup:

• Microsoft Exchange (CVE-2021-34473)
  • Zimbra Collaboration (CVE-2022-41352)
  • OpenFire (CVE-2023-32315)
  • JetBrains TeamCity (CVE-2023-42793)
  • Microsoft Outlook (CVE-2023-23397)
  • Connectwise ScreenConnect (CVE-2024-1709)
  • Fortinet FortiClient EMS (CVE-2023-48788)
  • JBOSS (exact CVE is unknown)

In nearly all cases of successful exploitation, Seashell Blizzard carried out measures to establish long-term persistence on affected systems. This persistent access is noted in at least three cases to have preceded select destructive attacks attributed to Seashell Blizzard, highlighting that the subgroup may periodically enable destructive or disruptive attacks.

Exploitation patterns

We have observed the initial access subgroup using three specific exploit patterns:

Deployment of remote management and monitoring (RMM) suites for persistence and command and control (February 24, 2024 – present)

In early 2024, the initial access subgroup began using RMM suites, which was a novel technique used by Seashell Blizzard to achieve persistence and command and control (C2). This was first observed when the subgroup exploited vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788). The subgroup then deployed RMM software such as Atera Agent and Splashtop Remote Services. The use of RMM software allowed the threat actor to retain critical C2 functions while masquerading as a legitimate utility, which made it less likely to be detected than a remote access trojan (RAT). While these TTPs have been used by other nation-state threat actors since at least 2022, including by Iranian state actor Mango Sandstorm, the Seashell Blizzard initial access subgroup’s specific techniques are considered distinct.

Figure 3. Use of ScreenConnect to install Atera Agent

During the first weeks of this exploitation pattern, the initial access subgroup primarily targeted organizations in Ukraine, the United States, Canada, the United Kingdom, and Australia. It is highly likely that Seashell Blizzard conducted post-compromise activity at only a limited number of organizations that were part of this initial victim pool. For these organizations, Seashell Blizzard conducted preliminary credential access through multiple means and deployed at least one custom utility to facilitate remote access and tunneling (see the section on ShadowLink below for more information).

Both CVE-2024-1709 and CVE-2023-48788 provided the ability to launch arbitrary commands on a vulnerable server. Following exploitation, the subgroup used two methods of payload retrieval to install RMM agents on affected servers:

• Retrieval of Atera Agent installers from legitimate agent endpoints – Commonly observed on exploited ScreenConnect servers, Seashell Blizzard used resulting command execution to retrieve Atera installers via Bitsadmin and curl from legitimate installation URLs hosted by Atera.

• Retrieval of Atera Agent from actor-controlled infrastructure – During exploitation of CVE-2023-48788 between April 9 and April 10, 2024, Seashell Blizzard retrieved remote agent installers from actor-controlled virtual private server (VPS) infrastructure.

Following installation of RMM software, Seashell Blizzard uses the native functionality of the agents to deploy secondary tools to help credential acquisition, data exfiltration, and upload of custom utilities to facilitate more robust access to compromised systems.

Seashell Blizzard likely uses three primary methods of credential access:

• Registry-based credential access via reg.exe:

• Credential access via renamed procdump:

• Since RMM agents typically afford an interactive graphical interface, native credential access mechanisms common via task manager were likely also carried out. In addition, credential access via Taskmanager UI by LSASS process dumping was likely also employed.

During Seashell Blizzard intrusions, we observed rclone.exe deployed to affected servers and subsequently used to carry out data exfiltration using an actor-supplied configuration file.

Among a subgroup of victims, Seashell Blizzard carried out unique post-compromise activity, indicating that the threat actor sought more durable persistence and direct access. In these cases, Seashell Blizzard deployed OpenSSH with a unique public key, allowing them to access compromised systems using an actor-controlled account and credential, in addition to a unique persistence and assured C2 method known to Microsoft Threat Intelligence as ShadowLink.

Figure 4. How ShadowLink avoids discovery

ShadowLink facilitates persistent remote access by configuring a compromised system to be registered as a Tor hidden service. This is achieved using a combination of Tor service binaries and a unique actor-defined Tor configuration file (referred as the ‘torrc’) configuring the system for remote access. Systems compromised with ShadowLink receive a unique .onion address, making them remotely accessible via the Tor network. This capability allows Seashell Blizzard to bypass common exploit patterns of deploying a RAT, which commonly leverages some form of C2 to actor-controlled infrastructure that are often easily audited and identified by network administrators. Instead, by relying on Tor hidden services, the compromised system creates a persistent circuit to the Tor network, acting as a covert tunnel, effectively cloaking all inbound connections to the affected asset and limiting exposures from both the actor and victim environment.

ShadowLink contains two primary components: a legitimate Tor service binary and a torrc which contains requisite configurations for the Tor hidden services address—specifically, port-forwarding for common services such as Remote Desktop Protocol (RDP) and SecureShell (SSH) Protocol. Commonly, Seashell Blizzard has utilized ShadowLink to redirect inbound connections to the Tor hidden service address to ports for RDP (3389). ShadowLink persisted via a system service:

Microsoft Threat Intelligence has also observed Forest Blizzard, a separate GRU actor, leveraging similar Tor-based capabilities in their operations.

Web shell deployment for persistence and C2 (late 2021 – present)

Since late 2021, the Seashell Blizzard initial access subgroup has primarily deployed web shells following successful exploitation to maintain footholds and achieve the ability to execute commands necessary to deploy secondary tooling to assist lateral movement. To date, this exploit pattern remains its predominant persistence method. Beginning in mid-2022, this pattern of exploitation enabled unique post-compromise activities against organizations in Central Asia and Europe, which were likely intended to further Russia’s geopolitical objectives and preposition against select strategic targets.

Figure 5. Seashell Blizzard exploitation of CVE-2021-34473 and CVE-2022-41352 Exploitation of Microsoft Exchange and Zimbra vulnerabilities

Microsoft Threat Intelligence has identified at least two web shells consistently deployed by this initial access subgroup. While web shells can be deployed using a variety of methods, they are most often deployed following the exploitation of vulnerabilities allowing remote code execution (RCE) or achieving some level of arbitrary file upload. In the case of the initial access subgroup, we have observed web shells deployed following exploitation of vulnerabilities in Microsoft Exchange (CVE-2021-34473) and Zimbra (CVE-2022-41352). In cases where RCE is available, the initial access subgroup routinely retrieves web shells from actor-controlled infrastructure. This infrastructure can be either legitimate but compromised websites or dedicated actor infrastructure.

We observed the following web shell retrieval commands being used:

Microsoft Threat Intelligence has identified a web shell that we assess as exclusive to the initial access subgroup and is associated with the previously mentioned web shell retrieval patterns. Detected as LocalOlive, this web shell is identified on compromised perimeter infrastructure and serves as the subgroup’s primary means of achieving C2 and deploying additional utilities to compromised infrastructure. Written in ASPX supporting C#, the web shell carries sufficient yet rudimentary functionality to support the following secondary activities:

• Upload and download files
• Run shell commands
• Open a port (default port is set to TCP 250)

Figure 6. LocalOlive web shell def.aspx

On October 24, 2022, the initial access subgroup successfully exploited CVE-2022-41352. This Zimbra Collaborative vulnerability allows a threat actor to deploy web shells and other arbitrary files by sending an email with a specially crafted attachment, effectively exploiting an arbitrary file-write vulnerability. The initial access subgroup leveraged this vulnerability to deliver a primitive web shell to affected servers, allowing for execution of arbitrary commands.

Emails were sent from the following actor-controlled addresses:

• akfcjweiopgjebvh@proton.me
• ohipfdpoih@proton.me
• miccraftsor@outlook.com
• amymackenzie147@protonmail.ch
• ehklsjkhvhbjl@proton.me
• MirrowSimps@outlook.com

Figure 7. Web shell used during Zimbra exploitation

Reconnaissance and fingerprinting

After deploying web shells, the initial access subgroup then executes specific sequential commands below likely used to fingerprint and attribute victim networks; these patterns of behavior may indicate that either operators are quick to capitalize on compromises or the possible use of automation following successful exploitation.

Tunneling utilities deployment

When Seashell Blizzard identifies targets of likely strategic value, it often furthers its network compromise by deploying tunneling utilities such as Chisel, plink, and rsockstun to established dedicated conduits into affected network segments.

When Chisel is deployed, it often followed multiple naming conventions, including:

• MsChSoft.exe
• MsNan.exe
• Msoft.exe
• Chisel.exe
• Win.exe
• MsChs.exe
• MicrosoftExchange32.exe
• Desk.exe
• Sys.exe

For example, the initial access subgroup has used the following tunneling commands:

When rsockstun is deployed, it has used naming conventions such as Sc.exe.

Tunneling launch

When establishing tunnels, the initial access subgroup has routinely established reverse tunnels to exclusive VPS actor-owned infrastructure, including:

Tunneling IPFirst observed usedLast observed used103.201.129[.]130May 2022July 2022104.160.6[.]2September 2022December 2022195.26.87[.]209September 2023April 2024

Note that these IP addresses are relevant within or around the timeframes enumerated in the table above. Some IP addresses may no longer be used by Seashell Blizzard at the time of this writing but are provided for historical and forensic understanding.

Modification of infrastructure to expand network influence through credential collection (late 2021 – 2024)

In targeted operations where the initial access subgroup is likely seeking network access, Microsoft Threat Intelligence has observed subsequent malicious modifications to network resources including Outlook Web Access (OWA) sign-in pages and DNS configurations.

Figure 8. Simple attack chain for Seashell Blizzard exploitation of OWA

Modifying network resources allows Seashell Blizzard to passively gather relevant network credentials, which may be used to expand the actor’s access to sensitive information and widen its access to target networks in general. Notably, the infrastructure associated with this unique technique is sometimes also used in the two prior exploitation patterns, highlighting the versatility of late-stage infrastructure which may not always be limited to distinct patterns of exploitation.

Modification of web access sign-in portals

The initial access subgroup uses rogue JavaScript inserted into otherwise legitimate sign-in portals. This malicious JavaScript collects and sends clear text usernames and passwords to actor-controlled infrastructure as they are submitted in real time by users of the affected organization. We assess that this method has likely afforded the subgroup credentials to support lateral movement within several organizations.

Microsoft Threat Intelligence has tracked the following actor-controlled infrastructure linked to this unique credential collection method when modifying legitimate OWA sign-in pages:

• hwupdates[.]com
• cloud-sync[.]org
• 103.201.129[.]130

Figure 9. Seashell Blizzard credential collection from OWA Modification of DNS configurations

Microsoft Threat Intelligence assesses with moderate confidence that the initial access subgroup has modified DNS A record configurations for select targets. While the purpose of these modifications is unclear, due to the nature of affected systems, it is possible that they may have been purposed to intercept credentials from critical authentication services.

Conclusion

Given that Seashell Blizzard is Russia’s cyber tip of the spear in Ukraine, Microsoft Threat Intelligence assesses that this access subgroup will continue to innovate new horizontally scalable techniques to compromise networks both in Ukraine and globally in support of Russia’s war objectives and evolving national priorities. This subgroup, which is characterized within the broader Seashell Blizzard organization by its near-global reach, represents an expansion in both the geographical targeting conducted by Seashell Blizzard and the scope of its operations. At the same time, Seashell Blizzard’s far-reaching, opportunistic access methods likely offer Russia expansive opportunities for niche operations and activities that will continue to be valuable over the medium term.

Mitigation and protection guidance

To harden networks against the Seashell Blizzard activity listed above, defenders can implement the following:

Strengthen operating environment configuration

• Utilize a vulnerability management system, such as Microsoft Defender Vulnerability Management, to manage vulnerabilities, weaknesses, and remediation efforts across your environment’s operating systems, software inventories, and network devices.
• Require multifactor authentication (MFA). While certain attacks such as AiTM phishing attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
  • Leverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
• Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Organizations can also use Microsoft Defender External Attack Surface Management (EASM) , a tool that continuously discovers and maps digital attack surface to provide an external view of your online infrastructure. EASM leverages vulnerability and infrastructure data to generate Attack Surface Insights, reporting that highlights key risks to a given organization.
• Enable Network Level Authentication for Remote Desktop Service connections.
• Enable AppLocker to restrict specific software tools prohibited within the organization, such as reconnaissance, fingerprinting, and RMM tools, or grant access to only specific users.

Strengthen Microsoft Defender for Endpoint configuration

• Ensure that tamper protection is enabled in Microsoft Defender for Endpoint. 
• Enable network protection in Microsoft Defender for Endpoint. 
• Turn on web protection.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.     
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.  
• Microsoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common attack techniques used by threat actors. 
  • Block executable content from email client and webmail 
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion 
  • Block execution of potentially obfuscated scripts
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block process creations originating from PSExec and WMI commands

Strengthen Microsoft Defender Antivirus configuration

• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants. 
• Enable Microsoft Defender Antivirus scanning of downloaded files and attachments.
• Enable Microsoft Defender Antivirus real-time protection.
• Turn on PUA protection in block mode in Microsoft Defender Antivirus 

Strengthen Microsoft Defender for Office 365 configuration

• Turn on Safe Links and Safe Attachments in Microsoft Defender for Office 365.
• Enable Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
• Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. Microsoft Defender for Office 365 merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats.
• Configure Microsoft Defender for Office 365 to recheck links on click.
• Use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing credentials.

Strengthen Microsoft Defender for Identity configuration

• Prevent clear text credential exposure.
• Reduce lateral movement paths that may be used by attackers.
• Identify legacy components that may introduce security vulnerabilities.

Microsoft Defender XDR detections Microsoft Defender Antivirus 

Microsoft Defender Antivirus detects this threat as the following malware: 

• HackTool:Win64/ShadowLink.A!dha
• HackTool:Win64/ShadowLink.B!dha
• Exploit:Python/CVE-2024-1709
• Rnasom:Win32/Inc.MA
• BackDoor:PHP/Remoteshell.V
• Trojan:Win32/LocalOlive.A!dha
• Trojan:Win32/LocalOlive.B!dha
• Trojan:Win32/LocalOlive.C!dha

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

• Seashell Blizzard activity group

The following alerts might also indicate threat activity related to this threat. Note, however, these alerts also can be triggered by unrelated threat activity.

• Possible Seashell Blizzard activity
• Suspicious Atera installation via ScreenConnect
• Suspicious command execution via ScreenConnect
• Suspicious sequence of exploration activities
• CredentialDumpingViaEsentutlDetector
• Suspicious behavior by cmd.exe was observed
• SQL Server login using xp_cmdshell
• Suspicious port scan activity within an RDP session
• Suspicious connection to remote service
• Suspicious usage of remote management software
• New local admin added using Net commands
• Sensitive data was extracted from registry
• Suspicious Scheduled Task Process Launched
• Potential human-operated malicious activity
• Compromised account conducting hands-on-keyboard attack
• Sensitive file access for possible data exfiltration or encryption
• Possible Fortinet FortiClientEMS vulnerability exploitation
• Possible target of NTLM credential theft
• Possible exploitation of ProxyShell vulnerabilities
• Possibly malicious use of proxy or tunneling tool
• Hidden dual-use tool launch attempt

Microsoft Defender for Cloud

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• Communication with suspicious domain identified by threat intelligence
• Suspicious PowerShell Activity Detected
• Detected suspicious combination of HTA and PowerShell
• Detected encoded executable in command line data
• Detected obfuscated command line

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments. Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence to get more information about this threat actor.

Microsoft Defender Threat Intelligence

• Seashell Blizzard
• Seashell Blizzard uses new ShadowLink variant
• Seashell Blizzard exploiting vulnerabilities to install Atera Agent for post-compromise activities
• Seashell Blizzard launches destructive attack against local Ukrainian government, Storm-1512 takes credit
• Credential Theft via Modification of Outlook Web Access (OWA) Login Pages
• Seashell Blizzard Targeting Zimbra Servers Using Malicious Email Attachment
• Seashell Blizzard Uses TOR Hidden Services on Targets for Persistence and Evasion

Hunting queries   Microsoft Defender XDR

The following sample queries let you search for a week’s worth of events. To explore up to 30 days’ worth of raw data to inspect events in your network and locate potential PowerShell-related indicators for more than a week, go to the Advanced hunting page > Query tab, select the calendar dropdown menu to update your query to hunt for the Last 30 days.

ScreenConnect

Surface the possible exploitation of ScreenConnect to launch suspicious commands.

DeviceProcessEvents | where InitiatingProcessParentFileName endswith "ScreenConnect.ClientService.exe" | where (FileName in~ ("powershell.exe", "powershell_ise.exe", "cmd.exe") and ProcessCommandLine has_any ("System.DirectoryServices.ActiveDirectory.Domain", "hidden -encodedcommand", "export-registry", "compress-archive", "wget -uri", "curl -Uri", "curl -sko", "ipconfig /all", "& start /B", "start msiexec /q /i", "whoami", "net user", "net group", "localgroup administrators", "dsquery", "samaccountname=", "query session", "adscredentials", "o365accountconfiguration", "-dumpmode", "-ssh", "o or (FileName =~ "wget.exe" and ProcessCommandLine contains "http") or (FileName =~ "mshta.exe" and ProcessCommandLine contains "http") or (FileName =~ "curl.exe" and ProcessCommandLine contains "http") or ProcessCommandLine has_all ("powershell", "-command", "curl") or ProcessCommandLine has_any ("E:jscript", "e:vbscript", "start msiexec /q /i") or ProcessCommandLine has_all ("reg add", "DisableAntiSpyware", @"\Microsoft\Windows Defender") or ProcessCommandLine has_all ("reg add", "DisableRestrictedAdmin", @"CurrentControlSet\Control\Lsa") or ProcessCommandLine has_all ("vssadmin", "delete", "shadows") or ProcessCommandLine has_all ("vssadmin", "list", "shadows") or ProcessCommandLine has_all ("wmic", "process call create") or ProcessCommandLine has_all ("wmic", "delete", "shadowcopy") or ProcessCommandLine has_all ("wmic", "shadowcopy", "call create") or ProcessCommandLine has_all ("wbadmin", "delete", "catalog") or ProcessCommandLine has_all ("ntdsutil", "create full") or (ProcessCommandLine has_all ("schtasks", "/create") and not(ProcessCommandLine has "shutdown")) or (ProcessCommandLine has "nltest" and ProcessCommandLine has_any ("domain_trusts", "dclist", "all_trusts")) or (ProcessCommandLine has "lsass" and ProcessCommandLine has_any ("procdump", "tasklist", "findstr")) or FileName in~ ("tasklist.exe", "ssh.exe", "icacls.exe", "certutil.exe", "calc.exe", "bitsadmin.exe", "accesschk.exe", "mshta.exe", "winrm.exe", "dsquery.exe", "makecab.exe", "hh.exe", "pcalua.exe", "regsvr32.exe", "cmstp.exe", "esentutl.exe", "dnscmd.exe", "gpscript.exe", "msdt.exe", "msra.exe", "odbcconf.exe") | where not(ProcessCommandLine has_any ("servicedesk.atera.com", "support.csolve.net", "lt.tech-keys.com", "certutil -hashfile"))

FortiClient EMS log capture

If you believe your FortiClient has been exploited before patching, this query may help with further investigation.

According to Horizon3 research, the C:\Program Files (x86)\Fortinet\FortiClientEMS\logs log file can be examined to identify malicious activity. Run the following query to surface devices with this log file for further investigation. 

DeviceFileEvents | where FileName contains @"C:\Program Files (x86)\Fortinet\FortiClientEMS\logs" | distinct DeviceName

Additionally, Horizon3 noted that this SQL vulnerability could allow for remote code execution (RCE) using the xp_cmdshell functionality of Microsoft SQL Server. The SQL logs can also be examined for evidence of xp_cmdshell being leveraged to spawn a Windows command shell.

According to Microsoft research, the following query could help surface exploitation activity related to this vulnerability. 

DeviceProcessEvents | where InitiatingProcessFileName == "sqlservr.exe" | where FileName =~ "cmd.exe" | where ProcessCommandLine has_any ("webclient", "downloadstring", "http", "https", "downloadfile") | where InitiatingProcessCommandLine has_all ("sqlservr.exe", "-sFCEMS")

Tor service

Find services associated with Tor. 

DeviceEvents | where ActionType == 'ServiceInstalled' | extend JSON = parse_json(AdditionalFields) | where JSON.ServiceName has 'tor'

YARA rule

Use the following Yara rule to find malicious JavaScript inserted into OWA sign-in pages.   

rule injected_cred_logger_owa { strings: $owa = "<!-- OwaPa" $jq = "jquery" $ajax = ".ajax" $keypress = ".keypress" $which = "e.which == 13" $encoding1 = "btoa" $encoding2 = "unescape" $encoding3 = "encodeURIComponent" $m1 = "GET" $m2 = "POST" condition: $owa and $jq and $ajax and $keypress and $which and (2 of ($encoding*)) and (1 of ($m*)) } Microsoft Sentinel 

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.  

While the below query is not linked to any specific threat actor, it is effective in surfacing network connectivity that may indicate use of remote monitoring and management program ScreenConnect. Implementing this query can help you stay vigilant and safeguard your organization from unauthorized use of RMM software:

• ScreenConnect network connection

Below are the queries using Sentinel ASIM Functions to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually.

Below query can be used to hunt normalized Network Session events using the ASIM unifying parser _Im_NetworkSession for IOCs:

let lookback = 30d; let ioc_ip_addr = dynamic(["103.201.129.130", "104.160.6.2", "195.26.87.209"]); let ioc_domains = dynamic(["hwupdates.com", "cloud-sync.org"]); _Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now()) | where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains) | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Below query can be used to hunt normalized Web Session events using the ASIM unifying parser _Im_WebSession for IOCs:

let lookback = 30d; let ioc_ip_addr = dynamic(["103.201.129.130", "104.160.6.2", "195.26.87.209"]); let ioc_url_patterns = dynamic(["hwupdates.com", "cloud-sync.org","def.aspx"]); _Im_WebSessionn(starttime=todatetime(ago(lookback)), endtime=now()) | where url has_any (ioc_url_patterns) or DstIpAddr has_any (ioc_ip_addr) | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor Indicators of compromise IndicatorTypedef.aspxLocalOlive web shellakfcjweiopgjebvh@proton.meActor-controlled email addressohipfdpoih@proton.meActor-controlled email addressmiccraftsor@outlook.comActor-controlled email addressamymackenzie147@protonmail.chActor-controlled email addressehklsjkhvhbjl@proton.meActor-controlled email addressMirrowSimps@outlook.comActor-controlled email addressMsChSoft.exeChisel tunneling utilityMsNan.exeChisel tunneling utilityMsoft.exeChisel tunneling utilityChisel.exeChisel tunneling utilityWin.exeChisel tunneling utilityMsChs.exeChisel tunneling utilityMicrosoftExchange32.exeChisel tunneling utilitySc.exeRocstun tunneling utility103.201.129[.]130Seashell Blizzard infrastructure104.160.6[.]2Seashell Blizzard infrastructure195.26.87[.]209Seashell Blizzard infrastructurehwupdates[.]comSeashell Blizzard infrastructurecloud-sync[.]orgSeashell Blizzard infrastructurec7379b2472b71ea0a2ba63cb7178769d27b27e1d00785bfadac0ae311cc88d8bLocalOliveb38f1906680c80e1606181b3ccb8539dab5af2a7222165c53cdd68d09ec8abb0LocalOlive9f3d8252e8f3169751a705151bdf675ac194bfd8457cbe08e1f3c17d7e9e9be2LocalOlive68c7aab670ee9d7461a4a8f06333994f251dc79813934166421091e2f1fa145cLocalOliveb9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767bChisel636e04f0618dd578d107f440b1cf6c910502d160130adae5e415b2dd2b36abcbLocalOlive148.251.53[.]222Seashell Blizzard infrastructure89.149.200[.]91 17738a27bb307b3cb7bd571934a398223e170842005f1725c46c7075f14e90feSeashell Blizzard infrastructurecab97e837a3fc095bf59703574cbfa7e60fb10991101ba9bfc9bbf294c18fd97LocalOlive References

• https://nvd.nist.gov/vuln/detail/CVE-2024-1709
• https://nvd.nist.gov/vuln/detail/CVE-2023-48788
• https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01
• https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and
• https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd
• https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
• https://cloud.google.com/blog/topics/threat-intelligence/trojanized-windows-installers-ukrainian-government
• https://cert.gov.ua/article/6278706
• https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm
• https://nvd.nist.gov/vuln/detail/CVE-2021-34473
• https://nvd.nist.gov/vuln/detail/CVE-2022-41352
• https://nvd.nist.gov/vuln/detail/CVE-2023-32315
• https://nvd.nist.gov/vuln/detail/CVE-2023-42793
• https://nvd.nist.gov/vuln/detail/CVE-2023-23397
• https://medium.com/@laurent.mandine/chisel-the-hackers-hidden-tunnel-for-stealthy-network-access-acdcdaafeabd
• https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation appeared first on Microsoft Security Blog.

There are countless statistics about cybercrime and one of the most impactful is that for threat actors. Their profits continue to increase year over year and are on track to rise from $9.22 trillion in 2024 to $13.82 trillion by 2028.1 If the financial drain caused by threat actors were pooled it would be ranked as the third largest gross domestic product (GDP) by country, trailing behind the number two spot, which is China at $18.27 trillion.2

That statistic alone tells us a great deal about the importance of preparedness for a potential cyberattack, which includes a robust incident response plan. To create such a plan, it is critical to understand potential risks, and one of the best ways to do that is to conduct a proactive threat hunt and compromise assessment.

Microsoft Incident Response is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. In addition to reactive response, they also conduct proactive compromise assessments to find threat actor activity. They’ll provide recommendations and best practice guidance to strengthen an organization’s security posture.

Microsoft Incident Response

Your first call before, during, and after a cybersecurity incident.

Microsoft Incident Response compromise assessments utilizes the same methodology and resources as those used in an investigation but without the time pressure and crisis-driven decision making associated with a live cyberattack. Compromise assessments are often used by those who have had a prior incident and want to measure their security posture after the implementation of new security measures. Some customers use the service as an annual assessment prior to locking down change controls. Others may use it to assess the environment of an acquisition prior to joining infrastructures.

What happens when a compromise assessment turns into a reactive incident response engagement? Let’s dive into a recent situation where our team encountered this very scenario.

Why differentiate between proactive and reactive investigations?

What are indicators of compromise?

Read more

It is important to understand the key differences between proactive and reactive investigations, as each has different goals and measures for success. Microsoft Incident Response’s proactive compromise assessments are focused on detection and prevention, which includes identifying potential indicators of compromise (IOCs), bringing attention to potential vulnerabilities, and helping customers mitigate risks by implementing security hardening measures.

Our reactive investigations are centered on incident management during and immediately after a compromise, including incident analysis, threat hunting, tactical containment, and Tier 0 recovery, all while under the pressure of an active cyberattack.

Proactive and reactive incident response are essential capabilities for providing a more robust defense strategy. They enable an organization to address an active cyberattack during a period when time and knowing the next steps are critical. At the same time, it provides experts with the experience needed to help prevent future incidents. Not all organizations have the resources required to maintain an incident response team capable of proactive and reactive approaches and may want to consider using a third-party service.

The importance of Microsoft’s “double duty” incident response experts

When confronted by an active threat actor, two things are at the forefront of success and can’t be lost—time and knowledge.

While conducting a proactive compromise assessment for a nonprofit organization in mid-2024, Microsoft Incident Response began their forensic investigation. Initially identifying small artifacts of interest, the assessment quickly changed as suspicious events began to unfold. At the time the threat actor was not known, but has since been tracked as Storm-2077, a Chinese state actor that has been active since at least January 2024. Storm-2077’s techniques focus on email data theft, using valid credentials harvested from compromised systems. Storm-2077 was lurking in the shadows of the organization’s environment. When they felt they had been detected, these threat actors put their fingers on keyboards and started making moves.

Precious time to remediate was not lost. Microsoft Incident Response immediately switched from proactive to reactive mode. The threat actor created a global administrator account and began disabling legitimate organizational global administrator accounts to gain full control of the environment. The targeted organization’s IT team was already synchronized with Microsoft Incident Response through the active compromise assessment that was taking place. The targeted customer took note of the event and came to Microsoft for deconfliction. Once the activity was determined to be malicious, the organization’s IT team disabled the access, and the proactive incident response investigation converted to being reactive. The threat actor was contained and access was remediated quickly because of this collaboration.

The threat actor had likely been present in the organization’s environment for a few months or more. They had taken advantage of a stolen session token to conduct a token replay attack, and through this had gained access to multiple accounts.

Proactive assessments that don’t utilize reactive investigation teams for delivery may result in a delay in responding or even generate more challenges for the incoming investigation team.

Thankfully, Microsoft Incident Response conducts proactive compromise assessments with the same resources that deliver reactive investigations. They can take immediate action to halt active cyberthreats before they do more harm.

Read the report to go deeper into the details of the cyberattack, including Storm-2077 tactics, the response activity, and lessons that other organizations can learn from this case.

Explore Microsoft Incident Response services What is the Cyberattack Series?

With our Cyberattack Series, customers will discover how Microsoft Incident Response investigates unique and notable attacks. For each cyberattack story, we will share:

• How the cyberattack happened.
• How the breach was discovered.
• Microsoft’s investigation and eviction of the threat actor.
• Strategies to avoid similar cyberattacks.

Learn more

To learn more about Microsoft Incident Response capabilities, please visit our website, or reach out to your Microsoft account manager or Premier Support contact.

Download our Unified Security e-book to learn more about how Microsoft can help you be more secure.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Cybercrime Expected To Skyrocket in Coming Years, Statista. February 22, 2024.

2World GDP Rankings 2024 | Top 10 Countries Ranked By GDP, Forbes India. November 4, 2024.

The post Build a stronger security strategy with proactive and reactive incident response: Cyberattack Series appeared first on Microsoft Security Blog.

In December 2024, Microsoft Threat Intelligence observed limited activity by an unattributed threat actor using a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework. In the course of investigating, remediating, and building protections against this activity, we observed an insecure practice whereby developers have incorporated various publicly disclosed ASP.NET machine keys from publicly accessible resources, such as code documentation and repositories, which threat actors have used to perform malicious actions on target servers.

Microsoft has since identified over 3,000 publicly disclosed keys that could be used for these types of attacks, which are called ViewState code injection attacks. Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on dark web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification.

Microsoft recommends that organizations do not copy keys from publicly available sources and to regularly rotate keys. Microsoft Defender for Endpoint can help reduce this risk by detecting publicly disclosed keys. To further discourage this practice, we have also removed key samples from limited instances where they were included in our own public documentation.

The limited malicious activity observed in December 2024 identified one publicly disclosed key that was used to inject malicious code. Microsoft Threat Intelligence continues to monitor the additional use of this attack technique. In this blog, we share more information about ViewState code injection attacks and provide recommendations for securing machine keys and monitoring configuration files.

What are ViewState code injection attacks?

ViewState is the method by which ASP.NET Web Forms preserve page and control state between postbacks. ViewState data is stored in a hidden field on the page and is encoded using Base64-encoding. To protect ViewState against tampering and information disclosure, the ASP.NET page framework uses machine keys: ValidationKey and DecryptionKey. ValidationKey is used to create a message authentication code (MAC) to be attached in the ViewState. DecryptionKey is related to the option of encrypting ViewState. These keys are either auto-generated and stored in registry or specified manually in config files.

If these keys are stolen or made accessible to threat actors, these threat actors can craft a malicious ViewState using the stolen keys and send it to the website via a POST request. When the request is processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used. The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS web server.

ViewState code injection attack leading to Godzilla post-exploit framework

In December 2024, an unattributed threat actor conducted a ViewState code injection attack leveraging a publicly known machine key. The malicious ViewState payload reflectively loaded assembly.dll (SHA-256: 19d87910d1a7ad9632161fd9dd6a54c8a059a64fc5f5a41cf5055cd37ec0499d), a Godzilla post-exploitation framework, followed by plugin modules. Godzilla’s functionality includes executing malicious commands, injecting shellcode into processes, and more.

ViewState code injection attack chain leading to Godzilla. Recommendations

Microsoft Defender for Endpoint customers can identify publicly disclosed keys in their environment based on the presence of the alert Publicly disclosed ASP.NET machine key. This alert is for informational purposes and is not indicative of attack activity. Additionally, Microsoft has provided a list of hash values for identified publicly disclosed machine keys in our Github repository and recommends checking machine keys in your environment using the provided script.

If publicly disclosed keys are identified in your environment, Microsoft recommends the following actions, depending on your scenario:

• If you are running an ASP.NET web application on .NET Framework and this is not part of Exchange Server or SharePoint, review the following potential setups:
  • You have set fixed key values using the <machineKey> element of the web.config to align the encryption/decryption of ViewState values within multiple servers that are part of a web farm. This configuration assumes you have multiple web servers hosting the same instance of a web application to distribute load among them, and that requests that were originally served from one server in the farm could trigger POST requests to another server of the same farm.
    • In this case, you will need to rotate the values of your machine keys in all servers of the farm, either by using the IIS manager console or PowerShell (see details below). Ensure that you use the same newly generated values on all servers in the farm.
  • You have set fixed key values using the <machineKey> element for a single server that is running your ASP.NET web application. In this scenario, removing the <machineKey> element from the configuration will revert the application to the auto-generated values for the ASP.NET machine keys that are stored inside your computer’s registry.
    • See the below details on how the <machineKey> element can be removed by editing the web.config configuration file or using the IIS manager console.
• If you are using SharePoint or Exchange web applications, SharePoint uses its own key management system, which allows the keys to be rotated as described in this article.

Follow the steps below for removing or replacing the ASP.NET machine key values in the web.config configuration file using either the IIS manager console or PowerShell.

Using the IIS manager console:

1. From the IIS manager console, select the website or web application that contains the fixed key values in the web.config configuration file.
2. From the middle pane of the IIS manager console, select the Machine Key element icon.
3. To create new machine key values, select the Generate Keys button on the right-hand side of the console, which will populate new values for Validation and Decryption key textboxes.
4. Once the new values are populated, select the Apply button from the right-hand side pane to persist the new values into the web.config file for the target website or web application.
5. To remove the fixed keys and rely on the auto-generated machine key values for ASP.NET, select the Automatically generate at runtime checkboxes for both the Validation and Decryption keys. This will render the two text fields for these values disabled.
6. Proceed to select the Apply button on the right-hand side of the console, which will remove the <machineKey> element from the web.config file of the website or web application.

Using PowerShell:

• Using PowerShell, create a .ps1 file (for example, GenerateKeys.ps1) with the following content:

function Generate-MachineKey { [CmdletBinding()] param ( [ValidateSet("AES", "DES", "3DES")] [string]$decryptionAlgorithm = 'AES', [ValidateSet("MD5", "SHA1", "HMACSHA256", "HMACSHA384", "HMACSHA512")] [string]$validationAlgorithm = 'HMACSHA256' ) process { function BinaryToHex { [CmdLetBinding()] param($bytes) process { $builder = new-object System.Text.StringBuilder foreach ($b in $bytes) { $builder = $builder.AppendFormat([System.Globalization.CultureInfo]::InvariantCulture, "{0:X2}", $b) } $builder } } switch ($decryptionAlgorithm) { "AES" { $decryptionObject = new-object System.Security.Cryptography.AesCryptoServiceProvider } "DES" { $decryptionObject = new-object System.Security.Cryptography.DESCryptoServiceProvider } "3DES" { $decryptionObject = new-object System.Security.Cryptography.TripleDESCryptoServiceProvider } } $decryptionObject.GenerateKey() $decryptionKey = BinaryToHex($decryptionObject.Key) $decryptionObject.Dispose() switch ($validationAlgorithm) { "MD5" { $validationObject = new-object System.Security.Cryptography.HMACMD5 } "SHA1" { $validationObject = new-object System.Security.Cryptography.HMACSHA1 } "HMACSHA256" { $validationObject = new-object System.Security.Cryptography.HMACSHA256 } "HMACSHA385" { $validationObject = new-object System.Security.Cryptography.HMACSHA384 } "HMACSHA512" { $validationObject = new-object System.Security.Cryptography.HMACSHA512 } } $validationKey = BinaryToHex($validationObject.Key) $validationObject.Dispose() [string]::Format([System.Globalization.CultureInfo]::InvariantCulture, "<machineKey decryption=`"{0}`" decryptionKey=`"{1}`" validation=`"{2}`" validationKey=`"{3}`" />", $decryptionAlgorithm.ToUpperInvariant(), $decryptionKey, $validationAlgorithm.ToUpperInvariant(), $validationKey) } }

• Using a Windows PowerShell command prompt, navigate to the location containing your .ps1 file. Load the .ps1 file (for example, GenerateKeys.ps1) by executing the following command:

..\GenerateKeys.ps1

• Call the function within the script file by executing the following command:

Generate-MachineKey

• Copy the resulting <machineKey> element to the web.config file of your website or web application, replacing the existing one.

NOTE: If successful exploitation of publicly disclosed keys has occurred, rotating machine keys will not sufficiently address possible backdoors or persistence methods established by a threat actor or other post-exploitation activity, and additional investigation may be warranted. In particular, web-facing servers should be fully investigated and strongly considered for re-formatting and re-installation in an offline medium in cases where publicly disclosed keys have been identified, as these servers are most at risk of possible exploitation.

Microsoft also recommends the following best practices for securing machine keys and web servers:

• Follow secure DevOps standards and securely generate machine keys. Avoid using default keys or keys listed in public resources.
• At deployment, encrypt sensitive information like the machineKey and connectionStrings elements in web.config. This prevents these secrets from ever existing in plaintext on the file system, inhibiting an attacker’s ability to read these secrets at all.
• Upgrade your application to use ASP.NET 4.8 to enable Antimalware Scan Interface (AMSI) capabilities.
• Harden Windows Servers instances by using attack surface reduction rules such as Block Webshell creation for Servers. Attack surface reduction rules are sweeping settings that are effective at stopping entire classes of threats.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects post-exploitation activity such as delivery of the Godzilla framework with the following components as the following malware. Note, however, that these alerts can also be triggered by unrelated threat activity and are not necessarily indicative of ViewState code injection attacks:

• Backdoor:MSIL/GodZillaMod.A
• Trojan:Win32/WebShellTerminal 
• Backdoor:MSIL/Godzela

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alert indicates the presence of publicly disclosed machine keys but are not indicative of exploitation activity. To get this alert, you must be running Microsoft Defender Antivirus as your active antivirus. Customers who receive this alert should review our steps for rotating or removing machine keys in the Recommendations section.

• Publicly disclosed ASP.NET machine key

The following alert might also indicate threat activity such as code injection attacks. Note, however, that this alert can be also triggered by unrelated threat activity.

• IIS worker process loaded suspicious .NET assembly

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries

Microsoft recommends monitoring configuration files and configurable locations using the following audit policy settings, which will enable the logging of Event ID 4663 in the Windows Security Event Log. Before setting up auditing, note that:

• There are different scopes to configuration settings as some have a global scope and some are effective only to the scope of the application, the root web.config file, or the machine.config file. Each scope has the potential to have the <machineKey> section declared, possibly containing secrets.
• The scope of a configuration section is defined in the allowDefinition attribute of the section Element for configSections (General Settings Schema) element in the machine.config file for all sections that are included with ASP.NET. The scope of a configuration setting is listed for each element in ASP.NET Configuration Settings and General Configuration Settings (ASP.NET), in the Element Information table next to Configurable Locations.
• In configurations where it is specified to auto-generate keys at runtime, keys are stored in the application pool identity registry hive.
• It is important to understand that these locations also may be called through the Volume Shadow Copy Service.

Monitor access to ASP.NET configuration files by configuring Advanced Audit Policy settings:

1. Open the Group Policy Management Console from Server Manager > Tools > Group Policy Management.
2. Open a GPO that will apply policy to the ASP.NET application or web server.
3. From the window that opens, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit object level access.
   • Define these policy settings: Checked
   • Success: Checked
   • Failure: Optional

After enabling Audit object access, enable auditing on individual files through the Security Tab on file properties to audit sensitive configuration files:

1. Locate your web.config or other configuration file of concern and open the Security Tab and select the Advanced button.
2. Select the Auditing tab and Add a new rule.
3. Select a principal and resolve the principal Everyone. Select the Read checkbox at minimum.
4. Save your changes by clicking Ok, Ok, Ok.

After Audit object access is configured, and Auditing has been turned on for specific files, alerts can be viewed using Event ID 4663 in the Windows Security Event Log. Information includes SubjectUserName accessing the file, and the ProcessId and ProcessName. Seeing a username or process that is not the IIS Application Pool service account or the w3wp.exe process could be a sign of tampering and attempt to compromise a machine key.

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Additionally, once auditing is enabled for specific configuration files that may contain machine keys, Sentinel customers can leverage the SecurityEvent table to analyze collected Event ID 4663 and identify potential anomalies and unauthorized or suspicious file access attempts. To begin the threat hunting process, the following query can be used as a starting point:

SecurityEvent | where TimeGenerated > ago(1d) | where EventID == 4663 | where ObjectName contains "web.config" or ObjectName contains "machine.config" | summarize StartTime = max(Time Generated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName, ProcessId, AccountType, AccessMask

Some of the key information captured in the result includes the SubjectUserName, which identifies the user accessing the file, along with the associated ProcessId and ProcessName. Observing a username or process other than the expected IIS Application Pool service account or the standard w3wp.exe process may signal potential tampering or an attempt to compromise the machine key.

Indicators of compromise IndicatorTypeDescriptionFirst seenLast seen19d87910d1a7ad9632161fd9dd6a54c8a059a64fc5f5a41cf5055cd37ec0499dSHA-256Godzilla post-exploitation framework2024-12-112024-12-19

Microsoft has provided a list of hash values for identified publicly disclosed machine keys in our Github repository. We recommend using the included script to compare the values against static keys in your environment to determine whether your machine keys have been disclosed in publicly accessible resources, and using the Recommendations listed above to rotate or remove machine keys.

References

• https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Code injection attacks using publicly disclosed ASP.NET machine keys appeared first on Microsoft Security Blog.

Inspiration can spark in an instant when you’re at a conference. Perhaps you discover a new tool during a keynote that could save you hours of time. Or maybe a peer shares a story over coffee that makes you rethink an approach. One conversation, one session, or one event could give you fresh ideas, renewed excitement, and a vision for what to do next.

In the current AI landscape, inspiration and information are more important than ever for security professionals to stay ahead of threat actors. So if you’re looking to boost your skills and stay ahead of the threat landscape, join Microsoft Security at the top cybersecurity events in 2025.

Whether you join us at an industry staple like RSAC or one of our own events like Microsoft Secure, you can benefit in several key ways:

• Get insights and strategies needed to overcome obstacles and drive your security initiatives forward with confidence.
• See live demos of the latest products, product features, skills, and tools you can use in your work. Be among the first to hear about Microsoft Security innovations, such as Microsoft’s Secure Future Initiative and XSPA (cross-site port attack) updates attendees of Microsoft Ignite 2024 heard.
• Learn from Microsoft Security experts on global threat intelligence.
• Network with other like-minded security pros, learn best practices from your peers, and meet one-on-one with our experts.

Whatever your role, there’s an event for you and a path to successfully safeguarding your organization.

Microsoft at RSAC

From our signature Pre-Day to hands-on demos and one-on-one meetings, discover how Microsoft Security can give you the advantage you need in the era of AI.

Register now Conferences to inspire and engage everyone

Security professionals of all levels can benefit from attending one of the biggest cybersecurity events, including RSAC, Black Hat, plus two premier Microsoft events—Microsoft Secure (virtual) and Microsoft Ignite (in-person and virtual). If you love being the first to hear about Microsoft product innovations, don’t miss these Microsoft events with insights every security professional can put to good use.

Microsoft Secure

Date: April 9, 2025
Location: Online only

Microsoft Secure is Microsoft’s cybersecurity conference. This year’s one-hour digital showcase will spotlight AI-first, end-to-end security innovations with clear use cases and customer stories of how they use our tools daily. Attendees will deep-dive into cybersecurity products and strategies along with thousands of other cybersecurity professionals.

RSAC

Dates: April 28-May 1, 2025
Location: San Francisco, CA

RSAC 2025 is a can’t-miss security conference, bringing together more than 40,000 security professionals to discuss the latest cybersecurity challenges and innovation with the best of the best. With the theme of “Many Voices. One Community,” RSAC will feature keynotes, track sessions, interactive sessions, networking opportunities, and an expo designed to foster advanced security strategies.

Throughout RSAC, Microsoft Security will showcase innovations and share world-class threat and regulatory intelligence to help you safely adopt AI and face the rapidly changing cyberthreat landscape. From our signature Pre-Day to hands-on demos and one-on-one meetings, discover how Microsoft Security can give you the advantage you need in the era of AI.​ Check out the full Microsoft at RSAC experience.

Black Hat

Dates: August 2-7, 2025
Location: Las Vegas, NV

The Black Hat Conference is a premier learning event in the cybersecurity industry, known for its in-depth technical sessions and cutting-edge research presentations on topics like critical infrastructure and information security research news.

Microsoft is a key sponsor of the conference each year, where we showcase our latest discoveries and AI research on real-world problems and solutions. Last year, our AI Red Teaming in Practice training sessions and our AI Summit roundtables were a hit. Black Hat is also known for its security community celebrations, including the Cybersecurity Woman of the Year Awards and the Researcher celebrations, which we take part in every year.

Microsoft Ignite

Dates: November 17-21, 2025
Location: San Francisco, CA, and online

Microsoft Ignite is Microsoft’s biggest annual conference for developers, IT professionals, business leaders, security professionals, and partners. Thousands of security professionals like you attend every year to hear the biggest security product announcements from Microsoft Security and gain training and skilling to prepare for future advancements in AI. Security professionals of all levels can join interactive labs, workshops, keynotes, technical breakout sessions, demos, and more, led by Microsoft Security leaders and experts.

Over the past few years, we’ve really boosted Microsoft Security experiences at Microsoft Ignite. Last year, we hosted the Microsoft Ignite Security Forum for security leaders and two workshops on AI red teaming and Microsoft 365 Copilot deployment. Plus, we hosted more than 30 sessions demoing new features to help you secure your environment, use your favorite Microsoft tools safely and securely, and make sure your organizational processes prioritize security first.

If you attend Microsoft Ignite in person this year, you won’t want to miss our Security Leaders Dinner or the security community party. If you’re not able to attend in person, you can register for our virtual event.​ Sign up to learn more.

Events for security leaders and decision-makers Microsoft AI Tour

Dates: Through May 30, 2025
Location: Multiple worldwide

The Microsoft AI Tour is a free, one-day event for executives that explores the ways AI can drive growth and create lasting value in multiple cities around the globe. Whether you’re a functional decision-maker who evaluates investments, an IT team member charged with security, or a CISO revamping your security strategy, there will be valuable security content tailored to your needs.

Microsoft Security’s top business leaders attend AI tour locations worldwide to share with you how Microsoft Security Copilot lets you protect at the speed and scale of AI. They are also available to meet with you.

Reserve your spot at an event near you.   

Event locationEvent dateDubai, United Arab EmiratesFebruary 6, 2025Singapore, Southeast AsiaFebruary 19, 2025Tokyo, JapanFebruary 26-27, 2025London, United KingdomMarch 5, 2025Brussels, BelgiumMarch 25, 2025Seoul, South KoreaMarch 26, 2025Paris, FranceMarch 26, 2025Madrid, SpainMarch 27, 2025Tokyo, JapanMarch 27, 2025Beijing, ChinaApril 23, 2025Athens, GreeceMay 27-30, 2025 Gartner Security and Risk Management Summit

Dates: June 9-11, 2025
Location: National Harbor, MD

The Gartner Security and Risk Management Summit (Gartner SRM) explores trends in cybersecurity risk management, including the integration of generative AI, being an effective CISO, the importance of balancing response and recovery efforts with prevention, combating misinformation, and closing the cybersecurity skills gap to build a resilient workforce.

Microsoft Security executives host sessions at Gartner SRM to help you ensure the security of AI systems and adopt AI to drive innovation and efficiency. Our most popular topics center around securing and governing AI.

Events for technical and security practitioners

Security teams look for conferences that provide specialized knowledge on the industry in which they work or on a narrow cybersecurity topic.

Legalweek

Dates: March 24-27, 2025
Location: New York, NY

Legalweek is a weeklong conference where approximately 6,000 members of the legal community will gather to network with their peers, explore emerging trends, spotlight the latest tech, and offer a roadmap through industry shifts. Topics explored at past Legalweek conferences include the ethical and regulatory impact of using your data to train AI, litigation in the age of cybersecurity, and maximizing efficiency and legal automation.  

This year, we’ll be sponsoring three sessions on AI and one on collaboration in complex litigation. As in years past, Microsoft is hosting an Executive Breakfast at Legalweek from 7:30 AM ET-8:45 AM ET on Tuesday, March 25, 2025. RSVP today and stop by Booth #3103 in New York Hilton Midtown Americas Hall 2 to learn more about the latest Microsoft Purview innovations. If you’d like to meet with our team while at Legalweek, sign up for a one-on-one meeting.

Identiverse

Dates: June 3-6, 2025
Location: Las Vegas, NV

Limiting access to AI, apps, and resources to those with the proper permissions is a crucial part of security. The Identiverse conference provides education, collaboration, and insight into the future of identity security. More than 2,500 attendees will share insights, develop new ideas, and advance the state of modern digital identity and security.

The event features sessions on best practices, industry trends, and latest technologies; an exhibition hall to showcase the latest identity solution innovations; and networking opportunities. Microsoft will host a booth where attendees can connect with Microsoft Security experts and leaders.

Events for developers

The cybersecurity talent shortage is requiring many to step up even if cybersecurity isn’t in their official job description. If you are an IT professional being tasked with cybersecurity or someone with an eagerness to learn cybersecurity tactics, join our Microsoft events aimed at helping you uplevel your cybersecurity skills.

Microsoft Build

Dates: May 21-23, 2025
Location: Seattle, WA

Security is a team sport and developers are increasingly the first string team members who build security into the development of applications. Microsoft Build Conference 2025 is Microsoft’s developer-focused event. It will showcase exciting updates and innovations from Microsoft Security for developers to create AI-enabled security solutions for their organizations.

The event includes connection opportunities, demos, and security-focused sessions. Past topics have included using AI to accelerate development processes, tools for enhancing the developer experience, and strategies for building in the cloud. Stay up to date on Microsoft Build news and find out when registration is open.

Find your inspiration at an event this year

Cybersecurity events foster a culture of continuous learning and adaptation, empowering you to stay ahead of emerging cyberthreats and maintain a resilient security posture. The ideas will flow freely at these events. Whether you attend one of the biggest conferences of the year or a smaller event (or both), you’ll be in good company. Microsoft Security will be there be, too, excited to share and eager to learn.

Hope to see you at a future event!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Hear from Microsoft Security experts at these top cybersecurity events in 2025 appeared first on Microsoft Security Blog.

If 2024 taught us anything, it’s that a proactive, no-compromises approach to security is essential for 2025 and beyond.

Nation-states and advanced cybercriminals are making significant investments in infrastructure and automation to intensify familiar cyberattack patterns; password attacks, for example, escalated from 579 incidents per second in 20211 to 7,000 in 2024.2 These groups are also adopting emerging technologies such as AI to create deepfakes and personalized spear-phishing campaigns that manipulate people into granting unauthorized access.

Adopting proactive defensive measures is the only way to get ahead of such determined efforts to compromise identities and gain access to your environment.

Microsoft is strengthening our own defenses through the Secure Future Initiative (SFI), a multiyear commitment to advance the way we design, build, test, and operate Microsoft technology to ensure it meets the highest possible standards for security. One of our first steps was to conduct a full inventory of our environment and do a thorough “spring cleaning,” deleting 730,000 outdated and non-compliant apps and removing 1.7 million unused or outdated Microsoft Azure Active Directory and Microsoft Entra ID systems from production and test areas.3 As part of this process, we deeply examined identity and network access controls, addressed top risks, implemented standard practices, and improved our incident response.

Learn more about the Microsoft Secure Future Initiative

We learned from talking with our largest customers that many are dealing with the exact same issues; they’re also assessing their environments to surface potential vulnerabilities and strengthen their defenses. Based on these learnings and on the evolving behavior of threat actors, we’ve identified three priorities for enhancing identity and access security measures for 2025:

1. Start secure, stay secure, and prepare for new cyberthreats.
2. Extend Zero Trust access controls to all resources.
3. Use generative AI to tip the scales in favor of defenders.

1. Start secure, stay secure, and prepare for new cyberthreats

Many organizations struggle to eliminate technical and security debt while continuing to add new users, resources, and applications. While more of our customers are implementing basic identity security measures, such as multifactor authentication, they may still not enforce them everywhere. Moreover, basic measures aren’t enough to protect against advanced identity attacks such as token theft4 or adversary-in-the-middle phishing.5

It’s essential to understand your entire attack surface, identify all potential entry points, and proactively apply access security that closes any gaps.

Traditional security approaches deploy security tools and measures “as needed.” Unfortunately, the additive approach of starting at 100% open and then dialing up defenses leaves holes that bad actors can exploit and use as launching pads for lateral movement. Reactive security isn’t enough to safeguard your environment. Our guidance for 2025 is to always start at the highest level of security (Secure by Default), then dial back as needed for compatibility or other reasons. It’s also critical to protect all identities: employees, contractors, partners, customers, and, most importantly, machine, service, and AI identities.

Security defaults in Microsoft Entra ID

Learn more

To encourage Secure by Default practices with customers, Microsoft last year mandated the use of multifactor authentication across the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. To complement security defaults, we started rolling out Microsoft-managed Conditional Access policies for all new tenants to ensure you benefit from baseline risk-based security policies that are pre-configured and turned on by default.6 Tenants that retain security defaults experience 80% fewer compromised accounts than unprotected tenants, while compromise rates have fallen by 20.5% for Microsoft Entra ID Premium tenants with Microsoft-managed policies enabled.6

Outlined below are practical measures that any security leader can implement to improve hygiene and safeguard identities within their organization:

• Implement multifactor authentication: Prioritize phishing-resistant authentication methods like passkeys, which are considered the most secure option currently available. Require multifactor authentication for all applications, including private and legacy ones. Also consider using high-assurance credentials like digital employee IDs with facial matching for workflows such as new employee onboarding and password resets.
• Employ risk-based Conditional Access policies and continuous access evaluation: Configure strong Conditional Access policies that initiate additional security measures, such as step-up authentication, automatically for high-risk sign-ins. Allow only just-enough access, and ideally just-in-time access, to critical resources. Augment Conditional Access with continuous access evaluation to ensure ongoing access checks and to protect against token theft.
• Discover and manage shadow IT: Detect unauthorized apps (also known as shadow IT) and tenants, so you can control access to them. Shadow IT often lacks essential security controls that organizations enforce and manage to prevent compromise. Shadow tenants, often created for development and testing, may lack sufficient security policies and controls. Establish standard processes for creating new tenants that are secure by default and then safely retiring them when they’re no longer needed.
• Secure access for non-human identities: Start by taking an inventory of your workload identities. Replace secrets, credentials, certificates, and keys with more secure authentication, such as managed identities for Azure resources. Implement least privilege and just-in-time access coupled with granular Conditional Access policies for workload identities.  

To get started: Explore Microsoft Entra ID capabilities for multifactor authentication, Conditional Access, continuous access evaluation, and Microsoft Entra ID Protection. Confirm that security defaults or Microsoft-managed Conditional Access Policies are enabled on all your tenants and obtain guidance on the phishing-resistant authentication methods available in Microsoft Entra ID, including passkeys. Use Microsoft Defender for Cloud Apps to discover and manage shadow IT in your Microsoft network. Adopt managed identities for Azure and workload identity federation, and strengthen access controls for non-human identities with Microsoft Entra Workload ID.

Try Microsoft Entra ID for free 2. Extend Zero Trust access controls to all resources

It’s essential to have visibility, control, and governance over who and what has access to your environment, what they’re trying to do, and why. The goal is to enable flexible work while protecting against escalating cyberthreats. This requires extending Zero Trust access controls to every resource and entry point, including legacy on-premises applications and services, legacy devices and infrastructure, and any internet destinations. Consider how you can reduce effort and errors using automation, while also making it easier for security teams to share insights and collaborate.

Outlined below are key strategies for extending Zero Trust access controls to all resources.

• Unify your access policy engines across all users, applications, endpoints, and networks to simplify your Zero Trust architecture. Converge access policies for identity security tools and network security tools to eliminate coverage gaps and enforce more robust access controls.
• Extend modern access controls to all apps and internet resources: Use modern network security tools like Secure Access Service Edge to extend strong authentication, Conditional Access, and continuous access evaluation to legacy on-premises apps, shadow IT apps, and any internet destination. Retire your outdated VPN and configure granular per-app access policies to prevent lateral movement inside your network.
• Enforce least privilege access: Automate your identity and access lifecycle to ensure that all users only have necessary access as they join your organization and change jobs, and that their access is revoked as soon as they leave. Use cloud human resources systems as a source of authority in join-move-leave workflows to enforce real-time access changes. Eliminate standing privileges and require just-in-time access for sensitive workloads and data. Regularly review access permissions to help prevent lateral movement in case of a user identity compromise.

To get started: Explore the Microsoft Entra Suite to secure user access and simplify Zero Trust deployments. Use entitlement management and lifecycle workflows to automate identity and access lifecycle processes. Use Microsoft Entra Private Access to replace legacy VPN with modern access controls, and use Microsoft Entra Internet Access to extend Conditional Access and conditional access evaluation to any resource, including shadow IT apps and internet destinations. Use Microsoft Entra Workload ID to secure access for non-human identities.

Explore the Microsoft Zero Trust approach 3. Use generative AI to tip the scales in favor of defenders

Generative AI is indispensable for staying ahead of cyberthreats in 2025. It helps defenders identify policy gaps, detect risks, and automate processes to strengthen security practices and defend against threats. A recent study found that within three months, organizations using Microsoft Security Copilot experienced a 30.13% reduction in average time to resolve security incidents.7 For identity teams, the impact is even more pronounced. IT admins using Copilot in the Microsoft Entra admin center spent 45.41% less time troubleshooting sign-ins, and increased accuracy by 46.88%.8

Outlined below are opportunities available to transform the daily work of identity professionals with generative AI:

• Enhance risky user investigations: Investigate identity compromises faster with AI-powered recommendations for proactive mitigation and defense. Use natural language conversations to investigate risky users and to gain insights into elevated risk levels and risky sign-ins.
• Troubleshoot sign-ins: Use natural language conversations to uncover root causes of sign-in failures, interruptions, or multifactor authentication prompts. Automate troubleshooting tasks and let AI discover actionable insights across user details, group details, sign-in logs, audit logs, and diagnostic logs.
• Mitigate app risks: Use intuitive prompts to manage and remediate application risks as well as gain detailed insights into permissions, workload identities, and cyberthreats.

At Microsoft Ignite 2024, we announced the preview of Security Copilot embedded directly into the Microsoft Entra admin center that included new skills to empower identity professionals and security analysts. We’re committed to enhancing Security Copilot to help identity and network security professionals collaborate effectively, respond more swiftly, and get ahead of emerging threats. We encourage you to participate in shaping these tools as we develop them.

To get started: Learn more about getting started with Microsoft Security Copilot.

Learn more about Microsoft Security Copilot Our commitment to supporting proactive security measures

By investing in proactive measures in 2025, you can significantly improve your security hygiene and operational resilience. To help you strengthen your defenses, we’re committed to innovating ahead of malicious actors, simplifying security to reduce the burden on security teams, and sharing everything we learn from protecting Microsoft and our customers.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1The passwordless future is here for your Microsoft account, Vasu Jakkal. September 15, 2021.

2Microsoft Digital Defense Report 2024.

3Secure Future Initiative: September 2024 Progress Report, Microsoft.

4How to break the token theft cyber-attack chain, Alex Weinert. June 20, 2024.

5Defeating Adversary-in-the-Middle phishing attacks, Alex Weinert. November 18, 2024.

6Automatic Conditional Access policies in Microsoft Entra streamline identity protection, Alex Weinert. November 3, 2023.

7Generative AI and Security Operations Center Productivity: Evidence from Live Operations, Microsoft. November 2024.

8Randomized Controlled Trials for Security Copilot for IT Administrators, Microsoft. November 2024.

The post 3 priorities for adopting proactive identity and access security in 2025 appeared first on Microsoft Security Blog.

As a data security global black belt, I help organizations secure AI solutions. They are concerned about data oversharing, data leaks, compliance, and other potential risks. Microsoft Purview is Microsoft’s solution for securing and governing data in generative AI.

I’m often asked how long it takes to deploy Microsoft Purview. The answer depends on the specifics of the organization and what they want to achieve. Microsoft Purview should enable a comprehensive data governance program but it can provide risk mitigation for generative AI in the short term while the program is underway.

Microsoft Purview

Secure and govern your entire data estate.

Explore solutions

Organizations need AI solutions to add value for their customers and to stay competitive. They can’t wait for years to secure and govern these systems.

For the organizations deploying generative AI, “how long does it take to deploy Microsoft Purview?” isn’t the right question.

The risk mitigation Microsoft Purview provides for AI can begin on day one. This includes Microsoft AI, like Microsoft 365 Copilot, AI that an organization builds in-house, and AI from third parties like Google Gemini or ChatGPT.

This post will discuss ways we can secure and govern data used or generated by AI quickly, with minimal user impact, change management, and resources required.

These Microsoft Purview solutions are:

• Microsoft Purview Data Security Posture Management for AI
• Microsoft Purview Information Protection
• Microsoft Purview Data Loss Prevention
• Microsoft Purview Communications Compliance
• Microsoft Purview Insider Risk Management
• Microsoft Purview Data Lifecycle Management
• Microsoft Purview Audit and Microsoft Purview eDiscovery
• Microsoft Purview Compliance Manager

Here are short term steps you can take while the comprehensive data governance program is underway.

Microsoft Purview Data Security Posture Management for AI

Microsoft Purview Data Security Posture Management for AI (DSPM for AI) provides visibility into data security risks. It reports on:

• User’s interactions with AI.
• Sensitive information in the prompts users share with the AI.
• Whether the sensitive information users share is labeled and thus is protected by durable security policy controls.
• Whether and how user interactions may be violating company policy including codes of conduct and attempts at jailbreak, where users manipulate the system to circumvent protections.
• The risk level of users interacting with the system, such as inadvertent or malicious activities they may be involved in that put the organization at risk.

DSPM for AI reports on this for each AI application and can drill down from the reports to the individual user activities. DSPM for AI collects and surfaces insights from the other Microsoft Purview solutions around generative AI risks in a single screen.

Custom sensitive information types, sensitivity labels, and information protection rules are reasoned over by DSPM for AI, but if these are not available, more than 300 out-of-the-box sensitive information types are available from day one.  

DSPM for AI will use these to report on risk for the organization without additional configuration. The organization’s administrators can configure policy to mitigate these risks directly from the DSPM for AI tool.

Figure 1. DSPM for AI shows interactions with Microsoft 365 Copilot, enterprise generative AI from other providers, and AI developed in-house.

Figure 2. DSPM for AI Reports on generative AI user interactions with sensitive data.

A big concern that organizations have in widely deploying generative AI is that it will return results that contain sensitive information that the user should not have access to. SharePoint sites have been created over the years, are unlabeled, and may be accessible to the entire organization through the AI. The “security by obscurity” that may have prevented the sensitive information from being inappropriately shared is now negated by the AI that reasons over and returns the data.

Data assessments, part of DSPM for AI, and currently in preview, identifies potential oversharing risks and allows the administrator to apply a sensitivity label to the SharePoint sites, the sensitive data, or initiate an Microsoft Entra ID user access review to manage group memberships.

The administrator can engage the business stakeholder who has knowledge of the risk posed by the data and invite them to mitigate the risk or apply the policy at scale from the Microsoft Purview administration portal.

Figure 3. Data assessment—visualize risk, review access, and deploy policy.

Learn more about Microsoft Purview Data Security Posture Management for AI Microsoft Purview Information Protection

The document access controls of Microsoft Purview Information Protection, including sensitivity labels, are enforced when the data is reasoned over by AI. The user is given visibility in context that they are working with sensitive information. This awareness empowers users to protect the organization. 

The sensitivity labels that enforce scoped encryption, watermarking, and other protections travel with the document as the user interacts with the AI. When the AI creates new content based on the document, the new content inherits the most restrictive label and policy.

Microsoft Purview can automatically apply sensitivity labels to AI interactions based on the organization’s existing policy for email, desktop applications, and Microsoft Teams, or new policy can be deployed for the AI.

These can be based on out-of-the-box sensitive information types for a quick start.

Learn more about Microsoft Purview Information Protection Microsoft Purview Data Loss Prevention

The Microsoft Purview Data Loss Prevention policies that the organization currently uses for email, desktop applications, and Teams can be extended to the AI or new policy for the AI can be created. Cut and paste of sensitive information or transfer of a labeled document into the AI can be prevented or only allowed with an auditable justification from the user.

A rule can be configured to prevent all documents bearing a specific label from being reasoned over by the AI. Out-of-the-box sensitive information types can be used for a quick start.

Learn more about Microsoft Purview Data Loss Prevention Microsoft Purview Communication Compliance

Microsoft Purview Communication Compliance provides the ability to detect regulatory compliance (for example, SEC or FINRA) and business conduct violations such as sensitive or confidential information, harassing or threatening language, and sharing of adult content.

Out-of-the-box policies can be used to monitor user prompts or AI-generated content. It provides policy enforcement in near real time and also audit logs and reporting.

Learn more about Microsoft Purview Communication Compliance Microsoft Purview Insider Risk Management

Microsoft Purview Insider Risk Management correlates signal to identify potential malicious or accidental behaviors from legitimate users. Pre-configured generative AI-specific risk detections and policy templates are now available in preview.

As the Insider Risk Management solution algorithms determine a user to be engaging in risky behavior, the data loss prevention (DLP) policies for that user can be made stricter using a feature called Adaptive Protection. It can be configured with out-of-the-box policies. This continuous monitoring and policy modulation mitigates risk while reducing administrator workload.

AI analytics can be activated from the Microsoft Purview portal to provide insights even before the Insider Risk Management solution is deployed to users. This quickly surfaces AI risks with minimal administrative workload.

Learn more about Microsoft Purview Insider Risk Management Microsoft Purview Data Lifecycle Management

Microsoft Purview can enforce AI Data Lifecycle Management, with retention of AI prompts, prompt returns, and the documents AI creates for a specified time period. This can be done globally for every interaction with an AI solution. It can be done with out-of-the-box or custom policies. This will keep these interactions available for future investigations, for regulatory compliance, or to tune policies and inform the governance program.

A policy for deletion of AI interactions can be enforced so information is not over-retained.

Learn more about Microsoft Purview Data Lifecycle Management Microsoft Purview Audit and Microsoft Purview eDiscovery

The organization will need to support internal investigations around the use of AI. Microsoft Purview Audit logs and retains these interactions. They also need to support their legal team should they have to produce AI interactions to support litigation.

Learn more about Microsoft Purview Audit

Microsoft Purview eDiscovery can put a user’s interactions with the AI as well as their other Microsoft 365 documents and communications on hold so that their availability to support investigations is maintained. It allows them to be searched based metadata, enhancing relevancy, annotated, and produced.

Learn more about Microsoft Purview eDiscovery Microsoft Purview Compliance Manager

Microsoft Purview Compliance Manager has pre-built assessments for AI regulations including:

• EU Artificial Intelligence Act.
• ISO/IEC 23894:2023.
• ISO/IEC 42001:2023.
• NIST AI Risk Management Framework (RMF) 1.0.

These assessments are available to benchmark compliance over time, report on control status, and maintain and produce evidence for both Microsoft and the organization’s activities that support the regulatory compliance program.

Learn more about Microsoft Purview Compliance Manager Microsoft Purview is an AI enabler

Without security, governance, and compliance bases being covered, the AI program puts the organization at risk. An AI program can be blocked before it deploys if the team can’t demonstrate how it is mitigating these risks.

The actions suggested here can all be taken quickly, and with limited effort, to set up a generative AI deployment for success.

Explore the Microsoft Purview product family Learn more

Learn more about Microsoft Purview.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Fast-track generative AI security with Microsoft Purview appeared first on Microsoft Security Blog.