Microsoft

In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group. This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures (TTPs) to leverage a new access vector. Star Blizzard’s targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations researchers whose work touches on Russia, and sources of assistance to Ukraine related to the war with Russia.

In our last blog post about Star Blizzard, we discussed how the threat actor targeted dozens of civil society organizations—journalists, think tanks, and non-governmental organizations (NGOs)—between January 2023 and August 2024 by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities. Since October 3, 2024, Microsoft and the US Department of Justice have seized or taken down more than 180 websites related to that activity. While this coordinated action had a short-term impact on Star Blizzard’s phishing operations, we noted at the time that after this threat actor’s active infrastructure was exposed, they swiftly transitioned to new domains to continue their operations, indicating that the threat actor is highly resilient to operational disruptions.

We assess the threat actor’s shift to compromising WhatsApp accounts is likely in response to the exposure of their TTPs by Microsoft Threat Intelligence and other organizations, including national cybersecurity agencies. While this campaign appears to have wound down at the end of November, we are highlighting the new shift as a sign that the threat actor could be seeking to change its TTPs in order to evade detection.

As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our information on Star Blizzard’s latest activity to raise awareness of this threat actor’s shift in tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity. We also directly notify customers who have been targeted or compromised, providing them with the necessary information to help secure their environments.

Targeting WhatsApp account data

Star Blizzard’s new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time, exhibits familiar spear-phishing TTPs for Star Blizzard, with the threat actor initiating email contact with their targets, to engage them, before sending them a second message containing a malicious link. The sender address used by the threat actor in this campaign impersonates a US government official, continuing Star Blizzard’s practice of impersonating known political/diplomatic figures, to further ensure target engagement. The initial email sent to targets contains a quick response (QR) code purporting to direct users to join a WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.” This code, however, is intentionally broken and will not direct the user towards any valid domain; this is an effort to coax the target recipient into responding.

Figure 1. Star Blizzard initial spear-phishing email with broken QR code

When the recipient responds, Star Blizzard sends a second email containing a Safe Links-wrapped t[.]ly shortened link as the alternative link to join the WhatsApp group.

Figure 2. Star Blizzard follow-on spear-phishing email with URL link

When this link is followed, the target is redirected to a webpage asking them to scan a QR code to join the group. However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal. This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.

Figure 3. Malicious Star Blizzard phish attempt using WhatsApp linking QR code

While this campaign was limited and appeared to have terminated at the end of November, it nevertheless marked a break in long-standing Star Blizzard TTPs and highlighted the threat actor’s tenacity in continuing spear-phishing campaigns to gain access to sensitive information even in the face of repeated degradations of their operations.

Microsoft Threat Intelligence recommends that all email users belonging to sectors that Star Blizzard typically targets always remain vigilant when dealing with email, especially emails containing links to external resources. These targets are most commonly related to:

• Government or diplomacy (incumbent and former position holders)
• Research into defense policy or international relations when related to Russia
• Assistance to Ukraine related to the ongoing conflict with Russia

When in doubt, contact the person you think is sending the email using a known and previously used email address to verify that the email was indeed sent by them.

Mitigations

To harden networks against the Star Blizzard activity listed above, defenders can implement the following:

• Implement Microsoft Defender for Endpoint on Android and iOS, which includes anti-phishing capabilities that also apply to QR code phishing attacks, blocking phishing sites from being accessed. 
• Enable network protection in Microsoft Defender for Endpoint
• Ensure that tamper protection is enabled in Microsoft Dender for Endpoint
• Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Turn on PUA protection in block mode in Microsoft Defender Antivirus
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
• Turn on Microsoft Defender Antivirus real-time protection.
• Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Turn on Safe Links and Safe Attachments for Office 365.
• Use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Utilize the QR code payload in attack simulation training scenarios to mirror Star Blizzard’s and other threat actor’s QR code spear-phishing techniques.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• Star Blizzard activity group

Hunting queries Microsoft Defender XDR

Surface events that may have communicated with the Star Blizzard C2s. 

let domainList = dynamic(["civilstructgeo.org", "aerofluidthermo.org"]); union ( DnsEvents | where QueryType has_any(domainList) or Name has_any(domainList) | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents" ), ( IdentityQueryEvents | where QueryTarget has_any(domainList) | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents" ), ( DeviceNetworkEvents | where RemoteUrl has_any(domainList) | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents" ), ( DeviceNetworkInfo | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks) | mv-expand DnsAddresses, ConnectedNetworks | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList) | project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo" ), ( VMConnection | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames) | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList) | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection" ), ( W3CIISLog | where csHost has_any(domainList) or csReferer has_any(domainList) | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog" ), ( EmailUrlInfo | where UrlDomain has_any(domainList) | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo" ), ( UrlClickEvents | where Url has_any(domainList) | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents" ) | order by TimeGenerated desc Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

While the below queries are not linked to any specific threat actor, they are effective in detecting potential phishing attempts. Implementing these queries can help you stay vigilant and safeguard your organization from phishing attacks

• Delivered Bad Emails from Top bad IPv4 addresses
• Phishing Link Execution Observed
• Successful Signin from Phishing Link
• Suspicious URL Clicked
• Email Delivered to Inbox

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Star Blizzard adopting PDF-less approach to spearphishing
• Star Blizzard spearphishing campaign targets US think tanks
• Disrupting Star Blizzard’s ongoing phishing operations

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Indicators of compromise IndicatorTypeLast seencivilstructgeo[.]orgDomainOctober 2024aerofluidthermo[.]orgDomainOctober 2024 References

• https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a

Learn more

For further information on the threats detailed in this blog post, refer to these additional Microsoft blogs:

• Protecting Democratic Institutions from Cyber Threats
• Star Blizzard increases sophistication and evasion in ongoing attacks
• Disrupting SEABORGIUM’s ongoing phishing operations

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post New Star Blizzard spear-phishing campaign targets WhatsApp accounts appeared first on Microsoft Security Blog.

As our Microsoft AI Tour reached Brussels, Paris, and Berlin toward the end of last year, we met with European organizations that were energized by the possibilities of our latest AI technologies and engaged in deployment projects. They were also alert to the fact that 2025 is the year that key obligations under the European Union’s AI Act come into effect, opening a new chapter in digital regulation as the world’s first, comprehensive AI law becomes a reality.  

At Microsoft, we are ready to help our customers do two things at once: innovate with AI and comply with the EU AI Act. We are building our products and services to comply with our obligations under the EU AI Act and working with our customers to help them deploy and use the technology compliantly. We are also engaged with European policymakers to support the development of efficient and effective implementation practices under the EU AI Act that are aligned with emerging international norms.  

Below, we go into more detail on these efforts. Since the dates for compliance with the EU AI Act are staggered and key implementation details are not yet finalized, we will be publishing information and tools on an ongoing basis. You can consult our EU AI Act documentation on the Microsoft Trust Center to stay up to date. 

Building Microsoft products and services that comply with the EU AI Act 

Organizations around the world use Microsoft products and services for innovative AI solutions that empower them to achieve more. For these customers, particularly those operating globally and across different jurisdictions, regulatory compliance is of paramount importance. This is why, in every customer agreement, Microsoft has committed to comply with all laws and regulations applicable to Microsoft. This includes the EU AI Act. It is also why we made early decisions to build and continue to invest in our AI governance program. 

As outlined in our inaugural Transparency Report, we have adopted a risk management approach that spans the entire AI development lifecycle. We use practices like impact assessments and red-teaming to help us identify potential risks and ensure that teams building the highest-risk models and systems receive additional oversight and support through governance processes, like our Sensitive Uses program. After mapping risks, we use systematic measurement to evaluate the prevalence and severity of risks against defined metrics. We manage risks by implementing mitigations like the classifiers that form part of Azure AI Content Safety and ensuring ongoing monitoring and incident response.  

Our framework for guiding engineering teams building Microsoft AI solutions—the Responsible AI Standard—was drafted with an early version of the EU AI Act in mind.  

Building on these foundational components of our program, we have devoted significant resources to implementing the EU AI Act across Microsoft. Cross-functional working groups combining AI governance, engineering, legal, and public policy experts have been working for months to identify whether and how our internal standards and practices should be updated to reflect the final text of the EU AI Act as well as early indications of implementation details. They have also been identifying any additional engineering work needed to ensure readiness.  

For example, the EU AI Act’s prohibited practices provisions are among the first provisions to come into effect in February 2025. Ahead of the European Commission’s newly established AI Office providing additional guidance, we have taken a proactive, layered approach to compliance. This includes:​ 

• Conducting a thorough review of Microsoft-owned systems already on the market to identify any places where we might need to adjust our approach, including by updating documentation or implementing technical mitigations.​ To do this, we developed a series of questions designed to elicit whether an AI system could implicate a prohibited practice and dispatched this survey to our engineering teams via our central tooling. Relevant experts reviewed the responses and followed up with teams directly where further clarity or additional steps were necessary. These screening questions remain in our central responsible AI workflow tool on an ongoing basis, so that teams working on new AI systems answer them and engage the review workflow as needed.  
• Creating new restricted uses in our internal company policy to ensure Microsoft does not design or deploy AI systems for uses prohibited by the EU AI Act.​ We are also developing specific marketing and sales guidance to ensure that our general-purpose AI technologies are not marketed or sold for uses that could implicate the EU AI Act’s prohibited practices.  
• Updating our contracts, including our Generative AI Code of Conduct, so that our customers clearly understand they cannot engage in any prohibited practices.​ For example, the Generative AI Code of Conduct now has an express prohibition on the use of the services for social scoring. 

We were also among the first organizations to sign up to the three core commitments in the AI Pact, a set of voluntary pledges developed by the AI Office to support regulatory readiness ahead of some of the upcoming compliance deadlines for the EU AI Act. In addition to our regular rhythm of publishing annual Responsible AI Transparency Reports, you can find an overview of our approach to the EU AI Act and a more detailed summary of how we are implementing the prohibited practices provisions on the Microsoft Trust Center. 

Working with customers to help them deploy and use Microsoft products and services in compliance with the EU AI Act 

One of the core concepts of the EU AI Act is that obligations need to be allocated across the AI supply chain. This means that an upstream regulated actor, like Microsoft in its capacity as a provider of AI tools, services, and components, must support downstream regulated actors, like our enterprise customers, when they integrate a Microsoft tool into a high-risk AI system. We embrace this concept of shared responsibility and aim to support our customers with their AI development and deployment activities by sharing our knowledge, providing documentation, and offering tooling. This all ladders up to the AI Customer Commitments that we made in June of last year to support our customers on their responsible AI journeys. 

We will continue to publish documentation and resources related to the EU AI Act on the Microsoft Trust Center to provide updates and address customer questions. Our Responsible AI Resources site is also a rich source of tools, practices, templates, and information that we believe will help many of our customers establish the foundations of good governance to support EU AI Act compliance.  

On the documentation front, the 33 Transparency Notes that we have published since 2019 provide essential information about the capabilities and limitations of our AI tools, components, and services that our customers rely on as downstream deployers of Microsoft AI platform services. We have also published documentation for our AI systems, such as answers to frequently asked questions. Our Transparency Note for the Azure OpenAI Service, an AI platform service, and FAQ for Copilot, an AI system, are examples of our approach. 

We expect that several of the secondary regulatory efforts under the EU AI Act will provide additional guidance on model- and system-level documentation. These norms for documentation and transparency are still maturing and would benefit from further definition consistent with efforts like the Reporting Framework for the Hiroshima AI Process International Code of Conduct for Organizations Developing Advanced AI Systems. Microsoft has been pleased to contribute to this Reporting Framework through a process convened by the OECD and looks forward to its forthcoming public release. 

Finally, because tooling is necessary to achieve consistent and efficient compliance, we make available to our customers versions of the tools that we use for our own internal purposes. These tools include Microsoft Purview Compliance Manager, which helps customers understand and take steps to improve compliance capabilities across many regulatory domains, including the EU AI Act; Azure AI Content Safety to help mitigate content-based harms; Azure AI Foundry to help with evaluations of generative AI applications; and Python Risk Identification Tool or PyRIT, an open innovation framework that our independent AI Red Team uses to help identify potential harms associated with our highest-risk AI models and systems. 

Helping to develop efficient, effective, and interoperable implementation practices 

A unique feature of the EU AI Act is that there are more than 60 secondary regulatory efforts that will have a material impact on defining implementation expectations and directing organizational compliance. Since many of these efforts are in progress or yet to get underway, we are in a key window of opportunity to help establish implementation practices that are efficient, effective, and aligned with emerging international norms. 

Microsoft is engaged with the central EU regulator, the AI Office, and other relevant authorities in EU Member States to share insights from our AI development, governance, and compliance experience, seek clarity on open questions, and advocate for practical outcomes. We are also participating in the development of the Code of Practice for general-purpose AI model providers, and we remain longstanding contributors to the technical standards being developed by European Standards organizations, such as CEN and CENELEC, to address high-risk AI system requirements in the EU AI Act. 

Our customers also have a key role to play in these implementation efforts. By engaging with policymakers and industry groups to understand the evolving requirements and have a say on them, our customers have the opportunity to contribute their valuable insights and help shape implementation practices that better reflect their circumstances and needs, recognizing the broad range of organizations in Europe that are energized by the opportunity to innovate and grow with AI. In the coming months, a key question to be resolved is when organizations that substantially fine-tune AI models become downstream providers due to comply with general-purpose AI model obligations in August. 

Going forward 

Microsoft will continue to make significant product, tooling, and governance investments to help our customers innovate with AI in line with new laws like the EU AI Act. Implementation practices that are efficient, effective, and interoperable internationally are going to be key to supporting useful and trustworthy innovation on a global scale, so we will continue to lean into regulatory processes in Europe and around the world. We are excited to see the projects that animated our Microsoft AI Tour events in Brussels, Paris, and Berlin improve people’s lives and earn their trust, and we welcome feedback on how we can continue to support our customers in their efforts to comply with new laws like the EU AI Act. 

The post Innovating in line with the European Union’s AI Act  appeared first on Microsoft Security Blog.

Microsoft Threat Intelligence discovered a new macOS vulnerability that could allow attackers to bypass Apple’s System Integrity Protection (SIP) in macOS by loading third party kernel extensions. SIP is a security technology that restricts the performance of operations that may compromise system integrity; thus, a SIP bypass affects the overall security of the operating system. Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits.

We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). A fix for this vulnerability, now identified as CVE-2024-44243, was included in the security updates released by Apple on December 11, 2024. The findings were discovered in parallel between Microsoft and Mickey Jin, who also responsibly reported the vulnerability to Apple. Users should ensure their systems are up to date. We thank the Apple security team for their collaboration and efforts in fixing this issue.

In many cases, special entitlements are leveraged to bypass security mechanisms like SIP, making it essential to monitor specially entitled processes for anomalous behavior. This need for proactive monitoring is only further emphasized when a specially entitled process invokes kernel extensions from third party organizations without proper validation or reduced privileges, which an attacker could exploit to install a kernel driver (rootkit) in a way that could evade detection by security solutions. Following our previous SIP bypass blog posts (Shrootless, Migraine), our team set up mechanisms to proactively alert on potentially attacker-controlled child processes of special entitled processes, which enabled Microsoft Defender and our researcher team to ultimately identify CVE-2024-44243.

In this blog post, we detail the connection between entitlements and SIP and explain how CVE-2024-44243 could be used to bypass SIP security measures. This research also highlights some of the benefits and challenges of kernel-based monitoring. Prohibiting third party code to run in the kernel can increase macOS reliability, the tradeoff being that it reduces monitoring capabilities for security solutions. If SIP is bypassed, the entire operating system can no longer be considered reliable, and with reduced monitoring visibility, threat actors can tamper with any security solutions on the device to evade detection. As such, this research is being presented to the broader security community to underline the critical role of responsible disclosure and collaborative efforts in securing devices across platforms.

Understanding SIP and entitled processes

As previously covered in our previous SIP bypass blogposts (Shrootless, Migraine), SIP (also known as “rootless”) is a macOS mechanism that enforces several operating system protections against the root user, including the ability to:

• Load arbitrary kernel drivers
• Change non-volatile random-access memory (NVARM) variables
• Get task ports for Apple-signed processes
• Allow kernel debugging
• Modify sensitive files that are a part of the operating system

One interesting fact about SIP is that bypassing just one of those restrictions is likely to lead to bypasses of all other SIP restrictions – for example:

• SIP policy is controlled by NVRAM variables, so modifying NVRAM variables bypasses SIP.
• Kernel code execution (either through kernel extensions or debugging) can change SIP since it is enforced at the kernel level.
• Modifying sensitive files on the file system can bypass SIP, for instance, by modifying the list of allowed kernel extensions and then loading that kernel extension.

SIP bypasses have traditionally focused on special binaries with specific entitlements. As a reminder, entitlements are special capabilities a process might have and are a part of the digital signature of the process. Therefore, entitlements cannot be easily forged by attackers. In addition to the well-documented entitlements available for software developers, certain entitlements are reserved only for processes that have specific operating system functions, such as system updates, debugging capabilities, memory tracing, and security extensions. We refer to them as private entitlements, as their name would commonly start with a com.apple.private prefix. There are many of those special entitlements, most are not documented by Apple at all.

Our team has identified the criticality in monitoring anomalous behavior by those specially entitled processes, as in many cases special entitlements could be used for bypassing security mechanisms. For example:

EntitlementDescriptioncom.apple.rootless.installProcesses entitled with the com.apple.rootless.install entitlement can bypass SIP file system checks. Several examples that abuse that entitlement have been reported, including:
– Reported by Stefan Esser and presented at SyScan360, this vulnerability misused the fact that fsck_cs follows symbolic links and could therefore write to arbitrary file paths.
– CVE-2022-26712 – reported by Mickey Jin. The vulnerability abuses the SystemShoveService.xpc XPC service, which is entitled with the com.apple.rootless.install entitlement.

Note that this is not a complete list of vulnerabilities associated with that entitlement.com.apple.rootless.install.heritableProcesses entitled with the com.apple.rootless.install.heritable inherit the com.apple.rootless.install entitlement to all their child processes. Notable examples include:
– CVE-2019-8561 – discovered by Trend Micro. The vulnerability leverages a Time-of-check-time-of-use (TOCTOU) issue in the system_installd binary.
– CVE-2020–9854 – reported by Ilias Morad, which exploited a specific installer script that was spawned by system_installd and allowed an arbitrary process execution from a command-line argument.
– CVE-2021-30892 – reported by Microsoft Defender, known as “Shrootless”. The vulnerability abuses Apple-signed package that includes shell script components and abuses the system_installd binary.
– CVE-2022-22583 – reported by Perception Point. This vulnerability is a variant on our previously reported Shrootless vulnerability and takes advantage of a the /tmp symbolic link used by system_installd.
– CVE-2023-32369 – reported by Microsoft Defender, known as “Migraine”. The exploit abuses the system migration daemon (migrationd ).

Note that this is not a complete list of vulnerabilities associated with that entitlement.

There are other entitlements that could be used for other types of vulnerabilities, such as the com.apple.private.tcc.allow entitlement, which could be used for TCC bypasses, which we also monitor. However, in this blog post we will focus on SIP-related entitlements only.

Due to the sensitive nature of the com.apple.rootless.install.heritable entitlement, it is evident that monitoring anomalous child processes of processes entitled with com.apple.rootless.install.heritable is important for security research.

Discovery of SIP bypasses through custom file systems

One of the processes entitled with the previously described com.apple.rootless.install.heritable entitlement is storagekitd, which is a daemon that handles disk state-keeping by the Storage Kit private framework.

Figure 1. storagekitd and its SIP-related entitlements

As shown, storagekitd has many SIP bypassing capabilities, including the com.apple.rootless.install.heritable, which means all its child processes are of great interest.

Using advanced hunting query language, we can look for all child processes of the storagekitd daemon:

DeviceProcessEvents | where InitiatingProcessFileName == "storagekitd" and FolderPath !startswith "/System" and FolderPath !startswith "/sbin" and FolderPath !startswith "/bin" and FolderPath !startswith "/usr" | summarize by ProcessCommandLine

Interestingly, we found several processes, which we immediately investigated:

Example pathExplanation/Library/Filesystems/iboysoft_NTFS.fs/Contents/Resources/newfs_ms_ntfsCustom NTFS implementation from iBoysoft./Library/Filesystems/tuxera_ntfs.fs/Contents/Resources/newfs_tuxera_ntfsCustom NTFS implementation from Tuxera./Library/Filesystems/ufsd_ExtFS.fs/Contents/Resources/fsck_ufsd_ExtFSCustom EXT file system implementation from Paragon./Library/Filesystems/ufsd_NTFS.fs/Contents/Resources/fsck_ufsd_NTFSCustom NTFS implementation from Paragon./Library/Filesystems/easeus_NTFS.fs/Contents/Resources/newfs_easeus_NTFSCustom NTFS implementation from EaseUS.

We therefore attempted to install those solutions. By overriding the binaries under the relevant bundle under /Library/Filesystems and triggering them with the Disk Utility app, we proved that we were able to bypass SIP protections, overriding the Apple kernel extensions exclusion list. Moreover, we have successfully been able to automate our process with the diskutil utility, which, similarly to the Disk Utility app, uses the Storage Kit private framework:

Figure 2. SIP bypass done by triggering storagekitd

It’s important to note everything described in this blog post is a macOS vulnerability due to storagekitd’s ability to invoke arbitrary processes without proper validation or dropping privileges, rather than a vulnerability in each of those products.

Experimenting with custom file systems

Mounting filesystems on macOS involves the Disk Arbitration daemon (diskarbitrationd), which supports filesystems that are implemented in the kernel (APFS, HFS+) and those that are implemented in userspace. Filesystems implemented in userspace are known as User Filesystems (UserFS). macOS comes pre-shipped with several such filesystem implementations, each appears as a file system bundle (*.fs) under /System/Library/Filesystems and /Library/Filesystems.

Figure 3. Custom filesystem bundles

While the structure of file system bundles is not-well documented, the diskarbitrationd is fully open-source, which shows what properties are expected from such a bundle. The structure is as follows:

• A dictionary of FSMediaTypes exists, in which the key is the file system formal name (or a designated GUID), and the value contains various content hints.
• More importantly, the bundle information clearly specifies the binary file names and command line-arguments that will be used for specific operations, such as mounting, repairing, and probing.

As described by Csaba Fitzl of Kandji in POC2024, upon mounting, the disk utility consults a specialized daemon known as the Storage Kit daemon (storagekitd), which, in turn, uses the Disk Arbitration daemon (diskarbitrationd) to invoke the right mount process via posix_spawn. However, we noticed certain operations (such as “disk repair”) are directly invoked under storagekitd. Since an attacker that can run as root can drop a new file system bundle to /Library/Filesystems, they can later trigger storagekitd to spawn custom binaries, hence bypassing SIP.

Figure 4. New file system registration that includes the name and the executables to be run Figure 5. Registered file system recognized by the Disk Utility

Triggering the erase operation on the newly created file system can bypass SIP protections as well.

Detecting the vulnerability with Microsoft Defender for Endpoint monitoring

System Integrity Protection (SIP) serves as a critical safeguard against malware, attackers, and other cybersecurity threats, establishing a fundamental layer of protection for macOS systems. Bypassing SIP impacts the entire operating system’s security and could lead to severe consequences, emphasizing the necessity for comprehensive security solutions that can detect anomalous behavior from specially entitled processes. The challenge of detecting such threats is compounded by the inherent limitations in kernel-level visibility on macOS, making it difficult for traditional security measures to spot and mitigate these sophisticated attacks.

As our research demonstrates, an attacker with the ability to run as root could have exploited CVE-2024-44243 by loading third party kernel extensions to bypass SIP. To address these challenges, Microsoft Defender Vulnerability Management quickly identifies and resolves CVE-2024-44243 and similar vulnerabilities while Microsoft Defender for Endpoint offers robust monitoring capabilities designed to detect and alert on anomalous behavior associated with specially entitled processes on macOS. Proactive monitoring for such anomalies is crucial to enable defenders to stay ahead of emerging threats and mitigate potential risks effectively. By leveraging these advanced detection mechanisms, organizations can gain greater visibility into activities that may indicate an attempt to exploit vulnerabilities that bypass SIP and other protection technologies across platforms.

Figure 6. Microsoft Defender for Endpoint Potential System Integrity Protection bypass alert

This research underscores the importance of shared knowledge and collaborative efforts within the security community. We’d like to again thank Apple for their work in addressing this vulnerability, and Mickey Jin for responsibly disclosing the vulnerability in parallel with Microsoft. We believe that disseminating this information will not only foster responsible disclosure but also encourage collective action to fortify defenses against developing threats. By working together and leveraging the insights gained from these findings, we can better protect our systems and respond effectively to evolving security challenges.

Jonathan Bar Or

Microsoft Defender Research Team

References

• https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44243
• https://support.apple.com/en-us/121839
• https://x.com/patch1t
• https://developer.apple.com/documentation/bundleresources/entitlements
• https://www.slideshare.net/slideshow/syscan360-stefan-esser-os-x-el-capitan-sinking-the-ship/59926048
• https://jhftss.github.io/CVE-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable/
• https://www.trendmicro.com/en_us/research/22/k/cve-2019-8561-a-hard-to-banish-packagekit-framework-vulnerabilit.html
• https://objective-see.org/blog/blog_0x4D.html
• https://perception-point.io/blog/technical-analysis-cve-2022-22583/
• https://iboysoft.com/
• https://ntfsformac.tuxera.com/
• https://www.paragon-software.com/
• https://toolbox.easeus.com/ntfs-for-mac/
• https://ss64.com/mac/diskutil.html
• https://support.apple.com/guide/disk-utility/welcome/mac
• https://github.com/apple-open-source/macos/tree/master/DiskArbitration
• https://powerofcommunity.net/poc2024/Csaba%20Fitzl,%20Apple%20Disk-O%20Party.pdf

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions appeared first on Microsoft Security Blog.

Microsoft’s AI red team is excited to share our whitepaper, “Lessons from Red Teaming 100 Generative AI Products.”

The AI red team was formed in 2018 to address the growing landscape of AI safety and security risks. Since then, we have expanded the scope and scale of our work significantly. We are one of the first red teams in the industry to cover both security and responsible AI, and red teaming has become a key part of Microsoft’s approach to generative AI product development. Red teaming is the first step in identifying potential harms and is followed by important initiatives at the company to measure, manage, and govern AI risk for our customers. Last year, we also announced PyRIT (The Python Risk Identification Tool for generative AI), an open-source toolkit to help researchers identify vulnerabilities in their own AI systems.

Pie chart showing the percentage breakdown of products tested by the Microsoft AI red team. As of October 2024, we had red teamed more than 100 generative AI products.

With a focus on our expanded mission, we have now red-teamed more than 100 generative AI products. The whitepaper we are now releasing provides more detail about our approach to AI red teaming and includes the following highlights:

• Our AI red team ontology, which we use to model the main components of a cyberattack including adversarial or benign actors, TTPs (Tactics, Techniques, and Procedures), system weaknesses, and downstream impacts. This ontology provides a cohesive way to interpret and disseminate a wide range of safety and security findings.
• Eight main lessons learned from our experience red teaming more than 100 generative AI products. These lessons are geared towards security professionals looking to identify risks in their own AI systems, and they shed light on how to align red teaming efforts with potential harms in the real world.
• Five case studies from our operations, which highlight the wide range of vulnerabilities that we look for including traditional security, responsible AI, and psychosocial harms. Each case study demonstrates how our ontology is used to capture the main components of an attack or system vulnerability.

Lessons from Red Teaming 100 Generative AI Products

Discover more about our approach to AI red teaming.

Read the whitepaper Microsoft AI red team tackles a multitude of scenarios

Over the years, the AI red team has tackled a wide assortment of scenarios that other organizations have likely encountered as well. We focus on vulnerabilities most likely to cause harm in the real world, and our whitepaper shares case studies from our operations that highlight how we have done this in four scenarios including security, responsible AI, dangerous capabilities (such as a model’s ability to generate hazardous content), and psychosocial harms. As a result, we are able to recognize a variety of potential cyberthreats and adapt quickly when confronting new ones.

This mission has given our red team a breadth of experiences to skillfully tackle risks regardless of:

• System type, including Microsoft Copilot, models embedded in systems, and open-source models.
• Modality, whether text-to-text, text-to-image, or text-to-video.
• User type—enterprise user risk, for example, is different from consumer risks and requires a unique red teaming approach. Niche audiences, such as for a specific industry like healthcare, also deserve a nuanced approach. 

Top three takeaways from the whitepaper

AI red teaming is a practice for probing the safety and security of generative AI systems. Put simply, we “break” the technology so that others can build it back stronger. Years of red teaming have given us invaluable insight into the most effective strategies. In reflecting on the eight lessons discussed in the whitepaper, we can distill three top takeaways that business leaders should know.

Takeaway 1: Generative AI systems amplify existing security risks and introduce new ones

The integration of generative AI models into modern applications has introduced novel cyberattack vectors. However, many discussions around AI security overlook existing vulnerabilities. AI red teams should pay attention to cyberattack vectors both old and new.

• Existing security risks: Application security risks often stem from improper security engineering practices including outdated dependencies, improper error handling, credentials in source, lack of input and output sanitization, and insecure packet encryption. One of the case studies in our whitepaper describes how an outdated FFmpeg component in a video processing AI application introduced a well-known security vulnerability called server-side request forgery (SSRF), which could allow an adversary to escalate their system privileges.

Illustration of the SSRF vulnerability in the video-processing generative AI application.

• Model-level weaknesses: AI models have expanded the cyberattack surface by introducing new vulnerabilities. Prompt injections, for example, exploit the fact that AI models often struggle to distinguish between system-level instructions and user data. Our whitepaper includes a red teaming case study about how we used prompt injections to trick a vision language model.

Red team tip: AI red teams should be attuned to new cyberattack vectors while remaining vigilant for existing security risks. AI security best practices should include basic cyber hygiene.

Takeaway 2: Humans are at the center of improving and securing AI

While automation tools are useful for creating prompts, orchestrating cyberattacks, and scoring responses, red teaming can’t be automated entirely. AI red teaming relies heavily on human expertise.

Humans are important for several reasons, including:

• Subject matter expertise: LLMs are capable of evaluating whether an AI model response contains hate speech or explicit sexual content, but they’re not as reliable at assessing content in specialized areas like medicine, cybersecurity, and CBRN (chemical, biological, radiological, and nuclear). These areas require subject matter experts who can evaluate content risk for AI red teams.
• Cultural competence: Modern language models use primarily English training data, performance benchmarks, and safety evaluations. However, as AI models are deployed around the world, it is crucial to design red teaming probes that not only account for linguistic differences but also redefine harms in different political and cultural contexts. These methods can be developed only through the collaborative effort of people with diverse cultural backgrounds and expertise.
• Emotional intelligence: In some cases, emotional intelligence is required to evaluate the outputs of AI models. One of the case studies in our whitepaper discusses how we are probing for psychosocial harms by investigating how chatbots respond to users in distress. Ultimately, only humans can fully assess the range of interactions that users might have with AI systems in the wild.

Red team tip: Adopt tools like PyRIT to scale up operations but keep humans in the red teaming loop for the greatest success at identifying impactful AI safety and security vulnerabilities.

Takeaway 3: Defense in depth is key for keeping AI systems safe

Numerous mitigations have been developed to address the safety and security risks posed by AI systems. However, it is important to remember that mitigations do not eliminate risk entirely. Ultimately, AI red teaming is a continuous process that should adapt to the rapidly evolving risk landscape and aim to raise the cost of successfully attacking a system as much as possible.

• Novel harm categories: As AI systems become more sophisticated, they often introduce entirely new harm categories. For example, one of our case studies explains how we probed a state-of-the-art LLM for risky persuasive capabilities. AI red teams must constantly update their practices to anticipate and probe for these novel risks.
• Economics of cybersecurity: Every system is vulnerable because humans are fallible, and adversaries are persistent. However, you can deter adversaries by raising the cost of attacking a system beyond the value that would be gained. One way to raise the cost of cyberattacks is by using break-fix cycles.1 This involves undertaking multiple rounds of red teaming, measurement, and mitigation—sometimes referred to as “purple teaming”—to strengthen the system to handle a variety of attacks.
• Government action: Industry action to defend against cyberattackers and
  failures is one side of the AI safety and security coin. The other side is
  government action in a way that could deter and discourage these broader
  failures. Both public and private sectors need to demonstrate commitment and vigilance, ensuring that cyberattackers no longer hold the upper hand and society at large can benefit from AI systems that are inherently safe and secure.

Red team tip: Continually update your practices to account for novel harms, use break-fix cycles to make AI systems as safe and secure as possible, and invest in robust measurement and mitigation techniques.

Advance your AI red teaming expertise

The “Lessons From Red Teaming 100 Generative AI Products” whitepaper includes our AI red team ontology, additional lessons learned, and five case studies from our operations. We hope you will find the paper and the ontology useful in organizing your own AI red teaming exercises and developing further case studies by taking advantage of PyRIT, our open-source automation framework.

Together, the cybersecurity community can refine its approaches and share best practices to effectively address the challenges ahead. Download our red teaming whitepaper to read more about what we’ve learned. As we progress along our own continuous learning journey, we would welcome your feedback and hearing about your own AI red teaming experiences.

Learn more with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹ Phi-3 Safety Post-Training: Aligning Language Models with a “Break-Fix” Cycle

The post 3 takeaways from red teaming 100 generative AI products appeared first on Microsoft Security Blog.

The expanding attack surface is creating more opportunities for exploitation and adding to the pressure on security leaders and teams. Increasingly, organizations are investing in managed detection and response services (MDR) to bolster their security operations center (SOC) and meet the challenge. Demand is growing rapidly: according to Frost & Sullivan, the market for MDR is expanding at a rate of 35.2% annually.1   

While there are new vendors launching MDR services regularly, many security teams are turning to Microsoft Defender Experts for XDR, a recognized leader, to deliver comprehensive coverage.1 Employed worldwide by organizations across industries, Microsoft’s team of dedicated experts proactively hunts for cyberthreats and triages, investigates, and responds to incidents on a customer’s behalf around the clock across their most critical assets. Our proven service brings together in-house security professionals and industry-leading protection with Microsoft Defender XDR to help security teams rapidly stop cyberthreats and keep their environments secure.2 

Frost & Sullivan names Microsoft Defender Experts for XDR a leader in the Frost Radar™ Managed Detection and Response for 2024.1 

Microsoft Defender Experts for XDR

Give your security operations center team coverage with end-to-end protection and expertise.

Learn more Reduce the staffing burden, improve security coverage, and focus on other priorities

Microsoft Defender Experts for XDR improves operational efficacy greatly while elevating an organization’s security posture to a new level. The team of experts will monitor the environment, find and halt cyberthreats, and help contain incidents faster with human-led response and remediation. With Defender Experts for XDR, organizations will expand their threat protection capabilities, reduce the number of incidents over time, and have more resources to focus on other priorities.

More experts on your side

Scaling in-house security teams remains challenging. Security experts are not only scarce but expensive. The persistent gap in open security positions has widened to 25% since 2022, meaning one in four in-house security analyst positions will remain unfilled.3 In the Forrester Consulting New Technology Project Total Economic Impact study, without Defender Experts for XDR, the in-house team size for the composite organization would need to increase by up to 30% in mid-impact scenario or 40% in high-impact scenario in year one to provide the same level of threat detection service.4 When you consider the lack of available security talent, increasing an in-house team size by 40% poses significant security concerns to CISOs. Existing security team members won’t be able to perform all the tasks required. Many will be overworked, which may lead to burnout.

With more than 34,000 full-time equivalent security engineers, Microsoft is one of the largest security companies in the world. Microsoft Defender Experts for XDR reinforces your security team with Microsoft security professionals to help reduce talent gap concerns. In addition to the team of experts, customers have additional Microsoft security resources to help with onboarding, recommendations, and strategic insights.

“Microsoft has the assets and people I needed. All the technologies, Microsoft Azure, and a full software stack end-to-end, all combined together with the fabric of security. Microsoft [Defender Experts for XDR] has the people and the ability to hire and train those people with the most upmost skill set to deal with the issues we face.”

—Head of Cybersecurity Response Architecture, financial services industry

Accelerate and expand protection against today’s cyberthreats

Microsoft Defender Experts for XDR deploys quickly. That’s welcome news to organizations concerned about maturing their security program and can’t wait for new staffing and capabilities to be developed in-house. Customers can quickly leverage the deep expertise of the Microsoft Defender Experts for XDR team to tackle the increasing number of sophisticated threats. 

What is phishing?

Learn more

CISOs and security teams know that phishing attacks continue to rise because cybercriminals are finding success. Email remains the most common method for phishing attacks, with 91% of all cyberattacks beginning with a phishing email. Phishing is the primary method for delivering ransomware, accounting for 45% of all ransomware attacks. Financial institutions are most targeted at 27.7% followed by nearly all other industries.5

According to internal Microsoft Defender Experts for XDR statistics, roughly 40% of halted threats are phishing.

Microsoft Defender Experts for XDR is a managed extended detection and response service (MXDR). MXDR is an evolution of traditional MDR services, which primarily focuses on endpoints. Our MXDR service has greater protection across endpoints, email and productivity tools, identities, and cloud apps—ensuring the detection and disruption of many cyberthreats, such as phishing, that would not be covered by endpoint-only managed services. That expanded and consolidated coverage enables Microsoft Defender Experts for XDR to find even the most emergent threats. For example, our in-house team identified and disrupted a significant Octo Tempest operation that was working across previously siloed domains. 

The reduction in the likelihood of breaches with Microsoft Defender Experts for XDR is roughly 20% and is worth $261,000 to $522,000 over three years with Defender Experts.4

In addition to detecting, triaging, and responding to cyberthreats, Microsoft Defender Experts for XDR publishes insights to keep organizations secure. That includes recent blogs on file hosting services abuse and phishing abuse of remote monitoring and management tools. As well, the MXDR service vetted roughly 45 indicators related to adversary-in-the-middle, password spray, and multifactor authentication fatigue and added them to Spectre to help keep organizations secure.

From September 2024 through November 2024, Microsoft Security published multiple cyberthreat articles covering real-world exploration topics such as Roadtools, AzureHound, Fake Palo Alto GlobalProtect, AsyncRAT via ScreenConnect, Specula C2 Framework, SectopRAT campaign, Selenium Grid for Cryptomining, and Specula.

“The Microsoft MXDR service, Microsoft Defender Experts for XDR, is helping our SOC team around the clock and taking our security posture to the next level. On our second day of using the service, there was an alert we had previously dismissed, but Microsoft continued the investigation and identified a machine in our environment that was open to the internet. It was created by a threat actor using a remote desktop protocol (RDP). Microsoft Defender Experts for XDR’s MXDR investigation and response to remediate the issue was immediately valuable to us.”

—Director of Security Operations, financial services industry

MXDR beyond the endpoint with Microsoft Defender Experts for XDR Halt cyberthreats before they do damage

In 2024 the mean time for the average organization to identify a breach was 194 days and containment 64 days.6  Organizations must proactively look for cyberattackers across unified cross-domain telemetry versus relying solely on disparate product alerts. Proactive threat hunting is no longer a nice-to-have in an organization’s security practice. It’s a must-have to detect cyberthreats faster before they can do significant harm.

When every minute counts, Microsoft Defender Experts for XDR can help speed up the detection of an intrusion with proactive threat hunting informed by Microsoft’s threat intelligence, which tracks more than 1,500 unique cyberthreat groups and correlates insights from 78 trillion security signals per day.7

Microsoft Defender Experts for Hunting proactively looks for threats around the clock across endpoints, email, identity, and cloud apps using Microsoft Defender and other signals. Threat hunting leverages advanced AI and human expertise to probe deeper and rapidly correlate and expose cyberthreats across an organization’s security stack. With visibility across diverse, cross-domain telemetry and threat intelligence, Microsoft Defender Experts for Hunting extends in-house threat hunting capabilities to provide an additional layer of threat detection to improve a SOC’s overall threat response and security efficacy.

In a recent survey, 63% of organizations saw a measurable improvement in their security posture with threat hunting. 49% saw a reduction in network and endpoint attacks along with more accurate threat detection and a reduction of false positives.8

Microsoft Defender Experts for Hunting enables organizations to detect and mitigate cyberthreats such as advanced persistent threats or zero-day vulnerabilities. By actively seeking out hidden risks and reducing dwell time, threat hunting minimizes potential damage, enhances incident response, and strengthens overall security posture.

Microsoft Defender Experts for XDR, which includes Microsoft Defender Experts for Hunting, allows customers to stay ahead of sophisticated threat actors, uncover gaps in defenses, and adapt to an ever-evolving cyberthreat landscape.

“Managed threat hunting services detect and address security threats before they become major incidents, reducing potential damage. By implementing this (Defender Experts for Hunting), we enhance our cybersecurity posture by having experts who continuously look for hidden threats, ensuring the safety of our data, reputation, and customer trust.”

—CISO, technology industry

Spend less to get more

Microsoft Defender Experts for XDR helps CISOs do more with their security budgets. According to a 2024 Forrester Total Economic Impact™ study, Microsoft Defender Experts for XDR generated a project return on investment (ROI) of up to 254% with a projected net present value of up to $6.1 million for the profiled composite company.4

Microsoft Defender Experts for XDR includes trusted advisors who provide insights on operationalizing Microsoft Defender XDR for optimal security efficacy. This helps reduce the burden on in-house security and IT teams so they can focus on other projects.

Beyond lowering security operations costs, the Forrester study noted Microsoft Defender Experts for XDR efficiency gains for surveyed customers, including a 49% decrease in security-related IT help desk tickets. Other productivity gains included freeing up 42% of available full time employee hours and lowering general IT security-related project hours by 20%.4

Learn how Microsoft Defender Experts for XDR can improve organizational security

Microsoft Defender Experts for XDR is Microsoft’s MXDR service. It delivers round-the-clock threat detection, investigation, and response capabilities, along with proactive threat hunting. Designed to help close the security talent gap and enhance organizational security postures, the MXDR service combines Microsoft’s advanced Microsoft Defender XDR capabilities with dedicated security experts to tackle cyberthreats like phishing, ransomware, and zero-day vulnerabilities. Offering rapid deployment, significant ROI (254%, as per Forrester), and operational efficiencies, Microsoft Defender Experts for XDR reduces incident and alerts volume, improves the security posture, and frees up in-house resources. Organizations worldwide benefit from these scalable solutions, leveraging Microsoft’s threat intelligence and security expertise to stay ahead of evolving cyberthreats.

To learn more, please visit Microsoft Defender Experts for XDR or contact your Microsoft security representative.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Frost & Sullivan names Microsoft a Leader in the Frost Radar™: Managed Detection and Response, 2024, Srikanth Shoroff. March 25, 2024.

2Microsoft a Leader in the Forrester Wave for XDR, Microsoft Security Blog. June 3, 2024.

3ISC2 Cybersecurity Workforce Report, 2024.

4Forrester Consulting study commissioned by Microsoft, 2024, New Technology: The Projected Total Economic Impact™ of Microsoft Defender Experts For XDR.

52024 Phishing Facts and Statistics, Identitytheft.org.

6Time to identify and contain data breaches global 2024, Statista.

7Microsoft Digital Defense Report, 2024.

8SANS 2024 Threat Hunting Survey, March 19, 2024.

The post Why security teams rely on Microsoft Defender Experts for XDR for managed detection and response appeared first on Microsoft Security Blog.