Microsoft Malware Protection Center

Subscribe to Microsoft Malware Protection Center feed
Expert coverage of cybersecurity topics
Updated: 43 min 4 sec ago

AI innovations for a more secure future unveiled at Microsoft Ignite

Tue, 11/19/2024 - 8:30am

In today’s rapidly changing cyberthreat landscape, influenced by global events and AI advancements, security must be top of mind. Over the past three years, password cyberattacks have surged from 579 to more than 7,000 per second, nearly doubling in the last year alone.¹ New cyberattack methods challenge our security posture, pushing us to reimagine how the global security community defends organizations.  

At Microsoft, we remain steadfast in our commitment to security, which continues to be our top priority. Through our Secure Future Initiative (SFI), we’ve dedicated the equivalent of 34,000 full-time engineers to the effort, making it the largest cybersecurity engineering project in history—driving continuous improvement in our cyber resilience. In our latest update, we share insights into the work we are doing in culture, governance, and cybernorms to promote transparency and better support our customers in this new era of security. For each engineering pillar, we provide details on steps taken to reduce risk and provide guidance so customers can do the same.

Insights gained from SFI help us continue to harden our security posture and product development. At Microsoft Ignite 2024, we are pleased to unveil new security solutions, an industry-leading bug bounty program, and innovations in our AI platform. 

Learn more about the Secure Future Initiative Transforming security with graph-based posture management 

Microsoft’s Security Fellow and Deputy Chief Information Security Office (CISO) John Lambert says, “Defenders think in lists, cyberattackers think in graphs. As long as this is true, attackers win,” referring to cyberattackers’ relentless focus on the relationships between things like identities, files, and devices. Exploiting these relationships helps criminals and spies do more extensive damage beyond the point of intrusion. Poor visibility and understanding of relationships and pathways between entities can limit traditional security solutions to defending in siloes, unable to detect or disrupt advanced persistent threats (APTs).

We are excited to announce the general availability of Microsoft Security Exposure Management. This innovative solution dynamically maps changing relationships between critical assets such as devices, data, identities, and other connections. Powered by our security graph, and now with third-party connectors for Rapid 7, ServiceNow, Qualys, and Tenable in preview, Exposure Management provides customers with a comprehensive, dynamic view of their IT assets and potential cyberattack paths. This empowers security teams to be more proactive with an end-to-end exposure management solution. In the constantly evolving cyberthreat landscape, defenders need tools that can quickly identify signal from noise and help prioritize critical tasks.  

Beyond seeing potential cyberattack paths, Exposure Management also helps security and IT teams measure the effectiveness of their cyber hygiene and security initiatives such as zero trust, cloud security, and more. Currently, customers are using Exposure Management in more than 70,000 cloud tenants to proactively protect critical entities and measure their cybersecurity effectiveness.

Explore Microsoft Security Exposure Management Announcing $4 million AI and cloud security bug bounty “Zero Day Quest” 

Born out of our Secure Future Initiative commitments and our belief that security is a team sport, we also announced Zero Day Quest, the industry’s largest public security research event. We have a long history of partnering across the industry to mitigate potential issues before they impact our customers, which also helps us build more secure products by default and by design.  

Every year our bug bounty program pays millions for high-quality security research with over $16 million awarded last year. Zero Day Quest will build on this work with an additional $4 million in potential rewards focused on cloud and AI—— which are areas of highest impact to our customers. We are also committed to collaborating with the security community by providing access to our engineers and AI red teams. The quest starts now and will culminate in an in-person hacking event in 2025.

As part of our ongoing commitment to transparency, we will share the details of the critical bugs once they are fixed so the whole industry can learn from them—after all, security is a team sport. 

Learn more about Zero Day Quest New advances for securing AI and new skills for Security Copilot 

AI adoption is rapidly outpacing many other technologies in the digital era. Our generative AI solution, Microsoft Security Copilot, continues to be adopted by security teams to boost productivity and effectiveness. Organizations in every industry, including National Australia Bank, Intesa Sanpaolo, Oregon State University, and Eastman are able to perform security tasks faster and more accurately.² A recent study found that three months after adopting Security Copilot, organizations saw a 30% reduction in their mean time to resolve security incidents. More than 100 partners have integrated with Security Copilot to enrich the insights with ecosystem data. New Copilot skills are now available for IT admins in Microsoft Entra and Microsoft Intune, data security and compliance teams in Microsoft Purview, and security operations teams in the Microsoft Defender product family.   

Discover more with Microsoft Security Copilot

According to our Security for AI team’s new “Accelerate AI transformation with strong security” white paper, we found that over 95% of organizations surveyed are either already using or developing generative AI, or they plan to do so in the future, with two thirds (66%) choosing to develop multiple AI apps of their own. This fast-paced adoption has led to 37 new AI-related bills passed into law worldwide in 2023, reflecting a growing international effort to address the security, safety, compliance, and transparency challenges posed by AI technologies.³ This underscores the criticality of securing and governing the data that fuels AI. Through Microsoft Defender, our customers have discovered and secured more than 750,000 generative AI app instances and Microsoft Purview has audited more than a billion Copilot interactions.⁴  

Microsoft Purview is already helping thousands of organizations, such as Cummins, KPMG, and Auburn University, with their AI transformation by providing data security and compliance capabilities across Microsoft and third-party applications. Now, we’re announcing new capabilities in Microsoft Purview to discover, protect, and govern data in generative AI applications. Available for preview, new capabilities in Purview include Data Loss Prevention (DLP) for Microsoft 365 Copilot, prevention of data oversharing in AI apps, and detection of risky AI use such as malicious intent, prompt injections, and misuse of protected materials. Additionally, Microsoft Purview now includes Data Security Posture Management (DSPM) that gives customers a single pane of glass to proactively discover data risks, such as sensitive data in user prompts, and receive recommended actions and insights for quick responses during incidents. For more details, read the blog on Tech Community

Explore Microsoft Purview

Microsoft continues to innovate on our end-to-end security platform to help defenders make the complex simpler, while staying ahead of cyberthreats and enabling their AI transformation. At the same time, we are continuously improving the safety and security of our cloud services and other technologies, including these recent steps to make Windows 11 more secure

Next steps with Microsoft Security

From the advances announced to our daily defense of customers, and the steadfast dedication of Chief Executive Officer (CEO) Satya Nadella and every employee, security remains our top priority at Microsoft as we deliver on our principles of secure by design, secure by default, and secure operations. To learn more about our vision for the future of security, tune in to the Microsoft Ignite keynote. 

Microsoft Ignite 2024

Gain insights to keep your organizations safer with an AI-first, end-to-end cybersecurity approach.

Register now

Are you a regular user of Microsoft Security products? Review your experience on Gartner Peer Insights™ and get a $25 gift card. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

¹ Microsoft Digital Defense Report 2024.

² Microsoft customer stories:

³ How countries around the world are trying to regulate artificial intelligence, Theara Coleman, The Week US. July 4, 2023.

Earnings Release FY25 Q1, Microsoft. October 30, 2024.

The post AI innovations for a more secure future unveiled at Microsoft Ignite appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft Data Security Index annual report highlights evolving generative AI security needs

Wed, 11/13/2024 - 12:00pm

Generative AI presents companies of all sizes with opportunities to increase efficiency and drive innovation. With this opportunity comes a new set of cybersecurity requirements particularly focused on data that has begun to reshape the responsibilities of data security teams. The 2024 Microsoft Data Security Index focuses on key statistics and actionable insights to secure your data used and referenced by your generative AI applications.

What is generative aI?

Learn more

84% of surveyed organizations want to feel more confident about managing and discovering data input into AI apps and tools. This report includes research to provide you with the actionable industry-agnostic insights and guidance to better secure your data used by your generative AI applications. 

Microsoft Data Security Index

Gain deeper insights about generative AI and its influence on data security.

Discover more

In 2023, we commissioned our first independent research that surveyed more than 800 data security professionals to help business leaders develop their data security strategies. This year, we expanded the survey to 1,300 security professionals to uncover new learnings on data security and AI practices.   

Some of the top-level insights from our expanded research are:  

  1. The data security landscape remains fractured across traditional and new risks due to AI.
  2. User adoption of generative AI increases the risk and exposure of sensitive data.
  3. Decision-makers are optimistic about AI’s potential to boost their data security effectiveness.
The data security landscape remains fractured across traditional and new risks

On average, organizations are juggling 12 different data security solutions, creating complexity that increases their vulnerability. This is especially true for the largest organizations: On average, medium enterprises use nine tools, large enterprises use 11, and extra-large enterprises use 14. In addition, 21% of decision-makers cite the lack of consolidated and comprehensive visibility caused by disparate tools as their biggest challenge and risk.

Fragmented solutions make it difficult to understand data security posture since data is isolated and disparate workflows could limit comprehensive visibility into potential risks. When tools don’t integrate, data security teams have to build processes to correlate data and establish a cohesive view of risks, which can lead to blind spots and make it challenging to detect and mitigate risks effectively.

As a result, the data also shows a strong correlation between the number of data security tools used and the frequency of data security incidents. In 2024, organizations using more data security tools (11 or more) experienced an average of 202 data security incidents, compared to 139 incidents for those with 10 or fewer tools.

In addition, a growing area of concern is the rise in data security incidents from the use of AI applications, which nearly doubled from 27% in 2023 to 40% in 2024. Attacks from the use of AI apps not only expose sensitive data but also compromise the functionality of the AI systems themselves, further complicating an already fractured data security landscape.

In short, there’s an increasingly urgent need for more integrated and cohesive data security strategies that can address both traditional and emerging risks linked to the use of AI tools.

Adoption of generative AI increases the risk and exposure of sensitive data

User adoption of generative AI increases the risk and exposure of sensitive data. As AI becomes more embedded in daily operations, organizations recognize the need for stronger protection. 96% of companies surveyed admitted that they harbored some level of reservation about employee use of generative AI. However, 93% of companies also reported that they had taken proactive action and were at some stage of either developing or implementing new controls around employee use of generative AI.  

Unauthorized AI applications can access and misuse data, leading to potential breaches. The use of these unauthorized AI applications often occurs with employees logging in with personal credentials or using personal devices for work-related tasks. On average, 65% of organizations admit that their employees are using unsanctioned AI apps.

Given these concerns, it is important for organizations to implement the right data security controls and to mitigate these risks and ensure that AI tools are used responsibly. Currently, 43% of companies are focused on preventing sensitive data from being uploaded into AI apps, while another 42% are logging all activities and content within these apps for potential investigations or incident response. Similarly, 42% are blocking user access to unauthorized tools, and an equal percentage are investing in employee training on secure AI use.

To implement the right data security controls, customers need to increase their visibility of their AI application usage as well as the data that is flowing through those applications. In addition, they need a way to assess the risk levels of emerging generative AI applications and be able to apply conditional access policies to those applications based on a user’s risk levels.

Finally, they need to be able to access audit logs and generate reports to help them assess their overall risk levels as well as provide transparency and reporting for regulatory compliance.

AI’s potential to boost data security effectiveness

Traditional data security measures often struggle to keep up with the sheer volume of data generated in today’s digital landscape. AI, however, can sift through this data, identifying patterns and anomalies that might indicate a security threat. Regardless of where they are in their generative AI adoption journeys, organizations that have implemented AI-enabled data security solutions often gain both increased visibility across their digital estates and increased capacity to process and analyze incidents as they are detected.

77% of organizations believe that AI will accelerate their ability to discover unprotected sensitive data, detect anomalous activity, and automatically protect at-risk data. 76% believe AI will improve the accuracy of their data security strategies, and an overwhelming 93% are at least planning to use AI for data security.

Organizations already using AI as part of their data security operations also report fewer alerts. On average, organizations using AI security tools receive 47 alerts per day, compared to an average 79 alerts among those that have yet to implement similar AI solutions.

AI’s ability to analyze vast amounts of data, detect anomalies, and respond to threats in real-time offers a promising avenue for strengthening data security. This optimism is also driving investments in AI-powered data security solutions, which are expected to play a pivotal role in future security strategies.

As we look to the future, customers are looking for ways to streamline how they discover and label sensitive data, provide more effective and accurate alerts, simplify investigations, make recommendations to better secure their data environments, and ultimately reduce the number of data security incidents.

Read the full Microsoft Data Security Index Final thoughts 

So, what can be made of this new generative AI revolution, especially as it pertains to data security? For those beginning their adoption roadmap or looking for ways to improve, here are three broadly applicable recommendations:  

  • Hedge against data security incidents by adopting an integrated platform.
  • Adopt controls for employee use of generative AI that won’t impact productivity. 
  • Uplevel your data security strategy with help from AI.

Gain deeper insights about generative AI and its influence on data security by exploring Data Security Index: Trends, insights, and strategies to keep your data secure and navigate generative AI. There you’ll also find in-depth sentiment analysis from participating data security professionals, providing even more insight into common thought processes around generative AI adoption. For further reading, you can also check out the Data Security as a Foundation for Secure AI Adoption white paper. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post Microsoft Data Security Index annual report highlights evolving generative AI security needs appeared first on Microsoft Security Blog.

Categories: Microsoft

DoD Zero Trust Strategy proves security benchmark years ahead of schedule with Microsoft collaboration

Mon, 11/11/2024 - 12:00pm

In 2022, the United States Department of Defense (DoD) released its formal Zero Trust (ZT) Strategy with the goal of achieving enterprise-wide Target Level ZT implementation by September 30, 2027. A pioneer among these departments is the United States Navy, which recently launched Flank Speed—a large-scale zero trust deployment that aims to protect more than 560,000 identities and devices while improving the overall user experience.  

As part of the department’s ongoing assessments of zero trust implementation, Flank Speed just underwent its second round of security assessments sponsored by the DoD Zero Trust Portfolio Management Office (PfMO)—with tremendous results. Just two years after the initial DoD guidance was issued, the United States Navy demonstrated that their integrated approach to security could achieve the department’s ZT goals, years ahead of schedule. The model developed by the Navy in collaboration with Microsoft can be replicated to help both civilian and defense agencies to similarly accelerate their own zero trust goals. 

DoD Zero Trust Report

The United States Navy is proving that Zero Trust goes beyond compliance standards and has become a proven security methodology with real world results.  

Discover more

During the exhaustive test, the comprehensive, integrated suite of Microsoft Security tools enabled Navy personnel to meet Target Level zero trust implementation, achieving 100% success in the 91 Target Level activities tested. Further testing of 61 Advanced Level zero trust activities determined the Navy had achieved success in nearly all (60 of 61) advanced Target Level activities.

The DoD expanded beyond traditional penetration testing to thoroughly evaluate all 152 zero trust activities. Prior to the month-long test, military personnel were trained on the effective operation of the comprehensive zero trust solution over the course of six months. This training allowed Navy personnel to detect and mitigate all attack vectors presented to them by the near-peer adversary assessment team.  

“Flank Speed’s unprecedented ability to achieve the very highest level of DoD ZT outcomes demonstrate to us that the department and the federal government that ZT cyber defenses work very effectively to protect and defend our data and systems against the very latest cyber-attacks from our adversaries.”

—Mr. Randy Resnick, Senior Executive Service, Chief ZT Officer for the DoD 

Components of success 

Flank Speed is a large-scale deployment born out of the need to securely facilitate remote workers at the onset of the COVID-19 pandemic and built on the Navy’s unclassified combined Azure and Microsoft 365 Impact Level 5(IL5) cloud. To achieve a secure operating environment, the Navy aligned its security approach around the DoD’s seven zero trust pillars—each of which represents its own protection area:  

  • Users 
  • Devices
  • Applications and workloads
  • Data
  • Networks
  • Automation and orchestration
  • Visibility and analytics

As outlined in the diagram below, the Microsoft 365 E5 package combines best-in-class productivity solutions with comprehensive security technologies that can address all seven pillars of the DoD Zero Trust Strategy.  

This comprehensive and extensible zero trust platform supports a range of environments including hybrid cloud, multicloud, and multiplatform needs. It brings pre-integrated extended detection and response (XDR) services, coupled with cloud-based device management and cloud-based identity and access management to meet the security priorities necessary for all defense and civilian organizations. The specific technologies and implementation strategies that support each pillar are outlined in this blog post. Microsoft has also published a higher-level Security Adoption Framework (SAF) that provides guidance to organizations as they navigate the ever-changing security landscape. 

A partner agencies can trust 

Implementation of a zero trust solution from scratch can be a daunting task. A successful deployment requires the integration of properly configured technologies across numerous product categories. No single product can effectively achieve zero trust goals alone, but selecting a set of integrated capabilities whether first or third party can provide significant acceleration. In order to be effective in the long term, a zero trust implementation must also be flexible enough to adapt quickly to new adversary tactics. Following the White House Executive Order to improve the nation’s cybersecurity and protect federal government networks, Microsoft offered technical expertise that helped architect and deploy technologies aligned to the DoD ZT strategy, including continuous monitoring, big data analysis, and comply-to-connect components. 

The success of Flank Speed is a critical demonstration of this collaborative approach to implementation. That a complex and critical environment such as that belonging to the Navy fully met not only its Target Level zero trust activities, but nearly all of the Advanced Level criteria more than three years before the DoD’s 2027 deadline with a repeatable solution, is a testament that zero trust can be implemented effectively at scale across the government.  

Importantly, though Flank Speed itself is cloud-native, it has been deployed to extend its usability and security capabilities to both cloud-only and existing on-premises workloads and devices, both ashore and afloat. This gave the Navy a rapid path to increased security that was independent of any effort to modernize or sunset existing legacy assets. Along with the proven security achievements, this capacity to extend zero trust security to existing infrastructure could have wide-ranging benefits for organizations pursuing similar cybersecurity goals of a homogeneous security baseline across heterogeneous environments. 

A commitment to security and innovation 

Microsoft’s support in helping the United States Department of Defense and its branches achieve zero trust implementation also helps inform Microsoft’s own Secure Future Initiative, which aims to continuously apply the company’s cumulative security learnings in an effort to improve its own methods and practices, and to ensure that security is kept paramount in everything Microsoft creates and provides to its customers. Independent learnings gleaned as part of the Secure Future Initiative, in return, help Microsoft refine its approach in support of government organizations and a vast ecosystem of security partners. In this way Microsoft can work to ensure that zero trust environments supported by Microsoft 365 and Azure stay up to date, even as cyber threat actors change and mature their tactics and tools. This continuous collaboration advances the broader effort to secure and support the United States national security and the security posture of democratic organizations the world over.  

Microsoft commends the United States Navy for their milestone achievement. The United States Navy and the United States Department of Defense are proving that zero trust goes beyond compliance standards and has become a proven security methodology with real world results.  

Read the full DoD Zero Trust assessment announcement Next steps

To learn more about how to accelerate your Zero Trust implementation with best practices, the latest trends, and a framework informed by real-world deployments, visit our latest guidance

 To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post DoD Zero Trust Strategy proves security benchmark years ahead of schedule with Microsoft collaboration appeared first on Microsoft Security Blog.

Categories: Microsoft

More value, less risk: How to implement generative AI across the organization securely and responsibly

Thu, 11/07/2024 - 12:00pm

The technology landscape is undergoing a massive transformation, and AI is at the center of this change—posing both new opportunities as well as new threats.  While AI can be used by adversaries to execute malicious activities, it also has the potential to be a game changer for organizations to help defeat cyberattacks at machine speed. Already today generative AI stands out as a transformative technology that can help boost innovation and efficiency. To maximize the advantages of generative AI, we need to strike a balance between addressing the potential risks and embracing innovation. In our recent strategy paper, “Minimize Risk and Reap the Benefits of AI,” we provide a comprehensive guide to navigating the challenges and opportunities of using generative AI.

According to a recent survey conducted by ISMG, the top concerns for both business executives and security leaders on using generative AI in their organization range, from data security and governance, transparency and accountability to regulatory compliance.1 In this paper, the first in a series on AI compliance, governance, and safety from the Microsoft Security team, we provide business and technical leaders with an overview of potential security risks when deploying generative AI, along with insights into recommended safeguards and approaches to adopt the technology responsibly and effectively.

Learn how to deploy generative AI securely and responsibly

In the paper, we explore five critical areas to help ensure the responsible and effective deployment of generative AI: data security, managing hallucinations and overreliance, addressing biases, legal and regulatory compliance, and defending against threat actors. Each section provides essential insights and practical strategies for navigating these challenges. 

Data security

Data security is a top concern for business and cybersecurity leaders. Specific worries include data leakage, over-permissioned data, and improper internal sharing. Traditional methods like applying data permissions and lifecycle management can enhance security. 

Managing hallucinations and overreliance

Generative AI hallucinations can lead to inaccurate data and flawed decisions. We explore techniques to help ensure AI output accuracy and minimize overreliance risks, including grounding data on trusted sources and using AI red teaming. 

Defending against threat actors

Threat actors use AI for cyberattacks, making safeguards essential. We cover protecting against malicious model instructions, AI system jailbreaks, and AI-driven attacks, emphasizing authentication measures and insider risk programs. 

Addressing biases

Reducing bias is crucial to help ensure fair AI use. We discuss methods to identify and mitigate biases from training data and generative systems, emphasizing the role of ethics committees and diversity practices.

Legal and regulatory compliance

Navigating AI regulations is challenging due to unclear guidelines and global disparities. We offer best practices for aligning AI initiatives with legal and ethical standards, including establishing ethics committees and leveraging frameworks like the NIST AI Risk Management Framework.

Explore concrete actions for the future

As your organization adopts generative AI, it’s critical to implement responsible AI principles—including fairness, reliability, safety, privacy, inclusiveness, transparency, and accountability. In this paper, we provide an effective approach that uses the “map, measure, and manage” framework as a guide; as well as explore the importance of experimentation, efficiency, and continuous improvement in your AI deployment.

I’m excited to launch this series on AI compliance, governance, and safety with a strategy paper on minimizing risk and enabling your organization to reap the benefits of generative AI. We hope this series serves as a guide to unlock the full potential of generative AI while ensuring security, compliance, and ethical use—and trust the guidance will empower your organization with the knowledge and tools needed to thrive in this new era for business.

Additional resources

Minimize Risk and Reap the Benefits of AI

Get more insights from Bret Arsenault on emerging security challenges from his Microsoft Security blogs covering topics like next generation built-in security, insider risk management, managing hybrid work, and more.

1, 2 ISMG’s First annual generative AI study – Business rewards vs. security risks: Research report, ISMG.

The post More value, less risk: How to implement generative AI across the organization securely and responsibly appeared first on Microsoft Security Blog.

Categories: Microsoft

​​Zero Trust Workshop: Advance your knowledge with an online resource

Wed, 11/06/2024 - 12:00pm

Microsoft is on the front lines helping secure customers worldwide—analyzing and responding to cybersecurity threats, building security technologies,  and partnering with organizations to effectively deploy these technologies for increased security. Many of you have been following as we’ve described our Secure Future Initiative, which is pushing the Zero Trust principles verify explicitly, least privilege and assume breach into the programmatic approach of Secure by Design, Secure by Default, and Secure Operations across Microsoft consistently, durably and at scale. In the Microsoft Security division, we are also focused on helping our customers deploy our suite of security products to protect themselves from cyber threats. We know that most of our customers are embarking on a Zero Trust journey, but many struggle with the enormity of the opportunity: where to start, what to do next, and how to measure progress. 

We are announcing a resource to help our customers answer these questions: The Microsoft Zero Trust Workshop, a self-service tool to help you plan and execute your Zero Trust journey guide by yourself or with the guidance of a partner.

The Zero Trust Workshop lets you customize your organization’s end-to-end security deployment to your unique business needs and your environment with a powerful tool that: provides a comprehensive assessment of zero trust capabilities learned from hundreds of deployments; guides you with a visual easy-to-use tool that explains each step of the journey; and delivers a digital artifact that you and your team can use to plan and prioritize your next steps and to compare and measure progress regularly. 

Zero Trust Workshop

A comprehensive technical guide to help customers and partners adopt a Zero Trust strategy and deploy security solutions end-to-end to secure their organizations.

Learn more How our workshop helps customers and partners solidify their Zero Trust strategy 

Over the past year, we have piloted this workshop with more than 30 customers and partners. They have consistently told us that this provides them with the clarity, coverage, and actionable guidance they need to secure their organization within each Zero Trust pillar and across the pillars. When asked how likely they are to recommend the workshop to their partner teams or to other customers, customers give the workshop a net promoter score of 73.

The layout and question structure is fantastic as it provokes a fair amount of thought around adding each of the capabilities to take a multi-faceted approach to authentication and authorization.

—Senior vice president at a major financial institution

Security is a team sport, and we recognize that customers often need security partners to help them plan and execute their security strategy. This is why we partnered with several deployment partners across the pillars of Zero Trust to get their feedback on the workshop and how they would use it to help their customers.

The Zero Trust Workshop is a great starting point for our customers who want to embrace Zero Trust principles, but don’t know how to align the technology they already own. Furthermore, the workshop allows our customers to measure the progress they’ve made and aim for the next incremental hardening of the Zero Trust model, which is part and parcel of the Zero Trust manner of thinking. As a Microsoft partner and as an MVP, I advocate that customers use the materials provided by Microsoft, including these workshops, to measure and further their security posture.

Nicolas Blank, NBConsult

[The Zero Trust workshop] has enabled Slalom to help clients accelerate their efforts towards a comprehensive cyber resilience strategy. It provides a clear picture of an organization’s current state and provides a template for order of operations and best practices in a very tidy package. It’s an easy-to-use tool with a huge impact, and our clients and workshop participants have been very impressed by how it organizes and prioritizes a complex set of operations in an approachable and manageable way.

Slalom

Please try the Zero Trust Workshop How to start using the workshop to plan your Zero Trust journey

The Zero Trust Workshop is comprised of two main components, all in one handy file you can download and use to drive these conversations: 

  • The Zero Trust Basic Assessment (optional): For customers starting on their Zero Trust journey, the assessment is a foundational tool that customers can run before the workshop to check for common misconfigurations and gaps in settings (for example, having too many global admins) to remediate before starting to enable the security features and capabilities of a Zero Trust journey.  
  • The Zero Trust Strategy workshop: This is a guided breakdown of the Zero Trust areas according to the standard Zero Trust pillars (Identity, Devices, Data, Network, Infrastructure and Application, and Security Operations). For each pillar, we walk you through the associated areas with a proposed “do this first, consider this then, think about this next” order to how you should tackle them. For each area and capability, you have guidance on why it matters and options to address it and then can discuss it with your stakeholder and decide if this is something you already did, something you are going to do, or something you do not plan to implement at this time. As you progress through the different boxes and areas, you create an artifact for your organization on how well-deployed you are in this Zero Trust pillar and what are the next areas to tackle.  

Now, we are launching the Identity, Devices, and Data pillars. We will add the Network, Infrastructure and Application, and Security Operations in the coming few months. The website for the workshop will announce these as they become available.

Figure 1. Example of the apps and users area of the Identity pillar of the workshop. Figure 2. Example of the strategy and co-management areas of the Devices pillar of the workshop. Figure 3. Example of the identification, classification and protection areas of the Data pillar of the workshop.

I invite you to check out the Zero Trust Workshop site where we have detailed training videos and content. 

For our valued security deployment partners, the workshop is also included in the recently launched Zero Trust Partner kit where, as a partner, you can take the workshop material and customize it for your customer engagements based on your needs. 

Closing thoughts

We all need to work together to help secure the world we live in and keep people safe with the intention of collective defense. As shared in the most recent Microsoft Digital Defense Report, the cyber threat landscape is ever-growing and requires a collaborative approach between product vendors, security experts, and customers to help protect everyone. In the spirit of working with the wider ecosystem to help secure all customers, we recently partnered with NIST’s NCCoE and more than 20 security vendors to publish a guide on how to adopt NIST’s Zero Trust reference architecture using Microsoft’s Security products and this is another example of us working with all of you deploying security out there to help secure the ecosystem. 

Give the Zero Trust Workshop a try

We would love to hear how you are using it. Use the feedback form on the site to share with us how we can improve it to help your organization implement a Zero Trust journey. 

Additional resources to accelerate your Zero Trust journey 

This joins a library of other resources to guide your security modernization and Zero Trust journey, including: 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

The post ​​Zero Trust Workshop: Advance your knowledge with an online resource appeared first on Microsoft Security Blog.

Categories: Microsoft

How Microsoft Defender for Office 365 innovated to address QR code phishing attacks

Mon, 11/04/2024 - 12:00pm

Over the last year, the cybersecurity industry faced a significant surge in QR code phishing campaigns, with some attacks increasing at a growth rate of 270% per month.1 A QR code (short for “Quick Response code”) is a two-dimensional barcode that can be scanned using a smartphone or other mobile device equipped with a camera. The codes can contain information like website URLs, contact information, product details, and more. They are most often used for taking users to websites, files, or applications. But when bad actors exploit them, they can be used to mislead users into unwittingly compromising their credentials and data.

Advanced protection against phishing with Microsoft Defender for Office 365 Unique characteristics of QR code phishing campaigns

Security 101: What is phishing?

Learn more

Like with other phishing techniques, the goal of QR code phishing attacks is to get the user to click on a malicious link that seems legitimate. They often use minimalistic emails to deliver malicious QR codes that prompt seemingly legitimate actions—like password resets or two-factor authentication verifications. A QR code can also be easily manipulated to redirect unsuspecting victims to malicious websites or to download malware in exactly the same way as URLs.

Figure 1. QR code as an image within email body redirecting to a malicious website.

The normal warning signs users might notice on larger screens can often go unnoticed on mobile devices. While the tactics, techniques, and procedures (TTPs) vary depending on which bad actor is at work, Microsoft Defender for Office 365 has detected a key set of patterns in QR code phishing attacks, including but not limited to:

  • URL redirection, where a click or tap takes you not where you expected, but to a forwarded URL.
  • Minimal to no text, which reduces the signals available for analysis and machine learning detection.
  • Exploiting a known or trusted brand, using their familiarity and reputation to increase likelihood of interaction.
  • Exploiting known email channels that trusted, legitimate senders use.
  • A variety of social lures, including multifactor authentication, document signing, and more.
  • Embedding QR codes in attachments.
The impact of QR code phishing campaigns on the broader email security industry

With the most common intent of QR code phishing being credential theft, malware distribution, or financial theft, QR code campaigns are often massive—exceeding 1,000 users and follow targeted information gathering reconnaissance by bad actors.2

Microsoft security researchers first started noticing an increase in QR-code based attacks in September 2023. We saw attackers quickly morphing their techniques in two keys ways: First by manipulating the way that the QR code rendered (such as different colors and tables), and second by manipulating the embedded URL to do redirection.

The dynamic nature of QR codes made it challenging for traditional email security mechanisms that were designed for link-based phishing techniques to effectively filter and protect against these types of cyberattacks. A key reason was the fact that extensive image content analysis was not commonly done for every image in every message, and did not represent a standard in the industry at the time of the surge.

As a result, for several months our customers saw an increase in bad email that contained malicious QR codes as we were adapting and evolving our technology to be effective against QR codes. This was a challenging time for our customers and those of other email security vendors. We added incremental resources and redirected all our engineering energy to address these issues, and along the way not only delivered new technological innovations but also modified our processes and modernized components of our pipeline to be more resilient in the future. Now these challenges have been addressed through a key set of innovations, and we want to share our learnings and technology advancements moving forward.

For bad actors, QR code phishing has become a lucrative business, and attackers are utilizing AI and large language models (LLMs) like ChatGPT to increase the speed and improve the believability of their attacks. Recent research by Insikt Group noted that bad actors can generate 1,000 phishing emails in under two hours for as little as $10.3 For the security industry, this necessitates a multifaceted response including improved employee training and a renewed commitment to innovation.

The necessity of innovation in QR code phishing defense

Innovation in the face of evolving QR code phishing risk is not just beneficial, it’s imperative. As cybercriminals continually refine their tactics to exploit new technologies, security solutions must evolve at a similar pace to remain effective. In response to the growing threat of QR code phishing, Microsoft Defender for Office 365 took decisive action to leverage advanced machine learning and AI—developing robust defenses capable of detecting and neutralizing QR code phishing attacks in real time. Our team meticulously analyzed these cyberthreats across trillions of signals, gaining valuable insights into their mechanisms and evolving patterns. This knowledge helped us refine our security protocols and enhance our platform’s resilience with several strategic updates. As the largest email security provider, we have seen a significant decline in QR code phishing attempts. At the height, Defender for Office 365 was blocking 3 million attempts daily, and with the delivery of innovative protection we have seen this number shrink to 200,000 QR code phishing attempts every day. This is testament that our innovation is having the desired effect: reducing the effectiveness of QR code-based attacks and forcing attackers to shift their tactics.

Figure 2. QR code phishing blocked by Microsoft Defender for Office 365.

Recent innovations and protections we’ve implemented and improved within Microsoft Defender for Office 365 to help combat QR code phishing include:

  • URL extraction enhancements: Microsoft Defender for Office 365 has improved its capabilities to extract URLs from QR codes, substantially boosting the system’s ability to detect and counteract phishing links hidden within QR images. This enhancement enables a more thorough analysis of potential cyberthreats embedded in QR codes. In addition, we now extract metadata from QR codes, which enriches the contextual data available during threat assessments, enhancing our ability to detect suspicious activities early in the attack chain.
  • Advanced image processing: Advanced image processing techniques at the initial stage of the mail flow process allow us to extract and log URLs hidden within QR codes. This proactive measure disrupts attacks before they have a chance to compromise end user inboxes, addressing cyberthreats at the earliest possible point.
  • Advanced hunting and remediation: To offer a comprehensive response to QR code threats across email, endpoint, and identities with our advanced hunting capabilities, security teams across organizations are well equipped to specifically identify and filter out malicious activities linked to these codes.
  • User resilience against QR code phishing: To further equip our organization against these emerging threats, Microsoft Defender for Office 365 has expanded its advanced capabilities to include QR code threats, maintaining alignment with email platforms and specific cyberattack techniques. Our attack simulation training systems along with standard setup of user selection, payload configuration, and scheduling, now have specialized payloads for QR code phishing to simulate authentic attack scenarios.

Read more technical details on how to hunt and respond to QR code-based attacks. By integrating all these capabilities across the Microsoft Defender XDR platform, we can help ensure any QR code-related threats identified in emails are thoroughly analyzed in conjunction with endpoint and identity data, creating a robust security posture that addresses threats on multiple fronts.

Protect against QR code-based phishing attacks with Microsoft Defender for Office 365 Staying ahead of the evolving threat landscape 

The enhancements of Microsoft Defender for Office 365 to defend against QR code-based phishing attacks showcased our need to advance Microsoft’s email and collaboration security faster. The rollout of the above has closed this gap and made Defender for Office 365 effective against these attacks, and as the use of QR codes expands, our defensive tactics will now equally advanced to combat them.

Our continuous investment in analyzing the cyberthreat landscape, learning from past gaps, and our updated infrastructure will enable us to effectively handle present issues and proactively address future risks faster as threats emerge across email and collaboration tools. We will soon be sharing more exciting innovation that will showcase our commitment to delivering the best email and collaboration security solution to customers.

For more information, view the data sheet on protecting against QR code phishing or visit the website to learn more about Microsoft Defender for Office 365.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Attackers Weaponizing QR Codes to Steal Employees Microsoft Credentials, Cybersecurity News. August 22, 2023.

2Hunting for QR Code AiTM Phishing and User Compromise, Microsoft Tech Community. February 12, 2024.

3Security Challenges Rise as QR Code and AI-Generated Phishing Proliferate, Recorded Future. July 18, 2024.

The post How Microsoft Defender for Office 365 innovated to address QR code phishing attacks appeared first on Microsoft Security Blog.

Categories: Microsoft

​​Microsoft now a Leader in three major analyst reports for SIEM

Thu, 10/31/2024 - 1:00pm

We’re excited and honored to be positioned in the Leaders Category in the IDC MarketScape: Worldwide SIEM (security information and event management) for Enterprise 2024 Vendor Assessment (doc #US51541324, September 2024)—our third major analyst report in SIEM to name Microsoft as a Leader. We were recognized in the most recent reports as a Leader in the 2024 Gartner® Magic Quadrant™ for Security Information and Event Management and as a Leader in The Forrester Wave™: Security Analytics Platforms, Q4 2022. We believe this position validates our vision and continued investments in Microsoft Sentinel, making it a best-in-class, cloud-native SIEM solution. It’s always a rewarding experience when trusted analysts recognize the continued work we’ve put into helping our customers modernize their operations, improve their security posture, and work more efficiently. 

A Leader in the market with an innovative solution for the SOC  

Microsoft Sentinel provides a unique experience for customers to help them act faster and stay safer while managing the scaling costs of security. Customers choose our SIEM in order to:  

Protect everything with a comprehensive SIEM solution. Microsoft Sentinel is a cloud-native solution that supports detection, investigation, and response across multi-cloud and multi-platform data sources with 340+ out-of-the-box connectors A strength of Microsoft’s offering is its breadth, which includes user entity and behavior analytics (UEBA), threat intelligence and security orchestration, automation, and response (SOAR) capabilities, along with native integrations into Microsoft Defender threat protection products. 

  • Enhance security with a unified security operations platform. Customers get the best protection when pairing Microsoft Sentinel with Defender XDR in Microsoft’s unified security operations platform. The integration not only brings the two products together into one experience but combines functionalities across each to maximize efficiency and security. One example is the unified correlation engine which delivers 50% faster alerting between first- and third-party data, custom detections and threat intelligence.3 Customers can stay safer with a unified approach, with capabilities like automatic attack disruption—which contains attacks in progress, limiting their impact at machine speed.   
  • Address any scenario. As the first cloud-native SIEM, Microsoft Sentinel helps customers observe threats across their digital estate with the flexibility required for today’s challenges. Our content hub offerings include over 200 Microsoft- created solutions and over 280 community contributions. The ability to adapt to the unique use cases of an organization is something called out in both the Forrester and Gartner reports.  
  • Scale your security coverage with cloud flexibility. Compared with legacy, on-premises SIEM solutions, Microsoft Sentinel customers see up to a 234% return on investment (ROI).1 This makes it an attractive option for customers looking for a scalable offering to meet the evolving needs of their business while managing the costs of data. We’ve recently launched a new, low-cost data tier called Auxiliary Logs to help customers increase the visibility of their digital environment, while keeping their budgets in check. In addition, Microsoft’s SOC Optimizations feature, a first of its kind offering, provides targeted recommendations to users on how to better leverage their security data to manage costs and maximize their protection, based on their specific environment and using frameworks like the MITRE attack map  
  • Respond quickly to emergent threats with AI. Security Copilot is a GenAI tool that can help analysts increase the speed of their response, uplevel their skills, and improve the quality of their work. 92% of analysts reported using Copilot helped make them more productive and 93% reported an improvement in the quality of their work.2  

What’s next in Microsoft Security 

Microsoft is dedicated to continued leadership in security through ongoing investment to provide customers with the intelligence, automation, and scalability they need to protect their businesses and work efficiently. New and upcoming enhancements include more unified features across SIEM and XDR, exposure management and cloud security in the unified security operations platform, and our SIEM migration tool—which now supports conversion of Splunk detections to Microsoft Sentinel analytics rules and additional Copilot skills to help analysts do their job better.  

​​CTA​: To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

[1] The Total Economic Impact™ Of Microsoft Sentinel (forrester.com) 

[2] Microsoft Copilot for Security randomized controlled trial (RCT) with experienced security analysts conducted by Microsoft Office of the Chief Economist, January 2024 

3Microsoft internal data 

Gartner, Magic Quadrant for Security Information and Event Management, By Andrew Davies, Mitchell Schneider, Rustam Malik, Eric Ahlm, 8 May 2024 

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

The post ​​Microsoft now a Leader in three major analyst reports for SIEM appeared first on Microsoft Security Blog.

Categories: Microsoft

Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network

Thu, 10/31/2024 - 1:00pm

Since August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks. Microsoft has linked the source of these password spray attacks to a network of compromised devices we track as CovertNetwork-1658, also known as xlogin and Quad7 (7777). Microsoft is publishing this blog on how covert networks are used in attacks, with the goal of increasing awareness, improving defenses, and disrupting related activity against our customers.

Microsoft assesses that credentials acquired from CovertNetwork-1658 password spray operations are used by multiple Chinese threat actors. In particular, Microsoft has observed the Chinese threat actor Storm-0940 using credentials from CovertNetwork-1658. Active since at least 2021, Storm-0940 obtains initial access through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services. Storm-0940 is known to target organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others.

As with any observed nation-state threat actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to help secure their environments. In this blog, we provide more information about CovertNetwork-1658 infrastructure, and associated Storm-0940 activity. We also share mitigation recommendations, detection information, and hunting queries that can help organizations identify, investigate, and mitigate associated activity.

What is CovertNetwork-1658?

Microsoft tracks a network of compromised small office and home office (SOHO) routers as CovertNetwork-1658. SOHO routers manufactured by TP-Link make up most of this network. Microsoft uses “CovertNetwork” to refer to a collection of egress IPs consisting of compromised or leased devices that may be used by one or more threat actors.

CovertNetwork-1658 specifically refers to a collection of egress IPs that may be used by one or more Chinese threat actors and is wholly comprised of compromised devices. Microsoft assesses that a threat actor located in China established and maintains this network. The threat actor exploits a vulnerability in the routers to gain remote code execution capability. We continue to investigate the specific exploit by which this threat actor compromises these routers. Microsoft assesses that multiple Chinese threat actors use the credentials acquired from CovertNetwork-1658 password spray operations to perform computer network exploitation (CNE) activities.

Post-compromise activity on compromised routers

After successfully gaining access to a vulnerable router, in some instances, the following steps are taken by the threat actor to prepare the router for password spray operations:

  1. Download Telnet binary from a remote File Transfer Protocol (FTP) server
  2. Download xlogin backdoor binary from a remote FTP server
  3. Utilize the downloaded Telnet and xlogin binaries to start an access-controlled command shell on TCP port 7777
  4. Connect and authenticate to the xlogin backdoor listening on TCP port 7777
  5. Download a SOCKS5 server binary to router
  6. Start SOCKS5 server on TCP port 11288
Figure 1. Steps taken to prepare the router for password spray operations  

CovertNetwork-1658 is observed conducting their password spray campaigns through this proxy network to ensure the password spray attempts originate from the compromised devices.

Password spray activity from CovertNetwork-1658 infrastructure

Microsoft has observed multiple password spray campaigns originating from CovertNetwork-1658 infrastructure. In these campaigns, CovertNetwork-1658 submits a very small number of sign-in attempts to many accounts at a target organization. In about 80 percent of cases, CovertNetwork-1658 makes only one sign-in attempt per account per day. Figure 2 depicts this distribution in greater detail.

Figure 2. CovertNetwork-1658 count of sign-in attempts per account per day.

CovertNetwork-1658 infrastructure is difficult to monitor due to the following characteristics:

  • The use of compromised SOHO IP addresses
  • The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
  • The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity

Various security vendors have reported on CovertNetwork-1658 activities, including Sekoia (July 2024) and Team Cymru (August 2024). Microsoft assesses that after these blogs were published, the usage of CovertNetwork-1658 network has declined substantially. The below chart highlights a steady and steep decline in the use of CovertNetwork-1658’s original infrastructure since their activities have been exposed in public reporting as observed in Censys.IO data.

Figure 3. Chart showing the drop in CovertNetwork-1658’s available nodes between August 1, 2024 and October 29, 2024

Microsoft assesses that CovertNetwork-1658 has not stopped operations as indicated in recent activity but is likely acquiring new infrastructure with modified fingerprints from what has been publicly disclosed. An observed increase in recent activity may be early evidence supporting this assessment.

Figure 4. Chart showing number of Microsoft Azure tenants targeted by day between October 8, 2024-October 30, 2024.

Historically, Microsoft has observed an average of 8,000 compromised devices actively engaged in the CovertNetwork-1658 network at any given time. On average, about 20 percent of these devices perform password spraying at any given time. Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time. This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.

Below are User Agent Strings observed in the password spray activity:

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
  • Chrome/80.0.3987.149 Safari/537.36Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Observed activity tied to Storm-0940

Microsoft has observed numerous cases where Storm-0940 has gained initial access to target organizations using valid credentials obtained through CovertNetwork-1658’s password spray operations. In some instances, Storm-0940 was observed using compromised credentials that were obtained from CovertNetwork-1658 infrastructure on the same day. This quick operational hand-off of compromised credentials is evidence of a likely close working relationship between the operators of CovertNetwork-1658 and Storm-0940.

After successfully gaining access to a victim environment, in some instances, Storm-0940 has been observed:        

  • Using scanning and credential dumping tools to move laterally within the network;
  • Attempting to access network devices and install proxy tools and remote access trojans (RATs) for persistence; and
  • Attempting to exfiltrate data.
Recommendations

Organizations can defend against password spraying by building credential hygiene and hardening cloud identities. Microsoft recommends the following mitigations to reduce the impact of this threat:

Detection details

Alerts with the following titles in the Security Center can indicate threat activity on your network:

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alert can indicate associated threat activity:

  • Storm-0940 actor activity detected
Microsoft Defender XDR

The following alert might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

  • Password spray attacks originating from single ISP
Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity:

  • Password Spray
  • Unfamiliar Sign-in properties
  • Atypical travel
  • Suspicious behavior: Impossible travel activity
Microsoft Defender for Cloud Apps

The following Microsoft Defender for Cloud Apps alerts can indicate associated threat activity:

  • Suspicious Administrative Activity
  • Impossible travel activity
Hunting queries Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Potential Storm-0940 activity           

This query identifies UserAgents obtained from observed activity and AAD SignInEvent attributes that identify potential activity to guide investigation:

//Advanced Hunting Query let suspAppRes = datatable(appId:string, resourceId:string) [ "1950a258-227b-4e31-a9cf-717495945fc2", "00000003-0000-0000-c000-000000000000" ]; let userAgents = datatable(userAgent:string) [ "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" //Low fidelity ]; AADSignInEventsBeta | where Timestamp >=ago(30d) | where ApplicationId in ((suspAppRes | project appId)) and ResourceId in ((suspAppRes | project resourceId)) and UserAgent in ((userAgents| project userAgent)) Failed sign-in activity The following query identifies failed attempts to sign-in from multiple sources that originate from a single ISP. Attackers distribute attacks from multiple IP addresses across a single service provider to evade detection IdentityLogonEvents | where Timestamp > ago(4h) | where ActionType == "LogonFailed" | where isnotempty(AccountObjectId) | summarize TargetCount = dcount(AccountObjectId), TargetCountry = dcount(Location), TargetIPAddress = dcount(IPAddress) by ISP | where TargetCount >= 100 | where TargetCountry >= 5 | where TargetIPAddress >= 25 Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Potential Storm-0940 activity

This query identifies UserAgents obtained from observed activity and AAD SignInEvent attributes that identify potential activity to guide investigation:

//sentinelquery let suspAppRes = datatable(appId:string, resourceId:string) [ "1950a258-227b-4e31-a9cf-717495945fc2", "00000003-0000-0000-c000-000000000000" ]; let userAgents = datatable(userAgent:string) [ "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" //Low fidelity ]; SigninLogs | where TimeGenerated >=ago(30d) | where AppId in ((suspAppRes | project appId)) and ResourceIdentity in ((suspAppRes | project resourceId)) and UserAgent in ((userAgents| project userAgent)) Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network appeared first on Microsoft Security Blog.

Categories: Microsoft

​​Microsoft now a Leader in three major analyst reports for SIEM

Thu, 10/31/2024 - 1:00pm

We’re excited and honored to be positioned in the Leaders Category in the IDC MarketScape: Worldwide SIEM (security information and event management) for Enterprise 2024 Vendor Assessment (doc #US51541324, September 2024)—our third major analyst report in SIEM to name Microsoft as a Leader. We were recognized in the most recent reports as a Leader in the 2024 Gartner® Magic Quadrant™ for Security Information and Event Management and as a Leader in The Forrester Wave™: Security Analytics Platforms, Q4 2022. We believe this position validates our vision and continued investments in Microsoft Sentinel, making it a best-in-class, cloud-native SIEM solution. It’s always a rewarding experience when trusted analysts recognize the continued work we’ve put into helping our customers modernize their operations, improve their security posture, and work more efficiently. 

A Leader in the market with an innovative solution for the SOC  

Microsoft Sentinel provides a unique experience for customers to help them act faster and stay safer while managing the scaling costs of security. Customers choose our SIEM in order to:  

Protect everything with a comprehensive SIEM solution. Microsoft Sentinel is a cloud-native solution that supports detection, investigation, and response across multi-cloud and multi-platform data sources with 340+ out-of-the-box connectors A strength of Microsoft’s offering is its breadth, which includes user entity and behavior analytics (UEBA), threat intelligence and security orchestration, automation, and response (SOAR) capabilities, along with native integrations into Microsoft Defender threat protection products. 

  • Enhance security with a unified security operations platform. Customers get the best protection when pairing Microsoft Sentinel with Defender XDR in Microsoft’s unified security operations platform. The integration not only brings the two products together into one experience but combines functionalities across each to maximize efficiency and security. One example is the unified correlation engine which delivers 50% faster alerting between first- and third-party data, custom detections and threat intelligence.3 Customers can stay safer with a unified approach, with capabilities like automatic attack disruption—which contains attacks in progress, limiting their impact at machine speed.   
  • Address any scenario. As the first cloud-native SIEM, Microsoft Sentinel helps customers observe threats across their digital estate with the flexibility required for today’s challenges. Our content hub offerings include over 200 Microsoft- created solutions and over 280 community contributions. The ability to adapt to the unique use cases of an organization is something called out in both the Forrester and Gartner reports.  
  • Scale your security coverage with cloud flexibility. Compared with legacy, on-premises SIEM solutions, Microsoft Sentinel customers see up to a 234% return on investment (ROI).1 This makes it an attractive option for customers looking for a scalable offering to meet the evolving needs of their business while managing the costs of data. We’ve recently launched a new, low-cost data tier called Auxiliary Logs to help customers increase the visibility of their digital environment, while keeping their budgets in check. In addition, Microsoft’s SOC Optimizations feature, a first of its kind offering, provides targeted recommendations to users on how to better leverage their security data to manage costs and maximize their protection, based on their specific environment and using frameworks like the MITRE attack map  
  • Respond quickly to emergent threats with AI. Security Copilot is a GenAI tool that can help analysts increase the speed of their response, uplevel their skills, and improve the quality of their work. 92% of analysts reported using Copilot helped make them more productive and 93% reported an improvement in the quality of their work.2  

What’s next in Microsoft Security 

Microsoft is dedicated to continued leadership in security through ongoing investment to provide customers with the intelligence, automation, and scalability they need to protect their businesses and work efficiently. New and upcoming enhancements include more unified features across SIEM and XDR, exposure management and cloud security in the unified security operations platform, and our SIEM migration tool—which now supports conversion of Splunk detections to Microsoft Sentinel analytics rules and additional Copilot skills to help analysts do their job better.  

​​CTA​: To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

[1] The Total Economic Impact™ Of Microsoft Sentinel (forrester.com) 

[2] Microsoft Copilot for Security randomized controlled trial (RCT) with experienced security analysts conducted by Microsoft Office of the Chief Economist, January 2024 

3Microsoft internal data 

Gartner, Magic Quadrant for Security Information and Event Management, By Andrew Davies, Mitchell Schneider, Rustam Malik, Eric Ahlm, 8 May 2024 

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

The post ​​Microsoft now a Leader in three major analyst reports for SIEM appeared first on Microsoft Security Blog.

Categories: Microsoft

​​7 cybersecurity trends and tips for small and medium businesses to stay protected

Thu, 10/31/2024 - 12:00pm

As October draws to a close, marking 21 years of Cybersecurity Awareness Month, cyberattacks continue to be a challenge for businesses of all sizes, however, small and medium businesses (SMBs) face distinct challenges when it comes to cybersecurity. Although SMBs face heightened cybersecurity threats, unlike large enterprises, they often lack the resources and expertise to implement extensive security measures or manage complex security solutions, making them prime targets for bad actors. Both the risks that SMBs face and their current level of security readiness are not widely understood.

To help us better understand the SMB security needs and trends, Microsoft partnered with Bredin, a company specializing in SMB research and insights, to conduct a survey focused on security for businesses with 25 to 299 employees. As we share these insights below, and initial actions that can take to address them, SMBs can also find additional best practices to stay secure in the Be Cybersmart Kit.  

SMB Cybersecurity Research Report

Read the full report to learn more about how security is continuing to play an important role for SMBs.

Discover more 1. One in three SMBs have been victims of a cyberattack 

With cyberattacks on the rise, SMBs are increasingly affected. Research shows that 31% of SMBs have been victims of cyberattacks such as ransomware, phishing, or data breaches. Despite this, many SMBs still hold misconceptions that increase their risk and vulnerability. Some believe they are too small to be targeted by hackers or assume that compliance equates to security. It is crucial to understand that bad actors pose a threat to businesses of all sizes, and complacency in cybersecurity can lead to significant risks. 

How can SMBs approach this?

Microsoft, in collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), has outlined four simple best practices to creates a strong cybersecurity foundation.

  • Use strong passwords and consider a password manager.
  • Turn on multifactor authentication.
  • Learn to recognize and report phishing.
  • Make sure to keep your software updated.
2. Cyberattacks cost SMBs more than $250,000 on average and up to $7,000,000 

The unexpected costs of a cyberattack can be devastating for an SMB and make it difficult to financially recover from. These costs can include expenses incurred for investigation and recovery efforts to resolve the incident, and associated fines related to a data breach. Cyberattacks not only present an immediate financial strain but can also have longer term impacts on an SMB. Diminished customer trust due to a cyberattack can cause broader reputational damage and lead to missed business opportunities in the future. It’s difficult to anticipate the impact of a cyberattack because the time it takes to recover can vary from one day to more than a month. While many SMBs are optimistic about their ability to withstand a cyberattack, some fail to accurately estimate the time needed to restore operations and resume normal business activities 

How can SMBs approach this?

SMBs can conduct a cybersecurity risk assessment to understand gaps in security and determine steps to resolve them. These assessments can help SMBs uncover areas open to attack to minimize them, ensure compliance with regulatory requirements, establish incident response plans, and more. Effectively and proactively planning can help minimize the financial, reputational, and operational costs associated with a cyberattack should one happen. Many organizations provide self-service assessments, and working with a security specialist or security service provider can bring additional expertise and guidance through the process as needed.

3. 81% of SMBs believe AI increases the need for additional security controls

The rapid advancement of AI technologies and the ease of use through simple user interfaces creates notable challenges for SMBs when used by employees. Without the proper tools in place to secure company data, AI use can lead to sensitive or confidential information getting in the wrong hands. Fortunately, more than half of companies currently not using AI security tools intend to implement them within the next six months for more advanced security. 

How can SMBs approach this?

Data security and data governance play a critical role in successful adoption and use of AI. Data security, which includes labeling and encrypting documents and information, can mitigate the chance of restricted information being referenced in AI prompts. Data governance, or the process of managing, understanding, and securing data, can help establish a framework to effectively organize data within.

4. 94% consider cybersecurity critical to their business 

Recognizing the critical importance of cybersecurity, 94% of SMBs consider it essential to their operations. While it was not always considered a top priority given limited resources and in-house expertise, the rise in cyberthreats and increased sophistication of cyberattacks now pose significant risks for SMBs that is largely recognized across the SMB space. Managing work data on personal devices, ransomware, and phishing and more are cited as top challenges that SMBs are facing. 

How can SMBs approach this?

For SMBs that want to get started with available resources to train and educate employees, security topics across Cybersecurity 101, Phishing, and more are provided through Microsoft’s Cybersecurity Awareness site.

5. Less than 30% of SMBs manage their security in-house 

Given the limited resources and in-house expertise within SMBs, many turn to security specialists for assistance. Less than 30% of SMBs manage security in-house and generally rely on security consultants or service providers to manage security needs. These security professionals provide crucial support in researching, selecting, and implementing cybersecurity solutions, ensuring that SMBs are protected from new threats. 

How can SMBs approach this?

Hiring a Managed Service Provider (MSP) is commonly used to supplement internal business operations. MSPs are organizations that help manage broad IT services, including security, and serve as strategic partners to improve efficiency and oversee day-to-day IT activities. Examples of security support can consist of researching and identifying the right security solution for a business based on specific needs and requirements. Additionally, MSPs can implement and manage the solution by configuring security policies and responding to incidents on the SMBs behalf. This model allows more time for SMBs to focus on core business objectives while MSPs keep the business protected.

6. 80% intend to increase their cybersecurity spending, with data protection as top area of spend 

Given the heightened importance of security, 80% of SMBs intend to increase cybersecurity spending. Top motivators are protection from financial losses and safeguards for client and customer data. It’s no surprise that data protection comes in as the top investment area with 65% of SMBs saying that is where increased spending will be allocated, validating the need for additional security with the rise of AI. Other top areas of spending include firewall services, phishing protection, ransomware and device protection, access control, and identity management.  

How can SMBs approach this?

Prioritizing these investments in the areas above, SMBs can improve security posture and reduce the risk of cyberattacks. Solutions such as Data Loss Prevention (DLP) help identify suspicious activity and prevent sensitive data from leaving leaking outside of the business, Endpoint Detection and Response (EDR) help protect devices and defend against threats, and Identity and Access Management (IAM) help ensure only the right people get access to the right information.

7. 68% of SMBs consider secure data access a challenge for remote workers 

The transition to hybrid work models has brought new security challenges for SMBs, and these issues will continue as hybrid work becomes a permanent fixture. With 68% of SMBs employing remote or hybrid workers, ensuring secure access for remote employees is increasingly critical. A significant 75% of SMBs are concerned about data loss on personal devices. To safeguard sensitive information in a hybrid work setting, it is vital to implement device security and management solutions so employees can securely work from anywhere.  

How can SMBs approach this?

Implement measures to protect data and internet-connected devices that include installing software updates immediately, ensuring mobile applications are downloaded from legitimate app stores, and refraining from sharing credentials over email or text, and only doing so over the phone in real-time.

Next steps with Microsoft Security
  • Read the full report to learn more about how security is continuing to play an important role for SMBs.
  • Get the Be Cybersmart Kit to help educate everyone in your organization with cybersecurity awareness resources.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post ​​7 cybersecurity trends and tips for small and medium businesses to stay protected appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft Ignite: Sessions and demos to improve your security strategy

Wed, 10/30/2024 - 12:00pm

Now more than ever is the time for every organization to prioritize security. The use of AI by cyberattackers gives them an asymmetric advantage over defenders, as cyberattackers only have to be right once, while defenders have to be right 100% of the time. The way to win is with AI-first, end-to-end security—a key focus for Microsoft Security at Microsoft Ignite, November 18 to 22, 2024. Join thousands of security professionals at the event online to become part of a community focused on advancing defenders against ever-evolving cyberthreats.

Across many sessions and demos, we’ll address the top security pain points related to AI and empower you with practical, actionable strategies. Keep reading this blog for a guide of highlighted sessions for security professionals of all levels, whether you’re attending in-person or online.

And be sure to register for the digital experience to explore the Microsoft Security sessions at Microsoft Ignite.

Register for Microsoft Ignite online Be among the first to hear top news

Microsoft is bringing together every part of the company in a collective mission to advance cybersecurity protection to help our customers and the security community. We have four powerful advantages to drive security innovation: large-scale data and threat intelligence; end-to-end protection; responsible AI; and tools to secure and govern the use of AI.

Microsoft Chairman and Chief Executive Officer Satya Nadella said in May 2024 that security is the top priority for our company. Nadella, along with Microsoft Security Executive Vice President Charlie Bell, are the featured speakers at the Microsoft Ignite opening keynote on Tuesday, November 19, 2024, where you can expect to hear more of Microsoft’s vision for the future of security. Other well-known cybersecurity speakers at Microsoft Ignite include Bret Arsenault, Microsoft Corporate Vice President (CVP) and Chief Cybersecurity Advisor; Ann Johnson, CVP and Deputy Chief Information Security Officer (CISO); Joy Chik, President, Identity and Network Access; Mark Russinovich, Chief Technology Officer and Deputy CISO; and Sherrod DeGrippo, Director of Threat Intelligence Strategy.

For a deeper dive into security product news and demos, join the security general session on Wednesday, November 20, 2024, at 9:45 AM CT. Hear from Charlie Bell and Vasu Jakkal, CVP, Microsoft Security Business, who will share exciting security innovations to empower you with AI tools designed to help you get ahead of attackers.

These news-breaking sessions are just the start of the value you can gain from attending online.

Benefit from insights designed for your role

While cybersecurity is a shared concern of security professionals, we realize the specific concerns are unique to role. Recognizing this, we developed sessions tailored to what matters most to you.

  • CISOs and senior security leaders: If you’ll be with us in Chicago, kick off the conference with the Microsoft Ignite Security Forum on November 18, 2024 from 1 PM CT to 5 PM CT. Join this exclusive pre-day event to hear from Microsoft security experts on threat intelligence insights, our Secure Future Initiative (SFI), and trends in security. Go back to your registration to add this experience on. Also for those in Chicago, be sure to join the Security Leaders Dinner, where you can engage with your peers and provide insights on your greatest challenges and successes. If you’re joining online, gain firsthand access to the latest Microsoft Security announcements. Whether you’re in person or online, don’t miss “Proactive security with continuous exposure management” (BRK324), which will explore how Microsoft Security Exposure Management unifies disparate data silos for visibility of end-to-end attack surface, and “Secure and govern data in Microsoft 365 Copilot and beyond” (BRK321), which will discuss the top concerns of security leaders when it comes to AI and how you can gain the confidence and tools to adopt AI. Plus, learn how to make your organization as diverse as the threats you are defending in “The Power of Diversity: Building a stronger workforce in the era of AI” (BRK330).
  • Security analysts and engineers: Join actionable sessions for information you can use immediately. Sessions designed for the security operations center (SOC) include “Microsoft cybersecurity architect lab—Infrastructure security” (LAB454), which will showcase how to best use the Microsoft Secure Score to improve your security posture, and “Simplify your SOC with the unified security operations platform” (BRK310), which will feature a fireside chat with security experts to discuss common security challenges and topics. Plus, learn to be a champion of safe AI adoption in “Scott and Mark learn responsible AI” (BRK329), which will explore the three top risks in large language models and the origins and potential impacts of each of these.
  • Developers and IT professionals: We get it—security isn’t your main focus, but it’s increasingly becoming part of your scope. Get answers to your most pressing questions at Microsoft Ignite. Sessions that may interest you include “Secure and govern custom AI built on Azure AI and Copilot Studio” (BRK322), which will dive into how Microsoft can enable data security and compliance controls for custom apps, detect and respond to AI threats, and managed your AI stack vulnerabilities, and “Making Zero Trust real: Top 10 security controls you can implement now” (BRK328), which offers technical guidance to make Zero Trust actionable with 10 top controls to help improve your organization’s security posture. Plus, join “Supercharge endpoint management with Microsoft Copilot in Intune” (THR656) for guidance on unlocking Microsoft Intune’s potential to streamline endpoint management.
  • Microsoft partners: We appreciate our partners and have developed sessions aimed at supporting you. These include “Security partner growth: The power of identity with Entra Suite” (BRK332) and “Security partner growth: Help customers modernize security operations” (BRK336).
Attend sessions tailored to addressing your top challenge

When exploring effective cybersecurity strategies, you likely have specific challenges that are motivating your actions, regardless of your role within your organization. We respect that our attendees want a Microsoft Ignite experience tailored to their specific objectives. We’re committed to maximizing your value from attending the event, with Microsoft Security sessions that address the most common cybersecurity challenges.

  • Managing complexity: Discover ways to simplify your infrastructure in sessions like “Simpler, smarter, and more secure endpoint management with Intune” (BRK319), which will explore new ways to strengthen your security with Microsoft Intune and AI, and “Break down risk silos and build up code-to-code security posture” (BRK312), which will focus on how defenders can overcome the expansive alphabet soup of security posture tools and gain a unified cloud security posture with Microsoft Defender for Cloud.   
  • Increasing efficiency:: Learn how AI can help you overcome talent shortage challenges in sessions like “Secure data across its lifecycle in the era of AI” (BRK318), which will explore Microsoft Purview leveraging Microsoft Security Copilot can help you detect hidden risks, mitigate them, and protect and prevent data loss, and “One goal, many roles: Microsoft Security Copilot: Real-world insights and expert advice” (BRK316), which will share best practices and insider tricks to maximize Copilot’s benefits so you can realize quick value and enhance your security and IT operations.  
  • Threat landscape: Navigate effectively through the modern cyberthreat landscape, guided by the insights shared in sessions like “AI-driven ransomware protection at machine speed: Defender for Endpoint” (BRK325), which will share a secret in Microsoft Defender for Endpoint success and how it uses machine learning and threat intelligence, and the theater session “Threat intelligence at machine speed with Microsoft Security Copilot” (THR555), which will showcase how Copilot can be used as a research assistant, analyst, and responder to simplify threat management.
  • Regulatory compliance: Increase your confidence in meeting regulatory requirements by attending sessions like “Secure and govern your data estate with Microsoft Purview” (BRK317), which will explore how to secure and govern your data with Microsoft Purview, and “Secure and govern your data with Microsoft Fabric and Purview” (BRK327), which will dive into how Microsoft Purview works together with Microsoft Fabric for a comprehensive approach to secure and govern data.
  • Maximizing value: Discover how to maximize the value of your cybersecurity investments during sessions like “Transform your security with GenAI innovations in Security Copilot” (BRK307), which will showcase how Microsoft Security Copilot’s automation capabilities and use cases can elevate your security organization-wide, and “AI-driven ransomware protection at machine speed: Defender for Endpoint” (BRK325), which will dive into the key secret to the success of Defender for Endpoint customers in reducing the risk of ransomware attacks as well maximizing the value of the product’s new features and user interfaces.
Register for Microsoft Ignite online Explore cybersecurity tools with product showcases and hands-on training

Learning about Microsoft security capabilities is useful, but there’s nothing like trying out the solutions for yourself. Our in-depth showcases and hands-on trainings give you the chance to explore these capabilities for yourself. Bring a notepad and your laptop and let’s put these tools to work.

  • “Secure access at the speed of AI with Copilot in Microsoft Entra” (THR556): Learn how AI with Security Copilot and Microsoft Entra can help you accelerate tasks like troubleshooting, automate cybersecurity insights, and strengthen Zero Trust.  
  • “Mastering custom plugins in Microsoft Security Copliot” (THR653): Gain practical knowledge of using Security Copilot’s capabilities during a hands-on session aimed at security and IT professionals ready for advanced customization and integration with existing security tools. 
  • “Getting started with Microsoft Sentinel” (LAB452): Get hands-on experience on building detections and queries, configuring your Microsoft Sentinel environment, and performing investigations. 
  • “Secure Azure services and workloads with Microsoft Defender for Cloud” (LAB457): Explore how to mitigate security risks with endpoint security, network security, data protection, and posture and vulnerability management. 
  • “Evolving from DLP to data security with Microsoft Preview” (THR658): See for yourself how Microsoft Purview Data Loss Prevention (DLP) integrates with insider risk management and information protection to optimize your end-to-end DLP program. 
Network with Microsoft and other industry professionals

While you’ll gain a wealth of insights and learn about our latest product innovations in sessions, our ancillary events offer opportunities to connect and socialize with Microsoft and other security professionals as committed to you to strengthening the industry’s defenses against cyberthreats. That’s worth celebrating!

  • Pre-day Forum: All Chicago Microsoft Ignite attendees are welcome to add on to the event with our pre-day sessions on November 18, 2024, from 1 PM CT to 5 PM CT. Topics covered will include threat intelligence, Microsoft’s Secure Future Initiative, AI innovation, and AI security research, and the event will feature a fireside chat with Microsoft partners and customers. The pre-day event is designed for decision-makers from businesses of all sizes to advance your security strategy. If you’re already attending in person, log in to your Microsoft Ignite registration and add on the Microsoft Security Ignite Forum.
  • Security Leaders Dinner: We’re hosting an exclusive dinner with leaders of security teams, where you can engage with your peers and provide insights on your greatest challenges and successes. This intimate gathering is designed specifically for CISOs and other senior security leaders to network, share learnings, and discuss what’s happening in cybersecurity.   
  • Secure the Night Party: All security professionals are encouraged to celebrate the cybersecurity community with Microsoft from 6 PM CT to 10 PM CT on Wednesday, November 20, 2024. Don’t miss this opportunity to connect with Microsoft Security subject matter experts and peers at our “Secure the Night” party during Microsoft Ignite in Chicago. Enjoy an engaging evening of conversations and experiences while sipping tasty drinks and noshing on heavy appetizers provided by Microsoft. We look forward to welcoming you. Reserve your spot today

Something that excites us the most about Microsoft Ignite is the opportunity to meet with cybersecurity professionals dedicated to modern defense. Stop by the Microsoft Security Expert Meetup space to say hello, learn more about capabilities you’ve been curious about, or ask questions about Microsoft’s cybersecurity efforts. 

Register today to attend Microsoft Ignite online

There’s still time to register to participate in Microsoft Ignite online from November 19 to 22, 2024, to catch security-focused breakout sessions, product demos, and participate in interactive Q&A sessions with our experts. No matter how you participate in Microsoft Ignite, you’ll gain insights on how to secure your future with an AI-first, end-to-end cybersecurity approach to keep your organizations safer.

Explore the security sessions at Microsoft Ignite 2024

Plus, you can take your security knowledge further at Tech Community Live: Microsoft Security edition on December 3, 2024, to ask all your follow-up questions from Microsoft Ignite. Microsoft Experts will be hosting live Ask Microsoft Anything sessions on topics from Security for AI to Copilot for Security.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Ignite: Sessions and demos to improve your security strategy appeared first on Microsoft Security Blog.

Categories: Microsoft

Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files

Tue, 10/29/2024 - 3:00pm

Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. This activity is ongoing, and Microsoft will continue to investigate and provide updates as available. Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection. Microsoft is releasing this blog to notify the public and disrupt this threat actor activity. This blog provides context on these external spear-phishing attempts, which are common attack techniques and do not represent any new compromise of Microsoft.

The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server. In some of the lures, the actor attempted to add credibility to their malicious messages by impersonating Microsoft employees. The threat actor also referenced other cloud providers in the phishing lures.

While this campaign focuses on many of Midnight Blizzard’s usual targets, the use of a signed RDP configuration file to gain access to the targets’ devices represents a novel access vector for this actor. Overlapping activity has also been reported by the Government Computer Emergency Response Team of Ukraine (CERT-UA) under the designation UAC-0215 and also by Amazon.

Midnight Blizzard is a Russian threat actor attributed by the United States and United Kingdom governments to the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers, primarily in the United States and Europe. Its focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Its operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.

Midnight Blizzard is consistent and persistent in its operational targeting, and its objectives rarely change. It uses diverse initial access methods, including spear phishing, stolen credentials, supply chain attacks, compromise of on-premises environments to laterally move to the cloud, and leveraging service providers’ trust chain to gain access to downstream customers. Midnight Blizzard is known to use the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard is identified by peer security vendors as APT29, UNC2452, and Cozy Bear.

As with any observed nation-state actor activity, Microsoft is in the process of directly notifying customers that have been targeted or compromised, providing them with the necessary information to secure their accounts. Strong anti-phishing measures will help to mitigate this threat. As part of our commitment to helping protect against cyber threats, we provide indicators of compromise (IOCs), hunting queries, detection details, and recommendations at the end of this post.

Spear-phishing campaign

On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate. RDP configuration (.RDP) files summarize automatic settings and resource mappings that are established when a successful connection to an RDP server occurs. These configurations extend features and resources of the local system to a remote server, controlled by the actor.

In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server. Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards. This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed. The process of establishing an RDP connection to the actor-controlled system may also expose the credentials of the user signed in to the target system.

Figure 1. Malicious remote connection RDP connection

When the target user opened the .RDP attachment, an RDP connection was established to an actor-controlled system. The configuration of the RDP connection then allowed the actor-controlled system to discover and use information about the target system, including:

  • Files and directories
  • Connected network drives
  • Connected peripherals, including smart cards, printers, and microphones
  • Web authentication using Windows Hello, passkeys, or security keys
  • Clipboard data
  • Point of Service (also known as Point of Sale or POS) devices
Targets

Microsoft has observed this campaign targeting governmental agencies, higher education, defense, and non-governmental organizations in dozens of countries, but particularly in the United Kingdom, Europe, Australia, and Japan. This target set is consistent with other Midnight Blizzard phishing campaigns.

Email infrastructure

Midnight Blizzard sent the phishing emails in this campaign using email addresses belonging to legitimate organizations that were gathered during previous compromises. The domains used are listed in the IOC section below.

Mitigations

Microsoft recommends the following mitigations to reduce the impact of this threat.

Strengthen operating environment configuration Strengthen endpoint security configuration

If you are using Microsoft Defender for Endpoint take the following steps:

  • Ensure tamper protection is turned on in Microsoft Defender for Endpoint.
  • Turn on network protection in Microsoft Defender for Endpoint.
  • Turn on web protection.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to help resolve breaches, significantly reducing alert volume. 
  • Microsoft Defender XDR customers can turn on the following attack surface reduction rules to help prevent common attack techniques used by threat actors.
    • Block executable content from email client and webmail
    • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Strengthen antivirus configuration
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections help block a majority of new and unknown variants.
  • Enable Microsoft Defender Antivirus scanning of downloaded files and attachments.
  • Enable Microsoft Defender Antivirus real-time protection.
Strengthen Microsoft Office 365 configuration
  • Turn on Safe Links and Safe Attachments for Office 365.
  • Enable Zero-hour auto purge (ZAP) in Office 365 to help quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
Strengthen email security configuration
  • Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. For example, Microsoft Defender for Office 365 merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that automatically identify and help block malicious websites, including those used in phishing activities.
  • If you are using Microsoft Defender for Office 365, configure it to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect an organization from malicious links used in phishing and other attacks.
  • If you are using Microsoft Defender for Office 365, use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing credentials.
Conduct user education
  • Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails.
Microsoft Defender XDR detections Microsoft Defender for Endpoint

The following alerts may also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

  • Midnight Blizzard Actor activity detected
  • Suspicious RDP session
Microsoft Defender Antivirus

Microsoft Defender Antivirus detects at least some of the malicious .RDP files as the following signature:

  • Backdoor:Script/HustleCon.A
Microsoft Defender for Cloud

The following alerts may also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

  • Communication with suspicious domain identified by threat intelligence
  • Suspicious outgoing RDP network activity
  • Traffic detected from IP addresses recommended for blocking
Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide threat intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Hunting queries Microsoft Defender XDR

Identify potential Midnight Blizzard targeted recipients 

Surface possible targeted email accounts within the environment where the email sender originated from a Midnight Blizzard compromised domain related to the RDP activity.

EmailEvents | where SenderFromDomain in~ ("sellar.co.uk", "townoflakelure.com", "totalconstruction.com.au", "swpartners.com.au", "cewalton.com") | project SenderFromDomain, SenderFromAddress, RecipientEmailAddress, Subject, Timestamp

Surface potential targets of an RDP attachment phishing attempt

Surface emails that contain a remote desktop protocol (RDP) file attached. This may indicate that the recipient of the email may have been targeted in an RDP attachment phishing attack attempt.

EmailAttachmentInfo | where FileType == "rdp" | join kind=inner (EmailEvents) on NetworkMessageId | project SenderFromAddress, RecipientEmailAddress, Subject, Timestamp, FileName, FileType

Identify potential successfully targeted assets in an RDP attachment phishing attack

Surface devices that may have been targeted in an email with an RDP file attached, followed by an RDP connection attempt from the device to an external network. This combined activity may indicate that a device may have been successfully targeted in an RDP attachment phishing attack.

// Step 1: Identify emails with RDP attachments let rdpEmails = EmailAttachmentInfo | where FileType == "rdp" | join kind=inner (EmailEvents) on NetworkMessageId | project EmailTimestamp = Timestamp, RecipientEmailAddress, NetworkMessageId, SenderFromAddress; // Step 2: Identify outbound RDP connections let outboundRDPConnections = DeviceNetworkEvents | where RemotePort == 3389 | where ActionType == "OutboundConnection" | where RemoteIPType == "Public" | project RDPConnectionTimestamp = Timestamp, DeviceId, InitiatingProcessAccountUpn, RemoteIP; // Step 3: Correlate email and network events rdpEmails | join kind=inner (outboundRDPConnections) on $left.RecipientEmailAddress == $right.InitiatingProcessAccountUpn | project EmailTimestamp, RecipientEmailAddress, SenderFromAddress, RDPConnectionTimestamp, DeviceId, RemoteIP

Threat actor RDP connection files attached to email

Surface users that may have received an RDP connection file attached in email that have been observed in this attack from Midnight Blizzard.

EmailAttachmentInfo | where FileName in~ ( "AWS IAM Compliance Check.rdp", "AWS IAM Configuration.rdp", "AWS IAM Quick Start.rdp", "AWS SDE Compliance Check.rdp", "AWS SDE Environment Check.rdp", "AWS Secure Data Exchange - Compliance Check.rdp", "AWS Secure Data Exchange Compliance.rdp", "Device Configuration Verification.rdp", "Device Security Requirements Check.rdp", "IAM Identity Center Access.rdp", "IAM Identity Center Application Access.rdp", "Zero Trust Architecture Configuration.rdp", "Zero Trust Security Environment Compliance Check.rdp", "ZTS Device Compatibility Test.rdp" ) | project Timestamp, FileName, SHA256, RecipientEmailAddress, SenderDisplayName, SenderFromAddress Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Indicators of compromise

Email sender domains:

  • sellar[.]co.uk
  • townoflakelure[.]com
  • totalconstruction[.]com.au
  • swpartners[.]com.au
  • cewalton[.]com

RDP file names:

  • AWS IAM Compliance Check.rdp
  • AWS IAM Configuration.rdp
  • AWS IAM Quick Start.rdp
  • AWS SDE Compliance Check.rdp
  • AWS SDE Environment Check.rdp
  • AWS SDE Environment Check.rdp 
  • AWS Secure Data Exchange – Compliance Check.rdp
  • AWS Secure Data Exchange Compliance.rdp
  • Device Configuration Verification.rdp
  • Device Security Requirements Check.rdp
  • IAM Identity Center Access.rdp
  • IAM Identity Center Application Access.rdp
  • Zero Trust Architecture Configuration.rdp
  • Zero Trust Security Environment Compliance Check.rdp
  • ZTS Device Compatibility Test.rdp

RDP remote computer domains:

ap-northeast-1-aws.s3-ua[.]cloudap-northeast-1-aws.ukrainesec[.]cloudca-central-1.gov-ua[.]cloudca-central-1.ua-gov[.]cloudca-west-1.aws-ukraine[.]cloudca-west-1.mfa-gov[.]cloudca-west-1.ukrtelecom[.]cloudcentral-2-aws.ua-mil[.]cloudcentral-2-aws.ua-sec[.]cloudcentral-2-aws.ukrainesec[.]cloudcentral-2-aws.ukrtelecom[.]cloudeu-central-1.difesa-it[.]cloudeu-central-1.mfa-gov[.]cloudeu-central-1.mil-be[.]cloudeu-central-1.mil-pl[.]cloudeu-central-1.minbuza[.]cloudeu-central-1.mindef-nl[.]cloudeu-central-1.msz-pl[.]cloudeu-central-1.quirinale[.]cloudeu-central-1.regeringskansliet-se[.]cloudeu-central-1.s3-be[.]cloudeu-central-1.s3-esa[.]cloudeu-central-1.s3-nato[.]cloudeu-central-1.ua-gov[.]cloudeu-central-1.ua-sec[.]cloudeu-central-1.ukrtelecom[.]cloudeu-central-1-aws.amazonsolutions[.]cloudeu-central-1-aws.dep-no[.]cloudeu-central-1-aws.gov-pl[.]cloudeu-central-1-aws.gov-sk[.]cloudeu-central-1-aws.gov-trust[.]cloudeu-central-1-aws.mfa-gov[.]cloudeu-central-1-aws.minbuza[.]cloudeu-central-1-aws.mindef-nl[.]cloudeu-central-1-aws.msz-pl[.]cloudeu-central-1-aws.mzv-sk[.]cloudeu-central-1-aws.ncfta[.]cloudeu-central-1-aws.presidencia-pt[.]cloudeu-central-1-aws.quirinale[.]cloudeu-central-1-aws.regeringskansliet-se[.]cloudeu-central-1-aws.s3-be[.]cloudeu-central-1-aws.s3-ua[.]cloudeu-central-1-aws.ua-gov[.]cloudeu-central-1-aws.ukrainesec[.]cloudeu-central-2-aws.amazonsolutions[.]cloudeu-central-2-aws.aws-ukraine[.]cloudeu-central-2-aws.dep-no[.]cloudeu-central-2-aws.gov-pl[.]cloudeu-central-2-aws.gov-sk[.]cloudeu-central-2-aws.mil-be[.]cloudeu-central-2-aws.mil-pl[.]cloudeu-central-2-aws.mindef-nl[.]cloudeu-central-2-aws.msz-pl[.]cloudeu-central-2-aws.mzv-sk[.]cloudeu-central-2-aws.presidencia-pt[.]cloudeu-central-2-aws.regeringskansliet-se[.]cloudeu-central-2-aws.s3-be[.]cloudeu-central-2-aws.ua-gov[.]cloudeu-central-2-aws.ua-mil[.]cloudeu-central-2-aws.ukrtelecom[.]cloudeu-east-1-aws.amazonsolutions[.]cloudeu-east-1-aws.dep-no[.]cloudeu-east-1-aws.gov-sk[.]cloudeu-east-1-aws.gov-ua[.]cloudeu-east-1-aws.mil-be[.]cloudeu-east-1-aws.mil-pl[.]cloudeu-east-1-aws.minbuza[.]cloudeu-east-1-aws.mindef-nl[.]cloudeu-east-1-aws.msz-pl[.]cloudeu-east-1-aws.mzv-sk[.]cloudeu-east-1-aws.quirinale[.]cloudeu-east-1-aws.regeringskansliet-se[.]cloudeu-east-1-aws.s3-be[.]cloudeu-east-1-aws.s3-de[.]cloudeu-east-1-aws.ua-gov[.]cloudeu-east-1-aws.ua-sec[.]cloudeu-east-1-aws.ukrtelecom[.]cloudeu-north-1.difesa-it[.]cloudeu-north-1.gov-trust[.]cloudeu-north-1.gov-ua[.]cloudeu-north-1.gv-at[.]cloudeu-north-1.mil-be[.]cloudeu-north-1.mil-pl[.]cloudeu-north-1.mzv-sk[.]cloudeu-north-1.ncfta[.]cloudeu-north-1.regeringskansliet-se[.]cloudeu-north-1.s3-be[.]cloudeu-north-1.s3-de[.]cloudeu-north-1.s3-ua[.]cloudeu-north-1-aws.dep-no[.]cloudeu-north-1-aws.difesa-it[.]cloudeu-north-1-aws.gov-pl[.]cloudeu-north-1-aws.gov-sk[.]cloudeu-north-1-aws.mil-be[.]cloudeu-north-1-aws.mil-pl[.]cloudeu-north-1-aws.minbuza[.]cloudeu-north-1-aws.ncfta[.]cloudeu-north-1-aws.presidencia-pt[.]cloudeu-north-1-aws.quirinale[.]cloudeu-north-1-aws.regeringskansliet-se[.]cloudeu-north-1-aws.s3-be[.]cloudeu-north-1-aws.s3-de[.]cloudeu-north-1-aws.ua-energy[.]cloudeu-north-1-aws.ua-gov[.]cloudeu-south-1-aws.admin-ch[.]cloudeu-south-1-aws.dep-no[.]cloudeu-south-1-aws.difesa-it[.]cloudeu-south-1-aws.gov-pl[.]cloudeu-south-1-aws.gov-trust[.]cloudeu-south-1-aws.mfa-gov[.]cloudeu-south-1-aws.mil-be[.]cloudeu-south-1-aws.minbuza[.]cloudeu-south-1-aws.mzv-sk[.]cloudeu-south-1-aws.quirinale[.]cloudeu-south-1-aws.s3-be[.]cloudeu-south-1-aws.s3-de[.]cloudeu-south-1-aws.ua-gov[.]cloudeu-south-2.dep-no[.]cloudeu-south-2.gov-pl[.]cloudeu-south-2.gov-sk[.]cloudeu-south-2.mil-be[.]cloudeu-south-2.mil-pl[.]cloudeu-south-2.mindef-nl[.]cloudeu-south-2.s3-be[.]cloudeu-south-2.s3-de[.]cloudeu-south-2.s3-esa[.]cloudeu-south-2.s3-nato[.]cloudeu-south-2.ua-sec[.]cloudeu-south-2.ukrainesec[.]cloudeu-south-2-aws.amazonsolutions[.]cloudeu-south-2-aws.dep-no[.]cloudeu-south-2-aws.gov-pl[.]cloudeu-south-2-aws.gov-sk[.]cloudeu-south-2-aws.mfa-gov[.]cloudeu-south-2-aws.mil-be[.]cloudeu-south-2-aws.mil-pl[.]cloudeu-south-2-aws.mil-pt[.]cloudeu-south-2-aws.minbuza[.]cloudeu-south-2-aws.msz-pl[.]cloudeu-south-2-aws.mzv-sk[.]cloudeu-south-2-aws.ncfta[.]cloudeu-south-2-aws.quirinale[.]cloudeu-south-2-aws.regeringskansliet-se[.]cloudeu-south-2-aws.s3-be[.]cloudeu-south-2-aws.s3-de[.]cloudeu-south-2-aws.s3-esa[.]cloudeu-south-2-aws.s3-nato[.]cloudeu-south-2-aws.s3-ua[.]cloudeu-south-2-aws.ua-gov[.]cloudeu-southeast-1-aws.amazonsolutions[.]cloudeu-southeast-1-aws.aws-ukraine[.]cloudeu-southeast-1-aws.dep-no[.]cloudeu-southeast-1-aws.difesa-it[.]cloudeu-southeast-1-aws.gov-sk[.]cloudeu-southeast-1-aws.gov-trust[.]cloudeu-southeast-1-aws.mil-be[.]cloudeu-southeast-1-aws.mil-pl[.]cloudeu-southeast-1-aws.mindef-nl[.]cloudeu-southeast-1-aws.msz-pl[.]cloudeu-southeast-1-aws.mzv-cz[.]cloudeu-southeast-1-aws.mzv-sk[.]cloudeu-southeast-1-aws.quirinale[.]cloudeu-southeast-1-aws.s3-be[.]cloudeu-southeast-1-aws.s3-de[.]cloudeu-southeast-1-aws.s3-esa[.]cloudeu-southeast-1-aws.s3-ua[.]cloudeu-southeast-1-aws.ua-energy[.]cloudeu-southeast-1-aws.ukrainesec[.]cloudeu-west-1.aws-ukraine[.]cloudeu-west-1.difesa-it[.]cloudeu-west-1.gov-sk[.]cloudeu-west-1.mil-be[.]cloudeu-west-1.mil-pl[.]cloudeu-west-1.minbuza[.]cloudeu-west-1.msz-pl[.]cloudeu-west-1.mzv-sk[.]cloudeu-west-1.regeringskansliet-se[.]cloudeu-west-1.s3-de[.]cloudeu-west-1.s3-esa[.]cloudeu-west-1.s3-ua[.]cloudeu-west-1.ua-gov[.]cloudeu-west-1.ukrtelecom[.]cloudeu-west-1-aws.amazonsolutions[.]cloudeu-west-1-aws.aws-ukraine[.]cloudeu-west-1-aws.dep-no[.]cloudeu-west-1-aws.gov-pl[.]cloudeu-west-1-aws.gov-sk[.]cloudeu-west-1-aws.gov-trust[.]cloudeu-west-1-aws.gov-ua[.]cloudeu-west-1-aws.mil-be[.]cloudeu-west-1-aws.mil-pl[.]cloudeu-west-1-aws.minbuza[.]cloudeu-west-1-aws.quirinale[.]cloudeu-west-1-aws.s3-be[.]cloudeu-west-1-aws.s3-de[.]cloudeu-west-1-aws.s3-esa[.]cloudeu-west-1-aws.s3-nato[.]cloudeu-west-1-aws.ua-sec[.]cloudeu-west-1-aws.ukrainesec[.]cloudeu-west-2-aws.amazonsolutions[.]cloudeu-west-2-aws.dep-no[.]cloudeu-west-2-aws.difesa-it[.]cloudeu-west-2-aws.gov-pl[.]cloudeu-west-2-aws.gov-sk[.]cloudeu-west-2-aws.gv-at[.]cloudeu-west-2-aws.mil-be[.]cloudeu-west-2-aws.mil-pl[.]cloudeu-west-2-aws.minbuza[.]cloudeu-west-2-aws.mindef-nl[.]cloudeu-west-2-aws.msz-pl[.]cloudeu-west-2-aws.mzv-sk[.]cloudeu-west-2-aws.quirinale[.]cloudeu-west-2-aws.s3-be[.]cloudeu-west-2-aws.s3-de[.]cloudeu-west-2-aws.s3-esa[.]cloudeu-west-2-aws.s3-nato[.]cloudeu-west-2-aws.s3-ua[.]cloudeu-west-2-aws.ua-sec[.]cloudeu-west-3.amazonsolutions[.]cloudeu-west-3.aws-ukraine[.]cloudeu-west-3.mil-be[.]cloudeu-west-3.mil-pl[.]cloudeu-west-3.minbuza[.]cloudeu-west-3.mindef-nl[.]cloudeu-west-3.msz-pl[.]cloudeu-west-3.mzv-sk[.]cloudeu-west-3.presidencia-pt[.]cloudeu-west-3.s3-be[.]cloudeu-west-3.s3-ua[.]cloudeu-west-3.ukrainesec[.]cloudeu-west-3.ukrtelecom[.]cloudeu-west-3-aws.aws-ukraine[.]cloudeu-west-3-aws.dep-no[.]cloudeu-west-3-aws.difesa-it[.]cloudeu-west-3-aws.gov-pl[.]cloudeu-west-3-aws.gov-sk[.]cloudeu-west-3-aws.gov-trust[.]cloudeu-west-3-aws.mil-be[.]cloudeu-west-3-aws.mil-pl[.]cloudeu-west-3-aws.mil-pt[.]cloudeu-west-3-aws.minbuza[.]cloudeu-west-3-aws.mindef-nl[.]cloudeu-west-3-aws.msz-pl[.]cloudeu-west-3-aws.mzv-sk[.]cloudeu-west-3-aws.quirinale[.]cloudeu-west-3-aws.regeringskansliet-se[.]cloudeu-west-3-aws.s3-be[.]cloudeu-west-3-aws.s3-ua[.]cloudeu-west-3-aws.ua-mil[.]cloudus-east-1-aws.mfa-gov[.]cloudus-east-1-aws.s3-ua[.]cloudus-east-1-aws.ua-gov[.]cloudus-east-1-aws.ua-sec[.]cloudus-east-2.aws-ukraine[.]cloudus-east-2.gov-ua[.]cloudus-east-2.ua-sec[.]cloudus-east-2.ukrainesec[.]cloudus-east-2-aws.gov-ua[.]cloudus-east-2-aws.ua-gov[.]cloudus-east-2-aws.ukrtelecom[.]cloudus-east-console.aws-ukraine[.]cloudus-east-console.ua-energy[.]cloudus-west-1.aws-ukraine[.]cloudus-west-1.ua-energy[.]cloudus-west-1.ua-gov[.]cloudus-west-1.ukrtelecom[.]cloudus-west-1-amazon.ua-energy[.]cloudus-west-1-amazon.ua-mil[.]cloudus-west-1-amazon.ua-sec[.]cloudus-west-1-aws.gov-ua[.]cloudus-west-2.gov-ua[.]cloudus-west-2.ua-energy[.]cloudus-west-2.ua-sec[.]cloudus-west-2-aws.mfa-gov[.]cloudus-west-2-aws.s3-ua[.]cloudus-west-2-aws.ua-energy[.]cloud References Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files appeared first on Microsoft Security Blog.

Categories: Microsoft