Jumpstart your Microsoft Graph Security API integration with the new JavaScript sample app

July 18th, 2018

The Microsoft Graph Security API, which launched this spring, is a unified REST API for integrating data and intelligence from Microsoft products, services, and partners. Using Microsoft Graph, developers can easily build applications that consolidate and correlate security alerts from multiple sources, unlock contextual data to inform investigations, and automate security operations for greater efficiency.

We just launched a new sample app that makes it easier than ever for developers to get started. Like the Python and C# samples already available, the new JavaScript sample app provides ready-to-run code to:

  • Display a list of all security alerts for a tenant. Filter by top alerts, category, provider, and severity, or alerts related to a particular user or device.
  • View rich alert details in JSON.
  • Show additional information from Microsoft Graph about a user or device.
  • Update the status of an alert, provide feedback, and add comments.
  • Subscribe to notifications of all new and updated alerts that meet your filters.
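The following is an added example and not code from the JavaScript sample app (Python is used for the examples on this page). It builds the alert query and alert-update payloads that the sample exposes: a GET against the alerts endpoint with $top, $orderby and an OData $filter for severity, category, provider, user or device, and the body of a PATCH that updates status, feedback and comments. The endpoint and query options are the public Graph Security API ones; that a PATCH has to carry the alert's vendorInformation is my understanding of the contract and should be confirmed against the API reference. The quoting in odata_literal is the check any app that builds filters from user-supplied values needs, since an unescaped single quote lets a caller rewrite the filter.

```python
"""Added example, not code from Microsoft's sample app: build Graph Security API
alert queries and alert-update bodies. Endpoint, $filter/$top/$orderby and field
names follow the public Graph Security API; the vendorInformation requirement on
PATCH is my understanding of the contract (assumption, check the reference)."""
import json
import urllib.parse
import urllib.request

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
SEVERITIES = {"unknown", "informational", "low", "medium", "high"}
STATUSES = {"unknown", "newAlert", "inProgress", "resolved"}
FEEDBACK = {"unknown", "truePositive", "falsePositive", "benignPositive"}


def odata_literal(value):
    """Quote a string for an OData $filter. A single quote inside the value is
    doubled, so a caller-supplied value such as o'brien (or a crafted
    "' or severity eq 'low") cannot break out of the literal and alter the filter."""
    return "'" + str(value).replace("'", "''") + "'"


def build_alert_query(top=10, severity=None, category=None, provider=None,
                      user=None, host=None):
    """URL for GET /security/alerts with the filters the sample app exposes:
    top N, category, provider, severity, or alerts tied to a user or device."""
    if severity is not None and severity not in SEVERITIES:
        raise ValueError("unknown severity: %r" % severity)
    clauses = []
    if severity:
        clauses.append("severity eq " + odata_literal(severity))
    if category:
        clauses.append("category eq " + odata_literal(category))
    if provider:
        clauses.append("vendorInformation/provider eq " + odata_literal(provider))
    if user:
        clauses.append("userStates/any(u:u/userPrincipalName eq %s)" % odata_literal(user))
    if host:
        clauses.append("hostStates/any(h:h/fqdn eq %s)" % odata_literal(host))
    params = {"$top": str(int(top)), "$orderby": "createdDateTime desc"}
    if clauses:
        params["$filter"] = " and ".join(clauses)
    # quote_via=quote percent-encodes spaces and quotes instead of using '+'
    return GRAPH_ALERTS + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def build_alert_update(provider, vendor, status=None, feedback=None, comment=None):
    """Body for PATCH /security/alerts/{id}: status, analyst feedback and a comment.
    vendorInformation identifies the provider that owns the alert (assumption)."""
    if status is not None and status not in STATUSES:
        raise ValueError("unknown status: %r" % status)
    if feedback is not None and feedback not in FEEDBACK:
        raise ValueError("unknown feedback: %r" % feedback)
    body = {"vendorInformation": {"provider": provider, "vendor": vendor}}
    if status:
        body["status"] = status
    if feedback:
        body["feedback"] = feedback
    if comment:
        body["comments"] = [comment]
    return body


def graph_request(url, token, method="GET", body=None):
    """Send an authenticated request. Needs a real OAuth2 bearer token for an app
    with SecurityEvents.Read.All (ReadWrite.All for PATCH) consented."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(build_alert_query(top=5, severity="high", user="o'brien@contoso.com"))
    print(json.dumps(build_alert_update("Azure Security Center", "Microsoft",
                                        status="inProgress", feedback="truePositive",
                                        comment="Triaged by SOC"), indent=2))
```

Run it without a token to see the URL and body it would send; pass a real bearer token to graph_request to execute them. The user filter in the printed URL shows the doubled quote percent-encoded, which is what keeps a name like o'brien from terminating the literal.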

Get started with the JavaScript sample app today!

Categories: cybersecurity

Enable your users to work securely from anywhere, anytime, across all of their devices

July 18th, 2018


This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 Security solutions. In this series you'll find context, answers, and guidance for deployment and for driving adoption within your organization. Check out our last blog, Assessing Microsoft 365 Security solutions using the NIST Cybersecurity Framework.

Your users expect technology to help them be productive, yet you need to keep your organization's data safe. This blog will show you how Microsoft 365 Security solutions can help you achieve this fine balance between productivity and security. We recommend an integrated solution that incorporates managing identities, managing devices, and then securing applications, email, and data.

First, we'll start with the question we often hear from customers: How can I make sure my employees are working securely when they are working remotely? With digital technology changing how people work, users need to be productive on a variety of devices, regardless of whether they are company-provided or bring your own device (BYOD). The vital foundation of your defense-in-depth strategy is strong, integrated identity protection.

Securing identities to protect at the front door

Identity management in Azure Active Directory (Azure AD) is your first step. Once user identities are managed in Azure AD, you can enable Azure AD single sign-on (SSO) to manage authentication across devices, cloud apps, and on-premises apps. Then layer Multi-factor Authentication (MFA) with Azure AD Conditional Access (see Figure 1). These security tools work together to reauthenticate high-risk users and to take automated action to secure your network.

Figure 1. Set user policies using Azure AD Conditional Access.

Security across devices

From identity, we move to devices. Microsoft Intune lets you manage both company-owned and BYOD devices from the cloud. Once you set up your Intune subscription, you can add users and groups, assign licenses, deploy and protect apps, and set up device enrollment.

Through Azure AD, you can then create conditional access policies according to user, device, application, and risk.

To strengthen employee sign-in on Windows 10 PCs, Windows Hello for Business replaces passwords with strong two-factor authentication: a credential bound to the device, unlocked by a biometric or a PIN.

Security across apps

Microsoft Cloud App Security gives you visibility and control over the cloud apps that your employees are using. You can see the overall picture of cloud apps across your network, including any unsanctioned apps your employees may be using. Discovering shadow IT apps can help you prevent unmonitored avenues into or out of your network.

Security across email

Once you have secured your organization's devices and applications, it's equally important to safeguard your organization's flow of information. Sending and receiving email is one of the weakest spots for IT security. Azure Information Protection allows you to configure policies to classify, label, and protect data based on sensitivity. You can then track activities on shared data and revoke user access if necessary.

For security against malicious emails, Office 365 Advanced Threat Protection (ATP) lets you set up anti-phishing protections to protect your employees from increasingly sophisticated phishing attacks.

Security across data

Once you have secured how employees access data, it's equally important to safeguard the data itself. Microsoft BitLocker Drive Encryption prevents others from accessing your disk drives and flash drives without authorization, even if they're lost or stolen. Windows Information Protection helps protect against accidental data leaks, with protection and policies that travel with the data wherever it goes.

Deployment tips from our experts

Now that you know more about how Microsoft 365 security solutions can protect your people and data in a mobile world, here are three proven tips to put it all into action:

  1. Be proactive, not reactive. Proactively provision identities through Azure AD, enroll devices through Microsoft Intune, and set up Intune App Protection. Enrolling devices helps keep your company's data safe by stopping threats and data breaches before they happen.
  2. Keep your company data safe. Managing employee identities is a fundamental part of information security. Enable SSO and MFA, set up conditional access policies, and then deploy Azure Information Protection for classification and protection of sensitive data.
  3. Plan for success with Microsoft FastTrack. This valuable service comes with your subscription at no additional charge. Whether you're planning your initial rollout, onboarding a product, or driving user adoption, FastTrack is a benefit that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, stay tuned for the white paper Work securely from anywhere, anytime, across all your devices coming soon!


Categories: Cloud Computing

Microsoft Intelligent Security Association expands with new members and products

Last April, we introduced the Microsoft Intelligent Security Association, a group of 19 security technology providers who have integrated their solutions with a select set of Microsoft products to provide customers better protection, detection, and response.

Today, we are pleased to announce that five new members have agreed to join the association: Duo Security, Fortinet, Trusona, Yubico, and Contrast Security. Microsoft is committed to growing the association with partners who can help increase the digital safety of our mutual customers.

In addition to these new members, we are also announcing the addition of Microsoft Cloud App Security, expanding the products included in the program. Cloud App Security gives you visibility into your cloud apps and services, provides sophisticated analytics to identify and combat cyberthreats, and enables you to control how your data travels. We are thrilled that existing members Zscaler and Forcepoint have integrated with Cloud App Security to extend its capabilities in new and exciting ways.

Microsoft is excited by the initial reaction to the Microsoft Intelligent Security Association, and we are committed to continuing to build on this early momentum.

Categories: Uncategorized

How Microsoft 365 Security integrates with the broader security ecosystem—part 1

July 17th, 2018

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

This week is the annual Microsoft Inspire conference, where Microsoft directly engages with industry partners. Last year at Inspire, we announced Microsoft 365, a solution that enables our partners to help customers drive digital transformation. One of the most important capabilities of Microsoft 365 is securing the modern workplace against a constantly evolving cyberthreat landscape. Microsoft 365 includes information protection, threat protection, identity and access management, and security management, providing in-depth and holistic security.

Across our Azure, Office 365, and Windows platforms, Microsoft offers a rich set of security tools for the modern workplace. However, the growth and diversity of technology platforms means customers will use solutions that extend beyond the Microsoft ecosystem of services. While Microsoft 365 Security offers complete coverage for Microsoft solutions, our customers have asked:

  1. What is Microsoft's strategy for integrating into the broader security community?
  2. What services does Microsoft offer to help protect assets extending beyond the Microsoft ecosystem?
  3. Are there real-world examples of Microsoft providing enterprise security for workloads outside of the Microsoft ecosystem, and is the integration seamless?

In this series of blogs, we'll address these topics, beginning with Microsoft's strategy for integrating into the broader security ecosystem. Our integration strategy begins with global partnerships with industry peers, industry alliances, law enforcement, and governments.

Industry peers

Cyberattacks on businesses and governments continue to escalate, and our customers must respond more quickly and aggressively to help ensure the safety of their data. For many organizations, this means deploying multiple security solutions, which are more effective when they share information seamlessly and work jointly as a cohesive solution. To this end, we established the Microsoft Intelligent Security Association. Members of the association work with Microsoft to help ensure their solutions have access to more security signals from more sources, enhanced by shared threat intelligence, helping customers detect and respond to threats faster.

Figure 1 shows current members of the Microsoft Intelligent Security Association whose solutions complement Microsoft 365 Security, strengthening the services offered to customers:

Figure 1. Microsoft Intelligent Security Association member organizations.

Industry alliances

Industry alliances are critical for developing guidelines and best practices and for standardizing security requirements. For example, the Fast Identity Online (FIDO) Alliance helps ensure organizations can provide secure authentication and mobile user credentials on-premises and in web properties. Microsoft is a FIDO board member. Securing identities is a critical part of today's security. FIDO intends to help ensure that everyone who uses day-to-day web or on-premises services gets a standard and excellent experience for securing their identity.

Microsoft exemplifies a great sign-in experience with Windows Hello, which uses facial recognition, PIN codes, and fingerprint technologies to power secure authentication for Windows and for the services and applications that support it. FIDO believes the experience is more important than the technology, and Windows Hello is a great experience for everyone while maintaining a secure user sign-in. FIDO is just one example of how Microsoft is taking a leadership position in the security community.

Figure 2 shows FIDOs board member organizations:

Figure 2. FIDO Alliance Board member organizations.

Law enforcement and governments

To help support law enforcement and governments, Microsoft has developed the Digital Crimes Unit (DCU), focused on:

  • Tech support fraud
  • Online child exploitation
  • Cloud crime and malware
  • Global strategic enforcement
  • Nation-state actors

The DCU is an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. Part of the DCU is the Cyber Defense Operations Center, where Microsoft monitors the global threat landscape, staying vigilant to the latest threats.

Figure 3 shows the DCU operations Center:

Figure 3. Microsoft Cyber Defense Operations Center.

Digging deeper

In part 2 of our series, we'll showcase Microsoft services that enable customers to protect assets and workloads extending beyond the Microsoft ecosystem. Meanwhile, learn more about the depth and breadth of Microsoft 365 Security and start trials of our advanced solutions.

Categories: cybersecurity

Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis

Much of cybercrime today is fueled by underground markets where malware and cybercriminal services are available for purchase. These markets in the deep web commoditize malware operations. Even novice cybercriminals can buy malware toolkits and other services they might need for malware campaigns: encryption, hosting, antimalware evasion, spamming, and many others.

Hawkeye Keylogger (also known as iSpy Keylogger) is an info-stealing malware that's being sold as malware-as-a-service. Over the years, the malware authors behind Hawkeye have improved the malware service, adding new capabilities and techniques. It was last used in a high-volume campaign in 2016.

This year marked the resurgence of Hawkeye. In April, malware authors started peddling a new version of the malware that they called Hawkeye Keylogger – Reborn v8. Not long after, on April 30, Office 365 Advanced Threat Protection (Office 365 ATP) detected a high-volume campaign that distributed the latest variants of this keylogger.

At the onset, Office 365 ATP blocked the email campaign and protected customers, 52% of whom are in the software and tech sector. Companies in the banking (11%), energy (8%), chemical (5%), and automotive (5%) industries are also among the top targets.

Figure 1. Top industries targeted by the April 2018 Hawkeye campaign

Office 365 ATP uses intelligent systems that inspect attachments and links for malicious content to protect customers against threats like Hawkeye in real time. These automated systems include a robust detonation platform, heuristics, and machine learning models. Office 365 ATP uses intelligence from various sensors, including multiple capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP).

Windows Defender AV (a component of Windows Defender ATP) detected and blocked the malicious attachments used in the campaign in at least 40 countries. United Arab Emirates accounted for 19% of these file encounters, while the Netherlands (15%), the US (11%), South Africa (6%) and the UK (5%) make the rest of the top 5 countries that saw the lure documents used in the campaign. A combination of generic and heuristic protections in Windows Defender AV (TrojanDownloader:O97M/Donoff, Trojan:Win32/Tiggre!rfn, Trojan:Win32/Bluteal!rfn, VirTool:MSIL/NetInject.A) ensured these threats are blocked in customer environments.

Figure 2. Top countries that encountered malicious documents used in the Hawkeye campaign

As part of our job to protect customers from malware attacks, Office 365 ATP researchers monitor malware campaigns like Hawkeye and other developments in the cybercriminal landscape. Our in-depth investigation into malware campaigns like Hawkeye and many others adds to the vast threat intelligence we get from the Microsoft Intelligent Security Graph, which enables us to continuously raise the bar in security. Through the Intelligent Security Graph, security technologies in Microsoft 365 share signals and detections, allowing these technologies to automatically update protection and detection mechanisms, as well as orchestrate remediation across Microsoft 365.

Figure 3. Microsoft 365 threat protection against Hawkeye

Campaign overview

Despite its name, Hawkeye Keylogger – Reborn v8 is more than a common keylogger. Over time, its authors have integrated various modules that provide advanced functionalities like stealth and detection evasion, as well as credential theft and more.

Malware services like Hawkeye are advertised and sold on the deep web, which requires anonymity networks like Tor to access. Interestingly, the Hawkeye authors advertised their malware and even published tutorial videos on a website on the surface web (which has since been taken down). Even more interesting, based on underground forums, it appears the malware authors have employed intermediary resellers, an example of how cybercriminal underground business models expand and evolve.

Our investigation into the April 2018 Hawkeye campaign shows that the cybercriminals have been preparing for the operation since February, when they registered the domains they later used in the campaign.

Typical of malware campaigns, the cybercriminals undertook the following steps:

  • Built malware samples and malware configuration files using a malware builder they acquired from the underground
  • Built weaponized documents to be used as a social engineering lure (possibly by using another tool bought in the underground)
  • Packed or obfuscated the samples (using a customized open-source packer)
  • Registered domains for delivery of malware
  • Launched a spam campaign (possibly using a paid spam service) to distribute the malware

Like other malware toolkits, Hawkeye comes with an admin panel that cybercriminals use to monitor and control the attack.

Figure 4: Hawkeye's admin panel

Interestingly, some of the methods used in this Hawkeye campaign are consistent with previous attacks. This suggests that the cybercriminals behind this campaign may be the same group responsible for malware operations that delivered the remote access tool (RAT) Remcos and the info-stealing bot malware Loki. The following methods were used in these campaigns:

  • Multiple documents that create a complicated, multi-stage delivery chain
  • Redirections using shortened bit.ly links
  • Use of malicious macro, VBScript, and PowerShell scripts to run the malware; the Remcos campaign employed an exploit for CVE-2017-0199 but used the same domains
  • Consistent obfuscation technique across multiple samples

Point of entry

In late April, Office 365 ATP analysts spotted a new spam campaign with the subject line RFQ-GHFD456 ADCO 5647 deadline 7th May carrying a Word document attachment named Scan Copy 001.doc. While the attachment's file name extension was .doc, it was in fact a malicious Office Open XML document, a format that usually uses the .docx extension.

In total, the campaign used four different subject lines and five attachments.

Figure 5: Sample emails used in the Hawkeye campaign

Because the attachment contains malicious code, Microsoft Word opens with a security warning. The document uses a common social engineering lure: it displays a fake message and an instruction to Enable editing and Enable content.

Figure 6: The malicious document with social engineering lure

The document contains an embedded frame that connects to a remote location using a shortened URL.

Figure 7: Frame relationship in settings.rels.xml inside the document

The frame loads an .rtf file from hxxp://bit[.]ly/Loadingwaitplez, which redirects to hxxp://stevemike-fireforce[.]info/work/doc/10.doc.
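The frame described above is an ordinary OOXML relationship whose TargetMode is External: Word resolves it when the document opens, before the user has enabled anything. The following added example (not from the Microsoft analysis) walks every .rels part in a package and lists such relationships, skipping plain hyperlinks, which only resolve on a click. The sample document is constructed in memory and is a minimal stand-in for the lure, not the real file; the set of relationship types treated as fetched-on-open is my assumption and should be tuned to your threat model.

```python
"""Added example, not from the Microsoft analysis: list external relationships in
an Office Open XML package. The sample .docx is constructed in memory; the
AUTO_FETCH set is an assumption about which relationship types Word resolves on open."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types whose external target is fetched when the document opens (assumption).
AUTO_FETCH = {"frame", "oleObject", "attachedTemplate", "subDocument"}


def external_relationships(docx_bytes):
    """Return every TargetMode="External" relationship in the package, skipping
    hyperlinks, which only resolve when the user clicks them."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError as exc:
                # A .rels part that is not well-formed XML is itself worth a look.
                findings.append({"part": name, "type": "unparseable",
                                 "target": str(exc), "auto_fetch": False})
                continue
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if rtype == "hyperlink":
                    continue
                findings.append({"part": name, "type": rtype,
                                 "target": rel.get("Target"),
                                 "auto_fetch": rtype in AUTO_FETCH})
    return findings


def build_sample_docx(frame_target=None):
    """Construct a minimal .docx; with frame_target set, add a webSettings
    relationship that points a frame at an external URL (constructed sample)."""
    pkg_rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" '
                'Type="%sofficeDocument" Target="word/document.xml"/></Relationships>'
                % (REL_NS, OFFICE_REL))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", pkg_rels)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body/></w:document>')
        if frame_target:
            z.writestr("word/_rels/webSettings.xml.rels",
                       '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sframe" '
                       'Target="%s" TargetMode="External"/></Relationships>'
                       % (REL_NS, OFFICE_REL, frame_target))
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx("http://example.invalid/work/doc/10.doc")
    for f in external_relationships(doc):
        print("%s: %s -> %s%s" % (f["part"], f["type"], f["target"],
                                   "  [fetched on open]" if f["auto_fetch"] else ""))
```

Point external_relationships at the bytes of a real attachment to triage it; a document that lists an external frame, OLE object or attached template in a .rels part should be detonated, not opened. For untrusted files at scale, swap the standard parser for a hardened XML parser.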

Figure 8: RTF loaded as a frame inside malicious document

The RTF has an embedded, macro-carrying .xlsx file as an OLE object, which in turn contains a stream named PACKAGE holding the .xlsx contents.

The macro script is mostly obfuscated, but the URL to the malware payload is notably in plaintext.

Figure 9: Obfuscated macro entry point

De-obfuscating the entire script makes its intention clear. The first section uses PowerShell and the System.Net.WebClient object to download the malware to the path C:\Users\Public\svchost32.exe and execute it.

The macro script then terminates both winword.exe and excel.exe. In specific scenarios where Microsoft Word is running with administrator privileges (overriding the default settings), the macro can delete Windows Defender AV's malware definitions. It then changes the registry to disable Microsoft Office's security warnings and safety features.

In summary, the campaign's delivery comprises multiple layers of components that aim to evade detection and possibly complicate analysis by researchers.

Figure 10: The campaigns delivery stages

The downloaded payload, svchost32.exe, is a .NET assembly named Millionare that is obfuscated using a custom version of ConfuserEx, a well-known open-source .NET obfuscator.

Figure 11: Obfuscated .NET assembly Millionare showing some of the scrambled names

The obfuscation modifies the .NET assembly's metadata so that all class and variable names are meaningless, scrambled Unicode strings. This obfuscation causes some analysis tools like .NET Reflector to show some namespace or class names as blank, or in some cases to display parts of the code backwards.

Figure 12: .NET Reflector presenting the code backwards due to obfuscation

Finally, the .NET binary loads an unpacked .NET assembly, which includes DLL files embedded as resources in the portable executable (PE).

Figure 13: Loading the unpacked .NET assembly during run-time

Malware loader

The DLL that initiates the malicious behavior is embedded as a resource in the unpacked .NET assembly. It is loaded in memory using process hollowing, a code injection technique that involves spawning a new instance of a legitimate process and then hollowing it out, i.e., replacing the legitimate code with malware.

Figure 14: In-memory unpacking of the malware using process hollowing.

Unlike previous Hawkeye variants (v7), which loaded the main payload into their own process, the new Hawkeye malware injects its code into MSBuild.exe, RegAsm.exe, and VBC.exe, signed executables that ship with the .NET Framework. This is an attempt to masquerade as a legitimate process.

Figure 15: Obfuscated calls using .NET reflection to perform the process hollowing routine that injects the malware's main payload into RegAsm.exe

Additionally, in the previous version the process hollowing routine was written in C. In the new version it is rewritten entirely in managed .NET code that calls the native Windows API.

Figure 16: Process hollowing routine implemented in .NET using native API function calls

Malware functionalities

The new Hawkeye variants created by the latest version of the malware toolkit have multiple sophisticated functions for information theft and evading detection and analysis.

Information theft

The main keylogger functionality is implemented using hooks that monitor key presses, as well as mouse clicks and window context, along with clipboard hooks and screenshot capability.

It has specific modules for extracting and stealing credentials from the following applications:

  • Beyluxe Messenger
  • Core FTP
  • FileZilla
  • Minecraft (replaced the RuneScape module in previous version)

Like many other malware campaigns, it uses the legitimate BrowserPassView and MailPassView tools to dump credentials from the browser and email client. It also has modules for taking screenshots of the desktop, as well as the webcam, if it exists.

Notably, the malware has a mechanism to visit certain URLs for click-based monetization.

Stealth and anti-analysis

On top of the process hollowing technique, this malware uses other methods for stealth, including deleting the Zone.Identifier alternate data stream that carries the mark of the web (MOTW) from the malware's downloaded files.

This malware can be configured to delay execution by any number of seconds, a technique used mainly to avoid detection by various sandboxes.

It prevents antivirus software from running using an interesting technique. It adds subkeys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and sets the Debugger value for certain processes to rundll32.exe, so that Windows launches rundll32.exe in place of the intended program and the program never starts. It targets the following processes related to antivirus and other security software:

  • AvastSvc.exe
  • AvastUI.exe
  • avcenter.exe
  • avconfig.exe
  • avgcsrvx.exe
  • avgidsagent.exe
  • avgnt.exe
  • avgrsx.exe
  • avguard.exe
  • avgui.exe
  • avgwdsvc.exe
  • avp.exe
  • avscan.exe
  • bdagent.exe
  • ccuac.exe
  • ComboFix.exe
  • egui.exe
  • hijackthis.exe
  • instup.exe
  • keyscrambler.exe
  • mbam.exe
  • mbamgui.exe
  • mbampt.exe
  • mbamscheduler.exe
  • mbamservice.exe
  • MpCmdRun.exe
  • MSASCui.exe
  • MsMpEng.exe
  • msseces.exe
  • rstrui.exe
  • spybotsd.exe
  • wireshark.exe
  • zlclient.exe

Further, it blocks access to certain domains that are usually associated with antivirus or security updates. It does this by modifying the HOSTS file. The list of domains to be blocked is determined by the attacker using a config file.

This malware protects its own processes. It blocks the command prompt, registry editor, and task manager. It does this by modifying registry keys for local group policy administrative templates. It also constantly checks active windows and renders action buttons unusable if the window title matches ProcessHacker, Process Explorer, or Taskmgr.
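The three evasions described above (an Image File Execution Options Debugger that is not a debugger, hosts entries that sink vendor domains, and policy values that disable cmd, regedit and Task Manager) all leave durable artifacts that can be checked offline. The following added example (not from the Microsoft analysis) parses a .reg export and a hosts file and reports each. The IFEO key path is the real one; the policy value names DisableCMD, DisableRegistryTools and DisableTaskMgr are the well-known ones I assume the text refers to; the list of acceptable debuggers and of vendor domains are assumptions to tune for your estate; both inputs are constructed samples.

```python
"""Added example, not from the Microsoft analysis: find IFEO Debugger hijacks,
admin-tool policy lockouts and hosts-file overrides in constructed sample inputs.
KNOWN_DEBUGGERS, POLICY_VALUES and SECURITY_DOMAINS are assumptions to tune."""
import re

IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
        r"\Image File Execution Options")
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe", "procdump.exe"}
POLICY_VALUES = {"DisableCMD", "DisableRegistryTools", "DisableTaskMgr"}
SECURITY_DOMAINS = ("microsoft.com", "windowsupdate.com", "avast.com", "avg.com",
                    "kaspersky.com", "malwarebytes.com", "eset.com", "bitdefender.com")

# Constructed .reg export: one hijack, one legitimate debugger, two policy lockouts.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""

# Constructed hosts file with two vendor domains sunk to local/null addresses.
SAMPLE_HOSTS = """127.0.0.1 localhost
0.0.0.0 update.avast.com
127.0.0.1 www.malwarebytes.com  # constructed entry
"""

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """{key path: {value name: data}} from a .reg export; string data is unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("WINDOWS REGISTRY"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def debugger_image(cmdline):
    """Image name of the first token of a Debugger command line, quoted or not."""
    cmdline = cmdline.strip()
    head = cmdline[1:].split('"', 1)[0] if cmdline.startswith('"') else cmdline.split()[0]
    return head.rsplit("\\", 1)[-1].lower()


def find_ifeo_hijacks(keys):
    """IFEO subkeys whose Debugger is not a debugger: the program named by the
    subkey is launched through that image instead (Hawkeye used rundll32.exe)."""
    hits = []
    for path, values in keys.items():
        if path.lower().startswith(IFEO.lower() + "\\") and "Debugger" in values:
            if debugger_image(values["Debugger"]) not in KNOWN_DEBUGGERS:
                hits.append((path.rsplit("\\", 1)[-1], values["Debugger"]))
    return hits


def find_disabled_admin_tools(keys):
    """Non-zero policy values that lock users out of cmd, regedit or Task Manager."""
    hits = []
    for path, values in keys.items():
        if "\\policies\\" not in path.lower():
            continue
        for name, data in values.items():
            if name in POLICY_VALUES and data.lower().startswith("dword:") and int(data[6:], 16):
                hits.append((name, path))
    return hits


def find_hosts_overrides(hosts_text):
    """hosts entries for security-vendor domains; any override is suspect."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for host in fields[1:]:
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((fields[0], host))
    return hits


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    print("IFEO hijacks:", find_ifeo_hijacks(reg))
    print("Disabled admin tools:", find_disabled_admin_tools(reg))
    print("hosts overrides:", find_hosts_overrides(SAMPLE_HOSTS))
```

On a live host, feed the functions the output of reg export for the IFEO and Policies keys and the contents of %SystemRoot%\System32\drivers\etc\hosts. The notepad.exe entry in the sample is there to show that an IFEO Debugger by itself is not malicious; it is the non-debugger image (rundll32.exe here) that marks the hijack.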

Meanwhile, it prevents other malware from infecting the machine. It repeatedly scans and removes any new values to certain registry keys, stops associated processes, and deletes related files.

Hawkeye attempts to avoid automated analysis. The delay in execution is designed to defeat automated sandbox analysis that allots only a certain time for malware execution and analysis. It likewise attempts to evade manual analysis by monitoring windows and exiting when it finds the following analysis tools:

  • Sandboxie
  • Winsock Packet Editor Pro
  • Wireshark

Defending mailboxes, endpoints, and networks against persistent malware campaigns

Hawkeye illustrates the continuous evolution of malware in a threat landscape fueled by the cybercriminal underground. Malware services make malware accessible to even unsophisticated operators, while simultaneously making it more durable with advanced techniques like in-memory unpacking and abuse of .NET's CLR engine for stealth. In this blog we covered the capabilities of its latest version, Hawkeye Keylogger – Reborn v8, highlighting some of the enhancements over the previous version. Given its history, the Hawkeye authors are likely to release a new version in the future.

Organizations should continue educating their employees about spotting and preventing social engineering attacks. After all, Hawkeye's complicated infection chain begins with a social engineering email and lure document. A security-aware workforce will go a long way in securing networks against attacks.

More importantly, securing mailboxes, endpoints, and networks using advanced threat protection technologies can prevent attacks like Hawkeye, other malware operations, and sophisticated cyberattacks.

Our in-depth analysis of the latest version and our insight into the cybercriminal operation that drives this development allow us to proactively build robust protections against both known and unknown threats.

Office 365 Advanced Threat Protection (Office 365 ATP) protects mailboxes as well as files, online storage, and applications from malware campaigns like Hawkeye. It uses a robust detonation platform, heuristics, and machine learning to inspect attachments and links for malicious content in real time, ensuring that emails that carry Hawkeye and other threats don't reach mailboxes and devices. Learn how to add Office 365 ATP to existing Exchange or Office 365 plans.

Windows Defender Antivirus (Windows Defender AV) provides an additional layer of protection by detecting malware delivered through email, as well as other infection vectors. Using local and cloud-based machine learning, Windows Defender AV's next-gen protection can block even new and unknown threats on Windows 10 and Windows 10 in S mode.

Additionally, endpoint detection and response (EDR) capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) expose sophisticated and evasive malicious behavior, such as that used by Hawkeye. Sign up for a free Windows Defender ATP trial.

Windows Defender ATP's rich detection libraries are powered by machine learning and allow security operations teams to detect and respond to anomalous attacks in the network. For example, machine learning detection algorithms surface the following alert when Hawkeye uses malicious PowerShell to download the payload:

Figure 17: Windows Defender ATP alert for Hawkeye's malicious PowerShell component

Windows Defender ATP also has behavior-based machine learning algorithms that detect the payload itself:

Figure 18: Windows Defender ATP alert for Hawkeye's payload

These security technologies are part of the advanced threat protection solutions in Microsoft 365. Enhanced signal sharing across services in Windows, Office 365, and Enterprise Mobility + Security through the Microsoft Intelligent Security Graph enables the automatic update of protections and orchestration of remediation across Microsoft 365.

Office 365 ATP Research

Indicators of Compromise (IOCs)

Email subject lines

  • {EXT} NEW ORDER ENQUIRY #65563879884210#
  • Betreff: URGENT ENQ FOR Equipment
  • RFQ-GHFD456 ADCO 5647 deadline 7th May

Attachment file names

  • Betreff URGENT ENQ FOR Equipment.doc
  • NEW ORDER ENQUIRY #65563879884210#.doc
  • Scan Copy 001.doc
  • Swift Copy.doc

Domains

  • lokipanelhostingpanel[.]gq
  • stellarball[.]com
  • stemtopx[.]com
  • stevemike-fireforce[.]info

Shortened redirector links

  • hxxp://bit[.]ly/ASD8239ASdmkWi38AS (was also used in a Remcos campaign)
  • hxxp://bit[.]ly/loadingpleaswaitrr
  • hxxp://bit[.]ly/Loadingwaitplez

Files (SHA-256)

  • d97f1248061353b15d460eb1a4740d0d61d3f2fcb41aa86ca6b1d0ff6990210a – .eml
  • 23475b23275e1722f545c4403e4aeddf528426fd242e1e5e17726adb67a494e6 – .eml
  • 02070ca81e0415a8df4b468a6f96298460e8b1ab157a8560dcc120b984ba723b – .eml
  • 79712cc97a19ae7e7e2a4b259e1a098a8dd4bb066d409631fb453b5203c1e9fe – .eml
  • 452cc04c8fc7197d50b2333ecc6111b07827051be75eb4380d9f1811fa94cbc2 – .eml
  • 95511672dce0bd95e882d7c851447f16a3488fd19c380c82a30927bac875672a – .eml
  • 1b778e81ee303688c32117c6663494616cec4db13d0dee7694031d77f0487f39 – .eml
  • 12e9b955d76fd0e769335da2487db2e273e9af55203af5421fc6220f3b1f695e – .eml
  • 12f138e5e511f9c75e14b76e0ee1f3c748e842dfb200ac1bfa43d81058a25a28 – .eml
  • 9dfbd57361c36d5e4bda9d442371fbaa6c32ae0e746ebaf59d4ec34d0c429221 – .docx (stage 1)
  • f1b58fd2bc8695effcabe8df9389eaa8c1f51cf4ec38737e4fbc777874b6e752 – .rtf (stage 2)
  • 5ad6cf87dd42622115f33b53523d0a659308abbbe3b48c7400cc51fd081bf4dd – .doc
  • 7db8d0ff64709d864102c7d29a3803a1099851642374a473e492a3bc2f2a7bae – .rtf
  • 01538c304e4ed77239fc4e31fb14c47604a768a7f9a2a0e7368693255b408420 – .rtf
  • d7ea3b7497f00eec39f8950a7f7cf7c340cf9bf0f8c404e9e677e7bf31ffe7be – .vbs
  • ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8 – .exe (packed)
  • c73c58933a027725d42a38e92ad9fd3c9bbb1f8a23b3f97a0dd91e49c38a2a43 – .exe (unpacked)

Categories: cybersecurity

P = NP: Cloud data protection in vulnerable non-production environments

July 11th, 2018

Data is the holy grail of your cloud workloads for attackers. Data breaches are the kind of breaches that make the news. With the recent European Union General Data Protection Regulations (GDPR), they will make even bigger headlines. From an enterprise point of view, the most challenging aspect of protecting data is knowing what it is and where it resides. Only when these two questions are answered can you drive data protection via organizational policies.

Most of your sensitive data is collected in production environments: the environments you know you need to protect, and usually do. But this is only part of the story. Even though best practices mandate that sensitive information be scrubbed before it moves elsewhere in the organization, this cannot be guaranteed. It stands in contradiction to the growing adoption and improvement of the shift-left testing concept, as well as other business needs.

Shift-left testing is the movement of testing to earlier stages in the development lifecycle. Mature testing in early stages is appreciated as it helps developers find problems earlier and in a more cost-effective manner. It also helps quality assurance teams to reproduce bugs in the system and accelerates the debugging processes.

There are other business needs for pulling data to non-production environments. In the research and analytics space, data scientists and analysts prefer to use real data to do their research effectively, whether to offer models that improve the production systems, to perform forensic and log analysis, or to bring insight to product, strategy, and marketing teams, to name a few. In the customer service space, helpdesk personnel may need to pull sensitive records to allow them to perform their jobs efficiently.

For these purposes and others, production data is being pulled not only to the staging environment, but also to development and test environments, as well as research and analytics environments. Data may even reach personal or team playgrounds. Oftentimes, the reality is that organizations disperse data across various environments, making it hard to keep track of what and where.

The following schematic depicts the flow of code from development environments to staging and production environments, along with the flow of production data back to staging, development, and research environments to allow for mature testing and business improvement at earlier stages. The latter flow may even continue to leak outside the organization's IT.

From a security point of view, the data pull should be protected, and sensitive data should not be present in a non-production environment. Synthetic fake data generation should be applied when possible, and format-preserving masking should be applied when data needs to be more realistic. However, not using real data will always impose some loss of data properties and, in turn, the data will always lack some characteristics that may be crucial for testing, and certainly for research. Therefore, to enable advanced testing at earlier stages and allow for better analytics, real data will keep being pulled out of production environments, and the associated risk will be spread throughout the organizations data stores.

To address this risk, applying perimeter solutions is a good start. But if this is your answer to the risk, then you should think again! Are you sure that once an attacker gets a hold of your sensitive data, he cannot evade detection? Are you sure that you have no malicious insiders? What is a perimeter in the cloud?

Let's take a step back and rethink the basics of what is needed from a data protection solution: beyond basic security requirements, such as role-based access control, multifactor authentication, setting up firewalls, and encrypting data at rest and in transit, advanced threat protection should be deployed. This comprises:

  1. Visibility on where your sensitive data resides, what type of sensitive data it is, and who is accessing this data and how.
  2. Understanding the vulnerabilities of your data stores and being able to fix them.
  3. Detecting the threats and attempts made to infiltrate your data stores.
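As an added example (not code from the original post), the following Python script implements the ideas in the paragraphs above: it inventories which environment holds which kind of sensitive data, produces the format-preserving masked copy that should be pulled into a non-production store, and shows why pattern-based discovery alone cannot distinguish a masked copy from a real one. Store names, rows, and the masking key are constructed.

```python
"""Sensitive-data discovery across environments plus format-preserving masking.

Added example, not code from the original post. Store names, rows and the
masking key are constructed; the regex/Luhn classifiers stand in for a real
classification service.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(value: str) -> Optional[str]:
    """Sensitive-data type of one cell value, or None."""
    if EMAIL_RE.match(value):
        return "email"
    if CARD_RE.match(value) and luhn_ok(value):
        return "card"
    return None


def mask_card(value: str, key: bytes) -> str:
    """Same-length replacement that still passes Luhn, so format validators in
    test code keep working. Digits come from HMAC(key, value), so the same real
    number always masks to the same token and joins survive, but the original
    is not recoverable without the key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    body = "".join(str(digest[i % len(digest)] % 10) for i in range(len(value) - 1))
    for check in "0123456789":               # exactly one check digit satisfies Luhn
        if luhn_ok(body + check):
            return body + check
    raise AssertionError("unreachable")


def mask_email(value: str, key: bytes) -> str:
    """Keyed token in place of the local part; keeping the domain is a policy
    choice, since the domain may itself be sensitive."""
    local, domain = value.rsplit("@", 1)
    token = hmac.new(key, local.encode(), hashlib.sha256).hexdigest()
    return f"{token[:len(local)]}@{domain}"


@dataclass
class DataStore:
    name: str
    environment: str          # "production", "staging", "dev", "research", ...
    rows: List[dict]
    masked: bool = False      # lineage flag set on copies made by sanitized_copy


def discover(stores: List[DataStore]) -> list:
    """Inventory of (environment, store, column, type) for every sensitive cell."""
    findings = set()
    for store in stores:
        for row in store.rows:
            for column, value in row.items():
                kind = classify(str(value))
                if kind:
                    findings.add((store.environment, store.name, column, kind))
    return sorted(findings)


def nonprod_exposures(stores: List[DataStore]) -> list:
    """Real sensitive data outside production. Pattern matching cannot tell a
    masked value from a real one (masking preserves the format), so the lineage
    flag carried by the copy is what separates the two."""
    return discover([s for s in stores if s.environment != "production" and not s.masked])


def sanitized_copy(store: DataStore, key: bytes, target_env: str) -> DataStore:
    """The copy that should be pulled into a non-production environment."""
    maskers = {"card": mask_card, "email": mask_email}
    rows = []
    for row in store.rows:
        out = {}
        for column, value in row.items():
            masker = maskers.get(classify(str(value)))
            out[column] = masker(value, key) if masker else value
        rows.append(out)
    return DataStore(f"{store.name}-{target_env}", target_env, rows, masked=True)


# Constructed sample: a production customer table and a raw, unmasked copy that
# a developer pulled into a dev database.
KEY = b"constructed-masking-key"
PROD = DataStore("customers", "production", [
    {"id": "1", "email": "alice@contoso.example", "card": "4111111111111111"},
    {"id": "2", "email": "bob@fabrikam.example", "card": "5500000000000004"},
])
DEV_RAW = DataStore("customers-dev", "dev", PROD.rows)
```

`nonprod_exposures([PROD, DEV_RAW])` reports the raw dev copy, while the store returned by `sanitized_copy` is reported only through its lineage flag, because the masked values still match the classifiers.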

Any subset of these capabilities is going to leave weak spots in your organizations posture. For instance, if you have visibility regarding the whereabouts of sensitive data, but no knowledge of the vulnerabilities of your databases, can you be sure that any attempt to infiltrate/exfiltrate your database is detected? Test environments are commonly targeted for data breaches where real data is used for testing and development purposes, like the recent example of Shutterfly.

In addition, if you have a vulnerability in a non-production resource, most likely it exists in similar production resources as well. Finding this out gives attackers a great deal of leverage in reconnaissance terms. They can probe and investigate non-production environments to find weak spots, then apply them to production environments, minimizing their contact with your production environments and minimizing the probability of being caught by your threat detection solutions, in case the latter are only deployed on your production environments.

This establishes the following imperative: data protection must be an organization-wide solution, not only a production environment deployment! Hence, P = NP.

From a cloud workload protection perspective, you should build a vision of how to protect your data resources that considers your IT, DevOps, and research methodologies, as well as your data stewardship practices. Deriving a roadmap for this vision requires a solution that allows you to discover your organization's data resources, including any resources in your shadow IT infrastructure. The outcome of this methodical process, whether it's manual, semi-automated, or fully automated, should be a mapping of your data estate across all sorts of environments and an associated risk statement for each resource. This evaluation gives you a metric and can be used as a compass to secure your organization. The resources that were deemed eligible for advanced security should then be continuously monitored with advanced threat prevention solutions that keep you alerted to the vulnerabilities of your resources and the sensitivity of your data, and that provide a real-time threat detection capability. Therefore, when we are asked by customers whether they should protect their non-production environments, our answer is: P = NP!

Azure Security Center is a great tool built into Azure that can help you protect all your environments. It helps you assess the security state of your cloud resources, in both production and non-production environments, and provides advanced threat protection against evolving threats. You can start a free trial for Azure and the Security Center, or if you're already using Azure, just open the Security Center blade to start using it today.


Assessing Microsoft 365 security solutions using the NIST Cybersecurity Framework

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series, you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, New FastTrack benefit: Deployment support for Co-management on Windows 10 devices.

Microsoft 365 security solutions align to many cybersecurity protection standards. One widely-adopted standard is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Developed for the US government, NIST CSF is now also used by governments and enterprises worldwide as a best practice for managing cybersecurity risk. Mapping your Microsoft 365 security solutions to NIST CSF can also help you achieve compliance with many certifications and regulations, such as FedRAMP, and others.

Microsoft 365 security solutions are designed to help you empower your users to do their best work securely, from anywhere and with the tools they love. Our security philosophy is built on four pillars: identity and access management, threat protection, information protection, and security management. Microsoft 365 E5 (see Figure 1.) includes products for each pillar that work together to keep your organization safe.

Figure 1. The Microsoft 365 security solutions

At the heart of NIST CSF is the Cybersecurity Framework Core, a set of Functions and related outcomes for improving cybersecurity (see Figure 2). In this blog, we'll show you examples of how you can assess Microsoft 365 security capabilities using four of the Function areas in the core: Identify, Protect, Detect, and Respond.* We'll also provide practical tips on how you can use Microsoft 365 Security to help achieve key outcomes within each function.

Figure 2. The NIST Cybersecurity Framework Core


Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

The purpose of this function is to gain a better understanding of your IT environment and identify exactly which assets are at risk of attack. From there, you can start to align these assets and associated risks to your overall business goals (including regulatory and industry requirements) and prioritize which assets require attention.

For example, the Asset management category is about identifying and managing the data, personnel, devices, and systems that enable an organization to achieve its business purpose, in a way that is consistent with their relative importance to business objectives and the organization's risk strategy.

Microsoft 365 security solutions help identify and manage key assets such as user identity, company data, PCs and mobile devices, and cloud apps used by company employees. First, provisioning user identities in Microsoft Azure Active Directory (AD) provides fundamental asset and user identity management that includes application access, single sign-on, and device management. Through Azure AD Connect, you can integrate your on-premises directories with Azure Active Directory. (See Figure 3.) This capability allows for a common secure identity for users of Microsoft Office 365, Azure, and thousands of other Software as a Service (SaaS) applications pre-integrated into Azure AD.

Figure 3. Through Azure AD Connect, you can integrate your on-premises directories with Azure Active Directory

Deployment Tip: Start by managing identities in the cloud with Azure AD to get the benefit of single sign-on for all your employees. Azure AD Connect will help you integrate your on-premises directories with Azure Active Directory.


Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

The Protect function focuses on policies and procedures to protect data from a potential cybersecurity attack.

Microsoft 365 security solutions support the NIST CSF categories in this function. For example, the Identity management and access control category is about managing access to assets by limiting authorization to devices, activities, and transactions. Your first safeguard against threats or attackers is to maintain strict, reliable, and appropriate access control. Azure Active Directory Conditional Access evaluates a set of configurable conditions, including user, device, application, and risk (see Figure 4). Based on these conditions, you can then set the right level of access control. For access control on your networks.

Figure 4. Azure AD Conditional Access evaluates a set of configurable conditions, including user, device, application, and risk

Deployment Tip: Manage access control by configuring conditional access policies in Azure AD. Use conditional access to apply conditions that grant access depending on a range of factors or conditions, such as location, device compliance, and employee need.


Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

The Detect function covers systems and procedures that help you monitor your environment and detect a security breach as quickly as possible.

Microsoft 365 security solutions provide you with solutions that detect and protect against Anomalies and events in real time. Microsoft 365 security solutions offer advanced threat protection (see Figure 5.), security and audit log management, and application whitelisting to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Microsoft 365 has capabilities to detect attacks across these three key attack vectors:

  • Device-based attacks: Windows Defender Advanced Threat Protection provides near-instant detection and blocking of new and emerging threats using advanced file and process behavior monitoring and other heuristics. The Alerts queue shows a list of alerts that are flagged from machines in your network.
  • Email-based attacks: Office 365 Advanced Threat Protection protects your emails, attachments, online storage, files, and environment through a variety of technologies, including Safe Attachments, Exchange Online Protection, and rich reporting and tracking insights.
  • Identity credential attacks: Azure Advanced Threat Protection (Azure ATP) takes information from logs and network events to learn the behavior of users in the organization and build a behavioral profile about them. It then detects suspicious activities, searching for malicious attacks, abnormal behavior, and security issues and risks.

Figure 5. Threat detection integrated across Microsoft 365


Respond: Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.

The Respond Function provides guidelines for effectively containing a cybersecurity incident once it has occurred through development and execution of an effective incident response plan.

Microsoft 365 security solutions directly support the Response Planning category through a variety of visibility reports and insights. Azure AD Access and Usage reports allow you to view and assess the integrity and security of your organization's implementation of Azure AD. With this information, you can better determine where possible security risks may lie and adequately plan to mitigate those risks. These reports also support the Mitigation category, including anomaly reports, integrated application reports, error reports, user-specific reports, and activity logs that contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days. Supporting the Analysis category, Microsoft offers guidance and education on Windows security and forensics to give organizations the ability to investigate cybercriminal activity and more effectively respond to and recover from malware incidents.

Want to Learn More?

For more information and guidance on assessing Microsoft 365 security solutions using the NIST CSF, check out the whitepaper.

Deployment Tip: For more help with Microsoft 365 security, consider FastTrack for Microsoft 365. Whether you're planning your initial Microsoft 365 Security rollout, need to onboard your product, or want to drive end user adoption, FastTrack is your benefit service and is ready to assist you. Get started at FastTrack for Microsoft 365.

* Although Microsoft offers customers some guidance and tools to help with certain aspects of the fifth Recover function (data backup, account recovery), Microsoft 365 doesn't specifically address this function. Note also that Microsoft isn't endorsing this NIST framework (there are other standards for cybersecurity protection), but we find it helpful to baseline against commonly used scenarios.



Perspectives of a former CISO: Disrupted security in digitalization

July 2nd, 2018 No comments

My passion is connecting security to business objectives, and it has been a part of my work with many CISOs across industries as well as my own experience as a CISO. This blog series is a compilation of my learnings as a CISO, as well as learnings from peers and customers who are actively working to figure out how to best align security organizations with their business. This first blog will cover why it is so critical for a security organization to shake off the total compliance mindset and balance it with a close focus on aligning to the business of the organization through a clear risk-based approach.

It is not news that the world has changed in the last two decades through digital transformation, and the requirements for security have changed with it. Initially, security was mainly focused on protecting the network and building virtual walls around the digital assets of a company. The fast evolution of mobile technology, globalization, and digitalization has disrupted standard assumptions for business; businesses are transforming to adapt, and security needs to be in lockstep, or better yet, lead this journey. The world is not what it used to be; it looks more like the graphic image below:

Security must be closely aligned to the business it serves and protects against attacks by the criminal groups working on the Internet. Crime went digital from vandalism to classical crime to nation states. The business, on the other hand, gets disrupted and must change at a speed never seen before. This is the place, where security needs to be.

Security must enable the business transformation and ensure acceptable business risks. This is a non-negotiable truth, as security's sole purpose of existence is to protect the organization that employs it. This is more difficult than it sounds, because security started as a purely technical discipline with a common belief that success was achieved through compliance with standards. Many organizations are on the journey of shifting this mindset to a risk-based approach and a deep alignment with their business counterparts. This is a major shift for the security organization, as it requires major cultural changes, different priorities, changing of processes and habits, as well as technology changes. I have seen a lot of security people hiding behind their policies instead of helping the business to be successful. This is not solving any problems in today's world.

Regardless of your industry, compliance does not bring security; good security brings compliance. Success in security is all about running a reasonable risk management and risk mitigation program, which is leveraged and often even driven by the business leaders, and which clears the way for the business to be successful in a frequently hostile environment.

Chief Security Officers must re-think what they do, re-think the way they look at the world and constantly try to disrupt themselves. I recognize that this is something people in security are typically not good at, as most of us had been taught risk avoidance during our careers (sound familiar?).

Disruptive changes require going against this nature and taking risks where the outcome is uncertain. While this is uncomfortable, it is critically important for our future success.

Looking at it from a more outward view, the CSO has different constituencies to satisfy:

  • Top-Management: The top management wants to understand their key cyber risks, what they need to do about them, and whether they invest the right amount in the right location. Key risk means a risk comparable to the other business risks they must deal with. CSOs need to keep this in mind: the CEO has a lot of business risks on his/her table, and the cyber risks have to be aligned with them. Typically, as a rule of thumb, we might speak of 5-8 risks where the CSO needs to see action and support by the CEO and the board.
  • Employees: Looking at the employees, security needs to enable them to run their business successfully and with acceptable risks. It is not about security or productivity, we talk of security AND productivity.
  • Customers/partners: Obviously, customers and partners have a certain expectation about what the supplier does with their data and how they protect them. This is not only compliance to data protection regulations, but gaining trust.
  • Regulator: Regulators are heavily challenged by today's situation. Rules which were valid a few years ago do not apply anymore. New definitions of sovereignty need to be developed. Modern technologies suddenly change the rules of the game as it was known. Most regulators need help, and they want to listen to the industry if the discussion happens with mutual respect.
  • Security Community: The security community is often ignored by companies, which can lead to rather dramatic security challenges. Think about what happens if somebody finds a vulnerability in an infrastructure and wants to responsibly disclose this vulnerability to the security organization. How do they find the right people and process? How are they dealt with?

Security needs to be rethought, and certain base assumptions need to be disrupted. Progressing digitalization, as well as emerging technologies, will challenge these thoughts again, and security functions will be constantly forced to look for new and creative ways to support the business. Our stakeholders are moving fast and so must we. We need to move to more of a DevOps approach and align closely with the fast-moving criminal landscape, the fast-moving technology, and the fast-moving business.



Taking apart a double zero-day sample discovered in joint hunt with ESET

In late March 2018, I analyzed an interesting PDF sample found by ESET senior malware researcher Anton Cherepanov. The sample was initially reported to Microsoft as a potential exploit for an unknown Windows kernel vulnerability. During my investigation in parallel with ESET researchers, I was surprised to discover two new zero-day exploits in the same PDF. One exploit affected Adobe Acrobat and Reader, while the other exploit affected older platforms, Windows 7 and Windows Server 2008. Microsoft and Adobe have since released corresponding security updates:

The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape Adobe Reader sandbox and run with elevated privileges from Windows kernel memory. ESET provided an analysis of the exploitation routines in the sample PDF.

Although the PDF sample was found in VirusTotal, we have not observed actual attacks perpetrated using these exploits. The exploit was in early development stage, given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code.

Finding and neutralizing a double zero-day exploit before an attacker had a chance to use it was an amazing result of the great collaboration between ESET, Microsoft, and Adobe security researchers.

Here's some more information about the exploit process. This analysis is based on a sample we found after additional hunting (SHA-256: 4b672deae5c1231ea20ea70b0bf091164ef0b939e2cf4d142d31916a169e8e01).

Exploit overview

The Adobe Acrobat and Reader exploit is incorporated in a PDF document as a malicious JPEG 2000 stream containing the JavaScript exploit code. The following diagram provides an overview of the exploit process.

Figure 1. Overview of the exploit process

As shown in the diagram, the exploit process takes place in several stages:

  1. JavaScript lays out heap spray memory.
  2. Malicious JPEG 2000 stream triggers an out-of-bounds access operation.
  3. The access operation is called upon out-of-bounds memory laid out by the heap spray.
  4. The access operation corrupts the virtual function table (vftable).
  5. The corrupted vftable transfers execution to a return-oriented programming (ROP) chain.
  6. The ROP chain transfers execution to the main shellcode.
  7. The main elevation-of-privilege (EoP) module loads through reflective DLL loading.
  8. The main PE module launches the loaded Win32k EoP exploit.
  9. When the EoP exploit succeeds, it drops a .vbs file in the Startup folder. The .vbs file appears to be proof-of-concept malware designed to download additional payloads.

Malicious JPEG 2000 stream

The malicious JPEG 2000 stream is embedded with the following malicious tags.

Figure 2. Malicious JPEG 2000 stream

The following image shows the CMAP and PCLR tags with malicious values. The length of the CMAP array (0xfd) is smaller than the index value (0xff) referenced in the PCLR tags; this results in the exploitation of the out-of-bounds memory free vulnerability.

Figure 3. Out-of-bounds index of CMAP array
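As an added example (not code from the original post or from Adobe), here is a bounds-checking parser for the two boxes involved: it reads the pclr and cmap boxes of a jp2h header, assuming the ISO/IEC 15444-1 Annex I layout, and rejects a mapping whose palette column index is not below the palette column count, which is the mismatch (0xfd versus 0xff) described above. The sample streams are constructed.

```python
"""Cross-check of the JP2 palette (pclr) and component-mapping (cmap) boxes.

Added example, not code from the original post or from Adobe. Box layouts follow
ISO/IEC 15444-1 Annex I (an assumption of this example; the post does not show
the box structure); the sample streams are constructed. A decoder must perform
this check before indexing: a cmap palette column index that is not below the
pclr column count is rejected, never used.
"""
import struct
from typing import Dict, Iterator, List, Optional, Tuple


def iter_boxes(data: bytes, offset: int = 0, end: Optional[int] = None) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (type, payload) for each box in data[offset:end], bounds-checked."""
    end = len(data) if end is None else end
    while offset + 8 <= end:
        lbox, tbox = struct.unpack_from(">I4s", data, offset)
        header = 8
        if lbox == 1:                                # XLBox: 64-bit length follows
            if offset + 16 > end:
                raise ValueError("truncated XLBox")
            (lbox,) = struct.unpack_from(">Q", data, offset + 8)
            header = 16
        elif lbox == 0:                              # box extends to end of data
            lbox = end - offset
        if lbox < header or offset + lbox > end:
            raise ValueError(f"box {tbox!r} length {lbox} exceeds its container")
        yield tbox, data[offset + header:offset + lbox]
        offset += lbox


def parse_pclr(payload: bytes) -> Tuple[int, int, List[int]]:
    """(NE, NPC, bit depths); the entry table must hold exactly NE*NPC values."""
    if len(payload) < 3:
        raise ValueError("pclr too short")
    ne, npc = struct.unpack_from(">HB", payload, 0)
    if not 1 <= ne <= 1024 or npc < 1:
        raise ValueError(f"pclr NE={ne} NPC={npc} outside spec range")
    depths = list(payload[3:3 + npc])
    if len(depths) != npc:
        raise ValueError("pclr truncated in bit-depth field")
    entry_bytes = sum(((d & 0x7F) + 1 + 7) // 8 for d in depths)
    if len(payload) - 3 - npc != ne * entry_bytes:
        raise ValueError("pclr entry table size does not match NE*NPC")
    return ne, npc, depths


def parse_cmap(payload: bytes) -> List[Tuple[int, int, int]]:
    """[(CMP, MTYP, PCOL), ...]: one 4-byte record per output channel."""
    if not payload or len(payload) % 4:
        raise ValueError("cmap length must be a non-zero multiple of 4")
    return [struct.unpack_from(">HBB", payload, i) for i in range(0, len(payload), 4)]


def validate_jp2_header(jp2h: bytes) -> List[str]:
    """Validate a jp2h superbox payload; returns the reasons to reject it."""
    boxes: Dict[bytes, bytes] = dict(iter_boxes(jp2h))
    errors: List[str] = []
    nc = npc = None
    if b"ihdr" in boxes and len(boxes[b"ihdr"]) >= 10:
        nc = struct.unpack_from(">H", boxes[b"ihdr"], 8)[0]   # NC: component count
    if b"pclr" in boxes:
        try:
            _, npc, _ = parse_pclr(boxes[b"pclr"])
        except ValueError as exc:
            errors.append(str(exc))
    if b"cmap" in boxes:
        try:
            entries = parse_cmap(boxes[b"cmap"])
        except ValueError as exc:
            errors.append(str(exc))
            entries = []
        for i, (cmp_, mtyp, pcol) in enumerate(entries):
            if nc is not None and cmp_ >= nc:
                errors.append(f"cmap[{i}] CMP={cmp_} >= NC={nc}")
            if mtyp == 1:                            # palette mapping
                if npc is None:
                    errors.append(f"cmap[{i}] palette mapping without a valid pclr")
                elif pcol >= npc:                    # the out-of-bounds index case
                    errors.append(f"cmap[{i}] PCOL=0x{pcol:02x} >= NPC=0x{npc:02x}")
            elif mtyp == 0 and pcol != 0:
                errors.append(f"cmap[{i}] direct mapping must carry PCOL=0")
            elif mtyp > 1:
                errors.append(f"cmap[{i}] unknown MTYP={mtyp}")
    return errors


def box(tbox: bytes, payload: bytes) -> bytes:
    """Serialize one box; used only to build the constructed samples."""
    return struct.pack(">I4s", 8 + len(payload), tbox) + payload


def build_sample(npc: int, pcol: int) -> bytes:
    """Constructed jp2h: one component, an 8-bit palette with npc columns, and
    one palette-mapped channel pointing at column pcol."""
    ihdr = struct.pack(">IIHBBBB", 1, 1, 1, 7, 7, 0, 0)
    pclr = struct.pack(">HB", 1, npc) + bytes([7] * npc) + bytes(npc)   # NE=1
    cmap = struct.pack(">HBB", 0, 1, pcol)
    return box(b"ihdr", ihdr) + box(b"pclr", pclr) + box(b"cmap", cmap)


BENIGN = build_sample(npc=3, pcol=2)
MALFORMED = build_sample(npc=0xFD, pcol=0xFF)   # same mismatch as in the post
```

`validate_jp2_header(MALFORMED)` returns a single rejection naming the 0xff index against the 0xfd column count, while `BENIGN` passes with an empty list.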

Combined with heap-spray technique used in the JavaScript, the out-of-bounds exploit leads to corruption of the vftable.

Figure 4. vftable corruption with ROP chain to code execution

The shellcode and portable executable (PE) module is encoded in JavaScript.

Figure 5. Shellcode in JavaScript

Reflective DLL loading

The shellcode (pseudocode shown below) loads the main PE module through reflective DLL loading, a common technique seen in advanced attacks that attempts to stay undetected in memory. On Windows 10, the reflective DLL loading technique is exposed by Windows Defender Advanced Threat Protection (Windows Defender ATP).

The shellcode searches for the start of the PE record and parses PE sections, copying them to the newly allocated memory area. It then passes control to an entry point in the PE module.

Figure 6. Copying PE sections to allocated memory

Figure 7. Passing control to an entry point in the loaded DLL

Main Win32k EoP exploit

The main Win32k elevation-of-privilege (EoP) exploit runs from the loaded PE module. It appears to target machines running Windows 7 SP1 and takes advantage of the previously unreported CVE-2018-8120 vulnerability, which is not present on Windows 10 and newer products. The exploit uses a NULL page to pass malicious records and copy arbitrary data to an arbitrary kernel location. The NULL page dereference exploitation technique is also mitigated by default for x64 platforms running Windows 8 or later.

Figure 8. EoP exploit flow

Here's how the main exploit proceeds:

  1. The exploit calls NtAllocateVirtualMemory following sgdt instructions to allocate a fake data structure at the NULL page.
  2. It passes a malformed IMEINFOEX structure to the SetImeInfoEx Win32k kernel function.
  3. SetImeInfoEx picks up the fake data structure allocated at the NULL page.
  4. The exploit uses the fake data structure to copy malicious instructions to +0x1a0 on the Global Descriptor Table (GDT).
  5. It calls an FWORD instruction to call into the fake GDT entry instructions.
  6. The exploit successfully calls instructions in the fake GDT entry.
  7. The instructions run shellcode allocated in user mode from kernel mode memory space.
  8. The exploit modifies the EPROCESS.Token of the shellcode process to grant SYSTEM privileges.

On Windows 10, the EPROCESS.Token modification behavior would be surfaced by Windows Defender ATP.

The malformed IMEINFOEX structure in combination with fake data at the NULL page triggers corruption of the GDT entry as shown below.

Figure 9. Corrupted GDT entry

The corrupted GDT entry holds actual instructions that run through a call gate via a call FWORD instruction.

Figure 10. Patched GDT entry instructions

After returning from these instructions, the extended instruction pointer (EIP) returns to the caller code in user space with kernel privileges. The succeeding code elevates privileges of the current process by modifying the process token to SYSTEM.

Figure 11. Replacing process token pointer


After privilege escalation, the exploit code drops the .vbs, a proof-of-concept malware, into the local Startup folder.

Figure 12. Code that drops the .vbs file to the Startup folder

Recommended defenses

To protect against attacks leveraging the exploits found in the PDF:

While we have not seen attacks distributing the PDF, Office 365 Advanced Threat Protection (Office 365 ATP) would block emails that carry malformed PDF and other malicious attachments. Office 365 ATP uses a robust detonation platform, heuristics, and machine learning to inspect attachments and links for malicious content in real-time.

Windows 10 users are not impacted by the dual exploits, thanks to platform hardening and exploit mitigations. For attacks against Windows 10, Windows Defender Advanced Threat Protection (Windows Defender ATP) would surface kernel attacks with similar exploitation techniques that use process token modification to elevate privileges, as shown below (sample process privilege escalation alert).

Figure 13. Sample Windows Defender ATP alert for process token modification

With Advanced hunting in Windows Defender ATP, customers can hunt for related exploit activity using the following query, which we added to the GitHub repository:

Figure 14. Advanced hunting query

Windows Defender ATP provides complete endpoint protection platform (EPP) and endpoint detection and response (EDR) solutions for Windows 10, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. Additional support for devices running Windows 7 and Windows 8.1 is currently in preview. Additionally, Windows Defender ATP can surface threats on macOS, Linux, and Android devices via security partners.

Windows Defender ATP integrates with other technologies in Windows, Office 365, and Enterprise Mobility + Security platforms to automatically update protection and detection and orchestrate remediation across Microsoft 365.

To experience the power of Windows Defender ATP for yourself, sign up for a free trial now.

Indicators of compromise

SHA-256: dd4e4492fecb2f3fe2553e2bcedd44d17ba9bfbd6b8182369f615ae0bd520933
SHA-1: 297aef049b8c6255f4461affdcfc70e2177a71a9
File type: PE
Description: Win32k exploit

SHA-256: 4b672deae5c1231ea20ea70b0bf091164ef0b939e2cf4d142d31916a169e8e01
SHA-1: 0d3f335ccca4575593054446f5f219eba6cd93fe
File type: PDF
Description: Test exploit

SHA-256: 0608c0d26bdf38e064ab3a4c5c66ff94e4907ccaf98281a104fd99175cdf54a8
SHA-1: c82cfead292eeca601d3cf82c8c5340cb579d1c6
File type: PDF
Description: PDF exploit testing sample (Win32k part missing)

SHA-256: d2b7065f7604039d70ec393b4c84751b48902fe33d021886a3a96805cede6475
SHA-1: edeb1de93dce5bb84752276074a57937d86f2cf7
File type: JavaScript
Description: JavaScript embedded in 0608c0d26bdf38e064ab3a4c5c66ff94e4907ccaf98281a104fd99175cdf54a8



Matt Oh
Windows Defender ATP Research







The need and opportunity for adaptive prevention in the cloud

This post is authored by Michael Bargury, Data Scientist, C+E Security.

The need

The cloud introduces new security challenges, which differ from classic ones in diversity and scale. Once a Virtual Machine (VM) is up and running with an open internet port, it is almost instantaneously subject to vulnerability scanning and Brute Force (BF) attacks. These attacks are usually not directed at a specific organization's environment. Instead, they cover a broad range of environments, hoping to infiltrate even a small fraction of them, to be used for their computational power or as part of a botnet.

The agile nature of the cloud allows organizations to build elaborate and highly customized environments. These environments constantly change, as customers utilize the cloud's ability to adapt to variations in computational or network communication demands. Although this agility is one of the cloud's top offerings, it also makes it harder to apply and maintain security best practices. As your environment changes, the security measures needed to protect it might change as well. Moreover, while security experts can manually analyze common environment scenarios and offer security recommendations, the huge diversity in the cloud renders these recommendations useless for many organizations, which require more tailored solutions.

Proper security recommendations have the potential to make a huge impact on an organization's security. They can minimize the attack surface, essentially blocking attacks before they occur.

The opportunity

On the other hand, the cloud provides unique opportunities that are impossible or impractical for most organizations on their own. The broad visibility and the diversity of environments allow statistical models to detect abnormal activities across the cloud. Organizations can anonymously share their security-related data with trusted third parties such as Azure Security Center (ASC), which can leverage this data to provide better detection and security recommendations for all organizations. Essentially, the cloud allows organizations to combine their knowledge in a way that is much larger than the sum of its parts.

Leveraging these cloud-unique opportunities gives birth to a whole new world of customized security recommendations. Instead of a single one-size-fits-all best practice, the cloud allows customized best practices to be generated and updated constantly, as a cloud environment is built and evolves. Imagine an agent that detects a security risk associated with a machine placed under the wrong subnet, or an automatically updating firewall.


Let us dive into a very basic, yet typical scenario. As a developer in a cloud-based organization, I would like to deploy a new SQL-Server on Windows. I deploy a new Windows VM, install SQL-Server and create an inbound rule in my Network Security Group (NSG) to allow incoming communication on port 1433.

A few months later, the SQL-Server has long been deleted. The VM is being used for something else entirely. The only thing left from my initial deployment is the inbound rule on port 1433, which was overlooked by whoever deleted the SQL-Server. This leaves an opening for attackers to gain access to my machine, or simply to exhaust its resources by bombarding it with requests. After a while, I get a security alert from ASC. There was a successful BF attack on my machine, and it is now compromised. Looking at the logs, I see that the attack was carried out through port 1433.

A good security recommender system would have identified that port 1433 was no longer in use by SQL Server, and prompted me with a recommendation to close it before the machine was compromised.

Learning scenario

Taking the perspective of a cloud provider, we will now devise a way to detect the scenario mentioned above and recommend a mitigation on time.

We can safely assume that most Azure customers use port 1433 for SQL-Server communication, as it is the default port used in SQL-Server software. This reduces our problem to the following goal: find machines with an inbound rule for port 1433, which do not run SQL-Server software.

But wait, how do we know which SQL-Server software to look for the absence of? We could try to manually devise a list of the executables that make up SQL-Server, but there must be a better way.

Remember, we have assumed that most Azure customers use port 1433 for SQL-Server communication. Utilizing this assumption, we can learn which executable is unusually common in machines with an inbound rule on port 1433, out of the entire population of Azure VMs.

And so, our final goal becomes: find machines with an inbound rule for port 1433, which do not run common executables within this group.

We can try to reach this goal in several ways. Here we take a classification approach. We use two weeks of executable executions, from 30K Azure machines that use ASC's monitoring agent.

First, we devise a list of distinct executables. We are looking for the executables of very common software, so we can filter the list to executables that run on more than 10 Azure VMs, to reduce noise. This leaves us with 4,361 distinct executables.

We represent each Azure VM as a vector of indicators of the executables run by that VM. For example, consider a VM that ran only a single executable. That VM would be represented by a zero-vector with a single coordinate containing a one, which represents that executable. Next, we label each VM by whether or not it has port 1433 open for inbound traffic.

We will treat our dataset as a classification problem: given a binary feature vector for each VM, predict whether its port 1433 is open for inbound traffic. Notice that we already know the answer to this question. Therefore, we will be able to measure the accuracy of our model.

We train a Random Forest (RF) model to solve the classification problem. We use an RF for multiple reasons. First, it forces the model to only consider a small subset of features, which corresponds to a small number of executables that we hope are SQL-Server related. Second, allowing only a few trees in the RF will yield a simple classification model, easily interpretable and understandable.

To avoid overfitting, we use hold-out validation. We split our dataset 70-30 percent into train and test sets. We train the model on the training set and measure its performance on the test set.

// Error = (# wrong classifications) / (# samples)

Train error = 0.00095

Test error = 0.00128

The model performs very well, with low classification error both for the train and test sets.

Let's think about what happened here. The model was able to accurately predict whether a VM has an inbound rule for port 1433, using a small list of executables run by that VM. This implies that there is some set of executables which are extremely common among VMs that can be addressed on port 1433. To examine these executables, we can look at the top ten features by importance (significance to classification) provided by our classifier:

  1. \\program files\\microsoft sql server\\mssql_ver.mssqlserver\\mssql\\binn\\sqlagent.exe

  2. \\program files\\microsoft sql server iaas agent\\bin\\ma\\agentcore.exe

  3. \\packages\\plugins\\microsoft.compute.vmaccessagent\\version\\bin\\jsonvmaccessextension.exe

  4. \\program files\\microsoft sql server iaas agent\\bin\\sqlservice.exe

  5. \\program files\\microsoft sql server\\mssqlmssqlserver\\mssql\\binn\\databasemail.exe

  6. \\windows\\microsoft.net\\framework\\version\\ngen.exe

  7. \\program files (x86)\\microsoft sql server\\version\\tools\\binn\\sqlexe

  8. \\packages\\plugins\\microsoft.sqlmanagement.sqliaasagent\\version\\sqliaasextensiondeployer.exe

  9. \\packages\\plugins\\microsoft.enterprisecloud.monitoring.microsoftmonitoringagent\\version\\mmaextensionheartbeatservice.exe

  10. \\program files\\microsoft sql server\\mssqlmssqlserver\\mssql\\binn\\fdhost.exe

This is excellent. Our model found that the best indicators for port 1433 being open are SQL-Server related executables running on the VM. This validates our assumption that most Azure customers use port 1433 for SQL-Server communication! Otherwise, our model would not have been able to achieve such high accuracy scores using SQL-Server executables as features.

Returning to our initial goal, we are looking for machines which do not run executables that are very common within this group. For these machines, there is no way the model can detect that their port 1433 is open, judging from SQL-Server related executables. Hence, these machines should correspond to our model's classification errors! More specifically, we are looking for false negatives (FN: the model wrongly classifies the VM as having port 1433 closed).

Let's examine one of these VMs. Here is the list of executables it ran:

  1. \windows\softwaredistribution\download\install\: [exe, windows-ver-delta.exe]

  2. \windowsazure\guestagent_ver\collectguestlogs.exe

  3. \program files\microsoft security client\mpcmdrun.exe

  4. \windows\servicing\trustedinstaller.exe

  5. \windows\winsxs\amd64_microsoft-windows-servicingstack_ver\tiworker.exe

  6. \program files\microsoft office 15\clientx64\officec2rclient.exe

  7. \program files\java\: [jre_ver\bin\jp2launcher.exe, 8.0_144\bin\javaws.exe]

  8. \program files (x86)\common files\java\java update\jucheck.exe

  9. \windows\microsoft.net\framework64\ver\: [exe, ngen.exe]

  10. \windows\microsoft.net\framework\ver\: [exe, ngentask.exe]

  11. \windows\system32\inetsrv\w3wp.exe

  12. \windows\system32\wbem\: [exe, wmiprvse.exe]

  13. \windows\system32\: [taskhostex.exe, mrt.exe, schtasks.exe, taskeng.exe, wsqmcons.exe, rundll32.exe, sc.exe, lpremove.exe, mpsigstub.exe, ceipdata.exe, defrag.exe, sppsvc.exe, cmd.exe, conhost.exe, svchost.exe, aitagent.exe, taskhost.exe, mrt-ver.exe, sppextcomobj.exe, wermgr.exe, werfault.exe, tzsync.exe, slui.exe]

Indeed, we don't see SQL-Server here! In fact, this VM seems to be running mostly Windows/Azure updates. We can issue a recommendation for this VM to remove its inbound rule for port 1433. Looking at past ASC alerts, we can see that this machine was brute forced on six different days, presenting valuable attack surface to attackers. Our model can put an end to that!

Overall, we found five machines which might have port 1433 open for no reason (FN of the classification model).


Now that we have a working model and a nice Proof of Concept, we might consider applying it to similar scenarios. After all, why focus only on port 1433 and SQL-Server, when our model didn't depend on either of these as an assumption?

We can generalize our scenario and solution to the following:

  • Goal: find machines with an inbound rule for port X, which do not run executables which are very common within this group.
  • Method: Train an RF to predict whether or not a machine has port X open for inbound traffic, based on the executables it ran. Output the machines that the RF misclassified as having the port closed (its false negatives).


The scenario developed above is only the tip of the iceberg. The Azure Security Center (ASC) team is working hard on providing adaptive prevention capabilities, to enable better security for Azure customers. For information about the first adaptive prevention feature in ASC, see How Azure Security Center uses machine learning to enable adaptive application control. To learn about the use of Machine Learning in ASC, see Machine Learning in Azure Security Center.


Driving data security is a shared responsibility, here’s how you can protect yourself

June 19th, 2018 No comments

You're driving a long, dark road on a rainy night. If you're driving 20 miles over the speed limit and you don't step on the brakes when the car in front of you comes to a sudden stop, is it your fault or your car manufacturer's fault if you rear-end the car in front of you?

When we drive, we seamlessly understand that there are some things we depend on the manufacturer to provide (brakes that work, airbags that deploy) and some things we’re responsible for (using the brakes when needed, not turning off the airbag protection).

This is the concept of shared responsibility, and it was a core topic at this year's Cybersecurity Law Institute panel "Vendors and Cloud-Based Solutions: How Can All Stakeholders Protect Themselves?"

When it comes to cloud computing and data protection, it is a shared responsibility between the cloud service provider (CSP) and the customer that is analogous to the relationship between the car owner and car manufacturer.

While the fundamentals of shared responsibility between drivers and car manufacturers seem relatively straightforward, it's not always as clear-cut when analyzing the responsibilities between customers and CSPs for protecting cloud data.

The cloud, as a relatively new architectural model for many organizations, is unique because there are multiple service models that shift responsibilities between customers and CSPs. For example, customers can only configure the application layer in Software as a Service (SaaS) applications. But when moving down the stack to Infrastructure as a Service (IaaS), customers have the responsibility for configuring and managing the servers they've stood up in the cloud.

While on the Georgetown Law Institute panel in D.C., I explained how Microsoft views the shared responsibility model as a working partnership with customers to ensure they are clear on what we provide and what their responsibilities are across the stack. To be sure, there are some perceptible shifts in responsibility, as illustrated in the graphic below.

The left-most column shows seven responsibilities that customers should consider when using different cloud service models. The model shows how customers are responsible for ensuring that data and its classification are done correctly and that the solution is compliant with regulatory obligations. Physical security falls to the CSP, and the rest of the responsibilities are shared. Note that this is a general rule of thumb, and every customer should talk to its CSP to ensure the responsibilities are outlined, understood, and meet the organizational needs.

Once a customer has a solid handle on what the CSP is providing, consider the three tips below for managing the shared responsibilities. These could include things like network controls, host infrastructure, end-point protection, application level controls, and access management.

Consult the STARs

The CSA STAR registry consists of three levels of assurance, which cover four unique offerings based on a comprehensive list of cloud control objectives. Here customers can see what controls a provider has attested to. STAR also helps customers assess how different providers compare using a harmonized model. It's also important to ask the CSP if it has completed a SOC 2 Type 2. This assessment is based on a mature attestation standard, and ensures that evaluation takes place over a period of time rather than at a single point in time, among other helpful properties.

(Really!) Read the contracts

Yes, it's tempting to skip over the long legalese, but the nuances of a contract between a customer and CSP can go a long way in helping each side understand its shared responsibilities. For example, the contract may allow for certain levels of transparency between the two, such as allowing the customer to see an audit or compliance report. However, you should remember that seeing an overview isn't the same as being able to read every page of the report. A customer should know what level of transparency they're getting. Customers should be certain there are clear roles and escalation paths that make sense, so if something goes wrong or a decision needs to be made about shutting off a service or reporting a breach, it can be done without hesitation. And don't forget to engage your own counsel during contract review; no one understands legalese as well as a lawyer.

Follow the guides

To help organizations understand ways to protect their data in the cloud, Microsoft has blueprint guides for use cases like FFIEC and HIPAA regulations. We also have tools to help companies manage and improve their cloud controls, including Compliance manager and Secure score. Compliance manager enables organizations to manage their compliance activities from one place. Secure score is an assessment tool designed to make it easier for organizations to understand their security position in relation to other organizations while also providing advice on what controls they should consider enabling.

Microsoft takes its side of the shared responsibility model seriously and is continually looking for ways to help the customer identify weaknesses and put action plans in place to shore them up. Just as car manufacturers continually iterate to make cars safer, safety enhancements are meant to lessen the burden of driver responsibilities, not remove them entirely. When it comes to protecting data, if you keep your eyes on your data road, we'll make sure the brakes are working.

For more information on shared responsibilities for cloud computing read this comprehensive white paper.


New FastTrack benefit: Deployment support for Co-management on Windows 10 devices

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, Getting the most value out of your security deployment.

We are pleased to announce that FastTrack for Microsoft 365 (a benefit of your Microsoft 365 subscription for planning, deployment and adoption) now provides deployment support for Co-management on your Windows 10 devices. I'd like to provide a few highlights on what you can expect.

What is Co-management?

Co-management is the integration between Configuration Manager and Microsoft Intune that enables a Windows 10 device to be managed by Configuration Manager and Intune at the same time. This gives you the opportunity to enable remote actions on the device, like remote factory reset or selective wipe for lost or stolen devices. Additional advantages include conditional access, enabling you to ensure that devices accessing your corporate network are compliant with your company policies and requirements. And with your Windows 10 devices you have Windows AutoPilot, which automatically enrolls devices in Intune. This can lower your provisioning costs for new Windows 10 devices from the cloud. Co-management empowers you to complement Configuration Manager with Intune and more easily bring all this together where the cloud makes sense for your organization, as seen in Figure 1 below.

Figure 1: Co-management architecture

What can you expect?

As part of our deployment support, the FastTrack team will provide guidance on the following activities:

  • Enabling Active Directory auto enrollment
  • Enabling hybrid Azure Active Directory
  • Enabling the Cloud Management Gateway
  • Enabling Co-management in Configuration Manager
  • Switching over supported device management capabilities from Configuration Manager to Intune:

    • Device conditional access policies
    • Resource Access profiles
    • Windows Update for Business policies
    • EndPoint Protection policies

  • Setting up Intune to deploy the Configuration Manager agent to new devices

FastTrack for Microsoft 365 benefits

FastTrack continues to invest in bringing you end-to-end services for planning, onboarding and driving adoption of your eligible subscriptions, and comes at no additional charge. It is our commitment to help you realize the value of your Microsoft 365 investment with a faster deployment and time to value.

FastTrack lets you engage with our FastTrack specialists and provides best practices, tools and resources to help you quickly and easily enable Microsoft 365 in your environment, now including co-management for Windows 10 devices.

Get started

To request assistance from FastTrack, you can get started by going to our FastTrack website. Click on the Sign In prompt, and enter your company or school ID. Go to the dashboard, and from there follow the prompts to access the Request for Assistance form. Your submission will be reviewed and routed to the appropriate team that will address your specific needs and eligibility.

The FastTrack website also provides you with best practices, tools, and resources from the experts to help make your deployment experience with the Microsoft Cloud a great one.


Building Zero Trust networks with Microsoft 365

The traditional perimeter-based network defense is obsolete. Perimeter-based networks operate on the assumption that all systems within a network can be trusted. However, today's increasingly mobile workforce, the migration towards public cloud services, and the adoption of the Bring Your Own Device (BYOD) model make perimeter security controls irrelevant. Networks that fail to evolve from traditional defenses are vulnerable to breaches: an attacker can compromise a single endpoint within the trusted boundary and then quickly expand its foothold across the entire network.

In 2013, a massive credit card data breach hit Target and exposed the credit card information of over 40 million customers. Attackers used malware-laced emails to steal credentials from contractors that had remote access to Target's network. They then used the stolen credentials to gain access to the network, effectively evading the perimeter defense mechanisms that Target had in place. Once inside the network, the attackers installed malware on payment systems used in Target stores across the US and stole customer credit card information.

Zero Trust networks eliminate the concept of trust based on network location within a perimeter. Instead, Zero Trust architectures leverage device and user trust claims to gate access to organizational data and resources. A general Zero Trust network model (Figure 1) typically comprises the following:

  • Identity provider to keep track of users and user-related information
  • Device directory to maintain a list of devices that have access to corporate resources, along with their corresponding device information (e.g., type of device, integrity etc.)
  • Policy evaluation service to determine if a user or device conforms to the policy set forth by security admins
  • Access proxy that utilizes the above signals to grant or deny access to an organizational resource

Figure 1. Basic components of a general Zero Trust network model

Gating access to resources using dynamic trust decisions allows an enterprise to enable access to certain assets from any device while restricting access to high-value assets on enterprise-managed and compliant devices. In targeted and data breach attacks, attackers can compromise a single device within an organization, and then use the “hopping” method to move laterally across the network using stolen credentials. A solution based on Zero Trust network, configured with the right policies around user and device trust, can help prevent stolen network credentials from being used to gain access to a network.

Zero Trust is the next evolution in network security. The state of cyberattacks drives organizations to take the assume breach mindset, but this approach should not be limiting. Zero Trust networks protect corporate data and resources while ensuring that organizations can build a modern workplace using technologies that empower employees to be productive anytime, anywhere, any which way.

Zero Trust networking based on Azure AD conditional access

Today, employees access their organization's resources from anywhere using a variety of devices and apps. Access control policies that focus only on who can access a resource are not sufficient. To master the balance between security and productivity, security admins also need to factor in how a resource is being accessed.

Microsoft has a story and strategy around Zero Trust networking. Azure Active Directory conditional access is the foundational building block of how customers can implement a Zero Trust network approach. Conditional access and Azure Active Directory Identity Protection make dynamic access control decisions based on user, device, location, and session risk for every resource request. They combine (1) attested runtime signals about the security state of a Windows device and (2) the trustworthiness of the user session and identity to arrive at the strongest possible security posture.

Conditional access provides a set of policies that can be configured to control the circumstances in which users can access corporate resources. Considerations for access include user role, group membership, device health and compliance, mobile applications, location, and sign-in risk. These considerations are used to decide whether to (1) allow access, (2) deny access, or (3) control access with additional authentication challenges (e.g., multi-factor authentication), Terms of Use, or access restrictions. Conditional access works robustly with any application configured for access with Azure Active Directory.

Figure 2. Microsoft's high-level approach to realizing Zero Trust networks using conditional access.

To accomplish the Zero Trust model, Microsoft integrates several components and capabilities in Microsoft 365: Windows Defender Advanced Threat Protection, Azure Active Directory, Windows Defender System Guard, and Microsoft Intune.

Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection (ATP) is an endpoint protection platform (EPP) and endpoint detection response (EDR) technology that provides intelligence-driven protection, post-breach detection, investigation, and automatic response capabilities. It combines built-in behavioral sensors, machine learning, and security analytics to continuously monitor the state of devices and take remedial actions if necessary. One of the unique ways Windows Defender ATP mitigates breaches is by automatically isolating compromised machines and users from further cloud resource access.

For example, attackers use the Pass-the-Hash (PtH) and Pass-the-Ticket (Kerberos) techniques to directly extract hashed user credentials from a compromised device. The hashed credentials can then be used for lateral movement, allowing attackers to leapfrog from one system to another, or even escalate privileges. While Windows Defender Credential Guard prevents these attacks by protecting NTLM hashes and domain credentials, security admins still want to know that such an attack occurred.

Windows Defender ATP exposes attacks like these and generates a risk level for compromised devices. In the context of conditional access, Windows Defender ATP assigns a machine risk level, which is later used to determine whether the client device should get a token required to access corporate resources. Windows Defender ATP uses a broad range of security capabilities and signals, including:

Windows Defender System Guard runtime attestation

Windows Defender System Guard protects and maintains the integrity of a system as it boots up and continues running. In the assume breach mentality, it's important for security admins to have the ability to remotely attest the security state of a device. With the Windows 10 April 2018 Update, Windows Defender System Guard runtime attestation contributes to establishing device integrity. It makes hardware-rooted boot-time and runtime assertions about the health of the device. These measurements are consumed by Windows Defender ATP and contribute to the machine risk level assigned to the device.

The single most important goal of Windows Defender System Guard is to validate that the system integrity has not been violated. This hardware-backed high-integrity trusted framework enables customers to request a signed report that can attest (within the guarantees specified by the security promises) that no tampering of the device's security state has taken place. Windows Defender ATP customers can view the security state of all their devices using the Windows Defender ATP portal, allowing detection and remediation of any security violation.

Windows Defender System Guard runtime attestation leverages the hardware-rooted security technologies in virtualization-based security (VBS) to detect attacks. On virtual secure mode-enabled devices, Windows Defender System Guard runtime attestation runs in an isolated environment, making it resistant to even a kernel-level adversary.

Windows Defender System Guard runtime attestation continually asserts system security posture at runtime. These assertions are directed at capturing violations of Windows security promises, such as disabling process protection.

Azure Active Directory

Azure Active Directory is a cloud identity and access management solution that businesses use to manage access to applications and protect user identities both in the cloud and on-premises. In addition to its directory and identity management capabilities, as an access control engine Azure AD delivers:

  • Single sign-on experience: Every user has a single identity to access resources across the enterprise to ensure higher productivity. Users can use the same work or school account for single sign-on to cloud services and on-premises web applications. Multi-factor authentication helps provide an additional level of validation of the user.
  • Automatic provisioning of application access: Users' access to applications can be automatically provisioned or de-provisioned based on their group memberships, geo-location, and employment status.

As an access management engine, Azure AD makes a well-informed decision about granting access to organizational resources using information about:

  • Group and user permissions
  • App being accessed
  • Device used to sign in (e.g., device compliance info from Intune)
  • Operating system of the device being used to sign in
  • Location or IP ranges of sign-in
  • Client app used to sign in
  • Time of sign-in
  • Sign-in risk, which represents the probability that a given sign-in isn't authorized by the identity owner (calculated by Azure AD Identity Protection's multiple machine learning or heuristic detections)
  • User risk, which represents the probability that a bad actor has compromised a given user (calculated by Azure AD Identity Protection's advanced machine learning, which leverages numerous internal and external sources of label data to continually improve)
  • More factors that we will continually add to this list

Conditional access policies are evaluated in real-time and enforced when a user attempts to access any Azure AD-connected application, for example, SaaS apps, custom apps running in the cloud, or on-premises web apps. When suspicious activity is discovered, Azure AD helps take remediation actions, such as block high-risk users, reset user passwords if credentials are compromised, enforce Terms of Use, and others.

The decision to grant access to a corporate application is given to client devices in the form of an access token. This decision is centered around compliance with the Azure AD conditional access policy. If a request meets the requirements, a token is granted to a client. The policy may require that the request provides limited access (e.g., no download allowed) or even be passed through Microsoft Cloud App Security for in-session monitoring.

Microsoft Intune

Microsoft Intune is used to manage mobile devices, PCs, and applications in an organization. Microsoft Intune and Azure have management and visibility of assets and data valuable to the organization, and have the capability to automatically infer trust requirements based on constructs such as Azure Information Protection, Asset Tagging, or Microsoft Cloud App Security.

Microsoft Intune is responsible for the enrollment, registration, and management of client devices. It supports a wide array of device types: mobile devices (Android and iOS), laptops (Windows and macOS), and employees' BYOD devices. Intune combines the machine risk level provided by Windows Defender ATP with other compliance signals to determine the compliance status (isCompliant) of the device. Azure AD leverages this compliance status to block or allow access to corporate resources. Conditional access policies can be configured in Intune in two ways:

  • App-based: Only managed applications can access corporate resources
  • Device-based: Only managed and compliant devices can access corporate resources

More on how to configure risk-based conditional access compliance check in Intune.

Conditional access at work

The value of conditional access can be best demonstrated with an example. (Note: The names used in this section are fictitious, but the example illustrates how conditional access can protect corporate data and resources in different scenarios.)

SurelyMoney is one of the most prestigious financial institutions in the world, helping over a million customers carry out their business transactions seamlessly. The company uses Microsoft 365 E5 suite, and their security enterprise admins have enforced conditional access.

An attacker seeks to steal information about the company's customers and the details of their business transactions. The attacker sends seemingly innocuous e-mails with malware attachments to employees. One employee unwittingly opens the attachment on a corporate device, compromising the device. The attacker can now harvest the employee's user credentials and try to access a corporate application.

Windows Defender ATP, which continuously monitors the state of the device, detects the breach and flags the device as compromised. This device information is relayed to Azure AD and Intune, which then denies the access to the application from that device. The compromised device and user credentials are blocked from further access to corporate resources. Once the device is auto-remediated by Windows Defender ATP, access is re-granted for the user on the remediated device.

This illustrates how conditional access and Windows Defender ATP work together to help prevent the lateral movement of malware, provide attack isolation, and ensure protection of corporate resources.
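The policy flow described above, replayed as an added example (this is not code from the post, from Intune or from Azure AD): Intune folds the Windows Defender ATP machine risk level into isCompliant, and Azure AD then decides according to the configured policy mode. The compliance settings, the Device fields and the RiskLevel values are assumptions made for the illustration.

```go
package main

import "fmt"

// RiskLevel models the machine risk level Windows Defender ATP relays to Intune.
// Ordering matters: a higher value is a riskier device (values are assumptions).
type RiskLevel int

const (
	RiskNone RiskLevel = iota
	RiskLow
	RiskMedium
	RiskHigh
)

func (r RiskLevel) String() string {
	return [...]string{"none", "low", "medium", "high"}[r]
}

// Device holds the signals Intune combines into a single compliance status.
// Encrypted and PINEnforced stand in for ordinary compliance settings (assumption).
type Device struct {
	ID          string
	Managed     bool // enrolled in Intune
	Encrypted   bool
	PINEnforced bool
	MachineRisk RiskLevel // relayed from Windows Defender ATP
}

// ComplianceSettings is the tenant's compliance policy; MaxAllowedRisk is the
// highest ATP machine risk level a device may have and still be compliant.
type ComplianceSettings struct {
	MaxAllowedRisk RiskLevel
}

// IsCompliant is the Intune side: ATP risk plus the other signals -> isCompliant.
func IsCompliant(d Device, s ComplianceSettings) bool {
	if !d.Managed {
		return false // an unmanaged device has no compliance status at all
	}
	if d.MachineRisk > s.MaxAllowedRisk {
		return false // ATP flagged the device above the allowed risk level
	}
	return d.Encrypted && d.PINEnforced
}

// PolicyMode selects between the two ways the post describes configuring the policy.
type PolicyMode int

const (
	AppBased    PolicyMode = iota // only managed applications may access resources
	DeviceBased                   // only managed and compliant devices may access resources
)

// AccessRequest is one request for a corporate resource as seen by Azure AD.
type AccessRequest struct {
	Device     Device
	ManagedApp bool // the requesting app is managed by Intune
}

type Decision struct {
	Allow  bool
	Reason string
}

// Evaluate is the Azure AD side: allow or block using the Intune compliance status.
func Evaluate(mode PolicyMode, req AccessRequest, s ComplianceSettings) Decision {
	switch mode {
	case AppBased:
		if req.ManagedApp {
			return Decision{true, "request comes from a managed application"}
		}
		return Decision{false, "application is not managed"}
	case DeviceBased:
		if !req.Device.Managed {
			return Decision{false, fmt.Sprintf("device %s is not managed", req.Device.ID)}
		}
		if !IsCompliant(req.Device, s) {
			return Decision{false, fmt.Sprintf("device %s is not compliant (machine risk %s)",
				req.Device.ID, req.Device.MachineRisk)}
		}
		return Decision{true, fmt.Sprintf("device %s is managed and compliant", req.Device.ID)}
	}
	return Decision{false, "unknown policy mode"}
}

// Scenario replays the SurelyMoney story: healthy device, ATP flags it after the
// malicious attachment runs, then ATP auto-remediates it. Returns the three decisions.
func Scenario() [3]Decision {
	settings := ComplianceSettings{MaxAllowedRisk: RiskLow}
	laptop := Device{ID: "LAPTOP-01", Managed: true, Encrypted: true, PINEnforced: true}
	req := AccessRequest{Device: laptop, ManagedApp: true}
	var out [3]Decision
	out[0] = Evaluate(DeviceBased, req, settings) // before the attack
	req.Device.MachineRisk = RiskHigh             // ATP detects the compromise
	out[1] = Evaluate(DeviceBased, req, settings)
	req.Device.MachineRisk = RiskNone             // ATP auto-remediation completes
	out[2] = Evaluate(DeviceBased, req, settings)
	return out
}

func main() {
	for i, d := range Scenario() {
		fmt.Printf("step %d: allow=%v (%s)\n", i+1, d.Allow, d.Reason)
	}
}
```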

Azure AD applications such as Office 365, Exchange Online, SPO, and others

The executives at SurelyMoney store a lot of high-value confidential documents in Microsoft SharePoint, an Office 365 application. Using a compromised device, the attacker tries to steal these documents. However, the tight coupling between conditional access and O365 applications prevents this from taking place.

Office 365 applications like Microsoft Word, Microsoft PowerPoint, and Microsoft Excel allow an organization's employees to collaborate and get work done. Different users can have different permissions, depending on the sensitivity or nature of their work, the group they belong to, and other factors. Conditional access facilitates access management in these applications because they are deeply integrated with the conditional access evaluation. Through conditional access, security admins can implement custom policies, enabling the applications to grant partial or full access to requested resources.

Figure 3. Zero Trust network model for Azure AD applications

Line of business applications

SurelyMoney has a custom transaction-tracking application connected to Azure AD. This application keeps records of all transactions carried out by customers. The attacker tries to gain access to this application using the harvested user credentials. However, conditional access prevents this breach from happening.

Every organization has mission-critical and business-specific applications that are tied directly to the success and efficiency of employees. These typically include custom applications related to e-commerce systems, knowledge tracking systems, document management systems, etc. Azure AD will not grant an access token for these applications if they fail to meet the required compliance and risk policy, relying on a binary decision on whether access to resources should be granted or denied.

Figure 4. Zero Trust network model expanded for line of business apps

On-premises web applications

Employees today want to be productive anywhere, any time, and from any device. They want to work on their own devices, whether they be tablets, phones, or laptops. And they expect to be able to access their corporate on-premises applications. Azure AD Application Proxy allows remote access to external applications as a service, enabling conditional access from managed or unmanaged devices.

SurelyMoney has built their own version of a code-signing application, which is a legacy tenant application. It turns out that the user of the compromised device belongs to the code-signing team. The requests to the on-premises legacy application are routed through the Azure AD Application Proxy. The attacker tries to make use of the compromised user credentials to access this application, but conditional access foils this attempt.

Without conditional access, the attacker would be able to create any malicious application he wants, code-sign it, and deploy it through Intune. These apps would then be pushed to every device enrolled in Intune, and the hacker would be able to gain an unprecedented amount of sensitive information. Attacks like these have been observed before, and it is in an enterprise's best interests to prevent this from happening.

Figure 5. Zero Trust network model for on-premises web applications

Continuous innovation

At present, conditional access works seamlessly with web applications. Zero Trust, in the strictest sense, requires all network requests to flow through the access control proxy and for all evaluations to be based on the device and user trust model. These network requests can include various legacy communication protocols and access methods like FTP, RDP, SMB, and others.

By leveraging device and user trust claims to gate access to organizational resources, conditional access provides comprehensive but flexible policies that secure corporate data while ensuring user productivity. We will continue to innovate to protect the modern workplace, where user productivity continues to expand beyond the perimeters of the corporate network.



Sumesh Kumar, Ashwin Baliga, Himanshu Soni, Jairo Cadena
Enterprise & Security

Updating your cybersecurity strategy to enable and accelerate digital transformation

This post is authored by Cyril Voisin, Chief Security Advisor, Enterprise Cybersecurity Group.

Nowadays every company is becoming a digital company to some extent. Digital transformation changes the way business is done. For example, it puts more control into the hands of employees, who now demand anytime, anywhere connectivity to the solutions and data they need to accomplish their objectives. Adoption of digital technologies takes place at every level of the organization, and shadow IT reminds us that employees may procure their own IT solutions to be more productive. Solutions require careful security considerations before being approved. Therefore, it's important to redefine your strategy to support both security and productivity, based on sound risk management.

Over the last decade, the security landscape has changed dramatically. Therefore, the security approach must be adapted to a new world of constant change and massive digitalization. With dramatic events such as Wannacry or NotPetya, cybersecurity has become a board conversation. Savvy enterprises now consider cybersecurity risks as strategic, the same way they consider financial risks.

Defining a crisp modern security strategy to support business success

A modern security agenda needs to define the purpose of the security team, its vision and mindset. It should also explain the high-level strategies it will employ, and how it will be organized, including the definition of priorities and deadlines and how the results will be measured. The figure below shows an example of a modern security agenda that can be summarized in a single slide for the purpose of sharing with your executive team.

Download the whitepaper on cybersecurity for digital transformation

More detailed information regarding enabling and accelerating digital transformation is available in this whitepaper. It is designed to articulate what a modern security strategy can look like, and is useful for CISOs, CIOs, CDOs, and potentially board members who want to learn more about secure transformation and benchmark their own teams. It was first released as an exclusive distribution in Dubai in October 2017, and now we are making it more broadly available today.

You can download the whitepaper here.

For more information on deployment planning and FastTrack guidance,check out related deployment series blogs.


Machine learning vs. social engineering

Machine learning is a key driver in the constant evolution of security technologies at Microsoft. Machine learning allows Microsoft 365 to scale next-gen protection capabilities and enhance cloud-based, real-time blocking of new and unknown threats. Just in the last few months, machine learning has helped us to protect hundreds of thousands of customers against ransomware, banking Trojan, and coin miner malware outbreaks.

But how does machine learning stack up against social engineering attacks?

Social engineering gives cybercriminals a way to get into systems and slip through defenses. Security investments, including the integration of advanced threat protection services in Windows, Office 365, and Enterprise Mobility + Security into Microsoft 365, have significantly raised the cost of attacks. The hardening of Windows 10 and Windows 10 in S mode, the advancement of browser security in Microsoft Edge, and the integrated stack of endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) further raise the bar in security. Attackers intent on overcoming these defenses to compromise devices are increasingly reliant on social engineering, banking on the susceptibility of users to open the gate to their devices.

Modern social engineering attacks use non-portable executable (PE) files like malicious scripts and macro-laced documents, typically in combination with social engineering lures. Every month, Windows Defender AV detects non-PE threats on over 10 million machines. These threats may be delivered as email attachments, through drive-by web downloads, removable drives, browser exploits, etc. The most common non-PE threat file types are JavaScript and VBScript.

Figure 1. Ten most prevalent non-PE threat file types encountered by Windows Defender AV

Non-PE threats are typically used as intermediary downloaders designed to deliver more dangerous executable malware payloads. Due to their flexibility, non-PE files are also used in various stages of the attack chain, including lateral movement and establishing fileless persistence. Machine learning allows us to scale protection against these threats in real-time, often protecting the first victim (patient zero).

Catching social engineering campaigns big and small

In mid-May, a small-scale, targeted spam campaign started distributing spear phishing emails that spoofed a landscaping business in Calgary, Canada. The attack was observed targeting less than 100 machines, mostly located in Canada. The spear phishing emails asked target victims to review an attached PDF document.

When opened, the PDF document presents itself as a secure document that requires action, a very common social engineering technique used in enterprise phishing attacks. To view the supposed secure document, the target victim is instructed to click a link within the PDF, which opens a malicious website with a sign-in screen that asks for enterprise credentials.

Phished credentials can then be used for further attacks, including CEO fraud, additional spam campaigns, or remote access to the network for data theft or ransomware. Our machine learning blocked the PDF file as malware (Trojan:Script/Cloxer.A!cl) from the get-go, helping prevent the attack from succeeding.

Figure 2. Phishing email campaign with PDF attachment

Beyond targeted credential phishing attacks, we commonly see large-scale malware campaigns that use emails with archive attachments containing malicious VBScript or JavaScript files. These emails typically masquerade as an outstanding invoice, package delivery, or parking ticket, and instruct targets of the attack to refer to the attachment for more details. If the target opens the archive and runs the script, the malware typically downloads and runs further threats like ransomware or coin miners.

Figure 3. Typical social engineering email campaign with an archive attachment containing a malicious script

Malware campaigns like these, whether limited and targeted or large-scale and random, occur frequently. Attackers go to great lengths to avoid detection by heavily obfuscating code and modifying their attack code for each spam wave. Traditional methods of manually writing signatures identifying patterns in malware cannot effectively stop these attacks. The power of machine learning is that it is scalable and can be powerful enough to detect noisy, massive campaigns, but also specific enough to detect targeted attacks with very few signals. This flexibility means that we can stop a wide range of modern attacks automatically at the onset.

Machine learning models zero in on non-executable file types

To fight social engineering attacks, we build and train specialized machine learning models that are designed for specific file types.

Building high-quality specialized models requires good features for describing each file. For each file type, the full contents of hundreds of thousands of files are analyzed using large-scale distributed computing. Using machine learning, the best features that describe the content of each file type are selected. These features are deployed to the Windows Defender AV client to assist in describing the content of each file to machine learning models.

In addition to these ML-learned features, the models leverage expert researcher-created features and other useful file metadata to describe content. Because these ML models are trained for specific file types, they can zero in on the metadata of these file types.

Figure 4. Specialized file type-specific client ML models are paired with heavier cloud ML models to classify and protect against malicious script files in real-time

When the Windows Defender AV client encounters an unknown file, lightweight local ML models search for suspicious characteristics in the file's features. Metadata for suspicious files is sent to the cloud protection service, where an array of bigger ML classifiers evaluates the file in real-time.

In both the client and the cloud, specialized file-type ML classifiers add to generic ML models to create multiple layers of classifiers that detect a wide range of malicious behavior. In the backend, deep-learning neural network models identify malicious scripts based on their full file content and behavior during detonation in a controlled sandbox. If a file is determined malicious, it is not allowed to run, preventing infection at the onset.

File type-specific ML classifiers are part of metadata-based ML models in the Windows Defender AV cloud protection service, which can make a verdict on suspicious files within a fraction of a second.

Figure 5. Layered machine learning models in Windows Defender ATP

File type-specific ML classifiers are also leveraged by ensemble models that learn and combine results from the whole array of cloud classifiers. This produces a comprehensive cloud-based machine learning stack that can protect against script-based attacks, including zero-day malware and highly targeted attacks. For example, the targeted phishing attack in mid-May was caught by a specialized PDF client-side machine learning model, as well as several cloud-based machine learning models, protecting customers in real-time.

Microsoft 365 threat protection powered by artificial intelligence and data sharing

Social engineering attacks that use non-portable executable (PE) threats are pervasive in today's threat landscape; the impact of combating these threats through machine learning is far-reaching.

Windows Defender AV combines local machine learning models, behavior-based detection algorithms, generics, and heuristics with a detonation system and powerful ML models in the cloud to provide real-time protection against polymorphic malware. Expert input from researchers, advanced technologies like Antimalware Scan Interface (AMSI), and rich intelligence from the Microsoft Intelligent Security Graph continue to enhance next-generation endpoint protection platform (EPP) capabilities in Windows Defender Advanced Threat Protection.

In addition to antivirus, components of Windows Defender ATP's interconnected security technologies defend against the multiple elements of social engineering attacks. Windows Defender SmartScreen in Microsoft Edge (also now available as a Google Chrome extension) blocks access to malicious URLs, such as those found in social engineering emails and documents. Network protection blocks malicious network communications, including those made by malicious scripts to download payloads. Attack surface reduction rules in Windows Defender Exploit Guard block Office-, script-, and email-based threats used in social engineering attacks. In addition, Windows Defender Application Control can block the installation of untrusted applications, including malware payloads of intermediary downloaders. These security solutions protect Windows 10 and Windows 10 in S mode from social engineering attacks.

Further, Windows Defender ATP endpoint detection and response (EDR) uses the power of machine learning and AMSI to unearth script-based attacks that live off the land. Windows Defender ATP allows security operations teams to detect and mitigate breaches and cyberattacks using advanced analytics and a rich detection library. With the April 2018 Update, automated investigation and advanced hunting capabilities further enhance Windows Defender ATP. Sign up for a free trial.

Machine learning also powers Office 365 Advanced Threat Protection to detect non-PE attachments in social engineering spam campaigns that distribute malware or steal user credentials. This enhances the Office 365 ATP comprehensive and multi-layered solution to protect mailboxes, files, online storage, and applications against threats.

These and other technologies power Microsoft 365 threat protection to defend the modern workplace. In Windows 10 April 2018 Update, we enhanced signal sharing across advanced threat protection services in Windows, Office 365, and Enterprise Mobility + Security through the Microsoft Intelligent Security Graph. This integration enables these technologies to automatically update protection and detection and orchestrate remediation across Microsoft 365.


Gregory Ellison and Geoff McDonald
Windows Defender Research





Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Cybersecurity Reference Architecture: Security for a Hybrid Enterprise

June 6th, 2018 No comments

The Microsoft Cybersecurity Reference Architecture describes Microsofts cybersecurity capabilities and how they integrate with existing security architectures and capabilities. We recently updated this diagram and wanted to share a little bit about the changes and the document itself to help you better utilize it.

How to use it

We have seen this document used for several purposes by our customers and internal teams (beyond a geeky wall decoration to shock and impress your cubicle neighbors).

  • Starting template for a security architecture – The most common use case we see is that organizations use the document to help define a target state for cybersecurity capabilities. Organizations find this architecture useful because it covers capabilities across the modern enterprise estate that now spans on-premise, mobile devices, many clouds, and IoT / Operational Technology.
  • Comparison reference for security capabilities – We know of several organizations that have marked up a printed copy with what capabilities they already own from various Microsoft license suites (many customers don’t know they own quite a bit of this technology), which ones they already have in place (from Microsoft or partner/3rd party), and which ones are new and could fill a need.
  • Learn about Microsoft capabilities – In presentation mode, each capability has a “ScreenTip” with a short description of each capability + a link to documentation on that capability to learn more.

  • Learn about Microsoft’s integration investments – The architecture includes visuals of key integration points with partner capabilities (e.g. SIEM/Log integration, Security Appliances in Azure, DLP integration, and more) and among our own product capabilities (e.g. Advanced Threat Protection, Conditional Access, and more).
  • Learn about cybersecurity – We have also heard reports of folks new to cybersecurity using this as a learning tool as they prepare for their first career or a career change.

As you can see, Microsoft has been investing heavily in security for many years to secure our products and services as well as provide the capabilities our customers need to secure their assets. In many ways, this diagram reflects Microsoft's massive ongoing investment into cybersecurity research and development, currently over $1 billion annually (not including acquisitions).

What has changed in the reference architecture and why

We made quite a few changes in v2 and wanted to share a few highlights on what’s changed as well as the underlying philosophy of how this document was built.

  • New visual style – The most obvious change for those familiar with the first version is the simplified visual style. While some may miss the “visual assault on the senses” effect from the bold colors in v1, we think this format works better for most people.
  • Interactivity instructions – Many people did not notice that each capability on the architecture has a quick description and link to more information, so we added instructions to call that out (and updated the descriptions themselves).
  • Complementary content – Microsoft has invested in creating cybersecurity reference strategies (success criteria, recommended approaches, how our technology maps to them) as well as prescriptive guidance for addressing top customer challenges like Petya/WannaCrypt, Securing Privileged Access, and Securing Office 365. This content is now easier to find with links at the top of the document.
  • Added section headers for each grouping of technology areas to make it easier to navigate, understand, and discuss as a focus area.
  • Added foundational elements – At the bottom of the diagram we added descriptions of some core foundational capabilities that are deeply integrated into how we secure our cloud services and build our cybersecurity capabilities. These include:

    • Trust Center – This is where we describe how we secure our cloud; it includes links to various compliance documents such as 3rd party auditor reports.
    • Compliance Manager is a powerful (new) capability to help you report on your compliance status for Azure, Office 365, and Dynamics 365 for General Data Protection Regulation (GDPR), NIST 800-53 and 800-171, ISO 27001 and 27018, and others.
    • Intelligent Security Graph is Microsoft's threat intelligence system that we use to protect our cloud, our IT environment, and our customers. The graph is composed of trillions of signals, advanced analytics, and teams of experts hunting for malicious activities and is integrated into our threat detection and response capabilities.
    • Security Development Lifecycle (SDL) is foundational to how we develop software at Microsoft and has been published to help you secure your applications. Because of our early and deep commitment to secure development, we were able to quickly conform to ISO 27034 after it was released.

  • Moved Devices/Clients together – As device form factors and operating systems continue to expand and evolve, we are seeing security organizations view devices through the lens of trustworthiness/integrity vs. any other attribute.

    • We reorganized the Windows 10 and Windows Defender ATP capabilities around outcomes vs. feature names for clarity.
    • We also reorganized Windows security icons and text to reflect that Windows Defender ATP describes all the platform capabilities working together to prevent, detect, and (automatically) respond to and recover from attacks. We added icons to show the cross-platform support for Endpoint Detection and Response (EDR) capabilities that now extend across Windows 10, Windows 7/8.1, Windows Server, Mac OS, Linux, iOS, and Android platforms.
    • We faded the intranet border around these devices because of the ongoing success of phishing, watering hole, and other techniques that have weakened the network boundary.

  • Updated SOC section – We moved several capabilities from their previous locations around the architecture into the Security Operations Center (SOC) as this is where they are primarily used. This move enabled us to show a clearer vision of a modern SOC that can monitor and protect the hybrid of everything estate. We also added the Graph Security API (in public preview) as this API is designed to help you integrate existing SOC components and Microsoft capabilities.
  • Simplified server/datacenter view – We simplified the datacenter section to recover the space being taken up by duplicate server icons. We retained the visual of extranets and intranets spanning on-premises datacenters and multiple cloud provider(s). Organizations see Infrastructure as a Service (IaaS) cloud providers as another datacenter for the intranet generation of applications, though they find Azure is much easier to manage and secure than physical datacenters. We also added Azure Stack capability that allows customers to securely operate Azure services in their datacenter.
  • New IoT/OT section – IoT is on the rise in many enterprises due to digital transformation initiatives. While the attacks and defenses for this area are still evolving quickly, Microsoft continues to invest deeply to provide security for existing and new deployments of Internet of Things (IoT) and Operational Technology (OT). Microsoft has announced $5 billion of investment over the next four years for IoT and has also recently announced an end-to-end certification for a secure IoT platform from MCU to the cloud called Azure Sphere.
  • Updated Azure Security Center – Azure Security Center grew to protect Windows and Linux operating systems across Azure, on-premises datacenters, and other IaaS providers. Security Center has also added powerful new features like Just in Time access to VMs and applied machine learning to create application whitelisting rules and North-South Network Security Group (NSG) network rules.
  • Added Azure capabilities including Azure Policy, Confidential Computing, and the new DDoS protection options.
  • Added Azure AD B2B and B2C – Many Security departments have found these capabilities useful in reducing risk by moving partner and customer accounts out of enterprise identity systems to leverage existing enterprise and consumer identity providers.
  • Added information protection capabilities for Office 365 as well as SQL Information Protection (preview).
  • Updated integration points – Microsoft invests heavily to integrate our capabilities together as well as to ensure our technology works with your existing security capabilities. This is a quick summary of some key integration points depicted in the reference architecture:

    • Conditional Access connecting info protection and threat protection with identity to ensure that authentications are coming from a secure/compliant device before accessing sensitive data.
    • Advanced Threat Protection integration across our SOC capabilities to streamline detection and response processes across Devices, Office 365, Azure, SaaS applications, and on Premises Active Directory.
    • Azure Information Protection discovering and protecting data on SaaS applications via Cloud App Security.
    • Data Loss Protection (DLP) integration with Cloud App Security to leverage existing DLP engines and with Azure Information Protection to consume labels on sensitive data.
    • Alert and Log Integration across Microsoft capabilities to help integrate with existing Security Information and Event Management (SIEM) solution investments.


We are always trying to improve everything we do at Microsoft and we need your feedback to do it! You can contact the primary author (Mark Simos) directly on LinkedIn with any feedback on how to improve it or how you use it, how it helps you, or any other thoughts you have.



Virtualization-based security (VBS) memory enclaves: Data protection through isolation

The escalating sophistication of cyberattacks is marked by the increased use of kernel-level exploits that attempt to run malware with the highest privileges and evade security solutions and software sandboxes. Kernel exploits famously gave the WannaCry and Petya ransomware remote code execution capability, resulting in widescale global outbreaks.

Windows 10 remained resilient to these attacks, with Microsoft constantly raising the bar in platform security to stay ahead of threat actors. Virtualization-based security (VBS) hardens Windows 10 against attacks by using the Windows hypervisor to create an environment that isolates a secure region of memory known as secure memory enclaves.

Figure 1. VBS secure memory enclaves

An enclave is an isolated region of memory within the address space of a user-mode process. This region of memory is controlled entirely by the Windows hypervisor. The hypervisor creates a logical separation between the normal world and the secure world, designated by Virtual Trust Levels VTL0 and VTL1, respectively. VBS secure memory enclaves create a means for secure, attestable computation in an otherwise untrusted environment.

VBS enclaves in Microsoft SQL Server

A key technology that will leverage VBS secure memory enclaves is Microsoft SQL Server. The upcoming SQL Server secure enclave feature ensures that sensitive data stored in an SQL Server database is only decrypted and processed inside an enclave. SQL Server's use of secure enclaves allows the processing of sensitive data without exposing the data to database administrators or malware. This reduces the risk of unauthorized access and achieves separation between those who own the data (and can view it) and those who manage the data (but should have no access). To learn more about the use of secure enclaves in SQL Server, see the blog post Enabling confidential computing with Always Encrypted using enclaves.

Data protection

One of the major benefits of secure memory enclaves is data protection. Data resident in an enclave is only accessible by code running inside that enclave. This means that there is a security boundary between VTL0 and VTL1. If a process tries to read memory that is within the secure memory enclave, an invalid access exception is thrown. This happens even when a kernel-mode debugger is attached to the normal process: the debugger will fail when trying to step into the enclave.

Code integrity

Code integrity is another major benefit provided by enclaves. Code loaded into an enclave is securely signed with a key; therefore, guarantees can be made about the integrity of code running within a secure memory enclave. The code running inside an enclave is incredibly restricted, but a secure memory enclave can still perform meaningful work. This includes performing computations on data that is encrypted outside the enclave but can be decrypted and evaluated in plaintext inside the enclave, without exposing the plaintext to anything other than the enclave itself. A great example of why this is useful in a multi-tenant cloud computing scenario is described in the Azure confidential computing blog post. This move allowed us to continually make significant innovations in platform security.


Attestation is also a critical aspect of secure memory enclaves. Sensitive information, such as plaintext data or encryption keys, must only be sent to the intended enclave that must be trusted. VBS enclaves can be put into debug mode for testing but lose memory isolation. This is great for testing, but in production this impacts the security guarantees of the enclave. To ensure that a production secure enclave is never in debug mode, an attestation report is generated to state what mode the enclave is in (among various other configuration and identity parameters). This report is then verified by a trust relationship between the consumer and producer of the report.

To establish this trust, VBS enclaves can expose an enclave attestation report that is fully signed by the VBS-unique key. This can prove the relationship between the enclave and host, as well as the exact configuration of the enclave. This attestation report can be used to establish a secure channel of communication between two enclaves. In Windows this is possible simply by exchanging the report. For remote scenarios, an attestation service can use this report to establish a trust relationship between a remote enclave and a client application.
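The consumer-side checks a report must pass, written out as an added example that is not part of the post or of Windows: a signed report carries the enclave identity, its debug flag and a caller-supplied challenge, and the consumer verifies the signature before trusting any other field. The report layout, the flag name and the use of an Ed25519 key as a stand-in for the VBS-unique key are assumptions for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FlagDebugEnabled marks an enclave in debug mode (memory isolation off). Modelled, not the real VBS layout.
const FlagDebugEnabled uint32 = 1 << 0

// Report is the modelled attestation report: identity, configuration, and caller-chosen bound data.
type Report struct {
	Measurement [32]byte // hash of the signed enclave image
	Flags       uint32   // configuration bits such as FlagDebugEnabled
	ReportData  [32]byte // challenge nonce, or hash of a channel public key
}

// Serialize is the fixed byte layout that is signed and later verified.
func (r Report) Serialize() []byte {
	var flags [4]byte
	binary.LittleEndian.PutUint32(flags[:], r.Flags)
	out := append([]byte{}, r.Measurement[:]...)
	out = append(out, flags[:]...)
	return append(out, r.ReportData[:]...)
}

// SignedReport is what the consumer receives: the report plus the host's signature.
type SignedReport struct {
	Report Report
	Sig    []byte
}

// NewVBSKey stands in for the VBS-unique key (assumption: modelled as Ed25519).
func NewVBSKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// MeasureImage derives the enclave identity from its signed image bytes.
func MeasureImage(image []byte) [32]byte { return sha256.Sum256(image) }

// ProduceReport is the host/VBS side: the report is signed with the VBS-unique key.
func ProduceReport(vbsKey ed25519.PrivateKey, r Report) SignedReport {
	return SignedReport{Report: r, Sig: ed25519.Sign(vbsKey, r.Serialize())}
}

// Policy is what the consumer (a peer enclave, or an attestation service remotely) requires.
type Policy struct {
	TrustedVBSKey       ed25519.PublicKey
	AllowedMeasurements [][32]byte
	ExpectedReportData  [32]byte
}

var (
	ErrBadSignature   = errors.New("signature does not verify under the trusted VBS key")
	ErrDebugEnabled   = errors.New("enclave is in debug mode: memory isolation is off")
	ErrUnknownEnclave = errors.New("enclave measurement is not allow-listed")
	ErrReportData     = errors.New("report data does not match the challenge")
)

// VerifyReport checks the signature first (no other field can be trusted before
// that), then debug mode, the binding to the consumer's challenge, and identity.
func VerifyReport(p Policy, sr SignedReport) error {
	if !ed25519.Verify(p.TrustedVBSKey, sr.Report.Serialize(), sr.Sig) {
		return ErrBadSignature
	}
	if sr.Report.Flags&FlagDebugEnabled != 0 {
		return ErrDebugEnabled
	}
	if sr.Report.ReportData != p.ExpectedReportData {
		return ErrReportData
	}
	for _, m := range p.AllowedMeasurements {
		if m == sr.Report.Measurement {
			return nil
		}
	}
	return ErrUnknownEnclave
}

func main() {
	pub, priv := NewVBSKey()
	image := []byte("constructed enclave image bytes") // constructed sample input
	var nonce [32]byte
	rand.Read(nonce[:])
	policy := Policy{pub, [][32]byte{MeasureImage(image)}, nonce}
	prod := Report{Measurement: MeasureImage(image), ReportData: nonce}
	fmt.Println("production enclave:", VerifyReport(policy, ProduceReport(priv, prod)))
	dbg := prod
	dbg.Flags |= FlagDebugEnabled
	fmt.Println("debug-mode enclave:", VerifyReport(policy, ProduceReport(priv, dbg)))
}
```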

One feature that relies on secure memory enclave attestation is Windows Defender System Guard runtime attestation, which allows users to measure and attest to all interactions from the enclave to other capabilities, including areas of runtime and boot integrity.

Figure 2. Windows Defender System Guard runtime attestation

Elevating data security

There are many secure memory enclave technologies in the industry today, each with its own pros and cons in capabilities. The benefit of using a VBS secure memory enclave is that there are no special hardware requirements; the only requirement is that the processor supports hypervisor virtualization extensions.

Additionally, VBS enclaves do not have the same memory constraints as a hardware-based enclave, which are usually quite limited.

VBS secure memory enclaves provide hardware-rooted, virtualization-based data protection and code integrity. They are leveraged for new data security capabilities, as demonstrated by Azure confidential computing and the Always Encrypted feature of Microsoft SQL Server. These are examples of the rapid innovation happening all throughout Microsoft to elevate security. This isn't the last you'll hear of secure memory enclaves. As Microsoft security technologies continue to advance, we can expect secure memory enclaves to stand out in many more protection scenarios.



Maxwell Renke, Program manager, Windows

Chris Riggs, Principal Program Manager, Microsoft Offensive Security Research


Getting the most value out of your security deployment

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog, Now that you have a plan, it's time to start deploying.

In our previous blog, we covered some of the tactical issues that you'll want to consider when planning your Microsoft 365 Security deployment. Now we'll move to the third and final step of an effective planning process: Drive Value.

The Drive Value stage is about helping your employees to embrace and adopt the new tools and processes that are a part of your new Microsoft Security infrastructure.

The FastTrack team can help you create and implement an adoption plan that leads you and your team smoothly out of the test phase and into wider user adoption. Drawing from thousands of customer experiences, we've assembled a variety of proven engagement tactics that you can apply directly to your own rollout. We'll make sure you have the knowledge, support, and materials you need for success.

Your checklist to Drive Value

The following checklist provides some of the items and actions that our FastTrack team can help you with during the Drive Value step:

Implement the adoption plan

  • Going beyond your test group to a broader population of users can be difficult. Having a plan in place to help your users adopt and embrace change will make this easier. Microsoft FastTrack will help you build a multifaceted adoption plan using best practices.

Hold launch and training events

  • Make it informative and fun using Microsoft FastTrack resources to help you drive end-user adoption. One idea is to set up a booth or a kiosk outside your lunch area or host lunch and learn events for your users. These events serve to support your users with face-to-face questions & answers as well as driving excitement and adoption. They are a great way to distribute resources your users can take with them.

Encourage ongoing engagement

  • As you implement the adoption plan, FastTrack will monitor and assist you at designated points along the way. Together, you'll work with your internal business stakeholders to drive adoption of new technology and work out any productivity issues. Leveraging the Service Management Toolkit and the Admin Learning Center helps you stay informed and effectively manage the new environment.

Keep everyone informed: provide an FAQ and supporting materials

  • Microsoft FastTrack has templates you can send to your users to educate them about specific features, explain deployment within the organization, show them how to register and enroll, and more. These tools and guides are specifically geared toward different departments within your organization, including individuals in HR, R&D, finance, legal, IT, and sales. You can also work with your internal communications teams to develop appropriate supporting collateral.

Ready to take the next step? Start your success plan

Our FastTrack Success Plan is an online tool that walks you through each step of the Microsoft 365 Security planning process, from Envisioning to Onboarding to Driving Value.

The Success Plan can be launched by either you or your Microsoft Partner and provides all the guidance and resources you need to plan a successful Microsoft 365 Security deployment. Once completed, the plan also provides you with a clear path to help you get the most out of your FastTrack services. To get started, simply sign in to FastTrack at: https://fasttrack.microsoft.com/

FastTrack provides end-to-end guidance for planning, onboarding, and driving end-user adoption for Microsoft 365, which comprises Enterprise Mobility + Security (EMS), Windows 10, and Office 365.


From the ground up to the cloud: Microsoft’s Intelligent Security supporting CISOs’ cloud transformation

May 30th, 2018 No comments

It's no secret that Microsoft has embraced the cloud in a big way, from enterprise solutions like Microsoft Azure to Office 365 and Windows. But a recent research report by Forrester focuses on an equally important shift in our approach to security: integrating workforce and cloud security in ways that make them much easier for enterprise IT leaders to purchase and manage.

As Dark Reading's Kelly Sheridan points out, Microsoft is focusing on bringing protections to where people are moving their work: into the cloud. "Microsoft, like other cloud providers, is stomping into the security market, ready to shake things up and address the weaknesses they see in today's tools," she adds.

Sheridan cites the Forrester research that includes a focus on Microsoft's plan to build security into each part of Azure, Office 365, and Windows, a strategy which, the researchers say, will be as disruptive to the security space as the cloud has been for the enterprise.

A shifting security challenge

Our emphasis on integration through and into the cloud mirrors the shifts CISOs have made as their own enterprises have embraced the cloud, requiring them to coordinate cloud and on-premises security solutions.

As summarized succinctly in Sheridan's Dark Reading post, Forrester's research highlights Microsoft's strengths in telemetry and artificial intelligence, which yield unparalleled insights into how attackers interact with not only our products, but also other applications that run on Windows and other Microsoft platforms.

"The report also cites Microsoft's efforts to target the enterprise market by making security easy to buy and use," Sheridan writes. Microsoft, she adds, "bundles technologies and simplifies deployment for security teams, which can use preconfigured security policies for new servers and containers." From C-level execs to Sec-Ops, our customers tell us they are overwhelmed by the rapid pace at which new cyber threats are released in the wild. Microsoft believes there is a need for the industry to shift to this next generation of security defense.

Scale and integration

The Forrester report also notes that embedded solutions address one of the biggest challenges cloud-focused CISOs face: scalability.

"Scalability isn't an issue," Sheridan writes. "As infrastructure and applications grow, so do cloud platforms. Teams don't need to worry about whether hardware can handle bandwidth upgrades or whether management servers can handle new endpoints."

And we continue to expand the scope of our security offerings. At April's RSA Conference 2018, Microsoft made a series of announcements that deepen our commitment to end-to-end security. Azure Sphere brings our security efforts to the connected microcontroller units (MCUs) that make up the Internet of Things (IoT), while a broad suite of technologies that together we call Microsoft 365 Intelligent Security emphasizes our commitment to integration. Intelligent Security offerings announced at RSA include a new API for Microsoft Graph that provides integrated data and alert reporting across security products, our Secure Score and Attack Simulator to help companies assess their security profiles, and additional support for strong authentication and threat prevention capabilities.

Disruption and drive

These shifts, according to Forrester, represent a significant disruption in the security marketplace. For CISOs, they also provide a strong argument for new thinking about security products in the enterprise, and for the significant cost savings of moving to a cloud that has security built in from the ground up. "Gone are the days when security leaders opted for separate antivirus tools in lieu of Windows Defender," Sheridan writes. "Now many question the business choice to buy an endpoint suite when Microsoft's services have security built in."

At the same time, Forrester's researchers caution against going all in with any single vendor, and we agree. Cybersecurity is a broad and complex space, and no one vendor can do it all. That's why we're working with microcontroller unit manufacturers on our IoT solutions, participating in a cybersecurity technology agreement with nearly 35 companies across the industry, and acquiring best-of-breed technology from innovative companies like Adallom and Aorato to bolster our capabilities in such areas as cloud security and malware detection. And along with the millions of threat indicators identified by the Intelligent Security Graph API, we work with a wide range of organizations to gather and share intelligence on threat attacks in real time. Together, these moves represent our commitment to work with all partners to secure the enterprise, a simple but powerful idea that, in the security space, may ultimately become the most disruptive force of all.


Adding transparency and context into industry AV test results


Corporate Vice President Brad Anderson recently shared his insights on how Windows Defender Advanced Threat Protection (Windows Defender ATP) evolved to achieve important quality milestones. Our Windows Defender ATP team is committed to delivering industry-leading protection, customer choice, and transparency on the quality of our solutions. In the continued spirit of these principles, we want to share the results of the January-February 2018 test conducted by independent antivirus tester AV-TEST and provide a transparency report that augments the test findings with contextual information to help our customers make informed decisions about Windows Defender ATP adoption.

Download the complete transparency report on January-February 2018 test results


At a high level, the transparency report shows:

  • Protection: Windows Defender Antivirus (Windows Defender AV) achieved a perfect score in Protection, maintaining consistently high scores in this category.
  • Usability (false positives): Windows Defender AV achieved an improved Usability score of 5.5/6.0. Per our telemetry, samples that Windows Defender AV incorrectly classified (false positives) had very low prevalence and are not commonly used in a business context.
  • Performance: Windows Defender AV improved this cycle, achieving a 5.5/6.0 Performance score and outperforming the industry in almost all areas. These results reflect the investments we put into optimizing Windows Defender AV performance for high-frequency actions (e.g., application run).


While independent tests can help assess a security solution's capabilities and protections, it is important to understand that antivirus tests are only one part of a complete quality assessment. To truly understand the protection quality of an endpoint protection platform (EPP) and endpoint detection and response (EDR) solution like Windows Defender ATP, its entire set of capabilities must be evaluated.

For instance, while Windows Defender ATP's antivirus capability achieved a perfect overall Protection score in the January-February 2018 tests and only missed two out of thousands of samples tested, it performed even better than the results suggest. The Windows Defender Security Intelligence team tested the two missed samples against the entire Windows Defender ATP stack to assess these samples' ability to infect machines in real-world enterprise environments. The team was able to confirm that the two missed samples were detected and mitigated by other components of the Windows Defender ATP stack.


As threats become more sophisticated, Microsoft and other security platform vendors continue evolving their product capabilities to detect threats across different attack stages. We hope to see independent testers evolve their methodologies as well. Our customers need greater transparency and optics into what an end-to-end solution can accomplish in terms of total preventive protection, including the quality of individual components like antivirus. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on end-to-end security stack testing.

Meanwhile, we continue to focus on improving our next-generation antivirus solution while at the same time delivering new, innovative capabilities like attack surface reduction and hardware-based isolation, just to name a few. In the Windows 10 April 2018 Update, you can experience these new and improved capabilities in Windows Defender ATP, which provides a complete endpoint protection platform (EPP) and endpoint detection and response (EDR) solution. To see these capabilities for yourself, sign up for a 90-day trial of Windows Defender ATP today, or enable Preview features on existing tenants.



Zaid Arafeh

Senior Program Manager, Windows Defender Research team


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.