Maintaining a secure and optimized digital environment allows new ideas to flourish wherever they occur. In the modern workplace, where devices and locations are no longer fixed, Microsoft Intune eases the task of managing and protecting the endpoints of businesses everywhere. It helps secure systems and simplify management, reduces costs, and frees up resources for creativity and innovation, which propel real business growth. The Forrester Wave Unified Endpoint Management, Q4 2023 report recognizes Intune as a Leader.
Propelling business growth
The Forrester report recognizes the advances made to the Microsoft Intune platform in the last year:
This new platform approach aims to help customers simplify management, reduce costs, and transform experiences with AI and automation, all factors that enable Microsoft to vastly outperform others across key metrics like devices under management and revenue growth.
Moving to cloud management with Intune aids customers in applying Zero Trust security principles, improves user experience, and streamlines operations with AI and automation. Exemplary endpoint management doesn’t often get the credit for propelling business growth that research and development initiatives receive. But companies that reduce the administrative overhead on their talent have more hours and focused attention available to tackle more challenges and innovate. And “talent” isn’t just made up of users; IT and security teams can tackle more valuable projects after simplifying and automating management tasks for themselves. As just one example, new cloud-based controls for managing the local admin passwords of Windows devices make this critical security operation simpler and reduce the need for on-premises resources.
The report also made note of the Microsoft Intune Suite, saying “it includes new support for mobile application management (MAM)-only, ruggedized, remote control, privilege management, and DEX (digital experience) use cases.”
The Intune Suite extends the capabilities of Intune and powers better digital experiences. Solutions like Endpoint Privilege Management ease the burdens on help desks and keep users productive, and Remote Help makes real-time troubleshooting faster, easier, and more secure for users and administrators alike. The time saved and frustration spared keep everyone focused on progress rather than process.
Defining the endpoint management experience
In The Unified Endpoint Management Landscape, Q3 2023 report, Forrester offers this market definition of unified endpoint management: “[Unified endpoint management] solutions help EUC (end user computing) professionals balance three priorities at once: exceptional DEX, cost-efficient management, and foundational threat prevention.”
Exceptional digital experience
How is the Intune digital experience exceptional? Devices are verified as healthy and made more secure without impeding the flow of work—or even rising to the notice of the user. Zero-touch provisioning with Autopilot creates a seamless out-of-box experience. Single sign-on, recently added to Intune’s now-comprehensive macOS management capabilities, reduces password fatigue and helps users get to work with fewer interruptions. Mobile application management allows users to access secure resources from their own mobile and Windows devices without enrollment, giving them greater freedom to work (and be inspired) where they see fit. Intune’s close integration with Microsoft Entra ID, Microsoft Defender, Windows, and Windows 365 further enhances the experience of work, with fewer hassles and greater peace of mind.
Cost-efficient management
As a truly unified platform, Intune allows admins to manage Windows, Linux, macOS, Android, iOS, and specialty devices. This reduces the burden of consolidating data from multiple sources and of switching between tools for privilege management, update management, and user experience. Intune instead offers broad management and protection capabilities and true visibility into endpoint performance in one place. With the Intune Suite, the productivity of admins and users can be accelerated even more.
Many enterprises are able to realize the value of Intune at no additional cost as part of their Microsoft 365 licenses. Additional savings can be realized by consolidating specialized management tools with redundant features, by retiring on-premises infrastructure, and by moving to true cloud-native management. Automation of tasks with flows, PowerShell runbooks, and scripts extends efficiency into the day-to-day operations of administrators, and the ability to grant Conditional Access to bring-your-own devices eases the need for dedicated, company-owned devices for employees. The reduction in support tickets and security incidents afforded by the baselines and tools that keep devices compliant and hardened against threats reduces the cost of remediation.
Foundational threat prevention
Microsoft Intune offers fundamental capabilities for creating and enforcing Zero Trust security at enterprise scale, and was given the top score in the Security category of the report. Device health compliance capabilities help keep potentially compromised devices from accessing sensitive resources. Privilege management and Conditional Access policy enforcement permit users to remain productive without increasing risk. The ability to define and enforce data protection policies at the device level keeps information flowing to the right places and helps prevent it from leaking to the wrong ones. Using Intune in concert with Microsoft Defender for Endpoint extends the security capabilities even further.
Strategic strength
The Forrester Wave™: Unified Endpoint Management, Q4 2023 report evaluates product strategy in addition to current features when identifying leaders, and Microsoft received the highest possible score in this area. According to the Forrester report, The Unified Endpoint Management Landscape, Q3 2023, “AI will fundamentally change the job of endpoint administrators, allowing them to query endpoints faster and more granularly, help inform policy decisions, and even replace scripting.”
Microsoft has begun to realize that future today with insights driven by machine learning already informing the Intune service. SOC and IT admins using Intune and the Intune Suite will see data from those services used by Microsoft Security Copilot, and expanded capabilities will emerge as the technology evolves.
Innovation and improvements to Intune are driven by our engineers, partners, and customers. We’re grateful to all our stakeholders for the hard work, extensive feedback, and broad adoption of Intune (Forrester indicates Microsoft has the largest market presence, too) that has enabled the solution to become a leader in unified endpoint management.
While we hope that this recognition gives confidence to all those who are interested in Intune, we know that diving deep into how a solution really works is key to making any investment. Check out Intune and Windows Tech Takeoff sessions to get technical breakdowns of existing workloads and explore what’s new. You can also subscribe to our ongoing news by returning to the Microsoft Intune blog home then join the conversation on Twitter at @MSIntune and LinkedIn.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as “Twitter”) (@MSFTSecurity) for the latest news and updates on cybersecurity.
The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
Forrester Wave™: Unified Endpoint Management, Q4 2023, Andrew Hewitt, Glen O’Donnell, Angela Lozada, Rachel Birrell. November 19, 2023.
Microsoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a software company that develops multimedia software products. This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.
Microsoft attributes this activity with high confidence to Diamond Sleet, a North Korean threat actor. The second-stage payload observed in this campaign communicates with infrastructure that has been previously compromised by Diamond Sleet. More recently, Microsoft has observed Diamond Sleet utilizing trojanized open-source and proprietary software to target organizations in information technology, defense, and media.
To address the potential risk of further attacks against our customers, Microsoft has taken the following steps to protect customers in response to this malicious activity:
Microsoft has communicated this supply chain compromise to CyberLink
Microsoft is notifying Microsoft Defender for Endpoint customers that have been targeted or compromised in this campaign
Microsoft reported the attack to GitHub, which removed the second-stage payload in accordance with its Acceptable Use Policies
Microsoft has added the CyberLink Corp. certificate used to sign the malicious file to its disallowed certificate list
Microsoft Defender for Endpoint detects this activity as Diamond Sleet activity group.
Microsoft Defender Antivirus detects the malware as Trojan:Win32/LambLoad.
Microsoft may update this blog as additional insight is gained into the tactics, techniques, and procedures (TTPs) used by the threat actor in this active and ongoing campaign.
Who is Diamond Sleet?
The actor that Microsoft tracks as Diamond Sleet (formerly ZINC) is a North Korea-based activity group known to target media, defense, and information technology (IT) industries globally. Diamond Sleet focuses on espionage, theft of personal and corporate data, financial gain, and corporate network destruction. Diamond Sleet is known to use a variety of custom malware that is exclusive to the group. Recent Diamond Sleet malware is described in Microsoft’s reporting of the group’s weaponization of open source software and exploitation of N-day vulnerabilities. Diamond Sleet overlaps with activity tracked by other security companies as Temp.Hermit and Labyrinth Chollima.
Microsoft has observed suspicious activity associated with the modified CyberLink installer file as early as October 20, 2023. The malicious file has been seen on over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States. While Microsoft has not yet identified hands-on-keyboard activity carried out after compromise via this malware, the group has historically:
Exfiltrated sensitive data from victim environments
Compromised software build environments
Moved downstream to additional victims for further exploitation
Used techniques to establish persistent access to victim environments
Diamond Sleet utilized a legitimate code signing certificate issued to CyberLink Corp. to sign the malicious executable. This certificate has been added to Microsoft’s disallowed certificate list to protect customers from future malicious use of the certificate:
Signer: CyberLink Corp.
Issuer: DigiCert SHA2 Assured ID Code Signing CA
SignerHash: 8aa3877ab68ba56dabc2f2802e813dc36678aef4
CertificateSerialNumber: 0a08d3601636378f0a7d64fd09e4a13b
Microsoft currently tracks the malicious application and associated payloads as LambLoad.
LambLoad
LambLoad is a weaponized downloader and loader containing malicious code added to a legitimate CyberLink application. The primary LambLoad loader/downloader sample Microsoft identified has the SHA-256 hash 166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be.
Before launching any malicious code, the LambLoad executable ensures that the date and time of the local host align with a preconfigured execution period.
Figure 1. Code for checking date and time of local host
The loader then checks that the host is not running security software from FireEye, CrowdStrike, or Tanium, by looking for the following process names:
csfalconservice.exe (CrowdStrike Falcon)
xagt.exe (FireEye agent)
taniumclient.exe (Tanium EDR solution)
If the date check fails or any of these processes is running, the executable simply continues running the legitimate CyberLink software and abandons further execution of malicious code. Otherwise, it attempts to contact one of three URLs, using the static User-Agent ‘Microsoft Internet Explorer’, to download the second-stage payload, which is embedded inside a file masquerading as a PNG:
The PNG file contains an embedded payload behind a fake outer PNG header; the payload is carved out, decrypted, and launched in memory.
Figure 2. Payload embedded in PNG file
When invoked, the in-memory executable attempts to contact the following callbacks for further instruction. Both domains are legitimate but have been compromised by Diamond Sleet:
The encrypted contents of the PNG file (SHA-256: 089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d) may be manually carved using the following command:
To restore the in-memory payload statically for independent analysis, the following Python script can be used to decrypt the carved contents.
To decrypt and verify:
Both the fake PNG and decrypted PE payload have been made available on VirusTotal.
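The carving command and decryption script referenced above are not reproduced on this page, so the following is an added example and not Microsoft’s script. It shows the general technique described in the text: walk the PNG chunk structure, treat whatever follows the last well-formed chunk as the embedded blob, decrypt it, and confirm the result parses as a PE. The two-byte XOR key, the constructed fake PNG, and the minimal MZ/PE stub are assumptions made so the example runs offline; the real LambLoad encryption scheme and offsets are not given here and are not claimed.

```python
"""Carve and decrypt a payload hidden behind a fake PNG header (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ASSUMED_KEY = b"\x5a\xa5"   # hypothetical key; NOT the real LambLoad key


def walk_png_chunks(data: bytes):
    """Return ([(offset, type, length, crc_ok), ...], end_of_valid_structure).

    Parsing stops at the first chunk that does not fit in the file, has a
    non-alphabetic type, fails its CRC, or is IEND. Everything after that
    offset is not PNG and is the candidate embedded payload."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG signature")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        if not ctype.isalpha() or pos + 12 + length > len(data):
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((pos, ctype.decode(), length, crc_ok))
        if not crc_ok:
            break
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def carve_embedded(data: bytes) -> bytes:
    """Bytes that follow the last well-formed PNG chunk."""
    _, end = walk_png_chunks(data)
    return data[end:]


def xor_decrypt(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed cipher for the constructed sample)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def looks_like_pe(blob: bytes) -> bool:
    """MZ header plus a PE\\0\\0 signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack("<I", blob[0x3C:0x40])
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_fake_pe() -> bytes:
    """Constructed MZ/PE header stub (not executable), used as the payload."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def build_fake_png(payload: bytes, key: bytes) -> bytes:
    """Constructed sample: signature + one valid IHDR chunk + encrypted blob."""
    ihdr_body = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    chunk = struct.pack(">I", len(ihdr_body)) + b"IHDR" + ihdr_body
    chunk += struct.pack(">I", zlib.crc32(b"IHDR" + ihdr_body) & 0xFFFFFFFF)
    return PNG_SIG + chunk + xor_decrypt(payload, key)


def analyze(data: bytes, key: bytes) -> dict:
    """Carve, decrypt, and report whether the result is a PE image."""
    blob = carve_embedded(data)
    dec = xor_decrypt(blob, key)
    return {"carved_len": len(blob), "is_pe": looks_like_pe(dec), "payload": dec}


if __name__ == "__main__":
    sample = build_fake_png(build_fake_pe(), ASSUMED_KEY)
    result = analyze(sample, ASSUMED_KEY)
    print(f"carved {result['carved_len']} bytes, PE: {result['is_pe']}")
```

Against a real sample, replace `xor_decrypt` with the routine recovered from the loader; the chunk walk is cipher-independent and also flags the file as a fake PNG, because a genuine image ends at IEND with no trailing data.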
Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
Use Microsoft Defender Antivirus to protect from this threat. Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Take immediate action to address malicious activity on the impacted device. If malicious code has been launched, the attacker has likely taken complete control of the device. Immediately isolate the system and perform a reset of credentials and tokens.
Investigate the device timeline for indications of lateral movement using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities. Verify the integrity of files on the device against known-good hashes.
Turn on the following attack surface reduction rule: Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
Detection details
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
Alerts with the following title in the security center can indicate threat activity on your network:
Diamond Sleet activity group
The following alert might also indicate threat activity related to this threat. Note, however, that this alert can be also triggered by unrelated threat activity.
An executable loaded an unexpected dll
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Defender XDR (formerly Microsoft 365 Defender) customers can run the following query to find related activity in their networks:
// SHA-256 hashes listed as IOCs in this report.
// Restricted to FileCreated; drop the ActionType filter to also surface
// FileModified or FileRenamed events for the same hashes.
let iocs = dynamic(["166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be",
"089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d",
"915c2495e03ff7408f11a2a197f23344004c533ff87db4b807cc937f80c217a1"]);
DeviceFileEvents
| where ActionType == "FileCreated"
| where SHA256 in (iocs)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
Microsoft Defender XDR and Microsoft Sentinel
This query can be used in both Microsoft Defender XDR advanced hunting and Microsoft Sentinel Log Analytics. It surfaces devices where the modified CyberLink installer can be found.
// Files signed with the CyberLink certificate that Diamond Sleet abused.
// Legitimate CyberLink software signed with the same certificate will also
// match; compare the returned SHA256 values against the IOC list.
DeviceFileCertificateInfo
| where Signer contains "CyberLink Corp"
| where CertificateSerialNumber == "0a08d3601636378f0a7d64fd09e4a13b"
| where SignerHash == "8aa3877ab68ba56dabc2f2802e813dc36678aef4"
// Join back to file events to recover the path and SHA-256 on each device.
| join DeviceFileEvents on SHA1
| distinct DeviceName, FileName, FolderPath, SHA1, SHA256, IsTrusted, IsRootSignerMicrosoft, SignerHash
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
The following YAMLs contain queries that surface activities related to this attack:
The list below provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on X (formerly Twitter) at https://twitter.com/MsftSecIntel.
Protecting identity from compromise is top of mind for security professionals as identity attacks continue to intensify. Earlier this year we reported that we had observed a nearly three-fold increase in password attacks per second in the last two years, from 579 in 2021 to 4,000 in 2023.1 Identity and access stands between malicious actors and web and cloud resources, making it critical to have a solution that is seamlessly integrated.
Microsoft Entra is a unified identity and network access solution that protects any identity and secures access to any application or resource, in any cloud or on-premises. We’re grateful to all of you—our customers and partners, for your generous feedback that guides our product vision, roadmap, and innovation, and for the collaborative engineering approach that has enabled us to co-create modern identity and access solutions.
Today, we are honored to announce that for the seventh year in a row, Microsoft has been named a Leader in the 2023 Gartner® Magic Quadrant™ for Access Management. We believe Microsoft’s placement in the Leaders quadrant validates our commitment to empowering our customers with a comprehensive solution powered by AI and automation.
Making it easier to secure access
Microsoft Entra’s mission is to help you stay ahead of the evolving digital threat landscape by making it easier to secure access to everything, for everyone, from anywhere. This year, we released several key innovations in pursuit of this goal. Here are a few recent highlights:
First, we introduced Microsoft Entra ID Governance, our complete identity governance solution that helps ensure the right people have the right access to the right resources at the right time. This cloud-delivered product includes capabilities that were already available in Microsoft Entra ID, plus more advanced tools that automate identity and access lifecycle management, and simplify access governance for on-premises, software as a service, and cloud apps and resources.
Second, we made significant progress towards offering additional phishing-resistant authentication methods in alignment with Executive Order 14028: Users will be able to sign in using passkeys managed from the Microsoft Authenticator app, which is also Federal Information Processing Standards (FIPS) 140-compliant for both iOS and Android. We have also added more customization for our cloud-based certificate-based authentication (CBA) solution.
Third, Microsoft Entra ID introduced a series of marquee features, including Microsoft Entra ID Protection capabilities that help you proactively block identity takeover in real time. These innovations include a brand-new dashboard with improved security posture insights and recommendations, new risk detections that can stop attacks in their early phases, and an integration with Microsoft Defender XDR to correlate incidents. Strict location enforcement has also been added to continuous access evaluation (CAE), so that Microsoft Entra ID can revoke access and remediate potential compromise in near real time when a change in location is detected. As part of an ongoing commitment to token protection, Microsoft Entra ID also released sign-in session token protection to help defend against token theft attacks.
Fourth, we released the preview of new, unified capabilities in Microsoft Entra External ID, our next-generation customer identity and access management platform that unifies secure and engaging experiences for all external identities, including customers, partners, citizens, and others within a single integrated platform. These new capabilities deliver a more developer-centric platform with the latest security and governance capabilities of Microsoft Entra ID and deep integrations across Microsoft Security.
Fifth, we launched our new identity-centric Security Service Edge solution with the release of two products, Microsoft Entra Internet Access and Microsoft Entra Private Access. This solution unifies identity and network access controls under a single policy engine, extending universal Conditional Access controls to any user and any resource across identity, endpoint and network. By bringing these two solutions into the Microsoft Entra portfolio, we’re expanding our reach beyond identity and access management to a comprehensive solution that can help secure access holistically.
We can’t wait to bring more innovations to the Microsoft Entra portfolio in this new year and continue making progress against our goal to simplify securing access to everything, for everyone.
Discover the Microsoft Entra product family
The Microsoft Entra product family includes:
Microsoft Entra ID, part of Microsoft Entra, our flagship cloud identity product.
Are you a regular user of Microsoft Entra? Review your experience on Gartner Peer Insights™ and get a $25 gift card.
Microsoft Entra
Unified multicloud identity and network access help you protect and verify identities, manage permissions, and enforce intelligent access policies, all in one place.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.
Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner and Magic Quadrant are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.
Gartner, Magic Quadrant for Access Management, by Henrique Teixeira, Abhyuday Data, Nathan Harris, Robertson Pimentel. 16 November 2023.
We are excited to announce the new Microsoft Defender Bounty Program with awards of up to $20,000 USD.
The Microsoft Defender brand encompasses a variety of products and services designed to enhance the security of the Microsoft customer experience. The Microsoft Defender Bounty Program invites researchers across the globe to identify vulnerabilities in Defender products and services and share them with our team.
Microsoft has observed ongoing activity from mobile banking trojan campaigns targeting users in India with social media messages designed to steal users’ information for financial fraud. Using social media platforms like WhatsApp and Telegram, attackers are sending messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organizations, such as banks, government services, and utilities. Once installed, these fraudulent apps exfiltrate various types of sensitive information from users, which can include personal information, banking details, payment card information, account credentials, and more.
Although not a new threat, mobile malware infections pose significant risks to mobile users, including unauthorized access to personal information, financial loss from fraudulent transactions, loss of privacy, degraded device performance as the malware consumes system resources, and data theft or corruption. In the past, we observed similar banking trojan campaigns that sent malicious links leading users to download malicious apps, as detailed in our blog Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices.
The current active campaigns have pivoted to sharing malicious APK files directly to mobile users located in India. Our investigation focused on two malicious applications that falsely present themselves as official banking apps. Spoofing and impersonating legitimate banks, financial institutions, and other official services is a common social engineering tactic for information-stealing malware. Importantly, legitimate banks themselves are not affected by these attacks directly, and the existence of these attacks is not related to legitimate banks’ own authentic mobile banking apps and security posture. That said, cybercriminals often target customers of large financial institutions by masquerading as a legitimate entity. This threat highlights the need for customers to install applications only from official app stores, and to be wary of false lures as we see in these instances.
In this blog, we shed light on the ongoing mobile banking trojan campaigns impacting various sectors by analyzing the attacks of two fraudulent apps targeting Indian banking customers. We also detail some of the additional capabilities of malicious apps observed in similar campaigns and provide recommendations and detections to defend against such threats. As our mobile threat research continuously monitors malware campaigns in the effort to combat attackers’ tactics, techniques, and procedures (TTPs), we notified the organizations being impersonated by these fake app campaigns. Microsoft is also reporting on this activity to bring increased awareness to the threat landscape as mobile banking trojans and credential phishing fraud continue to persist, prompting an urgent call for robust and proactive defense strategies.
Case 1: Fake banking app targeting account information
We discovered a recent WhatsApp phishing campaign through our telemetry that led to banking trojan activity. In this campaign, the attacker shares a malicious APK file through WhatsApp with a message asking users to enter sensitive information in the app. The widely circulated fake banking message states “Your [redacted] BANK Account will be Blocked Today please update your PANCARD immediately open [redacted]-Bank.apk for update your PANCARD. Thank You.” and includes an APK file named [redacted]-BANK[.]apk.
Figure 1. A fake WhatsApp message sent to user to update KYC using shared APK file.
Upon investigation, we discovered that the APK file was malicious and interacting with it installs a fraudulent application on the victim device. The installed app impersonates a legitimate bank located in India and disguises itself as the bank’s official Know Your Customer (KYC) application to trick users into submitting their sensitive information, despite this particular banking organization not being affiliated with an official KYC-related app. This information is then sent to a command and control (C2) server, as well as to the attacker’s hard-coded phone number used in SMS functionality.
Figure 2. The attack flow of this campaign.
What users see
Upon installation, the fake app displays a bank icon posing as a legitimate bank app. Note that the app we analyzed is not an official bank app from the Google Play Store, but a fake app that we’ve observed being distributed through social media platforms.
The initial screen then proceeds to ask the user to enable SMS-based permissions. Once the user allows the requested permissions, the fake app displays the message “Welcome to [redacted]Bank fast & Secure Online KYC App” and requests that users sign in to internet banking by entering their mobile number, ATM PIN, and PAN card details.
Figure 3. Once installed on a device, the fake app asks users to allow SMS permissions and to sign-in to internet banking and submit their mobile number, ATM pin, and PAN card to update KYC.
After clicking the sign-in button, the app displays a verification prompt asking the user to enter the digits on the back of their banking debit card in grid format for authentication—a common security feature used as a form of multifactor authentication (MFA), where banks provide debit cards with 2-digit numbers in the form of a grid on the back of the card. Once the user clicks the authenticate button, the app claims to verify the shared details but fails to retrieve data, instead moving on to the next screen requesting additional user information. This can trick the user into believing that the process is legitimate, while remaining unaware of the malicious activity launching in the background.
Figure 4. The fake app’s authentication process asks the user to enter the correct digits as presented on their debit card.
Next, the user is asked to enter their account number followed by their account credentials. Once all the requested details are submitted, a suspicious note appears stating that the details are being verified to update KYC. The user is instructed to wait 30 minutes and not to delete or uninstall the app. Additionally, the app has the functionality to hide its icon, causing it to disappear from the user’s device home screen while still running in the background.
Figure 5. The fraudulent app steals the user’s account number and credentials and hides its icon from the home screen.
Technical analysis
To start our investigation and as part of our proactive research, we located and analyzed the following sample:
We first examined the app’s AndroidManifest file, which lists the permissions and components (such as activities, services, receivers, and providers) that can run in the background without requiring user interaction. We discovered that the malware requests two runtime permissions (also known as dangerous permissions) from users:
Permission      Description
Receive_SMS     Intercept SMSs received on the victim’s device
Send_SMS        Allows an application to send SMS
The image below displays the requested Receive_SMS and Send_SMS permissions, the activities, receivers, and providers used in the application, and the launcher activity, which loads the application’s first screen.
Figure 6. AndroidManifest.xml file
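The manifest review described above can be turned into a repeatable triage check. The following is an added example written for this page, not code from Microsoft or from the analyzed sample: it parses an AndroidManifest.xml and flags the combination the analysis calls out (RECEIVE_SMS together with SEND_SMS, an SMS_RECEIVED broadcast receiver, and INTERNET access alongside SMS permissions). The two manifests embedded in the block are constructed stand-ins that mirror the structure shown in Figure 6; the package name and component names are invented. In a real manifest the permissions appear under their full identifiers, android.permission.RECEIVE_SMS and android.permission.SEND_SMS, which is what the check matches on.

```python
"""Static triage of an AndroidManifest.xml for the SMS-abuse pattern described above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's notation for the android: attribute namespace

# Runtime ("dangerous") permissions that together enable SMS interception and forwarding.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed sample manifest (hypothetical package and component names, not the real
# sample's manifest) that mirrors the permissions and SMS receiver seen in the analysis.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Bank KYC Update">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison: network access only, no SMS capability.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".NotesActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a dict summarizing SMS-related capabilities declared in the manifest."""
    root = ET.fromstring(xml_text)

    # Every <uses-permission android:name="..."/> in the manifest.
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)

    # Receivers whose intent filter listens for incoming SMS broadcasts.
    sms_receivers = []
    for recv in root.iter("receiver"):
        if any(act.get(A + "name") == SMS_RECEIVED_ACTION for act in recv.iter("action")):
            sms_receivers.append(recv.get(A + "name"))

    # The launcher activity, i.e. the component that draws the first screen.
    launcher = None
    for act in root.iter("activity"):
        if any(c.get(A + "name") == LAUNCHER_CATEGORY for c in act.iter("category")):
            launcher = act.get(A + "name")

    findings = []
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms:
        findings.append("requests both RECEIVE_SMS and SEND_SMS: can read incoming OTPs and forward them by SMS")
    if sms_receivers:
        findings.append("registers SMS_RECEIVED receiver(s): " + ", ".join(sms_receivers))
    if "android.permission.INTERNET" in perms and sms_perms:
        findings.append("INTERNET alongside SMS permissions: intercepted messages can be posted to a remote server")

    return {
        "package": root.get("package"),
        "launcher_activity": launcher,
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(text)
        print(name, result["package"], "suspicious" if result["suspicious"] else "clean")
        for f in result["findings"]:
            print("  -", f)
```

The manifest is read from a decoded APK (for example the output of apktool); the check is deliberately coarse, since legitimate SMS clients also declare these permissions, so a hit is a reason to look at the code and the distribution channel, not a verdict on its own.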
Source code review
Main activity
The main activity, djhgsfjhfdgf[.]gjhdgsfsjde[.]myappl876786ication[.]M1a2i3n4A5c6t7i8v9i0t0y987654321, executes once the app is launched and shows as the first screen of the application. The OnCreate() method of this class requests permissions for Send_SMS and Receive_SMS and displays a form to complete the KYC application with text fields for a user’s mobile number, ATM pin, and PAN card. Once the user’s details are entered successfully, the collected data is added to a JSON object and sent to the attacker’s C2 at: https://biogenetic-flake.000webhostapp[.]com/add.php
The app displays a note saying “Data added successfully”. If the details are not entered successfully, the form fields will be empty, and an error note will be displayed.
Figure 7. Launcher activity page, asking the user to sign-in with their mobile number, ATM pin, and PAN card.
Additionally, the malware collects data and sends it to the attacker’s phone number specified in the code using SMS.
Figure 8. Collected data sent to the attacker’s mobile number as a SMS.
Stealing SMS messages and account information
The malware collects incoming SMS messages from the victim’s device using the newly granted Receive_SMS permission. These incoming messages may contain one-time passwords (OTPs) that can be used to bypass MFA and steal money from the victim’s bank account. Using the Send_SMS permission, the victim’s messages are then sent to the attacker’s C2 server (https[:]//biogenetic-flake[.]000webhostapp[.]com/save_sms[.]php?phone=) and to the attacker’s hardcoded phone number via SMS.
Figure 9. Steals incoming SMS to send to the attacker’s C2 and mobile number via SMS.
The user’s bank account information is also targeted for exfiltration—once the user submits their requested account number and account credentials, the malware collects the data and similarly sends it to the attacker’s C2 server and hard-coded phone number.
Figure 10. Collecting the user’s account number to send to the attacker.
Figure 11. Collecting the user’s account credentials to send to the attacker.
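The C2 endpoints named in this section (add.php for the KYC form data and save_sms.php?phone= for intercepted messages on the biogenetic-flake.000webhostapp.com host) are the kind of indicator a defender can match against web proxy or mobile gateway logs. The block below is an added example for this page, not Microsoft's detection logic: it parses a simplified, constructed log layout (timestamp, client address, method, URL, status; not real telemetry), reports requests to the known endpoints, applies a weaker heuristic for the same save_sms.php endpoint on other free-hosting subdomains, and lists the client addresses that need follow-up. The client addresses, timestamps, and phone numbers in the sample lines are invented.

```python
"""Match HTTP proxy log lines against the exfiltration endpoints described in the analysis."""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the analysis above, with the defanging brackets removed so they
# compare equal to what a real log would record.
C2_HOST = "biogenetic-flake.000webhostapp.com"
C2_PATHS = {
    "/add.php": "KYC form data (mobile number, ATM PIN, PAN)",
    "/save_sms.php": "intercepted SMS content",
}
FREE_HOSTING_SUFFIX = ".000webhostapp.com"

# Constructed sample log lines: "timestamp client method url status". Not real telemetry.
SAMPLE_LOG = """\
2023-11-01T10:02:13Z 10.20.0.15 GET https://www.example-bank.test/login 200
2023-11-01T10:02:41Z 10.20.0.15 POST https://biogenetic-flake.000webhostapp.com/add.php 200
2023-11-01T10:05:07Z 10.20.0.15 GET https://biogenetic-flake.000webhostapp.com/save_sms.php?phone=9100000000 200
2023-11-01T10:05:09Z 10.20.0.22 GET https://updates.example.test/manifest.json 304
2023-11-01T10:06:30Z 10.20.0.15 POST https://other.000webhostapp.com/save_sms.php?phone=9100000001 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_request(url):
    """Return (verdict, detail) for a URL, or None if it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == C2_HOST and parts.path in C2_PATHS:
        return ("known_c2", C2_PATHS[parts.path])
    # Weaker heuristic: the same endpoint name on another free-hosting subdomain,
    # carrying a phone number in the query string as the analyzed sample does.
    if (parts.path == "/save_sms.php" and host.endswith(FREE_HOSTING_SUFFIX)
            and "phone" in parse_qs(parts.query)):
        return ("suspicious_pattern", "save_sms.php with phone= parameter on free hosting")
    return None


def scan_log(text):
    """Return one hit dict per log line that matches a known or suspicious endpoint."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected layout
        verdict = classify_request(m.group("url"))
        if verdict is None:
            continue
        hits.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "url": m.group("url"),
            "verdict": verdict[0],
            "detail": verdict[1],
        })
    return hits


def affected_clients(hits):
    """Client addresses that contacted a known C2 endpoint, sorted for reporting."""
    return sorted({h["client"] for h in hits if h["verdict"] == "known_c2"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["client"], h["verdict"], h["url"], "->", h["detail"])
    print("clients to isolate and re-image:", affected_clients(SAMPLE_LOG and found))
```

The known-C2 branch is what an IoC feed gives you; the heuristic branch is there because free-hosting infrastructure is cheap to rotate, so matching on the endpoint shape catches the next host before its name reaches a blocklist, at the cost of needing a human look at each hit.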
Hiding app icon
Finally, the app has the functionality to hide its icon from the home screen and run in the background.
Figure 12. Hides app icon from home screen
Case 2: Fake banking app targeting payment card details
Similar to the first case, the second case involves a fraudulent app that deceives users into providing personal information. Unlike the first case, the banking trojan in the second case is capable of stealing credit card details, putting users at risk of financial fraud. User information targeted by the fraudulent app to be sent to the attacker’s C2 includes:
Personal information – Name, email ID, mobile number, date of birth
When the user interacts with the app, it displays a launch screen featuring the app icon and prompting the user to grant SMS-based permissions. Once the requested permissions are enabled, the app displays a form for the user to enter their personal details, including their name, email address, mobile number, and date of birth. The data provided by the user is then sent to C2 server. After this, the app displays a form for the user to enter their credit card details, including the 16-digit card number, CVV number, and card expiration date, which is also sent to the attacker’s C2.
Figure 13. Fake app collects SMS permissions, personal details and card details.
Additional features in some versions
In related campaigns, we observed some versions of the same malicious app include additional features and capabilities, such as capturing:
Financial information – Bank details, bank ID, card details
Personal information – PAN card, Aadhar number, permanent address, state, country, pin code, income
Verifying and stealing one-time passwords (OTPs)
Similar campaigns
Based on our telemetry, we have been observing similar campaigns using the names of legitimate organizations in the banking, government services, and utilities sectors, as app file names to target Indian mobile users. Like the two cases discussed above, these campaigns involve sharing the fraudulent apps through WhatsApp and Telegram, and possibly other social media platforms. Moreover, these campaigns select legitimate and even well-known institutions and services in the region to imitate and lure users into a false sense of security. Spoofing and impersonating legitimate organizations and official services is a common social engineering tactic for information-stealing malware. While these banks and other organizations themselves are not affected by the attack directly, attackers often target customers by imitating legitimate entities.
Conclusion
Mobile banking trojan infections can pose significant risks to users’ personal information, privacy, device integrity, and financial security. As the campaigns discussed in this blog display, these threats can often disguise themselves as legitimate apps and deploy social engineering tactics to achieve their goals and steal users’ sensitive data and financial assets. Being aware of the risks and common tactics used by banking trojans and other mobile malware can help users identify signs of infection and take appropriate action to mitigate the impacts of these threats.
Finding unfamiliar installed apps, increased data usage or battery drain, unauthorized transactions or account settings changes, device crashes, slow performance, unexpected pop-ups, and other unusual app behaviors can indicate a possible banking trojan infection. To help prevent such threats, we recommend the following precautionary measures:
Only install apps from trusted sources and official stores, like the Google Play Store and Apple App Store.
Never click on unknown links received through ads, SMS messages, emails, or similar untrusted sources.
Always keep Install unknown apps disabled on the Android device to prevent apps from being installed from unknown sources.
Figure 14. Example of the Install unknown apps feature on an Android device
Additionally, various Indian banks, government services, and other organizations are conducting security awareness campaigns on social media using promotional videos to educate users and help combat the ongoing threat presented by these mobile banking trojan campaigns.
Abhishek Pustakala, Harshita Tripathi, and Shivang Desai
Microsoft Threat Intelligence
Appendix
Microsoft 365 Defender detections
Microsoft Defender Antivirus and Microsoft Defender for Endpoint on Android detect these threats as the following malware:
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on X (formerly Twitter) at https://twitter.com/MsftSecIntel.
This year marks the tenth anniversary of the Microsoft Bug Bounty Program, an essential part of our proactive strategy to protect customers from security threats. Since its inception in 2013, Microsoft has awarded more than $60 million to thousands of security researchers from 70 countries. These individuals have discovered and reported vulnerabilities under Coordinated Vulnerability Disclosure, aiding Microsoft in navigating the continuously evolving security threat landscape and emerging technologies.
This year is a landmark moment for Microsoft as we observe the 20th anniversary of Patch Tuesday updates, an initiative that has become a cornerstone of the IT world’s approach to cybersecurity. Originating from the Trustworthy Computing memo by Bill Gates in 2002, our unwavering commitment to protecting customers continues to this day and is reflected in Microsoft’s Secure Future Initiative announced this month.
The increasing speed, scale, and sophistication of recent cyberattacks demand a new approach to security. Traditional tools are no longer enough to keep pace with the threats posed by cybercriminals. In just two years, the number of password attacks detected by Microsoft has risen from 579 per second to more than 4,000 per second.1 On average, organizations use 80 security tools to manage their environment, resulting in security teams facing data deluge, alert fatigue, and limited visibility across security solutions. Plus, the global cost of cybercrime is expected to reach $10.5 trillion by 2025, up from $3 trillion in 2015. Security teams face an asymmetric challenge: they must protect everything, while cyberattackers only need to find one weak point. And security teams must do this while facing regulatory complexity, a global talent shortage, and rampant fragmentation.
One of the advantages for security teams is their view of the data field—they know how the infrastructure, user posture, and applications, are set up before a cyberattack begins. To further tip the scale in favor of cyberdefenders, Microsoft Security offers a very large-scale data advantage—65 trillion daily signals, expertise of global threat intelligence, monitoring more than 300 cyberthreat groups, and insights on cyberattacker behaviors from more than 1 million customers and more than 15,000 partners.1
Our new generative AI solution—Microsoft Security Copilot—combined with our massive data advantage and end-to-end security, all built on the principles of Zero Trust, creates a flywheel of protection to change the asymmetry of the digital threat landscape and favor security teams in this new era of security.
To learn more about Microsoft Security’s vision for the future and the latest generative AI announcements and demos, watch the Microsoft Ignite keynote “The Future of Security with AI” presented by Charlie Bell, Executive Vice President, Microsoft Security, and I on Thursday, November 16, 2023, at 10:15 AM PT.
Changing the paradigm with Microsoft Security Copilot
One of the biggest challenges in security is the lack of cybersecurity professionals. This is an urgent need given the three million unfilled positions in the field, with cyberthreats increasing in frequency and severity.2
In a recent study to measure the productivity impact for “new in career” analysts, participants using Security Copilot demonstrated 44 percent more accurate responses and were 26 percent faster across all tasks.3
According to the same study:
86 percent reported that Security Copilot helped them improve the quality of their work.
83 percent stated that Security Copilot reduced the effort needed to complete the task.
86 percent said that Security Copilot made them more productive.
90 percent expressed their desire to use Security Copilot next time they do the same task.
Check out the Security Copilot Early Access Program—with Microsoft Defender Threat Intelligence included at no additional charge—that adds speed and scale for scenarios like security posture management, incident investigation and response, security reporting, and more—now available to interested and qualified customers. For example, one early adopter from Willis Towers Watson (WTW) said “I envision Microsoft Security Copilot as a change accelerator. The ability to do threat hunting at pace will mean that I’m able to reduce my mean time to investigate, and the faster I can do that, the better my security posture will become.” Keep reading for a full list of capabilities.
Introducing the industry’s first generative AI-powered unified security operations platform with built-in Copilot
Security operations teams struggle to manage disparate security toolsets from siloed technologies and apps. This challenge is only exacerbated given the scarcity of skilled security talent. And while organizations have been investing in traditional AI and machine learning to improve threat intelligence, deploying AI and machine learning comes with its unique challenges and its own shortage of data science talent. It’s time for a step-change in our industry, and thanks to generative AI, we can now close the talent gap for both security and data professionals. Securing an organization today requires an innovative approach that prevents, detects, and disrupts cyberattacks at machine speed, while delivering simplicity and approachable, conversational experiences to help security operations center (SOC) teams move faster, and bringing together all the security signals and threat intelligence currently stuck in disconnected tools. Today, we are thrilled to announce the next major step in this industry-defining vision: combining the power of leading solutions in security information and event management (SIEM), extended detection and response (XDR), and generative AI for security into the first unified security operations platform.
By bringing together Microsoft Sentinel, Microsoft Defender XDR (previously Microsoft 365 Defender), and Microsoft Security Copilot, security analysts now have a unified incident experience that streamlines triage and provides a complete, end-to-end view of threats across the digital estate. With a single set of automation rules and playbooks enriched with generative AI, coordinating response is now easier and quicker for analysts of every level. In addition, unified hunting now gives analysts the ability to query all SIEM and XDR data in one place to uncover cyberthreats and take appropriate remediation action. Customers interested in joining the preview of the unified security operations platform should contact their account team.
Further, Microsoft Security Copilot is natively embedded into the analyst experience supporting both SIEM and XDR and equipping analysts with step-by-step guidance and automation for investigating and resolving incidents, without relying on data analysts. Complex tasks, such as analyzing malicious scripts or crafting Kusto Query Language (KQL) queries to hunt across data in Microsoft Sentinel and Defender XDR, can be accomplished simply by asking a question in natural language or accepting a suggestion from Security Copilot. If you need to update your chief information security officer (CISO) on an incident, you can now instantly generate a polished report that summarizes the investigation and the remediation actions that were taken to resolve it.
To keep up with the speed of cyberattackers, the unified security operations platform catches cyberthreats at machine speed and protects your organization by automatically disrupting advanced attacks. We are extending this capability to act on third-party signals, for example with SAP signals and alerts. For SIEM customers who have SAP connected, attack disruption will automatically detect financial fraud techniques and disable the native SAP and connected Microsoft Entra account to prevent the cyberattacker from transferring any funds—with no SOC intervention. The attack disruption capabilities will be further strengthened by new deception capabilities in Microsoft Defender for Endpoint—which can now automatically generate authentic-looking decoys and lures, so you can entice cyberattackers with fake, valuable assets that will deliver high-confidence, early stage signal to the SOC and trigger automatic attack disruption even faster.
Lastly, we are building on the native XDR experience by including cloud workload signals and alerts from Microsoft Defender for Cloud—a leading cloud-native application protection platform (CNAPP)—so analysts can conduct investigations that span across their multicloud infrastructure (Microsoft Azure, Amazon Web Services, and Google Cloud Platform environments) and identities, email and collaboration tools, software as a service (SaaS) apps, and multiplatform endpoints—making Microsoft Defender XDR one of the most comprehensive native XDR platforms in the industry.
Customers who operate both SIEM and XDR can add Microsoft Sentinel into their Microsoft Defender portal experience easily, with no migration required. Existing Microsoft Sentinel customers can continue using the Azure portal. The unified security operations platform is now available in private preview and will move to public preview in 2024.
Expanding Copilot for data security, identity, device management, and more
Security is a shared responsibility across teams, yet many don’t share the same tools or data—and they often don’t collaborate with one another. We are adding new capabilities and embedded experiences of Security Copilot across the Microsoft Security portfolio as part of the Early Access Program to empower all security and IT roles to detect and address cyberthreats at machine speed. And to enable all roles to protect against top security risks and drive operational efficiency, Microsoft Security Copilot now brings together signals across Microsoft Defender, Microsoft Defender for Cloud, Microsoft Sentinel, Microsoft Intune, Microsoft Entra, and Microsoft Purview into a single pane of glass.
New capabilities in Security Copilot creating a force multiplier for security and IT teams
Microsoft Purview: Data security and compliance teams review a multitude of complex and diverse alerts spread across multiple security tools, each alert containing a wealth of rich insights. To make data protection faster, more effective, and easier, Security Copilot is now embedded in Microsoft Purview, offering summarization capabilities directly within Microsoft Purview Data Loss Prevention, Microsoft Purview Insider Risk Management, Microsoft Purview eDiscovery, and Microsoft Purview Communication Compliance workflows, making sense of profuse and diverse data, accelerating investigation and response times, and enabling analysts at all levels to complete complex tasks with AI-powered intelligence at their fingertips. Additionally, with AI translator capabilities in eDiscovery, you can use natural language to define search queries, resulting in faster and more accurate search iterations and eliminating the need to use keyword query language. These new data security capabilities are also available now in the Microsoft Security Copilot standalone experience.
Secure access in the AI era: What’s new in Microsoft Entra
Microsoft Entra: Password-based attacks have increased dramatically in the last year, and new attack techniques are now trying to circumvent multifactor authentication. To strengthen your defenses against identity compromise, Security Copilot embedded in Microsoft Entra can assist in investigating identity risks and help with troubleshooting daily identity tasks, such as why a sign-in required multifactor authentication or why a user’s risk level increased. IT administrators can instantly get a risk summary, steps to remediate, and recommended guidance for each identity at risk, in natural language. Quickly get to the root of an issue for a sign-in with a summarized report of the most relevant information and context. Additionally, in Microsoft Entra ID Governance, admins can use Security Copilot to guide in the creation of a lifecycle workflow to streamline the process of creating and issuing user credentials and access rights. These new capabilities to summarize users and groups, sign-in logs, and high-risk users are also available now in the Microsoft Security Copilot standalone experience.
Fortified security and simplicity come together with Microsoft Intune
Microsoft Intune: The evolving device landscape is driving IT complexity and risk of endpoint vulnerabilities—and IT administrators play a critical security role in managing these devices and protecting organizational data. We are introducing Security Copilot embedded in Microsoft Intune in the coming weeks for select customers of the Early Access Program, marking a meaningful advancement in endpoint management and security. This experience offers unprecedented visibility across security data with full device context, provides real-time guidance when creating policies, and empowers security and IT teams to discover and remediate the root cause of device issues faster and easier. Now IT administrators and security analysts are empowered to drive better and informed outcomes with pre-deployment, AI-based guard rails to help them understand the impact of policy changes in their environment before applying them. With Copilot, they can save time and reduce complexity of gathering near real-time device, user, and app data and receive AI-driven recommendations to respond to threats, incidents, and vulnerabilities, fortifying endpoint security.
Boost multicloud security with a comprehensive code to cloud strategy
Microsoft Defender for Cloud: Maintaining a strong cloud security posture is a challenge for cybersecurity teams, as they face siloed visibility into risks and vulnerabilities across the application lifecycle, due to the rise of cloud-native development and multicloud environments. With Security Copilot now embedded in Microsoft Defender for Cloud, security admins are empowered to identify critical concerns to resources faster with guided risk exploration that summarizes risks, enriched with contextual insights such as critical vulnerabilities, sensitive data, and lateral movement. To address the uncovered critical risks more efficiently, admins can use Security Copilot in Microsoft Defender for Cloud to guide remediation efforts and streamline the implementation of recommendations by generating recommendation summaries, step-by-step remediation actions, and scripts in a preferred language, and directly delegate remediation actions to key resource users. These new cloud security capabilities are also available now in the Microsoft Security Copilot standalone experience.
Microsoft Defender for External Attack Surface Management (EASM): Keeping up with tracking assets and their vulnerabilities can be overwhelming for security teams, as it requires time, coordination, and research to understand which assets pose a risk to the organization. New Defender for EASM capabilities are available in the Security Copilot standalone experience and enable security teams to quickly gain insights into their external attack surface, regardless of where the assets are hosted, and feel confident in the outcomes. These capabilities provide security operations teams with a snapshot view of their external attack surface, help vulnerability managers understand if their external attack surface is impacted by a particular common vulnerability and exposure (CVE), and provide visibility into vulnerable critical and high priority CVEs to help teams know how pervasive they are to their assets, so they can prioritize remediation efforts.
Custom plugins to trusted third-party tools: Security Copilot provides more robust, enriched insight and guidance when it is integrated with a broader set of security and IT teams’ tools. To do so, Security Copilot must embrace a vast ecosystem of security partners. As part of this effort, we are excited to announce the latest integration now available to Security Copilot customers with ServiceNow. For customers who want to bring onboard their trusted security tools and integrate their own organizational data and applications, we’re also introducing a new set of custom plugins that will enable them to expand the reach of Security Copilot to new data and new capabilities.
Securing the use of generative AI for safeguarding your organization
As organizations quickly adopt generative AI, it is vital to have robust security measures in place to ensure safe and responsible use. This involves understanding how generative AI is being used, protecting the data that is being used or created by generative AI, and governing the use of AI. As generative AI apps become more popular, security teams need tools that secure both the AI applications and the data they interact with. In fact, 43 percent of organizations said lack of controls to detect and mitigate risk in AI is a top concern.4 Different AI applications pose various levels of risk, and organizations need the ability to monitor and control these generative AI apps with varying levels of protection.
Advanced cloud-native security with Microsoft Defender for Cloud
Microsoft Defender: Microsoft Defender for Cloud Apps is expanding its discovery capabilities to help organizations gain visibility into the generative AI apps in use, provide extensive protection and control to block risky generative AI apps, and apply ready-to-use customizable policies to prevent data loss in AI prompts and AI responses. This new feature supports more than 400 generative AI apps, and offers an easy way to sift through low- versus high-risk apps.
Microsoft Purview: New capabilities in Microsoft Purview help comprehensively secure and govern data in AI, including Microsoft Copilot and non-Microsoft generative AI applications. Customers can gain visibility into AI activity, including sensitive data usage in AI prompts, comprehensive protection with ready-to-use policies to protect data in AI prompts and responses, and compliance controls to help easily meet business and regulatory requirements. Microsoft Purview capabilities are integrated with Microsoft Copilot, starting with Copilot for Microsoft 365, strengthening the data security and compliance for Copilot for Microsoft 365.
Further, to enable customers to gain a better understanding of which AI applications are being used and how, we are announcing the preview of AI hub in Microsoft Purview. Microsoft Purview can provide organizations with an aggregated view of total prompts being sent to Copilot and the sensitive information included in those prompts. Organizations can also see an aggregated view of the number of users interacting with Copilot. And we are extending these capabilities to provide insights for more than 100 of the most commonly used consumer generative AI applications, such as ChatGPT, Bard, DALL-E, and more.
Expanding end-to-end security for comprehensive protection everywhere
Keeping up with daily protection requirements is a security challenge that can’t be ignored—and the struggle to stay ahead of cyberattackers and safeguard your organization’s data is why we’ve designed our security features to evolve with the digital threat landscape and provide comprehensive protection against cyberthreats.
Strengthen your code-to-cloud defenses with Microsoft Defender for Cloud. To cope with the complexity of multicloud environments and cloud-native applications, security teams need a comprehensive strategy that enables code-to-cloud defenses on all cloud deployments. For posture management, the preview of Defender for Cloud’s integration with Microsoft Entra Permissions Management helps you apply the least privilege principle for cloud resources and shows the link between access permissions and potential vulnerabilities across Azure, AWS, and Google Cloud. Defender for Cloud also has an improved attack path analysis experience, which helps you predict and prevent complex cloud attacks—and provides more insights into your Kubernetes deployments across Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE) clusters and APIs insights to prioritize cloud risk remediation.
To strengthen security throughout the application lifecycle, the preview of the GitLab Ultimate integration gives you a clear view of your application security posture and simplifies code-to-cloud remediation workflows across all major developer platforms (GitHub, Azure DevOps, and GitLab) within Defender for Cloud. Additionally, Defender for APIs is now generally available; it offers machine learning-driven protection against API threats and agentless vulnerability assessments for container images in Microsoft Azure Container Registries. Defender for Cloud now offers a unified vulnerability assessment engine spanning all cloud workloads, powered by the strong capabilities of Microsoft Defender Vulnerability Management.
MDTI: Now Anyone Can Tap Into Game-Changing Threat Intelligence
Leverage Microsoft Defender Threat Intelligence for elevating your threat intelligence. Available in Microsoft Defender XDR, Microsoft Defender Threat Intelligence offers valuable open-source intelligence and internet data sets found nowhere else. These capabilities now enhance Microsoft Defender products with crucial context around threat actors, tooling, and infrastructure at no additional cost to customers. Available in the Threat Intelligence blade of Defender XDR, Detonation Intelligence enables users to search, look up, and contextualize cyberthreats as well as detonate URLs and view results to quickly understand a malicious file or URL. Defender XDR customers can quickly submit an indicator of compromise (IoC) to immediately view the results. Vulnerability Profiles put intelligence collected from the Microsoft Threat Intelligence team about vulnerabilities all in one place. Profiles are updated when new information is discovered and contain a description, Common Vulnerability Scoring System (CVSS) scores, a priority score, exploits, and deep and dark web chatter observations.
Use Microsoft Purview to extend data protection capabilities across structured and unstructured data types. In the past, securing and governing sensitive data across these diverse elements of your digital estate would have required multiple providers, adding a heavy integration tax. But today, with Microsoft Purview, you can gain visibility across your entire data estate, secure your structured and unstructured data, and detect risks across clouds. Microsoft Purview’s labeling and classification capabilities are expanding beyond Microsoft 365, offering access controls for both structured and unstructured data types. Users will have the ability to discover, classify, and safeguard sensitive information hosted in structured databases such as Microsoft Azure SQL and Azure Data Lake Storage (ADLS)—also extending these capabilities into Amazon Simple Storage Service (S3) buckets.
Detect insider risk with Microsoft Purview Insider Risk Management, which offers ready-to-use risk indicators to detect critical insider risks in Azure, AWS, and SaaS applications, including Box, Dropbox, Google Drive, and GitHub. Admins with appropriate permissions will no longer need to manually cross-reference signals in these environments. They can now utilize the curated and preprocessed indicators to obtain a more holistic view of a potential insider incident.
Simplify access security with Microsoft Entra. Securing access points is critical and can be complex when using multiple providers for identity management, network security, and cloud security. With Microsoft Entra, you can centralize all your access controls together to more fully secure and protect your environment. Microsoft’s Security Service Edge solution is expanding with several new features.
By the end of 2023, Microsoft Entra Internet Access preview will include context-aware secure web gateway (SWG) capabilities for all internet apps and resources with web content filtering, Conditional Access controls, compliant network check, and source IP restoration.
Microsoft Entra Private Access for private apps and resources has extended protocol support so you can seamlessly transition from your traditional VPN to a modern Zero Trust Network Access (ZTNA) solution, and the ability to add multifactor authentication to all private apps for remote and on-premises users.
Now with auto-enrollment into Microsoft Entra Conditional Access policies you can enhance security posture and reduce complexity for securing access. Easily create and manage a passkey, a free phishing-resistant credential based on open standards, in the Microsoft Authenticator app for signing into Microsoft Entra ID-managed apps.
Promote enforcement of least-privilege access for cloud resources with new integrations for Microsoft Entra Permissions Management. Permissions Management has a new integration with ServiceNow that enables organizations to incorporate time-bound access permission requests to existing approval workflows in ServiceNow.
Unify, simplify, and delight users with the Microsoft Intune Suite. We’re adding three new solutions to the Intune Suite, available in February 2024. These solutions further unify critical endpoint management workloads in Intune to fortify device security posture, power better experiences, and simplify IT and security operations end-to-end. We will also be able to offer these solutions coupled with the existing Intune Suite capabilities to agencies and organizations of the Government Community Cloud (GCC) in March 2024.
Microsoft Cloud PKI offers a comprehensive, cloud-based public key infrastructure and certificate management solution that simplifies creating, deploying, and managing certificates for authentication, Wi-Fi, and VPN endpoint scenarios.
Microsoft Intune Advanced Analytics extends the Intune Suite anomaly detection capabilities and provides deep device data insights as well as battery health scoring for administrators to proactively power better, more secure user experiences and productivity improvements.
Partner opportunities and news
There are several partners participating in our engineer-led Security Copilot Partner Private Preview to validate usage scenarios and provide feedback on functionality, operations, and APIs to assist with extensibility. If you are joining us in person at Microsoft Ignite, watch the demos at the Customer Meet-up Hub, presented by Microsoft Intelligent Security Association (MISA) members sponsoring at Microsoft Ignite. And if you’re a partner interested in staying current, join the Security Copilot Partner Interest Community.
Join us in creating a more secure future
Embracing innovation has never been more important for an organization, not only with respect to today’s cyberthreats but also in anticipation of those to come. Recently, to create a more secure future, we launched the Secure Future Initiative—a new initiative to pursue our next generation of cybersecurity protection.
Microsoft Ignite 2023
Join Vasu Jakkal and Charlie Bell at Microsoft Ignite to watch "the Future of Security and AI" on November 16, 2023, at 10:15 AM PT.
AI is changing our world forever. It is empowering us to achieve the impossible and it will usher in a new era of security that favors security teams. Microsoft is privileged to be a leader in this effort and committed to a vision of security for all.
Learn more
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as Twitter) (@MSFTSecurity) for the latest news and updates on cybersecurity.
Summary
The Microsoft Security Response Center (MSRC) was made aware of a vulnerability where Azure Command-Line Interface (CLI) could expose sensitive information, including credentials, through GitHub Actions logs. The researcher, from Palo Alto’s Prisma Cloud, found that Azure CLI commands could be used to show sensitive data and output to Continuous Integration and Continuous Deployment (CI/CD) logs.
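One defensive measure against the exposure described above is to never echo raw Azure CLI JSON into a job log: redact secret-bearing values first and register them as masked with the GitHub Actions runner. The following is an added example, not code from MSRC or the Azure CLI project; the key-name heuristic and the sample app-settings output are constructed for illustration.

```python
"""
Redact credential-shaped values from Azure CLI JSON output before a CI step
prints it, and emit GitHub Actions ``::add-mask::`` workflow commands so the
runner scrubs any later occurrence of those values from the job log.
Added example; the sensitive-key regex and sample data are assumptions.
"""
import json
import re
from typing import Any

# Heuristic: setting names that usually carry credentials. Not an official list.
SENSITIVE_KEY_RE = re.compile(
    r"(secret|password|passwd|pwd|token|connectionstring|accountkey|"
    r"apikey|api_key|credential|primarykey|secondarykey)",
    re.IGNORECASE,
)
REDACTED = "***REDACTED***"

# Constructed sample shaped like ``az webapp config appsettings list`` output.
SAMPLE_OUTPUT = json.dumps([
    {"name": "WEBSITE_RUN_FROM_PACKAGE", "slotSetting": False, "value": "1"},
    {"name": "DbPassword", "slotSetting": False,
     "value": "example-db-password-123"},
    {"name": "StorageConnectionString", "slotSetting": False,
     "value": "DefaultEndpointsProtocol=https;AccountName=example;"
              "AccountKey=EXAMPLEKEY==;"},
])


def is_sensitive_key(name: str) -> bool:
    """True when a key or setting name looks like it holds a credential."""
    return bool(SENSITIVE_KEY_RE.search(name))


def redact(obj: Any, found: list[str], name_hint: str = "") -> Any:
    """Return a copy of ``obj`` with credential-like string leaves replaced.

    Azure CLI app-settings output uses {"name": ..., "value": ...} records,
    so a sibling "name" decides whether the "value" field is sensitive.
    Every replaced value is appended to ``found`` for masking.
    """
    if isinstance(obj, dict):
        hint = obj["name"] if isinstance(obj.get("name"), str) else name_hint
        out = {}
        for key, val in obj.items():
            sensitive = is_sensitive_key(key) or (
                key == "value" and is_sensitive_key(hint)
            )
            if isinstance(val, str) and val and sensitive:
                found.append(val)
                out[key] = REDACTED
            else:
                out[key] = redact(val, found, hint)
        return out
    if isinstance(obj, list):
        return [redact(item, found, name_hint) for item in obj]
    return obj


def mask_commands(values: list[str]) -> list[str]:
    """Build GitHub Actions workflow commands that mask each value in the log.

    The runner matches masked values line by line, so multi-line secrets are
    registered one line at a time.
    """
    cmds = []
    for value in values:
        for line in value.splitlines():
            if line.strip():
                cmds.append(f"::add-mask::{line}")
    return cmds


def process_cli_output(raw_json: str) -> tuple[str, list[str]]:
    """Return (redacted JSON text, mask commands) for one CLI invocation."""
    found: list[str] = []
    clean = redact(json.loads(raw_json), found)
    return json.dumps(clean, indent=2), mask_commands(found)


if __name__ == "__main__":
    clean_text, commands = process_cli_output(SAMPLE_OUTPUT)
    # Mask commands must be printed before anything that could contain the
    # secret; the runner only scrubs output that appears after them.
    for cmd in commands:
        print(cmd)
    print(clean_text)
```

In a workflow, pipe the CLI output through this script instead of printing it directly, and keep the mask step ahead of any step that logs the values.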
We are pleased to announce the security review for Microsoft Edge, version 119!
We have reviewed the new settings in Microsoft Edge version 119 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 117 security baseline continues to be our recommended configuration, which can be downloaded from the Microsoft Security Compliance Toolkit.
Microsoft Edge version 119 introduced 8 new computer settings and 3 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.
As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.
At the CYBERWARCON 2023 conference, Microsoft and LinkedIn analysts are presenting several sessions detailing analysis across multiple sets of threat actors and related activity. This blog is intended to summarize the content of the research covered in these presentations and demonstrates Microsoft Threat Intelligence’s ongoing efforts to track threat actors, protect customers, and share information with the wider security community.
Reactive and opportunistic: Iran’s role in the Israel-Hamas war
This presentation compares and contrasts activity attributed to Iranian groups before and after the October 7, 2023 start of the Israel-Hamas war. It highlights a number of instances where Iranian operators leveraged existing access, infrastructure, and tooling, ostensibly to meet new objectives.
With the physical conflict approximately one month old, this analysis offers early conclusions in a rapidly evolving space, specific to observed Iranian actors, such as those linked to Iran’s Ministry of Intelligence and Security (MOIS) and Islamic Revolutionary Guard Corps (IRGC). While the presentation details attack techniques observed in specific regions, Microsoft is sharing this information to inform and help protect wider organizations around the world facing attack methods similar to those used by Iranian operators, such as social engineering methods for deceiving victims, and exploitation of vulnerable devices and sign-in credentials.
First, Microsoft does not see any evidence suggesting Iranian groups (IRGC and MOIS) had coordinated, pre-planned cyberattacks aligned to Hamas’ plans and the start of the Israel-Hamas war on October 7. Although media and other public accounts may suggest that Iran played an active role in planning the October 7 physical attacks on Israel, Microsoft data tells a different part of the story.
Observations from Microsoft telemetry suggest that, at least in the cyber domain, Iranian operators have largely been reactive since the war began, exploiting opportunities to try to take advantage of events on the ground as they unfold. It took 11 days from the start of the ground conflict before Microsoft saw Iran enter the war in the cyber domain. On October 18, 2023, Microsoft observed the first of two separate destructive attacks targeting infrastructure in Israel. While online personas controlled by Iran exaggerated the claims of impact from these attacks, the data suggests that both attacks were likely opportunistic in nature. Specifically, operators leveraged existing access or acquired access to the first available target. Further, the data shows that, in the case of a ransomware attack, Iranian actors’ claims of impact and precision targeting were almost certainly fabricated.
Second, Microsoft observes Iranian operators continuing to employ their tried-and-true tactics, notably exaggerating the success of their computer network attacks and amplifying those claims and activities via a well-integrated deployment of information operations. This is essentially creating online propaganda seeking to inflate the notoriety and impact of opportunistic attacks, in an effort to increase their effects. For example, Microsoft observed Iranian actors compromising connected webcams and framing the activity as more strategic, claiming they targeted and successfully compromised cameras at a specific Israeli military installation. In reality, the compromised cameras were located at scattered sites outside any one defined region. This suggests that despite Iran actors’ strategic claims, this camera example was ultimately a case of adversaries continuing to opportunistically discover and compromise vulnerable connected devices and try to reframe this routine work as more impactful in the context of the current conflict.
Third, Microsoft recognizes that, as more physical conflicts around the world spur cyber operations of varying levels of sophistication, this is a rapidly evolving space requiring close monitoring to assess potential escalations and impact on wider industries, regions, and customers. Microsoft Threat Intelligence anticipates Iranian operators will move from a reactive posture to more proactive activities the longer the current war plays out and continue to evolve their tactics in pursuit of their objectives.
The digital reality: A surge on critical infrastructure
In this presentation, Microsoft Threat Intelligence experts walk the audience through the timeline of Microsoft’s discovery of Volt Typhoon, a threat actor linked to China, and the adversary group’s activity observed against critical infrastructure and key resources in the U.S. and its territories, such as Guam. The presentation highlights some of the specific techniques, tactics, and procedures (TTPs) Volt Typhoon uses to carry out its operations. The talk features insights on how Microsoft tracked the threat actor and assessed that Volt Typhoon’s activity was consistent with laying the groundwork for use in potential future conflict situations. These insights show the backstory of threat intelligence collection and analysis, leading to Microsoft’s May 2023 blog on Volt Typhoon, sharing the actor’s reach and capabilities with the community.
At CYBERWARCON, Microsoft provides an update on Volt Typhoon activity, highlighting shifts in TTPs and targeting since Microsoft released the May blog post. Specifically, Microsoft sees Volt Typhoon trying to improve its operational security and stealthily attempting to return to previously compromised victims. The threat actor is also targeting university environments, for example, in addition to previously targeted industries. In this presentation, Microsoft experts compare their Volt Typhoon analysis with third-party research and studies of China’s military doctrine and the current geopolitical climate. This adds additional context for the security community on possible motivations behind the threat actor’s current and future operations.
Microsoft also describes gaps and limitations in tracking Volt Typhoon’s activity and how the security community can work together to develop strategies to mitigate future threats from this threat actor.
“You compile me. You had me at RomCom.” – When cybercrime met espionage
For many years, the security community has watched various Russian state-aligned actors intersect with cybercrime ecosystems to varying degrees and with different purposes. At CYBERWARCON 2022, Microsoft discussed the development of a never-before-seen “ransomware” strain known as Prestige by Seashell Blizzard (IRIDIUM), a group reported to be comprised of Russian military intelligence officers. The cyberattack, disguised as a new “ransomware” strain, was meant to cause disruption while providing a thin veneer of plausible deniability for the sponsoring organization.
This year at CYBERWARCON, Microsoft experts profile a different threat actor, Storm-0978, which emerged in early 2022 as credibly conducting both cybercrime operations and espionage/enablement operations benefiting Russia’s military and other geopolitical interests, with possible ties to Russian security services. The duality of this Storm-0978 adversary’s activity, intersecting with both crime and espionage, leads to questions Microsoft is engaging conference attendees in exploring. Is Storm-0978 a cybercrime group conducting espionage, or a government-sponsored espionage group conducting cybercrime? Why are we seeing the confluence of what historically have been separate crime and geopolitical objectives? Is this duality in some way a reflection of Russia becoming limited in its ability to scale wartime cyber operations? Is Russia activating cybercriminal elements for operations in order to provide a level of plausible deniability for future destructive attacks? The Ukraine war has illustrated that Russia has likely had to activate other capabilities on the periphery. Storm-0978 is one probable example where it’s clear that other elements have been co-opted to achieve objectives of both a wartime environment and strategic landscape, either to achieve effects-led operations or prepositioning.
Microsoft’s extensive insight on the ransomware economy and other cybercrime trends, coupled with experience tracking Russian nation-state adversaries, allows for presenting this profile of the Storm-0978 actor at CYBERWARCON, which Microsoft hopes will be further enriched and analyzed by the wider security community’s experiences, data sets and conclusions.
A LinkedIn update on combating fake accounts
This presentation focuses on what LinkedIn’s Threat Prevention and Defense team has learned from its investigations of cyber mercenaries, also referred to as private-sector offensive actors (PSOAs), on the platform. The focus of this presentation is on Black Cube (Microsoft tracks this actor as Blue Tsunami), a well-known mercenary actor, and what we’ve learned about how they attempt to operate on LinkedIn. The discussion includes insights on how Black Cube has previously leveraged honeypot profiles, fake jobs, and fake companies to engage in reconnaissance or human intelligence (HUMINT) operations against targets with access to organizations of interest and/or concern to Black Cube’s clients.
Further reading
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on X at https://twitter.com/MsftSecIntel.
To understand why customers are adopting generative AI solutions like Microsoft Security Copilot, we have to go back to the cyberthreat landscape—which continues to get more challenging. Organizations are facing a surge in cyberattacks while also dealing with a global shortage of security talent. In only the past 12 months, Microsoft has seen password attacks more than triple to more than 4,000 per second.1 And, if an organization falls victim to a phishing attack, it now only takes an attacker an average of 72 minutes to access private data. Add on the global shortage of 3.4 million skilled cybersecurity experts and many organizations are left feeling vulnerable and under protected.2
Generative AI: The game changer in cybersecurity
To tip the scales in favor of safety and security, we need to augment the work of our skilled security professionals. Human ingenuity and expertise will always be irreplaceable components of defense, but we need technology to expand the skill sets of our security teams with the lightning-fast processing speeds, rapid pattern recognition, and continual improvements of generative AI. By detecting hidden patterns and sharing informed responses back at machine speed—while always adhering to the latest, most advanced security practices—generative AI can help us regain an advantage against cybercriminals. AI provides near real-time visibility and context for potential threats, helping us investigate and mitigate threats faster. When we utilize solutions that incorporate generative AI, teams can become more effective and efficient, using natural language prompts rather than complex queries, and collaborate more easily with shared skills. Early preview customers of Microsoft Security Copilot agree.
Microsoft Security Copilot
Powerful new capabilities, new integrations, and industry-leading generative AI—now available in early access.
Early customers report Microsoft Security Copilot saves time
Greg Peterson, Senior Director of Security, Technology, and Operations at Avanade, shares the challenges his organization faces today and how Microsoft Security Copilot can help by empowering senior analysts, junior analysts, and even interns to get ahead of potential security threats.
“For senior analysts, Security Copilot might give them a different and new way to look at a problem. But for our more junior analysts, it’s really going to help bridge the skills gap—especially as we build more curated prompt playbooks and learn how to use those tools,” Peterson explained.
Beyond generative AI, our end-to-end security, identity, compliance, and privacy solutions allow us to cover more cyberthreat vectors and deliver more value with a coordinated, comprehensive customer experience across the entire digital estate. By embracing generative AI and simplifying otherwise complex toolsets, we help organizations gain an advantage against cyberattackers and allow them to refocus precious security resources on more important business tasks, like innovation. In our preview of Microsoft Security Copilot, customers reported saving up to 40 percent of their security analysts’ time on foundational tasks like investigation and response, threat hunting, and threat intelligence assessments.3 And on more mundane tasks like preparing reports or troubleshooting minor issues, Security Copilot delivered gains in efficiency up to and above 60 percent.3 But the most promising data coming out of our early research is not the numbers, but what customers can do with these gains in efficiency and time saved.
Upskilling with Security Copilot: Empowering junior security analysts
Our preview research data suggests that Security Copilot can enable junior security analysts, including Tier 1 and 2 team members, to take on tasks that were previously reserved for Tier 3 and 4 security professionals. To test this hypothesis, we asked our own Microsoft security operations center (SOC) analysts to evaluate the output of Security Copilot on tasks like incident summarization, script analysis, incident reporting, query assistance, and guided response. The results were impressive: experienced practitioners equated Security Copilot outputs to those of mid- to expert-level human analysts, particularly for tasks such as incident summarization, script analysis, and query assistance. This means that any analyst can use natural language prompts to initiate and perform tasks that they may not have a lot of experience or expertise in, and the outputs of Security Copilot will help them both accomplish the right results immediately and, more importantly, help them develop those critical skills for long-term use. With Security Copilot, your team can accomplish a lot more with the resources you already have.
The impact of Security Copilot on your organization
Microsoft Security Copilot is more than just an AI-powered, large language model working with your security technology. It builds on the latest innovation in large language models and uniquely goes beyond that, harnessing the foundational power of Microsoft’s security expertise, global threat intelligence, and technologies to deliver massive efficiency gains for the most vital security use cases. When you submit a prompt, Security Copilot improves it with the security-specific system built on deep Microsoft Security knowledge and continuous learning. Your prompt is enriched with the end-to-end Microsoft Security product portfolio and fresh threat intelligence informed by Microsoft’s 65 trillion signals and human intelligence.1 Finally, it translates the response according to your prompt instructions, taking the form of text or code that helps you see the full context of an incident, the impact, and the next steps you should take to deepen understanding or to take direct action for remediation and defense hardening.
Security Copilot is an AI assistant for daily operations in security and IT that can help organizations:
Outpace adversaries—Security Copilot helps analysts respond to and remediate incidents faster. The increased speed and efficiency of generative AI lets analysts refocus on critical security tasks, including more time spent on proactive initiatives like implementing Zero Trust principles.
Strengthen team expertise—Security Copilot helps junior security analysts complete more complex tasks with skills like natural language to Kusto Query Language (KQL) translation and malicious script analysis.
Simplify the complex—Analysts no longer need to write complex scripts or KQL. They can simply ask questions in English and Security Copilot understands the context, sets the plan in motion, and writes the script. This saves time, exposes junior security analysts to more complex skills, and yields gains in productivity for organizations.
Catch what others miss—Because Security Copilot uses generative AI to analyze data from many sources—including Microsoft Security products and Microsoft’s unrivaled threat intelligence—it can also help analysts catch what they might otherwise miss.
Cut through the noise—Despite a poor signal-to-noise ratio, Security Copilot synthesizes data and detects “important” signals better than ever before, allowing security and IT professionals to access, summarize, and act on insights from their tools faster.
Broaden the hiring pool—Because of the upskilling potential, Security Copilot allows Tier 1 analysts to complete more complex tasks, which means organizations can recruit and develop talent from a broader, more diverse resource pool.
Lean into the AI era
At this year’s Microsoft Ignite, from November 14 to 17, 2023, learn how to lean into the AI era and protect your people, data, devices, and apps across clouds and platforms. We plan to share more big news about Security Copilot and more innovations—including new integrations to support a broader set of use cases. Join our free digital online experience to watch Scott Guthrie’s (Microsoft Executive Vice President, Cloud and AI) keynote titled AI transformation for your organization with the Microsoft Cloud. And catch Rob Lefferts’ (Corporate Vice President, Microsoft Threat Protection) breakout session titled Unifying XDR + SIEM: A new era in SecOps to supercharge your threat detection, response, and defense. For news on what’s next with generative AI and Microsoft Security Copilot, sign up for email updates.
Thousands of security professionals will join us for Microsoft Ignite from November 14 to 17, 2023, where we will share how to embrace the AI era confidently, with protection for people, data, devices, and apps that extends across clouds and platforms. With more than 45 security sessions, there are many exciting keynotes, breakouts, and demonstrations to fill your time. To help you navigate the Microsoft Security experience at Microsoft Ignite, we’ve put together a guide of featured sessions for security professionals of all levels, whether you’re attending in person or online.
While our in-person tickets have sold out, registration for the virtual event is still available to participate in the Microsoft Security experience at Microsoft Ignite, which includes sessions on security strategies and practical applications. In both tracks, you’ll learn about the latest innovations and implementation strategies from Microsoft Security across comprehensive security, unified visibility, and Microsoft Security Copilot. Keep reading this blog post for ideas on keynotes, breakout sessions, and discussions to check out. Register to browse our session catalog and bookmark sessions you’d like to attend.
Catch the news highlights during our keynote
Start your day with our announcement-packed keynote from Charlie Bell, Executive Vice President, Microsoft Security, and Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity, and Management, Microsoft. Don’t miss insights from them during their keynote, “The Future of Security with AI.” They will share how Microsoft is delivering AI for security with Microsoft Security Copilot, and how we enable organizations to secure and govern AI with new capabilities. This new era of AI offers unprecedented opportunities to elevate human potential but also challenges organizations with unknowns and risks.
Learn security strategies for today’s and tomorrow’s challenges
Our cybersecurity strategy sessions are focused on equipping you to leverage AI and Microsoft Security solutions to strengthen your threat defense strategy. Join these sessions to take your strategies to the next level across identity protection, code-to-cloud approaches, industry best practices for AI, and the latest learnings in threat intelligence.
Strategy sessions to consider joining include:
“How we secure the Microsoft estate” (BRK291H: in-person and online): Join a fireside chat with Bret Arsenault, Corporate Vice President and Chief Information Security Officer, on Microsoft’s approach to security and how Microsoft plans to adapt as the industry continues to embrace the new era of AI.
“Boosting ID Protection Amid Sophisticated Attacks” (BRK294H: in-person and online): Alex Weinert, Vice President, Identity Security, and Mia Reyes, Director, Foundational Security—Cybersecurity, will offer a deep dive into the escalating landscape of cyberthreats targeting digital identities amid the evolving tech realms of the Internet of Things, operational technology, and hybrid workspaces. Learn about innovation in automated key management and Hardware Security Modules for fortified key storage, crucial in mitigating human errors and bolstering defenses against sophisticated aggressors.
“This Year In Threats: Tales From Microsoft’s Global Fight Against APTs” (BRK299: in-person only): Sherrod DeGrippo, Director of Threat Intelligence, and John Lambert, Corporate Vice President, Distinguished Engineer, Microsoft Security Research, will discuss how Microsoft defends customers at the nexus of the cyber and physical worlds and how they can join our global alliance to help give bad actors nowhere to hide. This year, Microsoft Threat Intelligence stood with its partners on the leading edge of the global response to the most impactful threats and incidents. In this session, look back at the threat actors and campaigns that defined 2023 and hear our experts tell their favorite stories from the front line.
“Secure access in the AI era: What’s new in Microsoft Entra” (BRK297H: in-person and online): Jade D’Souza, Product Manager; John Savill, Cloud Solution Architect; and Joy Chik, President, Identity and Network Access, will offer details on innovations for Microsoft Entra ID (formerly Azure Active Directory) that can help you automatically prevent identity compromise, enforce granular access policies, govern permissions, and leverage AI to secure access for anyone to anything from anywhere. This demo-centric session will follow an employee as they onboard, access resources, and collaborate.
“Unifying XDR + SIEM: A new era in SecOps” (BRK293H: in-person and online): Preeti Krishna, Principal Product Manager, and Rob Lefferts, Corporate Vice President, Microsoft Threat Protection, will offer insights on how the latest innovations in generative AI, automatic attack disruption, embedded threat intelligence, decoy assets, a reimagined user interface, and cloud posture management capabilities will supercharge your threat detection, response, and defense.
“Secure and govern your data in the era of AI” (BRK296H: in-person and online): Erin Miyake, Principal Product Manager; Herain Oberoi, Marketing Leader; Tina Ying, Senior Product Marketing Manager, Insider Risk Management; and Rudra Mitra, Corporate Vice President, Microsoft Data Security and Compliance, will demonstrate how Microsoft Purview’s comprehensive approach to data security, compliance, and privacy helps empower organizations to protect and govern their data.
“Security for AI: Prepare, protect, and defend in the AI era” (BRK298H: in-person and online): Douglas Santos, Senior Product Manager; Maithili Dandige, Partner Group Program Manager, Microsoft 365 Security and Compliance; and Shilpa Bothra, Senior Product Marketing Manager, will discuss the importance of preventing sensitive data leaks in AI as third-party AI apps grow exponentially and hackers continue to launch adversarial attacks using generative AI. Leave this session with a solid defense and ways to secure data as you interact with AI using Microsoft’s comprehensive security suite.
Gain practical applications with in-depth product views
When strategizing a security approach, technology solutions play a critical role. To help you become an expert on security solutions and implement new features within your organization, Microsoft Ignite will include sessions exploring the use cases of Microsoft solutions, including Security Copilot, Microsoft Entra, Microsoft Purview, and Microsoft Intune.
Practical application sessions to consider joining include:
“Boost multicloud security with a comprehensive code to cloud strategy” (BRK261H: in-person and online): Safeena Begum, Principal Product Manager, and Yuri Diogenes, Principal Product Manager, will talk about how Microsoft Defender for Cloud can help you fortify your defenses and enhance your incident response strategy with cloud security graphic insights and tailored analytics from Defender for Cloud workload protection plans.
“Fortified security and simplicity come together with Microsoft Intune” (BRK263H: in-person and online): Archana Devi Sunder Rajan, Partner Group Product Manager, Microsoft Intune; Dilip Radhakrishnan, Partner Group Product Manager, Microsoft Intune; Jason Roszak, Chief Product Officer, Microsoft Intune; and Sangeetha Visweswaran, Partner Director of Engineering, will discuss how the next generation of endpoint management and security capabilities from Microsoft Intune help transform security and IT operations. Learn how to simplify app updates, cut the cost of public key infrastructure lifecycle management, mitigate risks with AI-derived insights, and free up resources by automating IT workflows.
“Modern management innovation shaping endpoint security” (BRK295H: in-person and online): Jeff Pinkston, Director of Engineering; Ramya Chitrakar, Corporate Vice President, Intune Engineering; and Steve Dispensa, Corporate Vice President, will explore how to defend against the evolving sophistication of cyberthreats while ensuring a productive workforce. The newest wave of Microsoft Intune innovation can shape your defense-in-depth strategy for a secure and productive end user computing estate.
“Beyond traditional DLP: Comprehensive and AI-powered data security” (BRK262H: in-person and online): Maithili Dandige, Shilpa Bothra, and Talhah Mir, Product Manager, will share how AI-powered Microsoft Purview Information Protection and Microsoft Purview Insider Risk Management can transform your data loss prevention (DLP) program, enabling Adaptive Protection and fortifying your data security posture. You will also hear about new features that enhance incident response and expand endpoint coverage, and gain insights on how to enhance your data security strategy.
“How Microsoft Purview helps you protect your data” (OD07: online only): Anna Chiang, Senior Product Marketing Manager, and Tony Themelis, Principal Product Manager, will explore organizational paradoxes and how Microsoft Purview can help strengthen your data security posture. They will also demonstrate how our latest AI-powered and contextual classifiers can identify sensitive trade secrets, personally identifiable information, and more in seconds across your digital estate.
“Effortless application migration using Microsoft Entra ID” (OD03: online only): David Gregory, Director of Product Marketing, Identity Compete, will share how our newly proposed tool supplies a one-click configuration to integrate applications into Microsoft Entra ID. During this on-demand session, we will provide an overview of how our tool offers a guided experience to seamlessly facilitate the migration of your applications from Active Directory Federation Services to Microsoft Entra ID.
“Bringing Passkey into your Passwordless journey” (OD02: online only): Calvin Lui, Product Manager; Erik Dauner, Senior Program Manager; and Mayur Santani, Product Manager, walk you through the background of where passkeys came from, their impact on the passwordless ecosystem, and the product features and roadmap bringing passkeys into the Microsoft Entra passwordless portfolio and phishing-resistant strategy.
“The power of Microsoft’s XDR: they attempted, we disrupted” (BRK265H: in-person and online): Dustin Duran, Director of Security Research, and Kim Kischel, Director of Product Marketing—XDR, will discuss Microsoft 365 Defender’s automatic attack disruption technology and give you a clear understanding of attack disruption and how it’s providing immediate value to customers in the real world today.
“Making end-to-end security real” (BRK267H: in-person and online): Mark Simos, Lead Cybersecurity Architect, and Sarah Young, Senior Cloud Security Advocate, will share quick wins that solve real-world problems using Microsoft’s integrated security products. This session will show you how to make progress on end-to-end security across identity, security operations, and more.
Interact with the experts
Bring your questions about Microsoft solutions. Our experts have answers. Connect with them during live discussions to learn more.
Opportunities to interact with the experts include:
“Windows 11, Windows 365, & Microsoft Intune Q&A” (DIS657H: in-person and online): Gabe Frost, Group Product Manager; Harjit Dhaliwal, Senior Product Marketing Manager; Jason Githens, Principal Group Product Manager; and Joe Lurie, Senior Product Manager, will participate in a collaborative question and answer session about where we are today with Windows 11 and device management—and what you need to propel your organization and IT strategies. We’ll quickly outline a few of the latest commercial enhancements, but the focus here is on your thoughts and questions.
“Preventing loss of sensitive data: Microsoft Purview DLP Q&A” (DIS666H: in-person and online): Shekhar Palta, Principal Product Marketing Manager, and Shilpa Bothra will discuss Microsoft Purview DLP and the way it can prevent accidental or intentional loss of sensitive data across apps and devices. Join us to discuss how you can modernize your DLP and get started quickly, and learn how DLP works with Microsoft Defender products.
“Panel discussion: Resilient. Compliant. Secure by default” (DISFP375: online only): Joyce Purser, Global Lead, Field Cybersecurity, Veritas Technologies; Saurabh Sensharma, Principal Product Manager, Microsoft; Simon Jelley, General Manager for SaaS Protection, Endpoint and Backup Executive, Veritas Technologies; and Tim Burlowski, Senior Director of Product Management, Veritas Technologies, will discuss security strategies. Join Veritas experts for an interactive question and answer on ensuring your cloud applications are resilient and your data is protected, compliant, and recoverable when it matters most.
Socialize with us and your peers
As you’ve probably experienced yourself at previous conferences and business networking events, some of the best ideas are sparked during conversations with other security professionals. Get social and join us and your cybersecurity peers at two incredible networking events.
The Lounge at Microsoft Ignite: Located in the Hub on Level 5 (Summit Convention Center), the Lounge is the main gathering area for community. The Lounge will be staffed by Microsoft full time employees and attending Most Valuable Professionals (MVPs) to provide continuous question and answer opportunities.
Microsoft Ignite Security After Party: Network and connect over drinks and appetizers on Wednesday, November 15, 2023, at The Collective. Partners, customers, Microsoft MVPs, and Microsoft subject-matter experts will mix and mingle. Register to reserve your spot.
Register today for Microsoft Ignite
Join us online from anywhere from November 15 to 16, 2023, to hear major product announcements, inspiring messages, and expert insights on the future of cybersecurity and Microsoft solutions. And if you’re not able to participate at all this year, you can still check out plenty of session content, product announcements, and keynotes after Microsoft Ignite wraps up. It will be available on demand after the event. Reserve your spot today. Hope you can join us!
Join the Security Tech Accelerator
We’re also having a Tech Accelerator event on Wednesday, December 6, 2023. Ask questions about the latest product announcements from Ignite and connect with your security peers at this virtual skilling event hosted on the Security Tech Community—register today.
Learn more
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as Twitter) (@MSFTSecurity) for the latest news and updates on cybersecurity.
Extending our commitment to help customers be secure by default, today we’re announcing the auto-rollout of Microsoft Entra Conditional Access policies that will automatically protect tenants based on risk signals, licensing, and usage.
We’ve designed these policies based on our deep knowledge of the current cyberthreat landscape to help our customers strengthen their security baseline, and we’ll adapt them over time to keep the security bar high. These policies are part of a broader initiative to strengthen security, which includes key engineering advances.
This blog post explains why we decided to create these policies, how they work, how they differ from security defaults, and what Microsoft Entra customers can expect as we roll them out.
Buckle up, we’re going for a ride. I have a great security story to share—about multifactor authentication, seat belts, radical ideas, and the pit of success.
Ten years ago, in 2013, we had just started the identity security team and had a radical idea: We changed the policy in our Microsoft account ecosystem (the consumer identity system behind things like Outlook.com, Skype, Xbox, and OneDrive) to require a multifactor authentication factor for every single account. Today, 100 percent of consumer Microsoft accounts older than 60 days have multifactor authentication—and it’s been this way for 10 years. We give accounts 60 days to meet this policy requirement, then we block sign-ins until the user adds a strong authentication factor.
This move caused a huge stir. Many of the teams within Microsoft that relied on consumer identity were convinced multifactor authentication would add too much friction. They feared users would hate it. Pundits predicted catastrophe, but by virtually all metrics, the multifactor authentication requirement was a smashing success. Because we could safely challenge suspicious sign-ins, Microsoft account hacking plummeted by more than 80 percent, and good user recovery increased from 57 percent to 81 percent when accounts were hacked.
Securing an email or phone number to use as a multifactor authentication factor raised costs for fraudsters enough that synthetic account creation plummeted by 99 percent. Before we enacted this policy, users who forgot their passwords recovered their accounts at a rate of only 16 percent. Under the new policy, unaided password recovery jumped to more than 90 percent. And the policy didn’t drive customers away. In fact, the multifactor authentication policy had such a positive effect on integrity, security, and recoverability that customer retention improved by more than 5 percent. Good security reduces friction.
When Microsoft account joined forces with the team responsible for Microsoft Entra ID (formerly Azure Active Directory) late in 2014, we sought to replicate the success of this consumer-focused program. But we found the going much harder in the commercial space because we weren’t in control of account policies—customers were. Not only did identity admins fear user friction the way we had, but they were also grappling with budget constraints and talent shortages, as well as security and technical backlogs (none of this has gotten easier!). If we wanted to help our enterprise customers adopt multifactor authentication, we’d need to do more.
We tried all kinds of promotional campaigns. We offered the same kind of risk-based multifactor authentication challenges we used to protect our consumer users in a commercial product, Microsoft Entra ID Protection (formerly Azure AD Identity Protection). Disappointingly, these efforts barely moved the needle. When Nitika Gupta (Principal Group Product Manager, Microsoft) and I presented monthly multifactor authentication usage rates at Microsoft Ignite in 2017, it was just 0.7 percent of monthly active users. And we calculated this metric with lenience, counting users who carry a multifactor authentication claim from any source—on-premises federation, third-party providers, or Microsoft Entra multifactor authentication.
To make progress, we needed another radical idea, so in 2018, we made multifactor authentication available at no additional cost for all customers at all license levels. Even trial accounts included multifactor authentication. Over the next year—now that price wasn’t a barrier—multifactor authentication adoption rates only increased to 1.8 percent. At this rate, unless something changed, we wouldn’t reach 100 percent adoption for another 50 years. It was time to get even more radical.
So, in 2019, we came up with “security defaults,” which provides on-by-default multifactor authentication, and applied it to all new tenants. More than 80 percent of new tenants leave security defaults turned on, protecting tens of millions of users. Combining this uptick with pandemic-driven changes in work increased our multifactor authentication utilization to more than 25 percent. We were getting somewhere.
Our next move, starting in 2022, was to extend security defaults to existing tenants, often simpler, smaller customers, who haven’t touched their security settings. We’ve approached this carefully to minimize customer disruption. We’re still rolling out the program, but it has already protected tens of millions more users. More than 94 percent of existing tenants we’ve rolled security defaults out to have kept them enabled.
In just the past year, we’ve turned on security defaults for almost seven million new and existing tenants. These tenants experience 80 percent fewer compromises than tenants without security defaults. Today, security defaults drive more than half of today’s multifactor authentication usage in Microsoft Entra ID, and we’ve driven overall multifactor authentication utilization up to just over 37 percent.
But our goal is 100 percent multifactor authentication. Given that formal studies show multifactor authentication reduces the risk of account takeover by over 99 percent, every user who authenticates should do so with modern strong authentication.1 In a world where digital identity protects virtually every digital and physical asset and makes virtually all online experiences possible—and in a year when we’ve blocked more than 4,000 password attacks per second—we need to do more to drive multifactor authentication adoption. And so now, we’re kicking off the next radical idea.
Auto-rollout of Conditional Access policies
In the early 1960’s, if you wanted seat belts in your car, you could certainly have them. You just had to go to the store, buy some webbing and a buckle, figure out where to drill holes, and install the backing plates. Unsurprisingly, virtually no one did that. After 1965, when all manufacturers were required to install seat belts in all models, traffic injuries plummeted. And now, your car owes its safety rating in part to the annoying ding-ding-ding of the dashboard should you forget to buckle up. This approach—of making a secure posture easy to get into and hard to get out of—is sometimes called the “pit of success.”
Similarly, in the early days of cloud identity, if you wanted multifactor authentication for your accounts, you could certainly have it. You just had to pick a vendor, deploy the multifactor authentication service, configure it, and convince all your users to use it. Unsurprisingly, virtually no one did that. But when we applied the “pit of success” philosophy for consumer accounts in 2013 with multifactor authentication on by default, and for enterprise accounts in 2019 with security defaults, account compromise plummeted as multifactor authentication usage went up. And we’re incredibly excited about the next step in the journey: the automatic roll-out of Microsoft-managed Conditional Access policies.
Today, many customers use security defaults, but many others need more granular control than security defaults offer. Customers may not be in a position to disable legacy authentication for certain accounts (a requirement for security defaults), or they may need to make exceptions for certain automation cases. Conditional Access does a great job here, but often customers aren’t sure where to start. They’ve told us they want a clear policy recommendation that’s easy to deploy but still customizable to their specific needs. And that’s exactly what we’re providing with Microsoft-managed Conditional Access policies.
Microsoft-managed Conditional Access policies provide clear, self-deploying guidance. Customers can tune the policies (or disable them altogether), so even the largest, most sophisticated organizations can benefit from them. Over time, we’ll offer policies tailored to specific organizations, but we’re starting simple.
Because enabling multifactor authentication remains our top recommendation for improving your identity security posture, our first three policies are multifactor authentication-related, as summarized below:
Policy: Require multifactor authentication for admin portals
Who it’s for: All customers
What it does: This policy covers privileged admin roles and requires multifactor authentication when an admin signs into a Microsoft admin portal.
Policy: Require multifactor authentication for per-user multifactor authentication users
Who it’s for: All customers
What it does: This policy applies to users with per-user multifactor authentication and requires multifactor authentication for all cloud apps. It helps organizations transition to Conditional Access.
Policy: Require multifactor authentication for high-risk sign-ins
Who it’s for: Microsoft Entra ID Premium Plan 2 customers
What it does: This policy covers all users and requires multifactor authentication and reauthentication during high-risk sign-ins.
Pay close attention to the first policy. It’s our strong recommendation—and a policy we’ll deploy on your behalf—that multifactor authentication protect all user access to admin portals such as https://portal.azure.com, Microsoft 365 admin center, and Exchange admin center. Please note that while you can opt out of these policies, teams at Microsoft will increasingly require multifactor authentication for specific interactions, as they already do for certain Azure subscription management scenarios, Partner Center, and Microsoft Intune device enrollment.
You can view the policies and their impact using the new policy view user experience, which includes a policy summary, alerts, recommended actions, and a policy impact summary. You can also monitor them using sign-in and audit logs. You can customize the policies by excluding users, groups, or roles that you want to be exceptions, such as emergency and break glass accounts. If you require more extensive customizations, you can clone a policy and then make as many changes as you want.
We’ll begin a gradual rollout of these policies to all eligible tenants starting next week. We’ll notify you in advance, of course. Once the policies are visible in your tenant, you’ll have 90 days to review and customize (or disable) them before we turn them on. For those 90 days, the policies will be in report-only mode, which means Conditional Access will log the policy results without enforcing them.
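To make the first policy and the rollout mechanics concrete, here is an added example (not Microsoft's code and not the managed policy itself) that builds the Graph request body for a "Require multifactor authentication for admin portals" policy in report-only mode, with emergency-access accounts excluded as the post recommends, and then dry-runs it over a handful of constructed sign-in records to produce the kind of impact summary report-only mode gives you before enforcement. The body follows the Microsoft Graph conditionalAccessPolicy schema (the `MicrosoftAdminPortals` application alias and the `enabledForReportingButNotEnforced` state are real values); the role list is reduced to the built-in Global Administrator role template for brevity, and the user IDs and sign-in records are placeholders constructed for the example.

```python
"""Build and dry-run a 'Require MFA for admin portals' Conditional Access policy.

Added example, not Microsoft's code. The request-body shape follows the Microsoft
Graph conditionalAccessPolicy schema; the user IDs and sign-in records below are
constructed placeholders.
"""
from typing import Dict, Iterable, List, Optional

# Graph 'state' values: report-only logs the policy result without enforcing it.
REPORT_ONLY = "enabledForReportingButNotEnforced"
ENABLED = "enabled"

# Built-in Microsoft Entra role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
# Graph alias that targets the Microsoft admin portals as one application group.
ADMIN_PORTALS = "MicrosoftAdminPortals"


def build_admin_portal_policy(
    break_glass_ids: List[str],
    admin_roles: Optional[List[str]] = None,
    state: str = REPORT_ONLY,
) -> Dict:
    """Return the Graph request body for the admin-portal MFA policy.

    Emergency-access (break-glass) accounts are excluded so that a lost or
    broken MFA method can never lock every administrator out at once.
    """
    if not break_glass_ids:
        raise ValueError("exclude at least one emergency-access account")
    return {
        "displayName": "Require multifactor authentication for admin portals",
        "state": state,
        "conditions": {
            "users": {
                "includeRoles": admin_roles or [GLOBAL_ADMIN_ROLE],
                "excludeUsers": list(break_glass_ids),
            },
            "applications": {"includeApplications": [ADMIN_PORTALS]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def evaluate_report_only(policy: Dict, sign_ins: Iterable[Dict]) -> Dict:
    """Classify sign-ins the way report-only mode would, blocking nothing.

    Each sign-in record carries: user_id, roles (role template IDs held),
    app (application targeted) and mfa_satisfied (MFA already performed).
    """
    users = policy["conditions"]["users"]
    apps = set(policy["conditions"]["applications"]["includeApplications"])
    included_roles = set(users["includeRoles"])
    needs_mfa = "mfa" in policy["grantControls"]["builtInControls"]
    summary = {
        "not_applied": 0,  # out of scope: other app, excluded user or no admin role
        "success": 0,      # in scope and the grant control was already satisfied
        "failure": 0,      # in scope and would be challenged once enforced
        "enforced": policy["state"] == ENABLED,
    }
    for s in sign_ins:
        in_scope = (
            s["app"] in apps
            and s["user_id"] not in users["excludeUsers"]
            and bool(included_roles & set(s["roles"]))
        )
        if not in_scope:
            summary["not_applied"] += 1
        elif needs_mfa and not s["mfa_satisfied"]:
            summary["failure"] += 1
        else:
            summary["success"] += 1
    return summary


# Constructed sign-in records standing in for entries from the sign-in log.
SAMPLE_SIGN_INS = [
    {"user_id": "admin-1", "roles": [GLOBAL_ADMIN_ROLE], "app": ADMIN_PORTALS, "mfa_satisfied": True},
    {"user_id": "admin-2", "roles": [GLOBAL_ADMIN_ROLE], "app": ADMIN_PORTALS, "mfa_satisfied": False},
    {"user_id": "break-glass-1", "roles": [GLOBAL_ADMIN_ROLE], "app": ADMIN_PORTALS, "mfa_satisfied": False},
    {"user_id": "user-1", "roles": [], "app": "Office365", "mfa_satisfied": False},
]

if __name__ == "__main__":
    policy = build_admin_portal_policy(["break-glass-1"])
    print(evaluate_report_only(policy, SAMPLE_SIGN_INS))
    # {'not_applied': 2, 'success': 1, 'failure': 1, 'enforced': False}
```

Reading the summary: `failure` counts the admin-portal sign-ins that would be challenged once the policy moves from report-only to enabled, which is the number to drive to zero (by registering MFA for those admins) during the 90-day review window; the excluded break-glass account lands in `not_applied`, confirming the exception took effect. The same body can be created in a tenant by POSTing it to the Graph `identity/conditionalAccess/policies` endpoint, or by cloning the managed policy in the portal as the post describes.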
The Conditional Access policies you need, based on the latest cyberthreat information
As with security defaults, we’ve carefully considered the managed policies we’re rolling out automatically. We want the experience to feel like consulting directly with Microsoft’s identity security team, as though we examined your environment and said, based on everything we’ve learned from securing thousands of customers, “These are the policies you need.”
What’s more, we’ll keep improving the policies over time. Our eventual goal is to combine machine learning-based policy insights and recommendations with automated policy rollout to strengthen your security posture on your behalf with the right controls. In other words, as the cyberthreat landscape evolves, we’d not only recommend policy changes based on the trillions of signals we process every day, but we’d also safely apply them for you ahead of bad actors.
Not only will the seat belts already be in your car, but we’ll also help you fasten them to keep everyone safer. That way, you can keep your eyes on the road ahead.
The auto-rollout of Conditional Access policies is just one initiative we’re taking to strengthen your security. Learn about engineering advances we’re making in a recent memo to all Microsoft engineers from Charlie Bell, Executive Vice President, Microsoft Security.
All statistics listed throughout this blog are based on Microsoft internal data.
Extending our commitment to help customers be secure by default, today we’re announcing the auto-rollout of Microsoft Entra Conditional Access policies that will automatically protect tenants based on risk signals, licensing, and usage.
We’ve designed these policies based on our deep knowledge of the current cyberthreat landscape to help our customers strengthen their security baseline, and we’ll adapt them over time to keep the security bar high.These policies are part of a broader initiative to strengthen security, which includes key engineering advances.
This blog post explains why we decided to create these policies, how they work, how they differ from security defaults, and what Microsoft Entra customers can expect as we roll them out.
Microsoft Entra Conditional Access
Increase protection without compromising productivity.
Buckle up, we’re going for a ride. I have a great security story to share—about multifactor authentication, seat belts, radical ideas, and the pit of success.
Ten years ago, in 2013, we had just started the identity security team and had a radical idea: We changed the policy in our Microsoft account ecosystem (the consumer identity system behind things like Outlook.com, Skype, Xbox, and OneDrive) to require multifactor authentication factors for every single account. Today, 100 percent of consumer Microsoft accounts older than 60 days have multifactor authentication—and it’s been this way for 10 years. We give accounts 60 days to meet this policy requirement, then we block sign-ins until the user adds a strong authentication factor.
This move caused a huge stir. Many of the teams within Microsoft that relied on consumer identity were convinced multifactor authentication would add too much friction. They feared users would hate it. Pundits predicted catastrophe, but by virtually all metrics, the multifactor authenticationrequirement was a smashing success. Because we could safely challenge suspicious sign-ins, Microsoft account hacking plummeted by more than 80 percent, and good user recovery increased from 57 percent to 81 percent when accounts were hacked.
Securing an email or phone number to use as a multifactor authentication factor raised costs for fraudsters enough that synthetic account creation plummeted by 99 percent. Before we enacted this policy, users who forgot their passwords recovered their accounts at a rate of only 16 percent. Under the new policy, unaided password recovery jumped to more than 90 percent. And the policy didn’t drive customers away. In fact, the multifactor authentication policy had such a positive effect on integrity, security, and recoverability that customer retention improved by more than 5 percent. Good security reduces friction.
When Microsoft account joined forces with the team responsible for Microsoft Entra ID (formerly Azure Active Directory) late in 2014, we sought to replicate the success of this consumer-focused program. But we found the going much harder in the commercial space because we weren’t in control of account policies—customers were. Not only did identity admins fear user friction the way we had, but they were also grappling with budget constraints and talent shortages, as well as security and technical backlogs (none of this has gotten easier!). If we wanted to help our enterprise customers adopt multifactor authentication, we’d need to do more.
We tried all kinds of promotional campaigns. We offered the same kind of risk-based multifactor authentication challenges we used to protect our consumer users in a commercial product, Microsoft Entra ID Protection (formerly Azure AD Identity Protection). Disappointingly, these efforts barely moved the needle. When Nitika Gupta (Principal Group Product Manager, Microsoft) and I presented monthly multifactor authentication usage rates at Microsoft Ignite in 2017, it was just 0.7 percent of monthly active users. And we calculated this metric with lenience, counting users who carry a multifactor authentication claim from any source—on-premises federation, third-party providers, or Microsoft Entra multifactor authentication.
To make progress, we needed another radical idea, so in 2018, we made multifactor authenticationavailable at no additional cost for all customers at all license levels. Even trial accounts included multifactor authentication. Over the next year—now that price wasn’t a barrier—multifactor authentication adoption rates only increased to 1.8 percent. At this rate, unless something changed, we wouldn’t reach 100 percent adoption for another 50 years. It was time to get even more radical.
So, in 2019, we came up with “security defaults,” which provides on-by-default multifactor authentication, and applied it to all new tenants. More than 80 percent of new tenants leave security defaults turned on, protecting tens of millions of users. Combining this uptick with pandemic-driven changes in work increased our multifactor authentication utilization to more than 25 percent. We were getting somewhere.
Our next move, starting in 2022, was to extend security defaults to existing tenants, often simpler, smaller customers, who haven’t touched their security settings. We’ve approached this carefully to minimize customer disruption. We’re still rolling out the program, but it has already protected tens of millions more users. More than 94 percent of existing tenants we’ve rolled security defaults out to have kept them enabled.
In just the past year, we’ve turned on security defaults for almost seven million new and existing tenants. These tenants experience 80 percent fewer compromises than tenants without security defaults. Today, security defaults drive more than half of today’s multifactor authentication usage in Microsoft Entra ID, and we’ve driven overall multifactor authentication utilization up to just over 37 percent.
But our goal is 100 percent multifactor authentication. Given that formal studies show multifactor authentication reduces the risk of account takeover by over 99 percent, every user who authenticates should do so with modern strong authentication.1 In a world where digital identity protects virtually every digital and physical assets and makes virtually all online experiences possible—and in a year when we’ve blocked more than 4,000 password attacks per second—we need to do more to drive multifactor authentication adoption. And so now, we’re kicking off the next radical idea.
Auto-rollout of Conditional Access policies
In the early 1960’s, if you wanted seat belts in your car, you could certainly have them. You just had to go to the store, buy some webbing and a buckle, figure out where to drill holes, and install the backing plates. Unsurprisingly, virtually no one did that. After 1965, when all manufacturers were required to install seat belts in all models, traffic injuries plummeted. And now, your car owes its safety rating in part to the annoying ding-ding-ding of the dashboard should you forget to buckle up. This approach—of making a secure posture easy to get into and hard to get out of—is sometimes called the “pit of success.”
Similarly, in the early days of cloud identity, if you wanted multifactor authentication for your accounts, you could certainly have it. You just had to pick a vendor, deploy the multifactor authentication service, configure it, and convince all your users to use it. Unsurprisingly, virtually no one did that. But when we applied the “pit of success” philosophy for consumer accounts in 2013 with multifactor authentication on by default, and for enterprise accounts in 2019 with security defaults, account compromise plummeted as multifactor authentication usage went up. And we’re incredibly excited about the next step in the journey: the automatic roll-out of Microsoft-managed Conditional Access policies.
Today, many customers use security defaults, but many others need more granular control than security defaults offer. Customers may not be in a position to disable legacy authentication for certain accounts (a requirement for security defaults), or they may need to make exceptions for certain automation cases. Conditional Access does a great job here, but often customers aren’t sure where to start. They’ve told us they want a clear policy recommendation that’s easy to deploy but still customizable to their specific needs. And that’s exactly what we’re providing with Microsoft-managed Conditional Access policies.
Microsoft-managed Conditional Access policies provide clear, self-deploying guidance. Customers can tune the policies (or disable them altogether), so even the largest, most sophisticated organizations can benefit from them. Over time, we’ll offer policies tailored to specific organizations, but we’re starting simple.
Because enabling multifactor authentication remains our top recommendation for improving your identity secure posture, our first three policies are multifactor authentication-related, as summarized in the table below:
Policy
Who it’s for
What it does
Require multifactor authentication for admin portals
All customers
This policy covers privileged admin roles and requires multifactor authentication when an admin signs into a Microsoft admin portal.
Require multifactor authentication for per-user multifactor authentication users
This policy applies to users with per-user multifactor authentication and requires multifactor authentication for all cloud apps. It helps organizations transition to Conditional Access.
Require multifactor authentication for high-risk sign-ins
Microsoft Entra ID Premium Plan 2 customers
This policy covers all users and requires multifactor authentication and reauthentication during high-risk sign-ins.
Pay lots of attention to the first policy. It’s our strong recommendation—and a policy we’ll deploy your behalf—that multifactor authenticationprotect all user access to admin portals such as https://portal.azure.com, Microsoft 365 admin center, and Exchange admin center. Please note that while you can opt out of these policies, teams at Microsoft will increasingly require multifactor authentication for specific interactions, as they already do for certain Azure subscription management scenarios, Partner Center, and Microsoft Intune device enrollment.
You can view the policies and their impact using the new policy view user experience, which includes a policy summary, alerts, recommended actions, and a policy impact summary. You can also monitor them using sign-in and audit logs. You can customize the policies by excluding users, groups, or roles that you want to be exceptions, such as emergency and break glass accounts. If you require more extensive customizations, you can clone a policy and then make as many changes as you want.
We’ll begin a gradual rollout of these policies to all eligible tenants starting next week. We’ll notify you in advance, of course. Once the policies are visible in your tenant, you’ll have 90 days to review and customize (or disable) them before we turn them on. For those 90 days, the policies will be in report-only mode, which means Conditional Access will log the policy results without enforcing them.
The Conditional Access policies you need, based on the latest cyberthreat information
As with security defaults, we’ve carefully considered the managed policies we’re rolling out automatically. We want the experience to feel like consulting directly with Microsoft’s identity security team, as though we examined your environment and said, based on everything we’ve learned from securing thousands of customers, “These are the policies you need.”
What’s more, we’ll keep improving the policies over time. Our eventual goal is to combine machine learning-based policy insights and recommendations with automated policy rollout to strengthen your security posture on your behalf with the right controls. In other words, as the cyberthreat landscape evolves, we’d not only recommend policy changes based on the trillions of signals we process every day, but we’d also safely apply them for you ahead of bad actors.
Not only will the seat belts already be in your car, but we’ll also help you fasten them to keep everyone safer. That way, you can keep your eyes on the road ahead.
The auto-rollout of Conditional Access policies is just one initiative we’re taking to strengthen your security. Learn about engineering advances we’re making in a recent memo to all Microsoft engineers from Charlie Bell, Executive Vice President, Microsoft Security.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as “Twitter”) (@MSFTSecurity) for the latest news and updates on cybersecurity.
All statistics listed throughout this blog are based on Microsoft internal data.
Extending our commitment to help customers be secure by default, today we’re announcing the auto-rollout of Microsoft Entra Conditional Access policies that will automatically protect tenants based on risk signals, licensing, and usage.
We’ve designed these policies based on our deep knowledge of the current cyberthreat landscape to help our customers strengthen their security baseline, and we’ll adapt them over time to keep the security bar high.These policies are part of a broader initiative to strengthen security, which includes key engineering advances.
This blog post explains why we decided to create these policies, how they work, how they differ from security defaults, and what Microsoft Entra customers can expect as we roll them out.
Microsoft Entra Conditional Access
Increase protection without compromising productivity.
Buckle up, we’re going for a ride. I have a great security story to share—about multifactor authentication, seat belts, radical ideas, and the pit of success.
Ten years ago, in 2013, we had just started the identity security team and had a radical idea: We changed the policy in our Microsoft account ecosystem (the consumer identity system behind things like Outlook.com, Skype, Xbox, and OneDrive) to require multifactor authentication factors for every single account. Today, 100 percent of consumer Microsoft accounts older than 60 days have multifactor authentication—and it’s been this way for 10 years. We give accounts 60 days to meet this policy requirement, then we block sign-ins until the user adds a strong authentication factor.
This move caused a huge stir. Many of the teams within Microsoft that relied on consumer identity were convinced multifactor authentication would add too much friction. They feared users would hate it. Pundits predicted catastrophe, but by virtually all metrics, the multifactor authentication requirement was a smashing success. Because we could safely challenge suspicious sign-ins, Microsoft account hacking plummeted by more than 80 percent, and good user recovery increased from 57 percent to 81 percent when accounts were hacked.
Securing an email or phone number to use as a multifactor authentication factor raised costs for fraudsters enough that synthetic account creation plummeted by 99 percent. Before we enacted this policy, users who forgot their passwords recovered their accounts at a rate of only 16 percent. Under the new policy, unaided password recovery jumped to more than 90 percent. And the policy didn’t drive customers away. In fact, the multifactor authentication policy had such a positive effect on integrity, security, and recoverability that customer retention improved by more than 5 percent. Good security reduces friction.
When Microsoft account joined forces with the team responsible for Microsoft Entra ID (formerly Azure Active Directory) late in 2014, we sought to replicate the success of this consumer-focused program. But we found the going much harder in the commercial space because we weren’t in control of account policies—customers were. Not only did identity admins fear user friction the way we had, but they were also grappling with budget constraints and talent shortages, as well as security and technical backlogs (none of this has gotten easier!). If we wanted to help our enterprise customers adopt multifactor authentication, we’d need to do more.
We tried all kinds of promotional campaigns. We offered the same kind of risk-based multifactor authentication challenges we used to protect our consumer users in a commercial product, Microsoft Entra ID Protection (formerly Azure AD Identity Protection). Disappointingly, these efforts barely moved the needle. When Nitika Gupta (Principal Group Product Manager, Microsoft) and I presented monthly multifactor authentication usage rates at Microsoft Ignite in 2017, it was just 0.7 percent of monthly active users. And we calculated this metric with lenience, counting users who carry a multifactor authentication claim from any source—on-premises federation, third-party providers, or Microsoft Entra multifactor authentication.
To make progress, we needed another radical idea, so in 2018, we made multifactor authentication available at no additional cost for all customers at all license levels. Even trial accounts included multifactor authentication. Over the next year—now that price wasn’t a barrier—multifactor authentication adoption rates only increased to 1.8 percent. At this rate, unless something changed, we wouldn’t reach 100 percent adoption for another 50 years. It was time to get even more radical.
So, in 2019, we came up with “security defaults,” which provides on-by-default multifactor authentication, and applied it to all new tenants. More than 80 percent of new tenants leave security defaults turned on, protecting tens of millions of users. Combining this uptick with pandemic-driven changes in work increased our multifactor authentication utilization to more than 25 percent. We were getting somewhere.
Our next move, starting in 2022, was to extend security defaults to existing tenants, often simpler, smaller customers, who haven’t touched their security settings. We’ve approached this carefully to minimize customer disruption. We’re still rolling out the program, but it has already protected tens of millions more users. More than 94 percent of existing tenants we’ve rolled security defaults out to have kept them enabled.
In just the past year, we’ve turned on security defaults for almost seven million new and existing tenants. These tenants experience 80 percent fewer compromises than tenants without security defaults. Today, security defaults drive more than half of today’s multifactor authentication usage in Microsoft Entra ID, and we’ve driven overall multifactor authentication utilization up to just over 37 percent.
But our goal is 100 percent multifactor authentication. Given that formal studies show multifactor authentication reduces the risk of account takeover by over 99 percent, every user who authenticates should do so with modern strong authentication.1 In a world where digital identity protects virtually every digital and physical asset and makes virtually all online experiences possible—and in a year when we’ve blocked more than 4,000 password attacks per second—we need to do more to drive multifactor authentication adoption. And so now, we’re kicking off the next radical idea.
Auto-rollout of Conditional Access policies
In the early 1960s, if you wanted seat belts in your car, you could certainly have them. You just had to go to the store, buy some webbing and a buckle, figure out where to drill holes, and install the backing plates. Unsurprisingly, virtually no one did that. After 1965, when all manufacturers were required to install seat belts in all models, traffic injuries plummeted. And now, your car owes its safety rating in part to the annoying ding-ding-ding of the dashboard should you forget to buckle up. This approach—of making a secure posture easy to get into and hard to get out of—is sometimes called the “pit of success.”
Similarly, in the early days of cloud identity, if you wanted multifactor authentication for your accounts, you could certainly have it. You just had to pick a vendor, deploy the multifactor authentication service, configure it, and convince all your users to use it. Unsurprisingly, virtually no one did that. But when we applied the “pit of success” philosophy for consumer accounts in 2013 with multifactor authentication on by default, and for enterprise accounts in 2019 with security defaults, account compromise plummeted as multifactor authentication usage went up. And we’re incredibly excited about the next step in the journey: the automatic rollout of Microsoft-managed Conditional Access policies.
Today, many customers use security defaults, but many others need more granular control than security defaults offer. Customers may not be in a position to disable legacy authentication for certain accounts (a requirement for security defaults), or they may need to make exceptions for certain automation cases. Conditional Access does a great job here, but often customers aren’t sure where to start. They’ve told us they want a clear policy recommendation that’s easy to deploy but still customizable to their specific needs. And that’s exactly what we’re providing with Microsoft-managed Conditional Access policies.
Microsoft-managed Conditional Access policies provide clear, self-deploying guidance. Customers can tune the policies (or disable them altogether), so even the largest, most sophisticated organizations can benefit from them. Over time, we’ll offer policies tailored to specific organizations, but we’re starting simple.
Because enabling multifactor authentication remains our top recommendation for improving your identity security posture, our first three policies are multifactor authentication-related, as summarized in the table below:
Policy | Who it’s for | What it does
--- | --- | ---
Require multifactor authentication for admin portals | All customers | This policy covers privileged admin roles and requires multifactor authentication when an admin signs into a Microsoft admin portal.
Require multifactor authentication for per-user multifactor authentication users | All customers | This policy applies to users with per-user multifactor authentication and requires multifactor authentication for all cloud apps. It helps organizations transition to Conditional Access.
Require multifactor authentication for high-risk sign-ins | Microsoft Entra ID Premium Plan 2 customers | This policy covers all users and requires multifactor authentication and reauthentication during high-risk sign-ins.
Pay close attention to the first policy. It’s our strong recommendation—and a policy we’ll deploy on your behalf—that multifactor authentication protect all user access to admin portals such as https://portal.azure.com, the Microsoft 365 admin center, and the Exchange admin center. Please note that while you can opt out of these policies, teams at Microsoft will increasingly require multifactor authentication for specific interactions, as they already do for certain Azure subscription management scenarios, Partner Center, and Microsoft Intune device enrollment.
You can view the policies and their impact using the new policy view user experience, which includes a policy summary, alerts, recommended actions, and a policy impact summary. You can also monitor them using sign-in and audit logs. You can customize the policies by excluding users, groups, or roles that you want to be exceptions, such as emergency and break glass accounts. If you require more extensive customizations, you can clone a policy and then make as many changes as you want.
We’ll begin a gradual rollout of these policies to all eligible tenants starting next week. We’ll notify you in advance, of course. Once the policies are visible in your tenant, you’ll have 90 days to review and customize (or disable) them before we turn them on. For those 90 days, the policies will be in report-only mode, which means Conditional Access will log the policy results without enforcing them.
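The review step described above, as an added example that is not Microsoft’s code: a small Python audit over Conditional Access policy documents shaped like the Microsoft Graph conditionalAccessPolicy resource, reporting each non-disabled policy’s state, whether it requires multifactor authentication, and which emergency-access (break-glass) accounts it does not yet exclude. The sample policies, account IDs and group IDs are constructed placeholders.

```python
"""Rollout-readiness audit for Conditional Access policies.

Added example, not Microsoft's code. Each policy is a dict shaped like the
Microsoft Graph conditionalAccessPolicy resource; the fields read here are
state, conditions.users.{excludeUsers,excludeGroups} and
grantControls.builtInControls. Every ID below is a constructed placeholder.
"""
from dataclasses import dataclass, field

# Values of the Graph "state" property.
STATE_ENABLED = "enabled"
STATE_DISABLED = "disabled"
STATE_REPORT_ONLY = "enabledForReportingButNotEnforced"


@dataclass
class Finding:
    policy: str
    state: str
    requires_mfa: bool
    # Emergency-access accounts the policy would still apply to.
    unexcluded_break_glass: list = field(default_factory=list)


def _users_block(policy):
    return (policy.get("conditions") or {}).get("users") or {}


def requires_mfa(policy):
    controls = policy.get("grantControls") or {}
    return "mfa" in (controls.get("builtInControls") or [])


def is_excluded(policy, account_id, group_ids):
    """True if the account is excluded directly or through one of its groups."""
    users = _users_block(policy)
    if account_id in (users.get("excludeUsers") or []):
        return True
    return bool(set(group_ids) & set(users.get("excludeGroups") or []))


def audit_policies(policies, break_glass):
    """One Finding per policy that is not disabled.

    break_glass maps each emergency-access account ID to the group IDs it
    belongs to, so group-based exclusions count as well as direct ones.
    """
    findings = []
    for policy in policies:
        state = policy.get("state", STATE_DISABLED)
        if state == STATE_DISABLED:
            continue  # nothing to review until it is enabled or report-only
        missing = [acct for acct, groups in break_glass.items()
                   if not is_excluded(policy, acct, groups)]
        findings.append(Finding(policy["displayName"], state,
                                requires_mfa(policy), missing))
    return findings


def ready_to_enforce(findings):
    """Report-only MFA policies with every break-glass account excluded."""
    return [f.policy for f in findings
            if f.state == STATE_REPORT_ONLY and f.requires_mfa
            and not f.unexcluded_break_glass]


# Constructed sample: the three policy shapes from the table above, in the
# report-only state the rollout starts in, plus one disabled policy.
SAMPLE_POLICIES = [
    {"displayName": "Admin portals", "state": STATE_REPORT_ONLY,
     "conditions": {"users": {"includeRoles": ["role-admin-placeholder"],
                              "excludeUsers": ["bg-user-1"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Per-user MFA users", "state": STATE_REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "High-risk sign-ins", "state": STATE_REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["bg-user-1"],
                              "excludeGroups": ["grp-emergency"]},
                    "signInRiskLevels": ["high"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Legacy block (off)", "state": STATE_DISABLED,
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
]
# Two emergency-access accounts; the second is covered only via a group.
BREAK_GLASS = {"bg-user-1": set(), "bg-user-2": {"grp-emergency"}}

if __name__ == "__main__":
    findings = audit_policies(SAMPLE_POLICIES, BREAK_GLASS)
    for f in findings:
        gap = ", ".join(f.unexcluded_break_glass) or "none"
        print(f"{f.policy}: state={f.state} mfa={f.requires_mfa} "
              f"break-glass not excluded: {gap}")
    print("ready to enforce:", ready_to_enforce(findings))
```

In a real tenant the policy list would come from the Graph conditionalAccessPolicy endpoint and the break-glass map from your own records; the audit logic is unchanged.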
The Conditional Access policies you need, based on the latest cyberthreat information
As with security defaults, we’ve carefully considered the managed policies we’re rolling out automatically. We want the experience to feel like consulting directly with Microsoft’s identity security team, as though we examined your environment and said, based on everything we’ve learned from securing thousands of customers, “These are the policies you need.”
What’s more, we’ll keep improving the policies over time. Our eventual goal is to combine machine learning-based policy insights and recommendations with automated policy rollout to strengthen your security posture on your behalf with the right controls. In other words, as the cyberthreat landscape evolves, we’d not only recommend policy changes based on the trillions of signals we process every day, but we’d also safely apply them for you ahead of bad actors.
Not only will the seat belts already be in your car, but we’ll also help you fasten them to keep everyone safer. That way, you can keep your eyes on the road ahead.
The auto-rollout of Conditional Access policies is just one initiative we’re taking to strengthen your security. Learn about engineering advances we’re making in a recent memo to all Microsoft engineers from Charlie Bell, Executive Vice President, Microsoft Security.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as “Twitter”) (@MSFTSecurity) for the latest news and updates on cybersecurity.
All statistics listed throughout this blog are based on Microsoft internal data.
Today Microsoft’s Vice Chair and President Brad Smith shared insight on the global cybersecurity landscape and introduced our Secure Future Initiative. These engineering advances anticipate future cyberthreats, such as increasing digital attacks on identity systems. They also address how we will continue to build secure foundations necessary for the AI era and beyond.
In the spirit of transparency and to emphasize the importance of this moment, we are sharing the internal email sent earlier about our Secure Future Initiative’s strategy and objectives.
Hi all,
As I’m sure you’ve all seen, cyberattacks have grown rapidly and dangerously in recent years. We now see daily headlines of major industrial disruption, attacks on medical services, and other critical aspects of our daily lives. The sheer speed, scale, and sophistication of the attacks we’re seeing is a reminder for our industry and the world on how advanced digital threats have become. As computing has evolved from packaged software to cloud services, from waterfall to agile development, and with the new advances in AI, we must also evolve how we do security.
At Microsoft, we have a unique responsibility and leading role to play in securing the future for our customers and our community. We have a long and proud history of delivering innovative and impactful products and services that have shaped the industry and transformed the lives of billions of people around the world. We have also been at the forefront of developing and adopting security best practices, standards and tools that have helped us protect our customers and ourselves from cyberthreats and risks. Our move to Zero Trust, multifactor authentication, modern device management, and enhanced telemetry and detections have driven an embedded security culture across our company.
Satya Nadella, Microsoft Chief Executive Officer; Rajesh Jha, Microsoft Executive Vice President, Experiences and Devices; Scott Guthrie, Microsoft Executive Vice President, Cloud and AI; and I have put significant thought into how we should anticipate and adapt to the increasingly more sophisticated cyberthreats. We have carefully considered what we see across Microsoft and what we have heard from customers, governments, and partners to identify our greatest opportunities to impact the future of security. As a result, we have committed to three specific areas of engineering advancement we will add to our journey of continually improving the built-in security of our products and platforms. We will focus on 1. transforming software development, 2. implementing new identity protections, and 3. driving faster vulnerability response.
These advances comprise what we’re calling the Secure Future Initiative. Collectively, they improve security for customers both in the near term and in the future, against cyberthreats we anticipate will increase over the horizon. We recognize that not all of you will be deeply involved in all of the advances we must make. After all, the first priority is security by default. But all of you will be engaged and, more importantly, your constant attention to security in everything you build and operate will be the source of continuous innovation for our collective secure future. Please read on, absorb the “what” and the “why,” and contribute your ideas on innovation. We are all security engineers.
First, we will transform the way we develop software with automation and AI so that we do our best work in delivering software that is secure by design, by default, in deployment, and in operation. Microsoft invented the Security Development Lifecycle (SDL) and made it a bedrock principle of software trust and engineering. We will evolve it to “dynamic SDL” (dSDL). This means we’re going to apply the concept of continuous integration and continuous delivery (CI/CD) to continuously integrate protections against emerging patterns as we code, test, deploy, and operate. Think of it as continuous integration and continuous security.
We will accelerate and automate threat modeling, deploy CodeQL for code analysis to 100 percent of commercial products, and continue to expand Microsoft’s use of memory safe languages (such as C#, Python, Java, and Rust), building security in at the language level and eliminating whole classes of traditional software vulnerability.
We must continue to enable customers with more secure defaults to ensure they have the best available protections that are active out-of-the-box. We all realize no enterprise has the luxury of jettisoning legacy infrastructure. At the same time, the security controls we embed in our products, such as multifactor authentication, must scale where our customers need them most to provide protection. We will implement our Azure tenant baseline controls (99 controls across nine security domains) by default across our internal tenants automatically. This will reduce engineering time spent on configuration management, ensure the highest security bar, and provide an adaptive model where we add capability based on new operational learning and emerging adversary threats. In addition to these defaults, we will ensure adherence and auto-remediation of settings in deployment. Our goal is to move to 100 percent auto-remediation without impacting service availability.
One example from the past of secure defaults is widescale multifactor authentication adoption. Over the past year, we have learned a great deal as we made multifactor authentication on by default for new customers. Those learnings and our communications with customers helped pave the way for our introduction of wider multifactor authentication default policies for wider bands of customer tenants. By focusing on communications as well as engineering—explaining where we are focused on defaults and how customers benefit—we achieve more durable security for our customers. Multifactor authentication is just one area of defaults for us, but over the next year you will see us accelerate security defaults across the board, energized by our learnings and customer feedback. You will all be “customer zero” as we introduce these.
Second, we will extend what we have already created in identity to provide a unified and consistent way of managing and verifying the identities and access rights of our users, devices, and services, across all our products and platforms. Our goal is to make it even harder for identity-focused espionage and criminal operators to impersonate users. Microsoft has been a leader in developing cutting-edge standards and protocol work to defend against rising cyberattacks like token theft, adversary-in-the-middle attacks, and on-premises infrastructure compromise. We will enforce the use of standard identity libraries (such as Microsoft Authentication Library) across all of Microsoft, which implement advanced identity defenses like token binding, continuous access evaluation, advanced application attack detections, and additional identity logging support. Because these capabilities are critical for all applications our customers use, we are also making these advanced capabilities freely available to non-Microsoft application developers through these same libraries.
To stay ahead of bad actors, we are moving identity signing keys to an integrated, hardened Azure HSM and confidential computing infrastructure. In this architecture, signing keys are not only encrypted at rest and in transit, but also during computational processes. Key rotation will also be automated, allowing high-frequency key replacement with no potential for human access, whatsoever.
Lastly, we are continuing to push the envelope in vulnerability response and security updates for our cloud platforms. As a result of these efforts, we plan to cut the time it takes to mitigate cloud vulnerabilities by 50 percent. We are in a position to achieve this because of our long investment and learnings in automation, monitoring, safe deployment, and AI-driven tools and processes. We will also take a more public stance against third-party researchers being put under non-disclosure agreements by technology providers. Without full transparency on vulnerabilities, the security community cannot learn collectively—defending at scale requires a growth mindset. Microsoft is committed to transparency and will encourage every major cloud provider to adopt the same approach.
These advances are not independent or isolated, but interdependent. They will work together to create a more holistic and comprehensive security infrastructure that can address both current and future cyberthreats. They are also aligned and consistent with our company’s mission, vision, and values, and they support and enable our business goals and objectives. Over the coming months and year, you will see us announce milestones along the execution paths of the above.
As we enter the age of AI, it has never been more important for us to innovate, not only with respect to today’s cyberthreats but also in anticipation of those to come. We are confident making these changes will improve the security, availability and resilience of our systems as well as increase our speed of innovation. In the coming weeks, Rajesh, Scott, and I will be meeting with our teams to share more details about these changes and how they will affect our organization, our processes, and our deliverables. We will also solicit your feedback and input on how we can implement them effectively and efficiently. We want this to be a collaborative and transparent effort that involves all of you as key stakeholders and contributors.
Security is not just a technical problem, but a human one. It affects millions of people around the world who rely on our products and services to communicate, work, learn, and play. We have the talent, the passion, and the vision to make a positive impact on the world through our work.
There’s no doubt we are living through a time of rapid technological change. Advances in ubiquitous computing and ambient intelligence transform nearly every aspect of work and life. As the world moves forward with new advancements and distributed technologies, so too does the need to understand the potential security risks. At Microsoft, our mission has always been focused on keeping our customers’ and partners’ information and data safe and secure, and this is why we’re committed to advancing encryption solutions, in order to enable responsible use of new technologies such as AI and quantum computing. As one important example, while scaled quantum computing will help solve some of our toughest problems, like helping us discover new ways of addressing climate change and food scarcity, its development may also create a new set of security challenges and in turn require new encryption standards. As this future quickly approaches, how can we ensure that we reap the benefits of quantum computing while remaining safe in a post-quantum world?
Start your journey with Microsoft towards quantum-safety.
We believe the first step every organization should take toward quantum safety is to be aware of the need to organize, plan, and begin an impact assessment. We recommend prioritizing symmetric encryption where applicable and subsequently adopting post-quantum cryptography (PQC) for asymmetric encryption once standardized and approved by the relevant standards-setting bodies and governments, as recommended by cybersecurity agencies globally. Furthermore, we are exploring and experimenting with additional classical and quantum security solution layers through internal experiments, POCs, and collaborations with partners.
Given that preparing for such an objective will be a multi-year and iterative process that requires strategic foresight, it’s crucial for organizations to start investing time in their planning and execution efforts today. Thanks to our extensive experience in quantum engineering and expertise as a service and security provider, we can serve as a trusted partner to navigate this process across industry and government.
Tomorrow’s quantum computers threaten today’s data
In our previous blog post, we discussed the limitations of current quantum computers in terms of breaking today’s encryption technology. In parallel, the emergence of scaled quantum computers with specific algorithms—such as Shor’s algorithm—could put public key encryption at risk and compromise sensitive information.
While it may take at least 1 million qubits for a quantum computer to break certain encryption algorithms using Shor’s algorithm, today’s long-term and sensitive data could already be at risk: bad actors could carry out a “Harvest Now, Decrypt Later” scenario by recording data today and decrypting it later when cryptographically relevant quantum computers become available. Therefore, knowing which data to secure now is a first step on the path to a quantum-safe future.
Microsoft’s commitment to keeping our customers and partners secure
Putting our recommendations into practice, we have taken a comprehensive approach to quantum safety. Because quantum will have a material impact on today’s classical encryption of both hardware and software, we’ve invested time and effort to set cross-company goals and establish accountability at the most senior levels of our organization. This led to the establishment of the Microsoft Quantum Safe Program, which aims to accelerate and advance all quantum-safe efforts across Microsoft from both technical and business perspectives. The program focuses on Microsoft’s transition to quantum safety and the adoption of PQC algorithms across our products, services, and datacenters. Additionally, it aims to assist and empower our customers and partners on their own journey to quantum safety across their processes, priorities, and requirements.
As the first step and highest priority, we are ensuring the compliance of our existing symmetric key encryption and hash function algorithms. Symmetric algorithms, such as Advanced Encryption Standard (AES), and hash functions, such as Secure Hash Algorithm (SHA), are resilient to quantum attacks, and can therefore still be used in deployed systems. At Microsoft, we are already using protocols based on symmetric encryption, such as Media Access Control Security (MACsec) point-to-point protocol.
On top of symmetric encryption, we will prioritize PQC algorithms—still in the process of being standardized by global bodies such as the National Institute of Standards and Technology (NIST), International Standards Organization (ISO), and Internet Engineering Task Force (IETF)—to handle future threats where asymmetric encryption is currently used. Today, much of the internet’s data, from e-commerce to Wi-Fi access, is kept secure by public key, or asymmetric key cryptography. Currently used public key algorithms rely on complex mathematical problems considered infeasible for classical computers to break, but that are a perfect task for quantum computers running Shor’s algorithm. This undermines the effectiveness of public key algorithms like RSA and Elliptic Curve Cryptography (ECC), and means that PQC algorithms will need to be deployed quickly once standardized, starting with hybrid encryption schemes in tandem with classical algorithms to accelerate adoption.
Empowering and collaborating with the global community
We see the effort to achieve quantum safety as a collaborative effort, and this is why we invest heavily in our ecosystems, global partnerships, and close collaborations with standards-setting bodies, academia, and industry partners alike to foster continuous innovation in the quantum security landscape. The standardization of PQC algorithms, driven by NIST’s efforts, is a key step to achieving PQC compliance.
Because we believe that PQC adoption is the ideal path to follow, we’re collaborating with standard-setting bodies while conducting experiments and assessments to facilitate the adoption of these algorithms across our services and products as needed. As an example, we are participating in the NIST/NCCoE Migration to PQC to demonstrate vulnerable cryptography detection and drive PQC experiments and integration capabilities. Those efforts, along with our participation in the Open Quantum Safe project, will allow the members to implement and test PQC candidates together, so we can be ready for adoption once the final specs are out.
Furthermore, as part of our investment to empower and collaborate with the global security community, we co-authored FrodoKEM, a quantum-safe key encapsulation mechanism that has been selected, together with Kyber and Classic McEliece, to be part of the first international ISO standard for PQC (in addition, we are participating as co-editors of the standard). We also recently submitted SQISign, a new quantum-safe signature scheme that we co-authored with several industry and academia partners, to NIST’s call for additional signature schemes. Lastly, we continue to actively participate as founding members of the new post-quantum cryptography coalition by MITRE and will help to drive progress toward a broader understanding of the public adoption of PQC and NIST’s recommendations.
While we continue to conduct research to further develop state-of-the-art security solutions, we are also exploring the potential of other classical and quantum technologies, such as Quantum Key Distribution (QKD). Holistically, at the core of our mission is a commitment to achieving quantum-safety and ensuring the security of our customers.
Getting started with your PQC transition today
To support our customers in preparing for and navigating their quantum-safe journey, we offer assistance and guidance: we invite you to start your path with us by filling out this questionnaire. Based on your responses, we can understand your status and priorities, and provide the necessary support, including access to experts.
As a first step, we recommend starting with a comprehensive planning process and a definition of your organization’s criteria for what constitutes your critical areas and sensitive information, alongside a cryptography inventory and impact assessment of your essential data, code, cryptographic technologies, and the critical services of your organization. This will help you to identify any asymmetric encryption in use that will need to be replaced with the latest PQC standardized algorithms. This process is especially important to identify critical areas and systems that involve or protect sensitive data with a value that extends beyond 10 years and should be prioritized in migrating to PQC.
By considering which data and code need to be secured now, and which may become less relevant over time, as well as uncovering specific instances where cryptography could be used inappropriately or not ideally, your organization will have a better understanding of where to best mitigate potential risks as a quantum future approaches. This will enable you to confidently make the switch to the latest PQC standardized algorithms and safeguard your sensitive data for years to come.
Explore CodeQL
To help, we are contributing to CodeQL: a next-generation program code analysis tool provided by GitHub in collaboration with organizations including NIST and NCCoE. With CodeQL, we are building out a comprehensive set of detections that can empower users to create a complete inventory of all encryption usage within the application layer, helping to produce a cryptographic bill of materials and identify legacy cryptography that requires remediation. This tool can thus help create a cryptography inventory and impact assessment that will drive operational planning and create understanding and clarity around the timeline, resources, and level of risk for which to account.
Try the Crypto Experience for Resource Estimator now
Furthermore, we recently launched the Crypto Experience for Azure Quantum Resource Estimator. Drawing on published research from Microsoft, this new interactive cryptography experience will show you why a symmetric key could remain safe from quantum attacks while current public key cryptography is vulnerable. And because it is integrated with Copilot in Azure Quantum, you can use the universal user interface of natural language to ask, learn, and explore more topics within the intersection of quantum computing and cryptography.
The opportunity to usher in a quantum, and quantum-safe, future is immense. We see how the collective genius of scientists and businesses will revolutionize the building blocks of everyday products to usher in a new era of innovation and growth in many fields. That’s what motivates us at Microsoft to drive new breakthroughs and empower every person and every organization on the planet. Our commitment to our customers, partners, and ecosystem to become quantum-safe and remain secure has never been stronger. We are accountable for having our products and services quantum-resistant and safe and will support and guide our customers through this journey to quantum safety.
Learn more
Start your journey with Microsoft towards quantum-safety by filling out this questionnaire.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as “Twitter”) (@MSFTSecurity) for the latest news and updates on cybersecurity.
Microsoft is pleased to announce the release of the security baseline package for Windows 11, version 23H2!
Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate.
This release includes several changes to further assist in the security of enterprise customers: additional protections for the local admin account, Microsoft Defender Antivirus updates, and a new setting in response to an MSRC bulletin.
Re-introducing the Local Administrator Password Solution (LAPS)
LAPS is a feature that has been around for some time but was always a bolt-on solution. The legacy version of Microsoft LAPS has been deprecated as of October 23, 2023, as noted in our article on Microsoft LAPS deprecation. Windows LAPS is now built into Windows (inbox), and its settings are located under Administrative Templates/System/LAPS. We have configured three settings:
Configure password backup directory to a value of Enabled: Active Directory
Enable password backup for DSRM accounts to a value of Enabled
Enable password encryption to a value of Enabled
For the backup directory setting, we have selected the option to back up to Active Directory, as the baselines are already targeted at Active Directory. For Microsoft Entra ID, the best selection will be the Azure Active Directory option, which will be reflected in the Intune security baseline when it releases.
A new custom setting, Enable Certificate Padding, has been added to SecGuide.admx/l. Certificate Padding was first introduced in 2013 and republished in January 2022. This setting affects Portable Executables and should be tested before being implemented in its more secure state. At this time, the security baseline does not intend to enforce stricter verification behaviors. For additional information on Certificate Padding, see CVE-2013-3900 – Security Update Guide – Microsoft – WinVerifyTrust Signature Validation Vulnerability.
Microsoft Defender Antivirus
With each release of the security baseline, a full settings review is completed. Based on the latest review, we are updating the recommended settings for Microsoft Defender Antivirus (MDAV) with the addition of ten settings. These settings are as follows:
Microsoft Defender Antivirus\Configure local administrator merge behavior for lists – set to a value of Disabled
Microsoft Defender Antivirus\Control whether or not exclusions are visible to Local Admins – set to a value of Enabled
Microsoft Defender Antivirus\Turn off routine remediation – set to a value of Disabled
Microsoft Defender Antivirus\MAPS\Send file samples when further analysis is required – set to a value of Enabled: Send all samples
Configure monitoring for incoming and outgoing file and program activity – set to a value of Enabled: bi-directional
Monitor file and program activity on your computer – set to a value of Enabled
Turn on process scanning whenever real-time protection is enabled – set to a value of Enabled
Scan packed executables – set to a value of Enabled
There is an additional setting, Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature, that should be configured to an enabled state as long as you have Microsoft Defender for Endpoint deployed, as this setting is used in conjunction with File Hash Allow/Block.
Controlled folder access
Controlled folder access (CFA) is a very powerful feature to help protect data from nefarious activity like ransomware. Configure Controlled folder access is not configured in the baseline, but organizations are highly encouraged to set it to Enabled: Audit Mode for a period of time, until enough logging has occurred to make informed decisions. From there, organizations are encouraged to fully configure CFA and move from Audit Mode to the Block state. For additional information on CFA, see Enable controlled folder access.
Tamper protection
While you are enabling the Microsoft Security Baseline, a friendly reminder to make sure to enable Microsoft Defender for Endpoint tamper protection for an additional layer of protection against human-operated ransomware. Want to learn more? See Protect security settings with tamper protection.
Other changes
The MSS Legacy custom administrative template titles were changed to remove the recommendation from the actual setting name. Based on feedback, this was causing confusion because the settings changed over time while the recommendation in the title was static. The legacy Microsoft LAPS admx/l files have been removed due to its deprecation.
Advanced Audit Policy\Audit Policies\Privilege Use\Audit Sensitive Privilege Use is being changed in the baseline to Success only (removing Failure), as we are seeing an increase in noise coming from the Failure option. There is low security value in keeping both Success and Failure at this point.
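As an added, read-only drift check (not part of the Security Compliance Toolkit or this baseline package), the script below reports a host's effective value next to the baseline values discussed above for Windows LAPS, Certificate Padding, the MDAV settings, controlled folder access, tamper protection, and the Audit Sensitive Privilege Use change. It assumes the documented registry value names for Windows LAPS policy and EnableCertPaddingCheck; verify them against the ADMX files in the toolkit, and run it elevated so auditpol and Get-MpPreference can read their data.

```powershell
# Added drift check, not part of the Security Compliance Toolkit. Read-only: it
# reports the host's effective value next to the baseline value named in the post.
# Registry value names for Windows LAPS policy and EnableCertPaddingCheck are the
# documented ones (assumption), so verify them against the toolkit's ADMX files.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # a missing key or value is reported as "Not Configured"
}

function Test-BaselineDrift {
    $laps     = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    $wintrust = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config'
    $mp       = Get-MpPreference
    $mpStatus = Get-MpComputerStatus
    # auditpol /r emits CSV; "Inclusion Setting" is Success, Failure, Success and Failure, or No Auditing
    $audit = auditpol /get /subcategory:"Sensitive Privilege Use" /r | ConvertFrom-Csv

    $checks = @(
        @{ Name = 'LAPS: BackupDirectory (2 = Active Directory)'; Actual = Get-RegValue $laps 'BackupDirectory'; Expected = 2 }
        @{ Name = 'LAPS: ADBackupDSRMPassword'; Actual = Get-RegValue $laps 'ADBackupDSRMPassword'; Expected = 1 }
        @{ Name = 'LAPS: ADPasswordEncryptionEnabled'; Actual = Get-RegValue $laps 'ADPasswordEncryptionEnabled'; Expected = 1 }
        # CVE-2013-3900 stricter WinVerifyTrust check is REG_SZ "1"; the baseline does not enforce it, so this row is informational
        @{ Name = 'WinVerifyTrust: EnableCertPaddingCheck (informational)'; Actual = Get-RegValue $wintrust 'EnableCertPaddingCheck'; Expected = '1' }
        @{ Name = 'MDAV: RealTimeScanDirection (0 = bi-directional)'; Actual = $mp.RealTimeScanDirection; Expected = 0 }
        @{ Name = 'MDAV: SubmitSamplesConsent (3 = send all samples)'; Actual = $mp.SubmitSamplesConsent; Expected = 3 }
        @{ Name = 'MDAV: EnableFileHashComputation (with MDE deployed)'; Actual = $mp.EnableFileHashComputation; Expected = $true }
        @{ Name = 'CFA: EnableControlledFolderAccess (2 = audit, 1 = block)'; Actual = $mp.EnableControlledFolderAccess; Expected = @(1, 2) }
        @{ Name = 'MDE: tamper protection'; Actual = $mpStatus.IsTamperProtected; Expected = $true }
        @{ Name = 'Audit Sensitive Privilege Use (Success only)'; Actual = $audit.'Inclusion Setting'; Expected = 'Success' }
    )

    foreach ($c in $checks) {
        $wanted = @($c.Expected) | ForEach-Object { "$_" }   # normalise expected values to strings
        $state  = 'DRIFT'
        if ($null -eq $c.Actual) { $state = 'NOT CONFIGURED' } elseif ($wanted -contains "$($c.Actual)") { $state = 'OK' }
        [pscustomobject]@{ Setting = $c.Name; Expected = ($wanted -join ' or '); Actual = $c.Actual; State = $state }
    }
}

Test-BaselineDrift | Format-Table -AutoSize
```

A row marked DRIFT or NOT CONFIGURED is a prompt to compare the host against the toolkit's GPO backups, not a verdict; CFA is reported as OK in either Audit Mode or Block state because the post recommends moving between them deliberately.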
In a world where the digital frontier is expanding and cyberattacks are becoming more sophisticated with speed and scale, the guardians of our virtual realms have never been in greater demand.[1] It’s important to leverage this year’s Cybersecurity Awareness Month to celebrate the people who keep us safe and to raise visibility on the need for education and awareness—for everyone. With a staggering 3.4 million unfilled cybersecurity jobs, almost 70 percent of organizations report not having enough cybersecurity staff to be effective.[2]
And security leaders are sounding the alarm as they want to keep cybersecurity professionals equipped with the right resources to avoid burnout. Yet this isn’t merely about technical prowess. The ideal cybersecurity workforce harmoniously merges technical expertise with invaluable soft skills. While cutting-edge technology offers part of the remedy, the heart of our defense lies in human expertise—the minds that craft strategies, wielding these tools to ward off potential cyberthreats. The gap in cybersecurity talent is a collective concern, and Microsoft is eager to support the mission to bridge this gap through educational programs that include diversity, by providing guidance to security professionals and their organizations on how to be cybersmart, and with generative AI technology to augment the talent that prevails.
Be Cybersmart
Help educate everyone in your organization with cybersecurity awareness resources and training curated by the security experts at Microsoft.
There are still a lot of misconceptions about what is required to be a successful professional in this industry.
Common fallacies that may hold people back from exploring cybersecurity careers include that only science, technology, engineering, and mathematics graduates—or college graduates in general—can get cybersecurity jobs. The industry is growing more inclusively and attracting a broader range of people, including professionals outside IT. In fact, half of employees younger than 30 join the industry with a non-IT background.[3] To take on cybersecurity challenges, security teams must be as diverse as attackers in terms of background, race, and gender. As we like to say, the door is open for anyone to become a cyber defender.
“Almost everything needs cybersecurity. It’s just going to keep growing and it will never go away, so we need more people in it. To get people into cybersecurity we need to break that stigma of what the industry is about. Cybersecurity is not just coding, and we legitimately need all types of people, like psychology majors, English majors, business majors, besides computer science, because there are so many different areas you can get into,” says Caitlin Sarian, also known as Cybersecurity Girl, a prominent digital influencer who joined an episode of our Secure the Job Podcast and whose main goal is to help more people understand cybersecurity and consider joining the industry.
“We need to change the security narrative from fear-filled dark tones to hope-filled, optimistic, innovative tones for several reasons. First and foremost, security is a prime driver for innovation, and it needs to inspire and empower people. If we don’t involve everyone, if we continue to think of security as exclusive and fear-filled, then we are creating barriers to entry for defenders to participate,” says Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity, and Management, Microsoft.
Creating real impact in a new and more diverse generation of cybersecurity experts
However, there is still a long way to go, and we know that one way to reduce the skills gap is to bring more underrepresented groups into the workforce. One important effort we’ve been focusing on is attracting more women to the industry. Women offer diverse points of view, deep analytics and risk assessment skills, and emotional intelligence that are hallmarks of a successful cyber defender, but they represent only around 25 percent of the cybersecurity workforce today.[4] In a Microsoft-commissioned survey, we learned that the reasons for this underrepresentation include gender bias, not enough female mentors and role models, insufficient education opportunities, and uncertainty about cybersecurity career pathways.[5] That’s why we partner globally with projects that practice similar values and have the same commitment to diversity in cybersecurity, such as Minorities in Cybersecurity, Executive Women’s Forum, and WOMCY. In the United States, two of our main education partners, Women in Cybersecurity (WiCyS) and Girl Security, have recently been recognized by the White House’s National Cyber Workforce and Education Strategy as key players in changing the diversity landscape of the cybersecurity workforce.
“Part of the challenge is driving the message that diversity is not just about numbers. It’s about innovating security solutions that we can’t possibly conceive right now because we don’t have diverse voices in the room to yield those outcomes. When we bring first-generation college and immigrant students to the table, the effects are remarkable.”
—Lauren Buitta, Chief Executive Officer and Founder, Girl Security
At Microsoft we’ve also been using technology innovation to spread interest in cybersecurity earlier in the process, as early exposure strongly impacts career choices in the future. To help with that and to enable kids of all ages to behave more safely online, we’ve developed the Minecraft Education Cybersecurity Collection, with levels that go from kindergarten to college and focus on teaching cyberskills at every level with fun, accessible lessons for the modern digital citizen, followed by learning resources.
How AI is empowering a stronger workforce
The latest generative AI revolution has gotten plenty of people excited because of its potential to advance business initiatives, but AI adoption also has great potential impact on cybersecurity talent. Vasu Jakkal recently shared how AI can improve cybersecurity by harnessing diversity and offered other suggestions for how to encourage cybersecurity interest.[6] Human ingenuity and expertise will always be a precious and irreplaceable component of security, and AI has the power to tip the scales in favor of cyber defenders by augmenting human capabilities, enabling machine-speed cyberthreat detection, and fostering a stronger collective skillset of diverse backgrounds and points of view.
Among other things, generative AI also has the potential to expand the number of cybersecurity professionals and help them refine and strengthen their skills. Using AI tools in recruiting can also help “transcend biases, optimize talent acquisition, promote inclusive training and education,” and lead to more hiring of diverse candidates.[7]
Recognizing the increasing importance of AI skills in the global workforce, Microsoft has launched the AI Skills Initiative to enhance AI education and address emerging skills gaps. In partnership with LinkedIn, the initiative offers a Professional Certificate on Generative AI and the Generative AI Skills Grant Challenge, a collaboration with other organizations that focus on underserved communities.
Champion the advocacy to propel cybersecurity education and careers forward
There is a lot we all can do to support cybersecurity education and help narrow the skills gap. If you’re a security professional, consider sponsoring someone or supporting one of the many mentoring programs mentioned in this blog.
Many remain unaware of the vast opportunities awaiting them in cybersecurity, so we invite you to amplify these prospects to a broader audience. Check whether your local school has a TEALS program, and let them know about the career path the Last Mile Education Fund offers. Amplify free cybersecurity content, training, and learning opportunities by earning a Microsoft Learn and LinkedIn Learning Certificate, and show the younger generation the wonders the Minecraft Cybersecurity education game can provide.
In the spirit of security being a team sport, explore our Cybersecurity Awareness Website to continue your education and to help educate your organization and community. It takes a village to make a difference in the lives of others and to support our cybersecurity professionals who tirelessly keep us safe. It is vital that no matter what role we play in our workplace, family or community, we all become a cyber defender.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.