Author Archive

Now that you have a plan, it’s time to start deploying

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series, you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog First Things First: Envisioning Your Security Deployment.

In our previous blog post, we covered how FastTrack for Microsoft 365 can help you envision a successful Microsoft 365 security deployment. Now, we'll cover the next phase of our three-phase planning approach: Onboard. This is where you move from strategy and objectives to the practical details of your deployment planning.

The Onboard phase is a critical time to remove any blockers you have, clean up any issues that might prevent your preferred deployment approach, and then start setting up services and users that integrate with your environment. The FastTrack team can help coordinate the setup, configuration, and provisioning of many of your Microsoft 365 services.

We will cover how to Drive Value with FastTrack for Microsoft 365 in our next blog. But first:

Your onboard checklist

The following checklist provides some of the items and actions that our FastTrack team can help you work through during the Onboard phase:

Network and Client

  • Identify and prepare DNS, network, and infrastructure needs
  • Configure DNS for eligible services
  • Configure TCP/IP protocols and firewall ports
  • Identify and prepare client needs (Internet browser, client operating system, and services’ needs)
  • Enable eligible services that have been purchased and defined as part of onboarding
  • Establish the timeline for remediation activities
  • Activate your Microsoft online service tenant or subscription
  • Validate connectivity to Microsoft online services


  • Provision user identity including licensing
  • Configure Azure AD Identity Protection
  • Configure Self Service Password Reset (SSPR)
  • Configure Azure Multi-Factor Authentication
  • Configure Privileged Identity Management
  • Set up Azure AD Conditional Access policies
  • Synchronize Azure AD Connect directory (with password writeback and password hash sync)

Access Management

  • Configure identities to be used by Intune, by either leveraging your on-premises Active Directory or cloud identities (Azure AD)
  • Add users to your Intune subscription, define IT admin roles (Helpdesk operator, admins, etc.), and create user and device groups
  • Configure and deploy Intune app protection policies for each supported platform and prepare line-of-business apps for app protection policies

Mobile Device Management (MDM)

  • Configure your MDM authority and policies and test to validate MDM management policies
  • Configure profiles on devices for supported platforms
  • Enroll devices of each supported platform to Intune or Configuration Manager with Microsoft Intune service

Ready for action? Start with a Success Plan

Our FastTrack Success Plan is an online tool that walks you through each step of Microsoft 365 Security planning process, from Envisioning to Onboarding to Driving Value and adoption with users.

The Success Plan can be launched by either you or your Microsoft Partner and provides all the guidance and resources you need to plan a successful Microsoft 365 Security deployment. Once completed, the plan also provides you with a clear path to help you get the most out of your FastTrack services. To get started, simply sign in to FastTrack.

FastTrack provides end-to-end guidance for planning, onboarding, and driving end user adoption for Microsoft 365, which comprises Enterprise Mobility + Security (EMS), Windows 10, and Office 365.


Securing the modern workplace with Microsoft 365 threat protection – part 4

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Responding to ransomware in the Modern Workplace

Over the last few weeks, we have shared the roots of Microsoft 365 threat protection and how Microsoft 365 threat protection helps protect against and detect a modern ransomware attack. Today, we conclude our blog series by discussing how Microsoft 365 threat protection can help respond to attacks and also helps educate and raise awareness of threats to end users. In our ransomware scenario, once the threat has been detected, Microsoft 365 also helps respond and remediate, with automation playing a key role in making the response more manageable, accurate, and less time consuming for administrators. Microsoft 365 threat protection response and remediation services are shown in figure 1 below.

[Figure 1 content: Ransomware Detection with Microsoft 365: Windows Defender Advanced Threat Protection; Azure Advanced Threat Protection; Microsoft Cloud App Security; Azure Security Center; Office 365 Advanced Threat Protection; Office 365 Threat Intelligence]

Figure 1. Microsoft 365 threat protection helps detect threats to the modern workplace

In our ransomware scenario, Windows Defender Advanced Threat Protection (WDATP) alerts security operations teams about suspicious activities such as programs launching self-replicating copies. If the ransomware does manage to infect multiple devices, WDATP automatically investigates alerts, applies artificial intelligence to determine whether a threat is real, and then decides what action to take. It then automatically remediates the threat from affected endpoints to stop further damage, as shown in figure 2.

Figure 2. WDATP automation mapping the propagation of a threat

WDATP provides manual machine level responses, such as isolating a machine to contain the threat. Further, forensic data is collected to better understand the attack and the attacker. WDATP also includes file level response by quarantining or blocking malicious files. Azure Security Center also leverages automation by helping orchestrate these common security workflows:

  • Routing alerts to a ticketing system
  • Applying additional security controls
  • Gathering additional information
  • Asking a user to validate an action
  • Blocking a suspicious user account
  • Restricting traffic from an IP address

Azure Security Center employs behavioral analytics to uncover patterns and malicious activity, enabling proactive policies to be set in place to help prevent impact from future attacks. Response times are also improved with expanded signal from Azure Security Center's third-party integrations with firewalls and anti-malware engines. While Azure Security Center enables security operations personnel to respond to threats to the enterprise infrastructure, admins can quickly respond to threats to user identities by creating activity policies with Microsoft Cloud App Security (shown in figure 3), which can take the action of suspending a user account when the predefined conditions are met. In our example, the ransomware propagates using the brute force password technique, which requires multiple logins; login failures from a single account are therefore likely, and this can be a trigger for Microsoft Cloud App Security to suspend an account. One of the powerful benefits of Microsoft Cloud App Security is that it extends protection beyond the Microsoft ecosystem. Even if login attempts are made from popular enterprise applications that are not Microsoft client apps, Microsoft Cloud App Security enables admins to respond to the anomalous activity.


Figure 3. Microsoft Cloud App Security General Dashboard

In Microsoft 365, threat response and remediation is offered with Office 365 Threat Intelligence. Using the Threat Explorer feature, security analysts and administrators can search for all instances of potentially malicious emails that may contain ransomware. The back-end is designed for efficient threat investigation and remediation. Emails that are part of a ransomware campaign can easily be discovered using a variety of search filters with the Threat Explorer shown in figure 4. The admin can select all the emails that need to be investigated from a specific sender and choose to take immediate action on potentially malicious emails including: move to junk, move to deleted items, soft delete, hard delete, and move to inbox. Choosing the delete action purges the malicious emails from all tenant mailboxes. There is also the option of creating an incident so that a manager must approve the action.

Figure 4. Office 365 Threat Explorer email remediation actions

Educating end users about ransomware in the modern workplace

We discussed cyber education as an important element for protecting organizations. Having end users who are prepared and informed on spotting potential cyber attacks is a powerful way to prevent attacks from harming an organization. Attack Simulator, shown in figure 5, is a new feature of Office 365 Threat Intelligence currently in public preview. Among several simulations is the Display Name Spear Phishing Attack. Spear phishing is a subset of phishing, aimed at a specific group, individual, or organization and, as we discussed before, a method of spreading ransomware. Attack Simulator harnesses signal from Office 365 Threat Intelligence, which provides visibility into an organization's most targeted and potentially most vulnerable users and enables admins to launch simulated threats targeting those very same users. This provides the most targeted users with training on recognizing phishing emails, which include ransomware, and provides admins visibility on how those users behave during an attack, enabling optimal policy updates and security protocols.

Figure 5. Attack Simulator UI

Since the attack surface of the modern workplace is complex and broad, Attack Simulator will begin to offer simulated attacks made through other attack vectors as it moves from preview to GA. Attack Simulator will help raise user awareness and effectiveness at spotting attacks from all the common attack vectors.

Microsoft 365 threat protection

Microsoft has heavily invested in helping secure our customers for many years by building security into our products from the ground up. In the last few years, as the level of cybercrime has increased, we have also increased our efforts and focus on developing and continuously updating advanced security solutions to protect customers from a wide variety of threats and types of attack. This ransomware scenario is one example of our continued focus on security, which provides end users ultimate protection from modern threats, while giving administrators a powerful set of tools to help protect, detect, respond, and even educate against these threats. Threat protection is only one key aspect of Microsoft 365. Learn more about Microsoft 365 and understand how it can help your organization through its digital transformation journey. Additionally, follow the links below to learn more about the Microsoft 365 threat protection services and experience them by starting a trial.


Use Windows Information Protection (WIP) to help make accidental data leakage a thing of the past

Have you always wished you could have mobile application management (MAM) on Windows?

Now you can!

Windows Information Protection (WIP) is an out-of-the box data leakage prevention feature for Windows 10 that can automatically apply protection for work files and data to prevent accidental data leakage. With 600 million active Windows 10 devices, corporate customers continuing to deploy in earnest throughout 2018, and support for WIP built right into Office 365 ProPlus, its benefits are within easy reach.

Sixty to eighty percent of data leakage is accidental (see ICO data for 2016 and 2017). WIP is a key feature that offers much needed data protection for files at rest on the Windows platform, for any organization with sensitive data, big or small. In today's security ecosystem, companies are spending $93B on security features (enough to host seven Olympic Games!). Yet companies still saw a 29 percent increase in data leakage worldwide between 2016 and 2017. WIP comes as a timely solution.

With Windows 10, Microsoft is providing a fundamental solution to this growing problem. Recognizing that the risk of leak comes from both fully managed devices and personal devices accessing work resources, we designed WIP to be deployed on PC and mobile devices running Windows 10. WIP is designed for organizations of all shapes and sizes, as a scalable solution that works to prevent accidental data leakage for end users.

WIP protects users and organizations from accidental leaks via copy-and-paste, drag-and-drop, removable storage (e.g., USB thumb drives), and unauthorized applications (e.g., non-work cloud storage providers). Windows shell integration appears in clear but unobtrusive ways. Elements like File Ownership are displayed and selectable in Explorer and the File Save As dialog. Helpful briefcase icons mark resources when you are in a work context in places like window title bars and Microsoft Edge's navigation bar. Unauthorized applications are blocked from single sign-in with work credentials. WIP also includes the ability to perform selective wipe of business information, while leaving personal data behind.

WIP has three simple policy enforcement modes. It lets you choose how and whether the user experience in the clipboard, save dialog, and similar data-sharing cases has options (overrides) to move work content to a non-work context. You can decide to Hide Overrides, Allow Overrides for your users, or even deploy in Silent mode just for auditing. Silent mode does not restrict unmanaged apps from opening work data the way Hide Overrides and Allow Overrides do, so you can get away with configuring less, yet still benefit from the BYOD selective wipe capability for your work data, such as data downloaded from OneDrive for Business and Outlook email. This means when you or your user decides to unenroll their work account from their personal device, that work data stops being accessible.

WIP policy can be deployed in a few clicks in Microsoft Intune for MAM-only (without enrollment) targeting, MDM (with enrollment), or both. Being able to apply MAM-only policy will help you finally enable BYOD in regions and situations where fully managing the personal device is unacceptable. For companies that are not yet fully in the cloud, WIP policy can also be set on domain-joined computers using System Center Configuration Manager. Then, when you're ready for co-management, you can move the WIP policy management authority to Microsoft Intune.

Your corporate files can also be automatically encrypted with a local key when downloaded to WIP-managed devices. You can do this by configuring your corporate network boundary. Using network isolation policies, you can identify your LAN and corporate cloud resources, which Edge and other applications will use to recognize work sites and encrypt the data that comes from there. This works even better when combined with Conditional Access controls on Exchange Online and SharePoint Online to ensure that only managed devices can reach that data.

Additionally, WIP Learning lets you see the applications you didn't know were being used with work data. It reports any app not in your policy that tries to access a work resource. You can see this data in Microsoft Intune or your Windows Analytics portal, if you have Azure Log Analytics (formerly Microsoft Operations Management Suite or OMS). WIP Learning allows you to tune your app policy to add legitimate work apps and even detect apps that should not be trying to access work data. Combined with Silent mode, you can deploy and see the immediate benefit of selective wipe control and auditing, while tuning your app list for different deployment groups in preparation for enabling boundary enforcement.

WIP provides a robust and automatic solution for protecting work data coming to the Windows device, but it also pairs well with Azure Information Protection (AIP). AIP adds the ability to control and help secure email, documents, and sensitive data that are shared, even outside your company and in the Azure cloud. WIP, combined with AIP, provides application-level access control capabilities while preventing unauthorized applications from accessing business information at rest and in flight. At the same time, WIP's simple business vs. personal information classification system ensures simplicity and ease of use.

USB flash drives aren't the only way data can leave a device. With the app restrictions on accessing work data, you can use WIP to guide users to use Outlook with their corporate email account to send work attachments, and SharePoint or OneDrive for Business to collaborate on work documents. This lets you enhance your overall data protection with Office DLP outbound rules, email notifications, policy tips, and Office 365 Information Protection for GDPR.

WIP originally shipped in the Windows 10 Anniversary Update (version 1607) and since then, working across Microsoft and with industry, we have made a number of improvements, including:

  1. Support for Office 365 ProPlus, Microsoft Teams, and numerous inbox apps
  2. Simplified management: Intune quick setup, WIP Learning for apps, and Network Boundary policy
  3. Manageable as MAM-only (i.e. without full device enrollment)
  4. Improved Recovery (e.g. data access resumes via re-enrollment or re-adding your work account)
  5. AIP integration to enable roaming data on removable storage (e.g. USB thumb drives)
  6. Support from third-party apps such as Citrix (ShareFile), Dropbox (desktop sync client), Foxit (Reader, PhantomPDF), and WinZip (WinZip 21, WinZip 22)

With all these features available, WIP is easier than ever to deploy and maintain. Enable this fast, robust, user-friendly security solution to help ensure a more effortlessly secure user experience for your organization.

More information on Windows Information Protection (WIP) can be found in the following resources:

The final compliance countdown: Are you ready for GDPR?

On May 25, the General Data Protection Regulation (GDPR) will replace the Data Protection Directive as the new standard on data privacy for all organizations that do business with European Union (EU) citizens.[1] When GDPR goes into effect, government agencies and organizations that control, maintain, or process information involving EU citizens will be required to comply with strict new rules regarding the protection of personal customer data.

GDPR's broad scope and holistic interpretation of personal information leaves these agencies and organizations responsible for protecting a wide range of data types, including genetic and biometric data.[2] Leading up to the GDPR rollout, many companies will be reevaluating their current data storage and sharing methods, and determining whether they need to implement new strategies. More than ever, this regulatory transition highlights the importance of prioritizing a strong and comprehensive security stance within your organization.

According to a recent GDPR benchmarking survey, although 89 percent of organizations have (or plan to have) a formal GDPR-readiness program, only 45 percent have completed a readiness assessment.[3] Regardless of where your organization and its security protocols are in terms of GDPR-readiness, Microsoft can help. Microsoft has been working on GDPR-compliant business and engineering solutions for the better part of a year. Because of our extensive experience developing products with security built in, we've been a leading voice on privacy and GDPR-related issues with EU regulators.

We've turned these conversations and insights into a free, four-part video series. Watch the Countdown: Preparing for GDPR series today to hear from industry experts and learn more about Microsoft's commitment to helping your organization achieve GDPR compliance.

You can also read more about our point of view on this transition as the first hyper-scale cloud vendor to offer GDPR terms and conditions in the enterprise space.

Finally, you are invited to a free May 25th GDPR live webcast, Safeguarding individual privacy rights with the Microsoft Cloud. You'll learn how you can:

  • Use GDPR fundamentals to assess and manage your compliance risk.
  • Help protect your customers’ data with our built-in, intelligent security capabilities.
  • Meet your own compliance obligations by streamlining your processes.


Securing the modern workplace with Microsoft 365 threat protection – part 3

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Detecting ransomware in the modern workplace

Over the last two weeks, we have shared with you the roots of Microsoft 365 threat protection and how Microsoft 365 threat protection helps protect the modern workplace from ransomware. This week, we discuss how Microsoft 365 threat protection helps detect ransomware in the modern workplace. Detection is critical for any best-in-class security solution, especially when the person does not use Microsoft Edge with the benefits of its web protection. In our web-based scenario, the user can access the website through another browser, download the “software update” and infect their machine with ransomware. Microsoft 365 offers detection capabilities across all threat vectors, and figure 1 summarizes the services which help to detect threats.

[Figure 1 content: Ransomware Detection with Microsoft 365: Windows Defender Advanced Threat Protection; Azure Advanced Threat Protection; Microsoft Cloud App Security; Azure Security Center; Office 365 Advanced Threat Protection; Office 365 Threat Intelligence]

Figure 1. Microsoft 365 threat protection helps detect threats to the modern workplace

For example, with ransomware downloads from the web, Windows Defender ATP's (WDATP) next-gen antivirus protection does an initial analysis of the file and sends all suspicious files to a detonation chamber. The file verdict is quickly determined. If a malicious verdict is returned, WDATP immediately begins blocking the threat. Today's most sophisticated ransomware is designed to spread laterally across networks, increasing its potential impact. Fortunately, WDATP enables security operations specialists to isolate machines from the network, stopping threats from spreading. Also, WDATP provides granular visibility into the device ecosystem so that a compromised device can be easily identified. Built-in threat intelligence is leveraged to help detect the latest threats and provide real-time threat monitoring. As we alluded to, signal sharing via the Intelligent Security Graph is a powerful differentiator of Microsoft 365, enabling threat detection across any threat vector. Once WDATP determines the downloaded files are malicious, it shares this signal with the Intelligent Security Graph, enabling our other platforms to become aware of the threat.

The seamless integration, for example, allows admins to pivot directly from the device analysis in WDATP to user profiles in Azure ATP without losing context allowing a detailed investigation of the incident as shown in Figure 2 below.

Figure 2. Signal sharing and event timeline shared between WDATP and Azure ATP

Often, ransomware uses a brute force password method to move laterally through a network, which our Azure ATP service is specifically designed to detect. A brute force password attack may attempt multiple logins until a correct password is used to enter an account. This anomalous behavior would be detected by Azure ATP and, with signals shared from WDATP, the anomaly would be quickly assigned to the ransomware and blocked from being downloaded onto any part of the network (device, user, etc.). Azure ATP enables security operations analysts to investigate the type of intrusions and methods used by attackers to gain privileged access to user identities and provides a clear attack and event timeline. While Azure ATP detects anomalies at the network level, Microsoft Cloud App Security can detect abnormal file and user behavior within native Microsoft cloud apps such as Office 365, as well as third-party cloud applications. To detect ransomware attacks, Microsoft Cloud App Security identifies behavioral patterns that reflect ransomware activity; for example, a high rate of file uploads or file deletion activities, coupled with threat intelligence capabilities, such as the detection of known ransomware extensions. Microsoft Cloud App Security will alert on these abnormalities using anomaly detection policies that provide out-of-the-box user and entity behavioral analytics (UEBA) and machine learning (ML) capabilities, as well as fully customizable activity policies, enabling SecOps to detect these anomalies instantly. Learn more about how Microsoft Cloud App Security and Azure ATP work in tandem to help detect an actual ransomware attack.
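The detection heuristics described here (a burst of failed sign-ins for one account, a high rate of file deletes or uploads, and known ransomware file extensions) and the suspend-the-account response described in part 4 of this series can be expressed as a small activity-policy evaluator. The following is an added illustration, not Microsoft Cloud App Security code; the audit-log format, thresholds, user names and extension list are constructed assumptions for the demo.

```python
"""Toy activity-policy evaluator modelled on the detections described above.

Added example; not Microsoft Cloud App Security code. The log format,
thresholds, user names and file extensions are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a tiny stand-in for a threat-intelligence extension list.
KNOWN_RANSOMWARE_EXTENSIONS = (".locky", ".wncry", ".crypt")

# Policy thresholds (constructed; a real tenant tunes these to its baseline).
BRUTE_FORCE = ("LoginFailed", 5, timedelta(minutes=2))
MASS_DELETE = ("FileDeleted", 20, timedelta(minutes=5))
MASS_UPLOAD = ("FileUploaded", 20, timedelta(minutes=5))


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str       # LoginFailed | LoginSuccess | FileDeleted | FileUploaded
    target: str = ""  # file name for file actions, empty for sign-ins


def parse_events(lines):
    """Parse constructed 'ISO-timestamp,user,action,target' audit lines."""
    events = []
    for line in lines:
        ts, user, action, target = (line.strip().split(",", 3) + [""])[:4]
        events.append(Event(datetime.fromisoformat(ts), user, action, target))
    return sorted(events, key=lambda e: e.ts)


def burst_offenders(events, action, threshold, window):
    """Users performing `action` at least `threshold` times inside any
    sliding `window`; returns {user: timestamp of the first breach}."""
    recent = defaultdict(deque)
    breached = {}
    for ev in events:
        if ev.action != action:
            continue
        q = recent[ev.user]
        q.append(ev.ts)
        while ev.ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and ev.user not in breached:
            breached[ev.user] = ev.ts
    return breached


def ransomware_extension_hits(events):
    """Users uploading files whose name ends in a known ransomware extension."""
    hits = defaultdict(list)
    for ev in events:
        if ev.action == "FileUploaded" and ev.target.lower().endswith(KNOWN_RANSOMWARE_EXTENSIONS):
            hits[ev.user].append(ev.target)
    return dict(hits)


def evaluate_policies(lines):
    """Return {user: sorted list of triggered policy names}."""
    events = parse_events(lines)
    triggered = defaultdict(set)
    policies = {"BruteForceSignIn": BRUTE_FORCE,
                "MassFileDelete": MASS_DELETE,
                "MassFileUpload": MASS_UPLOAD}
    for name, (action, threshold, window) in policies.items():
        for user in burst_offenders(events, action, threshold, window):
            triggered[user].add(name)
    for user in ransomware_extension_hits(events):
        triggered[user].add("RansomwareExtension")
    return {u: sorted(p) for u, p in triggered.items()}


def recommended_action(policies):
    """Map triggered policies to the response the post describes: suspend the
    account on a brute-force or ransomware signal, otherwise alert only."""
    severe = {"BruteForceSignIn", "MassFileDelete", "RansomwareExtension"}
    return "suspend_account" if severe & set(policies) else "alert_only"


# Constructed sample audit log (not real tenant data).
SAMPLE_LOG = (
    ["2018-05-01T09:00:00,alice,LoginSuccess,",
     "2018-05-01T09:00:10,alice,FileDeleted,old-notes.txt",
     "2018-05-01T09:00:20,alice,FileDeleted,draft.docx"]
    # six failed sign-ins for one account within 40 seconds, then a success
    + [f"2018-05-01T09:01:{i * 7:02d},svc-backup,LoginFailed," for i in range(6)]
    + ["2018-05-01T09:01:50,svc-backup,LoginSuccess,"]
    # an encrypted copy is uploaded, then the originals are deleted in a burst
    + ["2018-05-01T09:05:00,bob,FileUploaded,Q1-report.docx.locky"]
    + [f"2018-05-01T09:05:{i + 1:02d},bob,FileDeleted,file{i}.docx" for i in range(25)]
)

if __name__ == "__main__":
    for user, hits in sorted(evaluate_policies(SAMPLE_LOG).items()):
        print(f"{user}: {hits} -> {recommended_action(hits)}")
```

Alice's two deletions stay below the threshold and produce no alert, which is the point of rate-based rather than per-event rules.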

Azure Security Center is also connected with WDATP and provides infrastructure-level alerts, and even provides an investigation path so admins can fully view the threat propagation details. The service includes threat intelligence which maps the threat source and provides the potential objectives of the threat campaign. What happens if an attacker senses that the web-based attack vector is being blocked and pivots to sending the ransomware via email as an attachment download? Microsoft 365 integration is again crucial, as WDATP also shares the signal with Office 365, and once our ransomware is identified by WDATP, Office 365 will begin blocking the threat too. With Office 365 ATP's real-time reporting and Office 365 threat intelligence, admins gain full visibility into all users who receive ransomware via email. Both Office ATP and Office threat intelligence services also track threats found in SharePoint Online, OneDrive for Business, and Teams, so detection extends to the entire Office 365 suite. With Microsoft 365 threat protection, threats can be easily detected no matter how an attack is launched. Figure 3 shows the new Microsoft 365 Security and Compliance Center, which is the hub from where admins can access the information from the different services.

Figure 3. Microsoft 365 Security and Compliance center which connects the Azure, Office 365, and Windows workloads

Next week we conclude our Microsoft 365 threat protection blog series by covering the remediation and education capabilities offered by Microsoft 365 threat protection. We will demonstrate how Microsoft 365 threat protection workloads can help quickly remediate a ransomware attack and also help educate end users on how to behave and react when under attack.


Securing the modern workplace with Microsoft 365 threat protection – part 2

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

Protecting the modern workplace against Ransomware

Last week, we shared the roots of Microsoft 365 threat protection. This week, we want to share how Microsoft 365 threat protection services work together to help organizations protect themselves. Figure 1 is a graphical representation of the Microsoft advanced threat protection services which secure the attack surface.

Figure 1. Microsoft 365 advanced threat protection services work together to protect the modern workplace from attacks.

We continue with our ransomware scenario. Ransomware restricts data access by encrypting the user’s files or locking computers. Victims are required to pay a ransom to regain access to their machine and/or files. Microsoft closely monitors the threat landscape, and our security intelligence provided in figure 2 shows ransomware remains a prevalent and lethal threat type. All forms of ransomware can be launched at an organization through email, the device ecosystem, or through the enterprise infrastructure.

Figure 2. Monthly ransomware and ransomware downloader encounters, July 2016 to June 2017.

With so many different attack vectors, a point service will be unable to mitigate the variety of potential ransomware attacks. Having services that protect specific parts of the attack surface and that can also share signals to alert services protecting other surfaces of the enterprise is the only way to help ensure full and near real-time security. In many ransomware scenarios, users receive an email suggesting a necessary software update which can be done by downloading an attachment. The attachment will contain a trojan downloader which can run a ransomware payload once opened. Figure 3 shows the Microsoft 365 threat protection services which can help protect the modern workplace from ransomware attacks.

[Figure 3 content: Ransomware Protection with Microsoft 365: Windows Defender Advanced Threat Protection; Office 365 Advanced Threat Protection; Azure Security Center]

Figure 3. Ransomware protection services for M365 threat protection.

All Microsoft 365 threat protection users have email protected with Office 365 ATP, which helps stop unknown advanced threats sent via email. Office ATP will detonate all email attachments, determine if the file is malicious, and remove the file before final delivery of the email to a user mailbox. Additionally, Office ATP will assess links at the time of click, both in the body of an email and embedded in attachments, detonating them to determine if they point to a malicious website. Since the attack surface is broad, attacks are often made directly at devices. As such, several new enhancements that help prevent ransomware are built into the latest version of Windows 10, leveraging machine learning and behavior-based technologies that lead the evolution of malware prevention. To directly attack the device, imagine if our attacker creates a website hosting exploit kits containing ransomware. Users visiting the site mistakenly download ransomware directly from the website. In such an event, Microsoft Edge leverages Windows Defender ATP's browser protection capability, which determines if a site is malicious and can block access, helping secure the ransomware entry point. Ransomware attacks also target workloads running in the cloud. Azure Security Center helps provide visibility into your cloud infrastructure, leveraging machine learning backed by the Intelligent Security Graph to provide actionable alerts and recommendations on mitigating such threats, as shown in figure 4. While none of these services alone can protect the entire modern workplace, together as Microsoft 365 threat protection they give organizations confidence that Microsoft helps reduce threats from all vectors. Next week, we'll demonstrate how Microsoft 365 threat protection services help detect ransomware attacks.

Figure 4. The Azure Security Center Dashboard.


First things first: Envisioning your security deployment

This blog post is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 Security solutions. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog Accelerate your security deployment with FastTrack for Microsoft 365.

Every successful project begins with a planning phase and planning a successful Microsoft 365 Security deployment is no different. Before digging into how you will roll out your new security infrastructure, start by asking what you want to achieve from both a business and technical standpoint. We will cover how to Onboard with FastTrack for Microsoft 365 in our next blog post.

Do all end users need anytime, anyplace access of data? Do they require access across all devices, or just selected devices? What data do you need to protect? Are different levels of security required for different users or groups? What about compliance considerations and company policies? Do you want your partners and customers to have secure access? This may not even be an option if government regulations restrict what controls you need to put in place.

FastTrack for Microsoft 365 can help work through these and other critical security planning considerations. FastTrack provides end to end guidance for planning, onboarding, and driving end user adoption for Microsoft 365 which is comprised of Enterprise Mobility + Security (EMS), Windows 10, and Office 365.

Based on thousands of customer experiences, we developed a three-step planning approach: Envision, Onboard, and Drive Value. The Envisioning phase can help you lay the groundwork for an effective security deployment plan.

Envisioning is a systematic way to match Microsoft 365 Security features with relevant company goals. It involves identifying and prioritizing relevant scenarios while learning about the tools and resources available as you plan for your rollout. In many ways, this stage is the most critical part of your journey, as you're setting the business goals you'll measure your success against later.

Your Envisioning Checklist

The following checklist provides a few tips that our FastTrack for Microsoft 365 managers and engineers use to help you get your Envision step underway.

  • Know your goals and scenarios
    Decide what specific products and feature sets you want to enable and why by understanding what they will do for your company and your end users. Here are some examples:

    • Do you plan to secure your cloud resources and force users to provide additional verification to access them? For instance, are you thinking about

      • MFA (Multi-Factor Authentication).
      • Mobile Device Management
      • Azure Active Directory Domain Join
      • App access management

    • Are you considering empowering users to manage their own password resets?
    • Consider how you control admin access to cloud services (like O365), such as permanent rights granted to their account, or requiring MFA for admins.
    • What will be your device management strategy?

      • Which platforms (iOS, Android, Windows, etc.)?
      • Do you have corporate owned devices, will you allow BYOD (Bring Your Own Device), or both?

  • Leverage the resources to build your understanding
    Define the minimum requirements to deploy and determine if those requirements will work on your legacy architecture. You can find product videos, infographics, and demos at Microsoft Docs and FastTrack resources.
  • Map your key stakeholders and influencers
    Determine who will lead your organization's various teams and departments in this transformation, which employees will need special training based on how the new security tools affect their work, and who will own deployment and ongoing operations. FastTrack will use this information to identify the context of your deployment as it maps to your employees.

As you'll discover, Envisioning can quickly add clarity and focus to an otherwise complex security roll-out. Ready to kick off a successful Envisioning process?

Start with a Success Plan

Our FastTrack Success Plan is an online tool that walks you through each step of your Envisioning experience. The Success Plan can be launched by either you or your Microsoft Partner and provides all the guidance and resources you need to plan a successful Microsoft 365 Security deployment. Once completed, the plan also provides you with a clear path to help you get the most out of your FastTrack services. To get started, simply sign in to FastTrack.


Securing the modern workplace with Microsoft 365 threat protection – part 1

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

The roots of Microsoft 365 threat protection

Over the next few weeks, we'll introduce you to Microsoft 365's threat protection services and demonstrate how Microsoft 365's threat protection leverages strength of signal, integration, machine learning, and AI to help secure the modern workplace from a ransomware attack. Previously, we showcased how Office 365 helps mitigate modern phishing attacks. Microsoft 365 threat protection goes even further, providing robust protection, detection, and response capabilities across an organization's entire attack surface. For those not aware, Microsoft 365 was introduced at last year's Microsoft Inspire conference to provide an intelligent, integrated, and secure solution for the modern workplace, combining the benefits of Microsoft's flagship Windows, Office 365, and Enterprise Mobility Suite (EMS) platforms. Figure 1 shows the services which are part of Microsoft 365 threat protection and jointly help secure the modern workplace so organizations can initiate and drive their digital transformation.

Figure 1. The Microsoft 365 threat protection security services

Microsoft is committed to a security first mindset

Microsoft has always been securing products and platforms to protect our customers who rely on our software and cloud services. Our security focus is essential to meet the 24/7 business cycle demands and helps ensure our customers rarely experience downtime from a security event. Microsoft invests $1B+ annually on security, employs 3500+ security professionals, and has built several strong ecosystem partnerships. As the modern workplace grows in complexity, Microsoft continues building and enhancing its security capabilities to help our customers stay ahead of modern threats. Microsoft itself is one of the world's largest enterprises and uses the same security products to protect our organization that we offer our customers.

The Microsoft Intelligent Security Graph

For our teams at Microsoft (both in operations and development), security really begins with the Microsoft Intelligent Security Graph. It is the platform that powers Microsoft security products and services by using advanced analytics to link threat intelligence and security signals from Microsoft and partners to identify and mitigate cyberthreats. Intelligence in the Intelligent Security Graph comes from consumer and commercial services that Microsoft operates on a global scale, such as Windows, Office 365, and Azure, as shown in figure 2. At Microsoft, we have massive depth and breadth of intelligence. Across our global services, each month we scan 400 billion email messages for phishing and malware, process 450 billion authentications, execute more than 18 billion web page scans, scan more than 1.2 billion devices for threats, perform nearly 2.6 billion unique file scans, and cover more than 200 cloud services. Importantly, this data always goes through strict privacy and compliance boundaries before being used for security.

Figure 2. Microsoft's Global Threat Intelligence is one of the largest in the industry

Signal from the graph is analyzed using a combination of Microsoft's industry-leading artificial intelligence and machine learning capabilities, coupled with the expertise of security researchers, analysts, hunters, and engineers across the company, to quickly identify attacks and emerging trends so that we can evolve the immediate detections and capabilities of Microsoft 365. All our security capabilities leverage the graph, including the threat protection services comprised of Windows Defender Advanced Threat Protection (WDATP), Office 365 Advanced Threat Protection (ATP), Office 365 Threat Intelligence, Microsoft Cloud App Security, Azure Security Center, and the newly launched Azure Advanced Threat Protection (Azure ATP).

These threat protection services also share threat signal with each other through the graph, and this signal sharing enables each service to leverage threat data not only from the threats blocked by that service but from threats across the entire threat landscape. While this post uses the example of a sophisticated ransomware attack, customers who leverage the entire Microsoft 365 threat protection stack will have near real-time protection from many types of new and unknown threats (e.g. 0-days, advanced phishing, advanced malware, etc.) for their device ecosystem, Office 365 ecosystem, and cloud, on-premises, or hybrid infrastructures by leveraging the Intelligent Security Graph.

Microsoft 365 threat protection

The modern workplace is exposed to the rapid evolution of cyber threats, from individual threats, to sophisticated organizational breaches, to rapid cyberattacks. With the growing complexity of the modern workplace, the attack surface has rapidly expanded, to a point where no single service can adequately protect an organization. To address this, we focused on developing different services that specialize in the main threat vectors and then integrating them together via the Intelligent Security Graph. The modern workplace is composed of employee identities, enterprise applications and data, devices, and infrastructure. Microsoft 365 threat protection helps mitigate advanced threats from each of these potential threat vectors, providing an end-to-end, holistic solution securing an organization's entire attack surface, enabling:

  • Protection: against advanced threats such as 0-days, targeted phishing, ransomware, and others
  • Detection: when a breach has occurred, who has been breached, and what data has been compromised
  • Response: remediate an attack and return the organization to a no-threat state
  • Education: end users learn how to react or respond to different types of threats

While most security solutions do not include an educational component, we have seen that many of our customers now help educate their end users on how to react and behave in the event of a cyberattack. To help address this important aspect of security, we now offer tools that can help educate end users. While the majority of attacks are still initiated via email, 2017's most destructive attacks, NotPetya and WannaCry, were not email based. One of the benefits of Microsoft 365 threat protection is seamless integration that enables rapid transfer of information across platforms and services to help ensure all attack surfaces are quickly secured no matter where a threat originates. Over the next few weeks, we will cover Microsoft 365 and how to enable (1) Protection, (2) Detection, (3) Response and Education. Next week, we'll demonstrate how Microsoft 365 threat protection helps organizations protect an enterprise from a ransomware attack.


Connect to the Intelligent Security Graph using a new API

Most organizations deal with high volumes of security data and have dozens of security solutions in their enterprise, making the task of integrating various products and services daunting and complex. The cost, time, and resources necessary to connect systems, enable correlation of alerts, and provide access to contextual data is extremely high. These challenges hinder the ability for organizations to move quickly when detecting and remediating threats in a world of fast-moving, disruptive attacks.

By connecting security data and systems, we can gain an advantage over today's adversaries. At Microsoft, our security products are powered by the Intelligent Security Graph, which synthesizes massive amounts of threat intelligence and security signals from across Microsoft products, services, and partners using advanced analytics to identify and mitigate cyberthreats. This week at the RSA conference, we announced the public preview of a Security API that empowers customers and partners to build on the Intelligent Security Graph. By connecting security solutions and integrating with existing workflows, alerts and contextual information from multiple solutions can be easily consolidated and correlated to inform threat detection, and actions can be taken to streamline incident response. The unified API will make these connections easier by providing a standard interface and uniform schema to integrate and correlate security alerts from multiple sources, enrich investigations with contextual data, and automate security operations for greater efficiency.

The Security API is part of the Microsoft Graph, which is a unified REST API for integrating data and intelligence from Microsoft products and services. Using Microsoft Graph, developers can rapidly build solutions that authenticate once and use a single API call to access or act on security insights from multiple security solutions. Additional value is uncovered when you explore the other Microsoft Graph entities (Office 365, Azure Active Directory, Intune, and more) to tie business context with your security insights.

This public preview supports API access to alerts from Azure Security Center and Azure Active Directory Identity Protection, with Intune and Azure Information Protection coming soon. We are also announcing support for high-volume streaming of alerts to a SIEM through Security API integration with Azure Monitor. This will enable seamless ingestion of alerts from multiple sources directly into a SIEM. Over the coming months, we'll add many more Microsoft and partner security solution integrations as data providers. We will also add new capabilities that unlock new security context through Security Inventory and take actions to automate security operations through the same Security API.

Enabling ecosystem partners

The Security API opens up new possibilities for integration partners to build with the Intelligent Security Graph. Partners can not only consume security insights from the Graph but they can allow their alerts, context, and automation to be enabled in the Graph at peer level with integrated Microsoft products. By forming a connected, extended ecosystem of security technologies, Microsoft and partners can deliver better protections for our customers. Some partners have already onboarded to the Security APIs and many other integrations are in progress:

Anomali integrates with the Security API to correlate alerts from Microsoft Graph with threat intelligence, providing earlier detection and response to cyber threats.

"The Security Graph API allows us to receive not only actionable alert information but allows security analysts to pivot and enrich alerts with asset and user information."
– Colby DeRodeff, Co-founder and Chief Strategy Officer of Anomali

Palo Alto Networks can enrich alerts from Microsoft Graph Security with threat intelligence, speeding up detection and prevention of cyberattacks for our shared customers.

"The adoption of public clouds is accelerating, but so is the threat level to the applications and data inside organizations. Today's announcement of the Microsoft Graph Security API sets the stage for expanding the built-in security features we can offer our joint customers and to help organizations safely embrace the cloud."
– Andy Horwitz, Vice President, Business and Corporate Development, Palo Alto Networks

PwC uses alerts and context from Microsoft Graph in its Secure Terrain solution to deliver improved visibility and protection.

"The integration with Secure Terrain offers users a streamlined way to investigate Microsoft Graph alerts in the context of the broader enterprise and perform threat hunting investigations."
– Christopher Morris, Principal at PricewaterhouseCoopers

Building intelligent security applications

Customers, managed service providers, and technology partners, can leverage the Security APIs to build and integrate a variety of applications. Some examples include:

  • Custom security dashboards. Surface rich alerts in your custom Security Operations Center dashboards: streamline alerts and add contextual information about related entities
  • Security operations tools. Manage alerts in your ticketing, security, or IT management system: keep alert status and assignments in sync and automate common tasks
  • Threat protection solutions. Correlate alerts and contextual information for improved detections, and take action on threats: block an IP on a firewall or run an AV scan
  • Other applications. Add security functionality to non-security applications: HR, financial, and healthcare apps
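The consolidation and correlation the post describes (uniform alert schema across providers, and the "correlate alerts and contextual information" application above) can be sketched in a few dozen lines. This is an added example, not Microsoft's code: the field names follow the Graph Security alert resource, the `/v1.0/security/alerts` endpoint is assumed (the 2018 preview served the same shape under `/beta`), and the alerts below are constructed sample data.

```python
"""Consolidate Microsoft Graph Security alerts and correlate them by shared entity.

Added example, not Microsoft's code. Field names follow the Graph Security
'alert' resource (id, severity, status, eventDateTime, vendorInformation.provider,
userStates[].userPrincipalName, hostStates[].fqdn). SAMPLE_ALERTS is constructed.
"""
import json
import urllib.request
from collections import defaultdict

# Assumption: the GA endpoint; the preview announced here lived under /beta.
GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


def fetch_alerts(access_token, top=50):
    """Pull alerts with a bearer token (SecurityEvents.Read.All). Not used offline."""
    req = urllib.request.Request(
        f"{GRAPH_ALERTS_URL}?$top={top}",
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


# Constructed sample alerts: an Identity Protection alert (provider "IPC") and a
# Security Center alert (provider "ASC") that both name the same user, one
# unrelated ASC host alert, and one already-resolved alert that must be ignored.
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Sign-in from anonymous IP", "severity": "medium", "status": "newAlert",
     "eventDateTime": "2018-04-16T08:00:00Z", "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "Alice@contoso.example", "logonIp": "203.0.113.7"}], "hostStates": []},
    {"id": "a2", "title": "Suspicious process on VM", "severity": "high", "status": "inProgress",
     "eventDateTime": "2018-04-16T08:30:00Z", "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "alice@contoso.example"}],
     "hostStates": [{"fqdn": "vm-web-01.contoso.example", "privateIpAddress": "10.0.1.4"}]},
    {"id": "a3", "title": "Failed SSH brute force", "severity": "low", "status": "newAlert",
     "eventDateTime": "2018-04-16T09:00:00Z", "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"},
     "userStates": [], "hostStates": [{"fqdn": "vm-db-02.contoso.example"}]},
    {"id": "a4", "title": "Closed alert", "severity": "high", "status": "resolved",
     "eventDateTime": "2018-04-15T12:00:00Z", "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"},
     "userStates": [], "hostStates": [{"fqdn": "vm-web-01.contoso.example"}]},
]


def entities(alert):
    """Return the set of (kind, value) entities an alert names, case-normalised."""
    ents = set()
    for user in alert.get("userStates") or []:
        upn = (user.get("userPrincipalName") or "").lower()
        if upn:
            ents.add(("user", upn))
    for host in alert.get("hostStates") or []:
        fqdn = (host.get("fqdn") or "").lower()
        if fqdn:
            ents.add(("host", fqdn))
    return ents


def correlate(alerts):
    """Group unresolved alerts that share a user or host, across providers.

    Union-find keyed by alert id; returns incidents ordered by highest severity,
    then by alert count, each listing the providers that contributed.
    """
    open_alerts = [a for a in alerts if a.get("status") != "resolved"]
    parent = {a["id"]: a["id"] for a in open_alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # entity -> id of the first alert that named it
    for alert in open_alerts:
        for ent in entities(alert):
            if ent in first_seen:
                ra, rb = find(first_seen[ent]), find(alert["id"])
                if ra != rb:
                    parent[ra] = rb
            else:
                first_seen[ent] = alert["id"]

    groups = defaultdict(list)
    for alert in open_alerts:
        groups[find(alert["id"])].append(alert)

    incidents = []
    for members in groups.values():
        members.sort(key=lambda a: a["eventDateTime"])
        worst = max(members, key=lambda a: SEVERITY_RANK.get(a["severity"], 0))
        incidents.append({
            "alert_ids": [a["id"] for a in members],
            "providers": sorted({a["vendorInformation"]["provider"] for a in members}),
            "max_severity": worst["severity"],
            "entities": sorted(set().union(*(entities(a) for a in members))),
        })
    incidents.sort(key=lambda i: (-SEVERITY_RANK.get(i["max_severity"], 0), -len(i["alert_ids"])))
    return incidents


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_ALERTS), indent=2))
```

Run against `fetch_alerts(token)` instead of `SAMPLE_ALERTS`, the same grouping turns the raw alert feed into per-user and per-host incidents spanning Identity Protection and Security Center.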

Get started today:

Join us at the Microsoft booth, N3501 in the north expo hall, at RSA Conference 2018 in San Francisco. You'll get the chance to speak to experts and see how our partners are using the API.

To learn more and get started today with using the Microsoft Graph Security API, check out the following resources:


Microsoft to deliver new products and strategies for security innovation at 2018 RSA Conference

At the 2018 RSA Conference, our senior leaders will dissect modern cyber defense strategies, and reveal new products to detect and block cyber attacks when they happen. Our objective is to arm business, government and consumers with deeply integrated intelligence and threat protection capabilities across platforms and products. To this end, we have much to share, joining tech giants and top security leaders and pioneers to expand the frontlines of cyber defense.

The theme of this year's RSA Conference is Now Matters, a nod to the pressure and urgency to protect governments, economies, and the nearly half of the world's population who connect to the Internet. Microsoft President Brad Smith keynotes a valuable session, The Price of Cyber Warfare, detailing a new reality that emerged for people and infrastructure from the WannaCry and NotPetya attacks.

In addition to the keynote, several of our senior leaders will host the following industry leading sessions:

Within these sessions, we will preview our new products and strategies, dive into IoT, and explore commercial scenarios that touch the gig economy.

Join us at booth 3501 in the North Expo, which will be stocked with rich content and product experts to help answer your questions, including anything from our recently released Microsoft Security Intelligence Report. The booth schedule is also loaded with engaging demo stations showcasing identity and access management, information protection, threat protection, security management, GDPR and compliance solutions, and the Intelligent Security Graph. We're also holding a variety of presentations on key topics in our booth, such as:

  • Windows Defender ATP: Unified platform for endpoint security
  • Anti-phish Technologies to Protect Your Office 365 Environment
  • Our Journey to a World without Passwords with Windows Hello
  • Secure IaaS Deployments Using Microsoft Azure Security Center
  • Simplify Compliance with Compliance Manager

Stop by our booth 3501 in the North Expo any time to view these demos and presentations, or visit to help plan your conference schedule. Be sure to check back on the Microsoft Secure blog to get more information on the Microsoft announcements as they take place and for post-RSA content.


Join Microsoft for a security in a day workshop

Let’s talk about an integrated security experience. Many of our customers are in various stages of cybersecurity maturity:


  • Firefighting
  • No formal security program


  • Point solutions/tools for basic controls
  • Pockets of expertise


  • Aligned to frameworks
  • Documented controls
  • Begins to integrate signals for faster response


  • Intelligence driven response and recovery
  • Organization wide emphasis
  • C-suite sponsorship


  • Continuous improvement through innovation
  • Aims to be predictive
  • Trusted intel sharing

But what is the goal at the end of the day as you move up the maturity model? Some people may say "to be secure." The problem with that is there is no checkbox for "you are secure." So, the question customers must ask themselves is, am I secure enough? If you look at the security model and say, no, I'm not mature enough, I'm not predictive enough – how can I improve that? Then there is an almost limitless number of investments you can make into security. But how do you know where to invest, and what is the real strategy behind those investments?

One of the frameworks you can take up is to switch the question from a defender's dilemma into an attacker's dilemma and ruin the attacker's economic model. There are a few components you can put together to drive that outcome.

Break the known attack playbook

To decide where to make the investments, you can try to be predictive and see what some of the known attack playbooks (e.g. phishing, ransomware) are in use and break them down. Take a look at the opportunities to disrupt those plays. Can you identify what that play is and how to disrupt it? Different plays require different options so that you can proactively take the time to raise the cost to the attacker.

Agile response & recovery

If the attacker gets past the first line of defense, have a next line of defense that's ready. Assume breach as an approach to thinking like the attacker. Start by proactively identifying the targeted asset: what is the threat to your company? What are the attack vectors your company is most vulnerable to? What are the trends you are seeing? You can then start to answer how to set up your response and recovery against those playbooks in an intelligent and holistic way.

Eliminate other attack vectors

This can be done as you're able to over time, or you can pivot very quickly towards future attacks. The better you get at the first two pieces, the more components you have in play to complete the puzzle and get here. Nobody really knows what those other attack vectors may be, but being very solid in breaking the known attack playbook and in agile response and recovery will help set you up for success, because similar components may be used.

Where do I start?

We have a series of Security in a Day Workshops in April and June (schedule for June coming soon) at our local Microsoft Technology Centers where you can spend the day digging into different risk profiles and learn how to strategize your move up the maturity model. Our Microsoft Security partners will cover the why, the how, and strategies to dig into the attack profiles and how to mitigate those risks so that you can build your integrated security experience. Find a local event near you or click on the link down below:

Chicago, April 11th, 2018
Reston, April 11th, 2018
New York, April 12th, 2018
Bellevue, April 12th, 2018
Philadelphia, April 17th, 2018
San Francisco, April 18th, 2018
Irvine, April 26th, 2018


Security baselines should underpin efforts to manage cybersecurity risk across sectors

This post is authored by Angela McKay, Director of Cybersecurity Policy, and Amanda Craig, Senior Cybersecurity Strategist, CELA.

Organizations are leveraging technology to transform their operations, products, and services, and governments are increasingly focusing on how to enable such dynamic change while also managing risks to their critical infrastructure, economies, and societies. Across sectors and regions, they're developing, updating, and gathering feedback on cybersecurity policies and legislation, aiming to build resiliency into their nations' approaches to digital transformation.

Industry and governments must collaborate to build a more resilient ecosystem. In sharing lessons learned from operating across diverse environments, global companies can accelerate efforts to protect global infrastructure and technology. Similarly, by leveraging lessons learned through not only their own experiences but also those of industry, governments can ensure their efforts to enhance resiliency are both practicable and effective. This mutual collaboration through public-private partnerships can help to drive meaningful outcomes, which will continue to be critical to improving collective cybersecurity defense and responding to evolving threats.

On March 27, 2018, Microsoft demonstrated its commitment to this mission by joining with five other companies to launch the Coalition to Reduce Cyber Risk (CR2), a global, cross-sector group that will partner with governments to advance cyber risk management. Collaboration with leaders from other sectors and regions will highlight how cybersecurity impacts the global, interdependent economy. It will also provide unique insights as CR2 contributes to governments efforts.

Today, we are further pursuing this mission by publishing a whitepaper on the role of security baselines, a set of foundational activities through which organizations can advance cyber risk management. We advocate for baselines that engage executives and embed flexibility, enabling organizations' security capabilities and investments to evolve with rapidly changing threats. We also advocate for baselines that are applicable across sectors and regions.

Cross-sector, globally relevant security baselines are increasingly essential because they address the reality that interdependencies between sectors and regions are significant and growing, fuelled by regional and global economic integration and by the horizontal growth of technology across previously unrelated vertical sectors. Today's cybersecurity threats, risk mitigations, and infrastructure operations are unlikely to be confined to just one sector or region, creating a need for interoperability across sectoral approaches and jurisdictions.

There are some existing examples of cross-sector, globally relevant security baselines that engage executives and embed flexibility in risk management. In particular, the recently published ISO/IEC 27103 is relevant across sectors and geographies, based on risk management principles, and grounded in a flexible approach. Specifically, it integrates an outcomes-focused approach with controls-based ISO/IEC references that are supported globally and used by different sectors.

Governments that are cognizant of sectoral and geographic interdependencies while developing or updating security baselines could make progress in managing risk while supporting growth within their domestic infrastructure and economy. In addition, governments that engage technology providers, business leaders, critical infrastructure operators, and civil society organizations while developing or updating baselines will have more seamless implementation of cybersecurity policies.

Through CR2 and in direct engagements, we look forward to the opportunity to continue to partner with governments, others in industry, and other stakeholders to build or update security baselines. In our experience, around the world, cybersecurity policies built through partnerships are likely to operate more consistently and predictably, not only helping cybersecurity but also giving businesses, innovators, and citizens the confidence they need to make the most of technology and innovation.


Take these steps to stay safe from counterfeit software and fraudulent subscriptions

This post is authored by Matt Lundy, Assistant General Counsel, Microsoft.

Software piracy and fraudulent subscriptions are serious, industry-wide problems affecting consumers and organizations around the world.

In 2016, 39 percent of all software installed on computers was not properly licensed, according to a survey conducted by BSA and The Software Alliance. And each year, tens of thousands of people report to Microsoft that they bought software that they later learned was counterfeit.

What can appear to be a too-good-to-be-true deal for a reputable software program, can in fact be a counterfeit copy or a fraudulent subscription. In many cases, such illegitimate software downloads may also be riddled with malware including computer viruses, Trojan horses, spyware, or even botware, designed to damage your computer, destroy your data, compromise your security, or steal your identity. And in the world of cloud computing, where many applications are often delivered as a subscription service, consumers could be unwittingly sending payments to cybercriminals, unaware that cybercriminals selling fraudulent subscriptions will not provide needed administrative support.

Curbing the proliferation of software piracy

Cybercriminals are always looking for ways to trick consumers, and the outcome can be costly. According to a report released by the Ponemon Institute in 2017, the average cost of cybercrime globally climbed to $11.7M per organization, a staggering 62 percent increase over the last five years. And a recent Juniper Research report, Cybercrime & the Internet of Threats 2017, states that "the estimated cost to the global economy as a result of cybercrime is projected to be $8 trillion by 2022."

How do cybercriminals deceive consumers? There are many ways. One common technique is to set up a fake website that falsely claims the software subscriptions or copies offered for sale on the site are legitimate. Sophisticated cybercriminals go to great lengths to make their websites look authentic to trick consumers into buying fraudulent subscriptions or counterfeit software.

For decades, through partnerships with industry, governments, and other agencies, Microsoft has been working to fight software counterfeiting and to protect consumers from the dangers posed by this and other types of cybercrime. Today, Microsoft's Digital Crimes Unit (DCU), a unique group of cybercrime-fighting investigators, analysts, and lawyers, works globally to detect and prevent fraud targeting our customers. Our priority is to protect our customers and help create a secure experience for everyone. One of the key ways we do this is to work with law enforcement and other organizations to bring the perpetrators of cybercrime to justice.

In addition to the innovative technology and legal strategies that the Microsoft DCU uses to combat counterfeit products and fraudulent subscriptions globally, the company also aims to raise awareness of this issue among consumers and help protect them from the risks associated with counterfeit software and fraudulent subscriptions.

Protect yourself from software piracy and fraud

While software companies and law enforcement are working to curb cybercriminals' ability to counterfeit and sell software and services, consumers can help protect themselves by remaining vigilant and only purchasing through legitimate sources. In addition, if you do come across illegitimate sources or you discover you have inadvertently purchased suspected counterfeit Microsoft software, report your experiences to Microsoft.

Here are a few useful Microsoft resources to help you protect yourself from inadvertently purchasing counterfeit software or fraudulent software subscriptions as well as resources in case you think you may have done so:



Accelerate your security deployment with FastTrack for Microsoft 365

This blog is part of a series that responds to common questions we receive from customers about Microsoft 365 Security and Enterprise Mobility + Security. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization. In part one of this series, we outlined Tips for getting started on your security deployment.

Microsoft has a service designed specifically to help you deploy and drive adoption of Microsoft Security across your organization: FastTrack for Microsoft 365.

FastTrack is included with your subscription and gives you access to Microsoft engineers and managers in 13 different languages to support your deployments. With more than 40,000 new customers deployed, FastTrack has experience and best practices that can really help make your deployment smoother, as our customer success stories can attest. FastTrack follows a proven and highly recommended model, comprised of stages for envisioning, deploying, and driving adoption, that can be applied at any point of your deployment journey.

FastTrack also has a track record of success with customers:

  • 38 percent reduction in time to onboard
  • 3.5x increase in active usage
  • 67 percent increase in satisfaction

We saw what Microsoft was putting into Intune and saw that it could protect our data while helping us remain productive, and that it would grow with our future needs. And the other thing was the magnitude of positive experience and support from the FastTrack Center.
– Willem Bagchus: Messaging and Collaboration Specialist, United Bank


We’re thrilled with what we are hearing from customers and learning through FastTrack. Here’s a sampling of some of the best practices FastTrack has developed for driving a successful deployment of Microsoft Security:

  1. Take time at the outset to envision your success: Know your goals and key scenarios you want to enable, familiarize yourself with the products, map key stakeholders, and influencers, tackle quick wins, build a communications plan, and remember the end user.
  2. Deploy and realize your vision thoughtfully: Test and pilot thoroughly, have a migration strategy, and get experts to help with the tough questions.
  3. Drive adoption across your organization with great communications: Hold launch events, provide trainings, encourage ongoing engagement and thoroughly communicate the changes (and how users can get started) through assets like an FAQ, posters, brown bags, etc.

Of course, there are far too many tips, nuances, and best practices to list here; you'll get far more when you reach out to the FastTrack team directly.

To recap, Microsoft 365 Security, including Office 365, Windows 10 and EMS, is a critical part of your organizational security strategy and FastTrack for Microsoft 365 provides the optimum deployment and adoption support. Get started on your journey today with a request for assistance from the FastTrack security page.


Microsoft Security Intelligence Report volume 23 is now available

As security incidents and events keep making headlines, Microsoft is committed to helping our customers and the rest of the security community to make sense of the risks and offer recommendations. Old and new malware continues to get propagated through massive botnets, attackers are increasing focus on easier attack methods such as phishing, and ransomware attacks have evolved to be more rapid and destructive. The latest Microsoft Security Intelligence Report, which is now available for download at, dives deep into each of these key themes and offers insight into additional threat intelligence.

The report, which is based on Microsoft's analysis of on-premises systems and cloud services, focuses on threat trends since February 2017. Anonymous data sources for the report come from consumer and commercial on-premises systems and cloud services that Microsoft operates on a global scale, such as Windows, Bing, Office 365, and Azure. At Microsoft, we have massive depth and breadth of intelligence. Across these services, each month we scan 400 billion email messages for phishing and malware, process 450 billion authentications, execute more than 18 billion web page scans, and scan more than 1.2 billion devices for threats.

Here are three key themes from the report:

Botnets continue to impact millions of computers globally.
In November 2017, as part of a public/private global partnership, Microsoft disrupted the command-and-control infrastructure of one of the largest malware operations in the world, the Gamarue botnet. Microsoft analyzed over 44,000 malware samples, which uncovered the botnet's sprawling infrastructure, and discovered that Gamarue distributed over 80 different malware families. The top three malware classes distributed by the Gamarue botnet were ransomware, trojans, and backdoors. The disruption resulted in a 30% drop in infected devices in just a three-month period.

Easy-mark methods like phishing are commonly used by cybercriminals.
As software vendors incorporate stronger security measures into their products, it is becoming more expensive for hackers to successfully penetrate software. By contrast, it is easier and less costly to trick a user into clicking a malicious link or opening a phishing email. In 2017 we saw low-hanging-fruit methods such as phishing being used to trick users into handing over credentials and other sensitive information. In fact, phishing was the top threat vector for Office 365-based threats during the second half of 2017. Other low-hanging fruit for attackers are poorly secured cloud apps. In our research, we found that 79% of SaaS storage apps and 86% of SaaS collaboration apps do not encrypt data both at rest and in transit.

Ransomware remains a force to be reckoned with.
Money is ultimately what drives cybercriminals, so extorting cryptocurrency and other payments by threatening potential victims with the loss of their data remains an attractive strategy. During 2017, three global ransomware outbreaks (WannaCrypt, Petya/NotPetya, and BadRabbit) affected corporate networks and impacted hospitals, transportation, and traffic systems. We found that the region with the greatest number of ransomware encounters was Asia. The ransomware attacks observed last year were very destructive and moved at an incredibly rapid pace. Because of the automated propagation techniques, they infected computers faster than any human could respond and they left most victims without access to their files indefinitely.

A key insight in the report is that these threats are interrelated. For example, ransomware was one of the most prominent types of malware distributed by the Gamarue botnet. Another example is that cybercriminals are attempting to take advantage of legitimate platform features to attach a ‘weaponized’ document (for example, a Microsoft Office document) containing ransomware in a phishing email.

What can be done in the enterprise? Following standard information security practices, such as keeping software and security solutions up-to-date, is important. The proliferation of low-cost attack methods such as social engineering is a reminder of the importance of security awareness training for employees to keep them apprised of latest phishing techniques. The report covers more detailed recommendations.

Research and engineering teams from Windows Defender, Office, Azure, Bing, the Microsoft Digital Crimes Unit, and others generously contributed their findings and insights to this Security Intelligence Report. You can download it today at

Finally, tune into our webcast on April 10, 2018 at 10am PDT: Microsoft Security Intelligence Report Volume 23: Breaking Botnets and Wrestling Ransomware, where we'll do a deep dive on the insights from the Security Intelligence Report and discuss recommendations on how to protect your organization. Register today.

For our perspectives on additional trending threats and topics, check out the Microsoft Secure Blog, and the Microsoft Security site to learn about Microsoft’s enterprise cybersecurity solutions.


How Office 365 protects your organization from modern phishing campaigns

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security.

We often allude to the benefits of having an integrated threat protection stack in Office 365. Today we wanted to take the opportunity to walk you through how the combined features and services in the Office 365 threat management stack help your organization protect, detect, and respond to a potential phishing attack. Phishing is the term for socially engineered attacks designed to harvest credentials or personally identifiable information (PII). Attackers use a variety of strategies to make the recipient believe the email is coming from a legitimate source. Phish emails often convey a sense of urgency to the recipient to take an action described in the email. We see phishing emails come in a variety of forms including:

  • Spoofing: where the sending domain matches a legitimate business
  • Impersonation: of users, domain, and brands (where emails are crafted to look like they are coming from specific users, domains and brands)
  • Content Based Attacks: emails contain malicious links or attachments

In this post, we'll review how Office 365 threat protection services provide holistic end-to-end protection against today's most sophisticated phishing campaigns.

End-to-end security focus

The Office 365 threat protection stack combines a rich set of features designed to prevent phishing attacks, as well as capabilities offered to security teams that more effectively and efficiently enable detection and response to phishing attacks. Our services help:

  1. Protect: set up and configure Office 365's security services to keep end users secure.
  2. Detect: determine if a threat has entered the tenant and who or what was impacted.
  3. Respond: remediate a threat or attack to return your tenant to a safe, no-threat state.


Our protection investments begin with a view to eliminating attacks before they impact your organization. Office 365 offers a rich, robust, comprehensive, and multi-layered solution to address phish attacks. Figure 1 shows the Anti-Phish stack leveraged by Office 365. During the mail-flow protection stage, all emails must pass our authentication, which includes the explicit anti-spoof frameworks SPF, DMARC, and DKIM. Emails must also pass implicit authentication built on additional machine learning models which determine email authenticity. Additionally, our newly launched anti-impersonation features are designed to flag highly targeted and advanced spear-phishing emails. Content in the form of attachments, links, and images is examined. Further, attachments and links are detonated and examined for malicious content. Soon we will launch internal safe links, enabling protection from compromised user accounts.

Figure 1. Office 365 threat protection anti-phish stack
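To make the explicit authentication step above concrete, here is an added example (not Office 365 code, and not the page author's) that parses an Authentication-Results header in the form a receiving gateway writes it (RFC 8601 syntax) and applies DMARC relaxed alignment (RFC 7489) against the visible From: domain. Both sample messages, the gateway name mx.example.net and every domain are constructed; the organizational-domain helper assumes the last two labels instead of consulting the Public Suffix List.

```python
"""Parse a gateway's Authentication-Results header and apply DMARC relaxed
alignment to the visible From: domain. Added example for illustration, not
Office 365 code; all hosts, domains and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed message: SPF and DKIM both pass, but for the bulk mailer's domain,
# not for the domain shown in From:, so the message is not DMARC-aligned.
SPOOFED_MESSAGE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk.mailer-example.com;
 dkim=pass header.d=mailer-example.com header.s=sel1
From: "Accounts Payable" <ap@contoso-example.com>
To: finance@example.net
Subject: Urgent: overdue invoice

Please open the attached invoice.
"""

# Constructed message: a subdomain of the From: organizational domain sends and signs it.
ALIGNED_MESSAGE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=news.contoso-example.com;
 dkim=pass header.d=contoso-example.com header.s=sel2
From: "Contoso News" <news@contoso-example.com>
To: someone@example.net
Subject: Monthly update

Hello.
"""


def org_domain(domain):
    """Organizational domain used for relaxed alignment. Assumption: the last two
    labels; production code would consult the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header):
    """Turn 'authserv-id; method=result prop=value ...; ...' into {method: {...}}."""
    results = {}
    for clause in header.split(";")[1:]:      # element 0 is the authserv-id
        parts = clause.split()                # also swallows header-folding whitespace
        if not parts:
            continue
        method, _, result = parts[0].partition("=")
        props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        results[method.lower()] = {"result": result.lower(), **props}
    return results


def dmarc_verdict(raw_message):
    """Return the SPF/DKIM results, their alignment with From:, and a DMARC verdict.
    DMARC passes when at least one authenticated identifier aligns with From:."""
    msg = message_from_string(raw_message)
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    spf = results.get("spf", {})
    spf_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]   # address or bare domain
    spf_aligned = (bool(from_domain) and spf.get("result") == "pass"
                   and org_domain(spf_domain) == org_domain(from_domain))

    dkim = results.get("dkim", {})
    dkim_aligned = (bool(from_domain) and dkim.get("result") == "pass"
                    and org_domain(dkim.get("header.d", "")) == org_domain(from_domain))

    return {
        "from_domain": from_domain,
        "spf": spf.get("result", "none"),
        "dkim": dkim.get("result", "none"),
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("aligned", ALIGNED_MESSAGE)):
        print(label, dmarc_verdict(raw))
```

The spoofed sample is the case the paragraph warns about: SPF and DKIM each say "pass", yet neither authenticated identifier belongs to the organization shown in From:, so the alignment check is what turns two passes into a DMARC failure.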

Office 365 threat protection also offers organizations the ability to train users to be more vigilant against the variety of threat scenarios that impact organizations. Attack Simulator is a new feature in public preview, offered to Office 365 Threat Intelligence customers. One of the initial threat simulations available in Attack Simulator is a Display Name Spear Phishing Attack. Spear phishing is a subset of phishing attacks which is targeted, often aimed at a specific group, individual, or organization. These attacks are customized and tend to leverage a sender name or common domain that creates trust with the recipient. Attack Simulator harnesses signal from Office 365 Threat Intelligence, which provides visibility into an organization's most targeted and potentially most vulnerable users, and enables admins to launch simulated threats targeting those very same users. This provides the most targeted users with training on how to recognize phish emails and provides admins visibility on how those users behave during an attack, enabling optimal policy updates and security protocols. Figure 2 shows an example of a simulated phish email created with Attack Simulator.

Figure 2. Example spear phishing email created with Attack Simulator
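The display-name spear phishing pattern described above can also be checked on the receiving side. The following is an added example, not Office 365's anti-impersonation feature and not the page author's code: it flags a From: header whose display name matches a protected user but whose address is not that user's, a sender domain that closely resembles a protected domain, or a display name that embeds a protected-domain address. The protected users, domains, sample headers and the 0.85 similarity threshold are all constructed assumptions.

```python
"""Receiving-side impersonation checks on a From: header.
Added example, not Office 365's anti-impersonation feature; the protected users,
domains, sample headers and the similarity threshold are constructed assumptions."""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed: people and domains the organization wants to protect from impersonation.
PROTECTED_USERS = {"Jane Doe": {"jane.doe@contoso-example.com"}}
PROTECTED_DOMAINS = {"contoso-example.com"}
SIMILARITY_THRESHOLD = 0.85   # assumption; tune against real mail flow


def normalize_name(name):
    """Lower-case, drop punctuation that gets shuffled ('Doe, Jane'), sort the words."""
    words = name.lower().replace(",", " ").replace(".", " ").split()
    return " ".join(sorted(words))


def domain_similarity(a, b):
    """0.0 .. 1.0 similarity of two domain strings (difflib ratio)."""
    return SequenceMatcher(None, a, b).ratio()


def impersonation_findings(from_header):
    """Return a list of human-readable findings; an empty list means no signal."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rpartition("@")[2]
    findings = []

    # 1. Display-name impersonation: the name matches a protected user, the address is not theirs.
    for user, known_addresses in PROTECTED_USERS.items():
        if normalize_name(display_name) == normalize_name(user) and address not in known_addresses:
            findings.append(f"display name '{display_name}' matches protected user '{user}' "
                            f"but sender {address} is not a known address")

    # 2. Lookalike domain: close to a protected domain without being one.
    if domain and domain not in PROTECTED_DOMAINS:
        for protected in PROTECTED_DOMAINS:
            if domain_similarity(domain, protected) >= SIMILARITY_THRESHOLD:
                findings.append(f"sender domain {domain} resembles protected domain {protected}")

    # 3. Address placed in the display name: "user@protected" <someone@elsewhere>.
    if "@" in display_name:
        embedded_domain = display_name.rpartition("@")[2].strip().lower()
        if embedded_domain in PROTECTED_DOMAINS and domain not in PROTECTED_DOMAINS:
            findings.append(f"display name shows {embedded_domain} but the real sender is {domain}")
    return findings


if __name__ == "__main__":
    for header in ('Jane Doe <jane.doe@contoso-example.com>',
                   'Jane Doe <jane.doe@free-mail-example.net>',
                   'IT Helpdesk <helpdesk@contoso-exarnple.com>',
                   '"jane.doe@contoso-example.com" <mailbox@free-mail-example.net>'):
        print(header, "->", impersonation_findings(header) or "no finding")
```

Each finding is a signal rather than a verdict: a legitimate executive writing from a personal address trips check 1, which is exactly why the page pairs detection with user training and a reporting path instead of relying on any single filter.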

We believe customers will benefit from Attack Simulator and the ability to help train end users to spot malicious emails. One key aspect of that training is to inspect the URL behind the hyperlink. With the Native Link Rendering feature launching later this year, end users can hover over hyperlinks in their email and view where the link is pointing to. This is useful since the actual destination of a link can provide important indicators of whether the link is trustworthy or linking to a malicious site. Figure 3 demonstrates how native link rendering allows the user to inspect a link in the body of an email.

Figure 3. Native Link Rendering


If an Office 365 Advanced Threat Protection (ATP) user does click on a malicious link, they will be protected by ATP Safe Links at the time of click. This is part of the post-delivery protection layer shown in Figure 1. Time-of-click protection offered by ATP Safe Links is important because many of today's advanced threats leverage some form of link morphing. The email initially includes a benign link and passes through basic security filters undetected. Once past these filters, the link morphs and points to a malicious site. Therefore, time-of-click protection is essential for protecting users from these threats.
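Why a verdict reached at scan time is not enough, shown as an added example that is not Office 365 Safe Links code and not the page author's: links are wrapped at delivery so that every click goes through a resolver that consults the intelligence current at that moment. The wrapper host safelinks.example.net, the reputation store, the user names and the sample email are constructed.

```python
"""Time-of-click link checking. Links are wrapped at delivery and the real target
is re-evaluated against current intelligence on every click. Added example, not
Office 365 Safe Links code; the wrapper host, the reputation store and the sample
email are constructed."""
import re
from urllib.parse import parse_qs, quote, urlparse

WRAPPER = "https://safelinks.example.net/?url="   # constructed click-time endpoint
HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


class LinkProtector:
    def __init__(self):
        self.blocked_hosts = set()   # current intelligence; it changes after delivery
        self.click_log = []          # what an admin would later review

    def rewrite(self, html):
        """Delivery time: wrap every http(s) href. No verdict is baked into the mail."""
        return HREF_RE.sub(lambda m: f'href="{WRAPPER}{quote(m.group(1), safe="")}"', html)

    def block_host(self, host):
        """Intelligence update, e.g. after the destination starts serving malicious content."""
        self.blocked_hosts.add(host.lower())

    def resolve(self, wrapped_url, user):
        """Click time: unwrap, evaluate against current intelligence, log, decide.
        parse_qs already percent-decodes, so the target is not decoded a second time."""
        target = parse_qs(urlparse(wrapped_url).query).get("url", [""])[0]
        host = (urlparse(target).hostname or "").lower()
        verdict = "blocked" if host in self.blocked_hosts else "allowed"
        self.click_log.append({"user": user, "target": target, "verdict": verdict})
        return verdict, target


def demo():
    """Constructed scenario: the link is clean when the mail is scanned and the
    destination is reclassified only after delivery."""
    lp = LinkProtector()
    original = "https://invoice-portal-example.com/view?id=42"
    html = f'<p>Your invoice: <a href="{original}">open</a></p>'
    delivered = lp.rewrite(html)
    wrapped = HREF_RE.search(delivered).group(1)
    first, target = lp.resolve(wrapped, "alice")        # allowed: nothing known yet
    lp.block_host("invoice-portal-example.com")         # destination turns malicious
    second, _ = lp.resolve(wrapped, "bob")              # blocked at click time
    return first, second, target == original, len(lp.click_log)


if __name__ == "__main__":
    print(demo())   # ('allowed', 'blocked', True, 2)
```

The click log is the part a defender cares about after the fact: it records which users reached which real destination and with which verdict, which is the information the user-reported and ATP reports described later in this post surface for administrators.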

In the event an end user believes a link might be malicious, they can submit the email directly to Microsoft for analysis. Admins should enable the Report Message (Figure 4) add-in which end users can use to submit suspicious emails directly to Microsoft. Our 3500+ security engineering team will review the email and determine if it is actually malicious. If Microsoft classifies the email as malicious, new instances of the email are flagged and blocked across all Office 365 tenants.

Figure 4. Report Message Button

Giving end users the ability to report messages directly enables Microsoft to quickly expand its telemetry and depth of the threat landscape and broaden protection for all our customers. In fact, customers using the Exchange Online Protection (EOP) secure email gateway service, which is available with every Office 365 license, also benefit from our powerful integration and signal sharing across the Microsoft ecosystem.

Another key post-delivery anti-phishing feature is Zero-hour Auto Purge (ZAP), which moves all instances of malicious emails that Microsoft discovers to the junk mail folder, even after they have landed in a user inbox. This process happens quickly, and emails that are not initially classified as malicious but are later flagged by Office 365 ATP (or even by services from our Windows platform such as Windows Defender Advanced Threat Protection) will be ZAPed to the junk mail folder. This new threat telemetry integrates with the Microsoft Intelligent Security Graph so that future instances of the newly classified malicious email will be blocked across the entire Microsoft ecosystem. By leveraging direct threat telemetry from end users, we continuously and rapidly enhance our protection for all our customers and stay ahead of the changing threat landscape.

Figure 5. EOP ZAP Protection


With the newly released real-time ATP reports, customers have visibility into all malicious emails that targeted the tenant and were blocked by Office 365. Administrators that use ATP can also see all emails that have been flagged and submitted by their end users as potential threats. With the User-reported threats view (Figure 6), admins can identify the sender of the email, the number of instances of the email, and the number of users who received the email. The ability to view emails submitted by end users is an extremely valuable tool because it empowers organizations' security teams to identify malicious emails and trigger investigations on potential threats and impacts. The combination of these reports provides administrators and security teams a comprehensive view into the breadth and depth of different phishing campaigns targeting their organization. The User-reported submissions are also sent to Microsoft for further analysis.

Figure 6. User submissions report


We have demonstrated how Office 365 protects organizations from phishing campaigns using a multi-layered approach. Office 365 Threat Intelligence completes the threat protection stack by allowing organizations to more effectively and efficiently investigate, respond to, and remediate attacks on the organization. In fact, since Microsoft IT began leveraging Office 365 Threat Intelligence, the average time to resolution for social engineering incidents has been reduced by 80 percent, and case throughput has increased 37 percent per month. Many enterprises have security operations teams whose goal is to assess the impact of threats to an organization. Using the Threat Explorer feature in the Security and Compliance Center, security analysts and administrators can search for all instances of potentially malicious emails. Thanks to a back-end designed specifically for efficient threat investigation and remediation, malicious emails can be quickly and easily identified with Threat Explorer. As shown in Figure 7, Threat Explorer provides many filtering and search options, such as sender, recipient, subject, and several more, to find the malicious emails. From the User-reported threats view, admins gain visibility into the sender of the email. This is critical since emails that are part of a phishing campaign often come from a unique sender address. Threat Explorer allows admins to filter by sender to find all emails sent from a specific email address. Once this filter has been applied, all emails sent from the unique address will be displayed in Threat Explorer. The admin can then select all the emails from that sender that need to be investigated from the message list at the bottom of Threat Explorer.

Figure 7. Threat Explorer

After selecting the emails to investigate, admins can choose a variety of actions that can be taken on the messages including: move to junk, move to deleted items, soft delete, hard delete, and move to inbox as shown in Figure 8. Analysts can easily trigger the action to purge the malicious email campaign from all mailboxes in the organization or queue the incident for a manager to approve the action.

Figure 8. Triggering an action

There are common security issues admins may need to check over time for phish or other problems. Whether just reviewing events, getting alerts, or determining threat trends and reporting, Office 365's Threat Intelligence Threat Tracker enables ongoing supervision of your security tasks. The Tracker Saved Query feature shown in Figure 9 allows you to save frequent searches, so admins can navigate quickly to a consistent set of events in Explorer. In case you need ongoing monitoring, you can set up tracking on the queries to get trending information on phish, malware, or other security events.

Figure 9. Saving an Explorer query in Office 365 Threat Intelligence

Office 365 Threat Protection

Microsoft has heavily invested in helping secure our customers for several years. In the last few years, as the level of cybercrime has increased, we have also increased our efforts and focus on developing and continuously enhancing advanced security solutions to protect customers from a wide variety of threats and types of attack. In this phishing scenario, you see a part of this continued focus on engineering security services that give end users ultimate protection from modern threats, while giving administrators a powerful set of tools with maximum control and flexibility for their security requirements. To begin experiencing best-of-breed protection for all your Office 365 users, we invite you to sign up for an Office 365 E5 trial today. Make sure to provide us your feedback so we can continue delivering the features and enhancements needed to keep your organization secure.


Tips for getting started on your security deployment

This blog is part of a series that responds to common questions we receive from customers about how to most effectively deploy Microsoft 365 Security. In this series you'll find context, answers, and guidance for deployment and driving adoption within your organization.

This past year, we've been listening to our customers' questions about how to deploy and drive adoption around the full suite of Microsoft 365 Security products. The questions we get most often include:

  • In what order should I deploy security features?
  • How do I deploy quickly and with minimal business disruption?
  • How do I as an IT Pro get buy-in from my business decision makers?
  • How do I get my users to actually use the solution?
  • How will this impact my end users?

This blog series will provide you with our best answers to these and related questions and offer tips from our security deployment experts.

The good news is that Microsoft 365 customers already have a powerful security solution to address security challenges. Together with Enterprise Mobility + Security, Windows 10, and Office 365, our Microsoft 365 Security products deliver on today's most pressing security needs.

The Security capabilities in Microsoft 365 integrate where it counts and offer specialized tools for different functions. The result is a comprehensive security solution across your identity, devices, apps, and infrastructure:

One of the most common questions we receive is "Where do I begin?" Microsoft has provided a sampling of the most common security scenarios customers like you may want to accomplish. To help you envision your plan, we provide the optimum combination of Microsoft 365 products and features you need to bring your Microsoft Security scenarios to life, such as:

  • Work securely from anywhere, anytime
  • Detect and protect against external threats
  • Protect your data on files, apps, and devices
  • Protect your users and their accounts

How do I get started?

The first step to any effective security strategy is careful planning. Here are a few best practices to get you started:

  • Know your goals and tackle quick wins first. Trying to address every security challenge that comes along can quickly become overwhelming. Get very specific about what you are hoping to gain from a solution. And don't let the search for the perfect setup stand in the way of getting started with quick wins today. For example, setting up self-service password resets or getting company apps securely behind your cloud firewall can quickly show business value.
  • Map your key stakeholders and influencers. In addition to key influencers (CTO, CSO, CEO, business development managers, etc.), make sure to involve department managers and explore how the new security will impact people, processes, and data internally as well as externally with customers and partners.
  • Build a good communications plan. Quick user adoption starts with early user communication. Prepare your end users for the changes in advance so that there are no surprises. Communicate every step of the way during pilot and deployment phases. Don't just provide technical details, but also try to capture what they care about: how the new scenarios will help them do their job better, how to get started with the new software, where to go for more training, etc.

We'll explore these and other planning best practices in future blog posts. Then we'll move on to key deployment and adoption considerations as well as specific security scenarios. Check back in a few weeks for our next blog post when we drill into FastTrack for Microsoft 365 Security.

Need help getting started? FastTrack provides you with a set of best practices, tools, resources, and experts committed to making your experience with the Microsoft Cloud a great one. Get started on your journey today with a request for assistance from the FastTrack security page.



Cyber resilience for the modern enterprise

Many organizations are undergoing a digital transformation that leverages a mix of cloud and on-premises assets to increase business efficiency and growth. While increased dependence on technology is necessary for this transformation, and to position the business for success, it does pose risks from security threats. An organization cannot afford to wait until after users and systems have been compromised; it must be proactive.

It is impossible to be 100 percent secure. It can take less than 48 hours for attackers to gain complete control of a network [1], and the median time to discover a breach is 99 days [2]. With incidents costing an average of $141 per lost or stolen record [3], and some cybersecurity events such as Petya costing $200-310 million [4], organizations must develop comprehensive risk management plans. These plans must keep a hybrid infrastructure resilient to a range of cyber threats encompassing both established and emerging threats. In addition, plans must help to manage the risk of emerging vulnerabilities, such as the recently disclosed processor vulnerabilities named Spectre and Meltdown.

Microsoft helps multiple global enterprises mitigate business impact by offering prescriptive guidance, as well as partnering with them to build a cyber resiliency plan and roadmap.

To learn more about how Microsoft views the importance of cyber resilience for the modern enterprise, get prescriptive guidance on building a cyber resiliency plan and roadmap, and find out what Microsoft is doing to help enterprises rapidly become resilient to commonly encountered attacks and vulnerabilities, check out these resources:

  1. Microsoft as a Trusted Advisor and Partner on Cyber Resilience white paper co-authored by members of Microsoft Enterprise Cybersecurity Group
  2. Cyber Resilience for the Modern Enterprise webinar featuring Diana Kelley (Field Chief Technology Officer) and Shawn Anderson (Executive Security Advisor) from the Microsoft Enterprise Cybersecurity Group
  3. Securing Azure customers from CPU vulnerability blog from the Microsoft Azure team

[1] Anatomy of a Breach. Microsoft, 2016.

[2] M-Trends 2016. Mandiant Consulting, 2016.

[3] 2017 Cost of a Data Breach Study: Global Overview. Ponemon Institute.

[4] NotPetya ransomware cost Merck more than $310 million.


Overview of rapid cyberattacks

Rapid cyberattacks like Petya and WannaCrypt have reset our expectations on the speed and scope of damage that a cyberattack can inflict. The Microsoft Enterprise Cybersecurity Group Detection and Response team worked extensively to help customers respond to and recover from these kinds of attacks. In 2017, among the global enterprise customers that we worked with, these rapid cyberattacks took down most or all IT systems in just about one hour, resulting in $200M – 300M USD of damage at several customers. [1]

Attackers assembled several existing techniques into a new form of attack that was both:

  • Fast – Took about an hour to spread throughout the enterprise
  • Disruptive – Created very significant business disruption at global enterprises

What is a rapid cyberattack?

Rapid cyberattacks are fast, automated, and disruptive, setting them apart from the targeted data theft attacks and various commodity attacks, including commodity ransomware, that security programs typically encounter:

Figure 1: Characteristics of rapid cyberattacks

  • Rapid and Automated – Much like the worms of decades past (remember Nimda? SQL Slammer?), these attacks happen very rapidly because self-propagation is fully automated once the malware is launched.
  • Disruptive – Rapid cyberattacks are designed to be disruptive to business and IT operations by encrypting data and rebooting systems.

What are the technical and business impacts of a rapid cyberattack?

From a technical perspective, this represents the near-worst case technical risk, and resulting business risk, from a cybersecurity attack. While many of us in cybersecurity have grown accustomed to and jaded with sales presentations describing doomsday scenario tactics, these attacks indisputably represent real world cases of mass business impact on organizations.

For many of the Petya victims, most or all their computers were taken down in about one hour (~62,000 servers and workstations in a global network, in one case). In these customer environments where our incident response teams were engaged, many critical business operations came to a full stop while the IT team recovered systems.

From a business perspective, some organizations suffered losses in the range of $200M – 300M USD and had to change the operating results they reported to shareholders. Note that the actual level of business impact can vary by industry, organization size, existing risk management controls, and other factors. However, it's clear that the monetary and resource impacts from rapid attacks can be significant.

What makes rapid cyberattacks different from other attacks?

Petya differed from several accepted attack norms, taking many defenders by surprise. Here are four of the ways it did so:

Figure 2: What made Petya different

  1. Supply chain – One of the more unusual aspects of the Petya attack is that it used a supply chain attack to enter target environments instead of phishing or browsing, which are vastly more prevalent methods used by threat actors for most attacks. While we are seeing an emerging trend of supply chain attacks, particularly in IT supply chain components like the MEDoc application, it is still a small minority of attack volume vs. the usual phishing/browsing attack methods.
  2. Multi-technique – While Petya wasn't the first malware to automate propagation or use multiple propagation techniques, its implementation was an extremely effective combination of exploiting a powerful software vulnerability and using impersonation techniques.
  3. Fast – The propagation speed of Petya cannot be overstated. Prior to AV signatures being available, it left very little time for defenders to react (detect + manually respond, or detect + write automatic response rules), leaving defenders completely reliant on preventive controls (the Protect function in the NIST cybersecurity framework) and recovery processes.
  4. Destructive – Petya rebooted the system and encrypted the master file table (MFT) of the filesystem. This made it more difficult to recover individual machines, but also spared many enterprises an even worse impact because it didn't encrypt storage which wasn't accessible after this reboot (e.g. Petya's boot code didn't have SAN drivers and couldn't reach that storage).

More information

To learn more about rapid cyberattacks and how to protect against them, watch the on-demand webinar: Protect Against Rapid Cyberattacks (Petya [aka NotPetya], WannaCrypt, and similar).

Look out for the next blog post of a 3-part series to learn how Petya works and key takeaways.



Azure Backup offers several mechanisms to protect against ransomware

The start of a new year is the perfect time to reassess your security strategy and tactics, especially when looking back at the new levels of ransomware's reach and damage in 2017.

It's no secret that ransomware attacks are increasing. In fact, a business is hit with ransomware every 40 seconds. If ransomware does get a hold of your data, you can pay a large amount of money hoping that you will get your data back. The alternative is to not pay anything and begin your recovery process. Whether you pay the ransom or not, your enterprise loses time and resources dealing with the aftermath. Microsoft invests in several ways to help you mitigate the effects of ransomware.

For example, in the Windows 10 Fall Creators Update, Windows Defender Exploit Guard has a feature that prevents unauthorized access to important files. The feature, controlled folder access, works with Windows Defender Advanced Threat Protection. All applications, meaning any executable file, including .exe, .scr, .dll files and others, are assessed to determine whether they are malicious or safe. If an application is determined to be malicious or suspicious, it will not be allowed to make any changes to any files in a protected folder. In cases of ransomware, this helps protect files from attempted encryption by the malware. As malware becomes increasingly more sophisticated, older platforms are much more susceptible to ransomware attacks. Windows 10 has several defenses against ransomware that could help in case of a future attack.

One area to reconsider is your current backup policy and the potential outcomes to your business if your backup data is compromised by ransomware.

With Azure Backup, we are changing the ransomware story. You, not ransomware, are in control of your data. Azure Backup gives you three ways you can proactively protect your data in Azure and on-premises from ransomware. The first step is to back up your data. You need to back up virtual machines running in Azure and on-premises virtual machines, physical servers, and files to Azure. If your on-premises data is compromised, you'll have several copies of your data in Azure. This gives you the flexibility to restore your data back to a specific point in time and keep your business moving forward.

Next, you can set up a six-digit PIN directly from the Azure portal as an additional layer of protection for your Azure Backups. Only users with valid Azure credentials can then create and receive this security PIN required to be entered before any backup operation is performed.

Finally, Azure Backup provides just-in-time notifications to alert you to potential ransomware attacks. If a suspicious activity is attempted with your backups, a notification is immediately sent to you to get involved before ransomware has the chance.

If you are an IT professional, you can get started today by creating a free Azure Backup account. For more information on how Azure Backup protects against ransomware, check out our interactive infographic.

Microsoft is committed to helping you protect against and respond to evolving attacks. To learn more about other Microsoft security solutions, visit

  • Kaspersky Security Bulletin 2016
