Archive for the ‘Security Intelligence’ Category

Small businesses targeted by highly localized Ursnif campaign

September 6th, 2018 No comments

Cyber thieves are continuously looking for new ways to get people to click on a bad link, open a malicious file, or install a poisoned update in order to steal valuable data. In the past, they cast as wide a net as possible to increase the pool of potential victims. But attacks that create a lot of noise are often easier to spot and stop. Cyber thieves are catching on that we are watching them, so they are trying something different. Now were seeing a growing trend of small-scale, localized attacks that use specially crafted social engineering to stay under the radar and compromise more victims.

In social engineering attacks, is less really more?

A new malware campaign puts that to the test by targeting home users and small businesses in specific US cities. This was a focused, highly localized attack that aimed to steal sensitive info from just under 200 targets. Macro-laced documents masqueraded as statements from legitimate businesses. The documents are then distributed via email to target victims in cities where the businesses are located.

With Windows Defender AVs next gen defense, however, the size of the attack doesnt really matter.

Several cloud-based machine learning algorithms detected and blocked the malicious documents at the onset, stopping the attack and protecting customers from what would have been the payload, info-stealing malware Ursnif.

The map below shows the location of the targets.

Figure 1. Geographic distribution of target victims

Highly localized social engineering attack

Heres how the attack played out: Malicious, macro-enabled documents were delivered as email attachments to target small businesses and users. Each document had a file name that spoofed a legitimate business name and masqueraded as a statement from that business. In total, we saw 21 unique document file names used in this campaign.

The attackers sent these emails to intended victims in the city or general geographic area where the businesses are located. For example, the attachment named Dolan_Care_Statement.doc was sent almost exclusively to targets in Missouri. The document file name spoofs a known establishment in St. Louis. While we do not believe the establishment itself was affected or targeted by this attack, the document purports to be from the said establishment when its really not.

The intended effect is for recipients to get documents from local, very familiar business or service providers. Its part of the social engineering scheme to increase likelihood that recipients will think the document is legitimate and take the bait, when in reality it is a malicious document.

Most common lure document file names Top target cities
Dockery_FloorCovering_Statement Johnson City, TN
Kingsport, TN
Knoxville, TN
Dolan_Care_Statement St. Louis, MO
Chesterfield, MO
Lees Summit, MO
DMS_Statement Omaha, NE
Wynot, NE
Norwalk, OH
Dmo_Statement New Braunfels, TX
Seguin, TX
San Antonio, TX
DJACC_Statement Miami, FL
Flagler Beach, FL
Niles, MI
Donovan_Construction_Statement Alexandria, VA
Mclean, VA
Manassas, VA

Table 1. Top target cities of most common document file names

When recipients open the document, they are shown a message that tricks the person into enabling the macro.

Figure 2. Document tricks victim into enabling the macro

As is typical in social engineering attacks, this is not true. If the recipient does enable the macro, no content is shown. Instead the following process is launched to deobfuscate a PowerShell command.

Figure 3. Process to deobfuscate PowerShell

Figure 4. PowerShell command

The PowerShell script connects to any of 12 different URLs that all deliver the payload.

Figure 5. Deobfuscated PowerShell command

The payload is Ursnif, info-stealing malware. When run, Ursnif steals information about infected devices, as well as sensitive information like passwords. Notably, this infection sequence (i.e., cmd.exe process deobfuscates a PowerShell that in turn downloads the payload) is a common method used by other info-stealing malware like Emotet and Trickbot.

How machine learning stopped this small-scale, localized attack

As the malware campaign got under way, four different cloud-based machine learning models gave the verdict that the documents were malicious. These four models are among a diverse set of models that help ensure we catch a wide range of new and emerging threats. Different models have different areas of expertise; they use different algorithms and are trained on their unique set of features.

One of the models that gave the malicious verdict is a generic model designed to detect non-portable executable (PE) threats. We have found that models like this are effective in catching social engineering attacks, which typically use non-PE files like scripts and, as is the case for this campaign, macro-laced documents.

The said non-PE model is a simple averaged perceptron algorithm that uses various features, including expert features, fuzzy hashes of various file sections, and contextual data. The simplicity of the model makes it fast, enabling it to give split-second verdicts before suspicious files could execute. Our analysis into this specific model showed that the expert features and fuzzy hashes had the biggest impact in the models verdict and the eventual blocking of the attack.

Figure 6. Impact of features used by one ML model that detected the attack

Next-generation protection against malware campaigns regardless of size

Machine learning and artificial intelligence power Windows Defender AV to detect and stop new and emerging attacks before they can wreak havoc. Every day, we protect customers from millions of distinct, first-seen malware. Our layered approach to intelligent, cloud-based protection employs a diverse set of machine learning models designed to catch the wide range of threats: from massive malware campaigns to small-scale, localized attacks.

The latter is a growing trend, and we continue to watch the threat landscape to keep machine learning effective against attacks. In a recent blog post, we discussed how we continue to harden machine learning defenses.

Windows Defender AV delivers the next-gen protection capabilities in the Windows Defender Advanced Threat Protection (Windows Defender ATP). Windows Defender ATP integrates attack surface reduction, next-gen protection, endpoint detection and response (EDR), automatic investigation and response, security posture, and advanced hunting capabilities. .

Because of this integration, antivirus detections, such as those related to this campaign, are surfaced in Windows Defender Security Center. Using EDR capabilities, security operations teams can then investigate and respond to the incident. Attack surface reduction rules also block this campaign, and these detections are likewise surfaced in Windows Defender ATP.To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Across the whole Microsoft 365 threat protection, detections and other security signals are shared among Office 365 ATP, Windows Defender ATP, and Azure ATP. In this Ursnif campaign, the antivirus detection also enables the blocking of related emails in Office 365. This demonstrates how signal sharing and orchestration of remediation across solutions in Microsoft 365 results in better integrated threat protection.



Bhavna Soman
Windows Defender Research


Indicators of compromise (IOCs)



File names

Payload (Ursnif)





*Note: The first four domains above are all registered in Russia and are hosted on the IP address 185[.]212[.]44[.]114. The other domains follow the same URL pattern and are also pushing Ursnif, but no registration info is available.






Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Building the security operations center of tomorrow—harnessing the law of data gravity

August 30th, 2018 No comments

This post was coauthored by Diana Kelley, Cybersecurity Field CTO, and , EMEA Chief Security Advisor, Cybersecurity Solutions Group.

Youve got a big dinner planned and your dishwasher goes on the fritz. You call the repair company and are lucky enough to get an appointment for that afternoon. The repairperson shows up and says, Yes, its broken, but to figure out why I will need to run some tests. They start to remove your dishwasher from the outlet. What are you doing? you ask. Im taking it back to our repair shop for analysis and then repair, they reply. At this point, youre annoyed. You have a big party in three hours, and taking the dishwasher all the way back to the shop for analysis means someone will be washing dishes by hand after your partywhy not test it right here and right now so it can be fixed on the spot?

Now, imagine the dishwasher is critical business data located throughout your organization. Sending all that data to a centralized location for analysis will give you insights, eventually, but not when you really need it, which is now. In cases where the data is extremely large, you may not be able to move it at all. Instead it makes more sense to bring services and applications to your data. This at the heart of a concept called data gravity, described by Dave McCrory back in 2010. Much like a planet, your data has mass, and the bigger that mass, the greater its gravitational pull, or gravity well, and the more likely that apps and services are drawn to it. Gravitational movement is accelerated when bandwidth and latency are at a premium, because the closer you are to something the faster you can process and act on it. This is the big driver of the intelligent cloud/intelligent edge. We bring analytics and compute to connected devices to make use of all the data they collect in near real-time.

But what might not be so obvious is what, if anything, does data gravity have to do with cybersecurity and the security operations center (SOC) of tomorrow. To have that discussion, lets step back and look at the traditional SOCs, built on security information and event management (SIEM) solutions developed at the turn of the century. The very first SIEM solutions were predominantly focused on log aggregation. Log information from core security tools like firewalls, intrusion detection systems, and anti-virus/malware tools were collected from all over a company and moved to a single repository for processing.

That may not sound super exciting from our current vantage point of 2018, but back in 2000 it was groundbreaking. Admins were struggling with an increasing number of security tools, and the ever-expanding logs from those tools. Early SIEM solutions gave them a way to collect all that data and apply security intelligence and analytics to it. The hope was that if we could gather all relevant security log and reporting data into one place, we could apply rules and quickly gather insights about threats to our systems and security situational awareness. In a way this was antidata gravity, where data moved to the applications and services rather than vice versa.

After the initial hype for SIEM solutions, SOC managers realized a few of their limitations. Trying to write rules for security analytics proved to be quite hard. A minor error in a rule led to high false positives that ate into analyst investigative time. Many companies were unable to get all the critical log data into the SIEM, leading to false negatives and expensive blind spots. And one of the biggest concerns with traditional SIEM was the latency. SIEM solutions were marketed as real-time analytics, but once an action was written to a log, collected, sent to the SIEM, and then parsed through the SIEM analytics engine, quite a bit of latency was introduced. When it comes to responding to fast moving cyberthreats, latency is a distinct disadvantage.

Now think about these challenges and add the explosive amounts of data generated today by the cloud and millions of connected devices. In this environment its not uncommon that threat campaigns go unnoticed by an overloaded SIEM analytics engine. And many of the signals that do get through are not investigated because the security analysts are overworked. Which brings us back to data gravity.

What was one of the forcing factors for data gravity? Low tolerance for latency. What was the other? Building applications by applying insights and machine learning to data. So how can we build the SOC of tomorrow? By respecting the law of data gravity. If we can perform security analytics close to where the data already is, we can increase the speed of response. This doesnt mean the end of aggregation. Tomorrows SOC will employ a hybrid approach by performing analytics as close to the data mass as possible, and then rolling up insights, as needed, to a larger central SOC repository for additional analysis and insight across different gravity wells.

Does this sound like an intriguing idea? We think so. Being practitioners, though, we most appreciate when great theories can be turned into real-world implementations. Please stay tuned for part 2 of this blog series, where we take the concept of tomorrows SOC and data gravity into practice for today.

Attack inception: Compromised supply chain within a supply chain poses new risks

A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case. Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the apps legitimate installer the unsuspecting carrier of a malicious payload. The attack seemed like just another example of how cybercriminals can sneak in malware using everyday normal processes.

The plot twist: The app vendors systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation. This turned out be an interesting and unique case of an attack involving “the supply chain of the supply chain”.

The attackers monetized the campaign using cryptocurrency miners going as far as using two variants, for good measure adding to an expanding list of malware attacks that install coin miners.

We estimate based on evidence from Windows Defender ATP that the compromise was active between January and March 2018 but was very limited in nature. Windows Defender ATP detected suspicious activity on a handful of targeted computers; Automated investigation automatically resolved the attack on these machines.

While the impact is limited, the attack highlighted two threat trends: (1) the escalating frequency of attacks that use software supply chains as threat vector, and (2) the increasing use of cryptocurrency miners as primary means for monetizing malware campaigns.

This new supply chain incident did not appear to involve nation-state attackers or sophisticated adversaries but appears to be instigated by petty cybercriminals trying to profit from coin mining using hijacked computing resources. This is evidence that software supply chains are becoming a risky territory and a point-of-entry preferred even by common cybercriminals.

Hunting down the software supply chain compromise

As with most software supply chain compromises, this new attack was carried out silently. It was one of numerous attacks detected and automatically remediated by Windows Defender ATP on a typical day.

While customers were immediately protected, our threat hunting team began an in-depth investigation when similar infection patterns started emerging across different sets of machines: Antivirus capabilities in Windows Defender ATP was detecting and blocking a coin mining process masquerading as pagefile.sys, which was being launched by a service named xbox-service.exe. Windows Defender ATP’s alert timeline showed that xbox-service.exe was installed by an installer package that was automatically downloaded from a suspicious remote server.

Figure 1. Windows Defender ATP alert for the coin miner used in this incident

A machine compromised with coin miner malware is relatively easy to remediate. However, investigating and finding the root cause of the coin miner infection without an advanced endpoint detection and response (EDR) solution like Windows Defender ATP is challenging; tracing the infection requires a rich timeline of events. In this case, Advanced hunting capabilities in Windows Defender ATP can answer three basic questions:

  • What created xbox-service.exe and pagefile.sys files on the host?
  • Why is xbox-service.exe being launched as a service with high privileges?
  • What network and process activities were seen just before xbox-service.exe was launched?

Answering these questions is painless with Windows Defender ATP. Looking at the timeline of multiple machines, our threat hunting team was able to confirm that an offending installer package (MSI) was downloaded and written onto devices through a certain PDF editor app (an alternative app to Adobe Acrobat Reader).

The malicious MSI file was installed silently as part of a set of font packages; it was mixed in with other legitimate MSI files downloaded by the app during installation. All the MSI files were clean and digitally signed by the same legitimate company except for the one malicious file. Clearly, something in the download and installation chain was subverted at the source, an indication of software supply chain attack.

Figure 2. Windows Defender ATP answers who, when, what (xbox-service.exe created right after MSI installation)

As observed in previous supply chain incidents, hiding malicious code inside an installer or updater program gives attackers the immediate benefit of having full elevated privileges (SYSTEM) on a machine. This gives malicious code the permissions to make system changes like copying files to the system folder, adding a service, and running coin mining code.

Confident with the results of our investigation, we reported findings to the vendor distributing the PDF editor app. They were unaware of the issue and immediately started investigating on their end.

Working with the app vendor, we discovered that the vendor itself was not compromised. Instead, the app vendor itself was the victim of a supply chain attack traceable to their dependency on a second software vendor that was responsible for creating and distributing the additional font packages used by the app. The app vendor promptly notified their partner vendor, who was able to identify and remediate the issue and quickly interrupted the attack.

Multi-tier software supply chain attack

The goal of the attackers was to install a cryptocurrency miner on victim machines. They used the PDF editor app to download and deliver the malicious payload. To compromise the software distribution chain, however, they targeted one of the app vendors software partners, which provided and hosted additional font packages downloaded during the apps installation.

Figure 3. Diagram of the software distribution infrastructure of the two vendors involved in this software supply chain attack

This software supply chain attack shows how cybercriminals are increasingly using methods typically associated with sophisticated cyberattacks. The attack required a certain level of reconnaissance: the attackers had to understand how the normal installation worked. They eventually found an unspecified weakness in the interactions between the app vendor and partner vendor that created an opportunity.

The attackers figured out a way to hijack the installation chain of the MSI font packages by exploiting the weakness they found in the infrastructure. Thus, even if the app vendor was not compromised and was completely unaware of the situation, the app became the unexpected carrier of the malicious payload because the attackers were able to redirect downloads.

At a high level, heres an explanation of the multi-tier attack:

  1. Attackers recreated the software partners infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font package, all clean and digitally signed, in the replica sever.
  2. The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. With this package tampered with, it is no longer trusted and signed.
  3. Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
  4. As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers replica server instead of the software partners server.

While the attack was active, when the app reached out to the software partners server during installation, it was redirected to download the malicious MSI font package from the attackers replica server. Thus, users who downloaded and installed the app also eventually installed the coin miner malware. After, when the device restarts, the malicious MSI file is replaced with the original legitimate one, so victims may not immediately realize the compromise happened. Additionally, the update process was not compromised, so the app could properly update itself.

Windows Defender ATP customers were immediately alerted of the suspicious installation activity carried out by the malicious MSI installer and by the coin miner binary, and the threat was automatically remediated.

Figure 4. Windows Defender ATP alert process tree for download and installation of MSI font packages: all legitimate, except for one

Since the compromise involved a second-tier software partner vendor, the attack could potentially expand to customers of other app vendors that share the same software partner. Based on PDF application names hardcoded by the attackers in the poisoned MSI file, we have identified at least six additional app vendors that may be at risk of being redirected to download installation packages from the attackers server. While we were not able to find evidence that these other vendors distributed the malicious MSI, the attackers were clearly operating with a broader distribution plot in mind.

Another coin miner malware campaign

The poisoned MSI file contained malicious code in a single DLL file that added a service designed to run a coin mining process. The said malware, detected as Trojan:Win64/CoinMiner, hid behind the name xbox-service.exe. When run, this malware consumed affected machines computing resources to mine Monero coins.

Figure 5. Malicious DLL payload extracted from the MSI installer

Another interesting aspect of the DLL payload is that during the malware installation stage, it tries to modify the Windows hosts file so that the infected machine cant communicate with the update servers of certain PDF apps and security software. This is an attempt to prevent remote cleaning and remediation of affected machines.

Figure 6. Preventing further download of updates from certain PDF app vendors

Inside the DLL, we also found some traces of an alternative form of coin mining: browser scripts. Its unclear if this code was the attackers potential secondary plan or simply a work in progress to add one more way to maximize coin mining opportunities. The DLL contained strings and code that may be used to launch a browser to connect to the popular Coinhive library to mine Monero coins.

Figure 7. Browser-based coin mining script

Software supply chain attacks: A growing industry problem

In early 2017, we discovered operation WilySupply, an attack that compromised a text editors software updater to install a backdoor on targeted organizations in the financial and IT sectors. Several weeks later, another supply chain attack made headlines by initiating a global ransomware outbreak. We confirmed speculations that the update process for a tax accounting software popular in Ukraine was the initial infection vector for the Petya ransomware. Later that same year, a backdoored version of CCleaner, a popular freeware tool, was delivered from a compromised infrastructure. Then, in early 2018, we uncovered and stopped a Dofoil outbreak that poisoned a popular signed peer-to-peer application to distribute a coin miner.

These are just some of many similar cases of supply chain attacks observed in 2017 and 2018. We predict, as many other security researchers do, that this worrisome upward trend will continue.

Figure 8. Software supply chain attacks trends (source: RSA Conference 2018 presentation “The Unexpected Attack Vector: Software Updaters“)

The growing prevalence of supply chain attacks may be partly attributed to hardened modern platforms like Windows 10 and the disappearance of traditional infection vectors like browser exploits. Attackers are constantly looking for the weakest link; with zero-day exploits becoming too expensive to buy or create (exploit kits are at their historically lowest point), attackers search for cheaper alternative entry points like software supply chains compromise. Benefiting from unsafe code practices, unsecure protocols, or unprotected server infrastructure of software vendors to facilitate these attacks.

The benefit for attackers is clear: Supply chains can offer a big base of potential victims and can result in big returns. Its been observed targeting a wide range of software and impacting organizations in different sectors. Its an industry-wide problem that requires attention from multiple stakeholders – software developers and vendors who write the code, system admins who manage software installations, and the information security community who find these attacks and create solutions to protect against them, among others.

For further reading, including a list of notable supply chain attacks, check out our RSA Conference 2018 presentation on the topic of software supply chain attack trends: The Unexpected Attack Vector: Software Updaters.

Recommendations for software vendors and developers

Software vendors and developers need to ensure they produce secure as well as useful software and services. To do that, we recommend:

  • Maintain a highly secure build and update infrastructure.

    • Immediately apply security patches for OS and software.
    • Implement mandatory integrity controls to ensure only trusted tools run.
    • Require multi-factor authentication for admins.

  • Build secure software updaters as part of the software development lifecycle.

    • Require SSL for update channels and implement certificate pinning.
    • Sign everything, including configuration files, scripts, XML files, and packages.
    • Check for digital signatures, and dont let the software updater accept generic input and commands.

  • Develop an incident response process for supply chain attacks.

    • Disclose supply chain incidents and notify customers with accurate and timely information.

Defending corporate networks against supply chain attacks

Software supply chain attacks raise new challenges in security given that they take advantage of common everyday tasks like software installation and update. Given the increasing prevalence of these types of attacks, organizations should investigate the following security solutions:

  • Adopt a walled garden ecosystem for devices, especially for critical systems.Windows 10 in S mode is designed to allow only apps installed from the Microsoft Store, ensuring Microsoft-verified security
  • Deploy strong code integrity policies.Application control can be used to restrict the applications that users are allowed to run. It also restricts the code that runs in the system core (kernel) and can block unsigned scripts and other forms of untrusted code for customers who cant fully adopt Windows 10 in S mode.
  • Use endpoint detection and response (EDR) solutions.Endpoint detection and response capabilities in Windows Defender ATP can automatically detect and remediate suspicious activities and other post-breach actions, so even when entry vector is stealthy like for software supply chain, Windows Defender ATP can help to detect and contain such incidents sooner.

In supply chain attacks, the actual compromise happens outside the network, but organizations can detect and block malware that arrive through this method. The built-in security technologies in Windows Defender Advanced Threat Protection (Windows Defender ATP) work together to create a unified endpoint security platform. For example, as demonstrated in this investigation, antivirus capabilities detected the coin mining payload. The detection was surfaced on Windows Defender ATP, where automated investigation resolved the attack, protecting customers. The rich alert timeline and advanced hunting capabilities in Windows Defender ATP showed the extent of the software supply chain attack. Through this unified platform, Windows Defender ATP delivers attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, and advanced hunting.



Elia Florio
with Lior Ben Porat
Windows Defender ATP Research team



Indicators of compromise (IOCs)

Malicious MSI font packages:
– a69a40e9f57f029c056d817fe5ce2b3a1099235ecbb0bcc33207c9cff5e8ffd0
– ace295558f5b7f48f40e3f21a97186eb6bea39669abcfa72d617aa355fa5941c
– 23c5e9fd621c7999727ce09fd152a2773bc350848aedba9c930f4ae2342e7d09
– 69570c69086e335f4b4b013216aab7729a9bad42a6ce3baecf2a872d18d23038

Malicious DLLs embedded in MSI font packages:
– b306264d6fc9ee22f3027fa287b5186cf34e7fb590d678ee05d1d0cff337ccbf

Coin miner malware:
– fcf64fc09fae0b0e1c01945176fce222be216844ede0e477b4053c9456ff023e (xbox-service.exe)
– 1d596d441e5046c87f2797e47aaa1b6e1ac0eabb63e119f7ffb32695c20c952b (pagefile.sys)

Software supply chain download server:
– hxxp://vps11240[.]hyperhost[.]name/escape/[some_font_package].msi (IP: 91[.]235 [.]129 [.]133)

Command-and-control/coin mining:
– hxxp://data28[.]somee [.]com/data32[.]zip
– hxxp://carma666[.]byethost12 [.]com/32[.]html





Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Taking apart a double zero-day sample discovered in joint hunt with ESET

In late March 2018, I analyzed an interesting PDF sample found by ESET senior malware researcher Anton Cherpanov. The sample was initially reported to Microsoft as a potential exploit for an unknown Windows kernel vulnerability. During my investigation in parallel with ESET researchers, I was surprised to discover two new zero-day exploits in the same PDF. One exploit affected Adobe Acrobat and Reader, while the other exploit affected older platforms, Windows 7 and Windows Server 2008. Microsoft and Adobe have since released corresponding security updates:

The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape Adobe Reader sandbox and run with elevated privileges from Windows kernel memory. ESET provided an analysis of the exploitation routines in the sample PDF.

Although the PDF sample was found in VirusTotal, we have not observed actual attacks perpetrated using these exploits. The exploit was in early development stage, given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code.

Finding and neutralizing a double zero-day exploit before an attacker had a chance to use it was an amazing result of the great collaboration between ESET, Microsoft, and Adobe security researchers.

Heres some more information about the exploit process. This analysis is based on a sample we found after additional hunting (SHA-256: 4b672deae5c1231ea20ea70b0bf091164ef0b939e2cf4d142d31916a169e8e01).

Exploit overview

The Adobe Acrobat and Reader exploit is incorporated in a PDF document as a malicious JPEG 2000 stream containing the JavaScript exploit code. The following diagram provides an overview of the exploit process.

Figure 1. Overview of the exploit process

As shown in the diagram, the exploit process takes place in several stages:

  1. JavaScript lays out heap spray memory.
  2. Malicious JPEG 2000 stream triggers an out-of-bounds access operation.
  3. The access operation is called upon out-of-bounds memory laid out by the heap spray.
  4. The access operation corrupts the virtual function table (vftable).
  5. The corrupted vftable transfers execution to a return-oriented programming (ROP) chain.
  6. The ROP chain transfers execution to the main shellcode.
  7. The main elevation-of-privilege (EoP) module loads through reflective DLL loading.
  8. The main PE module launches the loaded Win32k EoP exploit.
  9. When the EoP exploit succeeds, it drops a .vbs file in the Startup folder. The .vbs file appears to be proof-of-concept malware designed to download additional payloads.

Malicious JPEG 2000 stream

The malicious JPEG 2000 stream is embedded with the following malicious tags.

Figure 2. Malicious JPEG 2000 stream

The following image shows the CMAP and PCLR tags with malicious values. The length of CMAP array (0xfd) is smaller than the index value (0xff) referenced in PCLR tagsthis results in the exploitation of the out-of-bounds memory free vulnerability.

Figure 3. Out-of-bounds index of CMAP array

Combined with heap-spray technique used in the JavaScript, the out-of-bounds exploit leads to corruption of the vftable.

Figure 4. vftable corruption with ROP chain to code execution

The shellcode and portable executable (PE) module is encoded in JavaScript.

Figure 5 Shellcode in JavaScript

Reflective DLL loading

The shellcode (pseudocode shown below) loads the main PE module through reflective DLL loading, a common technique seen in advanced attacks to attempt staying undetected in memory. On Windows 10, the reflective DLL loading technique is exposed by Windows Defender Advanced Threat Protection (Windows Defender ATP).

The shellcode searches for the start of the PE record and parses PE sections, copying them to the newly allocated memory area. It then passes control to an entry point in the PE module.

Figure 6. Copying PE sections to allocated memory

Figure 7. Passing control to an entry point in the loaded DLL

Main Win32k EoP exploit

The main Win32k elevation-of-privilege (EoP) exploit runs from the loaded PE module. It appears to target machines running Windows 7 SP1 and takes advantage of the previously unreported CVE-2018-8120 vulnerability, which is not present on Windows 10 and newer products. The exploit uses a NULL page to pass malicious records and copy arbitrary data to an arbitrary kernel location. The NULL page dereference exploitation technique is also mitigated by default for x64 platforms running Windows 8 or later.

Figure 8. EoP exploit flow

Heres how the main exploit proceeds:

  1. The exploit calls NtAllocateVirtualMemory following sgdt instructions to allocate a fake data structure at the NULL page.
  2. It passes a malformed MEINFOEX structure to the SetImeInfoEx Win32k kernel function.
  3. SetImeInfoEx picks up the fake data structure allocated at the NULL page.
  4. The exploit uses the fake data structure to copy malicious instructions to +0x1a0 on the Global Descriptor Table (GDT).
  5. It calls an FWORD instruction to call into the fake GDT entry instructions.
  6. The exploit successfully calls instructions in the fake GDT entry.
  7. The instructions run shellcode allocated in user mode from kernel mode memory space.
  8. The exploit modifies the EPROCESS.Token of the shellcode process to grant SYSTEM privileges.

On Windows 10, the EPROCESS.Token modification behavior would be surfaced by Windows Defender ATP.

The malformed IMEINFOEX structure in combination with fake data at the NULL page triggers corruption of the GDT entry as shown below.

Figure 9. Corrupted GDT entry

The corrupted GDT has actual instructions that run through call gate through a call FWORD instruction.

Figure 10. Patched GDT entry instructions

After returning from these instructions, the extended instruction pointer (EIP) returns to the caller code in user space with kernel privileges. The succeeding code elevates privileges of the current process by modifying the process token to SYSTEM.

Figure 11. Replacing process token pointer


After privilege escalation, the exploit code drops the .vbs, a proof-of-concept malware, into the local Startup folder.

Figure 12. Code that drops the .vbs file to the Startup folder

Recommended defenses

To protect against attacks leveraging the exploits found in the PDF:

While we have not seen attacks distributing the PDF, Office 365 Advanced Threat Protection (Office 365 ATP) would block emails that carry malformed PDF and other malicious attachments. Office 365 ATP uses a robust detonation platform, heuristics, and machine learning to inspect attachments and links for malicious content in real-time.

Windows 10 users are not impacted by the dual exploits, thanks to platform hardening and exploit mitigations. For attacks against Windows 10, Windows Defender Advanced Threat Protection (Windows Defender ATP) would surface kernel attacks with similar exploitation techniques that use process token modification to elevate privileges, as shown below (sample process privilege escalation alert).

Figure 13. Sample Windows Defender ATP alert for process token modification

With Advanced hunting in Windows Defender ATP, customers can hunt for related exploit activity using the following query we added to the Github repository:

Figure 14. Advanced hunting query

Windows Defender ATP provides complete endpoint protection platform (EPP) and endpoint detection response (EDR) solutions for Windows 10, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. Additional support for devices running Windows 7 and Windows 8.1 is currently in preview. Additionally, Windows Defender ATP can surface threats on macOS, Linux, and Android devices via security partners.

Windows Defender ATP integrates with other technologies in Windows, Office 365, and Enterprise Mobility + Security platforms to automatically update protection and detection and orchestrate remediation across Microsoft 365.

To experience the power of Windows Defender ATP for yourself, sign up for a free trial now.

Indicators of compromise

SHA-256: dd4e4492fecb2f3fe2553e2bcedd44d17ba9bfbd6b8182369f615ae0bd520933
SHA-1: 297aef049b8c6255f4461affdcfc70e2177a71a9
File type: PE
Description: Win32k exploit

SHA-256: 4b672deae5c1231ea20ea70b0bf091164ef0b939e2cf4d142d31916a169e8e01
SHA-1: 0d3f335ccca4575593054446f5f219eba6cd93fe
File type: PDF
Description: Test exploit

SHA-256: 0608c0d26bdf38e064ab3a4c5c66ff94e4907ccaf98281a104fd99175cdf54a8
SHA-1: c82cfead292eeca601d3cf82c8c5340cb579d1c6
File type: PDF
Description: PDF exploit testing sample (Win32k part missing)

SHA-256: d2b7065f7604039d70ec393b4c84751b48902fe33d021886a3a96805cede6475
SHA-1: edeb1de93dce5bb84752276074a57937d86f2cf7
File type: JavaScript
Description: JavaScript embedded in 0608c0d26bdf38e064ab3a4c5c66ff94e4907ccaf98281a104fd99175cdf54a8



Matt Oh
Windows Defender ATP Research





Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.


Machine learning vs. social engineering

Machine learning is a key driver in the constant evolution of security technologies at Microsoft. Machine learning allows Microsoft 365 to scale next-gen protection capabilities and enhance cloud-based, real-time blocking of new and unknown threats. Just in the last few months, machine learning has helped us to protect hundreds of thousands of customers against ransomware, banking Trojan, and coin miner malware outbreaks.

But how does machine learning stack up against social engineering attacks?

Social engineering gives cybercriminals a way to get into systems and slip through defenses. Security investments, including the integration of advanced threat protection services in Windows, Office 365, and Enterprise Mobility + Security into Microsoft 365, have significantly raised the cost of attacks. The hardening of Windows 10 and Windows 10 in S mode, the advancement of browser security in Microsoft Edge, and the integrated stack of endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) further raise the bar in security. Attackers intent on overcoming these defenses to compromise devices are increasingly reliant on social engineering, banking on the susceptibility of users to open the gate to their devices.

Modern social engineering attacks use non-portable executable (PE) files like malicious scripts and macro-laced documents, typically in combination with social engineering lures. Every month, Windows Defender AV detects non-PE threats on over 10 million machines. These threats may be delivered as email attachments, through drive-by web downloads, removable drives, browser exploits, etc. The most common non-PE threat file types are JavaScript and VBScript.

Figure 1. Ten most prevalent non-PE threat file types encountered by Windows Defender AV

Non-PE threats are typically used as intermediary downloaders designed to deliver more dangerous executable malware payloads. Due to their flexibility, non-PE files are also used in various stages of the attack chain, including lateral movement and establishing fileless persistence. Machine learning allows us to scale protection against these threats in real-time, often protecting the first victim (patient zero).

Catching social engineering campaigns big and small

In mid-May, a small-scale, targeted spam campaign started distributing spear phishing emails that spoofed a landscaping business in Calgary, Canada. The attack was observed targeting less than 100 machines, mostly located in Canada. The spear phishing emails asked target victims to review an attached PDF document.

When opened, the PDF document presents itself as a secure document that requires action a very common social engineering technique used in enterprise phishing attacks. To view the supposed secure document, the target victim is instructed to click a link within the PDF, which opens a malicious website with a sign-in screen that asks for enterprise credentials.

Phished credentials can then be used for further attacks, including CEO fraud, additional spam campaigns, or remote access to the network for data theft or ransomware. Our machine learning blocked the PDF file as malware (Trojan:Script/Cloxer.A!cl) from the get-go, helping prevent the attack from succeeding.

Figure 2. Phishing email campaign with PDF attachment

Beyond targeted credential phishing attacks, we commonly see large-scale malware campaigns that use emails with archive attachments containing malicious VBScript or JavaScript files. These emails typically masquerade as an outstanding invoice, package delivery, or parking ticket, and instruct targets of the attack to refer to the attachment for more details. If the target opens the archive and runs the script, the malware typically downloads and runs further threats like ransomware or coin miners.

Figure 3. Typical social engineering email campaign with an archive attachment containing a malicious script

Malware campaigns like these, whether limited and targeted or large-scale and random, occur frequently. Attackers go to great lengths to avoid detection by heavily obfuscating code and modifying their attack code for each spam wave. Traditional methods of manually writing signatures identifying patterns in malware cannot effectively stop these attacks. The power of machine learning is that it is scalable and can be powerful enough to detect noisy, massive campaigns, but also specific enough to detect targeted attacks with very few signals. This flexibility means that we can stop a wide range of modern attacks automatically at the onset.

Machine learning models zero in on non-executable file types

To fight social engineering attacks, we build and train specialized machine learning models that are designed for specific file types.

Building high-quality specialized models requires good features for describing each file. For each file type, the full contents of hundreds of thousands of files are analyzed using large-scale distributed computing. Using machine learning, the best features that describe the content of each file type are selected. These features are deployed to the Windows Defender AV client to assist in describing the content of each file to machine learning models.

In addition to these ML-learned features, the models leverage expert researcher-created features and other useful file metadata to describe content. Because these ML models are trained for specific file types, they can zone in on the metadata of these file types.

Figure 4. Specialized file type-specific client ML models are paired with heavier cloud ML models to classify and protect against malicious script files in real-time

When the Windows Defender AV client encounters an unknown file, lightweight local ML models search for suspicious characteristics in the files features. Metadata for suspicious files are sent to the cloud protection service, where an array of bigger ML classifiers evaluate the file in real-time.

In both the client and the cloud, specialized file-type ML classifiers add to generic ML models to create multiple layers of classifiers that detect a wide range of malicious behavior. In the backend, deep-learning neural network models identify malicious scripts based on their full file content and behavior during detonation in a controlled sandbox. If a file is determined malicious, it is not allowed to run, preventing infection at the onset.

File type-specific ML classifiers are part of metadata-based ML models in the Windows Defender AV cloud protection service, which can make a verdict on suspicious files within a fraction of a second.

Figure 5. Layered machine learning models in Windows Defender ATP

File type-specific ML classifiers are also leveraged by ensemble models that learn and combine results from the whole array of cloud classifiers. This produces a comprehensive cloud-based machine learning stack that can protect against script-based attacks, including zero-day malware and highly targeted attacks. For example, the targeted phishing attack in mid-May was caught by a specialized PDF client-side machine learning model, as well as several cloud-based machine learning models, protecting customers in real-time.

Microsoft 365 threat protection powered by artificial intelligence and data sharing

Social engineering attacks that use non-portable executable (PE) threats are pervasive in todays threat landscape; the impact of combating these threats through machine learning is far-reaching.

Windows Defender AV combines local machine learning models, behavior-based detection algorithms, generics, and heuristics with a detonation system and powerful ML models in the cloud to provide real-time protection against polymorphic malware. Expert input from researchers, advanced technologies like Antimalware Scan Interface (AMSI), and rich intelligence from the Microsoft Intelligent Security Graph continue to enhance next-generation endpoint protection platform (EPP) capabilities in Windows Defender Advanced Threat Protection.

In addition to antivirus, components of Windows Defender ATPs interconnected security technologies defend against the multiple elements of social engineering attacks. Windows Defender SmartScreen in Microsoft Edge (also now available as a Google Chrome extension) blocks access to malicious URLs, such as those found in social engineering emails and documents. Network protection blocks malicious network communications, including those made by malicious scripts to download payloads. Attack surface reduction rules in Windows Defender Exploit Guard block Office-, script-, and email-based threats used in social engineering attacks. On the other hand, Windows Defender Application Control can block the installation of untrusted applications, including malware payloads of intermediary downloaders. These security solutions protect Windows 10 and Windows 10 in S mode from social engineering attacks.

Further, Windows Defender ATP endpoint detection and response (EDR) uses the power of machine learning and AMSI to unearth script-based attacks that live off the land. Windows Defender ATP allows security operations teams to detect and mitigate breaches and cyberattacks using advanced analytics and a rich detection library. With the April 2018 Update, automated investigation and advance hunting capabilities further enhance Windows Defender ATP. Sign up for a free trial.

Machine learning also powers Office 365 Advanced Threat Protection to detect non-PE attachments in social engineering spam campaigns that distribute malware or steal user credentials. This enhances the Office 365 ATP comprehensive and multi-layered solution to protect mailboxes, files, online storage, and applications against threats.

These and other technologies power Microsoft 365 threat protection to defend the modern workplace. In Windows 10 April 2018 Update, we enhanced signal sharing across advanced threat protection services in Windows, Office 365, and Enterprise Mobility + Security through the Microsoft Intelligent Security Graph. This integration enables these technologies to automatically update protection and detection and orchestrate remediation across Microsoft 365.


Gregory Ellison and Geoff McDonald
Windows Defender Research





Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

How artificial intelligence stopped an Emotet outbreak

February 14th, 2018 No comments

At 12:46 a.m. local time on February 3, a Windows 7 Pro customer in North Carolina became the first would-be victim of a new malware attack campaign for Trojan:Win32/Emotet. In the next 30 minutes, the campaign tried to attack over a thousand potential victims, all of whom were instantly and automatically protected by Windows Defender AV.

How did Windows Defender AV uncover the newly launched attack and block it at the outset? Through layered machine learning, including use of both client-side and cloud machine learning (ML) models. Every day, artificial intelligence enables Windows Defender AV to stop countless malware outbreaks in their tracks. In this blog post, well take a detailed look at how the combination of client and cloud ML models detects new outbreaks.

Figure 1. Layered detected model in Windows Defender AV

Client machine learning models

The first layer of machine learning protection is an array of lightweight ML models built right into the Windows Defender AV client that runs locally on your computer. Many of these models are specialized for file types commonly abused by malware authors, including, JavaScript, Visual Basic Script, and Office macro. Some models target behavior detection, while other models are aimed at detecting portable executable (PE) files (.exe and .dll).

In the case of the Emotet outbreak on February 3, Windows Defender AV caught the attack using one of the PE gradient boosted tree ensemble models. This model classifies files based on a featurization of the assembly opcode sequence as the file is emulated, allowing the model to look at the files behavior as it was simulated to run.

Figure 2. A client ML model classified the Emotet outbreak as malicious based on emulated execution opcode machine learning model.

The tree ensemble was trained using LightGBM, a Microsoft open-source framework used for high-performance gradient boosting.

Figure 3a. Visualization of the LightBGM-trained client ML model that successfully classified Emotet’s emulation behavior as malicious. A set of 20 decision trees are combined in this model to classify whether the files emulated behavior sequence is malicious or not.

Figure 3b. A more detailed look at the first decision tree in the model. Each decision is based on the value of a different feature. Green triangles indicate weighted-clean decision result; red triangles indicate weighted malware decision result for the tree.

When the client-based machine learning model predicts a high probability of maliciousness, a rich set of feature vectors is then prepared to describe the content. These feature vectors include:

  • Behavior during emulation, such as API calls and executed code
  • Similarity fuzzy hashes
  • Vectors of content descriptive flags optimized for use in ML models
  • Researcher-driven attributes, such as packer technology used for obfuscation
  • File name
  • File size
  • Entropy level
  • File attributes, such as number of sections
  • Partial file hashes of the static and emulated content

This set of features form a signal sent to the Windows Defender AV cloud protection service, which runs a wide array of more complex models in real-time to instantly classify the signal as malicious or benign.

Real-time cloud machine learning models

Windows Defender AVs cloud-based real-time classifiers are powerful and complex ML models that use a lot of memory, disk space, and computational resources. They also incorporate global file information and Microsoft reputation as part of the Microsoft Intelligent Security Graph (ISG) to classify a signal. Relying on the cloud for these complex models has several benefits. First, it doesnt use your own computers precious resources. Second, the cloud allows us to take into consideration the global information and reputation information from ISG to make a better decision. Third, cloud-based models are harder for cybercriminals to evade. Attackers can take a local client and test our models without our knowledge all day long. To test our cloud-based defenses, however, attackers have to talk to our cloud service, which will allow us to react to them.

The cloud protection service is queried by Windows Defender AV clients billions of times every day to classify signals, resulting in millions of malware blocks per day, and translating to protection for hundreds of millions of customers. Today, the Windows Defender AV cloud protection service has around 30 powerful models that run in parallel. Some of these models incorporate millions of features each; most are updated daily to adapt to the quickly changing threat landscape. All together, these classifiers provide an array of classifications that provide valuable information about the content being scanned on your computer.

Classifications from cloud ML models are combined with ensemble ML classifiers, reputation-based rules, allow-list rules, and data in ISG to come up with a final decision on the signal. The cloud protection service then replies to the Windows Defender client with a decision on whether the signal is malicious or not all in a fraction of a second.

Figure 4. Windows Defender AV cloud protection service workflow.

In the Emotet outbreak, one of our cloud ML servers in North America received the most queries from customers; corresponding to where the outbreak began. At least nine real-time cloud-based ML classifiers correctly identified the file as malware. The cloud protection service replied to signals instructing the Windows Defender AV client to block the attack using two of our ML-based threat names, Trojan:Win32/Fuerboos.C!cl and Trojan:Win32/Fuery.A!cl.

This automated process protected customers from the Emotet outbreak in real-time. But Windows Defender AVs artificial intelligence didnt stop there.

Deep learning on the full file content

Automatic sample submission, a Windows Defender AV feature, sent a copy of the malware file to our backend systems less than a minute after the very first encounter. Deep learning ML models immediately analyzed the file based on the full file content and behavior observed during detonation. Not surprisingly, deep neural network models identified the file as a variant of Trojan:Win32/Emotet, a family of banking Trojans.

While the ML classifiers ensured that the malware was blocked at first sight, deep learning models helped associate the threat with the correct malware family. Customers who were protected from the attack can use this information to understand the impact the malware might have had if it were not stopped.

Additionally, deep learning models provide another layer of protection: in relatively rare cases where real-time classifiers are not able to come to a conclusive decision about a file, deep learning models can do so within minutes. For example, during the Bad Rabbit ransomware outbreak, Windows Defender AV protected customers from the new ransomware just 14 minutes after the very first encounter.

Intelligent real-time protection against modern threats

Machine learning and AI are at the forefront of the next-gen real-time protection delivered by Windows Defender AV. These technologies, backed by unparalleled optics into the threat landscape provided by ISG as well as world-class Windows Defender experts and researchers, allow Microsoft security products to quickly evolve and scale to defend against the full range of attack scenarios.

Cloud-delivered protection is enabled in Windows Defender AV by default. To check that its running, go to Windows Settings > Update & Security > Windows Defender. Click Open Windows Defender Security Center, then navigate to Virus & threat protection > Virus &threat protection settings, and make sure that Cloud-delivered protection and Automatic sample submission are both turned On.

In enterprise environments, the Windows Defender AV cloud protection service can be managed using Group Policy, System Center Configuration Manager, PowerShell cmdlets, Windows Management Instruction (WMI), Microsoft Intune, or via the Windows Defender Security Center app.

The intelligent real-time defense in Windows Defender AV is part of the next-gen security technologies in Windows 10 that protect against a wide spectrum of threats. Of particular note, Windows 10 S is not affected by this type of malware attack. Threats like Emotet wont run on Windows 10 S because it exclusively runs apps from the Microsoft Store. Learn more about Windows 10 S. To know about all the security technologies available in Windows 10, read Microsoft 365 security and management features available in Windows 10 Fall Creators Update.


Geoff McDonald, Windows Defender Research
with Randy Treit and Allan Sepillo



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017

January 10th, 2018 No comments

Adopting reliable attack methods and techniques borrowed from more evolved threat types, ransomware attained new levels of reach and damage in 2017. The following trends characterize the ransomware narrative in the past year:

  • Three global outbreaks showed the force of ransomware in making real-world impact, affecting corporate networks and bringing down critical services like hospitals, transportation, and traffic systems
  • Three million unique computers encountered ransomware; millions more saw downloader trojans, exploits, emails, websites and other components of the ransomware kill chain
  • New attack vectors, including compromised supply chain, exploits, phishing emails, and documents taking advantage of the DDE feature in Office were used to deliver ransomware
  • More than 120 new ransomware families, plus countless variants of established families and less prevalent ransomware caught by heuristic and generic detections, emerged from a thriving cybercriminal enterprise powered by ransomware-as-a-service

The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices. Considering that Windows 10 has a much larger install base than Windows 7, this difference in ransomware encounter rate is significant.

Figure 1. Ransomware encounter rates on Windows 7 and Windows 10 devices. Encounter rate refers to the percentage of computers running the OS version with Microsoft real-time security that blocked or detected ransomware.

The data shows that attackers are targeting Windows 7. Given todays modern threats, older platforms can be infiltrated more easily because these platforms dont have the advanced built-in end-to-end defense stack available on Windows 10. Continuous enhancements further make Windows 10 more resilient to ransomware and other types of attack.

Windows 10: Multi-layer defense against ransomware attacks

The year 2017 saw three global ransomware outbreaks driven by multiple propagation and infection techniques that are not necessarily new but not typically observed in ransomware. While there are technologies available on Windows 7 to mitigate attacks, Windows 10s comprehensive set of platform mitigations and next-generation technologies cover these attack methods. Additionally, Windows 10 S, which is a configuration of Windows 10 thats streamlined for security and performance, locks down devices against ransomware outbreaks and other threats.

In May, WannaCry (Ransom:Win32/WannaCrypt) caused the first global ransomware outbreak. It used EternalBlue, an exploit for a previously fixed SMBv1 vulnerability, to infect computers and spread across networks at speeds never before observed in ransomware.

On Windows 7, Windows AppLocker and antimalware solutions like Microsoft Security Essentials and System Center Endpoint Protection (SCEP) can block the infection process. However, because WannaCry used an exploit to spread and infect devices, networks with vulnerable Windows 7 devices fell victim. The WannaCry outbreak highlighted the importance of keeping platforms and software up-to-date, especially with critical security patches.

Windows 10 was not at risk from the WannaCry attack. Windows 10 has security technologies that can block the WannaCry ransomware and its spreading mechanism. Built-in exploit mitigations on Windows 10 (KASLR, NX HAL, and PAGE POOL), as well as kCFG (control-flow guard for kernel) and HVCI (kernel code-integrity), make Windows 10 much more difficult to exploit.

Figure 2. Windows 7 and Windows 10 platform defenses against WannaCry

In June, Petya (Ransom:Win32/Petya.B) used the same exploit that gave WannaCry its spreading capabilities, and added more propagation and infection methods to give birth to arguably the most complex ransomware in 2017. Petyas initial infection vector was a compromised software supply chain, but the ransomware quickly spread using the EternalBlue and EternalRomance exploits, as well as a module for lateral movement using stolen credentials.

On Windows 7, Windows AppLocker can stop Petya from infecting the device. If a Windows 7 device is fully patched, Petyas exploitation behavior did not work. However, Petya also stole credentials, which it then used to spread across networks. Once running on a Windows 7 device, only an up-to-date antivirus that had protection in place at zero hour could stop Petya from encrypting files or tampering with the master boot record (MBR).

On the other hand, on Windows 10, Petya had more layers of defenses to overcome. Apart from Windows AppLocker, Windows Defender Application Control can block Petyas entry vector (i.e., compromised software updater running an untrusted binary), as well as the propagation techniques that used untrusted DLLs. Windows 10s built-in exploit mitigations can further protect Windows 10 devices from the Petya exploit. Credential Guard can prevent Petya from stealing credentials from local security authority subsystem service (LSASS), helping curb the ransomwares propagation technique. Meanwhile, Windows Defender System Guard (Secure Boot) can stop the MBR modified by Petya from being loaded at boot time, preventing the ransomware from causing damage to the master file table (MFT).

Figure 3. Windows 7 and Windows 10 platform defenses against Petya

In October, another sophisticated ransomware reared its ugly head: Bad Rabbit ransomware (Ransom:Win32/Tibbar.A) infected devices by posing as an Adobe Flash installer available for download on compromised websites. Similar to WannaCry and Petya, Bad Rabbit had spreading capabilities, albeit more traditional: it used a hardcoded list of user names and passwords. Like Petya, it can also render infected devices unbootable, because, in addition to encrypting files, it also encrypted entire disks.

On Windows 7 devices, several security solutions technologies can block the download and installation of the ransomware, but protecting the device from the damaging payload and from infecting other computers in the network can be tricky.

With Windows 10, however, in addition to stronger defense at the infection vector, corporate networks were safer from this damaging threat because several technologies are available to stop or detect Bad Rabbits attempt to spread across networks using exploits or hardcoded user names and passwords.

More importantly, during the Bad Rabbit outbreak, detonation-based machine learning models in Windows Defender AV cloud protection service, with no human intervention, correctly classified the malware 14 minutes after the very first encounter. The said detonation-based ML models are a part of several layers of machine learning and artificial intelligence technologies that evaluate files in order to reach a verdict on suspected malware. Using this layered approach, Windows Defender AV protected Windows 10 devices with cloud protection enabled from Bad Rabbit within minutes of the outbreak.

Figure 4. Windows 7 and Windows 10 platform defenses against Bad Rabbit

As these outbreaks demonstrated, ransomware has indeed become a highly complex threat that can be expected to continue evolving in 2018 and beyond. The multiple layers of next-generation security technologies on Windows 10 are designed to disrupt the attack methods that we have previously seen in highly specialized malware but now also see in ransomware.

Ransomware protection on Windows 10

For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files.

Controlled folder access, however, is but one layer of defense. Ransomware and other threats from the web can be blocked by Microsoft Edge, whose exploit mitigation and sandbox features make it a very secure browser. Microsoft Edge significantly improves web security by using Windows Defender SmartScreens reputation-based blocking of malicious downloads and by opening pages within low-privilege app containers.

Windows Defender Antivirus also continues to enhance defense against threats like ransomware. Its advanced generic and heuristic techniques and layered machine learning models help catch both common and rare ransomware families. Windows Defender AV can detect and block most malware, including never-before-seen ransomware, using generics and heuristics, local ML models, and metadata-based ML models in the cloud. In rare cases that a threat slips past these layers of protection, Windows Defender AV can protect patient zero in real-time using analysis-based ML models, as demonstrated in a real-life case scenario where a customer was protected from a very new Spora ransomware in a matter of seconds. In even rarer cases of inconclusive initial classification, additional automated analysis and ML models can still protect customers within minutes, as what happened during the Bad Rabbit outbreak.

Windows 10 S locks down devices from unauthorized content by working exclusively with apps from the Windows Store and by using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common entry points for ransomware and other threats.

Reducing the attack surface for ransomware and other threats in corporate networks

For enterprises and small businesses, the impact of ransomware is graver. Losing access to files can mean disrupted operations. Big enterprise networks, including critical infrastructures, fell victim to ransomware outbreaks. The modern enterprise network is under constant assault by attackers and needs to be defended on all fronts.

Windows Defender Exploit Guard locks down devices against a wide variety of attack vectors. Its host intrusion prevention capabilities include the following components, which block behaviors commonly used in malware attacks:

  • Attack Surface Reduction (ASR) is a set of controls that blocks common ransomware entry points: Office-, script-, and email-based threats that download and install ransomware; ASR can also protect from emerging exploits like DDEDownloader, which has been used to distribute ransomware
  • Network protection uses Windows Defender SmartScreen to block outbound connections to untrusted hosts, such as when trojan downloaders connect to a malicious server to obtain ransomware payloads
  • Controlled folder access blocks ransomware and other untrusted processes from accessing protected folders and encrypting files in those folders
  • Exploit protection (replacing EMET) provides mitigation against a broad set of exploit techniques that are now being used by ransomware authors

Additionally, the industry-best browser security in Microsoft Edge is enhanced by Windows Defender Application Guard, which brings Azure cloud grade isolation and security segmentation to Windows applications. This hardware isolation-level capability provides one of the highest levels of protection against zero-day exploits, unpatched vulnerabilities, and web-based malware.

For emails, Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers against ransomware attacks that begin with email. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Integrated security for enterprises

Windows Defender Advanced Threat Protection allows SecOps personnel to stop the spread of ransomware through timely detection of ransomware activity in the network. Windows Defender ATPs enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware attack kill-chain, enabling SecOps to promptly investigate and respond to ransomware attacks.

With Windows 10 Fall Creators Update, Windows Defender ATP was expanded to include seamless integration across the entire Windows protection stack, including Windows Defender Exploit Guard, Windows Defender Application Guard, and Windows Defender AV. This integration is designed to provide a single pane of glass for a seamless security management experience.

With all of these security technologies, Microsoft has built the most secure Windows version ever with Windows 10. While the threat landscape will continue to evolve in 2018 and beyond, we dont stop innovating and investing in security solutions that continue to harden Windows 10 against attacks. The twice-per-year feature update release cycle reflects our commitment to innovate and to make it easier to disrupt successful attack techniques with new protection features. Upgrading to Windows 10 not only means decreased risk; it also means access to advanced, multi-layered defense against ransomware and other types of modern attacks.


Tanmay Ganacharya (@tanmayg)
Principal Group Manager, Windows Defender Research



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.


Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses

December 11th, 2017 No comments

Windows Defender Antivirus uses a layered approach to protection: tiers of advanced automation and machine learning models evaluate files in order to reach a verdict on suspected malware. While Windows Defender AV detects a vast majority of new malware files at first sight, we always strive to further close the gap between malware release and detection.

In a previous blog post, we looked at a real-world case study showing how Windows Defender Antivirus cloud protection service leverages next-gen security technologies to save “patient zero” from new malware threats in real-time. In that case study, a new Spora ransomware variant was analyzed and blocked within seconds using a deep neural network (DNN) machine learning classifier in the cloud. In this blog post well look at how additional automated analysis and machine learning models can further protect customers within minutes in rare cases where initial classification is inconclusive.

Layered machine learning models

In Windows Defender AVs layered approach to defense, if the first layer doesnt detect a threat, we move on to the next level of inspection. As we move down the layers, the amount of time required increases. However, we catch the vast majority of malware at the first (fastest) protection layers and only need to move on to a more sophisticated (but slower) level of inspection for rarer/more advanced threats.

For example, the vast majority of scanned objects are evaluated by the local Windows Defender client machine learning models, behavior-based detection algorithms, generic and heuristic classifications, and more. This helps ensure that users get the best possible performance. In rare cases where local intelligence cant reach a definitive verdict, Windows Defender AV will use the cloud for deeper analysis.

Figure 1. Layered detection model

For a more detailed look at our approach to protection, see The evolution of malware prevention.

Detonation-based machine learning classification

We use a variety of machine learning models that use different algorithms to predict whether a certain file is malware. Some of these algorithms are binary classifiers that give a strict clean-or-malware verdict (0 or 1), while others are multi-class classifiers that provide a probability for each classification (malware, clean, potentially unwanted application, etc). Each machine learning model is trained against a set of different features (often thousands, sometimes hundreds of thousands) to learn to distinguish between different kinds of programs.

For the fastest classifiers in our layered stack, the features may include static attributes of the file combined with events (for example, API calls or behaviors) seen while the scanning engine emulates the file using dynamic translation. If the results from these models are inconclusive, well take an even more in-depth look at what the malware does by actually executing it in a sandbox and observing its run-time behavior. This is known as dynamic analysis, or detonation, and happens automatically whenever we receive a new suspected malware sample.

The activities seen in the sandbox machine (for example, registry changes, file creation/deletion, process injection, network connections, and so forth) are recorded and provided as features to our ML models. These models can then combine both the static features obtained from scanning the file with the dynamic features observed during detonation to arrive at an even stronger prediction.

Figure 2. Detonation-based machine learning classification

Ransom:Win32/Tibbar.A Protection in 14 minutes

On October 24, 2017, in the wake of recent ransomware outbreaks such as Wannacry and NotPetya, news broke of a new threat spreading, primarily in Ukraine and Russia: Ransom:Win32/Tibbar.A (popularly known as Bad Rabbit).

This threat is a good example of how detonation-based machine learning came into play to protect Windows Defender AV customers. First though, lets look at what happened to patient zero.

At 11:17 a.m. local time on October 24, a user running Windows Defender AV in St. Petersburg, Russia was tricked into downloading a file named FlashUtil.exe from a malicious website. Instead of a Flash update, the program was really the just-released Tibbar ransomware.

Windows Defender AV scanned the file and determined that it was suspicious. A query was sent to the cloud protection service, where several metadata-based machine learning models found the file suspicious, but not with a high enough probability to block. The cloud protection service requested that Windows Defender AV client to lock the file, upload it for processing, and wait for a decision.

Within a few seconds the file was processed, and sample-analysis-based ML models returned their conclusions. In this case, a multi-class deep neural network (DNN) machine learning classifier correctly classified the Tibbar sample as malware, but with only an 81.6% probability score. In order to avoid false positives, cloud protection service is configured by default to require at least 90% probability to block the malware (these thresholds are continually evaluated and fine-tuned to find the right balance between blocking malware while avoiding the blocking of legitimate programs). In this case, the ransomware was allowed to run.

Figure 3. Ransom:Win32/Tibbar.A ransom note

Detonation chamber

In the meantime, while patient zero and eight other unfortunate victims (in Ukraine, Russia, Israel, and Bulgaria) contemplated whether to pay the ransom, the sample was detonated and details of the system changes made by the ransomware were recorded.

Figure 4. Sample detonation events used by the machine learning model

As soon as the detonation results were available, a multi-class deep neural network (DNN) classifier that used both static and dynamic features evaluated the results and classified the sample as malware with 90.7% confidence, high enough for the cloud to start blocking.

When a tenth Windows Defender AV customer in the Ukraine was tricked into downloading the ransomware at 11:31 a.m. local time, 14 minutes after the first encounter, cloud protection service used the detonation-based malware classification to immediately block the file and protect the customer.

At this point the cloud protection service had “learned” that this file was malware. It now only required metadata from the client with the hash of the file to issue blocking decisions and protect customers. As the attack gained momentum and began to spread, Windows Defender AV customers with cloud protection enabled were protected. Later, a more specific detection was released to identify the malware as Ransom:Win32/Tibbar.A.

Closing the gap

While we feel good about Windows Defender AV’s layered approach to protection, digging deeper and deeper with automation and machine learning in order to finally reach a verdict on suspected malware, we are continually seeking to close the gap even further between malware release and protection. The cases where we cannot block at first sight are increasingly rare, but there is so much to be done. As our machine learning models are continuously updated and retrained, we are able to make better predictions over time. Yet malware authors will not rest, and the ever-changing threat landscape requires continuous investment in new and better technologies to detect new threats, but also to effectively differentiate the good from the bad.

What about systems that do get infected while detonation and classification are underway? One area that we’re actively investing in is advanced remediation techniques that will let us reach back out to those systems in an organization that were vulnerable and, if possible, get them back to a healthy state.

If you are organization that is willing to accept a higher false positive risk in exchange for stronger protection, you can configure the cloud protection level to tell the Windows Defender AV cloud protection service to take a more aggressive stance towards suspicious files, such as blocking at lower machine learning probability thresholds. In the Tibbar example above, for example, a configuration like this could have protected patient zero using the initial 81% confidence score, and not wait for the higher confidence (detonation-based) result that came later. You can also configure the cloud extended timeout to give the cloud protection service more time to evaluate a first-seen threat.

As another layer of real-time protection against ransomware, enable Controlled folder access, which is one of the features of the new Windows Defender Exploit Guard. Controlled folder access protects files from tampering by locking folders so that ransomware and other unauthorized apps cant access them.

For enterprises, Windows Defender Exploit Guards other features (Attack Surface Reduction, Exploit protection, and Network protection) further protect networks from advanced attacks. Windows Defender Advanced Threat Protection can also alert security operations personnel about malware activities in the network so that personnel can promptly investigate and respond to attacks.

For users running Windows 10 S, malware like Tibbar simply wont run. Windows 10 S provides advanced levels of security by exclusively running apps from the Microsoft Store. Threats such as Tibbar are non-issues for Windows 10 S users. Learn more about Windows 10 S.

New machine learning and AI techniques, in combination with both static and dynamic analysis, gives Windows Defender AV the ability to block more and more malware threats at first sight and, if that fails, learn as quickly as possible that something is bad and start blocking it. Using a layered approach, with different ML models at each layer, gives us the ability to target a wide variety of threats quickly while maintaining low false positive rates. As we gather more data about a potential threat, we can provide predictions with higher and higher confidence and take action accordingly. It is an exciting time to be in the fray.


Randy Treit

Senior Security Researcher, Windows Defender Research



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.


Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)

December 4th, 2017 No comments

Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet.

The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.

Our analysis of more than 44,000 malware samples uncovered Gamarues sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:

  • 1,214 domains and IP addresses of the botnets command and control servers
  • 464 distinct botnets
  • More than 80 associated malware families

The coordinated global operation resulted in the takedown of the botnets servers, disrupting one of the largest malware operations in the world. Since 2011, Gamarue has been distributing a plethora of other threats, including:

A global malware operation

For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry in the last six months shows Gamarues global prevalence.

Figure 1. Gamarues global prevalence from May to November 2017

While the threat is global, the list of top 10 countries with Gamarue encounters is dominated by Asian countries.

Figure 2. Top 10 countries with the most Gamarue encounters from May to November 2017

In the last six months, Gamarue was detected or blocked on approximately 1,095,457 machines every month on average.

Figure 3. Machines, IPs, and unique file encounters for Gamarue from May to November 2017; data does not include LNK detections

The Gamarue bot

Gamarue is known in the underground cybercrime market as Andromeda bot. A bot is a program that allows an attacker to take control of an infected machine. Like many other bots, Gamarue is advertised as a crime kit that hackers can purchase.

The Gamarue crime kit includes the following components:

  • Bot-builder, which builds the malware binary that infects computers
  • Command-and-control application, which is a PHP-based dashboard application that allows hackers to manage and control the bots
  • Documentation on how to create a Gamarue botnet

A botnet is a network of infected machines that communicate with command-and-control (C&C) servers, which are computer servers used by the hacker to control infected machines.

The evolution of the Gamarue bot has been the subject of many thorough analyses by security researchers. At the time of takedown, there were five known active Gamarue versions: 2.06, 2.07, 2.08, 2.09, and 2.10. The latest and the most active is version 2.10.

Gamarue is modular, which means that its functionality can be extended by plugins that are either included in the crime kit or available for separate purchase. The Gamarue plugins include:

  • Keylogger ($150) Used for logging keystrokes and mouse activity in order to steal user names and passwords, financial information, etc
  • Rootkit (included in crime kit) Injects rootkit codes into all processes running on a victim computer to give Gamarue persistence
  • Socks4/5 (included in crime kit) Turns victim computer into a proxy server for serving malware or malicious instructions to other computers on the internet
  • Formgrabber ($250) Captures any data submitted through web browsers (Chrome, Firefox, and Internet Explorer)
  • Teamviewer ($250) Enables attacker to remotely control the victim machine, spy on the desktop, perform file transfer, among other functions
  • Spreader Adds capability to spread Gamarue malware itself via removable drives (for example, portable hard drives or flash drives connected via a USB port); it also uses Domain Name Generation (DGA) for the servers where it downloads updates

Gamarue attack kill-chain

Over the years, various attack vectors have been used to distribute Gamarue. These include:

  • Removable drives
  • Social media (such as Facebook) messages with malicious links to websites that host Gamarue
  • Drive-by downloads/exploit kits
  • Spam emails with malicious links
  • Trojan downloaders

Once Gamarue has infected a machine, it contacts the C&C server, making the machine part of the botnet. Through the C&C server, the hacker can control Gamarue-infected machines, steal information, or issue commands to download additional malware modules.

Figure 4. Gamarues attack kill-chain

Gamarues main goal is to distribute other prevalent malware families. During the CME campaign, we saw at least 80 different malware families distributed by Gamarue. Some of these malware families include:

The installation of other malware broadens the scale of what hackers can do with the network of infected machines.

Command-and-control communication

When the Gamarue malware triggers the infected machine to contact the C&C server, it provides information like the hard disks volume serial number (used as the bot ID for the computer), the Gamarue build ID, the operating system of the infected machine, the local IP address, an indication whether the signed in user has administrative rights, and keyboard language setting for the infected machine. This information is sent to the C&C server via HTTP using the JSON format:

Figure 5. Information sent by Gamarue to C&C server

The information about keyboard language setting is very interesting, because the machine will not be further infected if the keyboard language corresponds to the following countries:

  • Belarus
  • Russia
  • Ukraine
  • Kazahkstan

Before sending to the C&C server, this information is encrypted with RC4 algorithm using a key hardcoded in the Gamarue malware body.

Figure 6. Encrypted C&C communication

Once the C&C server receives the message, it sends a command that is pre-assigned by the hacker in the control dashboard.

Figure 7. Sample control dashboard used by attackers to communicate to Gamarue bots

The command can be any of the following:

  • Download EXE (i.e., additional executable malware files)
  • Download DLL (i.e., additional malware; removed in version 2.09 and later)
  • Install plugin
  • Update bot (i.e., update the bot malware)
  • Delete DLLs (removed in version 2.09 and later)
  • Delete plugins
  • Kill bot

The last three commands can be used to remove evidence of Gamarue presence in machines.

The reply from the C&C server is also encrypted with RC4 algorithm using the same key used to encrypt the message from the infected machine.

Figure 8. Encrypted reply from C&C server

When decrypted, the reply contains the following information:

  • Time interval in minutes time to wait for when to ask the C2 server for the next command
  • Task ID – used by the hacker to track if there was an error performing the task
  • Command one of the command mentioned above
  • Download URL – from which a plugin/updated binary/other malware can be downloaded depending on the command.

Figure 9. Decrypted reply from C&C server

Anti-sandbox techniques

Gamarue employs anti-AV techniques to make analysis and detection difficult. Prior to infecting a machine, Gamarue checks a list hashes of the processes running on a potential victims machine. If it finds a process that may be associated with malware analysis tools, such as virtual machines or sandbox tools, Gamarue does not infect the machine. In older versions, a fake payload is manifested when running in a virtual machine.

Figure 10. Gamarue checks if any of the running processes are associated with malware analysis tools

Stealth mechanisms

Gamarue uses cross-process injection techniques to stay under the radar. It injects its code into the following legitimate processes:

  • msiexec.exe (Gamarue versions 2.07 to 2.10)
  • wuauclt.exe, wupgrade.exe, svchost.exe (version 2.06)

It can also use a rootkit plugin to hide the Gamarue file and its autostart registry entry.

Gamarue employs a stealthy technique to store and load its plugins as well. The plugins are stored fileless, either saved in the registry or in an alternate data stream of the Gamarue file.

OS tampering

Gamarue attempts to tamper with the operating systems of infected computers by disabling Firewall, Windows Update, and User Account Control functions. These functionalities cannot be re-enabled until the Gamarue infection has been removed from the infected machine. This OS tampering behavior does not work on Windows 10

Figure 11. Disabled Firewall and Windows Update


There are several ways hackers earn using Gamarue. Since Gamarues main purpose is to distribute other malware, hackers earn using pay-per-install scheme. Using its plugins, Gamarue can also steal user information; stolen information can be sold to other hackers in cybercriminal underground markets. Access to Gamarue-infected machines can also be sold, rented, leased, or swapped by one criminal group to another.


To help prevent a Gamarue infection, as well as other malware and unwanted software, take these precautions:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.

More importantly, ensure you have the right security solutions that can protect your machine from Gamarue and other threats. Windows Defender Antivirus detects and removes the Gamarue malware. With advanced machine learning models, as well as generic and heuristic techniques, Windows Defender AV detects new as well as never-before-seen malware in real-time via the cloud protection service. Alternatively, standalone tools, such as Microsoft Safety Scanner and the Malicious Software Removal Tool (MSRT), can also detect and remove Gamarue.

Microsoft Edge can block Gamarue infections from the web, such as those from malicious links in social media messages and drive-by downloads or exploit kits. Microsoft Edge is a secure browser that opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads.

In enterprise environments, additional layers of protection are available. Windows Defender Advanced Threat Protection can help security operations personnel to detect Gamarue activities, including cross-process injection techniques, in the network so they can investigate and respond to attacks. Windows Defender ATPs enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, and command-and-control communication.

Microsoft Exchange Online Protection (EOP) can block Gamarue infections from email uses built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Windows Defender Exploit Guard can block malicious documents (such as those that distribute Gamarue) and scripts. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo).

Microsoft is also continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples (through the Virus Information Alliance) to help organizations protect their customers.



Microsoft Digital Crimes Unit and Windows Defender Research team



Get more info on the Gamarue (Andromeda) takedown from the following sources:



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.


Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’

December 4th, 2017 No comments

Data center

Scripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats.

Scripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run through legitimate processes and are perfect tools for living off the landstaying away from the disk and using common tools to run code directly in memory. Often part of the operating system, scripting engines can evaluate and execute content from the internet on-the-fly. Furthermore, integration with popular apps make them effective vehicles for delivering malicious implants through social engineering as evidenced by the increasing use of scripts in spam campaigns.

Malicious scripts are not only used as delivery mechanisms. We see them in various stages of the kill chain, including during lateral movement and while establishing persistence. During these latter stages, the scripting engine of choice is clearly PowerShellthe de facto scripting standard for administrative tasks on Windowswith the ability to invoke system APIs and access a variety of system classes and objects.

While the availability of powerful scripting engines makes scripts convenient tools, the dynamic nature of scripts allows attackers to easily evade analysis and detection by antimalware and similar endpoint protection products. Scripts are easily obfuscated and can be loaded on-demand from a remote site or a key in the registry, posing detection challenges that are far from trivial.

Windows 10 provides optics into script behavior through Antimalware Scan Interface (AMSI), a generic, open interface that enables Windows Defender Antivirus to look at script contents the same way script interpreters doin a form that is both unencrypted and unobfuscated. In Windows 10 Fall Creators Update, with knowledge from years analyzing script-based malware, weve added deep behavioral instrumentation to the Windows script interpreter itself, enabling it to capture system interactions originating from scripts. AMSI makes this detailed interaction information available to registered AMSI providers, such as Windows Defender Antivirus, enabling these providers to perform further inspection and vetting of runtime script execution content.

This unparalleled visibility into script behavior is capitalized further through other Windows 10 Fall Creators Update enhancements in both Windows Defender Antivirus and Windows Defender Advanced Threat Protection (Windows Defender ATP). Both solutions make use of powerful machine learning algorithms that process the improved optics, with Windows Defender Antivirus delivering enhanced blocking of malicious scripts pre-breach and Windows Defender ATP providing effective behavior-based alerting for malicious post-breach script activity.

In this blog, we explore how Windows Defender ATP, in particular, makes use of AMSI inspection data to surface complex and evasive script-based attacks. We look at advanced attacks perpetrated by the highly skilled KRYPTON activity group and explore how commodity malware like Kovter abuses PowerShell to leave little to no trace of malicious activity on disk. From there, we look at how Windows Defender ATP machine learning systems make use of enhanced insight about script characteristics and behaviors to deliver vastly improved detection capabilities.

KRYPTON: Highlighting the resilience of script-based attacks

Traditional approaches for detecting potential breaches are quite file-centric. Incident responders often triage autostart entries, sorting out suspicious files by prevalence or unusual name-folder combinations. With modern attacks moving closer towards being completely fileless, it is crucial to have additional sensors at relevant choke points.

Apart from not having files on disk, modern script-based attacks often store encrypted malicious content separately from the decryption key. In addition, the final key often undergoes multiple processes before it is used to decode the actual payload, making it is impossible to make a determination based on a single file without tracking the actual invocation of the script. Even a perfect script emulator would fail this task.

For example, the activity group KRYPTON has been observed hijacking or creating scheduled tasksthey often target system tasks found in exclusion lists of popular forensic tools like Autoruns for Windows. KRYPTON stores the unique decryption key within the parameters of the scheduled task, leaving the actual payload content encrypted.

To illustrate KRYPTON attacks, we look at a tainted Microsoft Word document identified by John Lambert and the Office 365 Advanced Threat Protection team.

KRYPTON lure document

Figure 1. KRYPTON lure document

To live off the land, KRYPTON doesnt drop or carry over any traditional malicious binaries that typically trigger antimalware alerts. Instead, the lure document contains macros and uses the Windows Scripting Host (wscript.exe) to execute a JavaScript payload. This script payload executes only with the right RC4 decryption key, which is, as expected, stored as an argument in a scheduled task. Because it can only be triggered with the correct key introduced in the right order, the script payload is resilient against automated sandbox detonations and even manual inspection.

KRYPTON script execution chain through wscript.exe

Figure 2. KRYPTON script execution chain through wscript.exe

Exposing actual script behavior with AMSI

AMSI overcomes KRYPTONs evasion mechanisms by capturing JavaScript API calls after they have been decrypted and ready to be executed by the script interpreter. The screenshot below shows part of the exposed content from the KRYPTON attack as captured by AMSI.

Part of the KRYPTON script payload captured by AMSI and sent to the cloud for analysis

Figure 3. Part of the KRYPTON script payload captured by AMSI and sent to the cloud for analysis

By checking the captured script behavior against indicators of attack (IoAs) built up by human experts as well as machine learning algorithms, Windows Defender ATP effortlessly flags the KRYPTON scripts as malicious. At the same time, Windows Defender ATP provides meaningful contextual information, including how the script is triggered by a malicious Word document.

Windows Defender ATP machine learning detection of KRYPTON script captured by AMSI

Figure 4. Windows Defender ATP machine learning detection of KRYPTON script captured by AMSI

PowerShell use by Kovter and other commodity malware

Not only advanced activity groups like KRYPTON are shifting from binary executables to evasive scripts. In the commodity space, Kovter malware uses several processes to eventually execute its malicious payload. This payload resides in a PowerShell script decoded by a JavaScript (executed by wscript.exe) and passed to powershell.exe as an environment variable.

Windows Defender ATP machine learning alert for the execution of the Kovter script-based payload

Figure 5. Windows Defender ATP machine learning alert for the execution of the Kovter script-based payload

By looking at the PowerShell payload content captured by AMSI, experienced analysts can easily spot similarities to PowerSploit, a publicly available set of penetration testing modules. While such attack techniques involve file-based components, they remain extremely hard to detect using traditional methods because malicious activities occur only in memory. Such behavior, however, is effortlessly detected by Windows Defender ATP using machine learning that combines detailed AMSI signals with signals generated by PowerShell activity in general.

Part of the Kovter script payload captured by AMSI and sent to the cloud for analysis

Figure 6. Part of the Kovter script payload captured by AMSI and sent to the cloud for analysis

Fresh machine learning insight with AMSI

While AMSI provides rich information from captured script content, the highly variant nature of malicious scripts continues to make them challenging targets for detection. To efficiently extract and identify new traits differentiating malicious scripts from benign ones, Windows Defender ATP employs advanced machine learning methods.

As outlined in our previous blog, we employ a supervised machine learning classifier to identify breach activity. We build training sets based on malicious behaviors observed in the wild and normal activities on typical machines, augmenting that with data from controlled detonations of malicious artifacts. The diagram below conceptually shows how we capture malicious behaviors in the form of process trees.

Process tree augmented by instrumentation for AMSI data

Figure 7. Process tree augmented by instrumentation for AMSI data

As shown in the process tree, the kill chain begins with a malicious document that causes Microsoft Word (winword.exe) to launch PowerShell (powershell.exe). In turn, PowerShell executes a heavily obfuscated script that drops and executes the malware fhjUQ72.tmp, which then obtains persistence by adding a run key to the registry. From the process tree, our machine learning systems can extract a variety of features to build expert classifiers for areas like registry modification and file creation, which are then converted into numeric scores that are used to decide whether to raise alerts.

With the instrumentation of AMSI signals added as part of the Windows 10 Fall Creators Update (version 1709), Windows Defender ATP machine learning algorithms can now make use of insight into the unobfuscated script content while continually referencing machine state changes associated with process activity. Weve also built a variety of script-based models that inspect the nature of executed scripts, such as the count of obfuscation layers, entropy, obfuscation features, ngrams, and specific API invocations, to name a few.

As AMSI peels off the obfuscation layers, Windows Defender ATP benefits from growing visibility and insight into API calls, variable names, and patterns in the general structure of malicious scripts. And while AMSI data helps improve human expert knowledge and their ability to train learning systems, our deep neural networks automatically learn features that are often hidden from human analysts.

Machine-learning detections of JavaScript and PowerShell scripts

Figure 8. Machine learning detections of JavaScript and PowerShell scripts

While these new script-based machine learning models augment our expert classifiers, we also correlate new results with other behavioral information. For example, Windows Defender ATP correlates the detection of suspicious script contents from AMSI with other proximate behaviors, such as network connections. This contextual information is provided to SecOps personnel, helping them respond to incidents efficiently.

Machine learning combines VBScript content from AMSI and tracked network activity

Figure 9. Machine learning combines VBScript content from AMSI and tracked network activity

Detection of AMSI bypass attempts

With AMSI providing powerful insight into malicious script activity, attacks are more likely to incorporate AMSI bypass mechanisms that we group into three categories:

  • Bypasses that are part of the script content and can be inspected and alerted on
  • Tampering with the AMSI sensor infrastructure, which might involve the replacement of system files or manipulation of the load order of relevant DLLs
  • Patching of AMSI instrumentation in memory

The Windows Defender ATP research team proactively develops anti-tampering mechanisms for all our sensors. We have devised heuristic alerts for possible manipulation of our optics, designing these alerts so that they are triggered in the cloud before the bypass can suppress them.

During actual attacks involving CVE-2017-8759, Windows Defender ATP not only detected malicious post-exploitation scripting activity but also detected attempts to bypass AMSI using code similar to one identified by Matt Graeber.

Windows Defender ATP alert based on AMSI bypass pattern

Figure 10. Windows Defender ATP alert based on AMSI bypass pattern

AMSI itself captured the following bypass code for analysis in the Windows Defender ATP cloud.

AMSI bypass code sent to the cloud for analysis

Figure 11. AMSI bypass code sent to the cloud for analysis

Conclusion: Windows Defender ATP machine learning and AMSI provide revolutionary defense against highly evasive script-based attacks

Provided as an open interface on Windows 10, Antimalware Scan Interface delivers powerful optics into malicious activity hidden in encrypted and obfuscated scripts that are oftentimes never written to disk. Such evasive use of scripts is becoming commonplace and is being employed by both highly skilled activity groups and authors of commodity malware.

AMSI captures malicious script behavior by looking at script content as it is interpreted, without having to check physical files or being hindered by obfuscation, encryption, or polymorphism. At the endpoint, AMSI benefits local scanners, providing the necessary optics so that even obfuscated and encrypted scripts can be inspected for malicious content. Windows Defender Antivirus, specifically, utilizes AMSI to dynamically inspect and block scripts responsible for dropping all kinds of malicious payloads, including ransomware and banking trojans.

With Windows 10 Fall Creators Update (1709), newly added script runtime instrumentation provides unparalleled visibility into script behaviors despite obfuscation. Windows Defender Antivirus uses this treasure trove of behavioral information about malicious scripts to deliver pre-breach protection at runtime. To deliver post-breach defense, Windows Defender ATP uses advanced machine learning systems to draw deeper insight from this data.

Apart from looking at specific activities and patterns of activities, new machine learning algorithms in Windows Defender ATP look at script obfuscation layers, API invocation patterns, and other features that can be used to efficiently identify malicious scripts heuristically. Windows Defender ATP also correlates script-based indicators with other proximate activities, so it can deliver even richer contextual information about suspected breaches.

To benefit from the new script runtime instrumentation and other powerful security enhancements like Windows Defender Exploit Guard, customers are encourage to install Windows 10 Fall Creators Update.

Read the The Total Economic Impact of Microsoft Windows Defender Advanced Threat Protection from Forrester to understand the significant cost savings and business benefits enabled by Windows Defender ATP. To directly experience how Windows Defender ATP can help your enterprise detect, investigate, and respond to advance attacks, sign up for a free trial.


Stefan Sellmer, Windows Defender ATP Research


Shay Kels, Windows Defender ATP Research

Karthik Selvaraj, Windows Defender Research


Additional readings


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.


Microsoft Security Intelligence Report Volume 21 is now available

The latest volume of the Microsoft Security Intelligence Report is now available for free download at

This new volume of the report includes threat data from the first half of 2016 as well as longer term trend data on industry vulnerabilities, exploits, malware, and malicious websites. The report also provides specific threat data for over 100 countries/regions.

Our Featured Intelligence content for this volume of the report includes three deep dive sections:

Protecting cloud infrastructure; detecting and mitigating threats using Azure Security Center:
As organizations move workloads to cloud-based services it is important that security teams keep abreast of changes in their threat posture. New threats can be encountered when adopting solutions that are fully cloud based, or when connecting on-premises environments to cloud services. This section of the report details common threats that organizations may encounter, and explains how security teams can use Azure Security Center to protect, detect, and respond to security threats against Azure cloud-based resources.

PROMETHIUM and NEODYMIUM: parallel zero-day attacks targeting individuals in Europe:
Microsoft proactively monitors the threat landscape for emerging threats, including observing the activities of targeted activity groups. The new report chronicles two activity groups, code-named PROMETHIUM and NEODYMIUM, both of which target individuals in a specific area of Europe. Both attack groups launched attack campaigns in May 2016 using the same zero-day exploit to seek information about specific individuals. Microsoft is sharing information about these groups to raise awareness of their activities, and to help individuals and organizations implement existing mitigation options that significantly reduce risk from these attack groups and other similar groups.

Ten years of exploits: a long-term study of exploitation of vulnerabilities in Microsoft software:
Microsoft researchers conducted a study of security vulnerabilities and the exploitation of the most severe vulnerabilities in Microsoft software over a 10-year period ending in 2015. In the past five years vulnerability disclosures have increased across the entire industry. However, the number of remote code execution (RCE) and elevation of privilege (EOP) vulnerabilities in Microsoft software has declined significantly. The results of the study suggest that while the risk posed by vulnerabilities appeared to increase in recent years, the actualized risk of exploited vulnerabilities in Microsoft software has steadily declined.

There is a lot of other new data in this report that I hope you’ll find useful.

You can download Volume 21 of the Microsoft Security Intelligence Report at

Ken Malcolmson
Executive Security Advisor, Microsoft Enterprise Cybersecurity Group

What’s Been Happening in the Threat Landscape in the European Union

June 14th, 2016 No comments

Recently, I had the opportunity to visit customers in several countries in the European Union (EU). The threat landscape in the EU has been changing rapidly, and in some unpredictable ways. I thought it was time to share some new data and insights based on data from the latest volume of the Microsoft Security Intelligence Report.

I have written about the threat landscape in the EU many times in the past. If you are interested in reading some of these previously published articles, here’s a partial list:

The Latest Picture of the Threat Landscape in the European Union – part 1
The Latest Picture of the Threat Landscape in the European Union – part 2
The Latest Picture of the Threat Landscape in the European Union – part 3
Ransomware is on the Rise, Especially in Europe
The Threat Landscape in the European Union at RSA Conference Europe 2013
European Union check-up: Locations with Lowest Infection Rates in the EU and What We Can Learn From Them
European Union Check-Up: Malicious Websites Hosted in the EU
European Union check-up: Romania still tops the list of most infected in the EU
Cyber-Threats in the European Union: First Half 2012
Cyber-Threats in the European Union
The Threat Landscape Shifts Significantly in the European Union – Part 1
The Threat Landscape Shifts Significantly in the European Union – Part 2
The Threat Landscape Shifts Significantly in the European Union – Part 3

Let’s start by looking at the locations in the EU with the lowest and highest malware encounter rates (ER). ER is the percentage of computers running Microsoft real-time security software that report detecting malware or unwanted software during a given period of time. The worldwide average ER in the fourth quarter of 2015 was 20.8%. As Figure 1 illustrates, the “usual suspects” have the lowest ERs in the EU including Finland (8.6%), Sweden (11.4%), and Denmark (11.7%).

Figure 1: Locations in the EU with the lowest encounter rates in the fourth quarter of 2015 (4Q15)

Figure 2 shows us that the locations with the highest ERs in the EU include Romania (31.3%), Bulgaria (29.8%), and Croatia (27.5%). As high as the ERs for these locations were in the fourth quarter of 2015, they were significantly lower than the countries/regions with the highest ERs in the world during the same period. These locations include Pakistan (63.0%), Indonesia (60.6%), the Palestinian Territories (57.3%), and Bangladesh (57.2%).

Figure 2: Locations in the EU with the highest encounter rates in the fourth quarter of 2015 (4Q15)

You might have noticed the upward ER trend in figures 1 and 2. This is upward trend even more pronounced when looking at the malware infection rates in the region as seen in figures 3 and 4; these are systems that encountered malware and were successfully infected, a measure called computers cleaned per mille (CCM). The worldwide average infection rate in the fourth quarter of 2015 was 16.9 systems infected with malware for every 1,000 scanned by the Malicious Software Removal Tool (MSRT) or 1.69% of the 600 to 700 million systems the MSRT executes on each month. The worldwide infection rate almost tripled from the same period a year earlier. The average infection rate for the 28 countries/regions in the EU during the same period was a CCM of 21.1 or 2.1%. This is a CCM increase of 15.5 from a year earlier.

Figure 3: Locations in the EU with the lowest malware infection rates (CCM) in the fourth quarter of 2015 (4Q15)

Even locations with consistently low malware infection rates saw large increases between the third and fourth quarters of 2015. As seen in Figure 3, Finland’s CCM, for example, nearly quadrupled in the fourth quarter. Figure 4 illustrates the locations with the highest infection rates in the EU, which include Romania (36.4), Croatia (35.2), Spain (34.0), while the worldwide average was 16.9. For context, the locations with the highest CCMs in the world during the same period include Mongolia (93.3), Libya (85.3), the Palestinian Territories (80.0).

Figure 4: Locations in the EU with the highest malware infection rates (CCM) in the fourth quarter of 2015 (4Q15)

You are probably wondering what caused such a rapid increase in infection rates in the EU and worldwide? It would be easy to believe that the threat landscape just got a whole lot worse, but that’s not really the case. Every month, the Microsoft Malware Protection Center typically adds detection capabilities to the MSRT for one or more new families of malware that researchers believe are globally prevalent. Then the MSRT executes on 600 to 700 million systems worldwide. If researchers were correct about the families they added to the MSRT, the MSRT will clean the newly added threats from systems infected with those threats around the world.

Sometimes, like in the fourth quarter of 2015, one of the threats they added detection for was really prevalent and gets cleaned from lots of systems. The worldwide infection rate increased 175.9 percent in the final quarter of 2015, from a CCM of 6.1 in the third quarter to 16.9 in fourth quarter. Almost all of this increase was due to Win32/Diplugem, a browser modifier that shows extra advertisements as the user browses the web. The CCM for Diplugem alone in 4Q15 was 11.7, nine times as high as the CCM for the next most prevalent family, Win32/Gamarue.

As seen in Figure 5, detection for Win32/Diplugem, was added to the MSRT in the fourth quarter and was removed from more computers in the EU in 4Q15 than any other family by a significant margin. In the EU, Win32/Diplugem was removed from 15.4 computers for every 1,000 computers the MSRT executed on in the fourth quarter, or 1.54% of systems.

Figure 5: The top 10 families of threats cleaned by the MSRT in the EU during the fourth quarter of 2015

One other threat family I will call your attention to is Win32/CompromisedCert. This is the third threat family listed in the top threats cleaned in the EU, in Figure 5. This is a detection for the Superfish VisualDiscovery advertising program that was preinstalled on some Lenovo laptops sold in 2014 and 2015. It installs a compromised trusted root certificate on the computer, which can be used to conduct man-in-the-middle attacks on the computer. This threat was cleaned consistently on systems in the EU throughout 2015. I was surprised to see Win32/CompromisedCert on the top 4 list of threats cleaned in locations like the UK, Germany and the Netherlands.

Almost everyone I talked to during my recent trip to some locations in the EU, was concerned about Ransomware. I wrote an article on Ransomware recently that provides some good context on this type of threat: Ransomware: Understanding the Risk. The data for the last half of 2015 suggests there was a slight increase in the ER for ransomware (0.26 percent in 3Q15, 0.40 percent in 4Q15), but it’s still a fraction of 1 percent and much lower than almost every other category of malware.

In the EU, 18 of the 28 countries had Ransomware encounter rates above the worldwide average as Figure 6 illustrates. Systems in Portugal and Italy encountered Ransomware more than any other locations in the EU. This isn’t surprising – I wrote that Ransomware was on the rise, especially in Europe, years ago. The good news is that Ransomware is one of the least encountered threats in the EU as Figure 7 illustrates.

Figure 6: Ransomware Encounter Rates in the EU during the fourth quarter of 2015

Figure 7 illustrates shows us which locations in the EU have the highest and lowest encounter rates across different threat categories. The numbers in red are the highest ERs for that threat category while the numbers in pink are above the worldwide average. The numbers that aren’t shaded are the lowest ERs for that threat category and are below the worldwide average. With this data, I find it especially noteworthy that every location in the EU, with the exception of Finland, had encounter rates for Exploits above the worldwide average, in many cases two or three times higher. A contributing factor is that the Angler exploit kit (JS/Axpergle) was one of the most encountered threats in the EU in 2015, being encountered by more than 1% of systems in the fourth quarter of 2015.

Figure 7: Encounter Rates for Threat Categories in the EU during the fourth quarter of 2015

From drive-by download URL data provided by Bing, Slovakia and Cyprus hosted the highest number of drive-by download pages per 1,000 URLs in the EU, as seen in Figure 8.

Figure 8: Drive-by download pages indexed by Bing at the end of the fourth quarter of 2015, per 1,000 URLs in each country/region

Guidance to Protect Your Organization

Based on the specific threats we see in the EU, let me give you some guidance to help protect your organization.

  • Security Updates: given most locations in the EU have above average Exploit encounter rates and that the Angler exploit kit (JS/Axpergle) is a top threat encountered in the region, its critical for organizations to keep all software up to date with the latest security updates. This isn’t just your Microsoft software, it includes software from Adobe, Oracle, and every other vendor your organization procures software from. If you have vendors that don’t provide you with security updates, your organization isn’t getting its money’s worth. Data from the new Security Intelligence Report on industry vulnerability disclosures, shows us that there were 6,384 vulnerabilities disclosed across the industry in 2015 alone, which is a typical year. Organizations need to patch all of those vulnerabilities in their environment to protect themselves from the high level of exploit activity in the EU. Demand security updates from all of your vendors.
  • Up-to-date Anti-Malware Software: don’t let security experts convince you that anti-virus software is a waste of time. No software or hardware can protect your organization from all current and future threats. But running up-to-date anti-malware software from a trusted vendor will protect your organization from millions of current and future threats. We know from many studies over the years, using data from hundreds of millions of systems around the world, systems that run current anti-malware solutions have significantly lower malware infection rates than those that don’t (as seen in Figure 9).Figure 9: Infection rates for protected and unprotected computers in 2015
  • Ransomware: if you are trying to evaluate the risk to your organization that Ransomware poses, keep calm and stay vigilant; this is a low probability, high impact threat where there are numerous mitigations available. The best mitigation is maintaining current offline backups for critical data. Check out these two articles: Ransomware: Understanding the Risk, How to Deal with Ransomware.
  • Malicious Websites: one of the best ways organizations can protect their users from malicious and compromised websites is by mandating the use of web browsers with appropriate protection features built in and by promoting safe browsing practices. For in-depth guidance, see this article.
  • Modern Operating Systems and Browsers: the latest data clearly shows us that using a modern operating system, like Windows 10, and a modern browser, like Microsoft Edge, provides significant protection against the type of modern day threats I discussed in this article. If you haven’t done so yet, evaluate these newer products versus the older products your organization might be using. On older operating systems, like Windows 7, use the Enhanced Mitigation Experience Toolkit (EMET), if possible, to minimize exploitation of vulnerabilities in the software in your environment. See for more information.
  • Regional Security Experts’ Advice: there are six things that security experts in the consistently least infected countries/regions in the world (like Finland) tell us helps them. Here’s the list:
    • Strong public – private partnerships that enable proactive and response capabilities
    • CERTs, ISPs and others actively monitoring for threats in the region enable rapid response to emerging threats
    • An IT culture where system administrators respond rapidly to reports of system infections or abuse is helpful
    • Enforcement policies and active remediation of threats via quarantining infected systems on networks in the region is effective
    • Regional education campaigns and media attention that help improve the public’s awareness of security issues can pay dividends
    • Low software piracy rates and widespread usage of Windows Update/Microsoft Update has helped keep infection rates relatively low

This was a long article, but I hope it was worth the time you spent reading it. You can get more details on every country/region in the EU and almost a hundred more locations, by visiting and clicking on Regional Threat Assessment.

Tim Rains
Director, Security

Protecting Identities in the Cloud: Mitigating Password Attacks

May 5th, 2016 No comments

We just released a new volume of the Microsoft Security Intelligence Report. Included in the report, for the first time, is security data from the Microsoft cloud that reveals how we are leveraging an intelligent security graph to inform how we protect endpoints, better detect attacks and accelerate our response, to help protect our customers.

In November we outlined Microsoft’s new approach to how we Protect, Detect and Respond to security threats. We have been evolving our ability to get real-time insights and predictive intelligence across our network so we can stay a step ahead of the threats and protect customers.

The challenge is to correlate our security data with our threat intelligence data. To do this, we collect trillions of signals from billions of sources to build an intelligent security graph that can learn from one area and apply across the Microsoft platform. The intelligent security graph is powered by inputs we receive across our endpoints, consumer services, commercial services and on-premises technologies.

The new Security Intelligence Report contains many insights from this data and analysis. Here are some examples:

  • From a sensor network made up of hundreds of millions of systems running Microsoft anti-malware software, the data shows us that:
    • The number of systems that encountered malware in 2015 increased in the second half of the year. The worldwide encounter rate increased to 20.5% by the end of 2015, an increase of 5.5% from six months earlier.
    • The locations with the highest encounter rates were Pakistan, Indonesia, the Palestinian territories, Bangladesh, and Nepal which all had encounter rates above 50%.
    • Exploit kits accounted for four of the 10 most commonly encountered exploits during the second half of 2015. The Angler exploit kit was the most commonly encountered exploit kit family.
    • Although ransomware had relatively low encounter rates (worldwide ER for ransomware in the first quarter of 2015 was 0.35 percent and 0.16 percent in the second quarter), its use in ransomware-as-a-service kits and targeted attacks is increasing.
  • SmartScreen Filter is a feature in Internet Explorer and Microsoft Edge that offers users protection against phishing sites and sites that host malware. Based on phishing data from the SmartScreen:
    • Phishing sites that targeted online services received the largest share of impressions during the period, and accounted for the largest number of active phishing URLs
    • Sites that targeted financial institutions accounted for the largest number of active phishing attacks during the period

As I mentioned we’ve published cloud service security data in this Security Intelligence Report, for the first time. Let me share some of that data with you and why we are excited about how the cloud is improving the insights from our intelligent security graph.

Mitigating Password Attacks

The massive scale of Microsoft’s cloud enables us to gather an enormous amount of intelligence on malicious behavior, which in turn allows us to prevent the compromise of Microsoft Accounts and Azure Active Directory accounts, and block the use of leaked or stolen credentials.

Azure Active Directory provides single sign-on to thousands of cloud (SaaS) apps such as Office 365, Workday, Box, Google Apps and more, and access to web apps organizations run on-premises, and Microsoft Accounts are used by consumers to sign into services like Bing,, OneDrive, Skype, and Xbox LIVE.
The scale of these services provides tremendous insight into attackers’ efforts to compromise the user accounts of consumers and enterprises.
  1. At the end of 2015, Azure Active Directory was being used by 8.24 million tenants with over 550 million users.
  2. Azure Active Directory averaged over 1.3 billion requests per day.
  3. Every day, Microsoft processed over 13 billion logins from hundreds of millions of Microsoft Account users.

To prevent and mitigate attacks on the consumers and organizations using these services, we use a multi-layered system of protection mechanisms. The keystone of these protection systems is machine learning. Every day, our machine learning systems process more than 10 terabytes of data, including information on over 13 billion logins from hundreds of millions of Microsoft Account users.

We combine this with other protection algorithms and data feeds from:

  • The Microsoft Digital Crimes Unit
  • The Microsoft Security Response Center
  • Phishing attack data from and Exchange Online
  • Information acquired by partnering with academia, law enforcement, security researchers, and industry partners around the world

All this data helps us create a comprehensive protection system that helps keep our customers’ accounts safe. The system deflects tens of thousands of location-based attacks per day, and automatically blocks tens of thousands of requests each day that use credentials that have likely been stolen or leaked. Microsoft Accounts that are determined to be compromised are automatically entered into an account recovery process that allows only the rightful owner to regain sole access to the account.

Multiple algorithms look at a wide range of data produced by our systems working in real-time to stop attacks before they are successful, and, retroactively, to swiftly remediate accounts for whom an attack worked and remove access from a bad actor. For example, we also use tools such as incorrect password lockout and location-based blocking.

The Advantages of Machine Learning

Microsoft’s machine learning systems use various data points to determine when an account login attempt, even with a valid password, is likely fraudulent.

For Microsoft Accounts, these login attempts are blocked until a second factor of authentication is provided. For Azure Active Directory, Identity Protection allows administrators to create policies that do the same, requesting MFA or outright blocking the attempt based on the risk score of the login.

One of the factors the machine learning system uses to block login attempts is whether the location of the login attempt is a familiar location to the legitimate user.

New Threat Intelligence Provides Details on Attacks
Here is some the new data published we in this Security Intelligence Report:

  1. Compromised login attempts were blocked from unfamiliar locations nearly three quarters of the time.
  2. Attackers were located in different parts of the world:
    • 49% in Asia
    • 20% in South America
    • 14% in Europe
    • 13% in North America
    • 4% in Africa

Understanding where attacks are originating from, allows us to recognize attack patterns which we can then use to protect other systems and customers.

From all this data gathering and analysis, each day Microsoft’s account protection systems automatically detect and prevent more than 10 million attacks, from tens of thousands of locations, including millions of attacks where the attacker has valid credentials. That’s over 4 billion attacks prevented last year alone.

Very few organizations can access this much high quality data, aggregate it, and analyze it, every day, on-premises, and use it to make timely security decisions. Through our machine learning capabilities, the Microsoft cloud protects customers in a highly sophisticated way, faster than most organizations could do on-premises.


In every Security Intelligence Report, we provide some guidance that helps protect people and organizations. There are a few things people can do to protect their accounts and devices from password based attacks:

  • The security of your account is particularly important if your username is an email address, because other services may rely on your email address to verify your identity. If an attacker takes over your account, they may be able to take over your other accounts too (like banking and online shopping) by resetting your passwords by email.
  • Tips for creating a strong and unique password:
    • Don’t use a password that is the same or similar to one you use on any other website. A cybercriminal who can break into that website can steal your password from it and use it to steal your account.
    • Don’t use a single word (e.g. “princess”) or a commonly-used phrase (e.g. “Iloveyou”).
    • Do make your password hard to guess even by those who know a lot about you (such as the names and birthdays of your friends and family, your favorite bands, and phrases you like to use).
  • Two-step verification boosts account security by making it more difficult for hackers to sign in—even if they know or guess your password.
  • If you turn on two-step verification and then try to sign in on a device we don’t recognize, we’ll ask you for two things:
    • Your password.
    • An extra security code.
    • We can send a new security code to your phone or your alternate email address, or you can get one through an authenticator app on your smartphone.
  • If your organization hasn’t started leveraging the cloud because you don’t think you can get the visibility or control you need, it’s time to re-evaluate it – the scale, and the threat intelligence and new security capabilities it enables, are likely going to provide higher ROI than you can get on-premises.
  • Organizations should evaluate how the cloud will help them evolve to a “protect, detect, respond” security strategy. Evaluate Azure Active Directory Identity Protection, which is in preview right now.

The new Security Intelligence Report is available at

Tim Rains
Director, Security

Microsoft Security Intelligence Report Volume 20 is now available

May 5th, 2016 No comments

The latest volume of the Microsoft Security Intelligence Report (SIR) is now available for free download at

We’ve been publishing threat intelligence reports for our customers, partners and the industry for 10 years now. During that time, we’ve published over 12,500 pages of threat intelligence, 100+ blog posts, many videos, and delivered thousands of customer briefings all over the world.

This new volume of the report includes threat data from the second half of 2015 as well as longer term trend data on industry vulnerabilities, exploits, malware, and malicious websites. The report also provides deep dive threat data for over 100 countries/regions.

There are a couple of new sections in this volume of the SIR that I’m excited to share.

First, the report includes a section called “PLATINUM: Targeted attacks in South and Southeast Asia.” This section provides details on a newly discovered determined adversary group, which Microsoft has code-named PLATINUM. This group has conducted several cyber espionage campaigns since 2009, focusing on targets associated with governments and related organizations in southeast Asia. This information can help you understand mitigations that can significantly reduce the risks that organizations face from such groups.

The other section I’m excited about is called “Protecting Identities in the Cloud: Mitigating Password Attacks.” This section of the report focuses on some of the things that Microsoft does to prevent account compromise inside our cloud services. This is the first time we’ve published data like this in the SIR.

There is a lot of other new data in this report that I hope you’ll find useful.

You can download Volume 20 of the Microsoft Security Intelligence Report at

Tim Rains
Director, Security

Ransomware: Understanding the Risk

April 22nd, 2016 No comments

Ransomware is a type of malware that holds computers or files for ransom by encrypting files or locking the desktop or browser on systems that are infected with it, then demanding a ransom in order to regain access. Criminals have used high pressure techniques to get victims to pay the ransom, such as:

  • Make encrypted data unrecoverable after a certain period of time
  • Threaten to post captured (potentially sensitive) data publicly
  • Use fear by claiming to be law enforcement and threaten prosecution
  • Increase the ransom payment amount as time goes on
  • Render the machine unbootable when it overwrites the Master Boot Record and encrypts physical sectors on disk
  • Threaten to erase all data and render all enterprise computers inoperable

Figure 1: An example of a ransomware ransom demand

There is heightened concern across the industry about ransomware because of some high profile cases that illustrate ransomware isn’t just a threat for consumers to worry about, as it is being used in attacks on enterprises as well.

Although we know attackers that leverage ransomware are motivated by profit, the underlying reasons they have attacked specific organizations or industries are not as straight forward. Some attackers might very well be targeting specific industries with ransomware attacks. Other attackers might simply be leveraging their capabilities; i.e. they have developed the capability to exploit specific vulnerabilities in specific platforms or specific line-of-business applications that happen to be primarily used in, or get heavy use by, specific industries.

Ransomware is a topic that I have written about in the past (Ransomware: Ways to Protect Yourself & Your Business, Ransomware is on the Rise, Especially in Europe) and that we have covered extensively in some volumes of the Microsoft Security Intelligence Report. The Microsoft Malware Protection Center has provided extensive information about this category of threats (Ransomware, No mas, Samas: What’s in this ransomware’s modus operandi?, The three heads of the Cerberus-like Cerber ransomware, Locky malware, lucky to avoid it, MSRT October 2015: Tescrypt, MSRT September 2015: Teerac, MSRT July 2015: Crowti, Emerging ransomware: Troldesh, Your Browser is (not) Locked, etc.)

Given the heightened concern in the industry, I thought it was time to examine if the risk associated with this threat category has been increasing. This will help CISOs, security teams, and risk managers understand if they should prioritize this risk differently now than they have in the past. As always, risk is the combination of probability and impact.

Let me start by providing some data and insights that will help organizations understand the probability component associated with the risk of ransomware. Using data from the Microsoft Security Intelligence Report, which includes data based on telemetry from hundreds of millions of systems around the world, we can see that ransomware has been encountered worldwide much less frequently than almost all other types of malware. Figure 2 illustrates the encounter rates for malware categories for each quarter ending in the second quarter of 2015. The encounter rate (ER) is the percentage of computers running Microsoft real-time security software that report detecting malware or potentially unwanted software during a quarter. Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender reporting that they blocked malware from installing on them.

Figure 2: Encounter rates for significant malware categories, third quarter of 2014 (3Q14) – second quarter of 2015 (2Q15)

The worldwide ER for ransomware in the first quarter of 2015 (1Q15) was 0.35 percent and 0.16 percent in the second quarter (2Q15) as seen in Figure 2. While the ER for Trojans was 3.92 percent and 4.45 percent in 1Q15 and 2Q15 respectively. That means the ER for Trojans was 11 times higher than the ransomware ER in 1Q15 and 28 times higher in 2Q15. More recent data for the last half of 2015 suggests there was a slight increase in the ER for ransomware (0.26 percent in 3Q15, 0.40 percent in 4Q15), but it’s still a fraction of 1 percent and much lower than almost every other category of malware. The most recent data, from the last month (March 2016), suggests that the worldwide ER for ransomware was 0.2 percent, putting it almost on par with the ER for Trojan Downloaders & Droppers, but still lower than viruses (file infectors) and most other threat categories.

Although the global encounter rate is just a fraction of a percent, there are some countries/regions that have higher ransomware encounter rates. i.e. the probability of encountering ransomware is higher in some locations than others. For example, the ER in Mexico was 5 times higher at 0.8 percent during the same period. France and Canada had ransomware encounter rates 4.4 times higher than the worldwide average at 0.7 percent, while the United States, Russia and Turkey all had elevated ransomware encounter rates, 3.75 times higher than the worldwide average, at 0.6 percent.

The locations that had the highest ransomware ERs in the world in 2015 are listed in Figures 3 and 4. Portugal and Italy were among the locations with the highest ransomware ERs in both halves of 2015.

Figure 3 (left): The countries/regions with the highest ransomware encounter rates in the world in the first half of 2015; Figure 4 (right): The countries/regions with the highest ransomware encounter rates in the world in the second half of 2015

Although the ransomware ER in the UAE, for example, in the first half of 2015 was the highest in the world, ransomware is still one of the least encountered categories of threats there as Figure 5 illustrates. A ransomware family does not appear in the top 10 list of threats in the UAE.

Figure 5: Malware encountered in the United Arab Emirates in the second quarter of 2015, by category

The infection rate is typically a fraction of the ER because systems have to encounter malware before they can get infected. Data in several volumes of the Security Intelligence Report suggests that 70 percent to 80 percent of systems that run the MSRT also run up-to-date real time antivirus. This means most systems will be able to block the installation of known commodity ransomware before they can become infected. Thus ER is typically much greater than the actual infection rate.

The malware infection rate, called the Computers Cleaned per Mille (CCM), is measured by the number of computers cleaned for every 1,000 unique computers that run the Windows Malicious Software Removal Tool (MSRT). For example, if MSRT has 50,000 executions in a particular location in the first quarter of the year and removes infections from 200 computers, the CCM for that location in the first quarter of the year is 4.0 (200 ÷ 50,000 × 1,000).

Detection for new malware families are typically added to the MSRT every month. The MSRT cleans many of the most prevalent families of ransomware like Win32/Crowti, Ransom: Win32/Reveton, and Win32/Samas. Of these, Crowti had the highest CCM in the second half of 2015, 0.04 in 3Q15 and 0.01 in 4Q15. This means that for every 1,000 systems the MSRT executed on in the fourth quarter of 2015, 0.01 was cleaned of Crowti; that’s 1/1000 of a percent of the hundreds of millions of systems the MSRT executes on each month.

The ER data I outlined above suggests that ransomware represents a risk that has been lower probability relative to other types of malware in most parts of the world. But the rapid evolution of ransomware suggests that these numbers could rise in the future. Email (spam, spear-phishing, etc), social engineering using Word and Excel macros, drive-by download attacks, and removable storage devices (USB drives) are among the most common ways attackers have distributed ransomware. This has been evolving rapidly.

The ability for less-skilled attackers to mount ransomware campaigns has increased recently, due to the emergence of ransomware-as-a-service (RaaS) offerings on the darkweb. Sarento and Enrume are ransomware families that are examples of this approach. Ransomware is being increasingly paired with exploit kits, such as JS/Axpergle (a.k.a. Angler), and other malware to gain persistence in victims’ environments. More attackers using more distribution points has led to more enterprises encountering ransomware as figures 6 and 7 illustrate. Additionally, ransomware can be distributed to systems via other malware, i.e. existing infections, to increase attacker monetization of the assets they control.

When comparing these figures, notice how the ER for ransomware increased between the first and second halves of 2015 surpassing the ER of Password Stealers & Monitoring Tools. Also notice that the ER for ransomware on domain joined systems surpassed that of non-domain joined systems.

Figure 6: Malware and unwanted software encounter rates for domain-based and non-domain computers, in the first half of 2015, by category

Figure 7: Malware and unwanted software encounter rates for domain-based and non-domain computers, in the second half of 2015, by category

More sophisticated attackers that target enterprises try to encrypt as much of their target’s critical data as possible. To do this, they need to move beyond encrypting data on a single device. They use all the dirty tricks in their toolkits to get a foothold in an organization’s IT environment including exploiting unpatched vulnerabilities, taking advantage of misconfigured systems and weak passwords, and of course social engineering.

The main entry points for these attacks are vulnerable Internet facing servers and user workstations. Once they have compromised a single system, they use tactics similar to “APT” style attacks to traverse the infrastructure looking for more data to encrypt. To do this, they will gather credentials on the initial point of entry, attempt to gain elevated privileges (e.g. domain administrator), use those credentials to map out the organization’s network, then move laterally to new hosts, gathering more credentials that will allow them to encrypt data on as many machines as possible. Attackers will also deny the victim organization access to their backups, if they can, to increase the motivation to pay the ransom.

Once attackers have access to data (.pdf, .xlsx, .docx, etc) they believe is valuable to the victim organization, they encrypt it. As ransomware has been evolving, more of this malware has been employing correctly implemented strong encryption algorithms (Advanced Encryption Standards (AES) for example), that prevents recovery without a valid decryption key or restoring the original files from backup. Without backups, the impact of this type of attack to a business could be severe; the loss of intellectual property, customer data, and financial records could have irreversible consequences on a business.

The Samas family (Ransom:MSIL/Samas) of ransomware is a great example of ransomware using some of these tactics.  The MMPC has published a great article on this family: No mas, Samas: What’s in this ransomware’s modus operandi?

Detection for Samas was added to the MSRT in April 2016. The infection rate (CCM) for Samas is virtually zero, as it has only been seen used in targeted attacks versus used in broad attacks as commodity ransomware.

Figure 8: Ransom:MSIL/Samas infection chain

Ransomware has been evolving quickly. Last month (March 2016) the top 5 ransomware families encountered included Ransom:Win32/Tescrypt, Ransom:Win32/Locky, Ransom:Win32/Crowti, Ransom:JS/Brolo, Ransom:Win32/Teerac.

Although commodity ransomware has relatively low encounter rates and low infection rates, when determining the probability and impact in ransomware risk calculations it’s important to consider that ransomware is also being used as part of ransomware-as-a-service kits and by determined adversaries in targeted attacks.

The fact that ransomware families aren’t very prevalent at this point is good news. But that doesn’t make it any less painful to the users and organizations that have been victimized. This is why Microsoft is so committed to continually raising the bar on attackers and helping our customers with these threats. There is a plethora of mitigations available for enterprise customers, both on-premises and cloud-based. Windows 10 has numerous advanced security features that can make it much harder for attackers to be successful with ransomware. The Office 365 Security team published an excellent article that provides some great mitigations, a highly recommended read: How to Deal with Ransomware.

Additionally, I asked some of the experts in Microsoft’s Enterprise Cybersecurity Group to provide some guidance based on the work they are doing to help enterprise customers protect, detect and respond to ransomware cases. The Enterprise Cybersecurity Group has unique, industry-leading cybersecurity expertise from client to cloud that I’m excited to tap. They have helped numerous enterprise customers protect, detect and respond to some of the most sophisticated ransomware attacks to date. This experience informs their approach, something partially summarized in the table below.

Detect Ingress protections
Auto-scale endpoint protections
Behavioral and deterministic detections leveraging Deep Packet Inspection
Protect Reputational services
High Value Asset protection, containment, isolation
Respond Response planning
Offline backups
Regular hunting and validation

We will share more from the Enterprise Cybersecurity Group in the next article in this series on ransomware.

Tim Rains
Director, Security

Defending against persistent attackers: What we’ve learned

Part of what we do at the Microsoft Malware Protection Center involves keeping tabs on known activity groups. This is some of the most interesting and intriguing work we do.

One particularly aggressive and persistent group we track is known within Microsoft by the code-name “STRONTIUM” (following our internal practice of assigning chemical element names to such groups).

Whereas most cyber-attack groups are ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary targets include government bodies, diplomatic institutions, and military forces. The group has also been known to target journalists, political advisors, and organizations associated with political activism. With such lofty targets, you might expect the group to be highly sophisticated, and it is.

STRONTIUM primarily attempts to ensnare individuals using spear phishing tactics through email or social networking channels. The idea is to dupe people into giving up their login credentials so the group can perform reconnaissance on a target organization. Their lure messages are typically tied to current events such as an upcoming conference or real-world news, and STRONTIUM’s email senders are usually associated with well-known email providers, using plausible names and titles designed to give the messages credibility.

The ultimate goal of this reconnaissance phase is to compile a list of high-value individuals who have information or access that STRONTIUM wants. With this list at hand, the group moves to the next phase of operations — installing malware on the high-value targets’ computers and thereby gaining access to the institution’s network. Depending on the specific attack used, they might send a message with a link that will launch a drive-by download when clicked, or a malicious attachment such as a document file containing an exploit.

It is not yet clear whether the group researches vulnerabilities and develops the exploits themselves, or purchases them on the black market, but Microsoft researchers have observed STRONTIUM moving swiftly to take advantage of newly disclosed vulnerabilities. They are also known for zero-day exploits targeting vulnerabilities where the software vendor has not yet released a security update. STRONTIUM also targets older vulnerabilities that simply haven’t been patched by the organization, and attacks involving non-Windows computers are a concern as well.

Considering STRONTIUM’s broad range of technical capabilities and its determination to keep up an attack for months or years until it succeeds, the group represents a significant threat that is difficult to defend against. Nevertheless, there are steps an organization can take to significantly decrease the probability of a successful attack:

  • Deploy vendor security updates quickly after they are released. STRONTIUM looks for out-of-date software installations inside target institutions. Keeping software current denies the group this avenue of infiltration.
  • Take advantage of the latest mitigation technologies. Recent versions of Windows (most notably Windows 10) and other software include critical mitigations that can render many of STRONTIUM’s exploits ineffective.
  • Enforce segregation of privileges and apply all possible safety measures to protect Admin accounts. STRONTIUM relies on pass-the-hash techniques and elevation of privileges to successfully move laterally across networks.
  • Conduct enterprise software security awareness training. STRONTIUM heavily relies on social engineering to entice individuals into clicking links to malware. Security training can raise awareness around this attack vector.
  • Institute multi-factor authentication. As STRONTIUM extensively uses credential-stealing spear phishing attacks, multi-factor authentication can be an effective tool to prevent unauthorized access even if credentials are stolen.
  • Prepare your network to be forensically ready. A forensically ready network that records authentications, password changes, and other significant network events can help to quickly identify affected systems.
  • Keep personnel and personal data private. STRONTIUM uses open-source intelligence to obtain its initial lists of victims, which might include names and email addresses, but can expand into employment information and other items of interest. Make sure your email is kept confidential and privacy settings on social media don’t disclose sensitive information publicly. These are all pieces of information STRONTIUM can use to devise a realistic attack.

For a deeper look at the STRONTIUM adversary, including technical information that can help your IT department keep your organization safe, see the latest Microsoft Security Intelligence Report here.

To learn more about how Microsoft helps protect your security and privacy in the cloud, visit Trusted Cloud.

The Threat Landscape in Canada – 2015 Update

November 30th, 2015 No comments

I have written about the threat landscape in Canada a couple of times over the years. Using new data from the latest volume of the Microsoft Security Intelligence Report, volume 19, I thought I’d take a fresh look at what has been happening in Canada as its been about a year since I last published an article on it.

If you are interested in reading some of the analysis I have done on the threat landscape in Canada in the past, please read these articles The Threat Landscape in Canada, The threat landscape in Canada & SecTor 2012. Additionally, last month I had the opportunity to speak at the Security Education Conference Toronto (SECTor 2015), Canada’s largest cybersecurity conference. You can watch a video of the presentation I gave at the conference as well as a video interview I did there: Cyberthreats: Microsoft’s Tim Rains on Putting Old Wine in New Bottles.

Starting with the encounter rate (ER) in Canada, which is the percentage of computers running Microsoft real-time security software in Canada that reported detecting malware, or report detecting a specific threat or family, during a quarter.  Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender (on Windows 8.1) reporting that they blocked malware from installing on them. As Figure 1 illustrates, the ER in Canada has been below the worldwide average for many quarters; the worldwide average encounter rate in the second quarter of 2015 (2Q15) was 14.8%, while the ER in Canada was 12.5% during the same period.

Figure 1: the long-term encounter rate (ER) for Canada and the worldwide average per quarter for the period between the 3rd quarter of 2012 through the 2nd quarter of 2015

Although Canada’s ER has been below the worldwide average and that of France for some time, it has been elevated in some time periods compared to the ERs of the United Kingdom and the United States as illustrated in Figure 2.

Figure 2: the long-term encounter rates (ER) for Canada, France, the United Kingdom, the United States, and the worldwide average per quarter for the period between the 3rd quarter of 2012 through the 2nd quarter of 2015

Figure 3 illustrates the long-term view of malware categories encountered by systems in Canada for the time period between the third quarter of 2012 (3Q12) and the second quarter of 2Q15. This data helps us understand the types of threats that Canadians encounter most frequently in each time period. Attackers change their tactics over time to favor malware types that they hope will successfully compromise systems. But any success they have is fleeting as Microsoft and the rest of the security industry update protections to mitigate any threats that attempt to become relatively prevalent.

Figure 3: the long-term view of malware category encounter rates (ER) for Canada per quarter for the period between the 3rd quarter of 2012 through the 2nd quarter of 2015

Figure 3 shows us that the ER spike seen in Canada in 3Q14 was primarily due to an increase in encounters with malware families in the Trojan Downloaders & Droppers category. This category of threats was popular with attackers back in 2007, but we’ve seen a resurgence of these threats in more recent time periods.  The level of encounters with Exploits is also noteworthy as it suggests that Canadians have encountered exploit kits at relatively high frequency; Figures 4 and 5 support this supposition. Figure 4 shows us that the ER for Exploits was higher in Canada than the worldwide average in 2Q15. Figure 5 provides a list of the top 10 malware threats encountered by Canadians in 2Q15, where 3 of the top 10 malware families encountered in Canada were exploit kits.

Figure 4: malware category encounter rates for Canada versus the worldwide average in the 2nd quarter of 2015

Figure 5: the top malware families encountered in Canada in the 2nd quarter of 2015

Malware encounters are much more common than malware infections; i.e. a system has to encounter malware before there’s a chance for it to get infected with malware. On average, about 17.0 percent of reporting computers worldwide encountered malware over the four quarters ending in 2Q15. At the same time, the Microsoft Windows Malicious Software Removal Tool (MSRT) removed malware from about 7.1 out of every 1,000 computers, or 0.71 percent. Figure 6 illustrates the ER and the malware infection rate (CCM) for Canada and the worldwide average for recent time periods.

Figure 6: malware encounters and infections in Canada between the 3rd quarter of 2014 and the 2nd quarter of 2015

Figure 7 provides the top 10 list of malware families that infected systems in Canada in 2Q15. Notice that many of the threats on this list are different from the list of threats that were encountered in Canada during the same period (Figure 5). Many of these threats leverage social engineering and require user interaction in order to infect systems. You can get additional details on many of these threats in the Microsoft Malware Protection Center’s malware encyclopedia.

Figure 7: top threat families by infection rate (CCM) in 2Q15

A few noteworthy threats include Win32/Kilim, Win32/Alureon, and Win32/Zbot. Kilim is a threat family that can install malicious Google Chrome browser plug-ins and can then use your social media profiles to like, share, and follow pages without your permission. Alureon is a family of data-stealing Trojans can give a malicious hacker access to collect confidential information stored on a compromised PC, such as user names, passwords, and credit card data. They can also send malicious data to your PC and corrupt some driver files, making them unusable. Zbot is a family of Trojans that are created by kits known as “Zeus”. These kits are bought and sold on the black market and they can monitor online banking activities by hooking API addresses and injecting code into webpages.

Figure 8: top threat families by infection rate (CCM) in 2Q15

Many times, compromised systems are used to host malware hosting sites, phishing sites, drive-by download sites, etc. The relative levels of these web-based threats differ by country/region. Figure 8 shows us that in Canada levels of Phishing sites and malware hosting sites are slightly elevated above the worldwide average. To help put this into context, an example of a location with very high level of phishing sites is Bulgaria with 98.5 phishing sites per 1,000 hosts. A location with a high number of malware hosting sites is Brazil with 40.97 malware hosting sites per 1,000 hosts.

I hope you’ve found this analysis useful.

Tim Rains
Chief Security Advisor
Enterprise Cybersecurity Group

Microsoft Security Intelligence Report Volume 19 is now available

November 18th, 2015 No comments

We’ve just published hundreds of pages of new threat intelligence available for free download at

This includes threat data from the first half of 2015 as well as longer term trend data on the industry vulnerabilities, exploits, malware, and malicious websites that your organization should use to assess your current security posture. We are also providing threat data for over 100 countries/regions.

Additionally, this volume of the report includes a case study and profile on a determined adversary code name “Strontium.” This case study provides insight into the techniques that these modern threat actors are using. My colleagues in the Microsoft Malware Protection Center have written an article on Strontium that will give you more details and context:

Also included in this volume of the report is an in-depth look at the malware behind much of the bank fraud that has characterized the threat landscape in Brazil for the better part of the last decade. This is required reading for financial services customers.

One of my favorite new data-sets in this report is exploit detection data from the IExtensionValidation interface in Internet Explorer 11. Essentially this interface enables real-time security software to block ActiveX controls from loading on malicious web pages. When Internet Explorer loads a webpage that includes ActiveX controls, if the security software has implemented IExtensionValidation, the browser calls the security software to scan the HTML and script content on the page before loading the controls themselves. If the security software determines that the page is malicious (for example, if it identifies the page as an exploit kit landing page), it can direct Internet Explorer to prevent individual controls or the entire page from loading. The interface helps protect our customers and the data it provides helps us understand how attackers are evolving their web-based attacks such as drive-by download attacks and watering hole attacks. The data in figure 1 shows how attackers have shifted from attacking Flash and Java controls in almost the same frequency to targeting Flash almost 100% of the time. This illustrates the importance of ensuring that Flash is being patched efficiently in your environment.

Figure 1: ActiveX controls detected on malicious webpages through IExtensionValidation, 3Q14–2Q15, by control type

And of course, the report also contains the guidance your organization can use to protect its data and assets.

You can download Volume 19 of the Microsoft Security Intelligence Report at

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Historic High Infection Rates – The Threat Landscape in the Middle East

October 21st, 2015 No comments

I have written about the threat landscape in the Middle East extensively over the years. It’s been about 18 months since I published my last article on this part of the world and malware infection rates in some locations in the region have since risen to historic highs – far above the highest malware infection rates ever published in the Microsoft Security Intelligence Report. So I thought I’d take a fresh look at what has been happening in some locations in the Middle East.

If you are interested in some of the analysis and insights that we have published in the past, here are some of the most recent articles:

The Threat Landscape in the Middle East and Southwest Asia – Part 1: Relatively High Malware Infection Rates
The Threat Landscape in the Middle East and Southwest Asia – Part 2: Relatively High Malware Encounter Rates
The Threat Landscape in the Middle East and Southwest Asia – Part 3: Regional Anti-virus Software Usage
The Threat Landscape in the Middle East and Southwest Asia – Part 4: Regional Windows XP Market Share
Threat Landscape in the Middle East and Southwest Asia – Part 5: Socio-economic Factors and Regional Malware Infection Rates
Threat Landscape in the Middle East and Southwest Asia – Part 6: Best Practices from Locations with Low Malware Infection Rates
Regime Stability, Demographic Instability and Regional Malware Infection Rates – Part 1: Egypt
Regime Stability, Demographic Instability and Regional Malware Infection Rates – Part 2: Syria
The Threat Landscape in the Middle East – Part 3: Israel and Saudi Arabia

The malware infection rates (CCM) in the Middle East have typically been well above the worldwide average. The exception has tended to be Israel where the infection rate has closely mirrored the worldwide average during many time periods as seen in Figure 1.

Before I explore what happened in late 2013 and 2014 to drive infection rates significantly higher in all the locations listed in Figure 1, you might also be wondering about Qatar’s relatively high infection rate in the first quarter of 2011 (1Q11) that can be seen in Figure 1? You can read about that in a previously published article: The Threat Landscape in the Middle East – Part 1: Qatar.

Figure 1: the malware infection rates (CCM) for Egypt, Iraq, Israel, Oman, the Palestinian Authority, Qatar, Saudi Arabia, Syria, the United Arab Emirates, and the worldwide average per quarter for the years 2011 through 2014

All of the locations listed in Figure 1 had malware infection rates above the worldwide average in all four quarters of 2014. There is a clear increase in the CCM in most of these locations starting in the fourth quarter of 2013 (4Q13) or the first quarter of 2014 (1Q14). Qatar and the United Arab Emirates (UAE) saw increases in CCM in 4Q13; Qatar’s CCM increased 2.4 times from 11.4 to 27.7, while the UAE’s CCM increased 2.8 times from 12.2 to 34.0. But then the CCM in both locations leveled out and decreased in the last half of 2014, as did the worldwide average. Several other locations that saw their CCMs increase in 4Q13, continued to see large CCM increases in the following quarter.

One of the largest infection rate increases was in Iraq. The CCM in Iraq increased from 31.3 in 4Q13 to 110.7 in 1Q14, a 3.5 times increase. Examining the threat families responsible for this very large increase leads us to two families: MSIL/Bladabindi and Win32/Jenxcus. Detection for Bladabindi was added to the Microsoft Windows Malicious Software Removal Tool (MSRT) in January of 2014. Subsequently, Bladabindi was found and removed from 27.9 systems for every 1,000 systems that the MSRT executed on in Iraq in 1Q14. Detection for Jenxcus was added to MSRT in February of 2014 and it was also a prevalent threat in the region, found and removed from 25.2 systems for every 1,000 systems that the MSRT executed on in Iraq during the same period. The sudden increase in detections of these two families is the primary reason for the infection rate increase in Iraq at the beginning of 2014 and the subsequent decrease over time as fewer and fewer systems were found to be infected with these two families of threats.

MSIL/Bladabindi can steal sensitive information and send it to a malicious hacker. This threat family can also download other malware and provider attackers with backdoor access on compromised systems. Variants of this family can spread via infected removable drives, such as USB flash drives. They can also be downloaded by other malware, or spread though malicious links and hacked websites. Bladabindi variants are usually installed with an enticing name and icon to trick people into running it.

Win32/Jenxcus uses social engineering to trick the victim into running a malicious script file that is commonly bundled with other programs. When the program bundle is executed Jenxcus runs silently in the background. Win32/Jenxcus also operates as a worm that detects whether the victim’s system has a removable drive connected to it. If it does, it copies itself onto that drive. It also creates a shortcut link pointing to its copy in the removable drive. Typically, this threat gets onto vulnerable systems via drive-by download attacks or via infected removable drives.

Beyond the CCM increase seen in Iraq, Figure 1 illustrates smaller but similar CCM increases for several other locations in the region including Egypt, Oman, Palestinian Authority (West Bank and Gaza Strip), Saudi Arabia, and Syria. Win32/Jenxcus was the primary threat family driving CCMs higher in the first quarter of 2014 in all of these locations except Syria.

In Syria Win32/Gamarue and Win32/Sality were responsible for driving the infection rate from a CCM of 34.0 in the fourth quarter of 2013 to 75.5 in the first quarter of 2014.

Besides Win32/Jenxcus, Sality also contributed to the infection rate increase in Egypt, where it has been a prevalent threat for some time. I’ve written about this before: Are Viruses Making a Comeback? Egypt’s CCM increased to 73.2 in the first quarter of 2014 from 27.6 the prior quarter, a 2.7 times increase.

Whereas infection rate (CCM) data comes from the Malicious Software Removal Tool, the encounter rate (ER) is the percentage of computers running Microsoft real-time security software that report detecting malware, or report detecting a specific threat or family, during a period. Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender (on Windows 8.1) reporting that they blocked malware from installing on them. For example, the worldwide average encounter rate in the fourth quarter of 2014 (4Q14) was 15.9%. As seen in Figure 2, with the exception of Israel, several locations in the Middle East have significantly higher than average ERs. I can’t show you the ER for all the countries we have CCM data for, as we don’t have enough systems reporting ER data from some of the locations in the region during this period of time.

Figure 2: the encounter rates (ER) for Egypt, Iraq, Israel, Qatar, Saudi Arabia, the United Arab Emirates, and the worldwide average per quarter for the period between the 3rd quarter of 2013 through the 4th quarter of 2014
Notice how the ER increases in the third quarter of 2013 (3Q13) as opposed to the first quarter of 2014 where we saw large increases in infection rates in the region. A few threats were involved in this increase. In most of these locations Win32/Rotbrow, Win32/Brantall, and INF/Autorun, and VBS/Jenxcus all contributed to higher ERs during this period of time.

Malware families that use Autorun feature abuse (Win32/Autorun), have been some of the most prevalent threats encountered in the region for many years. These threats typically spread via USB drives and other removal media. I theorize that this type of threat is encountered in the Middle East so much because Internet connectivity is inconsistent in some locations, likely due to higher than average strife in places like Syria, Egypt, and Iraq. Subsequently, I postulate that people in these locations transfer files using removable media more often than many other places, exposing more systems to Autorun attacks. It’s just an educated guess. I have written about this threat before: Defending Against Autorun Attacks.

Figure 3: infographic to the right which shows how these worms can spread Autorun infographic that shows how these worms can spread

A drive-by download site is a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons. Users with vulnerable computers can be infected with malware simply by visiting such a website, even without attempting to download anything. Drive-by download pages are usually hosted on legitimate websites to which an attacker has posted exploit code. Attackers gain access to legitimate sites through intrusion or by posting malicious code to a poorly secured web form,

like a comment field on a blog. Compromised sites can be hosted anywhere in the world and concern nearly any subject imaginable, making it difficult for even an experienced user to identify a compromised site from a list of search results.

Figure 4: Drive-by download pages indexed by Bing at the end of the fourth quarter of 2014 (4Q14), per 1,000 URLs in each country/region102115_04
Only Syria stands out with substantially higher concentrations of drive-by download sites in the region during 3Q13, 4Q13, and 4Q14.

Figure 5: Concentration of drive-by download URLs tracked by Bing in select locations in the Middle East on a reference date at the end of the associated quarter, expressed as the number of drive-by download URLs per every 1,000 URLs hosted in the country/region.

I asked Cyril Voisin, Microsoft’s Chief Security Advisor in the Middle East and Africa, who is based in the UAE, how people in the region should protect themselves. The following is what Cyril recommended.

Arabic peninsula and Northern Africa countries were particularly affected by MSIL/Bladabindi and Win32/Jenxcus as these were part of attacks targeting Arabic speaking people, making them less suspicious as their language was used in order to lure them. For our larger MEA region, as well as for any other location in the world, I think the number 1 protection is the vigilance of users.

At the end of the day this boils down to:

  • Stay aware of risks and use your judgement as your best defense. And please spread the word by talking to your family and community members to increase their online safety. Anytime you are about to take any potentially harmful decision, reflect before you act and look for clues indicating phishing. Would this person really write to me in a foreign language to warn me about a picture were I look funny? Would this website confirm an order I did not make without calling me by my name? Would my bank require new urgent security information without notice? And of course everyone proposing to share their fortune with you only wants to get your money to build their own fortune… Finally beware of tech support phone scams where someone will call you directly and try to manipulate you over the phone, pretending for instance to be working for Microsoft support and asking you to install software on your machine, in order to take control of it.
  • Enforce basic hygiene. Again, this is not new, and with the risk of sounding as a broken record, I would like to remind everyone about the basics. If you want to skip that section, one recommendation though: upgrade to Windows 10 to benefit from all the security work that has been done to enhance your protection and automate some of the tasks below and beyond.
    • Keep everything up to date (all software on your PC, your tablet, your smartphone): that means applying updates for your system and applications, including browser, plug-ins, music software… as newer software is better for security.
    • Run an up-to-date antimalware solution and keep in mind that the presence of this security tool does not mean you can take inconsiderate risks
    • Use a firewall
    • Choose good passwords where they are necessary. Hint: Windows Hello and Microsoft Passport are your friends.

I hope you found this analysis informative and useful. You can find the latest data on the locations I examined in this series and many others at

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Cloud security controls series: Multi-factor Authentication

July 20th, 2015 No comments

Recently I wrote an article on the risk of leaked credentials in which I discussed how credentials are stolen in bulk directly from organizations’ websites. As illustrated in Figure 1, during the eight months between November 2013 and June 2014, Microsoft tracked about 1,700 distinct website credential thefts, comprising a little more than 2.3 million credentials that were posted in public places on the Internet. This number represents only a small fraction of the credentials that are traded in forums and specialized websites on less publicly accessible spaces on the Internet that cater to the illicit trade in stolen credentials. This problem is amplified in cases where victims have used the same credentials for access to multiple different service accounts on the Internet. Additionally, many of the high profile network compromises you have heard about over the past several years all had a phishing component in the attack. In many cases someone with a valid user name and password was tricked into disclosing those credentials in a phishing attack that subsequently provided attackers with a way into their infrastructure. Figure 2 illustrates that SmartScreen Filter reported 10.2 phishing attempts per 1,000 unique IP addresses in June 2014. Computers in Western Europe were disproportionately affected by phishing attempts. Four of the 10 locations reporting more than 20 phishing impressions per 1,000 unique IP addresses in June 2014 were in Western Europe: Italy (35.0), France (27.3), Belgium (26.1), and Spain (23.4). Other locations reporting high rates of phishing impressions include Venezuela (24.9) and South Africa (22.0).

Figure 1 (left):  Number of stolen credentials from publicly-posted credential thefts, per month, from November 2013 to June 2014, data from the Microsoft Security Intelligence Report volume 17; Figure 2 (right): Computers reporting phishing impressions per 1,000 unique client IP addresses in June 2014, data from the Microsoft Security Intelligence Report volume 17
0720 Figure 10720 Figure 2

In a world where hundreds of millions of leaked credentials are bought and sold regularly, and phishing attacks are so common and effective, many of the CISOs I talk to have come to the conclusion that passwords, even complex passwords and passphrases, by themselves are no longer sufficient to protect many of the resources that they are entrusted with. After all, even if all the passwords and passphrases meet all of their organization’s password complexity requirements, if attackers have a massive list of leaked credentials they can use to find valid credentials in, the complexity of those credentials isn’t really a mitigating factor for that type of risk.  Most of the CISOs I have talked to have implemented or plan to implement some form of multi-factor authentication as a control that helps mitigate some of these attacks. Multi-factor authentication adds one or more factors to the authentication process so that in addition to something the user knows (a password or pin), successful authentication also relies on something the user has (like a token generator, a smartcard, a specific device or application) or something the user is (biometrics like facial recognition or using iris or fingerprint scans). These additional factors make it harder for attackers to use leaked or stolen credentials to gain illegal access to systems. Security professionals use multi-factor authentication to help manage authentication in many on-premise scenarios including logging into Windows and authenticating to Active Directory, VPN, Direct Access, Exchange, Terminal Services, web applications, etc. In some cases multi-factor authentication helps organizations meet their compliance requirements.

When I have conversations about Microsoft’s Cloud services with customers, one of the first security controls I get asked about is multi-factor authentication. Naturally, security professionals that have implemented multi-factor authentication in their on-premise environments want to know they have the option to also use it to help protect users, data, and applications in the Cloud. Multi-factor authentication is available for Microsoft Cloud services and there are several configuration options to choose from depending on the service and assets you are trying to protect. Some of these options include Multi-factor Authentication for Azure Administrators, Azure Multi-factor Authentication, and Azure Multi-factor Authentication Server, Multi-factor Authentication for Office 365.

Azure Multi-factor Authentication is the multi-factor authentication service for Azure Active Directory. It helps to protect whatever assets you have protected with Azure Active Directory authentication including Cloud applications like Microsoft Office 365, OneDrive for Business, and Windows Intune. It can also be used to protect applications you develop on-premise as well as the thousands of SaaS applications available through Azure’s Application Gallery (screen shot in Figure 3), thus providing a more secure, single sign-on experience for people in your organization.

Figure 3: A screen shot of the Azure Application Gallery in the Azure portal, currently with 2,494 popular SaaS applications available
0720 Figure 3

When enabled, Azure Multi-factor Authentication can be configured to require users to use a mobile app, phone call, or text message after entering a valid password when authenticating to Cloud-based or on-premise applications. You can enforce multi-factor authentication on individual users or on specific applications. For example, let’s say your organization had a corporate LinkedIn account. You can provide access to that application to specific users in your organization via Azure Active Directory so they can access it via the app access panel at You could enforce multi-factor authentication for specific users so they have to use multiple factors when they logon to the app access panel or when they launch LinkedIn in the app access portal. Figure 4 illustrates how this is configured.  in the configuration settings for that application, I had the option to require multi-factor authentication for the users of that application or any of the other applications I have added in my Azure Active Directory.

Figure 4: How the Azure administrator adds the LinkedIn app to Azure Active Directory Applications in the Azure Portal and configuring multi-factor authentication, so that users can access the application from the Azure app access panel
0720 Figure 4a 0720 Figure 4b
0720 Figure 4c
0720 Figure 4d

Figure 5: A user logs into the Azure app access panel and sees they have been given access to the LinkedIn application; when the user launches LinkedIn from the Azure app access panel for the first time after multi-factor authentication has been enabled on the application, the user is prompted to set up the second factor for use in authentication after they successfully authenticate with their user name and password; the user can select the method they want to use for a second factor; the user selected “Mobile app” in this example and has some configuration options available; instructions are then presented to help the user install the mobile app on their smartphone – essentially installing the multi-factor authentication app from the appropriate app store and scan the barcode
0720 Figure 5a 0720 Figure 5b
0720 Figure 5c 0720 Figure 5d
0720 Figure 5e

You can enable the multi-factor authentication service for on-premises applications by using Azure Multi-factor Authentication Server that can be downloaded from the Azure Portal, as seen in Figure 7. Multi-Factor Authentication for Azure Administrators allows every administrative account of an Azure subscription to be protected by multi-factor authentication. So even if your organization decides not to implement multi-factor authentication for all users, the organization’s Azure administrators have the option to enable it for their accounts.

Figure 6: Advanced configuration for Azure Multi-factor Authentication
0720 Figure 6a
0720 Figure 6b

Figure 7: The Server download option for Azure Multi-factor Authentication Server
0720 Figure 7

One tip about multi-factor authentication providers in Azure, as illustrated in Figure 8. You only need to configure a multi-factor authentication provider if you aren’t getting Azure Multi-factor Authentication as part of the service you are using. If you are using Azure Active Directory Premium edition or Office 365 or Multi-Factor Authentication for Azure Administrators, then Azure Multi-factor Authentication is provided for free as part of these offerings. If you plan to use Azure Multi-factor Authentication as a stand-alone service, then you’ll have to create a multi-factor authentication provider to pay for that service. If you create a multi-factor authentication provider when you don’t really need to, you’ll likely pay for Azure Multi-factor Authentication when you don’t really need to – so ensure you need a multi-factor authentication provider before you create one.

Figure 8: Multi-factor Authentication Providers found in the Azure portal under the Active Directory in the left navigation bar, then click the “MULTI-FACTOR AUTH PROVIDERS” tab
0720 Figure 8

There are a lot of great resources that the Microsoft Azure Active Directory team have published on this topic:
Azure Multi-Factor Authentication
Getting started with Windows Azure Multi-Factor Authentication
Azure Multi-Factor Authentication Story
Securing access to cloud services – Information for Administrators
Adding Multi-Factor Authentication to Azure Active Directory
Configuring Azure Multi-Factor Authentication
Azure Multi-Factor Authentication FAQ
Enabling Multi-Factor Authentication for On-Premises Applications and Windows Server
Building Multi-Factor Authentication into Custom Apps (SDK)
Multi-Factor Authentication for Azure AD (video)

As I mentioned earlier, many of the enterprise customers I talk to have already invested in on-premise identity management solutions to meet specific security or compliance objectives they have. They use technologies such as Active Directory Federation Services (AD FS), certificate based authentication, physical smart cards or virtual smart cards. Both Microsoft and third-party authentication methods are available in Windows Server 2012 R2 AD FS. For example, using Windows Server 2012 R2 on-premise, once installed and registered with AD FS, you can enforce multi-factor authentication as part of the global or per-relying-party authentication policy. There are a bunch of providers with multi-factor authentication offerings available for AD FS in Windows Server 2012 R2. Currently these include offerings from Gemalto, inWebo Technologies, Login People, RSA, SafeNet, Swisscom and Symantec. Microsoft Azure Multi-factor Authentication will also work in this scenario. More background information long with the steps to do this are available: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications.

Figure 9: An illustration of how Azure Multi-factor Authentication Server can be integrated to manage authentication requests from on-premise applications
0720 Figure 9

Figure 10 (left): Installing the AD FS Adapter in the Azure Multi-factor Authentication Server after it has been installed and activated; Figure 11 (right): Configuring the AD FS Global Authentication Policy to use Azure Multi-factor Authentication
0720 Figure 10a 0720 Figure 10b

There are a bunch of other resources available related to using AD FS multi-factor authentication:

Microsoft Azure Multi-Factor Authentication Deep Dive: Securing Access on Premises and in the Cloud (video)
Active Directory Federation Services Overview
Getting started with Azure Multi-Factor Authentication and Active Directory Federation Services
Securing cloud resources with Azure Multi-Factor Authentication and AD FS
Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server with Windows Server 2012 R2 AD FS
Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server with AD FS 2.0
Building Multi-Factor Authentication into Your Applications Using the SDK
Windows Azure: Authenticate Windows Azure with ADFS
Windows Azure Multi-Factor Authentication Server (video)
Taking advantage of Identity capabilities in the Azure Pack (video)

For Office 365, multi-factor authentication can be used to protect both Office 365 administrative accounts and Office 365 user accounts. Multi-factor Authentication for Office 365 is powered by Azure Multi-factor Authentication, and works exclusively with Office 365 applications and is managed from the Office 365 portal. It’s available for all the different SKUs of Office 365. Once enabled, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied does the user get access to Office 365 resources. The Office 365 team has published some great articles and videos that you can use to learn more about Multi-factor Authentication for Office 365:

Multi-Factor Authentication for Office 365
Webcast: Office 365 sign-in with Multi-Factor Authentication
Set up multi-factor authentication for Office 365
Security in Office 365 White Paper

As you can see, you have several options that make it easy to enable multi-factor authentication to help protect administrator and user credentials used to access on-premise applications, Office 365 applications, Azure-based applications, and thousands of third party Cloud SaaS applications.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection