How to steer clear of tax scams

In the month of February, we saw an average of 300,000 phishing attempts across Microsoft’s browsing platforms daily. Our security experts expect these attempted scams to become more prevalent through the April 15 Tax Day, especially in the two weeks leading up to it, when about 25 percent of people file their taxes. The phishing campaigns we’ve seen aren’t limited to the U.S.: we’ve also recently uncovered similar tactics in Canada, Brazil and India. It’s important for users across the globe to follow best practices and stay vigilant.

With less than a month until the filing deadline in the U.S., we are urging the public to take the following simple steps to avoid tax scams – especially during the last-minute rush to file taxes.

  • Watch for suspicious emails. Be suspicious of all links and attachments, especially when an email seems “off” or arrives unexpectedly, such as an unprompted message from your credit card company or financial institution. Phishing emails often include spelling and grammatical errors, or ask you to send personal information. In these cases, apply additional scrutiny to the sender, the content, and any links and attachments. If you know the sender, for example, double-check with them before opening or downloading the file.
  • Carefully inspect URLs. Hover over links to verify that the URL goes to the website where it’s supposed to direct you. Is it pointing to the site you expected? URL shorteners provide a lot of convenience, but can make this inspection difficult. If you’re unsure, rather than clicking a link, use search engines like Bing to get to the tax-related website you’re looking for and log in from there.
We recently discovered a phishing campaign targeting Canadian taxpayers in which scammers pretended to help them get their refunds but really aimed to steal banking credentials. We’ve also seen old phishing documents resurface – these claim to be from the Canada Revenue Agency (CRA), inform victims that they have a refund via e-transfer from the CRA, and ask them to divulge the bank details where the funds will be “deposited”. We’ve also seen similar campaigns in Brazil and India.
  • Be wary of any attachments. If you haven’t just purchased tax software, don’t be fooled by an email with an invoice from a tax preparation company. Sending fake invoices for services is one of the top methods attackers use to trick people into opening a malicious attachment that could automatically execute malware on your computer. Malicious attachments could also contain links that download and execute malicious programs. We’ve seen PDFs that contain innocuous-looking links that lead to people accidentally downloading malicious software designed to steal credentials, like usernames and passwords.
  • Don’t rely on passwords alone. Scammers take advantage of weak or stolen passwords reused across multiple websites, so don’t rely on your password alone to keep you safe. When possible, use multi-factor authentication, such as the Microsoft Authenticator app for managing your sign-ins for Microsoft accounts and others, and Windows Hello for easy and secure sign-in to your Windows 10 device. These solutions enable biometric authentication, such as your face or fingerprint, to quickly and safely sign in across devices, apps and browsers without you having to remember passwords. Did you know that with a Microsoft Account, you can securely and automatically sign in to other Microsoft cloud-based applications, including Bing, MSN, Cortana, Xbox Live (PC only), Microsoft Store and Office?
  • Keep software current. Run a modern operating system, like Windows 10 or Windows 10 in S mode, with the latest security and feature updates, in tandem with next-generation anti-malware protection, such as Windows Defender Antivirus.

Microsoft security solutions can proactively inspect links and attachments, as well as block phishing documents and other malicious downloads to help protect users, even if they accidentally click a phishing link or open a malicious attachment. We expect tax scams to be on the rise in the next several months as global tax deadlines approach so our experts will be on the lookout for new campaigns.

Here are a couple of examples of what we’ve seen just in the last few weeks: two documents named irs_scanned_551712.doc and Tax(IP.PIN).doc. You’ll notice that the security tools built into Microsoft Office caught these and displayed a warning at the top. Before enabling content in documents like these, ensure that the sender is a trusted source, and look for things like missing or misspelled words.

Images: two tax-related phishing documents with malicious macro code, each showing the Office security warning.

Be on the lookout for scams like the ones we’ve described here. There will undoubtedly be more schemes that crop up. Stay vigilant! Learn how to report phishing scam websites through Microsoft Edge or Internet Explorer and suspicious email messages through Outlook 2016 or Office 365.

Keep these tips and tricks handy, and share with your networks so we can increase awareness of and stop the spread of Tax Day scams! For more information about Microsoft Security, please visit

New capabilities announced for Azure Security Center

Microsoft Azure Security Center, the central hub for monitoring and protecting against security incidents within Azure, has released new capabilities. The following features, announced at Hannover Messe 2019, are now generally available for Azure Security Center:

  • Advanced Threat Protection for Azure Storage—Layer of protection that helps customers detect and respond to potential threats on their storage account as they occur—without having to be an expert in security.
  • Regulatory compliance dashboard—Helps Security Center customers streamline their compliance process by providing insight into their compliance posture for a set of supported standards and regulations.
  • Support for Virtual Machine Scale Sets (VMSS)—Easily monitor the security posture of your VMSS with security recommendations.
  • Dedicated Hardware Security Module (HSM) service, now available in U.K., Canada, and Australia—Provides cryptographic key storage in Azure and meets the most stringent customer security and compliance requirements.
  • Azure disk encryption support for VMSS—Now Azure disk encryption can be enabled for Windows and Linux VMSS in Azure public regions—enabling customers to help protect and safeguard the VMSS data at rest using industry standard encryption technology.

In addition, support for Virtual Machine Scale Sets is now generally available in Azure Security Center. To learn more, read our Azure blog.


Microsoft Graph Security Hackathon winners announced

Bringing together information from multiple disconnected security systems to solve today’s security challenges is complex. We recently asked Microsoft Graph Security Hackathon participants to come up with innovative solutions using the Microsoft Graph Security API, and they did not disappoint.

We were excited to get a diverse set of submissions that covered real world security use cases, including security operations, user risk management, alerts enrichment, incident response, and analytics. It was truly inspiring to see the effort and creativity that teams and individuals put into their applications.

With that, please join us in congratulating the winners of the Microsoft Graph Security Hackathon.

First place: Microsoft User Security Evaluation Reporter

The Microsoft User Security Evaluation Reporter (MS-USER), from Darren Robinson, helps service desks and cybersecurity leads get instant visibility into their organization’s user security posture. Leveraging the Graph Security API and Microsoft Secure Score, the MS-USER app pulls together user and event information and includes recommended actions for remediating risks. The application also checks against the Have I Been Pwned database to give administrators and service desk personnel additional context on a user’s password security. This solution makes it easy to reach out to users and give them simple, actionable advice to improve their security, and as a result, the security of the rest of the organization. Darren will be joining us at our session at the Microsoft Build conference in Seattle, Washington, May 6-8, 2019. Definitely take a moment to check out his app today at

Runner up: Microsoft Graph Security—Security Alerts Enrichment

The Security Alerts Enrichments solution, submitted by Josh Rickard, is based on the Swimlane platform and ties together alerts with threat indicators and actions. The team created two applications that use Graph Security alerts to automate the creation of a threat intelligence feed, which can then be used to automate remediation of threats in the customer’s on-premises firewall appliance, which in this case is the Palo Alto Panorama Firewall. The second application ties in five different threat intelligence sources for enrichment. This is a great example of the power of a Security Orchestration Automation and Response (SOAR) solution. We encourage you to check it out at

Popular choice: OneGraph

The OneGraph application, from Abhishek Joshi, enables organizations to quickly investigate, analyze, and respond to security threats. The application lets users get a quick view of all their alerts and statuses, and easily drill down into things like specific threats, users affected, and alerts from specific providers. We really liked the tie-in with Microsoft Planner that allows alerts to be assigned to specific people or groups. The integration with Microsoft Teams was a great use case that enables quick response. We hope you take a moment to look at this app at

Again, congratulations to the winners and a huge thank you to all participants in the hackathon. We also wanted to take a moment to thank our all-star panel of judges for taking time out of their busy schedules to review and provide feedback on all the submissions. Many thanks for the support to Ann Johnson, Rich Howard, Scott Hanselman, Mark Russinovich, Troy Hunt, and Olli Vanhoja.

Finally, if any of this has inspired you to develop your own security app or solution, here are some resources to get you started:


New steps to protect customers from hacking

Today, court documents were unsealed detailing work Microsoft’s Digital Crimes Unit has executed to disrupt cyberattacks from a threat group we call Phosphorus – also known as APT 35, Charming Kitten, and Ajax Security Team – which is widely associated with Iranian hackers. Our court case against Phosphorus, filed in the U.S. District Court for Washington D.C., resulted in a court order enabling us last week to take control of 99 websites the group uses to conduct its hacking operations so the sites can no longer be used to execute attacks.

Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013. Its activity is usually designed to gain access to the computer systems of businesses and government agencies and steal sensitive information. Its targets also include activists and journalists – especially those involved in advocacy and reporting on issues related to the Middle East.

Phosphorus typically attempts to compromise the personal accounts of individuals through a technique known as spear-phishing, using social engineering to entice someone to click on a link, sometimes sent through fake social media accounts that appear to belong to friendly contacts. The link leads to malicious software that enables Phosphorus to access the victim’s computer systems.

Phosphorus also uses a technique whereby it sends people an email that makes it seem as if there’s a security risk to their accounts, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems.

Both attack methods employ the use of websites that incorporate the names of well-known brands, like Microsoft, to appear authentic. Websites registered and used by Phosphorus include, for example,,,, and

While we’ve used daily security analytics tracking to stop individual Phosphorus attacks and notify impacted customers, the action we executed last week enabled us to take control of websites that are core to its operations. Our work to track Phosphorus over multiple years and observe its activity enabled us to build a decisive legal case and execute last week’s action with confidence we could have significant impact on the group’s infrastructure.

The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crime Unit’s sinkhole. The intelligence we collect from this sinkhole will be added to MSTIC’s existing knowledge of Phosphorus and shared with Microsoft security products and services to improve detections and protections for our customers.

Throughout the course of tracking Phosphorus, we’ve worked closely with a number of other technology companies, including Yahoo, to share threat information and jointly stop attacks. We are grateful for their partnership. We also worked with each domain listing company listed in our suit prior to filing it and are grateful for their support and help in transferring the website domains registered by Phosphorus to us once a court order was granted. Our case against Phosphorus is similar to cases we’ve filed against another threat group called Strontium. We have used this approach 15 times to take control of 91 fake websites associated with Strontium. The legal filings in our case against Phosphorus can be found here.



From Microsoft Defender ATP alert to protecting customers: Follow the journey

With Microsoft continuously improving kernel mitigations and raising the bar for exploiting native kernel components, third-party kernel drivers are becoming a more appealing target for attackers and an important area of research for security analysts. A vulnerability in a signed third-party driver could have a serious impact: it can be abused by attackers to escalate privileges or, more commonly, bypass driver signature enforcement—without the complexity of using a more expensive zero-day kernel exploit in the OS itself.

Computer manufacturers usually ship devices with software and tools that facilitate device management. This software, including drivers, often contains components that run with ring-0 privileges in the kernel. With these components installed by default, each must be as secure as the kernel itself; even one flawed component could become the Achilles’ heel of the whole kernel security design.

We discovered such a driver while investigating an alert raised by Microsoft Defender Advanced Threat Protection’s kernel sensors. We traced the anomalous behavior to a device management driver developed by Huawei. Digging deeper, we found a lapse in the design that led to a vulnerability that could allow local privilege escalation.

We reported the vulnerability (assigned CVE-2019-5241) to Huawei, who responded and cooperated quickly and professionally. On January 9, 2019, Huawei released a fix. In this blog post, we’d like to share our journey from investigating one Microsoft Defender ATP alert to discovering a vulnerability, cooperating with the vendor, and protecting customers.

Detecting kernel-initiated code injections with Microsoft Defender ATP

Starting in Windows 10, version 1809, the kernel has been instrumented with new sensors designed to trace User APC code injection initiated by kernel code, providing better visibility into kernel threats like DOUBLEPULSAR. As described in our in-depth analysis, DOUBLEPULSAR is a kernel backdoor used by the WannaCry ransomware to inject the main payload into user space. DOUBLEPULSAR copied the user payload from the kernel into an executable memory region in lsass.exe and inserted a User APC into a victim thread with a NormalRoutine targeting this region.


Figure 1. WannaCry User APC injection technique schematic diagram

While the User APC code injection technique isn’t novel (see Conficker or Valerino’s earliest proof-of-concept), detecting threats running in the kernel is not trivial. Since PatchGuard was introduced, hooking NTOSKRNL is no longer allowed; there’s no documented way drivers could get notification for any of the above operations. Hence, without proper optics, the only sustainable strategy would be applying memory forensics, which can be complicated.

The new set of kernel sensors aims to address this kind of kernel threat. Microsoft Defender ATP leverages these sensors to detect suspicious operations invoked by kernel code that might lead to code injection into user mode. One such suspicious operation triggered this investigation.

Investigating an anomalous code injection from the kernel

While monitoring alerts related to kernel-mode attacks, one alert drew our attention:


Figure 2. Microsoft Defender ATP kernel-initiated code injection alert

The alert process tree showed an abnormal memory allocation and execution in the context of services.exe by a kernel code. Investigating further, we found that an identical alert was fired on another machine around the same time.

To get a better understanding of the observed anomaly, we looked at the raw signals we got from the kernel sensors. This analysis yielded the following findings:

  • A system thread called nt!NtAllocateVirtualMemory to allocate a single page (size = 0x1000) with the PAGE_EXECUTE_READWRITE protection mask in the services.exe address space
  • The system thread then called nt!KeInsertQueueApc to queue a User APC to an arbitrary services.exe thread, with NormalRoutine pointing to the beginning of the executable page and NormalContext pointing to offset 0x800

The payload copied from kernel mode is divided into two portions: a shellcode (NormalRoutine) and a parameter block (NormalContext). At this point, the overall behavior looked suspicious enough for us to proceed with the hunting. Our goal was to incriminate the kernel code that triggered the alert.
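To make that correlation concrete, here is an added example, written for this page rather than taken from the post or from Microsoft’s sensor code, that implements the same two-step logic in C over a constructed event log: an executable allocation that kernel code made in a user process, followed by a User APC whose NormalRoutine lands inside that allocation. The record layout, the PIDs and the addresses are assumptions made for the example; the post does not publish the sensor schema.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Win32 page-protection bits (values as in the Windows SDK). */
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u

#define SYSTEM_PID 4u   /* the System process, home of kernel system threads */

enum event_kind { EV_ALLOCATE_VIRTUAL_MEMORY, EV_INSERT_QUEUE_APC };

/* One sensor record. The field names are this example's own (assumed), not
 * the real Microsoft Defender ATP schema. */
struct event {
    enum event_kind kind;
    bool     caller_in_kernel;  /* the sensor attributes the call to kernel code */
    uint32_t caller_pid;        /* process context the call ran in */
    uint32_t target_pid;        /* process whose address space or thread is affected */
    uint64_t base;              /* EV_ALLOCATE_VIRTUAL_MEMORY: region base */
    uint64_t size;              /* EV_ALLOCATE_VIRTUAL_MEMORY: region size */
    uint32_t protect;           /* EV_ALLOCATE_VIRTUAL_MEMORY: protection mask */
    uint64_t normal_routine;    /* EV_INSERT_QUEUE_APC: NormalRoutine */
    uint64_t normal_context;    /* EV_INSERT_QUEUE_APC: NormalContext */
};

bool is_executable(uint32_t protect)
{
    return (protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                       PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}

struct tracked_alloc { uint32_t pid; uint64_t base; uint64_t size; };
#define MAX_TRACKED 64

/* Walks the event stream in order and pairs each User APC queued by kernel code
 * with an earlier executable allocation, also made by kernel code, in the same
 * target process: the APC is flagged when its NormalRoutine falls inside that
 * region. Returns the number of flagged injections; *first_pid receives the
 * target PID of the first one (0 if none). */
int detect_kernel_apc_injection(const struct event *ev, size_t n, uint32_t *first_pid)
{
    struct tracked_alloc allocs[MAX_TRACKED];
    size_t nallocs = 0;
    int hits = 0;

    if (first_pid) *first_pid = 0;
    for (size_t i = 0; i < n; i++) {
        const struct event *e = &ev[i];
        if (!e->caller_in_kernel)
            continue;   /* user-mode callers (JITs, debuggers) are a different detection */

        if (e->kind == EV_ALLOCATE_VIRTUAL_MEMORY) {
            if (is_executable(e->protect) && nallocs < MAX_TRACKED)
                allocs[nallocs++] = (struct tracked_alloc){ e->target_pid, e->base, e->size };
        } else if (e->kind == EV_INSERT_QUEUE_APC) {
            for (size_t j = 0; j < nallocs; j++) {
                const struct tracked_alloc *a = &allocs[j];
                if (a->pid == e->target_pid &&
                    e->normal_routine >= a->base && e->normal_routine < a->base + a->size) {
                    if (hits == 0 && first_pid) *first_pid = e->target_pid;
                    hits++;
                    break;
                }
            }
        }
    }
    return hits;
}

/* Constructed sample log modeled on the two findings in the text: a system thread
 * allocates one RWX page in services.exe (PID 700 here, assumed), then queues a
 * User APC whose NormalRoutine is the page start and whose NormalContext is
 * offset 0x800 into it. The other records are benign noise. */
#define SERVICES_PID  700u
#define INJECTED_PAGE 0x000001c3a0420000ull

static const struct event sample_log[] = {
    /* a user-mode JIT making its own memory executable: not kernel-initiated */
    { EV_ALLOCATE_VIRTUAL_MEMORY, false, 4312, 4312, 0x7ff6a0000000ull, 0x10000, PAGE_EXECUTE_READWRITE, 0, 0 },
    /* kernel code allocating a non-executable buffer in services.exe */
    { EV_ALLOCATE_VIRTUAL_MEMORY, true, SYSTEM_PID, SERVICES_PID, 0x000001c3a0300000ull, 0x1000, PAGE_READWRITE, 0, 0 },
    /* finding 1: system thread allocates 0x1000 bytes PAGE_EXECUTE_READWRITE in services.exe */
    { EV_ALLOCATE_VIRTUAL_MEMORY, true, SYSTEM_PID, SERVICES_PID, INJECTED_PAGE, 0x1000, PAGE_EXECUTE_READWRITE, 0, 0 },
    /* an ordinary kernel-queued APC whose routine lives in a loaded module, not in a tracked region */
    { EV_INSERT_QUEUE_APC, true, SYSTEM_PID, 4312, 0, 0, 0, 0x7ffd1e7c0000ull, 0 },
    /* finding 2: User APC to an arbitrary services.exe thread, NormalRoutine = page start, NormalContext = page + 0x800 */
    { EV_INSERT_QUEUE_APC, true, SYSTEM_PID, SERVICES_PID, 0, 0, 0, INJECTED_PAGE, INJECTED_PAGE + 0x800 },
};

int sample_hit_count(void)
{
    return detect_kernel_apc_injection(sample_log, sizeof sample_log / sizeof sample_log[0], NULL);
}

uint32_t sample_hit_pid(void)
{
    uint32_t pid = 0;
    detect_kernel_apc_injection(sample_log, sizeof sample_log / sizeof sample_log[0], &pid);
    return pid;
}

int main(void)
{
    printf("kernel-initiated APC injections flagged: %d (first target PID %u)\n",
           sample_hit_count(), (unsigned)sample_hit_pid());
    return 0;
}
```

The heuristic keys only on kernel-originated calls and on the address relationship between the two events, which is why the user-mode JIT allocation and the kernel-queued APC into a module image in the sample log are not flagged; a real sensor pipeline would add the caller's module (the third-party driver) as a further pivot.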

Incriminating the source

In user-mode threats, the caller process context could shed light on the actor and link to other phases in the attack chain. In contrast, with kernel-mode threats, the story is more complicated. The kernel by nature is asynchronous; callbacks might be called in an arbitrary context, making process context meaningless for forensics purposes.

Therefore, we looked for indirect evidence of third-party code loaded into the kernel. By inspecting the machine timeline, we found that several third-party drivers had been loaded earlier that day.

Based on their file paths, we concluded that they were all related to an app from Huawei called PC Manager, device management software for Huawei MateBook laptops. The installer is available on Huawei’s website, so we downloaded it for inspection. For each Huawei driver, we used dumpbin.exe to examine imported functions.

And then we had a hit:


Figure 3. dumpbin utility used to detect user APC injection primitives

HwOs2Ec10x64.sys: Unexpected behavior from a driver

Hunting led us to the kernel code that triggered the alert. One would expect that a device management software would perform mostly hardware-related tasks, with the supplied device drivers being the communication layer with the OEM-specific hardware. So why was this driver exhibiting unusual behavior? To answer this question, we reverse-engineered HwOs2Ec10x64.sys.

Our entry point was the function implementing the user APC injection. We found a code path that:

  1. allocates an RWX page in some target process;
  2. resolves CreateProcessW and CloseHandle function pointers in the address space of the target process;
  3. copies a code area from the driver as well as what seemed to be a parameter block to the allocated page; and
  4. performs User APC injection targeting that page

The parameter block contains both the resolved function pointers as well as a string, which was found to be a command line.


Figure 4. User APC injection code

The APC normal routine is a shellcode which calls CreateProcessW with the given process command line string. This implied that the purpose of the code injection to services.exe is to spawn a child process.


Figure 5. User shellcode performing process creation

Inspecting the xrefs, we noticed that the injection code originated from a create-process notify routine when Create = FALSE. Hence, the trigger was some process termination.

But what command does the shellcode execute? Attaching a kernel debugger and setting a breakpoint on the memcpy_s in charge of copying the parameters from kernel to user-mode revealed the created process: one of Huawei’s installed services, MateBookService.exe, invoked with “/startup” in its command line.


Figure 6. Breakpoint hit on the call to memcpy_s copying shellcode parameters

Why would a valid service be started that way? Inspecting MateBookService.exe!main revealed a “startup mode” that revived the service if it’s stopped – some sort of watchdog mechanism meant to keep the Huawei PC Manager main service running.


Figure 7. MateBookService.exe /startup code path

At this point of the investigation, the only missing piece in the puzzle was making sure the terminated process triggering the injection is indeed MateBookService.exe.


Figure 8. Validating terminated process identity

The code path that decides whether to inject to services.exe uses a global list of watched process names. Hitting a breakpoint in the iteration loop revealed which process was registered: it was MateBookService.exe, as expected, and it was the only process on that list.


Figure 9. Breakpoint hit during process name comparison against global list

HwOs2Ec10x64.sys also provided process protection against external tampering. Any attempt to force MateBookService.exe termination would fail with Access Denied.

Abusing HwOs2Ec10x64.sys process watch mechanism

The next step in our investigation was to determine whether an attacker can tamper with the global watched-process list. We came across an IOCTL handler that adds an entry to that list. The MateBookService.exe process likely uses this IOCTL to register itself when the service starts. This IOCTL is sent to the driver’s control device, created in its DriverEntry.


Figure 10. HwOs2Ec10x64.sys control device creation with IoCreateDevice

Since the device object is created with IoCreateDevice, which takes no security descriptor, Everyone has RW access to it. Another important observation was that this device isn’t exclusive, hence multiple handles could be opened to it.

Nevertheless, when we tried to open a handle to the device \\.\HwOs2EcX64, it failed with Last Error = 537, “Application verifier has found an error in the current process”. The driver was rejecting our request to open the device. How is access enforced? It must be on the CreateFile path; in other words, in HwOs2Ec10x64.sys IRP_MJ_CREATE dispatch routine.


Figure 11. IRP_MJ_CREATE dispatch routine

This function validates the calling process by making sure that its main executable path belongs to a whitelist (e.g., C:\Program Files\Huawei\PCManager\MateBookService.exe). This simple check on the initiating process’s image path, however, doesn’t guarantee the integrity of the calling process. An attacker-controlled instance of MateBookService.exe will still be granted access to the device \\.\HwOs2EcX64 and be able to call some of its IRP functions. The attacker-controlled process could then abuse this capability to register a watched executable of its own choice. Given that a parent process has full permissions over its children, even low-privileged code can spawn its own copy of MateBookService.exe and inject code into it. In our proof-of-concept, we used process hollowing.


Figure 12. Procmon utility results showing POC process start/exit & IL

Because watched processes are blindly launched by the watchdog when they’re terminated, the attacker-controlled executable would be invoked as a child of services.exe, running as LocalSystem, hence with elevated privileges.


Figure 13. Procexp utility process-tree view showing LPE_POC running as LocalSystem

Responsible disclosure and protecting customers

Once we had a working POC demonstrating the elevation of privilege from a low-integrity attacker-controlled process, we responsibly reported the bug to Huawei through the Microsoft Security Vulnerability Research (MSVR) program. The vulnerability was assigned CVE-2019-5241. Meanwhile, we kept our customers safe by building a detection mechanism that would raise an alert for any successful privilege escalation exploiting the HwOs2Ec10x64.sys watchdog vulnerability as we described.


Figure 14. Microsoft Defender ATP alerting on the privilege escalation POC code

Abusing a second IOCTL handler

Having been able to freely invoke the driver’s IOCTL handlers from user mode, we looked for other capabilities that could be abused. We found one: the driver provided a capability to map any physical page into user mode with RW permissions. Invoking this handler allowed code running with low privileges to read and write beyond the process boundaries, into other processes or even into kernel space. This, of course, means a full machine compromise.

We also worked with Huawei to fix this second vulnerability, which was assigned CVE-2019-5242. Huawei addressed the flaw in the same security advisory.

We presented our research at the Blue Hat IL Conference in February. Watch the video recording here, and get the slide deck here.


The two vulnerabilities we discovered in a driver underscore the importance of designing software and products with security in mind. Security boundaries must be honored. Attack surface should be minimized as much as possible. In this case, the flaws could have been prevented if certain precautions had been taken:

  • The device object created by the driver should be created with a DACL granting SYSTEM RW access (since only the vendor’s services were communicating directly with the driver)
  • If a service should persist, developers should check that it’s not already provided by the OS before trying to implement a complex mechanism
  • User-mode shouldn’t be allowed to perform privileged operations like writing to any physical page; if needed, the driver should do the actual writing for well-defined, hardware-related scenarios
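The first recommendation can be shown concretely. A driver sets its device object’s DACL by creating the device with IoCreateDeviceSecure (wdmsec.h) and an SDDL string such as SDDL_DEVOBJ_SYS_ALL_ADM_ALL. The example below is added here and is not Huawei’s or Microsoft’s code: a small C evaluator for such strings that walks the ACEs the way the Windows access check does and answers whether a token holding a given set of well-known SIDs gets the requested generic rights. The world-RW string used to model the IoCreateDevice default, the two caller tokens and their SID sets are assumptions constructed for the example, and the evaluator supports only the generic-rights tokens used in device DACLs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generic access rights as in the Windows SDK; GA is expanded to R|W|X. */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_RWX     (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE)

/* The first two strings are the SDDL_DEVOBJ_* values from wdmsec.h. The world-RW
 * string models the page's "Everyone has RW access" default (an assumption for the
 * example); the last one exercises ACE ordering with a deny ACE. */
#define DACL_SYS_ADM_ONLY     "D:P(A;;GA;;;SY)(A;;GA;;;BA)"   /* SDDL_DEVOBJ_SYS_ALL_ADM_ALL */
#define DACL_KERNEL_ONLY      "D:P"                            /* SDDL_DEVOBJ_KERNEL_ONLY */
#define DACL_WORLD_RW         "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGW;;;WD)"
#define DACL_DENY_WRITE_FIRST "D:(D;;GW;;;WD)(A;;GA;;;WD)"

/* Well-known SID abbreviations a token holds: SY LocalSystem, BA Administrators,
 * WD Everyone, BU Users, IU Interactive. */
#define MAX_SIDS 8
struct caller { const char *sids[MAX_SIDS]; size_t nsids; };

static bool caller_has_sid(const struct caller *c, const char *sid, size_t len)
{
    for (size_t i = 0; i < c->nsids; i++)
        if (strlen(c->sids[i]) == len && memcmp(c->sids[i], sid, len) == 0)
            return true;
    return false;
}

/* Rights field: a run of generic two-letter tokens; anything else is rejected. */
static bool parse_rights(const char *s, size_t len, uint32_t *mask)
{
    *mask = 0;
    if (len % 2) return false;
    for (size_t i = 0; i < len; i += 2) {
        if (s[i] != 'G') return false;
        switch (s[i + 1]) {
        case 'A': *mask |= GENERIC_RWX;     break;
        case 'R': *mask |= GENERIC_READ;    break;
        case 'W': *mask |= GENERIC_WRITE;   break;
        case 'X': *mask |= GENERIC_EXECUTE; break;
        default:  return false;
        }
    }
    return true;
}

/* True if the DACL in sddl grants every bit of requested to c. ACEs are walked in
 * order as the Windows access check does: a matching deny ACE overlapping the request
 * denies at once, matching allow ACEs accumulate until the request is covered. An
 * empty DACL ("D:P") grants nothing; malformed input denies (fail closed). */
bool sddl_grants(const char *sddl, const struct caller *c, uint32_t requested)
{
    const char *p = strstr(sddl, "D:");
    if (!p || requested == 0) return false;
    for (p += 2; *p && *p != '('; p++) { }     /* skip DACL flags such as P */

    uint32_t granted = 0;
    while (*p == '(') {
        const char *end = strchr(p, ')');
        if (!end) return false;
        /* split "(type;flags;rights;object_guid;inherit_guid;sid)" into six fields */
        const char *f[6], *start = p + 1; size_t fl[6]; int nf = 0;
        for (const char *r = p + 1; r <= end && nf < 6; r++)
            if (*r == ';' || *r == ')') { f[nf] = start; fl[nf] = (size_t)(r - start); nf++; start = r + 1; }
        if (nf != 6 || start != end + 1) return false;
        if (fl[0] != 1 || (f[0][0] != 'A' && f[0][0] != 'D')) return false;
        uint32_t rights;
        if (!parse_rights(f[2], fl[2], &rights)) return false;

        if (caller_has_sid(c, f[5], fl[5])) {
            if (f[0][0] == 'D') { if (rights & requested) return false; }
            else { granted |= rights; if ((granted & requested) == requested) return true; }
        }
        p = end + 1;
    }
    return false;   /* end of DACL without full coverage */
}

/* Two representative tokens: a low-privileged interactive user, and a LocalSystem
 * service such as the vendor's own MateBookService.exe. */
bool low_user_gets(const char *sddl, uint32_t requested)
{
    const struct caller user = { { "WD", "BU", "IU" }, 3 };
    return sddl_grants(sddl, &user, requested);
}

bool system_service_gets(const char *sddl, uint32_t requested)
{
    const struct caller sys = { { "SY", "WD" }, 2 };
    return sddl_grants(sddl, &sys, requested);
}

int main(void)
{
    const uint32_t rw = GENERIC_READ | GENERIC_WRITE;
    const char *names[] = { "world-RW default", "SYSTEM/Admin only", "kernel only" };
    const char *dacls[] = { DACL_WORLD_RW, DACL_SYS_ADM_ONLY, DACL_KERNEL_ONLY };
    for (int i = 0; i < 3; i++)
        printf("%-18s low user RW: %d   system service RW: %d\n", names[i],
               low_user_gets(dacls[i], rw), system_service_gets(dacls[i], rw));
    return 0;
}
```

With the SYSTEM/Administrators DACL the low-privileged caller is refused at CreateFile time, before the driver’s own path-based IRP_MJ_CREATE check ever runs, so the hollowed MateBookService.exe trick described above never reaches the IOCTL handlers; the kernel-only DACL goes further and closes the device to every user-mode opener.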

Microsoft’s driver security checklist provides some guidelines for driver developers to help reduce the risk of drivers being compromised.

Our discovery of the driver vulnerabilities also highlights the strength of Microsoft Defender ATP’s sensors. These sensors expose anomalous behavior and give SecOps personnel the intelligence and tools to investigate threats, as we did.

Anomalous behaviors typically point to attack techniques perpetrated by adversaries with malicious intent. In this case, they pointed to a flawed design that could be abused. Either way, Microsoft Defender ATP exposed a security flaw and protected customers before it could be used in actual attacks.

Not yet reaping the benefits of Microsoft Defender ATP’s industry-leading optics and detection capabilities? Sign up for free trial today.

Amit Rapaport (@realAmitRap)
Microsoft Defender Research team


The evolution of Microsoft Threat Protection, RSA edition

Last week, the Microsoft Security team attended the RSA conference in San Francisco, California. We made several key announcements about Microsoft Threat Protection, the solution which provides end users optimal security from the moment they log in, use email, work on documents, or utilize cloud applications and offers security professionals the benefit of minimal complexity while staying ahead of threats to their organization. As we previously alluded to, Microsoft Threat Protection is on a journey to provide organizations seamless, integrated, and comprehensive security across multiple attack vectors. In this RSA edition, we want to share where we are in this journey, the most recent new capabilities launched, and the vision of where we’re going as we continue executing toward our goal of offering best-in-class security for modern organizations.

The journey taken

Microsoft Threat Protection is supported by tremendous investment and focus across multiple engineering teams. Each month, we report discrete enhancements to the solution, but Figure 1 shows the many years of strategic investments and designed capabilities which helped create the solution we offer today. As the timeline demonstrates, each discrete enhancement is tied to the larger vision of Microsoft Threat Protection and our effort to ensure customers are offered the best and most secure threat protection available on the market. The roots of Microsoft Threat Protection stretch back to 2014, with the launch of advanced identity protection capabilities offered in Azure Active Directory Premium. Development of the Microsoft Intelligent Security Graph, which weaves our security services together, began shortly thereafter. Building on these strong foundations in identity protection (including security for on-premises identities) and intelligence, we then launched services securing email and documents, cloud apps, endpoints, and infrastructure. Over the last few years, we have leveraged the connectivity of the Intelligent Security Graph to integrate and seamlessly correlate signals across all our services, to help provide an optimized security experience with minimal complexity for customers.

Figure 1. The development timeline of Microsoft Threat Protection.

The journey is continuing, as we further enhance and develop capabilities which secure customers with Microsoft Threat Protection. Next, we look at announcements made at RSA this year, which are significant strides on our evolution toward the full potential Microsoft Threat Protection.

Tomorrow’s SIEM, available today

Many organizations leverage Security Information and Events Management (SIEM) products to support their digital transformation. As the value of digital information continues to increase, so does the volume and sophistication of attacks. Several customers have told us their existing SIEM products are unable to keep pace.

To address this need, at RSA we announced the launch of Microsoft Azure Sentinel, which adds the benefits of a next-gen SIEM to the Microsoft Threat Protection solution. Azure Sentinel is a cloud-native solution, providing intelligent security analytics for the entire organization. With Azure Sentinel (Figure 2), collection of security data across the entire hybrid organization from devices, to users, to apps, to servers on any cloud is easy. It includes built-in artificial intelligence (AI) to help ensure threats are identified quickly and significantly reduces the burden of traditional SIEMs by eliminating the need to spend time setting up, maintaining, and scaling infrastructure. Since it is built on Azure, it offers nearly limitless cloud scale and speed to address your security needs. Traditional SIEMs are also expensive to own and operate, often requiring high upfront costs and continued high costs for infrastructure maintenance and data ingestion. With Azure Sentinel there are no upfront costs as you pay for what you use.  Additionally, organizations can bring their Office 365 activity data to Azure Sentinel for free. It takes just a few clicks to retain your Office 365 data within the Microsoft cloud. Learn more about Azure Sentinel and opt in for a trial today.

Figure 2. The Azure Sentinel – Overview portal.

Combining artificial intelligence with human expertise for unparalleled security

Human expertise will always be pivotal for strong security. However, by 2021, there will be an estimated shortage of 3.5 million security professionals. To help organizations benefit from the knowledge of seasoned security analysts, we announced Microsoft Threat Experts at RSA, adding another significant capability to Microsoft Threat Protection to augment customers’ Security Operations Centers (SOCs). Microsoft Threat Experts is currently offered as part of our endpoint security service, Windows Defender ATP, and blends the benefits of human analysts with our industry-leading endpoint security service. Soon, Threat Experts will extend to cover more components of Microsoft Threat Protection. It is a new managed threat hunting service providing proactive hunting, prioritization, and additional context and data-driven insights, further helping SOCs identify and respond to threats quickly and accurately. Microsoft Threat Experts enables SOCs to jump-start threat investigations by providing context-rich intelligence. The feature offers:

  • Targeted attack notifications: Offers monitoring by Microsoft’s threat experts and provides notifications to customers in case a breach is identified. In cases where a full incident response becomes necessary, seamless transition to Microsoft incident response (IR) services is available.
  • Experts on demand (Figure 3): Security experts provide technical consultation on relevant detections and adversaries.

Figure 3. Microsoft Threat Experts “Ask a Threat Expert” button.

Learn more about Microsoft Threat Experts and check out these case studies that showcase the significant benefit of combined human and artificial intelligence. Get started on a Windows Defender ATP trial and begin your preview of Microsoft Threat Experts.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit Integrated and automated security. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities. Begin a trial of Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace. And check out part 2 of this blog, where we discuss a new unified SecOps experience, powerful new features to strengthen your cloud app security, unique automation capabilities launching in Office 365, and an early look at the full vision and scope of Microsoft Threat Protection.


Secure your digital transformation through simplicity with help from a new Forrester study

Sometimes, technology can make things overly complex.

Even with the best of intentions, there can be too much of a good thing. In the world of cybersecurity, complexity has been a mainstay, but in recent years, it has grown beyond its breaking point and has become a liability for security practitioners.

The Forrester study, titled Security Through Simplicity (Dec. 2018)—commissioned by the Microsoft Security team—clearly shows that digital transformation, while necessary for business success, compounds the complexity of an already tangled security threat landscape. However, the study also found a correlation between vendor consolidation and strategy modernization to reduce security complexity.

Digital transformation introduces new levels of complexity

Digital transformation is a critical shift under which businesses are using data-powered platforms and applications to improve nearly every aspect of their business operations. New open ecosystems and the democratization of data means more users in varied locations sharing data across more applications, devices, platforms, and environments—both internally and externally.

As businesses continue to digitize processes, security teams must contend with an increase in attack vectors and more complicated management, all while keeping pace with increasingly sophisticated attackers. In the face of this massive challenge, security teams must evaluate and refresh their legacy security procedures, tools, and skill sets to accommodate a new and adaptable approach to enterprise security.

In the study, paid for by Microsoft, Forrester asked 481 IT security decision makers, “How challenging are the following security goals/objectives to achieve?” and found them all to be highly or extremely challenging:

Infographic (share of respondents rating each goal highly or extremely challenging):

  • Correlate security alerts from disparate technologies to detect actual threats: 59%
  • Hire trained IT security staff: 57%
  • Modernize their organization's IT security strategies: 57%
  • Retrain IT security staff: 60%

Reducing security complexity

So how are enterprise IT security teams successfully reducing complexity to improve their security efforts in the face of digital transformation? The study found an interesting correlation between vendor consolidation and strategy modernization in successfully achieving both business and security initiatives, when executed in concert with each other.

A high number of disparate security solutions in place for on-premises and cloud infrastructure and applications makes visibility and central management extremely difficult. Reducing the number of disparate security point solutions that must interact with each other—particularly older, legacy ones—brings complexity down to a manageable level and allows businesses the visibility, security, and control to expand their digital adoption with confidence. Vendor consolidation and modernization can also yield cost savings by lowering technology budgets, increasing management efficiencies, and avoiding the costs of a data breach or regulatory noncompliance.

A small subset (11 percent) of enterprises that have successfully achieved both critical initiatives, modernization and vendor consolidation, has been able to reduce complexity and reap the rewards of digital transformation. These organizations are:

  • 54 percent more likely to feel that their IT security strategy helps them to digitally transform their organization.
  • 42 percent more likely to feel that their IT security strategy helps reduce risk of a customer data breach.
  • 33 percent more likely to feel that their IT security strategy improves their customers’ experiences.

Key recommendations

Companies undergoing digital transformation seek new ways to engage with customers, create additional revenue streams, and place innovation at the forefront of their corporate strategy. Failing to secure their digital assets can lead to those same organizations forfeiting hard-won successes.

Forrester’s in-depth survey of 481 IT security decision makers yielded several important recommendations:

  • Implement security by design.
  • Consolidate security vendors and security solutions.
  • Increase measurement, analytics, and reporting capabilities.
  • Discover and manage shadow IT.
  • Adapt security to users.

Get your copy of the full study.


Helping security professionals do more, better at this week’s RSA Conference in San Francisco

I’m on my way to the RSA Conference in San Francisco, California, and am looking forward to connecting with our customers and partners there. We have a lot to talk about. Last week, Ann Johnson announced two new services that we now offer to help empower our customers as they deal with the industry-wide cybersecurity talent crunch: Microsoft Azure Sentinel and Microsoft Threat Experts. Today, I’m excited to share more news about our work in security.

Leading integration across the industry

In the face of the cybersecurity talent shortage, our customers are increasingly reliant on their tools working together. We are part of a broad, heterogeneous ecosystem of technology providers, and we take seriously our responsibility to lead integration across them.

We’ve made progress to report on three fronts:

  • There are now 50 partners participating in the Microsoft Intelligent Security Association, a group of technology providers who have integrated their solutions with Microsoft products to provide customers better protection, detection, and response. New members include: Sophos, Citrix, Adobe, and Symantec.
  • The Microsoft Graph Security API now has new capabilities that allow you to share threat indicators to extend detection, easily invoke powerful investigation and remediation activities, and build better connected security apps and workflows without the need to code.
  • Azure Active Directory (Azure AD), which already provides authentication for more than 810,000 applications for our enterprise customers, now integrates with several Zscaler applications. With both Azure AD and Zscaler supporting the SCIM 2.0 standard, our joint customers can now use the Azure AD provisioning service to automate the lifecycle of user and group accounts, giving you a more secure and scalable way to allow user access to Zscaler applications.
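
The SCIM 2.0 provisioning mentioned in the last bullet is a plain REST protocol, and the lifecycle it automates (create, deactivate, delete) is easy to see in code. The following in-memory model of a SCIM 2.0 `/Users` endpoint is an added example, not Azure AD's or Zscaler's implementation; it uses the schema URNs and message shapes from RFC 7643/7644, and the user names and external IDs in it are constructed placeholders. One detail worth noticing for defenders: it treats a string `"False"` for `active` the same as a JSON `false`, because a provisioning client that serializes booleans as strings must still result in the account being deactivated rather than silently ignored.

```python
"""In-memory model of a SCIM 2.0 /Users endpoint.

Added example, not Azure AD's or Zscaler's code. It shows the lifecycle the text
refers to (create, deactivate, delete) using the message shapes of RFC 7643/7644.
User names and external IDs used with it are constructed placeholders.
"""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
MUTABLE = ("userName", "externalId", "emails", "displayName", "active")


def coerce_bool(value):
    """Some provisioning clients send 'active' as the string "True"/"False"
    rather than a JSON boolean; accept both so a deprovisioning is not missed."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def scim_error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimUserStore:
    """Each method returns (http_status, response_body)."""

    def __init__(self):
        self._users = {}    # id -> resource
        self._by_name = {}  # lower-cased userName -> id (userName is unique in SCIM)

    def create(self, body):
        """POST /Users"""
        if USER_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "core User schema missing")
        name = body.get("userName")
        if not name:
            return scim_error(400, "userName is required")
        if name.lower() in self._by_name:
            return scim_error(409, "userName already in use")
        uid = str(uuid.uuid4())
        user = {
            "schemas": [USER_SCHEMA], "id": uid,
            "externalId": body.get("externalId"), "userName": name,
            "displayName": body.get("displayName"),
            "active": coerce_bool(body.get("active", True)),
            "emails": body.get("emails", []),
            "meta": {"resourceType": "User"},
        }
        self._users[uid] = user
        self._by_name[name.lower()] = uid
        return 201, user

    def get(self, uid):
        """GET /Users/{id}"""
        user = self._users.get(uid)
        return (200, user) if user else scim_error(404, "user not found")

    def patch(self, uid, body):
        """PATCH /Users/{id}; deactivation arrives as a replace of active=false."""
        user = self._users.get(uid)
        if not user:
            return scim_error(404, "user not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "PatchOp schema missing")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return scim_error(400, "only replace is supported here")
            path, value = op.get("path"), op.get("value")
            # Two legal shapes: {"path": "active", "value": false} or, with no
            # path, {"value": {"active": false, ...}} carrying several attributes.
            changes = value if path is None and isinstance(value, dict) else {path: value}
            for attr, new in changes.items():
                if attr not in MUTABLE:
                    return scim_error(400, f"attribute {attr} is not patchable here")
                if attr == "active":
                    new = coerce_bool(new)
                elif attr == "userName":
                    if new.lower() in self._by_name and self._by_name[new.lower()] != uid:
                        return scim_error(409, "userName already in use")
                    del self._by_name[user["userName"].lower()]
                    self._by_name[new.lower()] = uid
                user[attr] = new
        return 200, user

    def delete(self, uid):
        """DELETE /Users/{id}"""
        user = self._users.pop(uid, None)
        if not user:
            return scim_error(404, "user not found")
        del self._by_name[user["userName"].lower()]
        return 204, None
```

A real endpoint would sit behind the bearer token the provisioning service is configured with and would persist the store; the status codes (201 on create, 409 on a duplicate `userName`, 204 on delete) are the ones the protocol prescribes and that a provisioning client relies on to decide whether to retry.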

Added security controls for Azure and Microsoft 365

In our own security products, we continue to invest heavily in capabilities that take advantage of the cloud and artificial intelligence (AI) to empower your team and let them focus on the most important tasks to protect against threats and keep information secure. We made several key strides in security to strengthen protection for our customers:

  • Threat intelligence-based filtering is now available for Azure Firewall. This addition enables customers to alert or deny traffic from/to malicious IP addresses and domains based on the near real-time data feed powered by the Microsoft Intelligent Security Graph.
  • Azure Security Center now leverages machine learning to reduce the attack surface of internet-facing virtual machines, and its application whitelisting controls have been extended to Linux and on-premises servers. The network map in Azure Security Center extends support for Virtual Network peering, a commonly used networking configuration in which traffic flows between Azure Virtual Networks through the Microsoft backbone.
  • Microsoft Threat Protection now provides automated investigation and remediation in the Microsoft Security Center, a unified console that helps SecOps teams spend their limited time on the most high-value tasks, like proactive hunting and strategic improvements.
  • We are extending our unique, native integration between Microsoft Cloud App Security and Azure AD conditional access. Out-of-the box templates now enable organizations to configure some of our most popular policies, such as blocking the download of sensitive content in real-time, within seconds.
  • New native capabilities in the Microsoft Office 365 version of Office client applications help document and email authors apply the right classification and sensitivity labels, helping you ensure information is protected in accordance with your organization’s policies.

Securing the Internet of Things (IoT)

IoT deployments can help organizations cut costs with predictive maintenance or to create new revenue streams from connected products. Unfortunately, the security pro talent shortage makes it difficult to successfully plan the IoT security controls necessary. We worked with the Industrial Internet Consortium to produce a new IoT Security Maturity Model that provides clear industry best practices for evaluating your IoT risk profile and planning the remediation you need. We’ve also added a new deployment method to Azure Sphere to help you reduce risk across your entire fleet of IoT devices. The new guardian modules built on Azure Sphere bring the security of Azure Sphere to brownfield IoT devices, allowing your business groups to complete IoT deployments without increasing risk for your organization.

Connect with us at RSA

I’m proud to be part of the team driving all this innovation, but technology is not a silver bullet. Its role is simply to empower you—the defenders. On Wednesday, March 6, at 10:30 AM PST, Ann Johnson will speak in her keynote about other ways we, as an industry, can empower people. I encourage you to attend, if you’re at the conference. You can learn more about Microsoft security at booth 6059. We’d love to connect with you there, or in one of the sessions we’ll be leading—find out more about our activities at


Azure Security Center now leverages machine learning to reduce vulnerabilities of virtual machines

This is an exciting week for us at Microsoft. At RSA Conference 2019, we are announcing new and exciting capabilities in Azure and Microsoft 365. With this blog post, we wanted to share with you what we have been working on for Azure Security Center. Azure Security Center now leverages machine learning to reduce the attack surface of internet-facing virtual machines. Its adaptive application controls have been extended to Linux and on-premises servers, and its network map support now extends to peered virtual network (VNet) configurations.

Leveraging machine learning to reduce attack surface

One of the biggest attack surfaces for workloads running in the public cloud is their connections to and from the public Internet. Our customers find it hard to know which Network Security Group (NSG) rules should be in place to make sure that Azure workloads are only available to the required source ranges. Security Center can now learn the network traffic and connectivity patterns of your Azure workload and provide you with NSG rule recommendations for your internet-facing virtual machines. This helps you better configure your network access policies and limit your exposure to attacks.

Azure Security Center uses machine learning to fully automate this process, including an automated enforcement mechanism, enabling its customers to better protect their internet-facing virtual machines with only a few clicks. These recommendations also use Microsoft's extensive threat intelligence reports to make sure that known bad actors are blocked.
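
The core of the recommendation described above is a learning step (which source ranges actually reach which ports) followed by a least-privilege rule set that closes everything else. The script below is an added example of that idea, not Azure Security Center's own algorithm: it aggregates constructed flow records into /24 source networks per destination port, turns networks seen at least `min_hits` times into allow rules, and appends an explicit deny so ports with no learned pattern stay closed. The flow records, threshold and rule names are assumptions made for the demo; the rule fields mirror the NSG rule properties (priority, direction, access, protocol, port range, source prefixes).

```python
"""Learn least-privilege NSG rule recommendations from observed traffic.

Added example, not Azure Security Center's own code. It follows the idea in the
text: observe which source ranges actually reach which ports on an
internet-facing VM, recommend allow rules scoped to those ranges, and close
everything else. Flow records and thresholds are constructed for the demo.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records: (source IP, destination TCP port) seen at the VM's
# public interface during the learning window. Documentation ranges only.
SAMPLE_FLOWS = [
    ("203.0.113.10", 443), ("203.0.113.11", 443), ("203.0.113.250", 443),
    ("198.51.100.7", 22), ("198.51.100.7", 22),
    ("192.0.2.77", 3389),   # a single RDP probe: noise, not a usage pattern
]


def learn_rules(flows, min_hits=2, summarize_prefix=24):
    """Aggregate flows per destination port into /summarize_prefix source
    networks; a network earns an allow rule only if it produced at least
    min_hits flows, so one-off scans do not earn an opening."""
    hits = defaultdict(lambda: defaultdict(int))
    for src, port in flows:
        net = ipaddress.ip_network(f"{src}/{summarize_prefix}", strict=False)
        hits[port][net] += 1
    rules, priority = [], 100
    for port in sorted(hits):
        sources = sorted(str(n) for n, c in hits[port].items() if c >= min_hits)
        if sources:
            rules.append({
                "name": f"Allow-{port}-learned", "priority": priority,
                "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                "destinationPortRange": str(port),
                "sourceAddressPrefixes": sources,
            })
            priority += 10
    # Explicit catch-all so ports with no learned pattern (3389 above) stay closed.
    rules.append({
        "name": "Deny-All-Inbound", "priority": 4000, "direction": "Inbound",
        "access": "Deny", "protocol": "*", "destinationPortRange": "*",
        "sourceAddressPrefixes": ["*"],
    })
    return rules


def evaluate(rules, src, port):
    """Apply the rule set the way an NSG does: the lowest priority number that
    matches decides, and nothing matching means deny."""
    ip = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        port_ok = rule["destinationPortRange"] in ("*", str(port))
        src_ok = any(p == "*" or ip in ipaddress.ip_network(p)
                     for p in rule["sourceAddressPrefixes"])
        if port_ok and src_ok:
            return rule["access"]
    return "Deny"


if __name__ == "__main__":
    for rule in learn_rules(SAMPLE_FLOWS):
        print(rule["priority"], rule["name"], rule["sourceAddressPrefixes"])
```

Running it on the sample yields an allow for SSH from 198.51.100.0/24, an allow for HTTPS from 203.0.113.0/24, and the deny; the lone RDP probe never becomes a rule, so 3389 is closed. In practice the learning window, the summarization prefix and the hit threshold are the knobs that trade convenience against exposure, and a too-generous prefix (say /8) would recommend far wider openings than the traffic justifies.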

Extending adaptive application controls

Adaptive application control is an intelligent, automated end-to-end application whitelisting solution from Azure Security Center. It helps you control which applications can run on your VMs located in Azure, which, among other benefits, helps harden your VMs against malware. Security Center uses machine learning to analyze the applications running on your VMs and helps you apply the specific whitelisting rules using this intelligence.

We are extending adaptive application controls in Azure Security Center to include Linux VMs and servers/VMs external to Azure (Windows and Linux) in audit mode. This means that Azure Security Center will identify applications running on your servers that are not in compliance with the Azure Security Center generated whitelisting rules and will audit those violations. This will enable you to detect threats that might otherwise be missed by antimalware solutions, to comply with your organization's security policy that dictates the use of only licensed software, and to audit unwanted software that is being used in your environment.
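
The two phases described in this section, learning a whitelist from what actually runs and then auditing later executions against it, can be shown with a few dozen lines. The example below is an added illustration, not Azure Security Center's adaptive application control code. It trusts the signing publisher where a binary is signed (the signed case models Windows executables and the publisher name is a placeholder) and the exact file hash otherwise, and in audit mode it reports violations instead of blocking them. The process events and hash strings are constructed; one of them reproduces the case a defender most wants caught, a known path whose binary has changed.

```python
"""Application whitelist learned from a baseline, then checked in audit mode.

Added example, not Azure Security Center's adaptive application control code.
It models the behaviour the text describes: learn which executables run on a
server, then report (not block) anything outside that set. Events, hashes and
the publisher name are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ProcessEvent:
    host: str
    path: str
    sha256: str
    publisher: Optional[str] = None   # signer of a signed (typically Windows) binary


@dataclass
class Whitelist:
    publishers: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    known_paths: set = field(default_factory=set)


# Constructed learning window: what ran on the server while the rules were built.
BASELINE_EVENTS = [
    ProcessEvent("web01", "/usr/sbin/nginx", "hash-nginx-1"),
    ProcessEvent("web01", "/usr/bin/python3", "hash-py-1"),
    ProcessEvent("web01", "/opt/monitor/agent", "hash-agent-1", publisher="Contoso Ltd"),
]

# Constructed audit window: the same server some time later.
AUDIT_EVENTS = [
    ProcessEvent("web01", "/usr/sbin/nginx", "hash-nginx-1"),                     # known hash
    ProcessEvent("web01", "/opt/monitor/agent", "hash-agent-2", publisher="Contoso Ltd"),  # updated, same signer
    ProcessEvent("web01", "/usr/bin/python3", "hash-py-2"),                       # same path, new hash
    ProcessEvent("web01", "/tmp/.cache/unknown", "hash-unknown-1"),               # never seen
]


def learn_whitelist(events):
    """Learning phase: trust the publisher where a binary is signed, the exact
    hash otherwise. Paths are remembered only to explain later findings."""
    wl = Whitelist()
    for e in events:
        if e.publisher:
            wl.publishers.add(e.publisher)
        else:
            wl.hashes.add(e.sha256)
        wl.known_paths.add(e.path)
    return wl


def audit(wl, events, mode="audit"):
    """Return one finding per event that violates the whitelist. In audit mode
    the recorded action is 'Audit' (log only); in enforce mode it is 'Block'."""
    action = "Audit" if mode == "audit" else "Block"
    findings = []
    for e in events:
        if e.publisher in wl.publishers or e.sha256 in wl.hashes:
            continue
        if e.path in wl.known_paths:
            reason = "known path with unrecognized hash (modified or replaced binary)"
        else:
            reason = "executable not in whitelist"
        findings.append({"host": e.host, "path": e.path, "action": action, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit(learn_whitelist(BASELINE_EVENTS), AUDIT_EVENTS):
        print(finding)
```

On the sample data the updated agent passes because its signer is trusted, while the changed `python3` binary and the executable under `/tmp` are reported. Publisher rules are what keep a whitelist from breaking on every patch; hash rules are stricter and are the natural choice for unsigned Linux binaries, which is why the learning step uses both.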

Network map support for VNet peering

Azure Security Center’s network map has added support for virtual network peering, a configuration in which traffic flows between Azure Virtual Networks through the Microsoft backbone, as if they were virtual machines in the same virtual network, through private IP addresses only. The support includes displaying allowed traffic flows between peered VNets and peering related information on Security Center’s network map.

With these additions, Azure Security Center strengthens its role as the unified security management and advanced threat protection solution for your hybrid cloud workloads. We encourage you to take advantage of these new capabilities for all your Internet-exposed Azure resources. If you have not started using Azure Security Center in your Azure subscription, get started today.


Microsoft Threat Experts introduced to augment customer security operations

We’re excited to introduce Microsoft Threat Experts, an additional layer of expertise and optics that Microsoft customers can utilize to augment security operations capabilities as part of Microsoft 365. This new managed threat hunting service in Windows Defender Advanced Threat Protection provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately.

Microsoft Threat Experts enables SOCs to jump-start threat investigations by providing context-rich intelligence. This release of the service includes two capabilities:

  1. Targeted attack notifications: Alerts that are tailored to organizations provide as much information as can be quickly delivered to bring attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion.
  2. Experts on demand: When a threat exceeds the SOC’s capability to investigate, or when more actionable information is needed, security experts provide technical consultation on relevant detections and adversaries. In cases where a full incident response becomes necessary, seamless transition to Microsoft incident response (IR) services is available.

Microsoft Threat Experts

With Microsoft Threat Experts, SOCs can further improve defenses by tapping into our world-class security analysts. These experts deeply understand the security landscape and attacker techniques, have intimate knowledge of operating systems, and know how to get the most out of Windows Defender ATP’s features and capabilities. Our experience in battling attackers across more than a billion devices worldwide, together with the artificial intelligence (AI) necessary to harness such unprecedented optics and scale, makes our expert team unique and unmatched in the industry.

The next sections describe the two components of this new service in more detail.

Targeted attack notifications

Microsoft Threat Experts provides proactive hunting for the most important threats, such as human adversary intrusions, hands-on-keyboard attacks, and advanced attacks like cyberespionage. The managed threat hunting service includes:

  • Threat monitoring and analysis, reducing attacker dwell time and risk to business
  • Hunter-trained AI to discover and prioritize both known and unknown attacks
  • Identifying the most important risks, helping SOCs maximize time and energy
  • Scope of compromise and as much context as can be quickly delivered to enable fast SOC response

Custom Threat Experts alert in Windows Defender Security Center


Experts on demand

Customers can partner with Microsoft security experts, who can be engaged directly from within Windows Defender Security Center, for timely and accurate response. Experts provide insights needed to better understand complex threats, from the latest zero-day exploit to the root cause of a suspicious network connection. Through Microsoft Threat Experts, customers can:

  • Get additional clarification on alerts including root cause or scope of the incident
  • Gain clarity into suspicious machine behavior and recommended next steps if faced with an advanced attacker
  • Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques
  • Seamlessly transition to Microsoft Incident Response (IR) services when necessary

Ask a Threat Expert button in Windows Defender Security Center


Partnership for improved security

In today’s climate of cybersecurity challenges, organizations must fend off relentless attacks even as they go through their journey of building and maturing their security capabilities. Through Microsoft Threat Experts, customers can partner with Microsoft throughout this journey to augment security operations capabilities to prevent, detect, and respond to threats. Customers and Microsoft can build upon each other’s expertise, intelligence, and insight through this partnership, forming stronger defense against adversaries.

To illustrate the depth of intelligence and the value of the service to customers’ security defenses and overall security posture, we published two case studies for Microsoft Threat Experts on (1) human adversary-based activities related to a zero-day vulnerability and (2) complex “living off the land” threats.

Windows Defender ATP customers can now apply for preview through the Windows Defender Security Center. We will contact customers via email to confirm their participation.

Not yet reaping the benefits of Windows Defender ATP's industry-leading optics and detection capabilities? Sign up for a free trial today.

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Windows Defender ATP community.

Follow us on Twitter @WDSecurity.