Tag: Security

Today, we’re thrilled to announce two new security products driven by our acquisition of RiskIQ just over one year ago that deliver on our vision to provide deeper context into threat actors and help customers lock down their infrastructure.

Track threat actor activity and patterns with Microsoft Defender Threat Intelligence

This new product helps security operations teams uncover attacker infrastructure and accelerate investigation and remediation with more context, insights, and analysis than ever before. While threat intelligence is already built into the real time detections of our platform and security products like Microsoft Sentinel, customers also need direct access to real-time data and Microsoft’s unmatched signal to proactively hunt for threats across their environments.

For example, adversaries often run their attacks from many machines, with unique IP addresses. Tracing the actor behind an attack and tracking down their entire toolkit is challenging and time-consuming. Using built-in AI and machine learning, Defender Threat Intelligence uncovers the attacker or threat family and the elements of their malicious infrastructure. Armed with this information, security teams can then find and remove adversary tools within their organization and block their future use in tools like Microsoft Sentinel, helping to prevent future attacks.

See your business the way an attacker can with Microsoft Defender External Attack Surface Management

The new Defender External Attack Surface Management gives security teams the ability to discover unknown and unmanaged resources that are visible and accessible from the internet—essentially the same view an attacker has when selecting their target. Defender External Attack Surface Management helps customers discover unmanaged resources that could be potential entry points for an attacker.

Microsoft Defender External Attack Surface Management scans the internet and its connections every day. This builds a complete catalogue of a customer’s environment, discovering internet-facing resources, even the agentless and unmanaged assets. Continuous monitoring, without the need for agents or credentials, prioritizes new vulnerabilities. With this complete view of the organization, customers can take recommended steps to mitigate risk by bringing these resources under secure management within tools like Microsoft Defender for Cloud.

Read the full threat intelligence announcement and to learn more about how Microsoft Defender Threat Intelligence and Microsoft Sentinel work together, read the Tech Communities blog.

Additionally, in the spirit of continuous innovation and bringing as much of the digital environment under secure management as possible, we are proud to announce the new Microsoft Sentinel solution for SAP. Security teams can now monitor, detect, and respond to SAP alerts all from our cloud-native SIEM, Microsoft SIEM.

To learn more about these products and to see live demos, visit us at Black Hat USA, Microsoft Booth 2340. You can also register now for the Stop Ransomware with Microsoft Security digital event on September 15, 2022, to watch in-depth demos of the latest threat intelligence technology.

Compliance management is a complex process—one that gets increasingly more complicated the larger an organization grows. Microsoft knows this firsthand, not only because of our experience providing Security and Compliance solutions to customers but also because of the global reach and responsibility for maintaining compliance with a hefty number of regional and industry-specific regulations. Another thing Microsoft has learned along this journey is that the route is significantly smoother with an inclusive mindset and digital tools to ease the way.

In the new world of hybrid work, regulatory compliance has become a board-level directive. Local and global regulations dictate how to manage, store, and transmit data, making compliance more critical than ever before. However, to adhere to these regulatory standards, risks need to be identified and mitigated, and data needs to be governed according to policy. Embarking on this journey will provide additional valuable outcomes, like:

• Providing you with fast access to requested data in the event of an external or internal investigation or legal action.
• Protecting company data as the workplace evolves is especially important given the growing use of personal devices for work and the increase in employees accessing company networks from outside the physical office for some or most of their week.
• Acting as good stewards—Chief Information Security Officers (CISOs) feel a sense of duty to protect their employees, partners, and customers to the best of their ability.

Microsoft’s compliance journey has given us insights and best practices that we can share with other organizations determined to strengthen their compliance management practices. Planning for the unexpected events that inevitably occur means aligning your people, processes, and technology. Here are five things we’ve learned along our compliance path—and stories of what’s worked for customers.

Assess your compliance posture

It’s difficult, if not impossible, to know if you’re headed in the right direction without knowing your current position. So, where do you start? Compliance management has gone from a nice to have to a must-have for organizations, which have huge a incentive to strengthen their compliance management practices. Keeping track of all the regulations they’re responsible for, however, can be challenging, especially for those companies in regulated industries, like financial services or healthcare. Maintaining a good compliance posture can help you avoid penalties, negative publicity, fines, and financial losses. Given how quickly regulations change, this can be a big challenge. And manually tracking compliance issues in spreadsheets often isn’t sufficient. As a first step, we recommend assessing the current state of your compliance with a visual tool that helps measure where you are today, and allows you to track your collective progress over time.

Broaden your idea of compliance

When people hear the term “compliance,” many instantly think about regulatory compliance. Understandably so, because regulations like the California Consumer Protection Act (CCPA) and General Data Protection Regulation (GDPR) receive a lot of press and attention. But as mentioned earlier, compliance goes way beyond regulations.

Compliance management can even lead to innovation. Customers tell us they feel free to adapt the way they operate in response to customer trends. Visionary Wealth Advisors, a financial management firm in the United States, wanted to allow customers to communicate with the company via text messaging but needed to manage that data securely for compliance reasons. Visionary Wealth Advisors was able to maximize security and compliance with Microsoft Purview Data Lifecycle Management and CellTrust SL2.

“A central pain point is that the client doesn’t understand the regulatory environment that we operate in,” said Ryan Barke, Chief Compliance Officer and General Counsel, Visionary Wealth Advsiors. “They just want to communicate with their financial advisor, and the financial advisor wants to communicate with the client. We can have a policy that says, advisors, you’re prohibited from text messaging with your clients but we cannot control the other end of that communication.”

Involve everyone

Data breaches are accelerating—climbing 68 percent in 2021, costing an average of USD4.24 million each.¹ Insider leaks of sensitive data, intellectual property (IP) theft, and fraud can all detrimentally impact a company. So, too, can regulatory violations, but CISOs may be so focused on data protection that data compliance doesn’t get as much attention. What we have learned on our journey is that compliance isn’t a CISO’s burden to bear alone. Multiple Microsoft executives were involved in meeting compliance regulations and obligations. People across Microsoft had to have a hand in compliance to drive the process.

Involving multiple leaders makes sense given how people throughout an organization will benefit from what strong compliance management makes possible. The City of Marion in Australia deployed Microsoft Purview Records Management to better manage the data collected from the 90 services it provides. As a result, city staff has become more engaged with the process of creating and handling information. They can organize themselves and their workflows in Microsoft Teams, set up SharePoint sites, create and link information, create their own Power BI reports, configure workflows, and connect varied information much easier.

“It helps our small team get lots of stuff done, and we don’t need to worry so much about compliance anymore,” said Karlheins Sohl, Information Management Team Leader, City of Marion. “We can trust the system to help take care of that, while we’re freed to focus on the quality of information and the service we provide to the City of Marion staff.”

Discover data and identify risks

In the event of legal action, a merger or acquisition, or an internal or external investigation, technology solutions can help you more efficiently find the relevant data you need. With the proliferation of data, that’s more important than ever.

The sheer volume of data can make this challenging. Technology solutions like Microsoft Purview eDiscovery can help you save time and money on tracking down data.

Through a solution like Microsoft Purview Communication Compliance, organizations can reduce risks related to regulatory compliance obligations.  

Simplify and automate compliance

Effective technology solutions have a wonderful way of simplifying complex processes—and often the workdays of those responsible for managing those processes. Multiple solution providers can complicate already challenging compliance processes and result in a fragmented, inefficient approach. Choosing a comprehensive solution, like Microsoft Purview, can help by continuously monitoring for compliance changes and automating the update process.

Texas-based Frost Bank must follow numerous banking regulations and employees recognize the importance of complying with them—“Compliance is like drinking coffee in the morning,” says Edward Contreras, CISO, Frost Bank. Keeping up with all of those regulations proved challenging before adopting Microsoft Purview Compliance Manager, which updates daily, adding at least 200 updates from more than 1,000 regulatory bodies and enabling the bank to create detailed reports for regulators and auditors.

“Compliance Manager took the mystery out of regulatory compliance for us,” said Glenn McClellan, Endpoint Architect, Frost Bank. “The solution provides improvement actions, excerpts from relevant regulations, and overall, made managing compliance really easy and actionable.”

Explore Microsoft Purview

Effective compliance and risk management are extremely important, and are possible. Microsoft is here to help if you’re looking to simplify your compliance management with technology solutions.

Microsoft Purview is a comprehensive set of compliance and risk management solutions that help organizations govern, protect, and manage data, and improve your company’s risk and compliance posture. These solutions include Microsoft Purview eDiscovery, which helps you discover, preserve, collect, process, cull, and analyze your data in one place; Microsoft Purview Compliance Manager, which helps you simplify compliance and reduce risk; and Microsoft Purview Communication Compliance, which helps foster compliant communications across corporate mediums. We’d love to offer support on your journey.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.

There has never been a greater demand for specialized cybersecurity expertise—or a greater opportunity for our partners to support our customers with new services and solutions. Over the last year, the permanent shift to hybrid work has empowered businesses to be remote and mobile. Increased adoption of public and private clouds has unlocked innovation, agility, and scale. At the same time, ransomware grew 105 percent over the past year and continues to become more sophisticated.¹ The global cybersecurity talent shortage is now 2.72 million, and economic uncertainty has put the spotlight on extracting the highest possible return on investments.²

This week, as we join our partners at Microsoft Inspire, much of our conversation is focused on how, together, we can help our customers prioritize their security initiatives while getting the most out of the solutions they already have.

Security services are a critical need for the year ahead

Every year I am so energized by the expertise and creativity of our partners. Much of what we learn comes from them, so we commissioned a Total Economic Impact™ from Forrester Consulting to better understand the high-level trends driving their security, compliance, and identity opportunities. It’s incredible to see that the Microsoft Security partner opportunity grew 21 percent year-over-year across the board in Microsoft 365 security, cloud security, compliance, and identity:

• With the shift to hybrid work, workplace security has seen the most growth. It’s exciting to see that customers are taking advantage of the expanded security capabilities we’ve added to Microsoft 365, and enlisting partners to help them protect frontline workers, implement data discovery for Microsoft Teams, and activate more Microsoft 365 workloads securely. With many organizations struggling to staff their in-house security teams, partners are creating and delivering managed services built on top of Microsoft Sentinel for security information and event management (SIEM) and extended detection and response (XDR), as well as management, monitoring, and remediation across Microsoft 365.
• There’s also an incredible demand for cloud security services—particularly multicloud. The rapid shift to cloud services has created an ever-evolving threat landscape, driving the need to better protect cloud resources, workloads, and applications. Without the expertise or resources to do that, customers are looking to partners to help with secure cloud migrations, managed services for the security operations center (SOC), and security management of all levels of cloud-based infrastructure.
• Compliance-related managed services are the newest and fastest-growing area for most partners. More partners are starting to expand their general security services to include compliance, typically starting with information protection, communications governance, and insider risk, which are natural extensions of security practices. A trend we’re seeing is an increase in very large information protection deployment opportunities, as well as governance advisory services, which are central to the successful adoption of Microsoft compliance solutions.
• As the foundation for all the previously mentioned points, our identity solutions are also fueling significant partner growth. Securing access for every identity—human and non-human—is critical in today’s connected world. Partners are capitalizing on these investments with repeatable identity-specific security solutions, off-the-shelf connectors, and managed services. Identity-first implementations of Zero Trust continue to be key areas of interest for security decision-makers, and partners serve a critical role in collaborating on plans, priorities, and architecture decisions.

Microsoft Security partners are expanding their existing offerings and creating new offerings in all these areas, packaging their unique experience, expertise, and IP for effective and efficient service delivery. Security deployment, advisory, solutions development, and managed services are needed now more than ever. In fact, within the USD247 billion cybersecurity market, security services spending is projected to reach USD77 billion by the end of 2022.³

Optimization through consolidation

Given the breadth of challenges our customers are facing, and recent economic headwinds, many organizations are looking to consolidate their security portfolios to optimize costs and reduce complexity. In fact, 78 percent of chief information security officers (CISOs) have 16 or more tools in their cybersecurity vendor portfolio, and according to Gartner®, “most organizations recognize vendor consolidation as an avenue for more efficient security, with 80 [percent] executing or interested in a strategy for this.”⁴

Microsoft integrates more than 50 different categories across security, compliance, identity, device management, and privacy—and most customers save 60 percent on average by leveraging Microsoft’s comprehensive security solutions compared to a multi-vendor strategy. All Microsoft Security product families work together as one comprehensive solution across clouds and across platforms, helping customers to reduce tool sprawl, maximize value out of what they already have, and reduce complexity. With recent announcements of Microsoft Entra and Microsoft Purview, we’ve also aligned our product portfolio with how our customers view the totality of their security challenges.

Consolidation isn’t just about tools—the lines between security workloads are blurring as well. Virtually every customer scenario includes elements of secure infrastructure, threat detection and response, identity management and secure access, compliance, and privacy—in fact, 90 percent of the Fortune 100 companies use four or more of these solutions. Our partners agree, and many are moving beyond their core specialty to provide a wider range of services to customers, creating new revenue streams and expanding their expertise as a result.

Maximizing the value of current investments

Assisting customers to deploy and fully leverage products they already own is one of the strongest ways our partners can deliver customer value. This week, Microsoft is announcing an entirely new partner investment to help partners drive customer success and product usage. Starting October 1, 2022, partners who help customers deploy their untapped security capabilities within Microsoft 365 E5 and Microsoft Azure will be eligible for up to USD25,000 per account. Microsoft is excited to provide this co-investment to ensure partners remain competitive in their offerings.

Once security products have been deployed, customers often need assistance analyzing and triaging security data to monitor their ecosystem. Microsoft is seeing a surge in organizations looking for a trusted managed detection and response (MDR) partner to help offload time-consuming work and augment their existing in-house security teams. Gartner estimates that 50 percent of organizations will be using MDR services by 2025, and with more than 785,000 customers currently using Microsoft’s advanced security products, the partner opportunity is tremendous. To meet this need, Microsoft has recently announced investments in our managed XDR partner community, including working with them to verify their XDR solutions for use with Microsoft products. Partners with a verified XDR service will have increased access to co-marketing funding to support their business and direct integration with Microsoft field sellers through co-sell opportunities. Partners can learn more about investing in managed XDR partner success.

At Microsoft, we are continually looking for ways to deliver more value with our solutions—and to make it easier for our partners to do the same. For example:

• Most organizations don’t have IoT security at all, and those that do often need help integrating it into their broader SIEM and XDR programs. Microsoft Defender for IoT positions partners to solve both problems for customers. With new native integration with Microsoft 365 Defender that enables you to see vulnerable IoT devices in the Microsoft 365 Defender console and complete coverage across IoT, enterprise IoT, and operational technology (OT) devices, Defender for IoT can now secure all endpoint types, correlate incidents across the entire kill chain, and provide faster detection and response for attacks that previously may have been left undiscovered.
• Despite facing similar risks as enterprises, small to medium-sized businesses (SMBs) often lack the same level of resources. Microsoft Defender for Business provides next-generation protection, endpoint detection and response (EDR), threat and vulnerability management, and automated investigation and remediation—all in a cost-effective package that’s easy to implement and use. Server support is now available in preview. Integration with Microsoft 365 Lighthouse and Remote Monitoring and Management (RMM) solutions enable Microsoft Cloud Solution Provider (CSP) partners to build on that value by delivering a fully managed service. Partners can learn more with the Microsoft Defender for Business partner kit.
• Simplifying the cloud for the public sector and government entities empowers them to accelerate their digital transformation journey. Azure Confidential Computing now helps customers encrypt their data while it’s in use, so trusted partners can now migrate customer applications that handle sensitive data to Azure without rewriting them, and public sector customers can have confidence that their data is protected. And, to empower public sector customers to take advantage of the full power of the cloud while respecting their digital sovereignty, Microsoft Cloud for Sovereignty provides a means to build, move, and operate data and workloads in the cloud while meeting legal, security, and policy requirements.

Recognizing our partners of the year

Microsoft recently announced a simplified and more flexible way to be identified as a Microsoft Security Solution Provider. If you’ve historically been a silver or gold security partner or Enterprise Mobility Management partner, you now have the opportunity this coming year to be recognized through the Microsoft Cloud Partner Program (MCPP) as a security solution partner. 

Once identified, Microsoft offers a wide variety of co-marketing opportunities you can take advantage of in your own programs and in collaboration with Microsoft to differentiate your business, not the least of which is the opportunity to be recognized by Microsoft as the Security or Compliance partner of the year.

I’d like to congratulate Ernst and Young as the 2022 Security Partner of the Year in recognition of the use of the Zero Trust framework that fully leverages Microsoft Azure Active Directory (Azure AD) and Microsoft Azure Key Vault. I’d also like to recognize Edgile as the 2022 Compliance Partner of the Year for their integration of a comprehensive security framework that extends the capabilities of enterprises to also measure the maturity of their data governance. I want to congratulate these partners for their incredible work, as well as all the winners of the 2022 Microsoft Security Excellence Awards. I also want to express my gratitude to our entire partner community for all you do to advance our shared mission of security and to make the world a safer place.

Top takeaways for our partners

Microsoft partners have an amazing opportunity to showcase their security proficiency, drive new growth, and create real-world impact. We invite all our partners to download our commissioned Forrester report to spur ideas on how to differentiate and expand their business. I’ll close with a few ideas:

• If you don’t have a security practice yet, now is the time! Explore a managed security services practice, such as managed XDR.
• If you’re already offering your customers security services, you should consider going bigger! Lean into governance, risk management, and compliance and privacy with Microsoft Purview and Microsoft Priva.
• Bolster security for small and medium-sized businesses with our Microsoft Defender for Business partner kit.

Be sure to check out our sessions at Microsoft Inspire that go deeper into these topics as well:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹Report: Pretty much every type of cyberattack increased in 2021, Brandon Vigliarolo. February 17, 2022.

²(ISC)² Cybersecurity Workforce Study, (ISC)². 2021.

³Worldwide information security services spending from 2017 to 2022, Justina Alexandra Sava. April 27, 2022.

⁴Smarter with Gartner, The Top 8 Security and Risk Trends We’re Watching, November 15, 2021.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets. Based on our threat data, the AiTM phishing campaign attempted to target more than 10,000 organizations since September 2021.

Phishing remains to be one of the most common techniques attackers use in their attempts to gain initial access to organizations. According to the 2021 Microsoft Digital Defense Report, reports of phishing attacks doubled in 2020, and phishing is the most common type of malicious email observed in our threat signals. MFA provides an added security layer against credential theft, and it is expected that more organizations will adopt it, especially in countries and regions where even governments are mandating it. Unfortunately, attackers are also finding new ways to circumvent this security measure. 

In AiTM phishing, attackers deploy a proxy server between a target user and the website the user wishes to visit (that is, the site the attacker wishes to impersonate). Such a setup allows the attacker to steal and intercept the target’s password and the session cookie that proves their ongoing and authenticated session with the website. Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses.

Microsoft 365 Defender detects suspicious activities related to AiTM phishing attacks and their follow-on activities, such as session cookie theft and attempts to use the stolen cookie to sign into Exchange Online. However, to further protect themselves from similar attacks, organizations should also consider complementing MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals like user or group membership, IP location information, and device status, among others. 

While AiTM phishing isn’t new, our investigation allowed us to observe and analyze the follow-on activities stemming from the campaign—including cloud-based attack attempts—through cross-domain threat data from Microsoft 365 Defender. These observations also let us improve and enrich our solutions’ protection capabilities. This campaign thus also highlights the importance of building a comprehensive defense strategy. As the threat landscape evolves, organizations need to assume breach and understand their network and threat data to gain complete visibility and insight into complex end-to-end attack chains.

In this blog, we’ll share our technical analysis of this phishing campaign and the succeeding payment fraud attempted by the attackers. We’ll also provide guidance for defenders on protecting organizations from this threat and how Microsoft security technologies detect it.

How AiTM phishing works

Every modern web service implements a session with a user after successful authentication so that the user doesn’t have to be authenticated at every new page they visit. This session functionality is implemented through a session cookie provided by an authentication service after initial authentication. The session cookie is proof for the web server that the user has been authenticated and has an ongoing session on the website. In AiTM phishing, an attacker attempts to obtain a target user’s session cookie so they can skip the whole authentication process and act on the latter’s behalf.  

To do this, the attacker deploys a webserver that proxies HTTP packets from the user that visits the phishing site to the target server the attacker wishes to impersonate and the other way around. This way, the phishing site is visually identical to the original website (as every HTTP is proxied to and from the original website). The attacker also doesn’t need to craft their own phishing site like how it’s done in conventional phishing campaigns. The URL is the only visible difference between the phishing site and the actual one. 

Figure 2 below illustrates the AiTM phishing process:

The phishing page has two different Transport Layer Security (TLS) sessions—one with the target and another with the actual website the target wants to access. These sessions mean that the phishing page practically functions as an AiTM agent, intercepting the whole authentication process and extracting valuable data from the HTTP requests such as passwords and, more importantly, session cookies. Once the attacker obtains the session cookie, they can inject it into their browser to skip the authentication process, even if the target’s MFA is enabled. 

The AiTM phishing process can currently be automated using open-source phishing toolkits and other online resources. Among the widely-used kits include Evilginx2, Modlishka, and Muraena.  

Tracking an AiTM phishing campaign

Using Microsoft 365 Defender threat data, we detected multiple iterations of an AiTM phishing campaign that attempted to target more than 10,000 organizations since September 2021. These runs appear to be linked together and target Office 365 users by spoofing the Office online authentication page.

Based on our analysis, these campaign iterations use the Evilginx2 phishing kit as their AiTM infrastructure. We also uncovered similarities in their post-breach activities, including sensitive data enumeration in the target’s mailbox and payment frauds.

Initial access

In one of the runs we’ve observed, the attacker sent emails with an HTML file attachment to multiple recipients in different organizations. The email message informed the target recipients that they had a voice message.

When a recipient opened the attached HTML file, it was loaded in the user’s browser and displayed a page informing the user that the voice message was being downloaded. Note, however, that the download progress bar was hardcoded in the HTML file, so no MP3 file was being fetched.

Instead, the page redirected the user to a redirector site:

This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable (see Figure 7 below).

By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.

Note that on other instances, we observed that the redirector page used the following URL format:

hxxp://[username].[wildcard domain].[tld]/#[user email encoded in Base64]

In this format, the target’s username was used as part of an infinite subdomains technique, which we have previously discussed in other phishing campaigns.

After the redirection, the user finally landed on an Evilginx2 phishing site with their username as a fragment value. For example:

hxxp://login[.]nmmnvvx[.]xyz/yamRSmFG#[username]@[organizationname].[tld]

The phishing site proxied the organization’s Azure Active Directory (Azure AD) sign-in page, which is typically login.microsoftonline.com. If the organization had configured their Azure AD to include their branding, the phishing site’s landing page also contained the same branding elements.

Once the target entered their credentials and got authenticated, they were redirected to the legitimate office.com page. However, in the background, the attacker intercepted the said credentials and got authenticated on the user’s behalf. This allowed the attacker to perform follow-on activities—in this case, payment fraud—from within the organization.

Post-breach BEC

Payment fraud is a scheme wherein an attacker tricks a fraud target into transferring payments to attacker-owned accounts. It can be achieved by hijacking and replying to ongoing finance-related email threads in the compromised account’s mailbox and luring the fraud target to send money through fake invoices, among others.

Based on our analysis of Microsoft 365 Defender threat data and our investigation of related threat alerts from our customers, we discovered that it took as little time as five minutes after credential and session theft for an attacker to launch their follow-on payment fraud. From our observation, after a compromised account signed into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to Outlook online (outlook.office.com). In multiple cases, the cookies had an MFA claim, which means that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account.

Finding a target

The following days after the cookie theft, the attacker accessed finance-related emails and file attachments files every few hours. They also searched for ongoing email threads where payment fraud would be feasible. In addition, the attacker deleted from the compromised account’s Inbox folder the original phishing email they sent to hide traces of their initial access.

These activities suggest the attacker attempted to commit payment fraud manually. They also did this in the cloud—they used Outlook Web Access (OWA) on a Chrome browser and performed the abovementioned activities while using the compromised account’s stolen session cookie.

Once the attacker found a relevant email thread, they proceeded with their evasion techniques. Because they didn’t want the compromised account’s user to notice any suspicious mailbox activities, the attacker created an Inbox rule with the following logic to hide any future replies from the fraud target:

“For every incoming email where sender address contains [domain name of the fraud target], move the mail to “Archive” folder and mark it as read.”

Conducting payment fraud

Right after the rule was set, the attacker proceeded to reply to ongoing email threads related to payments and invoices between the target and employees from other organizations, as indicated in the created Inbox rule. The attacker then deleted their replies from the compromised account’s Sent Items and Deleted Items folders.

Several hours after the initial fraud attempt was performed, the attacker signed in once every few hours to check if the fraud target replied to their email. In multiple instances, the attacker communicated with the target through emails for a few days. After sending back responses, they deleted the target’s replies from the Archive folder. They also deleted their emails from the Sent Items folder.

On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox. Every time the attacker found a new fraud target, they updated the Inbox rule they created to include these new targets’ organization domains.

Below is a summary of the campaign’s end-to-end attack chain based on threat data from Microsoft 365 Defender:

Defending against AiTM phishing and BEC

This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organizations put in place to defend themselves against potential attacks. And since credential phishing was leveraged in many of the most damaging attacks last year, we expect similar attempts to grow in scale and sophistication.

While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place. Organizations can thus make their MFA implementation “phish-resistant” by using solutions that support Fast ID Online (FIDO) v2.0 and certificate-based authentication.

Defenders can also complement MFA with the following solutions and best practices to further protect their organizations from such types of attacks:

• Enable conditional access policies. Conditional access policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements.
• Invest in advanced anti-phishing solutions thatmonitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers that can automatically identify and block malicious websites, including those used in this phishing campaign.
• Continuously monitor for suspicious or anomalous activities:
  • Hunt for sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, use of anonymizer services).
  • Hunt for unusual mailbox activities such as the creation of Inbox rules with suspicious purposes or unusual amounts of mail item access events by untrusted IP addresses or devices.

Coordinated threat defense with Microsoft 365 Defender

Microsoft 365 Defender provides comprehensive protection against this AiTM phishing campaign by correlating threat data from various domains. It also coordinates threat defense against the end-to-end attack chain using multiple solutions and has advanced hunting capabilities that allow analysts to inspect their environments further and surface this threat.

Leveraging its cross-signal capabilities, Microsoft 365 Defender alerts customers using Microsoft Edge when a session cookie gets stolen through AiTM phishing and when an attacker attempts to replay the stolen session cookie to access Exchange Online:

Microsoft 365 Defender’s unique incident correlation technology also lets defenders see all the relevant alerts related to an AiTM phishing attack pieced together into a single comprehensive view, thus allowing them to respond to such incidents more efficiently:

Microsoft 365 Defender is backed by threat experts who continuously monitor the computing landscape for new attacker tools and techniques. Their expert monitoring not only helps alert customers of a possible incident (such as a potential cookie theft during an authentication session), their research on the constantly evolving phishing techniques also enriches the threat intelligence that feeds into the abovementioned protection technologies.

Microsoft Defender for Office 365 detects threat activity associated with this phishing campaign through the following email security alerts. Note, however, that these alerts may also be triggered by unrelated threat activity. We’re listing them here because we recommend that these alerts be investigated and remediated immediately.

• Email messages containing malicious file removed after delivery​. This alert is generated when any messages containing a malicious file are delivered to mailboxes in an organization. Microsoft removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP) if this event occurs.
• Email messages from a campaign removed after delivery​. This alert is generated when any messages associated with a campaign are delivered to mailboxes in an organization. Microsoft removes the infected messages from Exchange Online mailboxes using ZAP if this event occurs.

Microsoft Defender for Cloud Apps detects this AiTM phishing and BEC campaigns through the following alerts:

• Suspicious inbox manipulation rule. The attackers set an Inbox rule to hide their malicious activities. Defender for Cloud Apps identifies such suspicious rules and alerts users when detected.
• Impossible travel activity. The attackers used multiple proxies or virtual private networks (VPNs) from various countries or regions. Sometimes, their attack attempts happen at the same time the actual user is signed in, thus raising impossible travel alerts.
• Activity from infrequent country. Because the attackers used multiple proxies or VPNs, on certain occasions, the egress endpoints of these VPN and proxy servers are uncommon for the user, thus raising this alert.

Azure AD Identity Protection automatically detects and remediates identity-based risks. It detects suspicious sign-in attempts and raises any of the following alerts:

• Anomalous Token. This alert flags a token’s unusual characteristics, such as its token lifetime or played from an unfamiliar location.
• Unfamiliar sign-in properties. In this phishing campaign, the attackers used multiple proxies or VPNs originating from various countries or regions unfamiliar to the target user.
• Unfamiliar sign-in properties for session cookies. This alert flags anomalies in the token claims, token age, and other authentication attributes.
• Anonymous IP address. This alert flags sign-in attempts from anonymous IP addresses (for example, Tor browser or anonymous VPN).

In addition, Continuous Access evaluation (CAE) revokes access in real time when changes in user conditions trigger risks, such as when a user is terminated or moves to an untrusted location.

Learn how you can stop attacks through automated, cross-domain security with Microsoft 365 Defender.

Microsoft 365 Defender Research Team

Microsoft Threat Intelligence Center (MSTIC)

Appendix

Indicators of compromise (IOCs)

Redirector domains

• 32sssaawervvvv[.]biz
• adminmmi[.]biz
• auth2022[.]live
• cleanifl[.]com
• docpmsi[.]us
• vrtlsrvmapp[.]biz
• vrtofcvm[.]live

Phishing site domains  

• login[.]actionspsort[.]cam
• login[.]akasmisoft[.]xyz
• login[.]aueuth11[.]live
• login[.]auth009[.]xyz
• login[.]auth2022[.]live
• login[.]auth83kl[.]live
• login[.]bittermann-hh[.]co
• login[.]cbhbanlc[.]com
• login[.]cleanifl[.]com
• login[.]clfonl365[.]xyz
• login[.]gddss36[.]live
• login[.]grodno-pl[.]com
• login[.]hfs923[.]shop
• login[.]karlandpearson[.]com
• login[.]klm2136[.]click
• login[.]login-micro[.]mcrsfts-passwdupdate[.]com
• login[.]mcrosfts-updata[.]live
• login[.]mcrosfts-update[.]cloud
• login[.]mcrosfts-update[.]digital
• login[.]mcrosftts-update[.]cloud
• login[.]mcrsft-audio[.]xyz
• login[.]mcrsfts-cloud[.]live
• login[.]mcrsfts-passwd[.]cloud
• login[.]mcrsfts-passwd[.]digital
• login[.]mcrsfts-passwdupdate[.]com
• login[.]mcrsfts-update[.]cloud
• login[.]mcrsfts-update[.]digital
• login[.]mcrsfts-virtualofficevm[.]com
• login[.]mcrsftsvm-app[.]digital
• login[.]mcrsftsvm-app[.]live
• login[.]mcrsfts-voiceapp[.]digital
• login[.]mcrsftsvoice-mail[.]cloud
• login[.]microsecurity[.]us
• login[.]microstoff[.]xyz
• login[.]mljs365[.]xyz
• login[.]mwhhncndn[.]xyz
• login[.]mycrsfts-passwd[.]live
• login[.]qwwxthn[.]xyz
• login[.]seafoodsconnection[.]com
• login[.]sunmarks[.]co[.]uk
• login[.]tfosorcimonline[.]xyz
• login[.]whitmanlab[.]uk
• login[.]yi087011[.]xyz

Advanced hunting queries  

When an attacker uses a stolen session cookie, the “SessionId” attribute in the AADSignInEventBeta table will be identical to the SessionId value used in the authentication process against the phishing site. Use this query to search for cookies that were first seen after OfficeHome application authentication (as seen when the user authenticated to the AiTM phishing site) and then seen being used in other applications in other countries:

let OfficeHomeSessionIds = AADSignInEventsBeta
| where Timestamp > ago(1d)
| where ErrorCode == 0
| where ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" //OfficeHome application | where ClientAppUsed == "Browser" | where LogonType has "interactiveUser" | summarize arg_min(Timestamp, Country) by SessionId;
AADSignInEventsBeta
| where Timestamp > ago(1d)
| where ApplicationId != "4765445b-32c6-49b0-83e6-1d93765276ca"
| where ClientAppUsed == "Browser" | project OtherTimestamp = Timestamp, Application, ApplicationId, AccountObjectId, AccountDisplayName, OtherCountry = Country, SessionId
| join OfficeHomeSessionIds on SessionId
| where OtherTimestamp > Timestamp and OtherCountry != Country

Use this query to summarize for each user the countries that authenticated to the OfficeHome application and find uncommon or untrusted ones:  

AADSignInEventsBeta | where Timestamp > ago(7d) | where ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" //OfficeHome application | where ClientAppUsed == "Browser" | where LogonType has "interactiveUser" | summarize Countries = make_set(Country) by AccountObjectId, AccountDisplayName 

Use this query to find new email Inbox rules created during a suspicious sign-in session:

//Find suspicious tokens tagged by AAD "Anomalous Token" alert
let suspiciousSessionIds = materialize(
AlertInfo
| where Timestamp > ago(7d)
| where Title == "Anomalous Token"
| join (AlertEvidence | where Timestamp > ago(7d) | where EntityType == "CloudLogonSession") on AlertId
| project sessionId = todynamic(AdditionalFields).SessionId);
//Find Inbox rules created during a session that used the anomalous token
let hasSuspiciousSessionIds = isnotempty(toscalar(suspiciousSessionIds));
CloudAppEvents
| where hasSuspiciousSessionIds
| where Timestamp > ago(21d)
| where ActionType == "New-InboxRule"
| where RawEventData.SessionId in (suspiciousSessionIds)

Howdy folks, 

As a part of our mission to support organizations’ multicloud strategy, last summer we acquired CloudKnox Security, a leader in Cloud Infrastructure Entitlement Management (CIEM). We delivered the Microsoft public preview of the solution in February. Since then, we’ve been preparing for GA with enhancements, including GDPR compliance, global localization, and automated onboarding.   

Today, I’m thrilled to announce the general availability (GA) of Microsoft Entra Permissions Management, formally CloudKnox, as part of the Microsoft Entra portfolio. Permissions Management is available today as a standalone solution, priced at $125 per resource, per year. Resources supported are compute resources, container clusters, serverless functions, and databases across Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Let’s dive into some of the product features and updates.  

 

Manage permissions of any identity, across any cloud, with one unified platform

Microsoft Entra Permissions Management allows organizations to discover, remediate, and monitor permissions for all identities (both human and workloads) and resources across multicloud environments. By continuously monitoring permission usage, Permissions Management allows you to enforce the principle of least privilege at cloud scale using historical data so that your organization can improve its security posture without interrupting productivity. 

• Discover: Get granular visibility into every action performed by every identity, on every resource, and assess your permission risk and monitoring permissions granted verses permissions used.
• Remediate: Close the permission gap by enforcing the principle of least privileges based on actual usage, leveraging our permission on-demand workflow when additional permissions are needed.
• Monitor: Continuously monitor all activity to detect anomalous permission usage and generate detailed forensic reports to support rapid investigation and remediation.

 

New streamlined onboarding and monitoring capabilities

As part of our GA release, we’re introducing a new, automated approach to onboarding your AWS, Azure, and GCP environments into Permissions Management. With a simplified workflow, you can efficiently collect permissions data across clouds at scale with just a few clicks. 

To kick off our integrations with our Microsoft portfolio, users can now monitor their Permission Creep Index and access Permissions Management directly from their Defender for Cloud dashboard, extending Defender for Cloud’s protection with CIEM.    

This is just the beginning! We’re actively expanding our integrations and features and will begin rolling them out later this year. To learn more about our GA release, visit our Permissions Management documentation.

 

Try Microsoft Entra Permissions Management today   

We’re offering a free 90-day trial to Permissions Management so that you can run a comprehensive risk assessment and identify the top permission risks across your multicloud infrastructure.   

Within a few hours of onboarding, Permissions Management will generate a comprehensive Permissions Analytics Report to identify your organization’s areas of greatest risk, with actionable insights to begin remediation and secure your environment. Request a free risk assessment today at aka.ms/TryPermissionsManagement.

If you’re interested in learning more about Microsoft Entra Permissions Management, visit our website and our product documentation! We’d love to hear your feedback, so please leave a comment below and join our security experts at our Ask Me Anything session on July 19th at 9 AM PST if you have any questions.   

Best regards, 

Alex Simons (Twitter: @Alex_A_Simons) 

Corporate Vice President Product Management 

Microsoft Identity Division  

Learn more about Microsoft identity: 

Like most of you, I was glad to see the 2022 RSA Conference return to its in-person roots after a two-year digital hiatus. This year’s event was a great success, drawing 26,000 attendees to three days of cutting-edge security sessions, tutorials, seminars, and special events at Moscone Center in San Francisco. The conference included more than 600 speakers and 400-plus exhibitors, along with hundreds of media representatives. Microsoft Security was on the ground, interacting with customers and security professionals at Microsoft’s 20-plus earned sessions, as well as showcasing new solutions like Microsoft Entra that help realize our goal of comprehensive security.

I was honored to give a keynote address (video courtesy of RSA Conference) on the future of cybersecurity, including a look at where technology and human expertise are headed, as well as why creating a more inclusive and diverse security workforce will be critical in our defense against evolving threats. Also addressing a subject that’s become more urgent with the growth of the decentralized enterprise, my colleague Bret Arsenault, Microsoft Corporate Vice President (CVP) and Chief Information Security Officer (CISO), gave a special presentation on managing Shadow IT. All in all, it was a fun, collegial, and productive five days. Let’s look at some of the highlights.

Figure 1. Vasu Jakkal gives the keynote address—Innovation, Ingenuity, and Inclusivity: The Future of Security is Now.

Microsoft Security Hub—you made it shine

Thanks to our guests and some hard work by our onsite team, the Microsoft pre-day event was a huge hit. We registered 430 attendees for this all-day event held on June 5, 2022, at Bespoke Event Center. Attendees were able to partake in Q&As with security experts about Zero Trust, threat intelligence, multicloud protection, risk management, and how Microsoft is re-envisioning the future of identity and access with Microsoft Entra.

I hosted Bret Arsenault in a fireside chat about navigating today’s security challenges and my colleague Joy Chik, CVP of Identity and Access, made a special presentation on Microsoft Entra and the trust fabric of identity.

Figure 2. CVP of Identity and Access Joy Chik speaks at the 2022 RSA Conference.

Attendees also enjoyed our immersive walkthrough art experience (and of course, the custom swag bar). Many guests took advantage of the reception to network with other security professionals and reconnect with old friends. It was great to see some familiar faces and share new insights with defenders across our community—a big thank you to everyone who joined us!

Figure 3. Attendes network at the Microsoft Security Hub.

Microsoft had a booth at the North Expo of RSA which showcased Microsoft comprehensive security solutions across our six product families: Microsoft Entra, Microsoft Endpoint Manager, Microsoft Defender, Microsoft Sentinel, Microsoft Purview, and Microsoft Priva. More than 7,300 people visited the Microsoft booth.

Figure 4. Microsoft Security booth at RSA Conference 2022.

Standout sessions

Microsoft speakers appeared in more than 20 earned sessions at this year’s RSA, addressing everything from supply chain attacks to ransomware, botnets, and ways to protect our democracy. We also hosted 40 sessions in our booth. Some of our most popular sessions included:

• Practical Learnings for Threat Hunting and Improving Your Security Posture: Hosted by Jessica Payne, Principal Security Researcher and Threat Intelligence Strategist at Microsoft, and Simon Dyson, Cyber Security Operations Centre Lead in NHS Digitals Data Security Centre, this 50-minute session addressed threat hunting and security posture improvements from a threat intelligence-informed perspective. Attendees gained insights from Jessica’s experience in demystifying and defusing real-world ransomware attacks. They also got a first-hand recounting of Simon’s work securing the complex network maintained by England’s National Health Service (NHS) during the pandemic, and how his team’s experience can benefit all of us.
• Conti Playbook: Infiltrate the Most Profitable Ransomware Gang: Participants learned how a disgruntled affiliate exposed one of the most infamous ransomware gangs, divulging its ransomware-as-a-service (RaaS) secrets to help take them down. This immersive, hands-on workshop guided attendees through a typical Conti attack sequence and provided tips to defend against advanced persistent threats. Thanks to Tom D’Aquino, Fabien Guillot, and Arpan Sarkar of Microsoft partner Vectra AI for this presentation.
• Microsoft Defender Experts for Hunting Has Got Your Back: Abhishek Agarwal, Chief Security and Technology Officer at Helix Biotech, examined threat hunting’s virtuous cycle: track, hunt, and analyze. Specifically, attendees learned how Microsoft Defender Experts for Hunting uses AI to accomplish all three components of the cycle faster, providing automated detection, hunting, and analysis to help the team track and stop threats across the company’s multi-national enterprise.
• Microsoft Security Research—How We Responsibly Disclose Vulnerabilities to Apple, Google, and the Linux Community: Jonathan Bar Or, Principal Security Researcher at Microsoft, discussed how disclosing bugs makes the world safer and benefits users, as well as giving Microsoft Security a better understanding of the technologies we work to protect.​ The goal is to challenge our own detections and prove product truth—making Microsoft Defender stronger by challenging our own blue teams.​
• Solve Secure Access Needs for Workload Identities with Microsoft Entra: Microsoft Product Managers Nick Wryter and Sandy Jiang led this informative session on the phenomenon of exploding workload identities. Currently, workload identities outnumber user identities five to one; the challenge being that many traditional identity and access management solutions don’t manage these prevalent and frequently over-permitted identities. Nick and Sandy explained how the new Microsoft Entra addresses this problem by providing a comprehensive view of every action performed by any identity on any resource, detecting anomalous permission usage at cloud scale.
• Tracking Highly Evasive APTs with Vectra Detect & Microsoft Sentinel: Tom D’ Aquino, Senior Security Engineer at Vectra AI, led this demonstration of real-life threat-hunting using Vectra Detect and Microsoft Sentinel. Tom demonstrated real-world workflows for threat tracking, including individual threat severity, lateral movement, threat targets, and more.
• The Shift of “Why” and “How” of Ransomware Attacks; How Microsoft Helps Customers Survive Ransomware: Led by MacKenzie Brown of Microsoft’s Detection and Response Team (DART), this session examined the how and why behind the recent increase in ransomware attacks. Attendees learned how attackers have evolved their methods to exert minimum effort for maximum return on investment (ROI), and why DART’s methodology can help you defeat them.

Shining a light on Shadow IT

Shadow IT can be broadly defined as a “set of applications, services, and infrastructure that are developed and managed outside of defined company standards.” These kinds of ad-hoc systems can pose a compliance risk, especially for security, privacy, data governance, and accessibility. Like any organization, Microsoft has not been immune to the proliferation of Shadow IT.

Figure 5. Vasu Jakkal and Bret Arsenault speak at the Microsoft pre-day event.

In keeping with our commitment to security for all, Microsoft CVP and CISO Bret Arsenault gave a special presentation on June 8, 2022, addressing Microsoft’s approach to managing Shadow IT. Bret discussed how Microsoft’s security team is enabling engineers and developers to build and operate security capabilities in the cloud, as well as Microsoft’s three primary principles for managing and addressing Shadow IT. For attendees wanting to learn more, we followed up the event with a free white paper on managing Shadow IT.  We’ve also made Bret’s presentation slides available to everyone.

2022 Excellence Awards

The Microsoft Security Excellence Awards (formerly Microsoft Security 20/20 Awards) recognize Microsoft Intelligent Security Association (MISA) members’ success during the past 12 months. This year’s 10 award categories were carefully selected to recognize the unique ways MISA members support their customers and help improve Microsoft security products. Our cross-functional panel carefully examined hundreds of nominations, narrowing the field to just three finalists for each category.

In the spirit of collaboration, Microsoft and MISA members alike voted on the winners. After dinner and cocktails, the awards were handed out at the San Francisco Design Center by Microsoft executives Phil Montgomery, Andrew Conway, Alym Rayani, Irina Nechaeva, Desmond Forbes, Sue Bohn, Mandana Javaheri, Madhu Prasha, Scott Woodgate, and myself. MISA members are a critical part of our approach to comprehensive security. We’re grateful for their vision and dedication to our shared mission of helping customers do more, safely. To all of this year’s finalists and winners—congratulations!

Comprehensive security year-round

Microsoft now protects 785,000 customers around the world, including our own digital estate. Our goal is to provide comprehensive security for our customers while enabling greater security for our shared online world. Microsoft’s best-in-breed protection, built-in intelligence, and simplified management integrates more than 50 product categories in six product families, allowing you to be fearless in the pursuit of your vision.  Our newest product family, Microsoft Entra, helps fulfill that mission by creating a secure entry point for end-to-end security. Entra provides a unified admin center for Azure Active Directory (Azure AD), Entra Permissions Management, and Entra Verified ID where your organization can quickly verify and secure every identity or access request—all in one place.

Our commitment to comprehensive security also means providing the latest research and first-hand knowledge to help keep your organization secure. You can learn more at Cyber Signals, a cyberthreat intelligence brief drawn from the latest Microsoft data and research. If you attended RSA and engaged with Microsoft, please take a few minutes to respond to our RSAC 2022 survey so we can continue to improve your experience. My thanks to everyone who attended, and we’ll see you next year!  

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Editor’s note: Today Microsoft published a new intelligence report, Defending Ukraine: Early Lessons from the Cyber War. This report represents research conducted by Microsoft’s threat intelligence and data science teams with the goal of sharpening our understanding of the threat landscape in the ongoing war in Ukraine. The report also offers a series of lessons and conclusions resulting from the data gathered and analyzed. Notably, the report reveals new information about Russian efforts including an increase in network penetration and espionage activities amongst allied governments, non-profits and other organizations outside Ukraine. This report also unveils detail about sophisticated and widespread Russian foreign influence operations being used among other things, to undermine Western unity and bolster their war efforts. We are seeing these foreign influence operations enacted in force in a coordinated fashion along with the full range of cyber destructive and espionage campaigns. Finally, the report calls for a coordinated and comprehensive strategy to strengthen collective defenses – a task that will require the private sector, public sector, nonprofits and civil society to come together. The foreword of this new report, written by Microsoft President and Vice Chair Brad Smith, offers additional detail below.

---

 The recorded history of every war typically includes an account of the first shots fired and who witnessed them. Each account provides a glimpse not just into the start of a war, but the nature of the era in which people lived. 

Historians who discuss the first shots in America’s Civil War in 1861 typically describe guns, cannons, and sailing ships around a fort near Charleston, South Carolina.  

Events spiraled toward the launch of World War I in 1914 when terrorists in plain view on a city street in Sarajevo used grenades and a pistol to assassinate the archduke of the Austrian-Hungarian Empire.  

It would take until the Nuremberg war trials to fully understand what happened near the Polish border 25 years later. In 1939, Nazi SS troops dressed in Polish uniforms and staged an attack against a German radio station. Adolf Hitler cited such attacks to justify a blitzkrieg invasion that combined tanks, planes, and troops to overrun Polish cities and civilians. 

Each of these incidents also provides an account of the technology of the time — technology that would play a role in the war that ensued and the lives of the people who lived through it. 

The war in Ukraine follows this pattern. The Russian military poured across the Ukrainian border on February 24, 2022, with a combination of troops, tanks, aircraft, and cruise missiles. But the first shots were in fact fired hours before when the calendar still said February 23. They involved a cyberweapon called “Foxblade” that was launched against computers in Ukraine. Reflecting the technology of our time, those among the first to observe the attack were half a world away, working in the United States in Redmond, Washington. 

As much as anything, this captures the importance of stepping back and taking stock of the first several months of the war in Ukraine, which has been devastating for the country in terms of destruction and loss of life, including innocent civilians. 

While no one can predict how long this war will last, it’s already apparent that it reflects a trend witnessed in other major conflicts over the past two centuries. Countries wage wars using the latest technology, and the wars themselves accelerate technological change. It’s therefore important to continually assess the impact of the war on the development and use of technology. 

The Russian invasion relies in part on a cyber strategy that includes at least three distinct and sometimes coordinated efforts – destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world. This report provides an update and analysis on each of these areas and the coordination among them. It also offers ideas about how to better counter these threats in this war and beyond, with new opportunities for governments and the private sector to work better together.  

The cyber aspects of the current war extend far beyond Ukraine and reflect the unique nature of cyberspace. When countries send code into battle, their weapons move at the speed of light. The internet’s global pathways mean that cyber activities erase much of the longstanding protection provided by borders, walls, and oceans. And the internet itself, unlike land, sea, and the air, is a human creation that relies on a combination of public and private- sector ownership, operation, and protection.  

This in turn requires a new form of collective defense. This war pits Russia, a major cyber-power, not just against an alliance of countries. The cyber defense of Ukraine relies critically on a coalition of countries, companies, and NGOs.  

The world can now start to assess the early and relative strengths and weaknesses of offensive and defensive cyber operations. Where are collective defenses successfully thwarting attacks and where are they falling short? What types of technological innovations are taking place? And critically, what steps are needed to effectively defend against cyberattacks in the future?  Among other things, it’s important to base these assessments on accurate data and not be misled into an unwarranted sense of tranquility from the external perception that the cyberwar in Ukraine has not been as destructive as some feared.  

This report offers five conclusions that come from the war’s first four months: 

First, defense against a military invasion now requires for most countries the ability to disburse and distribute digital operations and data assets across borders and into other countries. Russia not surprisingly targeted Ukraine’s governmental data center in an early cruise missile attack, and other “on premise” servers similarly were vulnerable to attacks by conventional weapons. Russia also targeted its destructive “wiper” attacks at on-premises computer networks. But Ukraine’s government has successfully sustained its civil and military operations by acting quickly to disburse its digital infrastructure into the public cloud, where it has been hosted in data centers across Europe.  

This has involved urgent and extraordinary steps from across the tech sector, including by Microsoft. While the tech sector’s work has been vital, it’s also important to think about the longer-lasting lessons that come from these efforts.  

Second, recent advances in cyber threat intelligence and end-point protection have helped Ukraine withstand a high percentage of destructive Russian cyberattacks. Because cyber activities are invisible to the naked eye, they are more difficult for journalists and even many military analysts to track. Microsoft has seen the Russian military launch multiple waves of destructive cyberattacks against 48 distinct Ukrainian agencies and enterprises. These have sought to penetrate network domains by initially comprising hundreds of computers and then spreading malware designed to destroy the software and data on thousands of others.  

Russian cyber tactics in the war have differed from those deployed in the NotPetya attack against Ukraine in 2017. That attack used “wormable” destructive malware that could jump from one computer domain to another and hence cross borders into other countries. Russia has been careful in 2022 to confine destructive “wiper software” to specific network domains inside Ukraine itself. But the recent and ongoing destructive attacks themselves have been sophisticated and more widespread than many reports recognize. And the Russian army is continuing to adapt these destructive attacks to changing war needs, including by coupling cyberattacks with the use of conventional weapons.  

A defining aspect of these destructive attacks so far has been the strength and relative success of cyber defenses. While not perfect and some destructive attacks have been successful, these cyber defenses have proven stronger than offensive cyber capabilities. This reflects two important and recent trends. First, threat intelligence advances, including the use of artificial intelligence, have helped make it possible to detect these attacks more effectively. And second, internet-connected end-point protection has made it possible to distribute protective software code quickly both to cloud services and other connected computing devices to identify and disable this malware. Ongoing wartime innovations and measures with the Ukrainian Government have strengthened this protection further. But continued vigilance and innovation will likely be needed to sustain this defensive advantage. 

Third, as a coalition of countries has come together to defend Ukraine, Russian intelligence agencies have stepped up network penetration and espionage activities targeting allied governments outside Ukraine. At Microsoft we’ve detected Russian network intrusion efforts on 128 organizations in 42 countries outside Ukraine. While the United States has been Russia’s number one target, this activity has also prioritized Poland, where much of the logistical delivery of military and humanitarian assistance is being coordinated. Russian activities have also targeted Baltic countries, and during the past two months there has been an increase in similar activity targeting computer networks in Denmark, Norway, Finland, Sweden, and Turkey. We have also seen an increase in similar activity targeting the foreign ministries of other NATO countries.  

Russian targeting has prioritized governments, especially among NATO members. But the list of targets has also included think tanks, humanitarian organizations, IT companies, and energy and other critical infrastructure suppliers. Since the start of the war, the Russian targeting we’ve identified has been successful 29 percent of the time. A quarter of these successful intrusions has led to confirmed exfiltration of an organization’s data, although as explained in the report, this likely understates the degree of Russian success.  

We remain the most concerned about government computers that are running “on premise” rather than in the cloud. This reflects the current and global state of offensive cyber espionage and defensive cyber protection. As the SolarWinds incident demonstrated 18 months ago, Russia’s intelligence agencies have extremely sophisticated capabilities to implant code and operate as an Advanced Persistent Threat (APT) that can obtain and exfiltrate sensitive information from a network on an ongoing basis. There have been substantial advances in defensive protection since that time, but the implementation of these advances remains more uneven in European governments than in the United States. As a result, significant collective defensive weaknesses remain. 

Fourth, in coordination with these other cyber activities, Russian agencies are conducting global cyber-influence operations to support their war efforts. These combine tactics developed by the KGB over several decades with new digital technologies and the internet to give foreign influence operations a broader geographic reach, higher volume, more precise targeting, and greater speed and agility. Unfortunately, with sufficient planning and sophistication, these cyber-influence operations are well positioned to take advantage of the longstanding openness of democratic societies and the public polarization that is characteristic of current times. 

As the war in Ukraine has progressed, Russian agencies are focusing their cyber-influence operations on four distinct audiences. They are targeting the Russian population with the goal of sustaining support for the war effort. They are targeting the Ukrainian population with the goal of undermining confidence in the country’s willingness and ability to withstand Russian attacks. They are targeting American and European populations with the goal of undermining Western unity and deflecting criticism of Russian military war crimes. And they are starting to target populations in nonaligned countries, potentially in part to sustain their support at the United Nations and in other venues. 

Russian cyber-influence operations are building on and are connected to tactics developed for other cyber activities. Like the APT teams that work within Russian intelligence services, Advance Persistent Manipulator (APM) teams associated with Russian government agencies act through social media and digital platforms. They are pre-positioning false narratives in ways that are similar to the pre-positioning of malware and other software code. They are then launching broad-based and simultaneous “reporting” of these narratives from government-managed and influenced websites and amplifying their narratives through technology tools designed to exploit social media services. Recent examples include narratives around biolabs in Ukraine and multiple efforts to obfuscate military attacks against Ukrainian civilian targets.  

As part of a new initiative at Microsoft, we are using AI, new analytics tools, broader data sets, and a growing staff of experts to track and forecast this cyber threat. Using these new capabilities, we estimate that Russian cyber influence operations successfully increased the spread of Russian propaganda after the war began by 216 percent in Ukraine and 82 percent in the United States.  

These ongoing Russian operations build on recent sophisticated efforts to spread false COVID narratives in multiple Western countries. These included state-sponsored cyber-influence operations in 2021 that sought to discourage vaccine adoption through English-language internet reports while simultaneously encouraging vaccine usage through Russian-language sites. During the last six months, similar Russian cyber influence operations sought to help inflame public opposition to COVID-19 policies in New Zealand and Canada.  

We will continue to expand Microsoft’s work in this field in the weeks and months ahead. This includes both internal growth and through the agreement we announced last week to acquire Miburo Solutions, a leading cyber threat analysis and research company specializing in the detection of and response to foreign cyber influence operations. 

We’re concerned that many current Russian cyber influence operations currently go for months without proper detection, analysis, or public reporting. This increasingly impacts a wide range of important institutions in both the public and private sectors. And the longer the war lasts in Ukraine, the more important these operations likely will become for Ukraine itself. This is because a longer war will require sustaining public support from the inevitable challenge of greater fatigue. This should add urgency to the importance of strengthening Western defenses against these types of foreign cyber influence attacks. 

Finally, the lessons from Ukraine call for a coordinated and comprehensive strategy to strengthen defenses against the full range of cyber destructive, espionage, and influence operations. As the war in Ukraine illustrates, while there are differences among these threats, the Russian Government does not pursue them as separate efforts and we should not put them in separate analytical silos. In addition, defensive strategies must consider the coordination of these cyber operations with kinetic military operations, as witnessed in Ukraine.  

New advances to thwart these cyber threats are needed, and they will depend on four common tenets and — at least at a high level — a common strategy. The first defensive tenet should recognize that Russian cyber threats are being advanced by a common set of actors inside and outside the Russian Government and rely on similar digital tactics. As a result, advances in digital technology, AI, and data will be needed to counter them. Reflecting this, a second tenet should recognize that unlike the traditional threats of the past, cyber responses must rely on greater public and private collaboration. A third tenet should embrace the need for close and common multilateral collaboration among governments to protect open and democratic societies. And a fourth and final defensive tenet should uphold free expression and avoid censorship in democratic societies, even as new steps are needed to address the full range of cyber threats that include cyber influence operations.  

An effective response must build on these tenets with four strategic pillars. These should increase collective capabilities to better (1) detect, (2) defend against, (3) disrupt, and (4) deter foreign cyber threats. This approach is already reflected in many collective efforts to address destructive cyberattacks and cyber-based espionage. They also apply to the critical and ongoing work needed to address ransomware attacks. We now need a similar and comprehensive approach with new capabilities and defenses to combat Russian cyber influence operations.  

As discussed in this report, the war in Ukraine provides not only lessons but a call to action for effective measures that will be vital to the protection of democracy’s future. As a company, we are committed to supporting these efforts, including through ongoing and new investments in technology, data, and partnerships that will support governments, companies, NGOs, and universities. 

Tags: cyber, cyberattacks

A recent study conducted by Microsoft in partnership with Ponemon Institute included a survey of companies that have adopted IoT solutions and 65 percent of them mentioned that security is a top priority when implementing IoT. Attacks targeting IoT devices put businesses at risk. Impacted devices can be bricked, held for ransom, employed as launch points for further network attacks, or used for malicious purposes. Among many consequences, we often see intellectual property (IP) and data theft and compromised regulatory status, all of which can have brand and financial implications on the business. 

Subsequently, we did a survey to understand the top concerns around the security of IoT devices, and we shared the findings in a previous blog about best practices for managing IoT security concerns. The following list summarizes the top security concerns from companies that have adopted IoT solutions:

• Ensuring data privacy (46 percent).
• Ensuring network-level security (40 percent).
• Security endpoints for each IoT device (39 percent).
• Tracking and managing each IoT device (36 percent).
• Making sure all existing software is updated (35 percent).
• Updating firmware and other software on devices (34 percent).
• Performing hardware/software tests and device evaluation (34 percent).
• Updating encryption protocols (34 percent).
• Conducting comprehensive training programs for employees involved in IoT environment (33 percent).
• Securely provisioning devices (33 percent).
• Shifting from device-level to identity-level control (29 percent).
• Changing default passwords and credentials (29 percent).

To help address these concerns, Microsoft is thrilled to announce today the general availability of the extension of our Secured-core platform to IoT devices along with new Edge Secured-core certified devices from our partners Aaeon, Asus, Lenovo and Intel in the Azure certified device catalog. We have added this new device certification for our Edge Secured-core platform so customers can more easily select IoT devices that meet this advanced security designation.   

As outlined in Microsoft’s Zero Trust paper, a key investment, especially around new devices, is to choose devices with built-in security. Devices built with Azure Sphere benefit from industry-leading built-in security, with servicing by Microsoft.

Announcements for Edge Secured-core

Edge Secured-core is a certification in the Azure Certified Device program for IoT devices. Devices that have achieved this certification provide enterprises the confidence that the devices they’re purchasing deliver the following security benefits:

• Hardware-based device identity: In addition to the various security properties that a hardware-based device identity provides, this also enables the use of the hardware-backed identity when connecting to Azure IoT Hub and using the IoT Hub device provisioning service.  
• Capable of enforcing system integrity: Using a combination of processor, firmware, and OS support to facilitate measurement of system integrity to help ensure the device works well with Microsoft Azure Attestation.
• Stays up-to-date and is remotely manageable: Receives the necessary device updates for a period of at least 60 months from the date of submission.
• Provides data-at-rest encryption: The device provides built-in support for encrypting the data at rest using up-to-date protocols and algorithms.
• Provides data-in-transit encryption: IoT devices such as gateways, which are often used to connect downstream devices to the cloud, need inherent support for protecting data in transit. Edge Secured-core devices help support up-to-date protocols and algorithms that are used for data-in-transit encryption.
• Built-in security agent and hardening: Edge Secured-core devices are hardened to help reduce the attack surface and include a built-in security agent to help secure from threats.

In addition to addressing many of the top concerns that we’ve heard from customers around the security of their IoT devices, our data shows that Secured-core PCs are 60 percent more resilient to malware than PCs that don’t meet the Secured-core specifications. We’ve brought the learnings from Secured-core PCs to define the requirements for Edge secured-core devices.

Today, we’re excited to announce the availability of Windows IoT Edge Secured-core devices available in the Azure Certified Device catalog.

Additionally, Microsoft invests with semiconductor partners to build IoT-connected industry-certified MCU security platforms that align with Microsoft’s security standards.  

Get started with Microsoft Security

Email us to request a call for more information about Azure Sphere, Edge Secured-core devices, or industry-certified devices. Learn more about Azure IoT security.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Today’s sophisticated cyber threats require a modern approach to security. And this doesn’t apply only to enterprises or government entities—in recent years we’ve seen attacks increase exponentially against individuals. There are 921 password attacks every second.¹ We’ve seen ransomware threats extending beyond their usual targets to go after small businesses and families. And we know, as bad actors become more and more sophisticated, we need to increase our personal defenses as well.

That is why it is so important for us to protect your entire digital life, whether you are at home or work—threats don’t end when you walk out of the office or close your work laptop for the day. We need solutions that help keep you and your family secure in how you work, play, and live.

That’s why I’m excited to share the availability of Microsoft Defender for individuals, a new online security application for Microsoft 365 Personal and Family subscribers. We believe every person and family should feel safe online. This is an exciting step in our journey to bring security to all and I’m thrilled to share with you more about this new app, available with features for you to try today.

Introducing Microsoft Defender

As our digital footprints grow, and with more devices and family members online, protecting your personal data and devices becomes more important than ever. On top of that, you and your family’s device preferences may result in Windows, iOS, Android, and macOS devices all represented in a single household—I know from personal experience in my own family. As threats grow more sophisticated, and time spent online has increased during the pandemic, we are more vulnerable than ever.  

To help keep your data private and devices secure, people often turn to multiple security products, with scattered security monitoring and device management. This fragmentation makes keeping up with increasing online threats even harder.

We must evolve our security solutions to meet unique customer needs at home and work by bringing together existing technologies in a new way. That is why we are introducing Microsoft Defender for individuals. It was built on our Microsoft Defender for Endpoint technology, leveraging the same trusted security that enterprises rely on. It joins our comprehensive set of security products and services as the newest member of our family of Microsoft Defender solutions and extends the protection already built into Windows Security.

What does Microsoft Defender do?

Microsoft Defender is simplified online security that meets you and your family where you are by bringing multiple protections together into a single dashboard. It provides online protection across the devices you and your family use. It offers tips and recommendations to strengthen your protection further. And, as you grow your digital footprint by adding family members and devices, Defender grows with you and keeps your defenses up-to-date using trusted technology.  

This seamless solution, which includes continuous antivirus and anti-phishing protection for your data and devices, will enable you to:

• Manage your security protections and view security protections for everyone in your family, from a single easy-to-use, centralized dashboard.²
• View your existing antivirus protection (such as Norton or McAfee). Defender recognizes these protections within the dashboard.
• Extend Windows device protections to iOS, Android, and macOS devices for cross-platform malware protection on the devices you and your family use the most.^{3, 4}
• Receive instant security alerts, resolution strategies, and expert tips to help keep your data and devices secure.⁵

This is just the start. As we look forward, we will continue to bring more protections together under a single dashboard, including features like identity theft protection and secure online connection. Microsoft Defender is simplified online security that grows with you and your family to help keep you safe. 

Try it today!

The expansion of our security portfolio with Microsoft Defender for individuals is the natural and exciting progression in our journey as a security company. The Microsoft Defender app is available to Microsoft 365 subscribers beginning today, across Windows, macOS, iOS, and Android. It was shaped based on the thoughts and feedback from so many families and people who use our products, and we are so excited to have this available today. Read more about the value to Microsoft 365 subscribers and the journey to get here from the Microsoft 365 team, or try Microsoft Defender today. There is so much more to come, and we look forward to sharing more on this journey to make the world a safer place for all!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹According to Microsoft Azure Active Directory (Azure AD) authentication log data. 2022. 

²App requires a Microsoft 365 Family or Personal subscription and is available as a separate download. 

³App is available on Windows, macOS, Android, and iOS in select Microsoft 365 Family or Personal billing regions.

⁴New malware protection is not available where these protections exist on iOS and Windows.

⁵Security tips are available on Windows and macOS only.