What was the next big inflection point in the development of the DCU’s strategy?<\/h2>
We started to partner with Microsoft Threat Intelligence Center (MSTIC) to disrupt nation-state actors with the Russian infiltration of the Democratic National Convention in 2016. Our approach was to distort their business model by forcing them to harden their infrastructure, which increases the cost and complexity of their operations. Nation-state actors are much more sophisticated and difficult to identify. They want to blend into traffic, and there are very few victims. We had to devise new investigative techniques, as well as adapt our legal techniques.<\/p>
How did you change your approach to disrupt nation-state threats?<\/h2>
At that time, nation-state actors were using domain-based malware like cybercriminals were, but they’d register a domain and keep it silent for several years. Then, all of a sudden, they would pop up. But our investigators learned that those domains would always have a specific type of malware that was unique to each attack. We would search for that malware, or at least bits and pieces of it, in a domain. When we found it, that would allow us to legally substantiate our need to take the domain down. But they would come up with new domains all the time, and each time we’d have to go back to the court for additional orders. That’s much too slow when you’re dealing with a nation-state threat.<\/p>
We did something very unique, which was to use what’s called a “special master” or “court monitor,” which is primarily used in divorce proceedings. It’s a process in both federal and state law that allows you to ask the court to appoint a monitor to keep watching the case after it’s closed. This allows you to act quickly on problems that arise over and over again without having to go back to court every time. If we find a domain that fits a set of predetermined criteria, we can have a phone hearing with the court monitor within 24 to 48 hours and take it down. Being able to accelerate the process was a real evolution in our legal and technical strategy.<\/p>
What have been some more recent innovations in your strategy?<\/h2>
We developed a tactic we call Statutory Automated Disruption (SAD)<\/a> that uses copyright law. In the 2021 case of Google vs. Oracle, the US courts ruled that application programming interfaces (APIs) are copyrightable. That gave us an idea: we started reverse engineering malware to see if threat actors were using Microsoft’s APIs. Very often, they were. We have copyright rules in the terms of use for our APIs, so now we can very quickly disrupt cybercriminals by showing violation of our copyright due to illegal use.<\/p> In the US, the Digital Millennium Copyright Act (DMCA) allows you to send a legal request to a service provider to take down content that’s violating your copyright. Companies send DMCA notices all the time to take down things like pirated movies. But we’re using the same strategy to take down cybercriminals’ command-and-control infrastructure. The built-in penalties in the statute are very high, so providers have to take down the malware immediately. No one’s ever done this before, and it makes disruption much more efficient and effective.<\/p> The DMCA doesn’t apply in other countries, so we can’t compel foreign entities to comply, but there are a few ways we use SAD tactics internationally. We share our DMCA notices with international registries to help law enforcement build cases against cybercriminals. We also work with private-sector cybersecurity partners around the world, and for many security companies, copyright violation constitutes a breach of contract. Sharing our DMCA notices frequently gives these companies all the proof they need to force a cybercriminal to take down malware.<\/p>\n","protected":false},"excerpt":{"rendered":" Richard Boscovich, Assistant General Counsel with Microsoft’s Digital Crimes Unit (DCU), explains his team’s unique approach to disrupting malware threats by wielding the power of the law.<\/p>\n","protected":false},"author":23,"featured_media":2458,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_microsoft_sidebar_content":"\n Share<\/p>\n\n\n<\/div>\n\n\n\n We are working to help civil society, governments, \u2028and technology makers come together to discuss what responsible computing means in the quantum era so we can safely use these technologies for societally beneficial \u2028purposes.<\/p>\n\n\n\n Emily Violi Benjamin,Post-quantum resilience: building secure foundations <\/a><\/h2>\n\n\n\n
<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
Microsoft Digital Defense Report 2025 <\/a><\/h2>\n\n\n\n
<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n
Senior Program Manager,
Quantum Legal and Policy<\/p>\n<\/blockquote>\n","_microsoft_bottom_content":"\n![\"Conference](\"https:\/\/celacampaig.wpenginepowered.com\/wp-content\/uploads\/2025\/12\/Article-1-Star-Blizzard-DCU-Disruption-Blog_Header_1200x675.webp\")
<\/figure>\n\n\n\n5 things you need to know about tracking today\u2019s nation-state threats<\/a><\/h3>\n<\/div>\n\n\n\n
\n <\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
![\"Abstract](\"https:\/\/celacampaig.wpenginepowered.com\/wp-content\/uploads\/2025\/12\/Article-2-HeaderVisual_DCUStory.webp\")
<\/a><\/figure>\n\n\n\nHow Microsoft is taking down AI hackers who create harmful images of celebrities and others<\/a><\/h3>\n<\/div>\n\n\n\n
![\"Security](\"https:\/\/celacampaig.wpenginepowered.com\/wp-content\/uploads\/2025\/11\/CLO22_SecOps_006-1-1024x683.jpg\")
<\/a><\/figure>\n\n\n\n