Legitimate hosting services, such as SharePoint, OneDrive, and Dropbox, are widely used by organizations for storing, sharing, and collaborating on files. However, the widespread use of such services also makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures.

Importantly, Microsoft takes action against malicious users violating the Microsoft Services Agreement in how they use apps like SharePoint and OneDrive. To help protect enterprise accounts from compromise, by default both Microsoft 365 and Office 365 support multi-factor authentication (MFA) and passwordless sign-in. Consumers can also go passwordless with their Microsoft account. Because security is a team sport, Microsoft also works with third parties like Dropbox to share threat intelligence and protect mutual customers and the wider community.

In this blog, we discuss the typical attack chain used in campaigns misusing file hosting services and detail the recently observed tactics, techniques, and procedures (TTPs), including the increasing use of certain defense evasion tactics. To help defenders protect their identities and data, we also share mitigation guidance to help reduce the impact of this threat, and detection details and hunting queries to locate potential misuse of file hosting services and related threat actor activities. By understanding these evolving threats and implementing the recommended mitigations, organizations can better protect themselves against these sophisticated campaigns and safeguard digital assets.

Attack overview

Phishing campaigns exploiting legitimate file hosting services have been trending throughout the last few years, especially due to the relative ease of the technique. The files are delivered through different approaches, including email and email attachments like PDFs, OneNote, and Word files, with the intent of compromising identities or devices. These campaigns are different from traditional phishing attacks because of the sophisticated defense evasion techniques used.

Since mid-April 2024, we observed threat actors increasingly use these tactics aimed at circumventing defense mechanisms:

• Files with restricted access: The files sent through the phishing emails are configured to be accessible solely to the designated recipient. This requires the recipient to be signed in to the file-sharing service—be it Dropbox, OneDrive, or SharePoint—or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service.
• Files with view-only restrictions: To bypass analysis by email detonation systems, the files shared in these phishing attacks are set to ‘view-only’ mode, disabling the ability to download and consequently, the detection of embedded URLs within the file.

An example attack chain is provided below, depicting the updated defense evasion techniques being used across stages 4, 5, and 6:

Initial access

The attack typically begins with the compromise of a user within a trusted vendor. After compromising the trusted vendor, the threat actor hosts a file on the vendor’s file hosting service, which is then shared with a target organization. This misuse of legitimate file hosting services is particularly effective because recipients are more likely to trust emails from known vendors, allowing threat actors to bypass security measures and compromise identities. Often, users from trusted vendors are added to allow lists through policies set by the organization on Exchange Online products, enabling phishing emails to be successfully delivered.

While file names observed in these campaigns also included the recipients, the hosted files typically follow these patterns:

• Familiar topics based on existing conversations
  • For example, if the two organizations have prior interactions related to an audit, the shared files could be named “Audit Report 2024”.
• Familiar topics based on current context
  • If the attack has not originated from a trusted vendor, the threat actor often impersonates administrators or help desk or IT support personnel in the sender display name and uses a file name such as “IT Filing Support 2024”, “Forms related to Tax submission”, or “Troubleshooting guidelines”.
• Topics based on urgency
  • Another common technique observed by the threat actors creating these files is that they create a sense of urgency with the file names like “Urgent:Attention Required” and “Compromised Password Reset”.

Defense evasion techniques

Once the threat actor shares the files on the file hosting service with the intended users, the file hosting service sends the target user an automated email notification with a link to access the file securely. This email is not a phishing email but a notification for the user about the sharing action. In scenarios involving SharePoint or OneDrive, the file is shared from the user’s context, with the compromised user’s email address as the sender. However, in the Dropbox scenario, the file is shared from no-reply@dropbox[.]com. The files are shared through automated notification emails with the subject: “<User> shared <document> with you”. To evade detections, the threat actor deploys the following additional techniques:

• Only the intended recipient can access the file
  • The intended recipient needs to re-authenticate before accessing the file
  • The file is accessible only for a limited time window
• The PDF shared in the file cannot be downloaded

These techniques make detonation and analysis of the sample with the malicious link almost impossible since they are restricted.

Identity compromise

When the targeted user accesses the shared file, the user is prompted to verify their identity by providing their email address:

Next, an OTP is sent from no-reply@notify.microsoft[.]com. Once the OTP is submitted, the user is successfully authorized and can view a document, often masquerading as a preview, with a malicious link, which is another lure to make the targeted user click the “View my message” access link.

This link redirects the user to an adversary-in-the-middle (AiTM) phishing page, where the user is prompted to provide the password and complete multifactor authentication (MFA). The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign.

Recommended actions

Microsoft recommends the following mitigations to reduce the impact of this threat:

• Enable Conditional Access policies in Microsoft Entra, especially risk-based access policies. Conditional access policies evaluate sign-in requests using additional identity-driven signals like user or group membership, IP address location information, and device status, among others, are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices, Azure trusted IP address requirements, or risk-based policies with proper access control. If you are still evaluating Conditional Access, use security defaults as an initial baseline set of policies to improve identity security posture.
• Implement continuous access evaluation.
• Implement Microsoft Entra passwordless sign-in with FIDO2 security keys.
• Turn on network protection in Microsoft Defender for Endpoint to block connections to malicious domains and IP addresses.
• Implement Microsoft Defender for Endpoint – Mobile Threat Defense on mobile devices used to access enterprise assets.
• Leverage Microsoft Edge to automatically identify and block malicious websites, including those used in this phishing campaign, and Microsoft Defender for Office 365 to detect and block malicious emails, links, and files. Monitor suspicious or anomalous activities in Microsoft Entra ID Protection. Investigate sign-in attempts with suspicious characteristics (such as the location, ISP, user agent, and use of anonymizer services). Educate users about the risks of secure file sharing and emails from trusted vendors.

Appendix

Microsoft Defender XDR detections

Microsoft Defender XDR raises the following alerts by combining Microsoft Defender for Office 365 URL click and Microsoft Entra ID Protection risky sign-ins signal.

• Risky sign-in after clicking a possible AiTM phishing URL
• User compromised through session cookie hijack
• User compromised in a known AiTM phishing kit

Hunting queries

Microsoft Defender XDR 

The file sharing events related to the activity in this blog post can be audited through the CloudAppEvents telemetry. Microsoft Defender XDR customers can run the following query to find related activity in their networks: 

Automated email notifications and suspicious sign-in activity

By correlating the email from the Microsoft notification service or Dropbox automated notification service with a suspicious sign-in activity, we can identify compromises, especially from securely shared SharePoint or Dropbox files.

let usersWithSuspiciousEmails = EmailEvents
    | where SenderFromAddress in ("no-reply@notify.microsoft.com", "no-reply@dropbox.com") or InternetMessageId startswith "<OneTimePasscode"
    | where isnotempty(RecipientObjectId)
    | distinct RecipientObjectId;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100

Files share contents and suspicious sign-in activity

In the majority of the campaigns, the file name involves a sense of urgency or content related to finance or credential updates. By correlating the file share emails with suspicious sign-ins, compromises can be detected. (For example: Alex shared “Password Reset Mandatory.pdf” with you). Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection.

let usersWithSuspiciousEmails = EmailEvents
    | where Subject has_all ("shared", "with you")
    | where Subject has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password")
    | where isnotempty(RecipientObjectId)
    | summarize RecipientCount = dcount(RecipientObjectId), RecipientList = make_set(RecipientObjectId) by Subject
    | where RecipientCount >= 10
    | mv-expand RecipientList to typeof(string)
    | distinct RecipientList;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100

BEC: File sharing tactics based on the file hosting service used

To initiate the file sharing activity, these campaigns commonly use certain action types depending on the file hosting service being leveraged. Below are the action types from the audit logs recorded for the file sharing events. These action types can be used to hunt for activities related to these campaigns by replacing the action type for its respective application in the queries below this table.

OneDrive or SharePoint: The following query highlights that a specific file has been shared by a user with multiple participants. Correlating this activity with suspicious sign-in attempts preceding this can help identify lateral movements and BEC attacks.

let securelinkCreated = CloudAppEvents
    | where ActionType == "SecureLinkCreated"
    | project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;
let filesCreated = securelinkCreated
    | where isnotempty(ObjectName)
    | distinct tostring(ObjectName);
CloudAppEvents
| where ActionType == "AddedToSecureLink"
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| extend FileShared = tostring(RawEventData.ObjectId)
| where FileShared in (filesCreated)
| extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)
| extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType
| where TypeofUserSharedWith == "Guest"
| where isnotempty(FileShared) and isnotempty(UserSharedWith)
| join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName
// Secure file created recently (in the last 1day)
| where (Timestamp - FileCreatedTime) between (1d .. 0h)
| summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared
| where NumofUsersSharedWith >= 20

Dropbox: The following query highlights that a file hosted on Dropbox has been shared with multiple participants.

CloudAppEvents
| where ActionType in ("Added users and/or groups to shared file/folder", "Invited user to Dropbox and added them to shared file/folder")
| where Application == "Dropbox"
| where ObjectType == "File"
| extend FileShared = tostring(ObjectName)
| where isnotempty(FileShared)
| mv-expand ActivityObjects
| where ActivityObjects.Type == "Account" and ActivityObjects.Role == "To"
| extend SharedBy = AccountId
| extend UserSharedWith = tostring(ActivityObjects.Name)
| summarize dcount(UserSharedWith) by FileShared, AccountObjectId
| where dcount_UserSharedWith >= 20

Microsoft Sentinel

Microsoft Sentinel customers can use the resources below to find related activities similar to those described in this post:

The following query identifies files with specific keywords that attackers might use in this campaign that have been shared through OneDrive or SharePoint using a Secure Link and accessed by over 10 unique users. It captures crucial details like target users, client IP addresses, timestamps, and file URLs to aid in detecting potential attacks:

let OperationName = dynamic(['SecureLinkCreated', 'AddedToSecureLink']);
OfficeActivity
| where Operation in (OperationName)
| where OfficeWorkload in ('OneDrive', 'SharePoint')
| where SourceFileName has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password", "paycheck", "bank statement", "bank details", "closing", "funds", "bank account", "account details", "remittance", "deposit", "Reset")
| summarize CountOfShares = dcount(TargetUserOrGroupName), 
            make_list(TargetUserOrGroupName), 
            make_list(ClientIP), 
            make_list(TimeGenerated), 
            make_list(SourceRelativeUrl) by SourceFileName, OfficeWorkload
| where CountOfShares > 10

Considering that the attacker compromises users through AiTM,  possible AiTM phishing attempts can be detected through the below rule:

• Possible AiTM Phishing Attempt

In addition, customers can also use the following identity-focused queries to detect and investigate anomalous sign-in events that may be indicative of a compromised user identity being accessed by a threat actor:

• Signins From VPS Providers
• Signins from Nord VPN Providers
• Successful Signin From Non-Compliant Device

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post File hosting services misused for identity phishing appeared first on Microsoft Security Blog.

Defender Experts for XDR offers a range of capabilities: 

• Managed detection and response: Let our expert analysts manage your Microsoft Defender XDR incident queue and handle triage, investigation, and response on your behalf.  
• Proactive threat hunting: Extend your team’s threat hunting capabilities and prioritize significant threats with Defender Experts for Hunting built in. 
• Live dashboards and reports: Get a transparent view of our operations conducted on your behalf, along with a noise-free, actionable view of prioritized incidents and detailed analytics. 
• Proactive check-ins: Benefit from remote, periodic check-ins with your named service delivery manager (SDM) team to guide your MXDR experience and improve your security posture. 
• Fast and seamless onboarding: Get a guided baselining experience to ensure your Microsoft security products are correctly configured.

Microsoft Defender Experts for XDR

Give your security operations center (SOC) team coverage with leading end-to-end protection and expertise.

Learn more

Cyberattacks detected by Defender Experts for XDR

In the first cyberattack, Defender Experts for XDR provided detection, visibility, and coverage under what Microsoft Threat Intelligence tracks as the threat actor Purple Typhoon. From the early steps in the intrusion, our team alerted the customer that 11 systems and 13 accounts were compromised via a malicious Remote Desktop Protocol (RDP) session, leveraging a Dynamic Link Library (DLL) Search Order Hijacking on a legitimate Notepad++ executable. As is common with this threat actor, the next cyberattack, established a Quasar RAT backdoor triggering keylogging, capturing credentials for the domain admin. After the loaders were executed, scheduled tasks were used to move laterally, execute discovery commands on internal network areas, and complete credential theft dumping.       

For the second cyberattack, which used BlackCat ransomware, Defender Experts for XDR detected and provided extensive guidance on investigation and remediation actions. The BlackCat ransomware, also known as ALPHV, is a prevalent cyberthreat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. It’s noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific threat activity groups. While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—target data is encrypted, exfiltrated, and used for “double extortion,” where attackers threaten to release the stolen data to the public if the ransom isn’t paid. This attack used access broker credentials to perform lateral movement, exfiltrate sensitive data via privileged execution, and execute ransomware encryption malware.    

In both cyberattacks, our team focused on providing focused email, in-product focus to guide the customer, and in a real world cyberattack, our service and product would take disruption actions to stop the cyberattack.

Comprehensive threat hunting, managed response, and product detections 

With complex cyberattacks, security operations teams need robust guidance on what is happening and how to prioritize remediation efforts. Throughout this evaluation, we provided over 18 incidents, 196 alerts, and enriched product detections with human-driven guidance via email and in product experiences using Managed responses. This includes a detailed investigation summary, indicators of compromise (IOCs), advanced hunting queries (AHQs), and prioritized remediation actions to help contain the cyberthreat. Our world class hunting team focuses on providing initial response to a cyberattack, then iterations on updates based on new threat intelligence findings and other enrichment.   

Figure 1. The incident and alerts are tagged with Defender Experts and detailed analysis provided under view Managed response.

Figure 2. Managed response showing details of investigation summary, IOCs, and TTPs.

Figure 3. Managed response focused remediation one-click actions such as blocking indicator, stopping a malicious process, and resetting passwords.

AI-driven attack disruption with Microsoft Defender XDR   

As the second cyberattack leveraged BlackCat ransomware, Microsoft Defender XDR’s attack disruption capability automatically contained the threat and then followed up with hunter guidance on additional containment. This capability combines our industry-leading detection with AI-powered enforcement mechanisms to help mitigate cyberthreats early on in the cyberattack chain and contain their advancement. Analysts have a powerful tool against human-operated cyberattacks while leaving them in complete control of investigating, remediating, and bringing assets back online. 

Figure 4. A summary attack graph, managed responses and attack disruption automatically handling this ransomware threat.

Seamless alert prioritization and consolidation into notifications for the SOC 

We provide prioritization and focus for a typical customer’s SOC team using tags and incident titles with Defender Experts where we enrich product detections. In addition, a dedicated SDM will conduct periodic touchpoints with customers to share productivity and service metrics, provide insights on any vulnerabilities or changes in their environment, solicit feedback, and make best practices recommendations. Our customers see a reduction in total incident volume over time, improvements in security posture, and overall lower operational overhead. Learn how Defender Experts helps Westminster School.  

Figure 5. Summary of all incidents and Defender Experts tag to help filter and prioritize for customers.

Commitment to Microsoft MXDR partners 

We continue our commitment to support our partners in our Microsoft-verified MXDR program. We know that a single provider can’t meet the unique needs of every organization, so we frequently collaborate with our ecosystem of partners to provide customers the flexibility to choose what works best for them—and to leverage those trusted relationships for the best outcomes and returns on their investment. 

We acknowledge that there are areas for discussion and enhancement, but we will take these as a valuable learning opportunity to continuously improve our products and services for the customers we serve. We appreciate our ongoing collaboration with MITRE as the managed services evaluation process evolves with the growing cyberthreat landscape. We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation. 

Learn more about Microsoft Defender Experts for XDR

To learn more, visit the Microsoft Defender Experts for XDR web page, read the Defender Experts for XDR docs page, and subscribe to our ongoing news at the Microsoft Security Experts blog. 

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

Get the latest resources

​​To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

© June 2024. The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. 

The post Microsoft Defender Experts for XDR recognized in the latest MITRE Engenuity ATT&CK® Evaluation for Managed Services appeared first on Microsoft Security Blog.

According to Frost & Sullivan, the market for MDR is growing rapidly, with a growth rate of 35.2%, as evidenced with 22 MDR vendors plotted in this year’s analysis. This growth is expected to continue as Frost & Sullivan cited that “faced with a lack of access to professionals and an inability to protect their business-critical data effectively, organizations are outsourcing to alleviate the issue.”

Figure 1. Frost Radar^TM for Managed Detection and Response 2024 showing Microsoft as a leader.

Advancing cybersecurity frontiers with Defender Experts

Designated as one of the companies to be considered first for investment, partnerships, or benchmarking by Frost & Sullivan, Microsoft is a recent entrant in the MDR space, but with its focus on AI and machine learning, “especially the development of Microsoft Copilot for Security, coupled with its top-tier threat detection and response capabilities, allows it to maintain an innovation edge over other world-class competitors.”¹ Our Defender Experts for XDR service helps our customers boost their security operations centers (SOCs) with security expertise and around-the-clock coverage to detect and accurately respond to incidents that matter across their varied Microsoft Defender XDR workloads.

The Frost & Sullivan report emphasizes the comprehensive capabilities of our Defender Experts for XDR service, which brings together human expertise with AI and automation powered by our Defender XDR suite. The service provides cross-domain MDR services with visibility over endpoints, email, cloud, and identity. In addition, Defender Experts for XDR “delivers 24/7 monitoring, detection, and response, and proactive threat hunting, combined with its world-class threat intelligence, security posture assessments, and access to its expert team.”

Charting new horizons—the convergence of managed services and generative AI

The report highlights the key innovation that Microsoft offers to customers, which is the ability to use both human-led expertise and generative AI in cybersecurity. As organizations continue to adopt MDR services to enhance their SOC efforts, the appearance of generative AI in cybersecurity solutions also offers more potential to those who want to improve their SOC teams. According to Frost & Sullivan, “AI, [machine learning], and automation have become increasingly integral to cybersecurity solutions. These technologies enhance detection and response and allow SOC analysts to focus on what’s important instead of chasing down false alerts.”

The report also recognizes Microsoft Copilot for Security as a pivotal AI assistant that enhances the capabilities of security analysts. It streamlines complex data into concise summaries, offers insights, aids in detection, accelerates response, and contextualizes alerts and incidents. This tool is instrumental in supporting both novice and seasoned analysts, enabling them to make well-informed decisions with greater confidence and speed.

Building on this, the Defender Experts team has found the utilization of Copilot for Security not only boosts productivity and streamlines workflows, but also significantly enhances threat detection and response. Insights from team leaders and real-world applications, such as script analysis and incident summaries, are detailed in a recent blog post. These examples underscore Copilot’s role in elevating the skills of analysts and enriching threat intelligence, and empowering security teams to leverage AI’s full potential in safeguarding their organizations. Microsoft will continue to invest in generative AI and unlock its potential for Defender Experts and our customers.

Microsoft Defender Experts for XDR

Give your security operations center team coverage with leading end-to-end protection and expertise.

See features

Empower your SOC with managed XDR

Frost & Sullivan’s report praises Microsoft Defender Experts for XDR for its capacity to expedite SOC operations through expert triage and investigation, provide robust protection through human-led response and proactive remediation, offer around-the-clock access to Defender Experts for real-time consultations, and provide strategic recommendations to fortify defenses and mitigate future cyberthreats, all underscored by the transformative integration of generative AI with human expertise.

We know that a single provider can’t meet the unique needs of every organization, so we frequently collaborate with our ecosystem of partners that provide customers the flexibility to choose what works for them—and to leverage those trusted relationships for the best outcomes and returns on their investment. To date, we’ve added more than 50 partners to our Microsoft-verified MXDR program and invite you to review their offerings.

Learn more

To learn more about our service, visit the Microsoft Defender Experts for XDR web page, read the Defender Experts for XDR docs page, and subscribe to our ongoing news at the Microsoft Security Experts blog home.

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

Get the latest resources

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Frost & Sullivan, Frost Radar™: Managed Detection and Response, 2024, Lucas Ferreyra. March 2024.

The post ​​Frost & Sullivan names Microsoft a Leader in the Frost Radar™: Managed Detection and Response, 2024 appeared first on Microsoft Security Blog.

Our own Microsoft Defender Experts team has been using and exploring Copilot, and finding new ways it can streamline, inform, and optimize their daily work—from improving communication clarity to data analysis and upskilling. Through their work on the Microsoft Defender Experts for XDR service, they serve as an extension of our customers’ security operations center (SOC) teams. They proactively hunt for serious cyberthreats using Microsoft Defender data. They triage, investigate, and expose advanced threats, identify the scope and impact of malicious activity, and then take action on a customer’s behalf to remediate the incident. And now with Copilot, Defender Experts have a powerful new security tool.

Microsoft Copilot for Security

Powerful new capabilities, new integrations, and industry-leading generative AI.

Learn more

A leadership view of Copilot for Security

In this new series of short videos, our Defender Experts share real-world scenarios where Copilot is helping them navigate threat detection, investigation, and managed response. To begin, Ryan Kivett, Partner Group Manager for Defender Experts, Microsoft, shares his leadership view on how Copilot helps support learning and career growth for his team. Then Brian Hooper, Principal Research Lead for Defender Experts, Microsoft, talks about how Copilot can help minimize the mundane tasks that take security analysts away from their most important work—serious threat investigations.

Watch the video “A leadership view on deploying Copilot.”

Save time and increase efficiency

From a leadership level, it’s easy to see the potential of Copilot. But when every second counts—like during an active security incident—that potential needs to be fully realized and actionable. Copilot for Security puts critical guidance and context into the hands of your security team so they can respond to incidents in minutes instead of hours or days. In our next video clip, Phoebe Rogers, a senior member of the Microsoft Defender Experts analyst team, shares how Copilot helps her shave minutes off every script analysis—which adds up to real saved time, increased efficiency and understanding, and greater incident insight. Watch as she shares how she uses Copilot to analyze a suspicious script, step by step.

Watch the video “Script Analysis.”

When security analysts communicate with customers, they need to provide a clear, concise, and comprehensive summary of an active incident in a timely manner, so customers have a deep understanding of the situation. In the following video, Brian Hooper shares a detailed walkthrough of how Copilot is helping analysts write up these incident narratives 90% faster than in the past.

Watch the video “Incident Summaries.”

Upskill junior analysts and develop critical expertise

Most complex and sophisticated attacks like ransomware evade detection through numerous ways, including the use of scripts and PowerShell. Moreover, these scripts are often obfuscated, which adds to the complexity of detection and analysis. In our next video, Brian Hooper shows how the detailed, line-by-line script examination in Copilot allows security analysts to quickly assess and identify a script as malicious or benign. It also helps junior security analysts upskill their expertise. With Copilot, any analyst can use natural language prompts to initiate and perform tasks that they may not have a lot of experience with or expertise in, and the outputs of Copilot will help them both accomplish the right results quickly, and, more importantly, help them develop those critical skills for long-term use.

“Copilot for Security really helps our junior analysts, as if they had a coach next to them, guiding them through the learning phase of their role. And for our senior analysts, it’s really helping them push past what would have otherwise been possible, in terms of reaching their potential.”

—Ryan Kivett, Partner Group Manager for Defender Experts, Microsoft

Watch the video “Script Analyzer in Defender.”

Get rich, contextual information with threat intelligence

Understanding an organization’s external threat surface can take a lot of time and tools. Often, analysts must go to multiple repositories to obtain the critical data sets they need to assess a suspicious domain, host, or IP address. DNS data, WHOIS information, malware, and SSL certificates provide important context to indicators of compromise (IOCs), but these repositories are widely distributed and don’t always share a common data structure, making it difficult to ensure analysts have all relevant data needed to make a proper and timely assessment of suspicious infrastructure. Getting threat intelligence data and rich, contextual information from Microsoft Defender Threat Intelligence and Copilot helps security analysts make determinations, like whether an IP is malicious or not. In the next video clip, Phoebe Rogers uses Defender Threat Intelligence and Copilot to compare a user’s sign-in properties with their authentication history, surfacing the relevant information to streamline her analysis and determine whether or not it’s a threat.

Watch the video “Getting threat intel data.”

Once a determination is made, it can still take time and effort for an analyst to summarize and communicate a threat to affected parties. But Copilot can help. In our last video clip, Phoebe explains how Copilot can quickly explain the impact of common vulnerabilities and exposures (CVEs) and summarize relevant content like impacted products, bad actors known to exploit the vulnerability, and mitigation recommendations.

Watch the video “CVEs and Vulnerabilities.”

Protect at the speed and scale of AI

When faced with incomplete and imperfect data and the need to investigate a potential threat, communicate that threat to a customer, or craft a timely response, security analysts are realizing tangible, measurable benefits from using Copilot in their daily work. It helps them protect and defend their organization at machine speed and scale. Of course, the ability to leverage generative AI is not exclusive to security teams. It may also be leveraged by potential threat actors. So, the sooner security teams can experience and evaluate generative AI to augment and improve their security, the better. That’s why Brian Hooper encourages department leadership who are building their plan to deploy Copilot within their team to encourage exploration. “Let the team try different prompts. Let the team summarize incidents. Let the team analyze scripts. Let the team find out about intelligence that Microsoft knows about attacks. Organically, they will find all different places that it’s going to help them.”

Learn more

To learn more about Microsoft Copilot for Security, visit the product page, and for more helpful tips and information, view the Copilot for Security Playlist on the Microsoft Security Channel on YouTube.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Copilot for Security provides immediate impact for the Microsoft Defender Experts team appeared first on Microsoft Security Blog.

Octo Tempest is a financially motivated collective of native English-speaking threat actors known for launching wide-ranging campaigns that prominently feature adversary-in-the-middle (AiTM) techniques, social engineering, and SIM swapping capabilities. Octo Tempest, which overlaps with research associated with 0ktapus, Scattered Spider, and UNC3944, was initially seen in early 2022, targeting mobile telecommunications and business process outsourcing organizations to initiate phone number ports (also known as SIM swaps). Octo Tempest monetized their intrusions in 2022 by selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals to steal their cryptocurrency.

Building on their initial success, Octo Tempest harnessed their experience and acquired data to progressively advance their motives, targeting, and techniques, adopting an increasingly aggressive approach. In late 2022 to early 2023, Octo Tempest expanded their targeting to include cable telecommunications, email, and technology organizations. During this period, Octo Tempest started monetizing intrusions by extorting victim organizations for data stolen during their intrusion operations and in some cases even resorting to physical threats.

In mid-2023, Octo Tempest became an affiliate of ALPHV/BlackCat, a human-operated ransomware as a service (RaaS) operation, and initial victims were extorted for data theft (with no ransomware deployment) using ALPHV Collections leak site. This is notable in that, historically, Eastern European ransomware groups refused to do business with native English-speaking criminals. By June 2023, Octo Tempest started deploying ALPHV/BlackCat ransomware payloads (both Windows and Linux versions) to victims and lately has focused their deployments primarily on VMWare ESXi servers. Octo Tempest progressively broadened the scope of industries targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services.  

In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data. Octo Tempest leverages tradecraft that many organizations don’t have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques. This blog post aims to provide organizations with an insight into Octo Tempest’s tradecraft by detailing the fluidity of their operations and to offer organizations defensive mechanisms to thwart the highly motivated financial cybercriminal group.

Analysis 

The well-organized, prolific nature of Octo Tempest’s attacks is indicative of extensive technical depth and multiple hands-on-keyboard operators. The succeeding sections cover the wide range of TTPs we observed being used by Octo Tempest.

Initial access 

Social engineering with a twist

Octo Tempest commonly launches social engineering attacks targeting technical administrators, such as support and help desk personnel, who have permissions that could enable the threat actor to gain initial access to accounts. The threat actor performs research on the organization and identifies targets to effectively impersonate victims, mimicking idiolect on phone calls and understanding personal identifiable information to trick technical administrators into performing password resets and resetting multifactor authentication (MFA) methods. Octo Tempest has also been observed impersonating newly hired employees in these attempts to blend into normal on-hire processes.

Octo Tempest primarily gains initial access to an organization using one of several methods:

• Social engineering
  • Calling an employee and socially engineering the user to either:
    • Install a Remote Monitoring and Management (RMM) utility
    • Navigate to a site configured with a fake login portal using an adversary-in-the-middle toolkit
    • Remove their FIDO2 token
  • Calling an organization’s help desk and socially engineering the help desk to reset the user’s password and/or change/add a multi-factor authentication token/factor
• Purchasing an employee’s credentials and/or session token(s) on a criminal underground market
• SMS phishing employee phone numbers with a link to a site configured with a fake login portal using an adversary-in-the-middle toolkit
• Using the employee’s pre-existing access to mobile telecommunications and business process outsourcing organizations to initiate a SIM swap or to set up call number forwarding on an employee’s phone number. Octo Tempest will initiate a self-service password reset of the user’s account once they have gained control of the employee’s phone number.

In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts. These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access.

Reconnaissance and discovery 

Crossing borders for identity, architecture, and controls enumeration

In the early stage of their attacks, Octo Tempest performs various enumeration and information gathering actions to pursue advanced access in targeted environments and abuses legitimate channels for follow-on actions later in the attack sequence. Initial bulk-export of users, groups, and device information is closely followed by enumerating data and resources readily available to the user’s profile within virtual desktop infrastructure or enterprise-hosted resources. 

Frequently, Octo Tempest uses their access to carry out broad searches across knowledge repositories to identify documents related to network architecture, employee onboarding, remote access methods, password policies, and credential vaults.

Octo Tempest then performs exploration through multi-cloud environments enumerating access and resources across cloud environments, code repositories, server and backup management infrastructure, and others. In this stage, the threat actor validates access, enumerates databases and storage containers, and plans footholds to aid further phases of the attack.

Additional tradecraft and techniques:

• PingCastle and ADRecon to perform reconnaissance of Active Directory 
• Advanced IP Scanner to probe victim networks
• Govmomi Go library to enumerate vCenter APIs 
• PureStorage FlashArray PowerShell module to enumerate storage arrays 
• AAD bulk downloads of user, groups, and devices

Privilege escalation and credential access

Octo Tempest commonly elevates their privileges within an organization through the following techniques:

• Using their pre-existing access to mobile telecommunications and business process outsourcing organizations to initiate a SIM swap or to set up call number forwarding on an employee’s phone number. Octo Tempest will initiate a self-service password reset of the user’s account once they have gained control of the employee’s phone number.
• Social engineering – calling an organization’s help desk and socially engineering the help desk to reset an administrator’s password and/or change/add a multi-factor authentication token/factor

Further masquerading and collection for escalation

Octo Tempest employs an advanced social engineering strategy for privilege escalation, harnessing stolen password policy procedures, bulk downloads of user, group, and role exports, and their familiarity with the target organizations procedures. The actor’s privilege escalation tactics often rely on building trust through various means, such as leveraging possession of compromised accounts and demonstrating an understanding of the organization’s procedures. In some cases, they go as far as bypassing password reset procedures by using a compromised manager’s account to approve their requests.

Octo Tempest continually seeks to collect additional credentials across all planes of access. Using open-source tooling like Jercretz and TruffleHog, the threat actor automates the identification of plaintext keys, secrets, and credentials across code repositories for further use.

Additional tradecraft and techniques:

• Modifying access policies or using MicroBurst to gain access to credential stores
• Using open-source tooling: Mimikatz, Hekatomb, Lazagne, gosecretsdump, smbpasswd.py, LinPEAS, ADFSDump
• Using VMAccess Extension to reset passwords or modify configurations of Azure VMs
• Creating snapshots virtual domain controller disks to download and extract NTDS.dit
• Assignment of User Access Administrator role to grant Tenant Root Group management scope

Defense evasion

Security product arsenal sabotage

Octo Tempest compromises security personnel accounts within victim organizations to turn off security products and features and attempt to evade detection throughout their compromise. Using compromised accounts, the threat actor leverages EDR and device management technologies to allow malicious tooling, deploy RMM software, remove or impair security products, data theft of sensitive files (e.g. files with credentials, signal messaging databases, etc.), and deploy malicious payloads.

To prevent identification of security product manipulation and suppress alerts or notifications of changes, Octo Tempest modifies the security staff mailbox rules to automatically delete emails from vendors that may raise the target’s suspicion of their activities.

Additional tradecraft and techniques:

• Using open-source tooling like privacy.sexy framework to disable security products
• Enrolling actor-controlled devices into device management software to bypass controls
• Configuring trusted locations in Conditional Access Policies to expand access capabilities
• Replaying harvested tokens with satisfied MFA claims to bypass MFA

Persistence 

Sustained intrusion with identities and open-source tools

Octo Tempest leverages publicly available security tools to establish persistence within victim organizations, largely using account manipulation techniques and implants on hosts. For identity-based persistence, Octo Tempest targets federated identity providers using tools like AADInternals to federate existing domains, or spoof legitimate domains by adding and then federating new domains. The threat actor then abuses this federation to generate forged valid security assertion markup language (SAML) tokens for any user of the target tenant with claims that have MFA satisfied, a technique known as Golden SAML. Similar techniques have also been observed using Okta as their source of truth identity provider, leveraging Okta Org2Org functionality to impersonate any desired user account.

To maintain access to endpoints, Octo Tempest installs a wide array of legitimate RMM tools and makes required network modifications to enable access. The usage of reverse shells is seen across Octo Tempest intrusions on both Windows and Linux endpoints. These reverse shells commonly initiate connections to the same attacker infrastructure that deployed the RMM tools.

A unique technique Octo Tempest uses is compromising VMware ESXi infrastructure, installing the open-source Linux backdoor Bedevil, and then launching VMware Python scripts to run arbitrary commands against housed virtual machines.

Additional tradecraft and techniques:

• Usage of open-source tooling: ScreenConnect, FleetDeck, AnyDesk, RustDesk, Splashtop, Pulseway, TightVNC, LummaC2, Level.io, Mesh, TacticalRMM, Tailscale, Ngrok, WsTunnel, Rsocx, and Socat
• Deployment of Azure virtual machines to enable remote access via RMM installation or modification to existing resources via Azure serial console
• Addition of MFA methods to existing users
• Usage of the third-party tunneling tool Twingate, which leverages Azure Container instances as a private connector (without public network exposure)

Actions on objectives

Common trifecta: Data theft, extortion, and ransomware

The goal of Octo Tempest remains financially motivated, but the monetization techniques observed across industries vary between cryptocurrency theft and data exfiltration for extortion and ransomware deployment.

Like in most cyberattacks, data theft largely depends on the data readily available to the threat actor. Octo Tempest accesses data from code repositories, large document management and storage systems, including SharePoint, SQL databases, cloud storage blobs/buckets, and email, using legitimate management clients such as DBeaver, MongoDB Compass, Azure SQL Query Editor, and Cerebrata for the purpose of connection and collection. After data harvesting, the threat actor employs anonymous file-hosting services, including GoFile.io, shz.al, StorjShare, Temp.sh, MegaSync, Paste.ee, Backblaze, and AWS S3 buckets for data exfiltration.

Octo Tempest employs a unique technique using the data movement platform Azure Data Factory and automated pipelines to extract data to external actor hosted Secure File Transfer Protocol (SFTP) servers, aiming to blend in with typical big data operations. Additionally, the threat actor commonly registers legitimate Microsoft 365 backup solutions such as Veeam, AFI Backup, and CommVault to export the contents of SharePoint document libraries and expedite data exfiltration.

Ransomware deployment closely follows data theft objectives. This activity targets both Windows and Unix/Linux endpoints and VMware hypervisors using a variant of ALPHV/BlackCat. Encryption at the hypervisor level has shown significant impact to organizations, making recovery efforts difficult post-encryption.

Octo Tempest frequently communicates with target organizations and their personnel directly after encryption to negotiate or extort the ransom—providing “proof of life” through samples of exfiltrated data. Many of these communications have been leaked publicly, causing significant reputational damage to affected organizations.

Additional tradecraft and techniques:

• Use of the third-party services like FiveTran to extract copies of high-value service databases, such as SalesForce and ZenDesk, using API connectors
• Exfiltration of mailbox PST files and mail forwarding to external mailboxes

Recommendations

Hunting methodology

Octo Tempest’s utilization of social engineering, living-off-the land techniques, and diverse toolsets could make hunting slightly unorthodox. Following these general guidelines alongside robust deconfliction with legitimate users will surface their activity:

Identity

• Understand authentication flows in the environment.
• Centralize visibility of administrative changes in the environment into a single pane of glass.
• Scrutinize all user and sign-in risk detections for any administrator within the timeframe. Common alerts that are surfaced during an Octo Tempest intrusion include (but not limited to): Impossible Travel, Unfamiliar Sign-in Properties, and Anomalous Token
• Review the coverage of Conditional Access policies; scrutinize the use of trusted locations and exclusions.
• Review all existing and new custom domains in the tenant, and their federation settings.
• Scrutinize administrator groups, roles, and privileges for recent modification.
• Review recently created Microsoft Entra ID users and registered device identities.
• Look for any anomalous pivots into organizational apps that may hold sensitive data, such as Microsoft SharePoint and OneDrive.

Azure

• Leverage and continuously monitor Defender for Cloud for Azure Workloads, providing a wealth of information around unauthorized resource access.
• Review Azure role-based access control (RBAC) definitions across the management group, subscription, resource group and resource structure.
• Review the public network exposure of resources and revoke any unauthorized modifications.
• Review both data plane and management plane access control for all critical workloads such as those that hold credentials and organizational data, like Key Vaults, storage accounts, and database resources.
• Tightly control access to identity workloads that issue access organizational resources such as Active Directory Domain Controllers.
• Review the Azure Activity log for anomalous modification of resources.

Endpoints

• Look for recent additions to the indicators or exclusions of the EDR solution in place at the organization.
• Review any generation of offboarding scripts.
• Review access control within security products and EDR software suites.
• Scrutinize any tools used to manage endpoints (SCCM, Intune, etc.) and look for recent rule additions, packages, or deployments.
• Scrutinize use of remote administration tools across the environment, paying particular attention to recent installations regardless of whether they are used legitimately within the network already.
• Ensure monitoring at the network boundary is in place, that alerting is in place for connections with common anonymizing services and scrutinize the use of these services.

Defending against Octo Tempest activity

Align privilege in Microsoft Entra ID and Azure

Privileges spanning Microsoft Entra ID and Azure need to be holistically aligned, with purposeful design decisions to prevent unauthorized access to critical workloads. Reducing the number of users with permanently assigned critical roles is paramount to achieving this. Segregation of privilege between on-premises and cloud is also necessary to sever the ability to pivot within the environment.

It is highly recommended to implement Microsoft Entra Privileged Identity Management (PIM) as a central location for the management of both Microsoft Entra ID roles and Azure RBAC. For all critical roles, at minimum:

• Implement role assignments as eligible rather than permanent.
• Review and understand the role definition Actions and NotActions – ensure to select only the roles with actions that the user requires to do their role (least privileged access).
• Configure these roles to be time-bound, deactivating after a specific timeframe.
• Require users to perform MFA to elevate to the role.
• Optionally require users to provide justification or a ticket number upon elevation.
• Enable notifications for privileged role elevation to a subset of administrators.
• Utilize PIM Access Reviews to reduce standing access in the organization on a periodic basis.

Every organization is different and, therefore, roles will be classified differently in terms of their criticality. Consider the scope of impact those roles may have on downstream resources, services, or identities in the event of compromise. For help desk administrators specifically, ensure to scope privilege to exclude administrative operations over Global Administrators. Consider implementing segregation strategies such as Microsoft Entra ID Administrative Units to segment administrative access over the tenant. For identities that leverage cross-service roles such as those that service the Microsoft Security Stack, consider implementing additional service-based granular access control to restrict the use of sensitive functionality, like Live Response and modification of IOC allow lists.

Segment Azure landing zones

For organizations yet to begin or are early in their modernization journey, end-to-end guidance for cloud adoption is available through the Microsoft Azure Cloud Adoption Framework. Recommended practice and security are central pillars—Azure workloads are segregated into separate, tightly restricted areas known as landing zones. When deploying Active Directory in the cloud, it is advised to create a platform landing zone for identity—a dedicated subscription to hold all Identity-related resources such as Domain Controller VM resources. Employ least privilege across this landing zone with the aforementioned privilege and PIM guidance for Azure RBAC.

Implement Conditional Access policies and authentication methods

TTPs outlined in this blog leverage strategies to evade multifactor authentication defenses. However, it is still strongly recommended to practice basic security hygiene by implementing a baseline set of Conditional Access policies:

• Require multifactor authentication for all privileged roles with the use of authentication strengths to enforce phish-resistant MFA methods such as FIDO2 security keys
• Require phishing-resistant multifactor authentication for administrators
• Enforce MFA registration from trusted locations from a device that also meets organizational requirements with Intune device compliance policies
• User and sign-in risk policies for signals associated to Microsoft Entra ID Protection

Organizations are recommended to keep their policies as simple as possible. Implementing complex policies might inhibit the ability to respond to threats at a rapid pace or allow threat actors to leverage misconfigurations within the environment.

Develop and maintain a user education strategy

An organization’s ability to protect itself against cyberattacks is only as strong as its people—it is imperative to put in place an end-to-end cybersecurity strategy highlighting the importance of ongoing user education and awareness. Targeted education and periodic security awareness campaigns around common cyber threats and attack vectors such as phishing and social engineering not only for users that hold administrative privilege in the organization, but the wider user base is crucial. A well-maintained incident response plan should be developed and refined to enable organizations to respond to unexpected cybersecurity events and rapidly regain positive control.

Use out-of-band communication channels

Octo Tempest has been observed joining, recording, and transcribing calls using tools such as OtterAI, and sending messages via Slack, Zoom, and Microsoft Teams, taunting and threatening targets, organizations, defenders, and gaining insights into incident response operations/planning. Using out-of-band communication channels is strongly encouraged when dealing with this threat actor.

Detections

Microsoft 365 Defender

Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.

NOTE: Several tools mentioned throughout this blog are remote administrator tools that have been utilized by Octo Tempest to maintain persistence. While these tools are abused by threat actors, they can have legitimate use cases by normal users, and are updated on a frequent basis. Microsoft recommends monitoring their use within the environment, and when they are identified, defenders take the necessary steps for deconfliction to verify their use.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

• HackTool:Win32/Mimikatz
• HackTool:Win64/Mimikatz
• Behavior:Win32/BlackCatExec
• Ransom:Win32/Blackcat
• Ransom:Linux/BlackCat
• Behavior:Win32/BlackCat
• Ransom:Win64/BlackCat

Turning on tamper protection, which is part of built-in protection, prevents attackers from stopping security services.

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

• Octo Tempest activity group

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

• Suspicious usage of remote management software
• Mimikatz credential theft tool
• BlackCat ransomware
• Activity linked to BlackCat ransomware
• Tampering activity typical to ransomware attacks
• Possible hands-on-keyboard pre-ransom activity

Microsoft Defender for Cloud Apps

Using Microsoft Defender for Cloud Apps connectors, Microsoft 365 Defender raises AitM-related alerts in multiple scenarios. For Microsoft Entra ID customers using Microsoft Edge, attempts by attackers to replay session cookies to access cloud applications are detected by Microsoft 365 Defender through Defender for Cloud Apps connectors for Microsoft Office 365 and Azure. In such scenarios, Microsoft 365 Defender raises the following alerts:

• Backdoor creation using AADInternals tool
• Suspicious domain added to Microsoft Entra ID
• Suspicious domain trust modification following risky sign-in
• User compromised via a known AitM phishing kit
• User compromised in AiTM phishing attack
• Suspicious email deletion activity

Similarly, the connector for Okta raises the following alerts:

• Suspicious Okta account enumeration
• Possible AiTM phishing attempt in Okta

Microsoft Defender for Identity

Microsoft Defender for Identity raises the following alerts for TTPs used by Octo Tempest such as NTDS stealing and Active Directory reconnaissance:

• Account enumeration reconnaissance
• Network-mapping reconnaissance (DNS)
• User and IP address reconnaissance (SMB)
• User and Group membership reconnaissance (SAMR)
• Suspected DCSync attack (replication of directory services)
• Suspected AD FS DKM key read
• Data exfiltration over SMB

Microsoft Defender for Cloud

The following Microsoft Defender for Cloud alerts relate to TTPs used by Octo Tempest. Note, however, that these alerts can also be triggered by unrelated threat activity.

• MicroBurst exploitation toolkit used to enumerate resources in your subscriptions
• MicroBurst exploitation toolkit used to execute code on your virtual machine
• MicroBurst exploitation toolkit used to extract keys from your Azure key vaults
• MicroBurst exploitation toolkit used to extract keys to your storage accounts
• Suspicious Azure role assignment detected
• Suspicious elevate access operation (Preview)
• Suspicious invocation of a high-risk ‘Initial Access’ operation detected (Preview)
• Suspicious invocation of a high-risk ‘Credential Access’ operation detected (Preview)
• Suspicious invocation of a high-risk ‘Data Collection’ operation detected (Preview)
• Suspicious invocation of a high-risk ‘Execution’ operation detected (Preview)
• Suspicious invocation of a high-risk ‘Impact’ operation detected (Preview)
• Suspicious invocation of a high-risk ‘Lateral Movement’ operation detected (Preview)
• Unusual user password reset in your virtual machine
• Suspicious usage of VMAccess extension was detected on your virtual machines (Preview)
• Suspicious usage of multiple monitoring or data collection extensions was detected on your virtual machines (Preview)
• Run Command with a suspicious script was detected on your virtual machine (Preview)
• Suspicious Run Command usage was detected on your virtual machine (Preview)
• Suspicious unauthorized Run Command usage was detected on your virtual machine (Preview)

Microsoft Sentinel

Microsoft Sentinel customers can use the following Microsoft Sentinel Analytics template to identify potential AitM phishing attempts:

• Possible AitM Phishing Attempt Against Azure AD

This detection uses signals from Microsoft Entra ID Identity Protection and looks for successful sign-ins that have been flagged as high risk. It combines this with data from web proxy services, such as ZScaler, to identify where users might have connected to the source of those sign-ins immediately prior. This can indicate a user interacting with an AitM phishing site and having their session hijacked. This detection uses the Advanced Security Information Model (ASIM) Web Session schema. Refer to this article for more details on the schema and its requirements. 

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection info, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Octo Tempest
• Octo Tempest uses social engineering and AADInternals to compromise cloud identities

Microsoft 365 Defender Threat analytics  

• Actor profile: Octo Tempest
• Threat insights: Octo Tempest uses social engineering and AADInternals to compromise cloud identities

Hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.

• Suspicious sign-in followed by MFA modification
• Account MFA modifications
• Okta SSO phishing detection
• Okta rare MFA operations
• Okta login from different locations
• Okta user password reset
• SharePointFileOperation via clientIP with previously unseen user agents
• SharePointFileOperation via devices with previously unseen user agents
• SharePointFileOperation via previously unseen IPs of risky ASN’s
• SharePointFileOperation via previously unseen IPs
• Anomalous AAD account manipulation
• New external user granted admin
• Anomolous sign-ins based on time
• New account added to admin group
• Authentication methods changed for privileged account
• Rare run command PowerShell script
• Azure NSG administrative operations
• Rare operations of create and update of snapshots
• AdFind usage
• Anomalous listing of storage keys
• Storage account key enumeration
• Potential Microsoft Security services tampering
• Potential Microsoft Defender tampering
• Office mail forwarding
• Multiple users Office mail forwarding

Further reading

Listen to Microsoft experts discuss Octo Tempest TTPs and activities on The Microsoft Threat Intelligence Podcast.

Visit this page for more blogs from Microsoft Incident Response.

For more security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

November 1, 2023 update: Updated the Actions of objectives section to fix the list of anonymous file-hosting services used by Octo Tempest for data exfiltration, which incorrectly listed Sh.Azl. It has been corrected to shz.al.

The post Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction appeared first on Microsoft Security Blog.

At Microsoft, we aim to help our customers meet the range of today’s security demands—together. In this environment, it is not a surprise that organizations are looking to do more with less and turning to managed security services to help their security teams.

Microsoft Security Experts

Extend your ability to defend and manage with a comprehensive line of services from the experts at Microsoft.

Learn more

Microsoft Defender Experts for XDR

In preview last year, Microsoft Defender Experts for XDR is now generally available. This managed extended detection and response (MXDR) service helps customers alleviate some of their most pressing pain points, including alert fatigue, scarce cybersecurity resources, and a limited ability to look end-to-end—beyond the endpoints—to visualize and correlate threat data across their entire digital environment. For most companies, security isn’t their core business. Defender Experts for XDR can help customers drive security operations center (SOC) efficiency and add security expertise to their team quickly, freeing up their time to work on other security priorities.

Microsoft Defender Experts for XDR helps SOC teams focus on what matters, triaging and investigating prioritized incidents on your behalf. Our Defender Experts are available around the clock to chat about specific incidents or alerts, so your team can get immediate confirmation or clarification on a particular incident. Also, they provide detailed best practices and recommendations to help your team prevent future attacks and improve your overall security posture.

To learn more about Defender Experts for XDR, read through our blog that walks through how the service works or watch our explainer video to see the service in action.

Microsoft Defender Experts for Hunting

Microsoft Defender Experts for Hunting is generally available for customers who look to Microsoft to proactively hunt for threats across Microsoft Defender data—including endpoints, email, cloud applications, and identity. Defender Experts for Hunting combines human expertise and hunter-trained AI to probe deeper to expose threats and correlate across your security stack. Improve your SOC response and prioritize significant threats with timely notifications and analysis by our expert threat hunters. And if you have questions, you can contact our Experts on Demand directly within your Microsoft Defender portal.

To learn more about how we approach active threat hunting, read through our Threat Hunting Survival Guide, or read about our participation in MITRE’s first managed services evaluation.

Microsoft Incident Response

For customers that want help remediating a complex breach (or avoiding one altogether), Microsoft Incident Response (Microsoft IR) offers an end-to-end portfolio of proactive and reactive incident response services. We’ve been helping customers with their toughest incident response challenges since 2008. And we created Microsoft IR to be the first call for customers before, during, and after an incident. We operate in 190 countries and our incident responders are seasoned veterans with more than a combined 1,000 years of career experience resolving attacks from ransomware criminals to the most sophisticated nation-state threat actor groups.

Proactive services can help organizations identify and mitigate risks before they become incidents. This includes services such as compromise assessments, threat hunting, and incident response planning. We know companies that put proactive measures in place detect breaches 108 days faster than those without support (214 days compared to 322 days).³ Reactive services can help organizations respond to a breach quickly and effectively to mitigate damage. This includes services such as incident investigation, containment, and remediation.

Since our last update, Microsoft Incident Response Retainer is now generally available. This new option is designed to give our customers a proactive way to get IR support from Microsoft and was designed to work with cyber insurance. The Microsoft IR Retainer is a flexible and scalable service that can help organizations of all sizes prepare for and respond to cyber incidents. The retainer includes pre-paid hours that provide organizations with peace of mind knowing that they have the resources they need to respond to an incident, regardless of its size or complexity. And if reactive services are not needed, the pre-paid hours can be reallocated to proactive services that help shore up the organization’s security posture. The Microsoft Incident Response Retainer is a valuable tool for organizations of all sizes that want to be prepared for the unexpected. View the explainer video for more information.

To learn more about all our Incident Response services—including the newly available retainer—visit our Microsoft Incident Response webpage or go behind the scenes for an inside look at real-life cyberattack investigations in the Cyberattack Series.

Expert-led security transformation

Microsoft Security Enterprise Services (Enterprise Services), formerly known as Microsoft Security Services for Modernization, has restructured its offerings and is now more focused on helping customers meet modern security needs. These services are ideal for large enterprises that want to leverage Microsoft best practices and know-how as they continue their security transformation. Enterprise Services offers hands-on expertise and advisory services to assess and create your modern organizational cybersecurity strategy. These offerings provide planning and operations expertise to help you mitigate business risks and meet compliance requirements to ensure your business is future-ready. The services have recently been combined into two core expertise areas:

Security Cyber Resilience: End-to-end services to modernize and secure your digital estate including identities, data, applications, and devices across Microsoft Azure and multicloud environments. Microsoft Security Cyber Resilience helps safeguard your digital estate and create a transformation program of change, strategy, and operating models.

Security Operations: Secure your digital estate and safeguard critical information and assets with a security strategy and framework designed and implemented to respond to the modern threat landscape. Security Operations helps create—and action—a program of change for cybersecurity to make your digital estate more secure.

Working alongside our partners

Cybersecurity is a team sport. Too often, organizations play it outnumbered and outsmarted by the attacker. For most companies, cybersecurity is not their core business, and hiring specialized resources to address these concerns can be a challenge. Most customers rely on a trusted security provider in some capacity to help them on their security journey.

Microsoft partners provide robust services and the ability to uniquely customize their offering to your needs. Service providers commonly protect across the breadth of your estate including Microsoft and other third-party security tools. Microsoft’s partners also routinely provide customized service level agreements, data regulatory and industry specialization, and other specialized services aligned with the specific needs you may have, ranging from remotely managed supplementary services to your in-house team through full outsourcing services as required. Microsoft Security Experts services were built to work alongside partner services, and we frequently partner with them on customer requests and design feedback for our solutions.

Over the previous 12 months, more than 40 partners in the Microsoft Cloud Partner Program with Security designations have now received this verified MXDR engineering verification. If you are considering adding MXDR services, we recommend reviewing one of Microsoft’s verified MXDR service partners.

Looking to the future

As we continue to face new cybersecurity challenges, Microsoft will continue to evolve our Microsoft Security Experts services through our innovative engineering practices while leveraging the immense power of AI and other breakthrough technologies to help protect individuals, businesses, and more. Visit the Microsoft Security Experts page to learn more.

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

Get the latest resources

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.  

¹Revealing New Opportunities for the Cybersecurity Workforce, (ISC)2. 2022.

²Top Risks in Cybersecurity 2023, Bipartisan Policy Center. February 13, 2023.

³Cost of a Data Breach Report 2023, IBM. 2023.

The post Expanded Microsoft Security Experts offerings provide comprehensive protection appeared first on Microsoft Security Blog.

Cybersecurity threats to large events and venues are diverse and complex. They require constant vigilance and collaboration among stakeholders to prevent and mitigate escalation. With the global sports market valued at more than USD600 billion, sports teams, major league and global sporting associations, and attendees house a trove of valuable information desirable to cyber criminals.¹

Unfortunately, this information is made increasingly vulnerable by the growing number of connected venues, and with the number of devices and interconnected networks in these environments, sports teams as well as major league and global sporting associations and attendees house a trove of valuable information desirable to cybercriminals.

Venue IT systems and arenas contain hundreds of known and unknown vulnerabilities that allow threat actors to target critical business services such as point of sale, IT infrastructures, and visitor devices. Teams, coaches, and athletes themselves are also vulnerable to data loss on athletic performance, competitive advantage, and personal information. Attendee personal identifiable information can also be targeted through vulnerable event digital amenities, like companion mobile apps, wireless hotspots, and QR codes with malicious URLs.

Cyber Signals

The fifth edition of Cyber Signals looks at threats to large venues, and sporting and entertainment events.

Read the report

Microsoft Defender Experts for Hunting developed comprehensive cybersecurity defenses for Qatari facilities and organizations supporting the soccer tournament. Defender Experts for Hunting conducted an initial risk assessment, factoring in threat actor profiles, adversary tactics, techniques, and procedures, and other global intelligence from our telemetry. We ultimately analyzed more than 634.4 million events while providing cybersecurity defenses for Qatari facilities and organizations throughout November and December of 2022.    

With sporting and entertainment events at large, there is a level of cyber risk and vulnerability that does not exist in other environments. Because some of these events come together quickly, often with new partners and vendors acquiring access to enterprise networks that are perceived as temporary, they are often not designed for evaluation and ongoing refinement of the security posture.

In addition to the pre-planning required to support this unique security apparatus, venues consider the privacy risk associated with temporary, ad-hoc, and permanent cyber infrastructure. That means understanding and acknowledging if configurations needed to support the event potentially add additional risk or vulnerability.

To safeguard against cybersecurity threats, sports, associations, teams, and venues must adopt robust protective measures. First and foremost, they should prioritize the implementation of a comprehensive and multilayered security framework. This includes deploying firewalls, intrusion detection and prevention systems, and strong encryption protocols to fortify the network against unauthorized access and data breaches. Regular security audits and vulnerability assessments should be conducted to identify and address any weaknesses within the network infrastructure.

Furthermore, user awareness and training programs are crucial to educating employees and stakeholders about cybersecurity best practices, such as recognizing phishing emails, using multifactor authentication or passwordless protection, and avoiding suspicious links or downloads. Additionally, it is essential to partner with reputable cybersecurity firms to continuously monitor network traffic, detect potential threats in real time, and respond swiftly to any security incidents. By adopting these proactive measures, sports associations, teams, and venues can significantly enhance their resilience against cyberattacks and protect both their own infrastructure and the sensitive information of their patrons.

Learn more in this fifth edition of Cyber Signals.

Learn more

Learn more about Microsoft Defender Experts for Hunting.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Global Sports Market Forecast to 2032: Sector is Expected to Reach $623.63 Billion in 2027 at a CAGR of 5%, Globe Newswire. May 3, 2023.

The post Cyber Signals: Sporting events and venues draw cyberthreats at increasing rates appeared first on Microsoft Security Blog.

Microsoft Defender Experts for XDR

Meet the new first-party MXDR services from Microsoft with end-to-end protection and expertise.

Learn more

Defender Experts for XDR builds on Microsoft’s industry-leading XDR suite

Industry-leading technologies serve as the backbone of any managed security service, and Defender Experts for XDR builds on the defining benchmark that Microsoft 365 Defender has set in the extended detection and response space. Microsoft was named a Leader in The Forrester New Wave™: Extended Detection and Response (XDR), Q4, 2021, one of only two providers to be named a Leader.⁵ Microsoft 365 Defender was rated as “differentiated” in seven criteria including detection, investigation, response, and remediation. Forrester noted that our decision to regulate inputs into XDR, specifically to rich, native telemetry, yields tailored detection, investigation, response, and mitigation capabilities.

Forrester notes that “there is a deep divide in the XDR market between those far along the path and those just starting to deliver on the vision of XDR” and those mature providers “combine the best elements of their portfolios, including industry-leading products, to simplify incident response and build targeted, high-efficacy detections.”

The right and leading technologies are crucial to implementing managed services. Microsoft has a leading endpoint detection and response (EDR) solution, and while EDR is important and serves a valuable purpose, it is insufficient as the only method to protect against evolving threats.⁶ In addition, “too many tools, or worse, duplicate tools in the SOC [security operations center] need to be rationalized and managed security services like MDR [managed detection and response] are increasingly seen as not only a cost savings opportunity but also as a way to rapidly mature their capabilities.”⁷ With Microsoft’s XDR solution coupled with Defender Experts for XDR, we can deliver end-to-end protection and expertise.

How Microsoft Defender Experts for XDR works

Our Defender Experts team delivers the essential human element that complements the power of our Microsoft 365 Defender suite. They are the tip of the spear—taking unparalleled access to data and intelligence across nation-state and e-crime activity, new vulnerability data, newly observed tactics and techniques, and more to analyze and curate a hypothesis-led hunting strategy to find emerging, suspicious activities, and in turn deliver expertise to your security team immediately to help address coverage gaps and augment your overall security operations.

Figure 1. This diagram describes how Microsoft conducts its four-step Defender Experts for XDR process. It starts with triage and prioritizing Microsoft 365 Defender incidents and alerts to alleviate alert fatigue. Microsoft investigates and analyzes the most critical incidents first, documenting the process and findings. In the response step, Microsoft helps contain and mitigate incidents faster by delivering step-by-step guided and managed response, with Defender Experts available on-demand by live chat. Detailed recommendations and best practices are then provided to prevent future attacks. This process delivers continuous security posture improvements around the clock.

As an extension of your team, Defender Experts for XDR empowers you to respond with confidence. Our Defender Experts work around the clock, monitoring your environment and triaging the incidents that need immediate attention. In the event your organization is being affected by a critical incident, our team will investigate it, correlate the threat data to determine the root cause, and provide step-by-step response actions you need to take to contain and remediate the threat. You can take it further and give us permission to contain and remediate the threat for you.

Figure 2. This graphic shows a multistage incident in Microsoft 365 Defender. It includes the attack story of the active alerts related to the incident as well as the Defender Experts section that shows the guided response that includes the actions needed to resolve the incident immediately.

This is all available to you in a turnkey experience, where you can get up and running in hours, with the help of your dedicated service delivery manager (SDM)—your trusted advisor, who is available to you at any given time. And if you have any questions or need additional context on a particular incident, you can access our experts around the clock through live chat. Our detailed, real-time reporting shows you the comprehensive details of investigations into critical incidents, and how long it takes for our team to conduct the investigations on your behalf.

Figure 3. The graph highlights the number of hours that a customer spent completing guided response tasks and the potential time savings a customer can realize if Defender Experts for XDR handles response on their behalf.

“Defender Experts for XDR found a shadow IT detection on the first day of service,” said Mike Johnson, Global Cyber Threat and Incident Response Security Operations Center Manager at Verifone. “I was impressed that they found a real issue for us so fast—none of our other tools alerted us about it.”

Defender Experts for XDR also provides recommendations on how your team can be proactive to prevent the next attack and reduce the number of incidents over time to improve your security posture. “Organizations who need to augment their SOC with 24/7 coverage and immediate access to expertise that will help them quickly triage, investigate, and respond to incidents should explore a managed XDR service,“ said Craig Robinson, Vice President of Security Services at IDC Research. “Microsoft’s new MXDR service positions them to support the needs of organizations facing talent shortages who need to scale their security programs quickly, address coverage gaps, and protect their environment.”

Learn more about Microsoft Defender Experts for XDR

Defender Experts for XDR can quickly deliver expertise to your security teams, help address coverage gaps, and add capabilities like proactive threat hunting to augment your overall security operations. Our customers and partners have been instrumental in the development of Defender Experts for XDR and your continued trust in us drives our team to listen, learn, and adapt to meet your evolving needs. We’re excited about the road ahead and look forward to being a part of your security journey and building a safer world for everyone.

To learn more about the service, visit the Microsoft Defender Experts for XDR web page, read the Defender Experts for XDR docs page, download the datasheet, or watch a short video.

Cybersecurity and AI news

Discover the latest trends and best practices in cyberthreat protection and AI for cybersecurity.

Get the latest resources

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Building a safer world together with our partners—introducing Microsoft Security Experts, Vasu Jakkal. May 9, 2022.

²Microsoft Defender Experts for Hunting proactively hunts threats, Microsoft Security Experts. August 3, 2022.

³Microsoft Defender Experts for Hunting demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations for Managed Services, Ryan Kivett. November 9, 2022.

⁴Meet unprecedented security challenges by leveraging MXDR services, Microsoft Security Experts. July 10, 2023.

⁵Forrester Research, Inc., The Forrester New Wave™: Extended Detection And Response (XDR) Providers, Q4 2021, Allie Mellen, Joseph Blankenship, Alexis Tatro, Peggy Dostie. October 13, 2021.

⁶Microsoft is named a Leader in the 2022 Gartner® Magic Quadrant™ for Endpoint Protection Platforms, Rob Lefferts. March 2, 2023.

⁷Applying the Lessons Learned from 2022 Is Vital for Security Service Providers to Secure Growth in 2023, Doc #US50206623, IDC. February 2023.

The post Microsoft Defender Experts for XDR helps triage, investigate, and respond to cyberthreats appeared first on Microsoft Security Blog.

Looking at the steady rise in cybercrime, it can feel like there are only gray skies on the horizon. Since September 2021 we saw the number of password attacks rise from 579¹ to 1,287² per second. That’s a staggering increase. But at Microsoft, we’re moving into the new year full of hope and resolution. We center our actions around the belief that cybersecurity is about people—to protect, involve, and empower everyone.

We’re committed to innovating against the threats of today and tomorrow by harnessing AI, machine learning, and cloud technologies all brought together in an end-to-end security cloud. Since July 2022, Microsoft Security has delivered more than 300 product innovations—from minor updates to major launches like Microsoft Entra Workload Identities (November 2022). In addition, we now have more than 15,000 partners integrated across our security ecosystem so customers have the power to choose what works best for them. In a time when security professionals are being asked to do more with less—fewer people, scant resources, and less time—Microsoft has responded with a simplified, comprehensive security approach that protects your entire multicloud, multiplatform digital estate. And we continue to foster a diverse, inclusive new generation of cyber defenders who will keep us all moving ahead—fearlessly. Here’s a look at some of our newest innovations to help you move into the new year with confidence.

Unified innovations to protect you comprehensively and make your job easier

According to Microsoft research, 72 percent of chief information security officers (CISOs) and other C-level security professionals say that it’s very important for a technology vendor to offer a comprehensive set of products across security, compliance, and identity.³ We continue to respond to this need, and over the past year, we’ve streamlined and simplified our security solutions into six integrated product families designed to decrease your costs and enable growth. This simplification makes it easier for you to anticipate vulnerabilities, manage risks, and navigate a rapidly evolving threat landscape and regulatory environment. This comprehensive solution with interconnected product families cover extended detection and response (XDR), security information and event management (SIEM), threat intelligence, identity and access management (IAM), endpoint management, cloud security, and data protection, compliance, and privacy. For organizations that want to extend their ability to defend and manage threats, we’ve added a new line of managed services—Microsoft Security Experts.

Integrated security defense

As cyberattacks become more sophisticated, Microsoft continues to keep pace. We’re always pushing our limits and improving our products to help you eliminate security gaps and protect more with less. During the latter half of 2022, we extended our vision of simplified, unified protection—delivering hundreds of innovations to help protect your entire digital estate. Some of our notable launches over the past six months include:

• Microsoft Defender for IoT adds agentless monitoring to secure enterprise IoT devices like Voice over Internet Protocol (VoIP), printers, and smart TVs—as well as Operational Technology (OT) devices in critical industries like energy, manufacturing, and healthcare.⁴ A dedicated integration with Microsoft 365 Defender adds XDR for Internet of Things (IoT) devices, which means less complexity and greater visibility within one unified security operational center. These entry points can be used to escalate laterally across your network and are often overlooked. 
• Microsoft Defender Cloud Security Posture Management (in preview), helps your security teams save time and remediate critical risks with contextual cloud security. Get a continuous security assessment of your resources running across Microsoft Azure, Amazon Web Services (AWS), Google Cloud, and on-premises systems with new agentless scanning capabilities that provide real-time assessments across hybrid and multicloud environments. 
• Microsoft Defender for DevOps (also in preview) integrates with Defender Cloud Security Posture Management to further connect the dots for security operations (SecOps) teams. Defender for DevOps empowers your team to unify and strengthen DevOps security to minimize vulnerabilities, then effectively prioritize and drive remediation across multipipeline environments. 
• Microsoft Defender External Attack Surface Management also integrates with Defender Cloud Security Posture Management to help provide a better picture of your attack surface, including shadow IT and other unseen assets accumulated through normal business growth. This gives SecOps the ability to discover unknown resources that are accessible from the internet—the same view an attacker has when selecting a target. With this new tool, your team is empowered to maintain a dynamic inventory of external resources across multiple cloud and hybrid environments, helping to monitor unmanaged resources that could serve as potential entry points. 
• Microsoft Defender Threat Intelligence empowers your team to better track threat actor activity and patterns.⁵ Uncover attacker infrastructure so you can accelerate your investigation and remediation with more context, insights, and analysis. Armed with this real-time data, your team can proactively hunt for threats, undertake custom threat intelligence processes and investigations, and even improve the performance of third-party security products.
• Microsoft Defender Experts for Hunting provides a proactive threat-hunting service for customers who would prefer to have Microsoft experts help them hunt down threats using Microsoft Defender data.⁶ This new service covers not only endpoints, but also Microsoft Office 365, cloud applications, and identity. Our experts will investigate anything they find, then hand off contextual alert information and remediation instructions, enabling your team to respond quickly. 

Integrated data and identity protection

A recent industry study found that phishing, password spray, multifactor authentication fatigue, and other identity-driven attacks now account for 61 percent of breaches.⁷ And during the third quarter of 2022, approximately 15 million data records were breached worldwide—a 37 percent increase over the previous quarter.⁸ Because our adversaries aren’t slowing their attacks, we’ve continued to innovate and expand capabilities for Microsoft Entra, Microsoft Intune, and Microsoft Purview to help your team protect user identities, their endpoints, and the precious data that keep your business going.

• Microsoft Entra Permissions Management (formerly CloudKnox Security) is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility and control over permissions for any identity and any resource in Azure, AWS, and Google Cloud.⁹ With Permissions Management, organizations can discover, remediate, and monitor permissions for all identities and resources across multicloud environments. This empowers your team to enforce the Zero Trust principle of least-privilege access at cloud scale using historical data—improving your security without interrupting productivity.
• Microsoft Entra Workload Identities extends advanced capabilities, such as Conditional Access and Identity Protection, to better manage lifecycles with insight into access activities and protect your non-human identities as well. 
• Microsoft Entra Verified ID—for Microsoft Azure Active Directory (Azure AD) subscribers (free and premium)—provides provides an easy option to issue, request, and verify credentials for employment, education, or any other claim.¹⁰ This decentralized identity system offers a convenient, portable way to verify your identity while controlling your own data.
• Microsoft Entra certificate-based authentication (CBA) through Azure AD strengthens access controls and helps organizations reduce infrastructure costs, so even customers who have regulatory requirements for CBA can move authentication to the cloud and eliminate the need for Active Directory Federation Services (AD FS).
• Microsoft Entra Identity Governance is a complete identity cloud-delivered governance solution to ensure that only the right people have access to the right resources. This service includes more advanced tools—lifecycle workflows that automate repetitive tasks like employee onboarding and separation of duties, which introduces checks and balances within entitlements management and provisioning back to your on-premises applications——and capabilities that were already available in Azure AD.
• Microsoft Purview Data Loss Prevention and new capabilities focused on granular policy configuration and context for post-incident investigation on endpoint devices help users make informed decisions and take the right actions while using sensitive data, helping balance security and productivity. A recent survey by MDC Research shows that a majority of customers purchase three or more products to meet their compliance and data protection needs. Stitching together disparate solutions is not only resource-intensive but also could lead to potential blind spots and gaps in an organization’s data protection strategy.¹¹
• Microsoft Purview Information Protection for Adobe Document Cloud provides a rights-management solution that helps you protect your data when shared in documents. This portable data protection solution combines native classification and labeling capabilities with the power of Adobe Acrobat to seamlessly secure PDFs with sensitivity labels and user-defined permissions. Available for Windows and macOS.
• Microsoft Purview Insider Risk Management offers analytics, quicker policy creation capabilities, new file path, keyword, and site URL exclusions to reduce false positives, and a new policy type to help detect risky browsing usage help organizations detect risky insider activities that may lead to a data security incident.¹² Data breaches arising from insider threats cost businesses an average of USD7.5 million annually. Our holistic insider risk management program report showed that the most effective way to address insider risks is to build a program focused on empowering your people, making user privacy a priority, collaborating across leadership, and addressing data protection and insider risk management from multiple lenses.¹³
• Microsoft Purview eDiscovery APIs help organizations lower costs by leveraging automation to streamline repetitive workflows. The automation and extensibility of eDiscovery workflows help reduce staff hours and the likelihood of costly human errors, which is critical for organizations with complex requirements for litigation and investigation.

Looking back, I am appreciative for all we’ve accomplished. These innovations across the Microsoft Security comprehensive solution empower your team to move into this year with confidence—six integrated product families to help you protect what matters most.

Creating a safer world for all is our north star; it’s what drives us toward relentless innovation. We hope you will join us in this goal and discover new ways to stay ahead of the bad actors. Today, Microsoft Security helps to protect billions of people around the globe. Our ability to process trillions of signals daily gives us a unique vantage point to scan the threat landscape and help protect against sophisticated new attacks. As proof, the number of Microsoft Security customers almost doubled in the last year to more than 860,000 worldwide. That’s why Microsoft is driving the future of cybersecurity by continuing to invest in AI, machine learning, and cloud technologies.

Join us at Microsoft Secure to hear about future innovations

Be among the first to hear important security announcements from Microsoft leaders and learn how your organization can eliminate security gaps and cut costs with simplified, comprehensive protection for the new year at Microsoft Secure on March 28, 2023. This new digital event will bring our customers, partners, and the defender community together to share perspectives on navigating the security landscape and to build on real-world experience. Register today!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

¹The passwordless future is here for your Microsoft account, Vasu Jakkal. September 15, 2021.

²Microsoft Entra: 5 identity priorities for 2023, Joy Chik. January 9, 2023.

³Microsoft Security audience tracking research, November 2022.

⁴Introducing security for unmanaged devices in the Enterprise network with Microsoft Defender for IoT, Michal Braverman-Blumenstyk and Nir Giller. July 11, 2022.

⁵Microsoft announces new solutions for threat intelligence and attack surface management, Vasu Jakkal. August 2, 2022.

⁶Microsoft Defender Experts for Hunting proactively hunts threats, Microsoft Security Experts. August 3, 2022.

⁷50 Identity And Access Security Stats You Should Know In 2022, Caitlin Jones. January 6, 2023.

⁸Number of data records exposed worldwide from 1st quarter 2020 to 3rd quarter 2022, Statista. November 29, 2022.

⁹Microsoft Entra Permissions Management is now generally available, Alex Simons. July 7, 2022.

¹⁰Microsoft Entra Verified ID now generally available, Ankur Patel. August 8, 2022.

¹¹New capabilities that help proactively secure data with Microsoft Purview Data Loss Prevention, Shilpa Bothra. October 12, 2022.

¹²Detecting and investigating security risks with new capabilities from Insider Risk Management, Talhah Mir. October 12, 2022.

¹³Microsoft publishes new report on holistic insider risk management, Bret Arsenault. October 6, 2022.

The post Microsoft Security innovations from 2022 to help you create a safer world today appeared first on Microsoft Security Blog.

We provided a seamless, comprehensive, and rapid response to the simulated attack using expert-led threat hunting and an industry-leading extended detection and response (XDR) platform—Microsoft 365 Defender. This evaluation showcased our service’s strength in the following areas:

• In-depth visibility and analytics across all stages of the attack chain.
• Comprehensive managed hunting.
• Seamless alert prioritization and consolidation into notifications for the security operations center (SOC).
• Tailored hunting guidance and advanced hunting queries (AHQ) to optimize investigations.
• Frequently updated and customized recommendations for rapid containment and remediation.
• Threat actor attribution with tactics, techniques, and procedures (TTP) context.
• Technology powered by a team of expert hunters and customer-centric approach.
• Commitment to managed extended detection and response (MXDR) partners running on Microsoft 365 Defender.

In-depth visibility and analytics across all stages of the attack chain

Figure 1. Microsoft Defender Experts for Hunting coverage. Fully reported—including initial access, execution, persistence, credential access, lateral movement, and collection—reflects 100 percent acceptance of evidence submission. Majority reported—including defense evasion, discovery, exfiltration, and command and control—reflects some gaps in evidence acceptance.

Comprehensive managed hunting

Microsoft Defender Experts for Hunting team identified all threats and provided a cohesive attack timeline with remediation guidance.

From the early stages of the intrusion, our hunters alerted the customer that a malicious archive masquerading as marketing materials was potentially part of a targeted attack. After a user opened the archive, a threat actor, which we attributed with high confidence as EUROPIUM, gained access to the environment.

Over the next few days, the threat actor used this foothold to steal credentials, move laterally in the network, deploy a web shell on an Exchange Server, and escalate privileges in the domain. The threat actor ultimately used their access to target sensitive data on an SQL server. Based on available telemetry, we reported that the threat actor staged sensitive data and may have successfully exfiltrated the data through email using a malicious RDAT utility.

Microsoft threat hunters discovered and investigated all of the essential and impactful TTPs used in this evaluation.

Seamless alert prioritization and consolidation into notifications for the SOC

From initial malware execution to data theft, Microsoft 365 Defender seamlessly detected and correlated alerts from all stages of the attack chain into two overarching incidents that provided end-to-end attack stories (see Figure 2). Microsoft 365 Defender’s incident correlation technology helps SOC analysts to counter alert fatigue, and our hunters then enrich these incidents by finding new attacks with the existing deep signals and custom alerting.

Figure 2. Consolidated incidents enriched by Defender Experts for Hunting as illustrated in the above tags.

Our hunters followed up on automated alerting with Defender Expert notifications (DENs) to provide additional context on the threat activity with an executive summary, threat actor attribution, detailed scope of impact, recommendations, and advanced hunting queries to self-serve investigations and response actions. This human enrichment helps the customer prioritize their time and focused actions in the SOC.

Figure 3. Beginning of incident executive summary provided by Defender Experts.

Tailored hunting guidance and AHQ to optimize investigations

Within the DENs, our hunters additionally provided tailored hunting guidance and AHQs to enable investigators to hunt for and identify relevant attack activity in each incident. Figure 4 shows one example where we directly flagged to the customer that a series of file modification events were consistent with data exfiltration attempts.

Figure 4. Example of running provided AHQs to surface activity of interest.

Frequently updated and customized recommendations for containment and remediation

Throughout the attack, our hunters regularly shared remediation guidance to aid the customer in a rapid response (Figure 5). As the incident developed, using the Recommendation Summary, we kept the customer apprised of the scope of the attack and the efforts needed to contain it.

Figure 5. Excerpt of custom recommendations in the Microsoft 365 Defender portal.

Threat actor attribution with TTP context

Microsoft Defender Experts for Hunting provided the customer with nation-state attribution based on observed TTPs and behaviors. We identified the activity was consistent with the threat actor EUROPIUM, also known as APT34 and OilRig, which Microsoft has observed as far back as 2015. EUROPIUM is a well-resourced actor capable of multiple types of attacks—from spear phishing and social engineering to remote exploitation of internet-facing devices.

We leveraged this attribution to provide valuable incident context, such as potential intrusion goals and relevant TTP, to the customer.

Figure 6. Incident attribution in Microsoft 365 Defender portal.

Technology powered by a team of expert hunters

The Microsoft philosophy in this evaluation was to represent product truth and real-world service delivery for our customers. We participated in the evaluation using our Defender Experts for Hunting team and product capabilities and configurations that we expect customers to use. As you review evaluation results, you should consider additional aspects including depth and durability of protection, completeness of signals, actionable insights, and the quality of what our hunters provided to enrich both the incidents and component alerts. All of these factors are critical in delivering a world-class hunting service to protect real customer production environments.

Commitment to MXDR partners running on Microsoft 365 Defender

Microsoft supported several of our verified MXDR partners in this evaluation. Our collaborative efforts reinforce our commitment to our MSSP partners’ success in building managed extended detection and response services to meet growing demand and support our joint customers.

We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.

Read more about the MITRE Managed Services Evaluations.

Learn more

Learn more about Microsoft Defender Experts for Hunting.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

© November 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

The post Microsoft Defender Experts for Hunting demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations for Managed Services appeared first on Microsoft Security Blog.