This case highlights a growing class of cyberattacks that exploit trust, collaboration platforms, and built-in tooling, and underscores why defenders must be prepared to detect and disrupt these techniques before they escalate. Read the full report to dive deeper into this vishing breach of trust.

What happened?

Once remote interactive access was established, the threat actor shifted from social engineering to hands-on keyboard compromise, steering the user toward a malicious website under their control. Evidence gathered from browser history and Quick Assist artifacts showed the user was prompted to enter corporate credentials into a spoofed web form, which then initiated the download of multiple malicious payloads. One of the earliest artifacts—a disguised Microsoft Installer (MSI) package—used trusted Windows mechanisms to sideload a malicious dynamic link library (DLL) and establish outbound command-and-control, allowing the threat actor to execute code under the guise of legitimate software.

Subsequent payloads expanded this foothold, introducing encrypted loaders, remote command execution through standard administrative tooling, and proxy-based connectivity to obscure threat actor activity. Over time, additional components enabled credential harvesting and session hijacking, giving the threat actor sustained, interactive control within the environment and the ability to operate using techniques designed to blend in with normal enterprise activity rather than trigger overt alarms.

How did Microsoft respond?

Given the growing pattern of identity-first intrusions that begin with collaboration-based social engineering, DART moved quickly to contain risk and validate scope. The team confirmed that the compromise originated from a successful Microsoft Teams voice phishing interaction and immediately prioritized actions to prevent identity or directory-level impact. Through focused investigation, we established that the activity was short-lived and limited in reach, allowing responders to concentrate on early-stage tooling and entry points to understand how access was achieved and constrained.

To disrupt the intrusion, DART conducted targeted eviction and applied tactical containment controls to protect privileged assets and restrict lateral movement. Using proprietary forensic and investigation tooling, the team collected and analyzed evidence across affected systems, validated that threat actor objectives were not met, and confirmed the absence of persistence mechanisms. These actions enabled rapid recovery while helping to ensure the environment was fully secured before declaring the incident resolved.

What can customers do to strengthen their defenses?

Human nature works against us in these cyberattacks. Employees are conditioned to be responsive, helpful, and collaborative, especially when requests appear to come from internal IT or support teams. Threat actors exploit that instinct, using voice phishing and collaboration tools to create a sense of urgency and legitimacy that can override caution in the moment.

To mitigate exposure, DART recommends organizations take deliberate steps to limit how social engineering attacks can propagate through Microsoft Teams and how legitimate remote access tools can be misused. This starts with tightening external collaboration by restricting inbound communications from unmanaged Teams accounts and implementing an allowlist model that permits contact only from trusted external domains. At the same time, organizations should review their use of remote monitoring and management tools, inventory what is truly required, and remove or disable utilities—such as Quick Assist—where they are unnecessary.

Together, these measures help shrink the attack surface, reduce opportunities for identity-driven compromise, and make it harder for threat actors to turn human trust into initial access, while preserving the collaboration employees rely on to do their work.

What is the Cyberattack Series?

In our Cyberattack Series, customers discover how DART investigates unique and notable attacks. For each cyberattack story, we share:

• How the cyberattack happened.
• How the breach was discovered.
• Microsoft’s investigation and eviction of the threat actor.
• Strategies to avoid similar cyberattacks.

DART is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. We’re here for customers with dedicated experts to work with you before, during, and after a cybersecurity incident.

Learn more

To learn more about DART capabilities, please visit our website, or reach out to your Microsoft account manager or Premier Support contact. To learn more about the cybersecurity incidents described above, including more insights and information on how to protect your own organization, download the full report.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2025.

The post Help on the line: How a Microsoft Teams support call led to compromise appeared first on Microsoft Security Blog.

Microsoft maintains a continuous effort to protect its platforms and customers from fraud and abuse. From blocking imposters on Microsoft Azure and adding anti-scam features to Microsoft Edge, to fighting tech support fraud with new features in Windows Quick Assist, this edition of Cyber Signals takes you inside the work underway and important milestones achieved that protect customers.

We are all defenders. 

Between April 2024 and April 2025, Microsoft:

• Thwarted $4 billion in fraud attempts.
• Rejected 49,000 fraudulent partnership enrollments.
• Blocked about 1.6 million bot signup attempts per hour.

The evolution of AI-enhanced cyber scams

AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate. AI software used in fraud attempts runs the gamut, from legitimate apps misused for malicious purposes to more fraud-oriented tools used by bad actors in the cybercrime underground.

AI tools can scan and scrape the web for company information, helping cyberattackers build detailed profiles of employees or other targets to create highly convincing social engineering lures. In some cases, bad actors are luring victims into increasingly complex fraud schemes using fake AI-enhanced product reviews and AI-generated storefronts, where scammers create entire websites and e-commerce brands, complete with fake business histories and customer testimonials. By using deepfakes, voice cloning, phishing emails, and authentic-looking fake websites, threat actors seek to appear legitimate at wider scale.

According to the Microsoft Anti-Fraud Team, AI-powered fraud attacks are happening globally, with much of the activity coming from China and Europe, specifically Germany due in part to Germany’s status as one of the largest e-commerce and online services markets in the European Union (EU). The larger a digital marketplace in any region, the more likely a proportional degree of attempted fraud will take place.

E-commerce fraud

Fraudulent e-commerce websites can be set up in minutes using AI and other tools requiring minimal technical knowledge. Previously, it would take threat actors days or weeks to stand up convincing websites. These fraudulent websites often mimic legitimate sites, making it challenging for consumers to identify them as fake. 

Using AI-generated product descriptions, images, and customer reviews, customers are duped into believing they are interacting with a genuine merchant, exploiting consumer trust in familiar brands.

AI-powered customer service chatbots add another layer of deception by convincingly interacting with customers. These bots can delay chargebacks by stalling customers with scripted excuses and manipulating complaints with AI-generated responses that make scam sites appear professional.

In a multipronged approach, Microsoft has implemented robust defenses across our products and services to protect customers from AI-powered fraud. Microsoft Defender for Cloud provides comprehensive threat protection for Azure resources, including vulnerability assessments and threat detection for virtual machines, container images, and endpoints.

Microsoft Edge features website typo protection and domain impersonation protection using deep learning technology to help users avoid fraudulent websites. Edge has also implemented a machine learning-based Scareware Blocker to identify and block potential scam pages and deceptive pop-up screens with alarming warnings claiming a computer has been compromised. These attacks try to frighten users into calling fraudulent support numbers or downloading harmful software.

Job and employment fraud

The rapid advancement of generative AI has made it easier for scammers to create fake listings on various job platforms. They generate fake profiles with stolen credentials, fake job postings with auto-generated descriptions, and AI-powered email campaigns to phish job seekers. AI-powered interviews and automated emails enhance the credibility of job scams, making it harder for job seekers to identify fraudulent offers.

To prevent this, job platforms should introduce multifactor authentication for employer accounts to make it harder for bad actors to take over legitimate hirers’ listings and use available fraud-detection technologies to catch suspicious content.

Fraudsters often ask for personal information, such as resumes or even bank account details, under the guise of verifying the applicant’s information. Unsolicited text and email messages offering employment opportunities that promise high pay for minimal qualifications are typically an indicator of fraud.

Employment offers that include requests for payment, offers that seem too good to be true, unsolicited offers or interview requests over text message, and a lack of formal communication platforms can all be indicators of fraud.

Tech support scams

Tech support scams are a type of fraud where scammers trick victims into unnecessary technical support services to fix a device or software problems that don’t exist. The scammers may then gain remote access to a computer—which lets them access all information stored on it, and on any network connected to it or install malware that gives them access to the computer and sensitive data.

Tech support scams are a case where elevated fraud risks exist, even if AI does not play a role. For example, in mid-April 2024, Microsoft Threat Intelligence observed the financially motivated and ransomware-focused cybercriminal group Storm-1811 abusing Windows Quick Assist software by posing as IT support. Microsoft did not observe AI used in these attacks; Storm-1811 instead impersonated legitimate organizations through voice phishing (vishing) as a form of social engineering, convincing victims to grant them device access through Quick Assist. 

Quick Assist is a tool that enables users to share their Windows or macOS device with another person over a remote connection. Tech support scammers often pretend to be legitimate IT support from well-known companies and use social engineering tactics to gain the trust of their targets. They then attempt to employ tools like Quick Assist to connect to the target’s device. 

Quick Assist and Microsoft are not compromised in these cyberattack scenarios; however, the abuse of legitimate software presents risk Microsoft is focused on mitigating. Informed by Microsoft’s understanding of evolving cyberattack techniques, the company’s anti-fraud and product teams work closely together to improve transparency for users and enhance fraud detection techniques. 

The Storm-1811 cyberattacks highlight the capability of social engineering to circumvent security defenses. Social engineering involves collecting relevant information about targeted victims and arranging it into credible lures delivered through phone, email, text, or other mediums. Various AI tools can quickly find, organize, and generate information, thus acting as productivity tools for cyberattackers. Although AI is a new development, enduring measures to counter social engineering attacks remain highly effective. These include increasing employee awareness of legitimate helpdesk contact and support procedures, and applying Zero Trust principles to enforce least privilege across employee accounts and devices, thereby limiting the impact of any compromised assets while they are being addressed. 

Microsoft has taken action to mitigate attacks by Storm-1811 and other groups by suspending identified accounts and tenants associated with inauthentic behavior. If you receive an unsolicited tech support offer, it is likely a scam. Always reach out to trusted sources for tech support. If scammers claim to be from Microsoft, we encourage you to report it directly to us at http://approjects.co.za/?big=reportascam. 

Building on the Secure Future Initiative (SFI), Microsoft is taking a proactive approach to ensuring our products and services are “Fraud-resistant by Design.” In January 2025, a new fraud prevention policy was introduced: Microsoft product teams must now perform fraud prevention assessments and implement fraud controls as part of their design process. 

Recommendations

• Strengthen employer authentication: Fraudsters often hijack legitimate company profiles or create fake recruiters to deceive job seekers. To prevent this, job platforms should introduce multifactor authentication and Verified ID as part of Microsoft Entra ID for employer accounts, making it harder for unauthorized users to gain control.
• Monitor for AI-based recruitment scams: Companies should deploy deepfake detection algorithms to identify AI-generated interviews where facial expressions and speech patterns may not align naturally.
• Be cautious of websites and job listings that seem too good to be true: Verify the legitimacy of websites by checking for secure connections (https) and using tools like Microsoft Edge’s typo protection.
• Avoid providing personal information or payment details to unverified sources: Look for red flags in job listings, such as requests for payment or communication through informal platforms like text messages, WhatsApp, nonbusiness Gmail accounts, or requests to contact someone on a personal device for more information.

Using Microsoft’s security signal to combat fraud

Microsoft is actively working to stop fraud attempts using AI and other technologies by evolving large-scale detection models based on AI, such as machine learning, to play defense by learning from and mitigating fraud attempts. Machine learning is the process that helps a computer learn without direct instruction using algorithms to discover patterns in large datasets. Those patterns are then used to create a comprehensive AI model, allowing for predictions with high accuracy.

We have developed in-product safety controls that warn users about potential malicious activity and integrate rapid detection and prevention of new types of attacks.

Our fraud team has developed domain impersonation protection using deep-learning technology at the domain creation stage, to help protect against fraudulent e-commerce websites and fake job listings. Microsoft Edge has incorporated website typo protection, and we have developed AI-powered fake job detection systems for LinkedIn.

Microsoft Defender Smartscreen is a cloud-based security feature that aims to prevent unsafe browsing habits by analyzing websites, files, and applications based on their reputation and behavior. It is integrated into Windows and the Edge browser to help protect users from phishing attacks, malicious websites, and potentially harmful downloads.

Furthermore, Microsoft’s Digital Crimes Unit (DCU) partners with others in the private and public sector to disrupt the malicious infrastructure used by criminals perpetuating cyber-enabled fraud. The team’s longstanding collaboration with law enforcement around the world to respond to tech support fraud has resulted in hundreds of arrests and increasingly severe prison sentences worldwide. The DCU is applying key learnings from past actions to disrupt those who seek to abuse generative AI technology for malicious or fraudulent purposes. 

Quick Assist features and remote help combat tech support fraud

To help combat tech support fraud, we have incorporated warning messages to alert users about possible tech support scams in Quick Assist before they grant access to someone approaching them purporting to be an authorized IT department or other support resource.

Windows users must read and click the box to acknowledge the security risk of granting remote access to the device.

Microsoft has significantly enhanced Quick Assist protection for Windows users by leveraging its security signal. In response to tech support scams and other threats, Microsoft now blocks an average of 4,415 suspicious Quick Assist connection attempts daily, accounting for approximately 5.46% of global connection attempts. These blocks target connections exhibiting suspicious attributes, such as associations with malicious actors or unverified connections.

Microsoft’s continual focus on advancing Quick Assist safeguards seeks to counter adaptive cybercriminals, who previously targeted individuals opportunistically with fraudulent connection attempts, but more recently have sought to target enterprises with more organized cybercrime campaigns that Microsoft’s actions have helped disrupt.

Our Digital Fingerprinting capability, which leverages AI and machine learning, drives these safeguards by providing fraud and risk signals to detect fraudulent activity. If our risk signals detect a possible scam, the Quick Assist session is automatically ended. Digital Fingerprinting works by collecting various signals to detect and prevent fraud.

For enterprises combating tech support fraud, Remote Help is another valuable resource for employees. Remote Help is designed for internal use within an organization and includes features that make it ideal for enterprises.

By reducing scams and fraud, Microsoft aims to enhance the overall security of its products and protect its users from malicious activities.

Consumer protection tips

Fraudsters exploit psychological triggers such as urgency, scarcity, and trust in social proof. Consumers should be cautious of:

• Impulse buying—Scammers create a sense of urgency with “limited-time” deals and countdown timers.
• Trusting fake social proof—AI generates fake reviews, influencer endorsements, and testimonials to appear legitimate.
• Clicking on ads without verification—Many scam sites spread through AI-optimized social media ads. Consumers should cross-check domain names and reviews before purchasing.
• Ignoring payment security—Avoid direct bank transfers or cryptocurrency payments, which lack fraud protections.

Job seekers should verify employer legitimacy, be on the lookout for common job scam red flags, and avoid sharing personal or financial information with unverified employers.

• Verify employer legitimacy—Cross-check company details on LinkedIn, Glassdoor, and official websites to verify legitimacy.
• Notice common job scam red flags—If a job requires upfront payments for training materials, certifications, or background checks, it is likely a scam. Unrealistic salaries or no-experience-required remote positions should be approached with skepticism. Emails from free domains (such as johndoehr@gmail.com instead of hr@company.com) are also typically indicators of fraudulent activity.
• Be cautious of AI-generated interviews and communications—If a video interview seems unnatural, with lip-syncing delays, robotic speech, or odd facial expressions, it could be deepfake technology at work. Job seekers should always verify recruiter credentials through the company’s official website before engaging in any further discussions.
• Avoid sharing personal or financial information—Under no circumstances should you provide a Social Security number, banking details, or passwords to an unverified employer.

Microsoft is also a member of the Global Anti-Scam Alliance (GASA), which aims to bring governments, law enforcement, consumer protection organizations, financial authorities and providers, brand protection agencies, social media, internet service providers, and cybersecurity companies together to share knowledge and protect consumers from getting scammed.

Recommendations

• Remote Help: Microsoft recommends using Remote Help instead of Quick Assist for internal tech support. Remote Help is designed for internal use within an organization and incorporates several features designed to enhance security and minimize the risk of tech support hacks. It is engineered to be used only within an organization’s tenant, providing a safer alternative to Quick Assist.
• Digital Fingerprinting: This identifies malicious behaviors and ties them back to specific individuals. This helps in monitoring and preventing unauthorized access.
• Blocking full control requests: Quick Assist now includes warnings and requires users to check a box acknowledging the security implications of sharing their screen. This adds a layer of helpful “security friction” by prompting users who may be multitasking or preoccupied to pause to complete an authorization step.

Kelly Bissell: A cybersecurity pioneer combating fraud in the new era of AI

Kelly Bissell’s journey into cybersecurity began unexpectedly in 1990. Initially working in computer science, Kelly was involved in building software for healthcare patient accounting and operating systems at Medaphis and Bellsouth, now AT&T.

His interest in cybersecurity was sparked when he noticed someone logged into a phone switch attempting to get free long-distance calls and traced the intruder back to Romania. This incident marked the beginning of Kelly’s career in cybersecurity.

“I stayed in cybersecurity hunting for bad actors, integrating security controls for hundreds of companies, and helping shape the NIST security frameworks and regulations such as FFIEC, PCI, NERC-CIP,” he explains.

Currently, Kelly is Corporate Vice President of Anti-Fraud and Product Abuse within Microsoft Security. Microsoft’s fraud team employs machine learning and AI to build better detection code and understand fraud operations. They use AI-powered solutions to detect and prevent cyberthreats, leveraging advanced fraud detection frameworks that continuously learn and evolve.

“Cybercrime is a trillion-dollar problem, and it’s been going up every year for the past 30 years. I think we have an opportunity today to adopt AI faster so we can detect and close the gap of exposure quickly. Now we have AI that can make a difference at scale and help us build security and fraud protections into our products much faster.”

Previously Kelly managed the Microsoft Detection and Response Team (DART) and created the Global Hunting, Oversight, and Strategic Triage (GHOST) team that detected and responded to attackers such as Storm-0558 and Midnight Blizzard.

Prior to Microsoft, during his time at Accenture and Deloitte, Kelly collaborated with companies and worked extensively with government agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation, where he helped build security systems inside their operations.

His time as Chief Information Security Officer (CISO) at a bank exposed him to addressing both cybersecurity and fraud, leading to his involvement in shaping regulatory guidelines to protect banks and eventually Microsoft.

Kelly has also played a significant role in shaping regulations around the National Institute of Standards and Technology (NIST) and Payment Card Industry (PCI) compliance, which helps ensure the security of businesses’ credit card transactions, among others.

Internationally, Kelly played a crucial role in helping establish agencies and improve cybersecurity measures. As a consultant in London, he helped stand up the United Kingdom’s National Cyber Security Centre (NCSC), which is part of the Government Communications Headquarters (GCHQ), the equivalent of CISA. Kelly’s efforts in content moderation with several social media companies, including YouTube, were instrumental in removing harmful content.

That’s why he’s excited about Microsoft’s partnership with GASA. GASA brings together governments, law enforcement, consumer protection organizations, financial authorities, internet service providers, cybersecurity companies, and others to share knowledge and define joint actions to protect consumers from getting scammed.

“If I protect Microsoft, that’s good, but it’s not sufficient. In the same way, if Apple does their thing, and Google does their thing, but if we’re not working together, we’ve all missed the bigger opportunity. We must share cybercrime information with each other and educate the public. If we can have a three-pronged approach of tech companies building security and fraud protection into their products, public awareness, and sharing cybercrime and fraudster information with law enforcement, I think we can make a big difference,” he says.

Next steps with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Methodology: Microsoft platforms and services, including Azure, Microsoft Defender for Office, Microsoft Threat Intelligence, and Microsoft Digital Crimes Unit (DCU), provided anonymized data on threat actor activity and trends. Additionally, Microsoft Entra ID provided anonymized data on threat activity, such as malicious email accounts, phishing emails, and attacker movement within networks. Additional insights are from the daily security signals gained across Microsoft, including the cloud, endpoints, the intelligent edge, and telemetry from Microsoft platforms and services. The $4 billion figure represents an aggregated total of fraud and scam attempts against Microsoft and our customers in consumer and enterprise segments (in 12 months).

The post Cyber Signals Issue 9 | AI-powered deception: Emerging fraud threats and countermeasures appeared first on Microsoft Security Blog.

The evolution of ransomware attacks

Modern ransomware campaigns are meticulously planned. Cyberattackers understand that their chances of securing a ransom increase significantly if they can inflict widespread damage across a victim’s environment. The rationale is simple: paying the ransom becomes the most viable option when the alternative—restoring the environment and recovering data—is technically unfeasible, time-consuming, and costly.

This level of damage happens in minutes and even seconds, where bad actors embed themselves within an organization’s environment, laying the groundwork for a coordinated cyberattack that can encrypt dozens, hundreds, or even thousands of devices within minutes. To execute such a campaign, threat actors must overcome several challenges such as evading protection, mapping the network, maintaining their code execution ability, and preserving persistency in the environment, building their way to securing two major prerequisites necessary to execute ransomware on multiple devices simultaneously:

• High-privilege accounts: Whether cyberattackers choose to drop files and encrypt the devices locally or perform remote operations over the network, they must obtain the ability to authenticate to a device. In an on-premises environment, cyberattackers usually target domain admin accounts or other high-privilege accounts, as those can authenticate to the most critical resources in the environment.
• Access to central network assets: To execute the ransomware attack as fast and as wide as possible, threat actors aim to achieve access to a central asset in the network that is exposed to many endpoints. Thus, they can leverage the possession of high-privilege accounts and connect to all devices visible in their line of sight.

The role of domain controllers in ransomware campaigns

Domain controllers are the backbone of any on-premises environment, managing identity and access through Active Directory (AD). They play a pivotal role in enabling cyberattackers to achieve their goals by fulfilling two critical requirements:

1. Compromising highly privileged accounts

Domain controllers house the AD database, which contains sensitive information about all user accounts, including highly privileged accounts like domain admins. By compromising a domain controller, threat actors can:

• Extract password hashes: Dumping the NTDS.dit file allows cyberattackers to obtain password hashes for every user account.
• Create and elevate privileged accounts: Cyberattackers can generate new accounts or manipulate existing ones, assigning them elevated permissions, ensuring continued control over the environment.

With these capabilities, cyberattackers can authenticate as highly privileged users, facilitating lateral movement across the network. This level of access enables them to deploy ransomware on a scale, maximizing the impact of their attack.

2. Exploiting centralized network access

Domain controllers handle crucial tasks like authenticating users and devices, managing user accounts and policies, and keeping the AD database consistent across the network. Because of these important roles, many devices need to interact with domain controllers regularly to ensure security, efficient resource management, and operational continuity. That’s why domain controllers need to be central in the network and accessible to many endpoints, making them a prime target for cyberattackers looking to cause maximum damage with ransomware attacks.

Given these factors, it’s no surprise that domain controllers are frequently at the center of ransomware operations. Cyberattackers consistently target them to gain privileged access, move laterally, and rapidly deploy ransomware across an environment. We’ve seen in more than 78% of human-operated cyberattacks, threat actors successfully breach a domain controller. Additionally, in more than 35% of cases, the primary spreader device—the system responsible for distributing ransomware at scale—is a domain controller, highlighting its crucial role in enabling widespread encryption and operational disruption.

Case study: Ransomware attack using a compromised domain controller

In one notable case, a small-medium manufacturer fell victim to a well-known, highly skilled threat actor attempting to execute a widespread Akira ransomware attack:

Pre domain-compromise activity

After gaining initial access, presumably through leveraging the customer’s VPN infrastructure, and prior to obtaining domain admin privileges, the cyberattackers initiated a series of actions focused on mapping potential assets and escalating privileges. A wide, remote execution of secrets dump is detected on Microsoft Defender for Endpoint-onboarded devices and User 1 (domain user) is contained by attack disruption.

Post domain-compromise activity

Once securing domain admin (User 2) credentials, potentially through leveraging the victim’s non-onboarded estate, the attacker immediately attempts to connect to the victim’s domain controller (DC1) using Remote Desktop Protocol (RDP) from the cyberattacker’s controlled device. When gaining access to DC1, the cyberattacker leverages the device to perform the following set of actions:

• Reconnaissance—The cyberattacker leverages the domain controller’s wide network visibility and high privileges to map the network using different tools, focusing on servers and network shares.
• Defense evasion—Leveraging the domain controller’s native group policy functionality, the cyberattacker attempts to tamper with the victim’s antivirus by modifying security-related group policy settings.
• Persistence—The cyberattacker leverages the direct access to Active Directory, creating new domain users (User 3 and User 4) and adding them to the domain admin group, thus establishing a set of highly privileged users that would later on be used to execute the ransomware attack.

Encryption over the network

Once the cyberattacker takes control over a set of highly privileged users, this provides them access to any domain-joined resource, including comprehensive network access and visibility. It will also allow them to set up tools for the encryption phase of the cyberattack.

Assuming they’re able to validate a domain controller’s effectiveness, they begin by running the payload locally on the domain controller. Attack disruption detects the threat actor’s attempt to run the payload and contains User 2, User 3, and the cyberattacker-controlled device used to RDP to the domain controller.

After successfully containing Users 2 and 3, the cyberattacker proceeded to log in to the domain controller using User 4, who had not yet been utilized. After logging into the device, the cyberattacker attempted to encrypt numerous devices over the network from the domain controller, leveraging the access provided by User 4.

Attack disruption detects the initiation of encryption over the network and automatically granularly contains device DC1 and User 4, blocking the attempted remote encryption on all Microsoft Defender for Endpoint-onboarded and targeted devices.

Protecting your domain controllers

Given the central role of domain controllers in ransomware attacks, protecting them is critical to preventing large-scale damage. However, securing domain controllers is particularly challenging due to their fundamental role in network operations. Unlike other endpoints, domain controllers must remain highly accessible to authenticate users, enforce policies, and manage resources across the environment. This level of accessibility makes it difficult to apply traditional security measures without disrupting business continuity. Hence, security teams constantly face the complex challenge of striking the right balance between security and operational functionality.

To address this challenge, Defender for Endpoint introduced contain high value assets (HVA), an expansion of our contain device capability designed to automatically contain HVAs like domain controllers in a granular manner. This feature builds on Defender for Endpoint’s capability to classify device roles and criticality levels to deliver a custom, role-based containment policy, meaning that if a sensitive device, such a domain controller, is compromised, it is immediately contained in less than three minutes, preventing the cyberattacker from moving laterally and deploying ransomware, while at the same time maintaining the operational functionality of the device. The ability of the domain controller to distinguish between malicious and benign behavior helps keep essential authentication and directory services up and running. This approach provides rapid, automated cyberattack containment without sacrificing business continuity, allowing organizations to stay resilient against sophisticated human-operated cyberthreats.

Now your organization’s domain controllers can leverage automatic attack disruption as an extra line of defense against malicious actors trying to overtake high value assets and exert costly ransomware attacks.

Learn more

Explore these resources to stay updated on the latest automatic attack disruption capabilities:

• Learn more about Microsoft Defender for Endpoint.
• Read about the new containment features.
• Learn how attack disruption safeguards your domain controllers in this video.
• Check out our latest infographic.
• Read about automatic attack disruption.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Average cost per data breach in the United States 2006-2024, Ani Petrosyan. October 10, 2024.

The post How cyberattackers exploit domain controllers using ransomware appeared first on Microsoft Security Blog.

Unique characteristics of QR code phishing campaigns

Like with other phishing techniques, the goal of QR code phishing attacks is to get the user to click on a malicious link that seems legitimate. They often use minimalistic emails to deliver malicious QR codes that prompt seemingly legitimate actions—like password resets or two-factor authentication verifications. A QR code can also be easily manipulated to redirect unsuspecting victims to malicious websites or to download malware in exactly the same way as URLs.

Figure 1. QR code as an image within email body redirecting to a malicious website.

The normal warning signs users might notice on larger screens can often go unnoticed on mobile devices. While the tactics, techniques, and procedures (TTPs) vary depending on which bad actor is at work, Microsoft Defender for Office 365 has detected a key set of patterns in QR code phishing attacks, including but not limited to:

• URL redirection, where a click or tap takes you not where you expected, but to a forwarded URL.
• Minimal to no text, which reduces the signals available for analysis and machine learning detection.
• Exploiting a known or trusted brand, using their familiarity and reputation to increase likelihood of interaction.
• Exploiting known email channels that trusted, legitimate senders use.
• A variety of social lures, including multifactor authentication, document signing, and more.
• Embedding QR codes in attachments.

The impact of QR code phishing campaigns on the broader email security industry

With the most common intent of QR code phishing being credential theft, malware distribution, or financial theft, QR code campaigns are often massive—exceeding 1,000 users and follow targeted information gathering reconnaissance by bad actors.²

Microsoft security researchers first started noticing an increase in QR-code based attacks in September 2023. We saw attackers quickly morphing their techniques in two keys ways: First by manipulating the way that the QR code rendered (such as different colors and tables), and second by manipulating the embedded URL to do redirection.

The dynamic nature of QR codes made it challenging for traditional email security mechanisms that were designed for link-based phishing techniques to effectively filter and protect against these types of cyberattacks. A key reason was the fact that extensive image content analysis was not commonly done for every image in every message, and did not represent a standard in the industry at the time of the surge.

As a result, for several months our customers saw an increase in bad email that contained malicious QR codes as we were adapting and evolving our technology to be effective against QR codes. This was a challenging time for our customers and those of other email security vendors. We added incremental resources and redirected all our engineering energy to address these issues, and along the way not only delivered new technological innovations but also modified our processes and modernized components of our pipeline to be more resilient in the future. Now these challenges have been addressed through a key set of innovations, and we want to share our learnings and technology advancements moving forward.

For bad actors, QR code phishing has become a lucrative business, and attackers are utilizing AI and large language models (LLMs) like ChatGPT to increase the speed and improve the believability of their attacks. Recent research by Insikt Group noted that bad actors can generate 1,000 phishing emails in under two hours for as little as $10.³ For the security industry, this necessitates a multifaceted response including improved employee training and a renewed commitment to innovation.

The necessity of innovation in QR code phishing defense

Innovation in the face of evolving QR code phishing risk is not just beneficial, it’s imperative. As cybercriminals continually refine their tactics to exploit new technologies, security solutions must evolve at a similar pace to remain effective. In response to the growing threat of QR code phishing, Microsoft Defender for Office 365 took decisive action to leverage advanced machine learning and AI—developing robust defenses capable of detecting and neutralizing QR code phishing attacks in real time. Our team meticulously analyzed these cyberthreats across trillions of signals, gaining valuable insights into their mechanisms and evolving patterns. This knowledge helped us refine our security protocols and enhance our platform’s resilience with several strategic updates. As the largest email security provider, we have seen a significant decline in QR code phishing attempts. At the height, Defender for Office 365 was blocking 3 million attempts daily, and with the delivery of innovative protection we have seen this number shrink to 200,000 QR code phishing attempts every day. This is testament that our innovation is having the desired effect: reducing the effectiveness of QR code-based attacks and forcing attackers to shift their tactics.

Figure 2. QR code phishing blocked by Microsoft Defender for Office 365.

Recent innovations and protections we’ve implemented and improved within Microsoft Defender for Office 365 to help combat QR code phishing include:

• URL extraction enhancements: Microsoft Defender for Office 365 has improved its capabilities to extract URLs from QR codes, substantially boosting the system’s ability to detect and counteract phishing links hidden within QR images. This enhancement enables a more thorough analysis of potential cyberthreats embedded in QR codes. In addition, we now extract metadata from QR codes, which enriches the contextual data available during threat assessments, enhancing our ability to detect suspicious activities early in the attack chain.
• Advanced image processing: Advanced image processing techniques at the initial stage of the mail flow process allow us to extract and log URLs hidden within QR codes. This proactive measure disrupts attacks before they have a chance to compromise end user inboxes, addressing cyberthreats at the earliest possible point.
• Advanced hunting and remediation: To offer a comprehensive response to QR code threats across email, endpoint, and identities with our advanced hunting capabilities, security teams across organizations are well equipped to specifically identify and filter out malicious activities linked to these codes.
• User resilience against QR code phishing: To further equip our organization against these emerging threats, Microsoft Defender for Office 365 has expanded its advanced capabilities to include QR code threats, maintaining alignment with email platforms and specific cyberattack techniques. Our attack simulation training systems along with standard setup of user selection, payload configuration, and scheduling, now have specialized payloads for QR code phishing to simulate authentic attack scenarios.

Read more technical details on how to hunt and respond to QR code-based attacks. By integrating all these capabilities across the Microsoft Defender XDR platform, we can help ensure any QR code-related threats identified in emails are thoroughly analyzed in conjunction with endpoint and identity data, creating a robust security posture that addresses threats on multiple fronts.

Staying ahead of the evolving threat landscape 

The enhancements of Microsoft Defender for Office 365 to defend against QR code-based phishing attacks showcased our need to advance Microsoft’s email and collaboration security faster. The rollout of the above has closed this gap and made Defender for Office 365 effective against these attacks, and as the use of QR codes expands, our defensive tactics will now equally advanced to combat them.

Our continuous investment in analyzing the cyberthreat landscape, learning from past gaps, and our updated infrastructure will enable us to effectively handle present issues and proactively address future risks faster as threats emerge across email and collaboration tools. We will soon be sharing more exciting innovation that will showcase our commitment to delivering the best email and collaboration security solution to customers.

For more information, view the data sheet on protecting against QR code phishing or visit the website to learn more about Microsoft Defender for Office 365.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Attackers Weaponizing QR Codes to Steal Employees Microsoft Credentials, Cybersecurity News. August 22, 2023.

²Hunting for QR Code AiTM Phishing and User Compromise, Microsoft Tech Community. February 12, 2024.

³Security Challenges Rise as QR Code and AI-Generated Phishing Proliferate, Recorded Future. July 18, 2024.

The post How Microsoft Defender for Office 365 innovated to address QR code phishing attacks appeared first on Microsoft Security Blog.

Try Face Check for yourself.

Verified ID: Verify once, use everywhere

In our everyday lives, we use identity documents like driver’s licenses or passports as convenient and secure ways to prove our identity. Until now, we have not had a good digital equivalent. Microsoft Entra Verified ID provides a secure and easy-to-use experience for digitally verifying many aspects of our identity, such as education, skills, and workplace affiliation. As fraud skyrockets for businesses and consumers, and fraud tactics become increasingly complex—especially with advancements in generative AI—identity verification has never been more important.

Microsoft Entra Verified ID is based on open standards, enabling organizations to verify the widest variety of credentials using a simple API. Verified ID integrates with some of the leading verification partners to verify identity attributes for individuals (for example, a driver’s license and a liveness match) across 192 countries. Today, hundreds of organizations rely on Verified ID to remotely onboard new users as well as reduce fraud when providing self-service recovery. For example, Skype has reduced fraudulent cases of registering Skype Phone Numbers in Japan by 90% by implementing Verified ID. Elsewhere, enterprises are issuing Verified Employee Credentials to enable employees to verify their employment status with LinkedIn as well as for business-to-business collaboration.

Learn more about how Verified ID works and how organizations are using it today in our whitepaper.

Introducing Face Check with Verified ID: Unlocking high-assurance verifications at scale

Face Check, powered by Azure AI services, adds a critical layer of trust by matching a user’s real-time selfie and the photo from their identity document (such as a passport or driver’s license). By sharing only the match results and not any sensitive identity data, Face Check improves user privacy while allowing organizations to be sure the person claiming an identity is really them.

Many organizations are evaluating Face Check as part of the preview. BEMO, a leader in help desk services for cybersecurity operations, uses Face Check to quickly verify the identity of an employee and reduce the risk of impersonation. “The liability of granting admin [role] access to the wrong person is high, so Face Check provides an extra layer of insurance. In the past we had to trade off between increasing risk of fraudulent access or increased compliance risk by collecting personally identifiable information in an ad hoc manner. Now we can verify the identity of an employee instantly and with high confidence, without trading off between security and compliance.” More than a hundred of BEMO’s business customers have already implemented Face Check.

Visit our frequently asked questions to learn more. If you are ready to implement Face Check with Verified ID for your organization, see the steps below to get started. 

Get started with Face Check in Verified ID

If you are ready to implement Verified ID for your organization, here are the steps to get started.

Total time: 5 minutes

1. Follow this tutorial to create a Face Check-ready Verified Workplace Credential.

Time: 1 minute

2. Configure who can request a Verified ID by selecting all users or specific groups of users.

Time: 3 minutes

3. Users can sign in to http://myaccount.microsoft.com. Use the new option under your profile to get your Verified ID (using photo from Microsoft 365 profile). Use Microsoft Authenticator to get your Face Check-ready Verified ID. It’s that easy!

Time: 1 minute

How Face Check enables high-assurance verification

Apps can make a simple API request for users to perform a Face Check against a Verified Employee credential, state-issued government ID, or a custom digital credential with a trusted photo. For example, businesses can enable a wide variety of self-service scenarios including activating a passkey or resetting a password. A help desk service for a business can request a Face Check against a Verified Employee credential to verify the identity quickly and securely. To reduce compliance risk, apps receive a confidence score for match against the photo from the desired credential, without gaining access to liveness data.

Microsoft Entra Verified ID developer docs has a reference for a presentation request sample with Face Check.

What’s next for Verified ID?

Today, businesses can verify a wide variety of identity attributes, such as employment, education or government-issued ID (with partners like LexisNexis® Risk Solutions, Au10tix, and IDEMIA). Now with Face Check, businesses can be confident that the person presenting these credentials is indeed the right person to whom these credentials were issued. Next, we are extending this API pattern to verify other identity attributes that businesses care about, including verified work history and legal entity verification in partnership with Dun & Bradstreet (DNB), LexisNexis® Risk Solutions, and IDEMIA. Stay tuned for more details on this program in coming weeks.

Join us online at Microsoft Secure on March 13, 2024, to learn about Microsoft Entra innovations that redefine how to think about secure access for any identity to any resource, from anywhere.

Learn more

Learn more about Microsoft Entra Verified ID.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Entra Verified ID introduces Face Check in preview appeared first on Microsoft Security Blog.

Today, we are taking a significant step in completing the delivery of functionality we promised when we first unveiled the vision for the Microsoft Intune Suite.¹ We are launching three new solutions: Microsoft Intune Enterprise Application Management, Microsoft Intune Advanced Analytics, and Microsoft Cloud PKI. With these additions, the Intune Suite now goes beyond unified endpoint management to bring you a comprehensive collection of advanced cross-platform capabilities across three core areas: streamlined application security, secure access to on-premises and private cloud resources, and improved troubleshooting and support. While we will continue to add more functionality over time, today’s release marks “the end of the beginning,” as the main components of the Intune Suite are generally available this month. As such, let’s take the opportunity to recap the principles behind the value and functionality of the Intune Suite.

Microsoft Intune

Enhance security and IT efficiency with the Microsoft Intune Suite.

Learn more

The broad value of the Intune Suite

While the solutions of the Intune Suite launched at different points in time, three fundamental principles have been there from the beginning.

First, one place for workloads adjacent to Unified Endpoint Management. If you’re currently using a mix of third-party solutions, the integrated experience in Microsoft Intune provides security and efficiency on multiple levels. First, one unified solution means fewer integrations to manage across third parties, meaning fewer attack vectors for malicious actors. And second, on a deeper level, the broader Intune proposition (both Intune Suite and Intune) is integrated with Microsoft 365 and Microsoft Security solutions. This provides a consolidated and seamless experience for IT professionals with a single pane of glass for end-to-end endpoint management.

Second, all parts of the Intune Suite are ready to support your cloud and AI-enabled future. Intune Suite will help accelerate organizations’ digital transformation to cloud native and simplify their IT operations. Additionally, data from Intune Suite are consolidated with other Intune and security data, meaning complete visibility across the device estate, informing and improving emerging technologies like Microsoft Copilot for Security. The more interrelated data that Copilot can use, the more it can proactively advise on the next best action.

Lastly, Intune Suite is available in a single unified plan. So, rather than having separate solutions for remote assistance, privilege management, analytics, and more, these advanced solutions can all be consolidated and simplified into one. This provides value in two ways: directly, by reducing the overall licensing cost, as the cost of Intune Suite is less than purchasing separate solutions; and the economic value of the Intune Suite is also in indirect savings: no need to manage separate vendors, train IT admins on separate tools, or maintain costly on-premises public key infrastructure (PKI). The Intune Suite makes it easier for IT admins, reducing overhead costs.

“With what we get out of Intune Suite, we can eliminate other products that our customers need. It’s now a suite of many components that enable customers who want to consolidate solutions and save money.”

—Mattias Melkersen Kalvåg, Mobility and Windows Management Consultant at MINDCORE, and| Microsoft Certified Professional & MVP

From today: A comprehensive suite across applications, access needs, and support

Let’s get into specifics. For application security, Enterprise App Management helps you find, deploy, and update your enterprise apps. And Endpoint Privilege Management lets you manage elevation rules on a per-app basis so that even standard users can run approved privileged apps. Cloud PKI lets you manage certificates from the cloud in lieu of complex, on-premises PKI infrastructure. And Microsoft Tunnel for Mobile Application Management (MAM) is perfect for unenrolled, personal mobile devices, to help broker secure access to line of business apps. Advanced Analytics gives you data-rich insights across your endpoints. And Remote Help lets you view and control your PCs, Mac computers, and specialized mobile devices, right from the Intune admin center. Let us take each of those three product areas in turn.

Increase endpoint security with Enterprise App Management and Endpoint Privilege Management

Enterprise App Management gives you a new app catalog, allowing you to easily distribute managed apps, but also keep them patched and always up to date. With this initial release, you will be able to discover and deploy highly popular, pre-packaged apps, so you no longer need to scour the Internet to find their installation files, repackage, and upload them into Intune. Simply add and deploy the apps directly from their app publishers. You can also allow the apps you trust to self-update, and when a new update is available, it is just one click to update all your devices with that app installed. We will continuously expand and enrich the app catalog functionality in future releases to further advance your endpoint security posture and simplify operations. 

“I’m very excited about Enterprise App Management as it’s powered by a strong app catalog and natively integrated in Intune. This single pane of glass experience is what we’re all looking for.”

—Niklas Tinner, Microsoft MVP and Senior Endpoint Engineer at baseVISION AG

For more control over your apps, with Endpoint Privilege Management, you can scope temporary privilege elevation, based on approved apps and processes. Then, as a user in scope for this policy, you can elevate only the processes and apps that have been approved. For example, users can only run a single app for a short period of time as an administrator. Unlike other approaches that give local admin permissions or virtually unlimited scope, you can selectively allow a user to elevate in a one-off scenario by requesting Intune admin approval, without you needing to define the policy ahead of time.

“Endpoint Privilege Management offers tight integration into the operating system. And the focus that Microsoft has over only elevating specific actions and apps versus making you an admin for a period of time—this is security at its best, going for the least privileged access.”

—Michael Mardahl, Cloud Architect at Apento

Cloud PKI and Microsoft Tunnel for MAM powers secure access

With Cloud PKI, providing both root and issuing Certificate Authorities (CA) in the cloud, you can simply set up a PKI in minutes, manage the certificate lifecycle, reduce the need for extensive technical expertise and tools, and minimize the effort and cost of maintaining on-premises infrastructure. In addition, support for Bring-Your-Own CA is available, allowing you to anchor Intune’s Issuing CA to your own private CA. Certificates can be deployed automatically to Intune-managed devices for scenarios such as authentication to Wi-Fi, VPN, and more; a modern PKI management option that works well to secure access with Microsoft Entra certificate-based authentication. In the initial release, Cloud PKI will also work with your current Active Directory Certificate Services for SSL and TLS certificates, but you do not need to deploy certificate revocation lists, Intune certificate connectors, Network Device Enrollment Service (NDES) servers, or any reverse proxy infrastructure. You can issue, renew, or revoke certificates directly from the Intune admin center automatically or manually. 

Microsoft Tunnel for MAM helps secure mobile access to your private resources. Microsoft Tunnel for MAM works similarly to Microsoft Tunnel for managed devices; however, with this advanced solution, Microsoft Tunnel for MAM works with user-owned (non-enrolled) iOS and Android devices. Microsoft Tunnel for MAM provides secure VPN access at the app level, for just the apps and browser (including Microsoft Edge) your IT admin explicitly authorizes. So, for personally owned devices, the user can access approved apps, without your company’s data moving onto the user’s personal device. App protection policies protect the data within the apps, preventing unauthorized data leakage to other apps or cloud storage locations.

“Cloud PKI within the Intune Suite allows you to go cloud native in terms of certificate deployment, which means you can provision PKIs with just a few clicks—that’s a blessing for all the IT administrators. With this built-in service, Microsoft hosts everything for you to manage certificates.”  

—Niklas Tinner

Resolve support issues quicker with Advanced Analytics and Remote Help

Advanced Analytics in Intune is a powerful set of tools for actionable reporting and AI-driven analytics. It provides deep, near real-time insights into your connected devices and managed apps that help you understand, anticipate, and proactively improve the user experience. We continue to infuse AI and machine learning into our analytics products. For example, you can get ahead of battery degradation in your device fleet through our advanced statistical analysis and use that information to prioritize hardware updates. Intune Suite now includes real-time device querying on-demand using Kusto Query Language for individual devices, useful for troubleshooting and resolving support calls quicker.

With Remote Help, you can also streamline the way you remotely view and interact with your managed devices, for both user-requested or unattended sessions. As a help desk technician, you can securely connect to both enrolled and unenrolled devices. Users also have peace of mind in being able to validate the technician’s identity, to avoid help desk spoofing attempts. Right now, Remote Help works for remote viewing and controlling in Windows PCs and Android dedicated Enterprise devices, and supports remote viewing for macOS. Especially useful for frontline workers, Remote Help for Android allows help desk administrators to configure and troubleshoot unattended devices, meaning issues can be revolved off-shift.

“Remote Help takes away the requirement and the need for third-party remote help tools. Remote Help is native, it’s interactive, and you don’t have to worry about installing anything, it’s already there. It’s part of Intune, it’s part of the build.”

—Matthew Czarnoch, Cloud and Infrastructure Operations Manager at RLS (Registration and Licensing Services)

To see many of these new capabilities in action, we invite you to watch this new Microsoft Mechanics video.

Analyst recognition for Microsoft

With the additions to the Intune Suite now available, IT can power a more secure and productive future at an important time as AI comes online. Notably, analyst recognition is validating the importance of its value. For example, Microsoft again assumes the strongest leadership position in the Omdia Universe: Digital Workspace Management and Unified Endpoint Management Platforms 2024. Omdia wrote: “Microsoft is focused on reducing management costs by utilizing the Microsoft Intune Suite and integrating different solutions with it.” They added: “The company plans to invest in Endpoint Analytics and Security Copilot to introduce data-driven management, helping IT professionals shift from reactive, repetitive tasks to strategic ones by utilizing Endpoint Analytics and automation.” Omdia’s recognition follows that from others like Forrester, who named Microsoft as a Leader in The Forrester Wave™ for Unified Endpoint Management, Q4 2023.

Get started with consolidated endpoint management solutions with the Microsoft Intune Suite

The February 2024 release of the solutions in the Intune Suite marks a key milestone, offering a consolidated, comprehensive solution set together in a cost-effective bundle (and available as individual add-on solutions) for any plan that includes Intune. And in April 2024, they will also be available to organizations and agencies of the United States government community cloud. We look forward to hearing your reactions to the new Intune Suite.

• Microsoft Intune News at Microsoft Ignite 2023.
• Learn more about Microsoft Intune.
• Omdia Universe: Digital Workspace Management/Unified Endpoint Management Platforms 2024.
• Forrester Wave™ for Unified Endpoint Management, Q4 2023. 
• Microsoft Cloud PKI blog announcement at Microsoft Ignite 2023.
• Microsoft Intune Enterprise App Management blog announcement at Microsoft Ignite 2023.
• Microsoft Intune Advanced Analytics blog announcement at Microsoft Ignite 2023.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Ease the burden of managing and protecting endpoints with Microsoft advanced solutions, Dilip Radhakrishnan and Gideon Bibliowicz. April 5, 2022.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

The Forrester Wave™: Unified Endpoint Management, Q4 2023, Andrew Hewitt, Glen O’Donnell, Angela Lozada, Rachel Birrell. November 19, 2023.

The post 3 new ways the Microsoft Intune Suite offers security, simplification, and savings appeared first on Microsoft Security Blog.

Multicloud and multiplatform deployments increase the potential for security risks and data breaches. Today, many customers are working to secure a complex patchwork of technologies across different devices, applications, platforms, and clouds. Some are also dealing with separate security infrastructures for each cloud they’re operating in, which introduces incredible complexity, creates seams for attackers to exploit, and increases the likelihood of mistakes.

I am excited to share several innovations that improve multicloud visibility and help customers proactively reduce risk and respond to threats in real time. Read on to see how we continue to expand our end-to-end security solution to help organizations defend against threats across all endpoints and clouds.

Microsoft Defender for Cloud

Protect multicloud and hybrid environments with comprehensive security across the full lifecycle, from development to runtime.

Learn more

Extend multicloud visibility to proactively prevent breaches

Today, we’re thrilled to announce new advanced multicloud posture management capabilities for Google Cloud Platform (GCP) in Microsoft Defender for Cloud to help customers proactively prevent data breaches across multicloud and hybrid environments. 

Microsoft is recognized as a Representative Vendor in the 2023 Gartner Market Guide for Cloud Native Application Protection Platforms.³ Microsoft Defender for Cloud became the first cloud provider to offer multicloud workload protection for cloud infrastructure, applications, and data across the full lifecycle for all three public clouds.⁴ Since then, we’ve rapidly expanded our CNAPP capabilities to provide advanced posture management with Microsoft Defender Cloud Security Posture Management (Defender CSPM), DevSecOps security with integrations into GitHub Advanced Security, and continued investments in our cloud workload protection (CWP) solutions across servers, containers, APIs, storage, and databases.

Figure 1. Attack path showing a GCP virtual machine exposed to the internet with permissions to a data store.

On August 15, 2023, Defender CSPM will extend its advanced agentless scanning, data-aware security posture, cloud security graph, and attack path analysis capabilities to GCP, providing a single contextual view of cloud risks across Amazon Web Services (AWS), Azure, GCP, and hybrid environments. Defender CSPM provides advanced posture management capabilities and is recognized by KuppingerCole as an Overall Leader, Market Champion, Product Leader, and Innovation Leader in its 2023 CSPM Leadership Compass, noting “Organizations looking for a CSPM which provides multicloud capabilities including data-aware security posture should consider Microsoft Defender for Cloud.”⁵ Defender CSPM provides advanced posture management capabilities with full visibility across cloud and hybrid resources from agentless scanning, integrated contextual insights from code, identities, data, internet exposure, compliance, attack path analysis, and more, to prioritize your most critical risks. Customers will be able to leverage agentless scanning to gain full visibility of their GCP, AWS, Azure, and on-premises compute resources in the cloud security graph and attack path analysis to prioritize and mitigate risk against potential threats.  

Within the new Defender CSPM capabilities for GCP, we’re also extending our sensitive data discovery capabilities to GCP Cloud Storage. With this advancement, customers will be able to discover all their GCP Cloud Storage buckets, identify more than 100 sensitive information types, and assess their data security posture through cloud security graph queries and attack path analysis. Now customers can identify potentially sensitive data exposure risks across Azure, AWS, and GCP storage resources and harden their multicloud data security posture.

We chose Microsoft Defender for Cloud as our CNAPP because of the robust, intelligent end-to-end cloud security it provides with proactive CSPM and in protecting our cloud workloads. We’ve already been impressed with the value of Microsoft’s cloud workload protection, so it was an easy choice to also use Defender CSPM. Its agentless scanning allows us to quickly gain insights about our VMs, storage accounts, and containers, and attack path analysis with its contextual insights helps us prioritize and remediate risks. Defender for Cloud is critical in further helping our security teams save time to focus on preventing security incidents and give us peace of mind by knowing we have security across the application lifecycle.

—Cloud Security Manager, Mercedes-Benz Group AG

Get multicloud policy monitoring as a free offering

Microsoft’s cloud security benchmark (MCSB) extends security control guidance and compliance checks to GCP, completing multicloud monitoring across Azure, AWS, and GCP as a free offering. MCSB provides a cloud-centric control framework mapped to major regulatory industry benchmarks (CIS, PCI, NIST, and more) and cloud-specific implementation tools turned on by default to maintain your cloud security compliance across clouds.⁶ Today, along with existing Azure and AWS guidance, organizations can now leverage the MCSB security guidance for GCP environments and access GCP checks (as a preview feature) in the context of MCSB controls in the regulatory compliance dashboard in Microsoft Defender for Cloud. In addition to the policy compliance checking available through MCSB, Microsoft customers also benefit from the free expanded cloud logging support we announced last month.

Prevent malware upload and distribution in near real time

Defender for Cloud is also advancing cloud data security at runtime. We’re excited to share the upcoming general availability of Malware Scanning in Microsoft Defender for Storage.⁷ Starting September 1, 2023, security teams can enable an additional layer of protection to detect and prevent storage accounts from acting as a point of malware entry and distribution.

Organizations rely on cloud storage to store and access data and files, which often contain sensitive and critical data. However, due to its critical and connected role in an organization’s cloud environment, cloud storage can be an effective attack vector for malicious actors to upload and distribute malware. Malware protection methods in the past have focused mostly on compute resources. Protection for storage in this old model would require complex networking workarounds that negatively impact overall performance.

We built Malware Scanning in Defender for Storage to cut through the networking complexities and optimize malware detection for Microsoft Azure Blob Storage in near real time when content is uploaded. Content is automatically scanned for metamorphic and polymorphic malware, with results automatically recorded on the blob metadata.

Read more about Defender for Cloud’s new multicloud security capabilities.

Manage vulnerability risk across cloud deployments

As organizations adopt new technologies across cloud computing, Internet of Things (IoT) devices, and remote work, their attack surface is expanding, making vulnerability management increasingly challenging. Security teams must rethink how to secure a growing and diverse portfolio of devices outside of traditional organizational boundaries, adding complexity to the vulnerability management process. This process requires a combination of policy and scope definition that cannot be purchased off the shelf. Instead, it must be established and matured within an organization, based on its specific risk appetite and maturity level.

In recent years, Microsoft has established itself as a leading solution for vulnerability risk management (VRM) by leveraging its threat intelligence and security expertise. Microsoft Defender Vulnerability Management has become a leading solution for a vast range of customer organizations, providing them end-to-end capabilities across the VRM lifecycle. It is designed to help organizations identify, assess, prioritize, and remediate vulnerabilities in their IT environments, making it an ideal tool for managing an expanded attack surface and reducing overall risk posture, We are thrilled to announce Defender Vulnerability Management is now offered as a standalone solution, which means that customers can purchase it separately and take advantage of the full set of core and premium capabilities across their portfolio of managed and unmanaged devices. Microsoft 365 E5 and Defender for Endpoint Plan 2 customers have the core capabilities included and can continue to get the full vulnerability management solution with the Defender Vulnerability Add-on.  

Figure 2. Core and premium capabilities of Microsoft Defender Vulnerability Management and how customers would acquire them.

Committed to protecting the entire organization’s estate, we are excited to announce the general availability of vulnerability assessments for containers in Defender CSPM and the preview of vulnerability assessments for containers in Microsoft Defender for Containers using Defender Vulnerability Management. With the rise of containerization and microservices, it’s more important than ever to secure the software supply chain and ensure that container images are free from vulnerabilities. Defender Vulnerability Management’s new container vulnerability assessment capabilities enable organizations to scan container images for vulnerabilities and prioritize remediation efforts, based on the severity of the vulnerabilities.

Read more about the new standalone offer and the expanded capabilities of Defender Vulnerability Management.

Get additional protection and expanded endpoint coverage

You can’t protect and manage what you can’t see. This means that a Zero Trust model can’t just be limited to the endpoints enrolled in Microsoft Intune—it must extend to devices integrated with Microsoft Security solutions. If you can’t distribute compliance or security policies to all your devices, you can’t implement a Zero Trust model. 

Now you can expand coverage and provide additional protection from a single unified pane of glass with Microsoft Intune, which can manage the security settings of any device with Microsoft Defender for Endpoint, including Windows, macOS, and Linux endpoints.⁸ These policies and settings allow security admins to remain in the Defender portal to manage Defender for Endpoint and the Intune endpoint security policies for Defender security settings configurations. Now security admins can deploy policies from Intune to manage the Defender security settings on devices onboarded to Defender for Endpoint, without enrolling those devices with Intune.

Secure Score integration with Microsoft Intune means that recommendations for device health and security settings for your organization’s endpoints from Intune are now included in Microsoft Secure Score. Secure Score is the measurement of an organization’s security posture. This score is used to assess risk, drive configuration actions, plan improvements, and report to management. More points in Secure Score equates to more actions taken to improve an organization’s security posture.

And finally, we recently announced a new solution that adds another layer of protection for Samsung Galaxy devices with hardware-backed device attestation.⁹ Device attestation is a crucial mechanism to verify device trust and health to help detect if a device has been compromised. Building on our strategic partnership with Samsung, this attestation helps to prevent malicious endpoints from accessing organization resources using valid client information taken from another device and limiting tampering with client requests. Samsung’s hardware-backed cryptography and Intune app protection policies verify the client endpoint and secure the communication between Intune client and service. It enables a trusted, on-device hardware-backed health check, giving organizations that allow Samsung Galaxy mobile devices to access their corporate network the confidence that personally owned Galaxy devices have the same strong level of extra protection as company-owned devices.

Continuing to deliver for our customers

With our latest product and feature announcements, customers working to secure their multicloud and multiplatform deployments can have a clearer view of their environment, reduce risk, and gain improvements in the safety of their data and systems. At Microsoft, we are committed to providing our customers with the tools and resources they need to protect everything.

Join us at Black Hat 2023

Microsoft Security has a central presence at this year’s Black Hat USA, taking place August 5 to 10, 2023, at Mandalay Bay in Las Vegas, Nevada. If you haven’t already made plans to attend, check out our previous blog post for information about our Black Hat sessions, product demos, meetings at our booth (number 1740), and a customer happy hour.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹2023 State of the Cloud Report, Flexera. 2023. 

²Cloud-based cyber attacks increased by 48 percent in 2022, Continuity Central. January 19, 2023.

³Gartner®, Market Guide for Cloud-Native Application Protection Platforms, Neil MacDonald, et al. March 14, 2023.

⁴The next wave of multicloud security with Microsoft Defender for Cloud, a Cloud-Native Application Protection Platform (CNAPP), Vlad Korsunsky. March 22, 2023.

⁵Leadership Compass: Cloud Security Posture Management, KuppingerCole. July 27, 2023.

⁶Announcing Microsoft cloud security benchmark (Public Preview), Jim Cheng. October 13, 2022.

⁷Malware Scanning for cloud storage GA pre-announcement | prevent malicious content distribution, Inbal Argov. July 26, 2023.

⁸Manage security settings for Windows, macOS, and Linux natively in Defender for Endpoint, Dan Levy. July 11, 2023.

⁹Hardware-backed device attestation powers mobile workers, Michael Wallent. July 27, 2023.

The post New Microsoft Security innovations expand multicloud visibility and enhance multiplatform protection appeared first on Microsoft Security Blog.

As more employees work remotely on a variety of devices and networks, businesses need a security model that supports this new operational efficiency. An expanding perimeter poses challenges for organizational security, exposing your company to risks from malware and data breaches from IT devices that are unknown and unsafe.

To adapt to the realities of modern work, the principles of Zero Trust have been rapidly adopted as a security best practice by businesses and security professionals alike.

A pillar of the Zero Trust framework is based on assuming devices are breached until they are explicitly verified as trusted.

This applies particularly to mobile devices, as employee-held smartphones are increasingly infected with malware, targeted by phishing attacks, or exploited due to vulnerable software and configuration. These threats on untrusted devices that access company data result in businesses suffering from cyberattacks and data breaches. By embracing the principles of Zero Trust, businesses can better manage these risks and secure themselves against mobile-borne threats by ensuring that only trusted devices have access to company data.

How Microsoft and Traced work together to ensure endpoint protection based on Zero Trust principles

United Kingdom-based cybersecurity vendor Traced Mobile Security joined the Microsoft Intelligence Security Association (MISA) with the goal of transforming Zero Trust access to business data on mobile devices.

At Traced, our vision is to live in a world where anyone can comfortably, easily, and securely use the same mobile device for work and play. MISA has helped us to achieve this with their valuable advice, access to technical experts, and sharing our vision for safer devices.

Benedict Jones, Co-Founder, Traced

Trust nothing, verify everything.

With ever-more mobile devices accessing company networks, information, and cloud apps, customers need to be able to automatically control access to cloud apps based on the security status of a smartphone or tablet—whether it’s personal- or corporate-owned.

So Traced developed Trustd MTD to provide simple, fast, and robust Zero Trust access to those Cloud Apps for Microsoft customers. Trustd’s integration with Microsoft Azure Active Directory (Azure AD), part of the Microsoft Entra product family, helps customers achieve compliance and mitigate the growing business risks of cyberattacks and data breaches originating from company and personal mobile devices.

This means that customers can:

• Reduce the risk of data breaches, fines, and damages from cyberthreats such as Man-in-the-Middle attacks, malware, and phishing.
• Enable secure remote working without compromising efficiency.
• Automatically allow access to company data when a user’s device is validated as trusted and restrict access if it becomes untrusted.
• Protect their private data on mobile devices across most locations and networks.

“As mobile threats abound in greater numbers, we’re seeing many businesses struggling to protect themselves. We’re using Trustd MTD to enforce the principles of Zero Trust for our customers and ensure that untrusted and compromised mobile devices cannot access company data.”

Fayyaz Shah, Chief Operating Officer, METCLOUD

Through Trustd MTD’s integration with Azure AD conditional access policies, customers can automatically restrict access to thousands of Azure AD Gallery apps from users with compromised or untrusted mobile devices.

With Azure AD Single Sign-on (SSO) being seamlessly supported across such a broad range of apps, Trustd MTD’s integration with Azure AD for conditional access to company resources means that we can together ensure that company data is inaccessible to compromised users for your business’ key and sensitive apps.

Benedict Jones, Co-Founder, Traced

Free Zero Trust white paper

To learn more about Zero Trust and how Azure AD integrates with Traced’s MTD solution, download the free Trustd whitepaper “Zero Trust mobile security in a perimeter-less world.”

About Traced

Traced’s vision is to make the invisible visible.

It’s about making software that shines a light on threats that are invisible to traditional forms of detection. It’s about making sure their software protects people by being easy to understand, effective, and affordable. And it’s about respecting users’ and employees’ privacy by being transparent about what you’re doing and why.

And it’s about making a different kind of security company. A company that understands and talks about the threats that businesses really face every day, rather than the ones that get the best headlines or induce the greatest fear. For more information, visit the Traced website.

Learn more

• Embrace proactive security with Zero Trust.
• Assess your organization’s Zero Trust maturity.
• Learn about identity and access solutions from Microsoft.

To learn more about the Microsoft Intelligent Security Association (MISA), visit the website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.  

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Implementing Zero Trust access to business data on BYOD with Trustd MTD and Microsoft Entra appeared first on Microsoft Security Blog.

While IoT devices can easily outnumber managed endpoints like laptops and mobile phones, they often lack the same safeguards that would ensure their security. To bad actors, these unmanaged devices can be used as a point of entry, for lateral movement, or evasion. The chart below showcases a typical attack lifecycle involving two IoT devices, where one is used as a point of entry, and another one for lateral movement. Too often, the use of such tactics leads to the exfiltration of sensitive information.

Introducing protection for Enterprise IoT devices in Microsoft Defender for IoT

At the 2021 Microsoft Ignite, we announced the preview of enterprise IoT security capabilities in Microsoft Defender for IoT. With these new capabilities, Defender for IoT adds agentless monitoring to secure enterprise IoT devices connected to IT networks, like Voice over Internet Protocol (VoIP), printers, and smart TVs. A dedicated integration with Microsoft 365 Defender allows Defender for Endpoint customers to extend their extended detection and response (XDR) coverage to include IoT devices. Today, we’re excited to announce the general availability of these capabilities in Defender for IoT.

With this new addition, Defender for IoT now delivers comprehensive security for all endpoint types, applications, identities, and operating systems. The new capabilities allow organizations to get the visibility and insights they need to address complex multi-stage attacks that specifically take advantage of IoT and OT devices to achieve their goals. Customers will now be able to get the same types of vulnerability management, threat detection, response, and other capabilities for enterprise IoT devices that were previously only available for managed endpoints and OT devices.

Further, to make Enterprise IoT security accessible to more customers, we are introducing a dedicated native integration for Microsoft 365 Defender customers. The new integration helps customers to discover and secure IoT devices within Microsoft 365 Defender environments in minutes.

Identifying unmanaged devices

You can’t secure a device if you don’t know it exists. Taking a thorough inventory of all IoT devices can be expensive, challenging, and time-consuming. Employees may connect IoT devices to the network without first notifying IT or operations.

By using the existing Microsoft Defender for Endpoint clients, which are often deployed pervasively across an organization’s infrastructure, we can provide immediate device discovery with no additional deployment or configuration required. For the most complete view of your IoT and OT devices, and specifically for network segments where Defender for Endpoint sensors are not present, Defender for IoT includes a deployable network sensor that can be used to collect all of the network data it needs for discovery, behavioral analytics, and machine learning.

Understanding device vulnerabilities

Knowing all the devices present in your network is a critical step to securing your IoT—but it’s only the first step. To understand the potential risk that those devices pose to your network and organization, you need to be able to stay on top of insecure configurations and vulnerabilities that may be present within your inventory of devices.

These types of devices are often unpatched, misconfigured, and unmonitored, which makes them an immediate target for an attacker. Defender for IoT assesses all your enterprise IoT devices, offering recommendations in the Microsoft 365 console as part of the ongoing investigation flow for network-based alerts. 

New IoT devices are being introduced into an environment all the time. Because of that, the identification and risk assessment processes run continuously within Defender for IoT to ensure maximum visibility and posture at all times.

Securing IoT devices against threats

Threat detection remains one of the most difficult tasks in the IoT domain. Defender for IoT customers benefit from the machine learning and threat intelligence obtained from trillions of signals collected daily across the global Microsoft ecosystem (like email, endpoints, cloud, Microsoft Azure Active Directory, and Microsoft 365), augmented by IoT- and OT-specific intelligence. By applying machine learning and threat intelligence, we help our customers to reduce the alert signal to noise ratio by providing them with prioritized incidents that render end-to-end attacks in complete context rather than giving them an endless list of uncorrelated alerts.

Just recently, this approach enabled Defender for IoT to rank number one in threat visibility coverage in the MITRE ATT&CK for ICS evaluation, successfully detecting malicious activity for 100 percent of major attack steps and 96 percent of all adversary sub-steps, with fewest missed detections of any other vendor.

Defender for IoT: Complete coverage across all IoT/OT

It is certain that the demand for digital transformation and pressure to remain competitive will continue incentivizing organizations to embrace more IoT technologies, whether they are smart TVs in offices or industrial controllers in plants. Chief Information Security Officers will soon be responsible for an attack surface area that is many times larger than their managed device footprint. With the latest release in Defender for IoT, we’re extending coverage to enterprise IoT devices to help customers remain secure across the entire spectrum of their IoT technologies. What’s more, for the first time we’re enabling our Defender for Endpoint customers to gain visibility into their IoT devices within minutes and without buying or deploying any additional technologies or products.

Microsoft Defender for IoT remains a major component of the broader Microsoft SIEM and XDR solutions. Through native integration with Microsoft Defender and Microsoft Sentinel, we can provide customers with the automation and visualization tools they need to address attacks crossing IT and OT network boundaries. These integrations also empower analysts to perform incident response holistically rather than as separate disconnected attacks that require extensive manual investigations to bring together. With these efficiency gains, organizations can stop attacks and bring their environments back to a pre-breach state far more quickly.

We’re excited to reach this major milestone on our journey to securing customers in IoT and OT and invite you to explore how Defender for IoT can help your organization.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Introducing security for unmanaged devices in the Enterprise network with Microsoft Defender for IoT appeared first on Microsoft Security Blog.

Subsequently, we did a survey to understand the top concerns around the security of IoT devices, and we shared the findings in a previous blog about best practices for managing IoT security concerns. The following list summarizes the top security concerns from companies that have adopted IoT solutions:

• Ensuring data privacy (46 percent).
• Ensuring network-level security (40 percent).
• Security endpoints for each IoT device (39 percent).
• Tracking and managing each IoT device (36 percent).
• Making sure all existing software is updated (35 percent).
• Updating firmware and other software on devices (34 percent).
• Performing hardware/software tests and device evaluation (34 percent).
• Updating encryption protocols (34 percent).
• Conducting comprehensive training programs for employees involved in IoT environment (33 percent).
• Securely provisioning devices (33 percent).
• Shifting from device-level to identity-level control (29 percent).
• Changing default passwords and credentials (29 percent).

To help address these concerns, Microsoft is thrilled to announce today the general availability of the extension of our Secured-core platform to IoT devices along with new Edge Secured-core certified devices from our partners Aaeon, Asus, Lenovo and Intel in the Azure certified device catalog. We have added this new device certification for our Edge Secured-core platform so customers can more easily select IoT devices that meet this advanced security designation.   

As outlined in Microsoft’s Zero Trust paper, a key investment, especially around new devices, is to choose devices with built-in security. Devices built with Azure Sphere benefit from industry-leading built-in security, with servicing by Microsoft.

Announcements for Edge Secured-core

Edge Secured-core is a certification in the Azure Certified Device program for IoT devices. Devices that have achieved this certification provide enterprises the confidence that the devices they’re purchasing deliver the following security benefits:

• Hardware-based device identity: In addition to the various security properties that a hardware-based device identity provides, this also enables the use of the hardware-backed identity when connecting to Azure IoT Hub and using the IoT Hub device provisioning service.  
• Capable of enforcing system integrity: Using a combination of processor, firmware, and OS support to facilitate measurement of system integrity to help ensure the device works well with Microsoft Azure Attestation.
• Stays up-to-date and is remotely manageable: Receives the necessary device updates for a period of at least 60 months from the date of submission.
• Provides data-at-rest encryption: The device provides built-in support for encrypting the data at rest using up-to-date protocols and algorithms.
• Provides data-in-transit encryption: IoT devices such as gateways, which are often used to connect downstream devices to the cloud, need inherent support for protecting data in transit. Edge Secured-core devices help support up-to-date protocols and algorithms that are used for data-in-transit encryption.
• Built-in security agent and hardening: Edge Secured-core devices are hardened to help reduce the attack surface and include a built-in security agent to help secure from threats.

In addition to addressing many of the top concerns that we’ve heard from customers around the security of their IoT devices, our data shows that Secured-core PCs are 60 percent more resilient to malware than PCs that don’t meet the Secured-core specifications. We’ve brought the learnings from Secured-core PCs to define the requirements for Edge secured-core devices.

Today, we’re excited to announce the availability of Windows IoT Edge Secured-core devices available in the Azure Certified Device catalog.

Additionally, Microsoft invests with semiconductor partners to build IoT-connected industry-certified MCU security platforms that align with Microsoft’s security standards.  

Get started with Microsoft Security

Email us to request a call for more information about Azure Sphere, Edge Secured-core devices, or industry-certified devices. Learn more about Azure IoT security.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing your IoT with Edge Secured-core devices appeared first on Microsoft Security Blog.