Email security Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/topic/email-security/
Expert coverage of cybersecurity topics. Feed last updated Mon, 04 Nov 2024 20:40:45 +0000.

How Microsoft Defender for Office 365 innovated to address QR code phishing attacks
http://approjects.co.za/?big=en-us/security/blog/2024/11/04/how-microsoft-defender-for-office-365-innovated-to-address-qr-code-phishing-attacks/
Mon, 04 Nov 2024 17:00:00 +0000

This blog examines the impact of QR code phishing campaigns and the innovative features of Microsoft Defender for Office 365 that help combat evolving cyberthreats.

Over the last year, the cybersecurity industry faced a significant surge in QR code phishing campaigns, with some attacks increasing at a growth rate of 270% per month.[1] A QR code (short for “Quick Response code”) is a two-dimensional barcode that can be scanned using a smartphone or other mobile device equipped with a camera. The codes can contain information like website URLs, contact information, product details, and more. They are most often used for taking users to websites, files, or applications. But when bad actors exploit them, they can be used to mislead users into unwittingly compromising their credentials and data.

Unique characteristics of QR code phishing campaigns

Like with other phishing techniques, the goal of QR code phishing attacks is to get the user to click on a malicious link that seems legitimate. They often use minimalistic emails to deliver malicious QR codes that prompt seemingly legitimate actions—like password resets or two-factor authentication verifications. A QR code can also be easily manipulated to redirect unsuspecting victims to malicious websites or to download malware in exactly the same way as URLs.

Figure 1. QR code as an image within email body redirecting to a malicious website.

The normal warning signs users might notice on larger screens can often go unnoticed on mobile devices. While the tactics, techniques, and procedures (TTPs) vary depending on which bad actor is at work, Microsoft Defender for Office 365 has detected a key set of patterns in QR code phishing attacks, including but not limited to:

  • URL redirection, where a click or tap takes you not where you expected, but to a forwarded URL.
  • Minimal to no text, which reduces the signals available for analysis and machine learning detection.
  • Exploiting a known or trusted brand, using their familiarity and reputation to increase likelihood of interaction.
  • Exploiting known email channels that trusted, legitimate senders use.
  • A variety of social lures, including multifactor authentication, document signing, and more.
  • Embedding QR codes in attachments.
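The patterns above can be turned into a simple triage score once an upstream image-processing step has decoded the QR payload. The block below is an added example written for this page, not Microsoft's or Defender for Office 365's code; it assumes the QR URL has already been extracted and works on constructed message fields (body text, decoded QR URLs, whether the QR came from an attachment). The brand allowlist, lure keywords, word-count threshold and the two sample messages are all constructed for illustration.

```python
# Added example (not Microsoft code): heuristic triage of a message whose QR code
# has already been decoded by an upstream image-processing step. All names,
# thresholds, and the sample messages below are constructed for illustration.
from urllib.parse import parse_qs, unquote, urlparse

# Constructed allowlist: brand keyword -> domains that legitimately host it.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com"},
    "docusign": {"docusign.com"},
}
# Wording typical of the social lures listed above (password resets, MFA, signing).
LURE_KEYWORDS = ("password", "reset", "mfa", "authenticat", "sign", "verify", "expire")
MIN_WORDS = 25  # below this, treat the body as "minimal to no text"


def redirect_target(url):
    """Return a full URL hidden in a query parameter (forwarding/redirect pattern), else None."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            candidate = unquote(value)
            if candidate.lower().startswith(("http://", "https://")):
                return candidate
    return None


def brand_mismatch(url, text):
    """Brands named in the lure text (or in the host) whose real domains do not host the URL."""
    host = (urlparse(url).hostname or "").lower()
    mismatched = []
    for brand, domains in BRAND_DOMAINS.items():
        mentioned = brand in text.lower() or brand in host
        legitimate = any(host == d or host.endswith("." + d) for d in domains)
        if mentioned and not legitimate:
            mismatched.append(brand)
    return mismatched


def triage(message):
    """Score a message dict {body_text, qr_urls, attachment_qr}; returns (score, reasons)."""
    reasons = []
    if not message["qr_urls"]:
        return 0, reasons  # no QR payload: nothing for this heuristic to say
    text = message["body_text"]
    if len(text.split()) < MIN_WORDS:
        reasons.append("minimal body text around the QR code")
    if message.get("attachment_qr"):
        reasons.append("QR code embedded in an attachment rather than the body")
    if any(k in text.lower() for k in LURE_KEYWORDS):
        reasons.append("authentication-themed lure wording")
    for url in message["qr_urls"]:
        host = urlparse(url).hostname
        target = redirect_target(url)
        if target:
            reasons.append(f"QR URL forwards to {urlparse(target).hostname} via a query parameter")
        for brand in brand_mismatch(url, text):
            reasons.append(f"brand '{brand}' referenced but QR URL host is {host}")
    return len(reasons), reasons


# Constructed samples (not real campaign data).
SAMPLE_PHISH = {
    "body_text": "Your Microsoft password expires today. Scan the code to reset it.",
    "qr_urls": ["https://cdn-example.test/r?u=https%3A%2F%2Flogin.evil-example.test%2Fmfa"],
    "attachment_qr": False,
}
SAMPLE_BENIGN = {
    "body_text": (
        "Thanks for registering for the Microsoft community meetup next month. Scan the "
        "code below to open the agenda page, or use the link in the footer of this message. "
        "Parking details and the venue map are attached as a PDF for your convenience."
    ),
    "qr_urls": ["https://www.microsoft.com/events/meetup"],
    "attachment_qr": False,
}

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        score, reasons = triage(msg)
        print(f"{name}: score={score}", *reasons, sep="\n  ")
```

The score is a count of independent indicators rather than a weighted model; in practice each reason would feed a detection pipeline alongside sender reputation and the rendered-image analysis the post goes on to describe. The redirect check only sees a nested URL in the query string, so a server-side redirect on the first hop still needs URL detonation to resolve.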

The impact of QR code phishing campaigns on the broader email security industry

With the most common intent of QR code phishing being credential theft, malware distribution, or financial theft, QR code campaigns are often massive, exceeding 1,000 users, and follow targeted information-gathering reconnaissance by bad actors.[2]

Microsoft security researchers first started noticing an increase in QR code-based attacks in September 2023. We saw attackers quickly morphing their techniques in two key ways: first, by manipulating the way the QR code rendered (such as different colors and tables), and second, by manipulating the embedded URL to perform redirection.

The dynamic nature of QR codes made it challenging for traditional email security mechanisms that were designed for link-based phishing techniques to effectively filter and protect against these types of cyberattacks. A key reason was the fact that extensive image content analysis was not commonly done for every image in every message, and did not represent a standard in the industry at the time of the surge.

As a result, for several months our customers saw an increase in bad email that contained malicious QR codes as we were adapting and evolving our technology to be effective against QR codes. This was a challenging time for our customers and those of other email security vendors. We added incremental resources and redirected all our engineering energy to address these issues, and along the way not only delivered new technological innovations but also modified our processes and modernized components of our pipeline to be more resilient in the future. Now these challenges have been addressed through a key set of innovations, and we want to share our learnings and technology advancements moving forward.

For bad actors, QR code phishing has become a lucrative business, and attackers are utilizing AI and large language models (LLMs) like ChatGPT to increase the speed and improve the believability of their attacks. Recent research by Insikt Group noted that bad actors can generate 1,000 phishing emails in under two hours for as little as $10.[3] For the security industry, this necessitates a multifaceted response including improved employee training and a renewed commitment to innovation.

The necessity of innovation in QR code phishing defense

Innovation in the face of evolving QR code phishing risk is not just beneficial, it’s imperative. As cybercriminals continually refine their tactics to exploit new technologies, security solutions must evolve at a similar pace to remain effective. In response to the growing threat of QR code phishing, Microsoft Defender for Office 365 took decisive action to leverage advanced machine learning and AI—developing robust defenses capable of detecting and neutralizing QR code phishing attacks in real time. Our team meticulously analyzed these cyberthreats across trillions of signals, gaining valuable insights into their mechanisms and evolving patterns. This knowledge helped us refine our security protocols and enhance our platform’s resilience with several strategic updates. As the largest email security provider, we have seen a significant decline in QR code phishing attempts. At the height, Defender for Office 365 was blocking 3 million attempts daily, and with the delivery of innovative protection we have seen this number shrink to 200,000 QR code phishing attempts every day. This is a testament that our innovation is having the desired effect: reducing the effectiveness of QR code-based attacks and forcing attackers to shift their tactics.

Figure 2. QR code phishing blocked by Microsoft Defender for Office 365.

Recent innovations and protections we’ve implemented and improved within Microsoft Defender for Office 365 to help combat QR code phishing include:

  • URL extraction enhancements: Microsoft Defender for Office 365 has improved its capabilities to extract URLs from QR codes, substantially boosting the system’s ability to detect and counteract phishing links hidden within QR images. This enhancement enables a more thorough analysis of potential cyberthreats embedded in QR codes. In addition, we now extract metadata from QR codes, which enriches the contextual data available during threat assessments, enhancing our ability to detect suspicious activities early in the attack chain.
  • Advanced image processing: Advanced image processing techniques at the initial stage of the mail flow process allow us to extract and log URLs hidden within QR codes. This proactive measure disrupts attacks before they have a chance to compromise end user inboxes, addressing cyberthreats at the earliest possible point.
  • Advanced hunting and remediation: Our advanced hunting capabilities give security teams a comprehensive view of QR code threats across email, endpoints, and identities, so they are well equipped to identify and filter out malicious activity linked to these codes.
  • User resilience against QR code phishing: To further equip organizations against these emerging threats, Microsoft Defender for Office 365 has expanded its advanced capabilities to include QR code threats, maintaining alignment with email platforms and specific cyberattack techniques. Our attack simulation training, alongside the standard setup of user selection, payload configuration, and scheduling, now includes specialized payloads for QR code phishing to simulate authentic attack scenarios.

Read more technical details on how to hunt and respond to QR code-based attacks. By integrating all these capabilities across the Microsoft Defender XDR platform, we can help ensure any QR code-related threats identified in emails are thoroughly analyzed in conjunction with endpoint and identity data, creating a robust security posture that addresses threats on multiple fronts.

Staying ahead of the evolving threat landscape 

The enhancements to Microsoft Defender for Office 365 that defend against QR code-based phishing attacks showed that we needed to advance Microsoft’s email and collaboration security faster. The rollout of the capabilities above has closed this gap and made Defender for Office 365 effective against these attacks, and as the use of QR codes expands, our defensive tactics will now be equally advanced to combat them.

Our continuous investment in analyzing the cyberthreat landscape, learning from past gaps, and our updated infrastructure will enable us to effectively handle present issues and proactively address future risks faster as threats emerge across email and collaboration tools. We will soon be sharing more exciting innovation that will showcase our commitment to delivering the best email and collaboration security solution to customers.

For more information, view the data sheet on protecting against QR code phishing or visit the website to learn more about Microsoft Defender for Office 365.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] Attackers Weaponizing QR Codes to Steal Employees Microsoft Credentials, Cybersecurity News. August 22, 2023.

[2] Hunting for QR Code AiTM Phishing and User Compromise, Microsoft Tech Community. February 12, 2024.

[3] Security Challenges Rise as QR Code and AI-Generated Phishing Proliferate, Recorded Future. July 18, 2024.

The post How Microsoft Defender for Office 365 innovated to address QR code phishing attacks appeared first on Microsoft Security Blog.

How Microsoft Incident Response and Microsoft Defender for Identity work together to detect and respond to cyberthreats
http://approjects.co.za/?big=en-us/security/blog/2024/03/21/how-microsoft-incident-response-and-microsoft-defender-for-identity-work-together-to-detect-and-respond-to-cyberthreats/
Thu, 21 Mar 2024 16:00:00 +0000

Learn how Microsoft Incident Response works together with Microsoft Defender for Identity to give customers fast, flexible service—before, during, or after a cybersecurity incident occurs.

Identity-based cyberthreats are on the rise. 2023 saw a tenfold increase in threats including phishing, ransomware, and more.[1] And bad actors continue to evolve their techniques—making them more sophisticated, more overwhelming, and more believable. From an employee’s viewpoint, every ping, click, swipe, buzz, ding, text, and tap takes time and attention—which can add up to a loss of focus, alert fatigue, and increased risk. In this post, we’ll look at a human-operated ransomware attack that began with one malicious link in one user’s email. Then we’ll share how Microsoft Incident Response helped facilitate collaboration among security, identity, and incident response teams to help a customer evict the bad actor from their environment and build resilience for future threats.

One click opens the door to a threat actor

We know that 50% of Microsoft cybersecurity recovery engagements relate to ransomware,[2] and 61% of all breaches involve credentials.[3] Identity attacks continue to be a challenge for businesses because humans continue to be a central risk vector in social engineering identity attacks. People click links without thinking. Too often, users open attachments by habit, thereby opening the door to threat actors. Even when employees recognize credential harvesting attempts, they’re often still susceptible to drive-by URL attacks. And teams focused on incident response are often disconnected from teams that manage corporate identities. In this incident, one click on a malicious link led a large customer to reach out to Microsoft Incident Response for help.

Figure 1. Diagram of a threat actor’s malware moving through the network.

The malicious link the employee clicked infected their device with Qakbot. Qakbot is a modular malware that has been evolving for more than a decade. It’s a multipurpose malware that unfortunately gives attackers a wide range of capabilities. Once the identity-focused threat actor had established multiple avenues of persistence in the network and seemed to be preparing to deploy ransomware, the customer’s administrators and security operations staff were overwhelmed with tactical recovery and containment. That’s when they called Microsoft.

Your first call before, during, and after a cybersecurity incident

Microsoft Incident Response stepped in and deployed Microsoft Defender for Identity—a cloud-based security solution that helps detect and respond to identity-related threats. Bringing identity monitoring into incident response early helped an overwhelmed security operations team regain control. This first step helped to identify the scope of the incident and impacted accounts, take action to protect critical infrastructure, and work on evicting the threat actor. Then, by leveraging Microsoft Defender for Endpoint alongside Defender for Identity, Microsoft Incident Response was able to trace the threat actor’s movements and disrupt their attempts to use compromised accounts to reenter the environment. And once the tactical containment was complete and full administrative control over the environment was restored, Microsoft Incident Response worked with the customer to move forward to build better resiliency to help prevent future cyberattacks. More information about the incident and remediation details can be found on our technical post titled “Follow the Breadcrumbs with Microsoft Incident Response and Microsoft Defender for Identity: Working Together to Fight Identity-Based Attacks.”

Strengthen your identity posture with defense in depth

We know protecting user identities can help prevent incidents before they happen. But that protection can take many forms. Multiple, collaborative layers of defense—or defense in depth—can help build up protection so no single control must shoulder the entire defense. These layers include multifactor authentication, conditional access rules, mobile device and endpoint protection policies, and even new tools—like Microsoft Copilot for Security. Defense in depth can help prevent many cyberattacks—or at least make them difficult to execute—through the implementation and maintenance of layers of basic security controls.

In a recent Cyberattack Series blog post and report, we go more in depth on how to protect credentials against social engineering attacks. The cyberattack series case involved Octo Tempest—a highly active cyberthreat actor group which utilizes varying social engineering campaigns with the goal of financial extortion across many business sectors through means of data exfiltration and ransomware. Octo Tempest compromised a customer with a targeted phishing and smishing (text-based phishing) attack. That customer then reached out to Microsoft Incident Response for help to contain, evict, and detect any further threats. By collaborating closely with the victim organization’s IT and security teams, the compromised systems were isolated and contained. Throughout the entire process, effective communication and coordination between the incident response team and the affected organization is crucial. The team provides regular updates on their progress, shares threat intelligence, and offers guidance on remediation and prevention strategies. By working together seamlessly, the incident response team and the affected organization can mitigate the immediate cyberthreat, eradicate the cyberattacker’s presence, and strengthen the organization’s defenses against future cyberattacks.

Honeytokens: A sweet way to defend against identity-based attacks

Another layer of protection for user identities is the decoy account. These accounts are set up expressly to lure attackers, diverting their attention away from real targets and harmful activities—like accessing sensitive resources or escalating privileges. The decoy accounts are called honeytokens, and they can provide security teams with a unique opportunity to detect, deflect, or study attempted identity attacks. The best honeytokens are existing accounts with histories that can help hide their true nature. Honeytokens can also be a great way to monitor in-progress attacks, helping to discover where attackers are coming from and where they may be positioned in the network. For more detailed instructions on how to tag an account as a honeytoken and best practices for honeytoken use, read our tech community post titled “Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity.”
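The detection value of a honeytoken comes from one property: no legitimate process ever authenticates as, or looks up, the decoy account, so any event that touches it is a signal worth an alert. The block below is an added example written for this page, not Defender for Identity's detection logic; it runs a minimal honeytoken monitor over a handful of constructed log lines (the account names, hosts, event types and line format are all made up) and shows why failed logons and directory lookups against the decoy count just as much as successful logons.

```python
# Added example (not Microsoft Defender for Identity code): a minimal honeytoken
# monitor over constructed authentication and directory events. Any activity that
# touches a decoy account is a high-confidence signal because nobody legitimately
# uses one. Account names, hosts, and the log format are all constructed.

HONEYTOKENS = {"svc-backup-old", "jsmith-admin"}  # constructed decoy accounts

# Constructed log lines: "<timestamp> <event> key=value ...".
SAMPLE_EVENTS = [
    "2024-03-20T09:12:01Z logon account=alice src=10.0.4.15 proto=Kerberos status=success",
    "2024-03-20T09:12:44Z logon account=svc-backup-old src=10.0.9.77 proto=NTLM status=failure",
    "2024-03-20T09:13:02Z ldap_query account=bob src=10.0.4.18 target=svc-backup-old",
    "2024-03-20T09:13:30Z logon account=jsmith-admin src=10.0.9.77 proto=Kerberos status=success",
    "2024-03-20T09:14:10Z logon account=alice src=10.0.4.15 proto=Kerberos status=success",
]


def parse_event(line):
    """Split one constructed log line into a dict of fields."""
    timestamp, event, *pairs = line.split()
    fields = {"timestamp": timestamp, "event": event}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def honeytoken_alerts(lines):
    """Return one alert per event that authenticates as, or enumerates, a decoy account."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("account") in HONEYTOKENS:
            # Failures count too: a guessed password against a decoy is still reconnaissance.
            alerts.append({
                "timestamp": ev["timestamp"],
                "src": ev.get("src"),
                "honeytoken": ev["account"],
                "reason": f"{ev['event']} as decoy account ({ev.get('proto', 'n/a')}, {ev.get('status', 'n/a')})",
            })
        elif ev.get("target") in HONEYTOKENS:
            # Someone querying the directory for the decoy is mapping accounts.
            alerts.append({
                "timestamp": ev["timestamp"],
                "src": ev.get("src"),
                "honeytoken": ev["target"],
                "reason": f"{ev['event']} by {ev['account']} referenced decoy account",
            })
    return alerts


def suspicious_sources(alerts):
    """Hosts that touched any decoy: candidates for isolation and deeper investigation."""
    return sorted({a["src"] for a in alerts if a["src"]})


if __name__ == "__main__":
    found = honeytoken_alerts(SAMPLE_EVENTS)
    for a in found:
        print(a["timestamp"], a["src"], a["honeytoken"], a["reason"])
    print("investigate hosts:", suspicious_sources(found))
```

On the sample data the two logon events against the decoys come from the same source host, and the directory lookup from a second host ties an otherwise unremarkable user into the same timeline; that pivot from decoy to source host is the "where attackers are positioned" information the paragraph describes.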

Working together to build better resilience

Microsoft Incident Response is the first call for customers who want to access dedicated experts before, during, and after any cybersecurity incident. With on-site and remote assistance on a global scale, unprecedented access to product engineering, and the depth and breadth of Microsoft Threat Intelligence, it encompasses both proactive and reactive incident response services. Collaboration is key. Microsoft Incident Response works with the tools and teams available to support incident response—like Defender for Identity, Defender for Endpoint, and now Copilot for Security—to defend against identity-based attacks, together. And that collaboration helps ensure better outcomes for customers. Learn more about the Microsoft Incident Response proactive and reactive response services or see it in action in the fourth installment of our ongoing Cyberattack Series.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] Microsoft Digital Defense Report, Microsoft. 2023.

[2] Microsoft Digital Defense Report, Microsoft. 2022.

[3] 2023 Data Breach Investigations Report, Verizon.

[4] Microsoft Entra: 5 identity priorities for 2023, Joy Chik. January 9, 2023.

The post How Microsoft Incident Response and Microsoft Defender for Identity work together to detect and respond to cyberthreats appeared first on Microsoft Security Blog.

Microsoft Threat Intelligence unveils targets and innovative tactics amidst tax season
http://approjects.co.za/?big=en-us/security/blog/2024/03/20/microsoft-threat-intelligence-unveils-targets-and-innovative-tactics-amidst-tax-season/
Wed, 20 Mar 2024 13:00:00 +0000

Cybercriminals use social engineering during holidays and important events like tax season to steal user information. Our new Microsoft Threat Intelligence tax season report outlines some of the various techniques that threat actors use to craft their campaigns and mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. These include phishing emails, text message phishing (smishing), malicious advertising, and voice phishing (vishing). The Microsoft Threat Intelligence tax season report also shows how threat actors impersonate tax payment processors in phishing emails, what cybercriminals are looking for and who they are targeting, how they can get your data, and, most importantly, how you and your organization can stay safe. Although these are well-known, longstanding techniques, they’re still highly effective and are amplified even more during this time of year.  

Although everyone is susceptible to tax-season phishing, we have noted that certain groups of people are more vulnerable than others. Prime targets include individuals who may be less informed about government tax procedures and methods—green card holders, small business owners, new taxpayers under the age of 25, and older taxpayers over 60.  

At the end of January 2024, Microsoft Threat Intelligence observed a campaign using lures masquerading as tax-related documents provided by employers. The phishing email contained an HTML attachment that directed the user to a fake landing page. This page hosted malicious executables, and once the target clicked the “Download Documents” prompt, malware was installed on their computer.

Figure 1. Phishing email using tax lures.

The malicious executable file dropped on the target’s machine had information stealer capabilities. Once in the environment, it attempted to collect information including login credentials.

Be diligent around phishing emails 

Phishing email campaigns around tax season use a variety of tactics to trick users into believing they represent legitimate sources. These include spoofing the landing pages of genuine services or websites, using homoglyph domains, and customizing phishing links for each user. Threat actors typically impersonate employers and human resources personnel, the Internal Revenue Service (IRS), or taxation-related entities such as state tax organizations or tax preparation services.  

Phishing emails may contain malicious attachments like HTML files, PDF files, or ZIP archives. The cybercriminal tries to exploit the recipients’ trust in the perceived sender to trick them into opening these attachments. When they do, malware is automatically downloaded onto their machine. Threat actors also commonly send URLs that direct users to fraudulent websites that host malware. 

Tax season cybersecurity best practices 

The best defense against cybercriminals, both at tax season and throughout the year, is education and good cyber hygiene. Education means phishing awareness—knowing what phishing attempts look like and what to do when they’re encountered. Good cyber hygiene means implementing basic security measures like multifactor authentication for financial and email accounts. With multifactor authentication enabled, you can prevent 99.9% of attacks on your accounts.  

Ways to help protect yourself from phishing 

Falling for a phishing attack can lead to a number of unwanted outcomes including leaked confidential information, infected networks, financial demands, corrupted data, and more. Here are a few tips to help protect yourself:  

  • Inspect the sender’s email address. Is everything in order? A misplaced character or unusual spelling could signal a fake.  
  • Be wary of emails with generic greetings (“Dear customer,” for example) that ask you to act urgently. 
  • Look for verifiable sender contact information. If in doubt, do not reply. Start a new email to respond instead. 
  • Never send sensitive information by email. If you must convey private information, use the phone. 
  • Think twice about clicking unexpected links, especially if they direct you to sign into your account. To be safe, log in from the official website instead.  
  • Avoid opening email attachments from unknown senders or friends who do not usually send you attachments. 
  • Install a phishing filter for your email apps and enable the spam filter on your email accounts. 
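The first tip above (inspect the sender's address for a misplaced character or unusual spelling) and the earlier mention of homoglyph domains can be automated on the mail-filter side. The block below is an added example written for this page, not code from the report or from any Microsoft product; it reduces a sender domain to a canonical "skeleton" (punycode decoded, accents stripped, Cyrillic/Greek lookalikes and digit substitutions mapped back to Latin letters) and flags domains whose skeleton collides with, or is one edit away from, a trusted domain. The trusted list, the confusable table and every sample address are constructed for illustration.

```python
# Added example (not from the report): flag sender domains that imitate trusted
# tax-related domains with homoglyphs or one-character edits. The trusted list,
# the confusable table and the sample addresses are constructed for illustration.
import unicodedata
from email.utils import parseaddr

TRUSTED_DOMAINS = {"irs.gov", "example-payroll.com"}  # constructed allowlist

# Characters commonly swapped for Latin letters (given as escapes so the table is unambiguous).
SINGLE_CHAR = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "\u03bf": "o", "\u03bd": "v", "\u03b9": "i",                 # Greek ο ν ι
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",            # digit substitutions
})
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))  # two-letter lookalikes


def skeleton(domain):
    """Reduce a domain to a canonical ASCII form so lookalikes collide with the original."""
    domain = domain.strip().lower().rstrip(".")
    if "xn--" in domain:  # punycode-encoded internationalized labels
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed label: fall through and compare as-is
    domain = unicodedata.normalize("NFKD", domain)
    domain = "".join(ch for ch in domain if not unicodedata.combining(ch))  # drop accents
    domain = domain.translate(SINGLE_CHAR)
    for pair, letter in MULTI_CHAR:
        domain = domain.replace(pair, letter)
    return domain


def edit_distance(a, b):
    """Plain Levenshtein distance, small enough to inline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    _, addr = parseaddr(address)  # strips any display name such as "IRS Refund Desk"
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if sk == skeleton(trusted) or edit_distance(domain, trusted) <= 1:
            return "lookalike", trusted
    return "unknown", None


# Constructed sample senders (not real addresses).
SAMPLE_SENDERS = [
    '"IRS Refund Desk" <refund@irs.gov>',
    '"IRS Refund Desk" <refund@1rs.gov>',
    "payroll@exarnple-payroll.com",
    "hr@examp1e-payroll.com",
    "notice@\u0456rs.gov",  # Cyrillic і in place of Latin i
    "support@tax-helper.test",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender!r}: {classify_sender(sender)}")
```

A "lookalike" verdict is a reason to hold or tag the message, not proof of fraud: the edit-distance rule will also catch legitimate sibling domains, so in a real filter it belongs behind the domain-authentication checks (SPF, DKIM, DMARC) rather than in front of them.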

To learn more about the latest observed tax season phishing campaigns, social engineering fraud, and tips on how to stay ahead of these types of attacks during tax season and other holidays, read the Microsoft Threat Intelligence tax season report. For a deeper look into social engineering fraud tactics, read Feeding from the trust economy: social engineering fraud, and watch the session from Microsoft Ignite 2023 called The risk of trust: Social engineering threats and cyber defense.

Keeping a pulse on today’s threats

The Microsoft Threat Intelligence team tracks hundreds of threat actor groups worldwide, with more than 10,000 security experts analyzing more than 78 trillion signals daily to uncover the latest insights. Microsoft Threat Intelligence’s global network of security and intelligence teams includes engineers, researchers, data scientists, cybersecurity experts, threat hunters, geopolitical analysts, investigators, and frontline responders across 77 countries. These experts come together to help share timely insights about the ever-expanding attack surface and provide actionable guidance through resources like the annual Microsoft Digital Defense Report, nation-state reports, the Microsoft Threat Intelligence podcast, Cyber Signals report, and digital briefings. To read the latest reports, threat briefs, or learn about the tactics and techniques from some of the more than 300 threat actors that we monitor and to get behind the scenes and watch interviews with threat intelligence experts, visit Security Insider.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Threat Intelligence unveils targets and innovative tactics amidst tax season appeared first on Microsoft Security Blog.

Malware distributor Storm-0324 facilitates ransomware access
http://approjects.co.za/?big=en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/
Tue, 12 Sep 2023 17:00:00 +0000

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats. This activity is not related to the Midnight Blizzard social engineering campaigns over Teams that we observed beginning in May 2023. Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware.

Storm-0324 (DEV-0324), which overlaps with threat groups tracked by other researchers as TA543 and Sagrid, acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors.  Storm-0324’s tactics focus on highly evasive infection chains with payment and invoice lures. The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer and the Nymaim downloader and locker.

In this blog, we provide a comprehensive analysis of Storm-0324 activity, covering their established tools, tactics, and procedures (TTPs) as observed in past campaigns as well as their more recent attacks. To defend against this threat actor, Microsoft customers can use Microsoft 365 Defender to detect Storm-0324 activity and significantly limit the impact of these attacks on networks. Additionally, by using the principle of least privilege, building credential hygiene, and following the other recommendations we provide in this blog, administrators can limit the destructive impact of ransomware even if the attackers can gain initial access.

Historical malware distribution activity

Storm-0324 manages a malware distribution chain and has used exploit kit and email-based vectors to deliver malware payloads. The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic. This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site.

Storm-0324’s email themes typically reference invoices and payments, mimicking services such as DocuSign, QuickBooks, and others. Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload. Storm-0324 has used many file formats to launch the malicious JavaScript, including Microsoft Office documents, Windows Script File (WSF), and VBScript, among others.

Storm-0324 has distributed a range of first-stage payloads since at least 2016, including:

  • Nymaim, a first-stage downloader and locker
  • Gozi version 3, an infostealer
  • Trickbot, a modular malware platform
  • Gootkit, a banking trojan
  • Dridex, a banking trojan
  • Sage ransomware
  • GandCrab ransomware
  • IcedID, a modular information-stealing malware

Since 2019, however, Storm-0324 has primarily distributed JSSLoader, handing off access to ransomware actor Sangria Tempest.

Ongoing Storm-0324 and Sangria Tempest JSSLoader email-based infection chain

Figure 1. Storm-0324 JSSLoader infection chain based on mid-2023 activity. The diagram runs from the delivery of the phishing email to the deployment of the JSSLoader DLL, after which access is handed off to Sangria Tempest.

Since as early as 2019, Storm-0324 has handed off access to the cybercrime group Sangria Tempest after delivering the group’s first-stage malware payload, JSSLoader. Storm-0324’s delivery chain begins with phishing emails referencing invoices or payments and containing a link to a SharePoint site that hosts a ZIP archive. Microsoft continues to work across its platforms to identify abuse, take down malicious activity, and implement new proactive protections to discourage malicious actors from using our services.

Screenshot of invoice-themed lure email
Figure 2. Example Storm-0324 email

The ZIP archive contains a file with embedded JavaScript code. Storm-0324 has used a variety of files to host the JavaScript code, including WSF and Ekipa publisher files exploiting the CVE-2023-21715 local security feature bypass vulnerability.

When the JavaScript launches, it drops a JSSLoader variant DLL. The JSSLoader malware is then followed by additional Sangria Tempest tooling.

In some cases, Storm-0324 uses protected documents for additional social engineering. By adding the security code or password in the initial communications to the user, the lure document may acquire an additional level of believability for the user. The password also serves as an effective anti-analysis measure because it requires user interaction after launch.

Screenshot of Storm-0324 password protected lure document
Figure 3. Storm-0324 password-protected lure document

New Teams-based phishing activity

In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file. For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher. TeamsPhisher is a Python-language program that enables Teams tenant users to attach files to messages sent to external tenants, which can be abused by attackers to deliver phishing attachments. These Teams-based phishing lures by threat actors are identified by the Teams platform as “EXTERNAL” users if external access is enabled in the organization.

Microsoft takes these phishing campaigns very seriously and has rolled out several improvements to better defend against these threats. In accordance with Microsoft policies, we have suspended identified accounts and tenants associated with inauthentic or fraudulent behavior. We have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders. We rolled out new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant. In addition to these specific enhancements, our development teams will continue to introduce additional preventative and detective measures to further protect customers from phishing attacks.

Recommendations

To harden networks against Storm-0324 attacks, defenders are advised to implement the following:

Microsoft customers can turn on attack surface reduction rules to prevent common attack techniques:

Detection details

Microsoft 365 Defender

Microsoft 365 Defender is becoming Microsoft Defender XDR.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

  • Ransomware-linked Storm-0324 threat activity group detected

Hunting queries

Microsoft 365 Defender

Possible TeamsPhisher downloads

The following query looks for downloaded files that were potentially facilitated by use of the TeamsPhisher tool. Defenders should customize the SharePoint domain name (‘mysharepointname’) in the query.

let allowedSharepointDomain = pack_array(
'mysharepointname' //customize Sharepoint domain name and add more domains as needed for your query
);
//
let executable = pack_array(
'exe',
'dll',
'xll',
'msi',
'application'
);
let script = pack_array(
'ps1',
'py',
'vbs',
'bat'
);
let compressed = pack_array(
'rar',
'7z',
'zip',
'tar',
'gz'
);
//
let startTime = ago(1d);
let endTime = now();
DeviceFileEvents
| where Timestamp between (startTime..endTime)
| where ActionType =~ 'FileCreated'
| where InitiatingProcessFileName has 'teams.exe'
    or InitiatingProcessParentFileName has 'teams.exe'
| where InitiatingProcessFileName !has 'update.exe'
    and InitiatingProcessParentFileName !has 'update.exe'
| where FileOriginUrl has 'sharepoint'
    and FileOriginReferrerUrl has_any ('sharepoint', 'teams.microsoft')
| extend fileExt = tolower(tostring(split(FileName,'.')[-1]))
| where fileExt in (executable)
    or fileExt in (script)
    or fileExt in (compressed)
| extend fileGroup = iff( fileExt in (executable),'executable','')
| extend fileGroup = iff( fileExt in (script),'script',fileGroup)
| extend fileGroup = iff( fileExt in (compressed),'compressed',fileGroup)
//
| extend sharePoint_domain = tostring(split(FileOriginUrl,'/')[2])
| where not (sharePoint_domain has_any (allowedSharepointDomain))
| project-reorder Timestamp, DeviceId, DeviceName, sharePoint_domain, FileName, FolderPath, SHA256, FileOriginUrl, FileOriginReferrerUrl

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post-exploitation activity detailed in this blog, in addition to the Microsoft 365 Defender detections listed above.

Further reading

Microsoft customers can refer to the report on this activity in Microsoft Defender Threat Intelligence and Microsoft 365 Defender for detections, assessment of impact, mitigation and recovery actions, and hunting guidance.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Malware distributor Storm-0324 facilitates ransomware access appeared first on Microsoft Security Blog.

Microsoft Defender for Office 365 gets highest rating in SE Labs Enterprise Email Security Services test for Q1 2023
http://approjects.co.za/?big=en-us/security/blog/2023/08/01/microsoft-defender-for-office-365-gets-highest-rating-in-se-labs-enterprise-email-security-services-test-for-q1-2023/
Tue, 01 Aug 2023 16:00:00 +0000

In Q1 2023, Microsoft was once again part of an evaluation of email security platforms conducted by SE Labs. We are thrilled to announce that Microsoft Defender for Office 365 has once again received an AAA Protection Award, the highest possible that a vendor can achieve in this test.

In the ever-evolving world of cybersecurity, email remains a primary attack vector for cybercriminals, making effective email protection a foundational piece of any organization’s security strategy. 

In Q1 2023, Microsoft was once again part of an evaluation of email security platforms conducted by SE Labs. SE Labs has been industry-renowned for assessing the effectiveness of security solutions for nearly a decade, and in their latest report, various email security vendors’ solutions were tested against a range of simulated email attack scenarios.  

We are thrilled to announce that Microsoft Defender for Office 365 has once again received an AAA Protection Award, the highest possible that a vendor can achieve in this test.  

Empowering thousands of teams worldwide, Microsoft Defender for Office 365 provides robust security against advanced threats like phishing, business email compromise (BEC), credential phishing, spear phishing, and ransomware over email. With a wide range of protection features that leverage advanced machine learning and sophisticated heuristics, Defender for Office 365 identifies and neutralizes attacks with exceptional detection breadth, to facilitate a secure email environment for any type of organization.


In the SE Labs report, Microsoft Defender for Office 365 received the AAA Protection Award based on the following criteria: 

  • 81 percent of emails that contained threats were blocked. 
  • 100 percent of email that was legitimate was correctly identified. 

The testing methodology used in the report was designed to emulate real-world scenarios as closely as possible. For testing threat detection, a collection of email threats was compiled, including phishing emails, BEC attempts, and other forms of malicious content. These were sourced from a variety of channels to ensure a representative sample. Simultaneously, legitimate emails were prepared to test the ability to identify non-threatening communications.

This high score on threat containment demonstrates the exceptional email security protection Microsoft provides and the effectiveness with which Microsoft Defender for Office 365 can protect customers from BEC. Meanwhile, the perfect score for correctly identifying legitimate email shows our commitment to ensuring that important communications are not mistakenly flagged as threats.  

Even with this already high level of accuracy, the core functionality that drives automated threat detection in Microsoft Defender for Office 365 is built from the ground up to embody continuous improvement and adaptation. Our AI-powered algorithms continue to train from each real-world interaction, to become more capable over time. This commitment to growth and learning is another key factor that differentiates Microsoft in the field of email security.  

However, no matter how accurate, automated threat detection is not the only key component of an effective cybersecurity strategy. A proactive security culture that engages users is an indispensable element of any comprehensive security solution, which is why attack and phishing simulation training is also a core component of Microsoft Defender for Office 365. With user training that continuously runs exercises to educate employees and senior leaders to raise their awareness of real-life phishing attacks, organizations can keep their most sensitive and important information secure.

Beyond identifying threats and legitimate email, Defender for Office 365 also uses advanced AI to disrupt attacks in their early stages, providing an additional layer of protection. This is particularly important for protecting against BEC. This AI-driven system is designed to recognize and respond to such threats, ensuring business communications remain secure and trustworthy.  

The SE Labs report validates that Microsoft Defender for Office 365, part of Microsoft 365 Defender, continues to be a leading choice for email protection, trusted by organizations and companies worldwide.  

Microsoft Defender for Office 365 provides comprehensive coverage, both through the lifecycle of an attack and across email and collaboration tools like email, Microsoft Teams, SharePoint, and OneDrive. These capabilities are part of Microsoft’s extended detection and response (XDR) solution, Microsoft 365 Defender, which helps organizations secure their users with integrated threat protection, detection, and response across endpoints, email, identities, applications, and data.  

To take advantage of our advanced email protection in your environment, get started with Microsoft Defender for Office 365 today! 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


Forrester names Microsoft a Leader in the 2023 Enterprise Email Security Wave
http://approjects.co.za/?big=en-us/security/blog/2023/06/12/forrester-names-microsoft-a-leader-in-the-2023-enterprise-email-security-wave/
Mon, 12 Jun 2023 16:00:00 +0000

Microsoft Defender for Office 365 is recognized as a Leader in Forrester’s 2023 Enterprise Email Security Wave Report.

In today’s rapidly evolving connected workplace, where hybrid and remote work are increasingly the norm, workplace productivity and communications tools like email and chat applications are more important than ever. However, cyberthreats continue to evolve with increasing capabilities and sophistication, so protecting sensitive information has never been more important. Therefore, the need for security solutions that can be seamlessly integrated into an organization’s productivity stack and provide effective protection, while minimizing resource overhead and cost, has never been more important.

We are proud to announce that Microsoft Defender for Office 365 has been recognized as a Leader in The Forrester Wave™: Enterprise Email Security, Q2 2023 report, which we believe demonstrates its strong track record for being a comprehensive and robust email and collaboration security solution.1 Forrester noted that “Microsoft’s continued investment in security is paying off as it protects end users from attacks that target communication and collaboration environments in addition to email,” and that “email and collaboration security are key elements of Microsoft’s extended detection and response (XDR) strategy, adding prevention capabilities to its unified approach to detection, investigation, response, and remediation.”

Graphic showing the Forrester Wave: Enterprise Email Security, Q2 2023 report.

The Forrester Wave report evaluates email security solutions based on criteria that include email filtering capabilities, threat intelligence, data leak prevention control enforcement, endpoint detection and response (EDR) and XDR integrations, performance, and product strategy. In the latest evaluation for Q2 2023, Defender for Office 365 has demonstrated its excellence in these areas, offering a range of industry-leading capabilities that set it apart from its competitors. Defender for Office 365 received the highest possible score in the incident response, threat intelligence, EDR and XDR solutions integration criteria, as well as in the product vision and roadmap.

Microsoft capabilities

With our unparalleled database of 65 trillion security signals gathered across Microsoft Security products (including Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, Microsoft Sentinel, and Microsoft Azure Active Directory), combined with state-of-the-art AI and machine learning research, Defender for Office 365 is capable of detecting and mitigating advanced threats from phishing, malware, and zero-day exploits with an industry-leading level of accuracy. This real-time threat intelligence and proactive monitoring enable organizations to stay at the forefront of rapidly changing threats.

Defender for Office 365 empowers security operations (SecOps) teams to investigate and remediate incidents swiftly. With automated and manual incident response capabilities, SecOps teams can respond to email attacks and risks across all email channels. Whether it’s investigating potentially malicious clicks, suspected user compromise, or suspicious messages, Defender for Office 365 provides tools and processes to identify, analyze, and respond to incidents efficiently. Automated investigation and remediation features expedite the analysis and response for events like this, enabling SecOps teams to take swift action and minimize the impact of attacks. 

Defender for Office 365 seamlessly integrates with other Microsoft products and security solutions, minimizing machine resource overhead cost, while maximizing the comprehensiveness of protection coverage. This integration also enables a centralized single point for management, providing unparalleled visibility, streamlining security operations, and enhancing overall threat response capabilities. With this holistic approach, organizations benefit from reduced complexity without sacrificing security performance.


Users form an important proactive defensive layer within any organization, especially against phishing-based attacks. Based on this understanding, Defender for Office 365 emphasizes the significance of user readiness. With tools that provide relevant training and customized simulations based on the unique situation of each organization, users can be equipped with the knowledge and skills to spot threats effectively. Defender for Office 365 enables employees to play an active role in keeping their organizations secure. This approach to user readiness adds a layer of defense against email-based threats. 

As cyberthreats continue to evolve, Defender for Office 365 remains committed to staying one step ahead. We are proud of the strides we’ve made in the enterprise and email security space, and even more grateful to see our efforts recognized by an institution like Forrester. However, we can’t rest on our laurels, and maintaining this leadership means remaining dynamic, adaptable, and focused on innovation. Our team continues to focus on research and development to understand emerging threats and develop cutting-edge defenses against them.

Furthermore, customer feedback has been and will continue to be an instrumental part of determining our product direction and development. Keeping our customers satisfied, feeling valued, heard, and confident about their security will always be our highest priority.

For more information on this recognition, check out the full Forrester Wave: Enterprise Email Security, Q2 2023 Report.

Learn more

Learn more about Microsoft Defender for Office 365.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1 The Forrester Wave™: Enterprise Email Security, Q2 2023, Jess Burn. June 12, 2023.

Why a proactive detection and incident response plan is crucial for your organization
http://approjects.co.za/?big=en-us/security/blog/2023/06/06/why-a-proactive-detection-and-incident-response-plan-is-crucial-for-your-organization/
Tue, 06 Jun 2023 16:00:00 +0000

Matt Suiche of Magnet Forensics talks about top security threats for organizations and strategies for effective incident response.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Matt Suiche, Director of Research and Development for Memory Analysis and Incident Response for Magnet Forensics. The thoughts below reflect Matt’s views, not the views of Matt’s employer or Microsoft, and are not legal advice. In this blog post, Matt talks about incident response.

Brooke: What are the top threats impacting organizations?

Matt: One of the big threats is business email compromise, with all the phishing happening to organizations and billions of dollars being stolen because of invoices being modified after attackers access the mailboxes of key employees.

Another threat is info-stealers. Essentially, ransomware involved criminal groups breaching organizations’ infrastructure, encrypting their files, and asking for ransom. Now, because more organizations are aware of that threat, they have become more proactive, and use backups. This is why criminal groups are switching to info-stealers, where they steal that sensitive information rather than randomly encrypting files. They are more strategic with the data they are stealing, so they can monetize the information. Ransomware actors even buy the credentials of companies on different forums or from other criminal groups.

Brooke: How can organizations reduce the risk of threats?

Matt: Reducing your risk is a continuous process because threats today are different from a few years ago and they are different from what they will be in one to three years.

Organizations must understand that there will never be zero risk. That is why it is important to be proactive when it comes to detection as well as have a strong, quick, and efficient incident response plan in place. We enable our users to proactively hunt for threats not only after breaches but also as a routine exercise as sometimes actors can be present in your network for months before they take any visible actions.

This plan should also include digital forensics—uncovering root causes and working those learnings back into the rest of the organization to remediate vulnerabilities, as well as improve the overall incident response plan, which is another strong way to reduce the risk of attack through similar methods.


Brooke: How do you get leadership buy-in to build an incident response team?

Matt: To get budget, the chief information security officer needs to convince upper management of being prepared for a cyber breach, as it is inevitable. At organizations that understand the security risk, it may be easier to get budget, but then it is about how you deploy that budget. That comes down to the organization and leadership prioritizing what they want to focus on based on the actual threat model of the organization and areas where they know they are weak and want to improve.

The answer is going to differ from one organization to another, but the main thing is to make sure that leadership understands the risk of poor cybersecurity and a lack of preparedness for when a breach occurs. Fortunately, in 2023, there are enough stories in the press, movies, TV shows, and books to do the job for people.

Brooke: How does an organization develop an efficient incident response process?

Matt: First, each organization needs to understand its threat model, because each organization has different risks. The issues of a healthcare company and a financial institution are going to be completely different, and even the people targeting you would have different attack strategies.

Organizations need to focus on both detection and response capabilities. Detection involves being proactive, making sure you have visibility of your network and understand what is happening. If there is a threat, you detect it. The response part is why you have an incident response plan and digital forensics capabilities in place. If something is happening, you need to be able to investigate it immediately and thoroughly.

Organizations also need to understand their threat model and the profile of people that may be going after them. Based on that information, focus on a strategy for detection and a strategy for incident response. Threat intelligence is a component of both.

Everyone also needs to have a backup plan internally whenever they investigate because detection is great but not perfect.

Brooke: What do we need to know about incident response to protect ourselves?

Matt: Unfortunately, a lot of security processes involve humans, so if you are a large organization, automate as much as you can to avoid security people experiencing burnout and so your company can be more efficient.

If you are an organization developing software, make sure you have proper application security people in place. If you are handling data, make sure you have good controls in place. If you are a financial institution, you are going to need all of the above, so it really depends on the profile of the organization. It is about people being logical and not only relying on security products.

Brooke: Why is multifactor authentication so important?

Matt: With identity, we are talking about control. Multifactor authentication is great because it adds a layer to authentication. As long as we depend on passwords for authentication, multifactor authentication is a must because of the issues happening with spear phishing, business email compromise, and databases containing passwords being leaked.

Passwordless is the future of authentication. Until we move toward the direction of passwordless authentication, two-factor authentication is going to be a must.

Brooke: How do you sift through information about a threat effectively without burnout?

Matt: AI is good if you know and understand the data you have, which is not often the case. Information triage is always required. Organizations need to understand their needs properly and not simply be driven by checkbooks or just check boxes because of compliance.

A good first step is what we call a priority intelligence requirement. Data is always about context. You need to understand what type of data you have to categorize it and then that can be efficient. If you have a lot of information, it is good, but if you have data with no context, it is useless. That is why you need to always make sure you have the right context, and that what you are collecting is responding to your intelligence requirements.

Brooke: What is the best way to monitor tenant administrator accounts?

Matt: This goes back to building a proper threat model so organizations can identify potential infection vectors and how administrative accounts are being used. In a lot of cases, you may have administrative accounts that are completely forgotten or hidden somewhere. For example, an employee left, and that account was not disabled.

That is why I like authentication. More organizations are using single sign-on (SSO) technologies in addition to multifactor authentication. Another great way to do this is to avoid multiple accounts and centralize identity and control so it is easier to monitor. It is a difficult exercise because you may have multiple Microsoft Azure Active Directory accounts, multiple cloud providers, different accounts for accounting, or other things not inside the SSO. If you do a threat model, you can list all the ways of authentication that would require monitoring in the first place.

Brooke: What is your advice for incident response teams, whether one person or more?

Matt: Whether one person handles incident response, or you have a team of 10 people, you must understand what you do well but also your limitations. Understanding your limitations is often quite tricky because people do not like the exercise of discovering what is missing or requires improvement.

Sometimes, the security approach is generic and aligned with compliance checkboxes when it should be more practical. The more practical it is, the easier it is to make decisions. Understand your current capabilities and weaknesses, then focus on where you have gaps. Start with creating an incident response plan and aligning your internal stakeholders around it. Ensure it includes steps for what happens during and immediately after the breach and post-incident so that you can learn from the incident and come out stronger. If you just spend your time filtering and doing triage of data and information, it is like running in the sand backward.

Learn more

Learn more about Microsoft Incident Response.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

Cyber Signals: Shifting tactics fuel surge in business email compromise
http://approjects.co.za/?big=en-us/security/blog/2023/05/19/cyber-signals-shifting-tactics-fuel-surge-in-business-email-compromise/
Fri, 19 May 2023 10:00:00 +0000

Business email compromise operators seek to exploit the daily sea of email traffic to lure victims into providing financial and other sensitive business information.

Today we released the fourth edition of Cyber Signals highlighting a surge in cybercriminal activity around business email compromise (BEC). Microsoft has observed a 38 percent increase in cybercrime as a service (CaaS) targeting business email between 2019 and 2022.1

Successful BEC attacks cost organizations hundreds of millions of dollars annually. In 2022, the FBI’s Recovery Asset Team (RAT) initiated the Financial Fraud Kill Chain (FFKC) on 2,838 BEC complaints involving domestic transactions with potential losses of more than USD590 million.2  

BEC attacks stand apart in the cybercrime industry for their emphasis on social engineering and the art of deception. Between April 2022 and April 2023, Microsoft Threat Intelligence detected and investigated 35 million BEC attempts with an adjusted average of 156,000 attempts daily. 


Common BEC tactics

Threat actors’ BEC attempts can take many forms—including via phone calls, text messages, emails, or social media. Spoofing authentication request messages and impersonating individuals and companies are also common tactics. 

Instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of email traffic and other messages to lure victims into providing financial information, or taking direct action like unknowingly sending funds to money mule accounts that help criminals perform fraudulent money transfers.  

Unlike a “noisy” ransomware attack featuring disruptive extortion messages, BEC operators play a quiet confidence game using contrived deadlines and urgency to spur recipients who may be distracted or accustomed to these types of urgent requests. Instead of novel malware, BEC adversaries align their tactics to focus on tools improving the scale, plausibility, and in-box success rate of malicious messages. 

Microsoft observes a significant trend in attackers’ use of platforms like BulletProftLink, a popular service for creating industrial-scale malicious mail campaigns, which sells an end-to-end service including templates, hosting, and automated services for BEC. Adversaries using this CaaS are also provided with IP addresses to help guide BEC targeting.   

BulletProftLink’s decentralized gateway design, which includes Internet Computer blockchain nodes to host phishing and BEC sites, creates an even more sophisticated decentralized web offering that’s much harder to disrupt. Distributing these sites’ infrastructure across the complexity and evolving growth of public blockchains makes identifying them, and aligning takedown actions, more complex.  

While there have been several high-profile attacks that take advantage of residential IP addresses, Microsoft shares law enforcement and other organizations’ concern that this trend can be rapidly scaled, making it difficult to detect activity with traditional alarms or notifications.  

Although threat actors have created specialized tools to facilitate BEC, including phishing kits and lists of verified email addresses targeting C-suite leaders, accounts payable leads, and other specific roles, there are methods that enterprises can employ to preempt attacks and mitigate risk.  

BEC attacks offer a great example of why cyber risk needs to be addressed in a cross-functional way with IT, compliance, and cyber risk officers at the table alongside executives and leaders, finance employees, human resource managers, and others with access to employee records like social security numbers, tax statements, contact information, and schedules.   

Recommendations to combat BEC

  • Use a secure email solution: Today’s cloud platforms for email use AI capabilities like machine learning to enhance defenses, adding advanced phishing protection and suspicious forwarding detection. Cloud apps for email and productivity also offer the advantages of continuous, automatic software updates and centralized management of security policies.  
  • Secure identities to prohibit lateral movement: Protecting identities is a key pillar to combating BEC. Control access to apps and data with Zero Trust and automated identity governance.  
  • Adopt a secure payment platform: Consider switching from emailed invoices to a system specifically designed to authenticate payments.  

Learn more

Read the fourth edition of Cyber Signals today.

For more threat intelligence insights and guidance, including past issues of Cyber Signals, visit Security Insider.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


End notes

1Cyber Signals, Microsoft.

2Internet Crime Complaint Center Releases 2022 Statistics, FBI.


]]>
Microsoft Defender for Office 365 named Best Email Security Service of 2023 by SE Labs http://approjects.co.za/?big=en-us/security/blog/2023/02/21/microsoft-defender-for-office-365-named-best-email-security-service-of-2023-by-se-labs/ Tue, 21 Feb 2023 17:00:00 +0000 Microsoft Defender for Office 365 receives Best Email Security Service of 2023 award by SE Labs.


]]>
In today’s world where hybrid and remote work are on the rise, and companies rely on email now more than ever, phishing remains one of the most prominent and sophisticated techniques that malicious actors utilize to attack organizations and gain access to their most sensitive information. Twenty-seven percent of all cyberattacks involve business email compromise campaigns—making email the primary entry point and a key vector of compromise.1 To protect effectively against this constantly changing and evolving threat landscape, organizations need to proactively implement protection directly integrated with their email systems to stop attacks before they get to endpoints or other assets.

Microsoft has worked with organizations globally to protect against ransomware and phishing and is excited to announce that SE Labs named Microsoft Defender for Office 365 the Best Email Security Service of 2023.

SE Labs 2023 Winner of Best Email Security Service provider badge.

Microsoft Defender for Office 365 provides comprehensive email protection from attacks such as credential phishing, business email compromise, and ransomware. Using advanced machine learning, an unparalleled massive database of threat signals, and other innovative heuristics, Microsoft Defender for Office 365 is capable of identifying phishing attacks across the entire organization, while also offering sophisticated prevention, detection, and response features that are seamlessly integrated into Office 365. Because it integrates directly with Office, Microsoft Defender is able to provide a user experience that feels native and easy to use and that minimizes processing overhead, without compromising on security.

Technology is key, but users are often the weak link in phishing attacks, so training is a critical element to make sure that phishing links remain untouched by your employees. Microsoft Defender for Office 365 includes built-in phishing simulation training to educate employees and senior leaders to decrease the chance of real-world attacks. Furthermore, SecOps teams are given powerful tools that enable them to customize simulation training, based on detailed insights into where there are knowledge gaps in the organization.

SE Labs testing, methodology, and award results

For this award, Microsoft Defender for Office 365 was evaluated on a combination of quantitative and qualitative factors alongside other cybersecurity vendors. For quantitative testing, SE Labs created simulated attacks based on the current, most up-to-date threat intelligence. SE Labs then measured how many of these malicious messages were appropriately filtered out by Microsoft Defender for Office 365 as well as other email security systems. SE Labs has been building and refining this test since 2017.

In the quantitative test, Microsoft received a rating of AAA, the highest possible. Microsoft Defender for Office 365 was able to correctly identify and block 98 percent of emails containing malicious content like malware or phishing, demonstrating its state-of-the-art capability in protecting customers from business email compromise. Furthermore, once deployed, the Microsoft Defender for Office 365 engine is always learning from email traffic in its environment and makes adjustments accordingly. Learn more about this test and its results.

In addition to quantitative testing, SE Labs conducted a comprehensive evaluation by also gathering qualitative feedback from organizations. Through this approach, SE Labs gained valuable insights into the real-world efficacy of email security solutions. We are humbled that the results indicate that Microsoft Defender for Office 365 received the highest levels of customer satisfaction, compared to other vendors in the evaluation.

Although Rx.Health, a large digital solutions provider for healthcare systems, was not one of the customers that provided feedback as part of the SE Labs research evaluation, here’s what it had to say about its experience with Microsoft Defender for Office 365:

“Defender for Office 365 is the silent component that gives us peace of mind.”—Saurabh Gupta, Director of Engineering and Technology, Rx.Health.

For more on what Rx.Health has to say about Microsoft’s Security solutions, read the full story.

Protect against sophisticated attacks like business email compromise and ransomware with Microsoft’s XDR

Email security is embedded into Microsoft’s unified extended detection and response (XDR) solution: Microsoft 365 Defender. The cross-domain XDR technology uses signals across email, endpoint, on-premises and cloud identities, as well as cloud apps to illuminate the entire kill chain and protect your organization more effectively from modern threats like ransomware and business email compromise. While it delivers game-changing capabilities like automatic attack disruption, which stops active threats early and prevents them from progressing, prevention is another critical XDR component to stop threats at the front door. That’s why Microsoft recommends that you evaluate XDR solutions that provide phishing protection through email security and identity access management.

Thank you to SE Labs for their important and impactful testing of email security solutions, in addition to all of our customers who provided their feedback as part of this research.

At Microsoft, we understand the vital importance of robust cybersecurity in the modern digital landscape. That’s why we remain steadfastly dedicated to delivering exceptional security products and services, like Microsoft Defender for Office 365, backed by our team of world-class security researchers and industry-leading threat intelligence. Our advanced AI technology further adapts to the continuous and ever-evolving threat environment, helping to keep your organization safe and secure, so you can focus on driving success and growth.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1Annual Report 2023, SE Labs.


]]>
Microsoft Security reaches another milestone—Comprehensive, customer-centric solutions drive results http://approjects.co.za/?big=en-us/security/blog/2023/01/25/microsoft-security-reaches-another-milestone-comprehensive-customer-centric-solutions-drive-results/ Wed, 25 Jan 2023 17:00:00 +0000 Learn how Microsoft Security is simplifying security for the new hybrid, multi-platform environment while fostering a diverse new generation of defenders—and how your organization can benefit.


]]>
Yesterday, we shared some exciting news about the momentum we’re seeing in the security industry. Microsoft Chief Executive Officer Satya Nadella announced that Microsoft Security has surpassed USD20 billion in revenue. I’m grateful to all our customers and partners who have been on this journey with us, for trusting us to protect them, for partnering with us in defining great security, and for making this milestone possible. I am also incredibly proud of the Microsoft team for their continued dedication to excellence and to our mission to make the world a safer place for all.

Even as the digital landscape grows larger and more complex, we remain guided by our core belief that cybersecurity is about empowering people. Security is a team sport; I believe that with my whole heart. It takes us all working together to defend the world from bad actors, and I’m excited and honored to be in the trenches with all of you.

Since 2020 we’ve seen drastic changes in the ways people work and live. As a result, organizations continue to evolve the way they think about security. At Microsoft we’ve worked to be nimble, to listen attentively to honest feedback from our customers, and to implement these changes in products and solutions that are future-proof and secure from the start. In the last six months of 2022 alone, we launched more than 300 product innovations to help organizations stay ahead of evolving threats.  

Microsoft has an unparalleled view of the evolving threat landscape. With industry-leading AI, we synthesize 65 trillion signals a day—across all types of devices, apps, platforms, and endpoints—an increase of nearly eight times over the 8 trillion daily signals captured just two years ago. And we apply the learnings from that signal intelligence, as well as from our world-class threat intelligence, into all the products and services we offer. Furthermore, we now have more than 15,000 partners working with us across our security ecosystem helping to bring better solutions and more choices to market.

Graph showcasing the gradual increase in the number of Microsoft Security customers, the number of password attacks per second, the number of suspicious emails blocked per year, and the number of signals analyzed daily spanning from 2021 to January 2023.

Despite economic uncertainties, security software projects and investments are top of chief information officer priority lists as they confront evolving threats and recognize the value of taking a proactive, comprehensive approach.1 In this blog, we’ll look at why a comprehensive approach to cybersecurity is so important, and how your organization can do more with less during uncertain times. 

We’ve seen rapid increases in the volume, severity, and sophistication of cyberattacks, along with a growing breadth of targets. In the past, threats were largely confined to specific sectors or were considered to be more manageable reactively. But in 2022, the average cost of a data breach reached an all-time high of USD4.35 million.2 The 2022 Microsoft Digital Defense Report (MDDR) revealed some daunting realities behind those costs. Our Digital Crimes Unit took down 531,000 unique phishing URLs and 5,400 phish kits between July 2021 and June 2022, leading to the identification and closure of more than 1,400 malicious email accounts used to collect stolen credentials. In addition, Microsoft blocked 2.75 million site registrations before they could be used to engage in global cybercrime.3

Six tiles showcasing the average cost of a data breach, the increase of password attacks per second, 65 trillion signals being analyzed by Microsoft per day, 70 billion email and identity threat attacks blocked by Microsoft in 2022, 2.75 million site registration from criminal actors blocked by Microsoft, and a potential cost savings of up to 60% when customers invest in Microsoft security.

People are now the primary attack vector and represent the greatest vulnerability to an organization’s security.4 A recent industry study found that identity-driven attacks accounted for 61 percent of breaches.5 The risk-to-return ratio makes these human-centered attacks irresistible for cybercriminals. For example, password-spray attacks cost an attacker almost nothing and can yield invaluable access to business information. Phishing remains the most prevalent form of cyberattack, with business email compromise (BEC) potentially the most costly.6 From the time your business email is compromised, it takes only an average of one hour and 12 minutes for an attacker to access your private data.7

Our internal defender community continues to track the rise of ransomware as a service (RaaS). As examined in the August 2022 issue of Cyber Signals, RaaS enables cybercriminals to rent or sell ransomware tools in return for a portion of the profits. This retail approach to cybercrime lowers the barrier to entry because it requires virtually no technical skills. However, these attacks can often be prevented by following a few simple security best practices. As part of our comprehensive approach, Microsoft Sentinel, Microsoft 365 Defender, and Microsoft Defender for Cloud seamlessly integrate to provide security information and event management (SIEM) and extended detection and response (XDR) solutions that proactively protect your enterprise from ransomware attacks.

In the December 2022 issue of Cyber Signals, we shared new insights on the risks that converging IT, Internet of Things (IoT), and operational technology (OT) systems pose to critical infrastructure. As with IT security, a solid defense based on Zero Trust, effective policy enforcement, and continuous monitoring can help limit any potential blast radius.

Do more with less this year—increasing your security ROI

It’s clear the threat landscape we face today requires new approaches. Microsoft research finds that 72 percent of chief information security officers (CISOs) at organizations with more than 1,000 employees believe that having a comprehensive set of products that spans security, compliance, and identity is “extremely or very important.” Our research shows that large organizations have an average of 75 security solutions. Clearly, there’s a growing recognition among cybersecurity leaders that managing multiple vendors can be burdensome for an IT team. Worse, patchwork solutions can create dangerous blind spots by leaving valuable security insights siloed in separate dashboards. This kind of fragmented visibility provides an opportunity for threat actors.

Our survey found that 30 percent of CISOs are concerned about gaps and inconsistencies in securing their organization’s hybrid, multicloud, and multi-platform environment. Twenty-five percent are worried about being unable to replace their legacy systems, and an equal percentage are concerned about enabling user productivity without sacrificing security.

Security is woven into the digital fabric of our applications and services right from the start—from Microsoft Azure’s approach to vulnerabilities, to macro-blocking in Microsoft 365, to enhanced built-in security features in Windows 11—we are raising the bar on the security baseline. We recognize our most secure future requires an end-to-end approach with technology and people, empowered to defend with resilience—this is why security is built into everything we design, develop, and deliver.

Microsoft Security solutions are notably designed to help you eliminate inefficient silos and patchwork fixes, closing the gaps with simplified, comprehensive protection. We integrate more than 50 categories into six product lines which form one Microsoft Security cloud. By eliminating redundant capabilities, you can avoid the hassles of managing multiple contracts and licenses. Even better, your organization can realize up to 60 percent cost savings when you use Microsoft security, compliance, and identity end-to-end solutions.8 Learn more on this topic from my recent blog: 3 ways Microsoft helps simplify security.

Radar Chart showcasing the 6 product lines within the Microsoft Security portfolio.

More than 860,000 customers have chosen Microsoft Security to protect their organizations. According to our customer data, the number of organizations with four or more workloads has increased more than 40 percent year over year. Yesterday, Satya gave examples of organizations that chose to consolidate with our security stack to reduce cost, risk, and complexity. In the United Kingdom, retailer Fraser’s Group consolidated from 10 security vendors down to just Microsoft. Because of its integrated XDR and SIEM capabilities, Land O’Lakes was able to gain granular visibility across its multicloud, hybrid workspace by consolidating on Microsoft Sentinel (now with more than 20,000 customers) and Microsoft Defender for Cloud.

Bringing diverse perspectives to meet diverse challenges

Experts predict the global workforce will need to hire and train roughly 3.4 million cybersecurity professionals to defend the growing digital space.9 Unfortunately, many groups are still underrepresented in this crucial profession. Less than 25 percent of the cyber workforce are women and, in 2021, only 9 percent of cybersecurity workers were Black and only 4 percent Hispanic.10

Microsoft is working hard to make cybersecurity more inclusive by fostering a new generation of defenders that’s as diverse as the world we share. We’re honored to work with so many dedicated professionals who have helped move us closer to that goal. Together with WiCyS (Women in CyberSecurity), we’re empowering the recruitment, retention, and advancement of women in the cybersecurity field. And our partnership with Girl Security, a nonprofit driving change in the security sector through education, workforce training, and professional advancement into careers, is helping to create pathways into cybersecurity for girls and gender minorities ages 14-26. We also created Microsoft DigiGirlz to offer female middle and high school students an early opportunity to learn about careers in technology, as well as connect with Microsoft employees and participate in hands-on technology workshops.

In 2021, Microsoft launched a national campaign with community colleges in the United States to help skill and recruit 250,000 cybersecurity professionals by 2025. Still going strong, the Microsoft Cybersecurity Scholarship Program—in partnership with the Last Mile Education Fund—has already benefited more than 1,000 low-income community college students across 47 states. This scholarship program has helped us access a talent pool that may have faced challenges in accessing higher education.

Taking stock and forging ahead

In January of 2021, I had only been with Microsoft for about six months when we announced our first major milestone of USD10 billion in revenue. That was an inspiring accomplishment, but we couldn’t have done it alone. Even as the digital world grows and threats continue to multiply, I’m constantly encouraged by the creativity, determination, and can-do spirit displayed by our partners and customers. 2022 pushed all of us to learn on our feet as the hybrid and remote workplace and the move to a multi-platform environment continued to bring new security challenges. I’m looking forward to learning from all of you and forging stronger relationships in the year ahead.

To learn more about how your organization can eliminate security gaps and cut costs with simplified, comprehensive protection, be sure to join me at Microsoft Secure on March 28, 2023. This new digital event will bring together customers, partners, and the defender community to share perspectives on navigating the security landscape and build on real-world experience. Security is the defining challenge for our world, and it should always be an instrument of hope. It’s going to take all of us to do great security; so, thank you for inspiring us here at Microsoft. Here’s to doing our part and building a safer world for all, together.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Morgan Stanley US Tech 4Q22 CIO Survey.

2Cost of a Data Breach, IBM. 2022.

3Methodology: For snapshot data, Microsoft platforms, including Microsoft Defender and Microsoft Azure Active Directory, and our Digital Crimes Unit provided anonymized data on threat activity, such as malicious email accounts, phishing emails, and attacker movement within networks. Additional insights are from the 43 trillion daily security signals gained across Microsoft, including the cloud, endpoints, the intelligent edge, and our Compromise Security Recovery Practice and Detection and Response teams.

4SANS 2022 Security Awareness Report, the SANS Institute. June 28, 2022.

550 Identity And Access Security Stats You Should Know In 2022, Caitlin Jones. January 6, 2023.

6Phishing Scams are the Most Common Cyber Attack, Says FBI, Conor Cawley. May 10, 2022.

7Microsoft Digital Defense Report 2022, Microsoft. 2022.

8Savings based on publicly available estimated pricing for other vendor solutions and web direct/based price shown for Microsoft offerings. Price is not guaranteed and subject to change.

9Innovation Through Inclusion: The Multicultural Cybersecurity Workforce, Frost & Sullivan. 2018.

10Microsoft Joins Abbott, Raytheon to Prepare HBCU Students for Cybersecurity Roles, Mikayla Gruber. June 6, 2022.


]]>