Multifactor authentication Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/topic/multifactor-authentication/
Expert coverage of cybersecurity topics
Mon, 02 Feb 2026 15:58:48 +0000

How Microsoft builds privacy and security to work hand-in-hand
http://approjects.co.za/?big=en-us/security/blog/2026/01/13/how-microsoft-builds-privacy-and-security-to-work-hand-in-hand/
Tue, 13 Jan 2026 17:00:00 +0000

Learn how Microsoft unites privacy and security through advanced tools and global compliance to protect data and build trust.

The post How Microsoft builds privacy and security to work hand-in-hand appeared first on Microsoft Security Blog.

The Deputy CISO blog series is where Microsoft Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more. In this article, Terrell Cox, Vice President for Microsoft Security and Deputy CISO for Privacy and Policy, dives into the intersection of privacy and security.

For decades, Microsoft has consistently prioritized earning and maintaining the trust of the people and organizations that rely on its technologies. The 2025 Axios Harris Poll 100 ranked Microsoft as one of the top three most trusted brands in the United States.1 At Microsoft, we believe one of the best ways we can build trust is through our long-established core values of respect, accountability, and integrity. We also instill confidence in our approach to regulations by demonstrating rigorous internal compliance discipline—such as regular audits, cross-functional reviews, and executive oversight—that mirrors the reliability we extend to customers externally.

Microsoft Trust Center

Our mission is to empower everyone to achieve more, and we build our products and services with security, privacy, compliance, and transparency in mind.


Here at Microsoft, we are grounded in the belief that privacy is a human right, and we safeguard it as such. Whether you’re an individual using Microsoft 365 or a global enterprise running mission-critical workloads on Microsoft Azure, your privacy is protected by design. In my role as Vice President for Microsoft Security and Deputy CISO for Privacy and Policy at Microsoft, I see privacy and security as two sides of the same coin—complementary priorities that strengthen each other. They’re inseparable, and they can be simultaneously delivered to customers at the highest standard, whether they rely on Microsoft as data processor or data controller.

There are plenty of people out there who view the relationship between security and privacy as one of tension and conflict, but that doesn’t need to be the case. Within my team, we embrace differing viewpoints from security- and privacy-focused individuals as a core principle and a mechanism for refining our quality of work. To show you how we do this, I’d like to walk you through a few of the ways Microsoft delivers both security and privacy to its customers.

Security and privacy, implemented at scale

Our approach to safeguarding customer data is rooted in a philosophy that prioritizes security without the need for access to the data itself. Think of it as building a fortress where the walls (security) protect the treasures inside (data privacy) without ever needing to peek at them. Microsoft customers retain full ownership and control of their data, as outlined in our numerous privacy statements and commitments. We do not mine customer data for advertising, and customers can choose where their data resides geographically. Even when governments request access, we adhere to strict legal and contractual protocols to protect the interests of our customers.

A number of Microsoft technologies play important roles in the implementation of our privacy policy. Microsoft Entra, and in particular its Private Access capability, replaces legacy VPNs with identity-centric Zero Trust Network Access, allowing organizations to grant granular access to private applications without exposing their entire network. Microsoft Entra ID serves as the backbone for identity validation, ensuring that only explicitly trusted users and devices can access sensitive resources. This is complemented by the information protection and governance capabilities of Microsoft Purview, which enables organizations to classify, label, and protect data across Microsoft 365, Azure, and their third-party platforms. Microsoft Purview also supports automated data discovery, policy enforcement, and compliance reporting.

The beating heart of the Microsoft security strategy is the Secure Future Initiative. We assume breach and mandate verification for every access request, regardless of origin. Every user, every action, and every resource is continuously authenticated and authorized. Automated processes, like our Conditional Access policies, dynamically evaluate multiple factors like user identity, device health, location, and session risk before granting access. Support workers can access customer data only with the explicit approval of the customer through Customer Lockbox, which gives customers authorization and auditability controls over how and when Microsoft engineers may access their data. Once authorized by a customer, support workers may only access customer data through highly secure, monitored environments like hardened jump hosts—air-gapped Azure virtual machines that require multifactor authentication and employ just-in-time access gates.

Privacy is a human right

The intersection of privacy and security is not just a theoretical concept for Microsoft. It’s a practical reality that we work to embody through comprehensive, layered strategies and technical implementations. By using advanced solutions like Microsoft Entra and Microsoft Purview and adhering to the principles set out in our Secure Future Initiative, we help ensure that our customers’ data is protected at every level.

We demonstrate our commitment to privacy through our proactive approach to regulatory compliance, our tradition of transforming legal obligations into opportunities for innovation, and our commitment to earning the trust of our customers. Global and region-specific privacy, cybersecurity, and AI regulations often evolve over time. Microsoft embraces regulations not just as legal obligations but as strategic opportunities through which we can reinforce our commitments to privacy and security. This is exactly what we did when the European General Data Protection Regulation (GDPR) came into effect in May of 2018, and we’ve applied similar principles to emerging frameworks like India’s Digital Personal Data Protection Act (DPDP), the EU’s Network and Information Systems Directive 2 (NIS2) for cybersecurity, the Digital Operational Resilience Act (DORA) for financial sector resilience, and the EU AI Act for responsible AI governance.

Using regulatory compliance as a lever for innovation

Microsoft publicly cheered the GDPR as a step forward for individual privacy rights, and we committed ourselves to full compliance across our cloud services. We soon became an early adopter of the GDPR, adding GDPR-specific assurances to our cloud service contracts, including breach notification timelines and data subject rights.

Because we believe so strongly in these protections, our compliance efforts quickly became the foundation for a broader, proactive transformation of our privacy and security posture. First, we established a company-wide framework that formalized privacy responsibilities and safeguards. It mandated robust technical and organizational measures designed to protect personal data companywide, now aligned with cybersecurity standards like those in NIS2.

As part of this framework, Microsoft appointed data protection officers and identified corporate vice presidents in each business unit to provide group-level accountability. Microsoft also built what we believe is one of the most comprehensive privacy and compliance platforms in the industry. This platform is the result of a company-wide effort to give customers real control over their personal data, experienced with consistency across our products, while seamlessly integrating security and regulatory compliance.

To operationalize these commitments, we developed advertising and data deletion protocols that made sure data subject requests (DSRs) were honored across all our systems, including those managed by third-party vendors. Microsoft extended GDPR-like principles to customers globally. This initiative emphasized data minimization, consent management, and timely breach reporting. It also reinforced customers’ rights to access, correct, delete, and export their personal data.

Expanding from this foundation, we continue to take a proactive stance on emerging global regulations. For DPDP in India, we enhanced data localization and consent mechanisms in Azure to help organizations comply with local privacy mandates while maintaining robust security. Under NIS2 and DORA, our tools like Microsoft Defender for Cloud enable critical sectors to detect, respond, and build operational resilience—creating cybersecurity as the shield that protects privacy rights.

For the EU AI Act, Microsoft Responsible AI tools integrated with Microsoft Purview enable governance, classification, and compliance tracking of AI models, ensuring transparency and accountability across the AI lifecycle. In parallel, Microsoft Defender for Cloud extends protection for AI workloads and data environments, ensuring AI systems are secure, monitored, and resilient — much like a traffic light system that signals safe passage for innovation while mitigating risk.

Thanks to this early, decisive action to safeguard privacy and security worldwide, Microsoft is now in a strong leadership position as similar laws are passed by a growing number of countries. Because we’ve already gone above and beyond what initial regulations asked of us, we’re more easily able to adapt to the specifics of other related legal frameworks.

Learn more

To hear more from Microsoft Deputy CISOs, check out the OCISO blog series. To stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization’s security posture, join the Microsoft CISO Digest distribution list.



To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. The 2025 Axios Harris Poll 100 reputation rankings


Retail at risk: How one alert uncovered a persistent cyberthreat
http://approjects.co.za/?big=en-us/security/blog/2025/09/24/retail-at-risk-how-one-alert-uncovered-a-persistent-cyberthreat/
Wed, 24 Sep 2025 17:00:00 +0000

In the latest edition of our Cyberattack Series, we dive into real-world cases targeting retail organizations. With 60% of retail companies reporting operational disruptions from cyberattacks and 43% experiencing breaches in the past year, the stakes have never been higher. This post unpacks where a single alert led to the discovery of a major persistent threat, how attackers exploited unpatched SharePoint vulnerabilities and compromised identities to infiltrate networks—and how the Microsoft Incident Response—the Detection and Response Team (DART) swiftly stepped in with forensic insights and actionable guidance. Download the full report to learn more about how one small signal exposed a much larger danger, and how you can strengthen your defenses against similar threats.

The post Retail at risk: How one alert uncovered a persistent cyberthreat​​ appeared first on Microsoft Security Blog.

In the latest edition of our Cyberattack Series, we dive into real-world cases targeting retail organizations. With 60% of retail companies reporting operational disruptions from cyberattacks and 43% experiencing security compromises in the past year, the risks for businesses continue to increase.1 This post unpacks where a single alert led to the discovery of a major persistent cyberthreat, how cyberattackers exploited unpatched SharePoint vulnerabilities and compromised identities to infiltrate networks—and how Microsoft Incident Response–the Detection and Response Team (DART) swiftly stepped in with forensic insights and actionable guidance. Download the full report to learn more about how one small signal exposed a much larger danger, and how you can strengthen your defenses against similar cyberthreats.

What happened?

The cases we’re examining in detail spanned two parts—Reactive 1 and Reactive 2. Reactive 1 began when a retail customer received a Microsoft Defender Experts alert titled “Possible web shell installation.” The investigation revealed a malicious ASPX file on their SharePoint server, linked to vulnerabilities CVE-2025-49706 and CVE-2025-49704. These allowed cyberattackers to spoof identities and inject remote code.

Reactive 2 started with a single compromised identity. Cyberattackers gained persistence by abusing self-service password reset features and mapped the organization’s identity structure using Microsoft Entra ID and Microsoft Graph API. The cyberattackers escalated access using Azure Virtual Desktop and Remote Desktop Protocol (RDP), deployed tools like PsExec and SQL Server Management Studio, and maintained control using Teleport, Azure CLI, and Rsocx proxy. Credential manipulation and directory exploration followed, confirmed by Entra ID risk events. The Detection and Response Team (DART) again provided expert support to contain and analyze the threat.

In both cases, the customer engaged DART quickly, which helped validate the scope of the compromise and assess cyberattacker activity and persistence mechanisms.

Insight: Identity management weakness
Lack of account separation between standard users and privileged users significantly increased the risk of lateral movement. Nine out of 20 accounts had elevated access without proper tiering.

How did Microsoft respond?

DART swiftly addressed the two security incidents by executing a comprehensive set of actions aimed at restoring control, containing cyberthreats, and reinforcing long-term resilience. The team began by reclaiming identity systems—both on-premises and cloud—through Active Directory takeback and Entra ID isolation. It neutralized threat actor access by deprivileging compromised accounts, revoking tokens, and identifying persistence mechanisms like Teleport and multifactor authentication (MFA) device registration. Malicious web shells were detected and removed within hours, showcasing rapid containment capabilities.

To investigate and remediate the incidents, Microsoft deployed proprietary forensic tools across critical infrastructure, enabling root cause analysis and operational recovery. The team also guided the affected organization through security configuration enhancements aligned with Zero Trust principles, including MFA enforcement. Threat intelligence from Defender and Microsoft Sentinel confirmed systemic identity compromise, prompting patching of vulnerable systems and a phased mass password reset with user identity re-attestation. Additionally, reverse engineering of ransomware revealed targeted attacks on ESXi directories, informing further mitigation strategies.

New cyberattacker behavior
The cyberattacker used custom obfuscated web shells that bypassed basic detection, reinforcing the importance of behavioral analytics to detect rapidly evolving tactics.

What can customers do to prepare?

In the case of Reactive 1, we recommended critical security actions to fortify on-premises SharePoint environments and minimize exposure to known vulnerabilities, something we recommend for all customers. Customers can reduce their risk by deploying endpoint detection and response (EDR) across all devices, conducting regular vulnerability scans, and strengthening identity and access controls. Centralized logging and threat intelligence should also be implemented, along with preserving evidence and maintaining a robust incident response plan. Tools to monitor behavioral anomalies, suspicious processes, and malware indicators are increasingly necessary to protect against today’s threat actors.

Patching promptly—especially for known exploited vulnerabilities—remains a key defense for customers. Regular security hygiene practices—like enforcing MFA across all accounts, removing inactive credentials, and applying least privileged access principles—can improve defenses in real time as threats change fast.

The increasing speed of cyberattacks
The speed of the attacker was notable. We observed “hands-on keyboard” behavior within moments of compromise, highlighting the importance of real-time detection and response.

Secure your spot

Ready to strengthen your security strategy for the AI era? Register now for Microsoft Secure, on September 30, to explore the latest AI-first solutions. Then, join us at Microsoft Ignite—November 17–21 in San Francisco, CA or online—to deep dive into more innovations, connect with industry experts, experience hands-on labs, and earn certifications.


What is the Cyberattack Series?

With our Cyberattack Series, customers discover how DART investigates unique and notable cyberattacks. For each cyberattack story, we share:

  • How the cyberattack happened
  • How the security compromise was discovered
  • Microsoft’s investigation and eviction of the threat actor
  • Strategies to avoid similar cyberattacks

While retail customers were the target of cyberattackers this time, these incidents serve as a stark reminder that proactive patching, identity segmentation, and continuous monitoring are essential security practices to defend against modern cyber threats for all customers. DART is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. We’re here for customers with dedicated experts to work with you before, during, and after a cybersecurity incident.

Learn more with Microsoft Security

To learn more about DART capabilities, please visit our website, or reach out to your Microsoft account manager or premier support contact. To learn more about the cybersecurity incidents described above, including more insights and information on how to protect your own organization, download the full report.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. Retail Cybersecurity Statistics: Market Data Report 2025


Modernize your identity defense with Microsoft Identity Threat Detection and Response
http://approjects.co.za/?big=en-us/security/blog/2025/07/31/modernize-your-identity-defense-with-microsoft-identity-threat-detection-and-response/
Thu, 31 Jul 2025 17:00:00 +0000

Microsoft's Identity Threat Detection and Response solution integrates identity and security operations to provide proactive, real-time protection against sophisticated identity-based cyberthreats.

The post Modernize your identity defense with Microsoft Identity Threat Detection and Response appeared first on Microsoft Security Blog.

In today’s fast-evolving landscape, where businesses balance on-premises systems and cloud resources, identity-based cyberthreats are growing more frequent and sophisticated. The question isn’t whether an identity attack will occur—but when. The numbers are staggering: In 2024 Microsoft saw an average of more than 7,000 password attacks happen per second and a 146% increase in adversary-in-the-middle (AiTM) phishing attacks alone.1

A unified approach to identity threat detection and response (ITDR) is no longer a luxury; it’s a necessity. Whether you are an identity admin or a security operations center (SOC) analyst, minimizing your risk starts with eliminating gaps in protection.

From chaos to control: Uniting identity and security solutions

As the corporate IT landscape has evolved, organizations have been left managing complex webs of identities across multiple environments, tools, and vendors, giving cybercriminals many potential gaps to sneak through. The recent Secure Access Report illustrates the direct correlation between complex, multisolution identity vendors and the probability of a significant breach.

According to the report’s research, companies relying on a patchwork of six or more identity and network solutions not only face operational inefficiencies but also a 79% higher probability of a significant breach.2

At Microsoft, we understand that ITDR is an integrated partnership between identity and access management (IAM) and extended detection and response (XDR) and our vision has been to eliminate the organizational silos and unite these teams, their tools, and processes.

One of the key advantages of our integrated solution is its ability to provide end-to-end visibility and protection. Microsoft Entra natively feeds critical signals to Microsoft Defender and vice versa, enabling comprehensive identity protection across both on-premises, cloud environments, and third parties. Customers like ElringKlinger have recognized that fragmented, siloed security solutions were no longer sufficient to address the sophisticated nature of cyberthreats.

The combination of the individual Microsoft identity solutions is great. It helps us find issues that we might not uncover if we had siloed identity solutions and makes life easier for our team.

—Alexander Maute, Director of IT at ElringKlinger

Proactive protection: Hardening your Identity security posture

ITDR starts long before a cyberattack ever begins, specifically by minimizing your attack surface area. From an identity perspective this means eliminating the vulnerable configurations, stale accounts, and instances of over-privilege that cyberattackers often look to exploit. Microsoft’s approach to ITDR emphasizes this proactive stance: posture management isn’t just a best practice—it’s the foundation that makes real-time ITDR possible. We also understand that successful security practices require coordination across different teams and processes.

Microsoft Entra and Microsoft Defender surface actionable recommendations directly into Microsoft Secure Score and Extended Security Exposure Management (XSPM), enabling security teams to visualize attack paths, prioritize remediation, and proactively harden their defenses before threats materialize. The Identity Security initiative offers an identity-specific view of recommended actions from across on-premises and cloud identities, identity infrastructure, and third-party identity providers. These and other recommendations across endpoints, applications, data, networks, and identities help provide security leaders with unmatched visibility into potential attack paths and vulnerabilities, allowing them to identify and mitigate risks before they escalate.

Milliseconds matter: The power of real-time detection and response

Prevention alone is no longer sufficient in today’s evolving threat landscape—true cyber resilience relies on the ability to detect and respond at speed. In an environment where every second counts, Microsoft’s ITDR approach stands apart by delivering strategically layered defenses that help actively disrupt cyberthreats in real time by unifying the data, tools, and workflows across IAM and SOC teams.

The first layer comes in the form of dynamic, risk-based access controls leveraging the unparalleled insights from the identity landscape. As the identity provider, Microsoft Entra directly manages cloud authentication and enforces protection in real time at the point of authentication. This allows us to dynamically enforce access controls and step-up authentication faster and more consistently than anyone else. This is made possible through the native bi-directional integration between Entra and Defender, which enables continuous, real-time sharing of identity signals across identity and security operations.

What differentiates this approach is the built-in feedback loop: identity signals inform security detections instantly, and threat intelligence from Defender directly influences access decisions in Entra—without manual handoffs, or latency. In addition to adding more potential points of failure, multivendor solutions typically rely on older logs from prior log-on attempts and may not have the full context or see the changes that have happened since then.

Where the integration truly shines, however, is our identity threat response capabilities. During an active cyberattack, speed of response is critical. That’s why Microsoft has automatic attack disruption, a built-in self-defense capability that uses the correlated native signal in XDR, AI, and the latest threat intelligence to identify and contain in-progress attacks like AiTM, ransomware, and more to prevent further lateral movement. Attack disruption maps out the attack path using insights from the unified platform to accurately predict where the attacker will go next. Once a threat is confirmed, Defender initiates automatic containment—isolating compromised assets or shutting down user sessions to prevent further spread.

This near real-time response not only stops the attack but also minimizes its impact, giving security teams critical time to investigate and remediate without disruption to the broader environment. This closed-loop integration strengthens risk engines over time, and responses become smarter and faster, saving time and balancing productivity and security for your identity and SOC teams.

Extending Zero Trust beyond ITDR

ITDR is a critical component of a modern cybersecurity strategy, but it’s only one part of a larger, evolving vision. At Microsoft, Zero Trust is not a checkpoint—it’s a guiding security philosophy that continues to scale and adapt with the evolving threat landscape. Securing the modern organization means adopting a Zero Trust strategy that protects users, data, applications, and infrastructure—regardless of where they reside. This includes enforcing least privileged access, verifying explicitly, and assuming breach as a constant. These principles must extend across the digital estate, not just within identity, but across endpoints, applications, and networks.

Microsoft delivers on this vision through an end-to-end portfolio that supports the full spectrum of Zero Trust capabilities. Microsoft Entra provides robust identity and access management. Microsoft Intune ensures device compliance and health. Microsoft Purview enforces data security and governance. Microsoft Defender offers threat protection across endpoints, identities, software as a service apps, email and collaboration tools, multicloud workloads, and data security insights. And Microsoft’s network access capabilities—delivered through the Entra Suite—secure connections and reduce lateral movement risks. And when you use them together, you can secure any identities, any apps, anywhere.

As organizations navigate increasingly complex environments—from hybrid work to multicloud infrastructures—Microsoft is committed to being a trusted partner on the Zero Trust journey. With Microsoft, organizations are not only prepared for today’s identity threats—they’re equipped for the future of secure digital transformation.

Microsoft Identity Threat Detection and Response

Get comprehensive protection for all of your identities and identity infrastructure. Learn more and explore products.


The future of ITDR

As threat actors grow more sophisticated, security strategies must evolve beyond fragmented tools and isolated signals. Looking ahead, ITDR will continue to serve as a cornerstone of Zero Trust—one that is natively integrated across identity, apps, endpoints, cloud, network, and beyond. With Microsoft as a trusted partner, business leaders are equipped to go beyond ITDR and protect your identities, secure your operations, and build resilience for the future.

Watch our video to learn more.

Learn more about Microsoft Identity Threat Detection and Response.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. Microsoft Digital Defense Report 2024

2. Secure employee access in the age of AI


Protecting customers from Octo Tempest attacks across multiple industries
http://approjects.co.za/?big=en-us/security/blog/2025/07/16/protecting-customers-from-octo-tempest-attacks-across-multiple-industries/
Wed, 16 Jul 2025 16:00:00 +0000

To help protect and inform customers, Microsoft highlights protection coverage across the Microsoft Defender security ecosystem to protect against threat actors like Octo Tempest.

The post Protecting customers from Octo Tempest attacks across multiple industries appeared first on Microsoft Security Blog.

In recent weeks, Microsoft has observed Octo Tempest, also known as Scattered Spider, impacting the airlines sector, following previous activity impacting retail, food services, hospitality organizations, and insurance between April and July 2025. This aligns with Octo Tempest’s typical patterns of concentrating on one industry for several weeks or months before moving on to new targets. Microsoft Security products continue to update protection coverage as these shifts occur. 

To help protect and inform customers, this blog highlights the protection coverage across the Microsoft Defender and Microsoft Sentinel security ecosystem and provides security posture hardening recommendations to protect against threat actors like Octo Tempest.

Overview of Octo Tempest 

Octo Tempest, also known in the industry as Scattered Spider, Muddled Libra, UNC3944, or 0ktapus, is a financially motivated cybercriminal group that has been observed impacting organizations using varying methods in their end-to-end attacks. Their approach includes: 

  • Gaining initial access using social engineering attacks and impersonating a user and contacting service desk support through phone calls, emails, and messages.
  • Short Message Service (SMS)-based phishing using adversary-in-the-middle (AiTM) domains that mimic legitimate organizations.
  • Using tools such as ngrok, Chisel, and AADInternals.
  • Impacting hybrid identity infrastructures and exfiltrating data to support extortion or ransomware operations.  

Recent activity shows Octo Tempest has deployed DragonForce ransomware with a particular focus on VMWare ESX hypervisor environments. In contrast to previous patterns where Octo Tempest used cloud identity privileges for on-premises access, recent activities have involved impacting both on-premises accounts and infrastructure at the initial stage of an intrusion before transitioning to cloud access. 

Octo Tempest detection coverage 

Microsoft Defender has a wide range of detections covering Octo Tempest-related activity and more. These detections span all areas of the security portfolio, including endpoints, identities, software as a service (SaaS) apps, email and collaboration tools, and cloud workloads, to provide comprehensive protection coverage. Shown below is a list of known Octo Tempest tactics, techniques, and procedures (TTPs) observed in recent attack chains, mapped to detection coverage.

Tactic / Technique / Microsoft protection coverage (non-exhaustive)

Initial Access
Initiating password reset on target’s credentials:
  • Unusual user password reset in your virtual machine (MDC)

Discovery
Continuing environmental reconnaissance:
  • Suspicious credential dump from NTDS.dit (MDE)
  • Account enumeration reconnaissance (MDI)
  • Network-mapping reconnaissance (DNS) (MDI)
  • User and IP address reconnaissance (SMB) (MDI)
  • User and Group membership reconnaissance (SAMR) (MDI)
  • Active Directory attributes reconnaissance (LDAP) (MDI)

Credential Access, Lateral Movement
Identifying Tier-0 assets:
  • Mimikatz credential theft tool (MDE)
  • ADExplorer collecting Active Directory information (MDE)
  • Security principal reconnaissance (LDAP) (MDI)
  • Suspicious Azure role assignment detected (MDC)
  • Suspicious elevate access operation (MDC)
  • Suspicious domain added to Microsoft Entra ID (MDA)
  • Suspicious domain trust modification following risky sign-in (MDA)
Collecting additional credentials:
  • Suspected DCSync attack (replication of directory services) (MDI)
  • Suspected AD FS DKM key read (MDI)
Accessing enterprise environments with VPN and deploying VMs with tools to maintain access in compromised environments:
  • ‘Ngrok’ hacktool was prevented (MDE)
  • ‘Chisel’ hacktool was prevented (MDE)
  • Possibly malicious use of proxy or tunneling tool (MDE)
  • Possible Octo Tempest-related device registered (MDA)

Defense Evasion, Persistence
Leveraging EDR and management tooling:
  • Tampering activity typical to ransomware attacks (MDE)

Persistence, Execution
Installing a trusted backdoor:
  • ADFS persistent backdoor (MDE)

Actions on Objectives
Staging and exfiltrating stolen data:
  • Possible exfiltration of archived data (MDE)
  • Data exfiltration over SMB (MDI)
Deploying ransomware:
  • ‘DragonForce’ ransomware was prevented (MDE)
  • Possible hands-on-keyboard pre-ransom activity (MDE)

Note: The list is not exhaustive. A full list of available detections can be found in the Microsoft Defender portal. Key to the product abbreviations: MDE = Microsoft Defender for Endpoint; MDI = Microsoft Defender for Identity; MDC = Microsoft Defender for Cloud; MDA = Microsoft Defender for Cloud Apps.

Disrupting Octo Tempest attacks  

Disrupt in-progress attacks with automatic attack disruption:
Attack disruption is Microsoft Defender’s unique, built-in self-defense capability. It consumes multi-domain signals, the latest threat intelligence, and AI-powered machine learning models to automatically predict and disrupt an attacker’s next move by containing the compromised asset (user, device). It draws on multiple indicators and behaviors, including all the detections listed above, possible Microsoft Entra ID sign-in attempts, and possible Octo Tempest-related sign-in activities, and correlates them across the Microsoft Defender workloads into a high-fidelity incident.

Based on previous learnings from popular Octo Tempest techniques, attack disruption automatically disables the user account used by Octo Tempest and revokes all of the compromised user’s active sessions.

While attack disruption can contain the attack by cutting off the attacker, it is critical for security operations center (SOC) teams to conduct incident response activities and post-incident analysis to help ensure the threat is fully contained and remediated.  

Investigate and hunt for Octo Tempest related activity:
Octo Tempest is infamous for aggressive social engineering tactics, often targeting individuals with specific permissions in order to gain legitimate access and move laterally through networks. To help organizations identify these activities, customers can use Microsoft Defender’s advanced hunting capability to proactively investigate and respond to threats across their environment. Analysts can query across both first- and third-party data sources powered by Microsoft Defender XDR and Microsoft Sentinel. In addition to these data sources, analysts can also use exposure insights from Microsoft Security Exposure Management.

Using advanced hunting and the Exposure Graph, defenders can proactively assess and hunt for the threat actor’s related activity, identify which users are most likely to be targeted, and understand what the effect of a compromise would be, strengthening defenses before an attack occurs.
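As an added illustration of the correlation idea described above (my own code, not Microsoft’s, and not Defender’s schema or attack-disruption logic), the following Python joins constructed identity, endpoint and cloud-app events on the user and raises one incident when a help-desk password reset is followed by enough of the chain the post lists: a new MFA device, a sign-in from a never-seen IP, and a tunnelling tool such as ngrok or Chisel launched on the user’s device. The event field names, the two-hour window and the two-stage threshold are assumptions; the containment actions mirror what the post says attack disruption does.

```python
"""Correlate a chain of Octo Tempest-style signals into a single incident.
Added example; event shapes, window and threshold are assumptions, not
Microsoft Defender's schema or attack-disruption logic."""
from datetime import datetime, timedelta

# Constructed telemetry (not real logs). Every event carries the user it
# concerns so identity, endpoint and cloud-app signals can be joined on that
# one key, the way the post describes correlating across workloads.
SAMPLE_EVENTS = [
    {"time": "2025-07-01T09:02:00", "type": "PasswordReset", "user": "jdoe", "actor": "helpdesk01"},
    {"time": "2025-07-01T09:05:30", "type": "MfaDeviceRegistered", "user": "jdoe", "device": "new-phone"},
    {"time": "2025-07-01T09:07:10", "type": "SignIn", "user": "jdoe", "ip": "203.0.113.77", "new_ip": True},
    {"time": "2025-07-01T09:20:45", "type": "ProcessCreate", "user": "jdoe", "device": "WS-0421",
     "file": "ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
    # A routine help-desk reset for another user with no suspicious follow-on.
    {"time": "2025-07-01T10:00:00", "type": "PasswordReset", "user": "asmith", "actor": "helpdesk01"},
    {"time": "2025-07-01T10:01:00", "type": "SignIn", "user": "asmith", "ip": "198.51.100.5", "new_ip": False},
]

TUNNEL_TOOLS = {"ngrok.exe", "chisel.exe"}   # tunnelling tools named in the post
WINDOW = timedelta(hours=2)                  # assumed correlation window


def _ts(event):
    return datetime.fromisoformat(event["time"])


def stages_after_reset(events, reset, window=WINDOW):
    """Return (stages, follow-on events) seen for the reset user inside the window."""
    t0 = _ts(reset)
    later = [e for e in events
             if e["user"] == reset["user"] and e is not reset and t0 <= _ts(e) <= t0 + window]
    stages = []
    if any(e["type"] == "MfaDeviceRegistered" for e in later):
        stages.append("mfa_device_registered")
    if any(e["type"] == "SignIn" and e.get("new_ip") for e in later):
        stages.append("signin_from_new_ip")
    if any(e["type"] == "ProcessCreate" and e["file"].lower() in TUNNEL_TOOLS for e in later):
        stages.append("tunnel_tool_executed")
    return stages, later


def correlate(events, min_stages=2):
    """Raise one incident per help-desk reset followed by at least `min_stages`
    of the chain. Containment: disable the account and revoke its sessions,
    plus isolation of any device that ran a tunnelling tool."""
    incidents = []
    for reset in (e for e in events if e["type"] == "PasswordReset"):
        stages, later = stages_after_reset(events, reset)
        if len(stages) < min_stages:
            continue
        devices = sorted({e["device"] for e in later
                          if e["type"] == "ProcessCreate" and e["file"].lower() in TUNNEL_TOOLS})
        actions = ["disable_account", "revoke_sessions"] + [f"isolate_device:{d}" for d in devices]
        incidents.append({
            "user": reset["user"],
            "reset_by": reset["actor"],
            "stages": stages,
            "severity": "high" if "tunnel_tool_executed" in stages else "medium",
            "actions": actions,
        })
    return incidents


if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS):
        print(incident)
```

Run as-is it reports one high-severity incident for jdoe with all three stages and an isolation action for WS-0421; asmith’s routine reset produces nothing because no follow-on stage occurs. In a real SOC the same join would be expressed as an advanced hunting query over the identity, device and cloud-app tables, with the same post-containment investigation the post calls for.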

Proactive defense against Octo Tempest 

Microsoft Security Exposure Management, available in the Microsoft Defender portal, equips security teams with capabilities such as critical asset protection, threat actor initiatives, and attack path analysis that enable security teams to proactively reduce exposure and mitigate the impact of Octo Tempest’s hybrid attack tactics.

Ensure critical assets stay protected 

Customers should ensure critical assets are classified as critical in the Microsoft Defender portal to generate relevant attack paths and recommendations in initiatives. Microsoft Defender automatically identifies critical devices in your environment, but teams should also create custom rules and expand critical asset identifiers to enhance protection.  

Take action to minimize impact with initiatives 

Exposure Management’s initiatives feature provides goal-driven programs that unify key insights to help teams harden defenses and act fast on real threats. To address the most pressing risks related to Octo Tempest, we recommend organizations begin with the initiatives below: 

  • Octo Tempest Threat Initiative: Octo Tempest is known for tactics like extracting credentials from Local Security Authority Subsystem Service (LSASS) using tools like Mimikatz and signing in from attacker-controlled IPs—both of which can be mitigated through controls like attack surface reduction (ASR) rules and sign-in policies. This initiative brings these mitigations together into a focused program, mapping real-world attacker behaviors to actionable controls that help reduce exposure and disrupt attack paths before they escalate.
  • Ransomware Initiative: A broader initiative focused on reducing exposure to extortion-driven attacks through hardening identity, endpoint, and infrastructure layers. This will provide recommendations tailored for your organization.  

Investigate on-premises and hybrid attack paths

Security teams can use attack path analysis to trace cross-domain attack paths, like those Octo Tempest has used when exploiting the critical Entra Connect server to pivot into cloud workloads, escalate privileges, and expand its reach. Teams can use the ‘Chokepoint’ view in the attack path dashboard to highlight entities that appear in multiple paths, making it easy to filter for helpdesk-linked accounts, a known Octo Tempest target, and prioritize their remediation.

Given Octo Tempest’s hybrid attack strategy, a representative attack path may look like this: 

Recommendations 

In today’s threat landscape, proactive security is essential. By following security best practices, you reduce the attack surface and limit the potential impact of adversaries like Octo Tempest. Microsoft recommends implementing the following to help strengthen your overall posture and stay ahead of threats: 

Identity security recommendations 

Endpoint security recommendations 

  • Enable Microsoft Defender Antivirus cloud-delivered protection for Linux.
  • Turn on Microsoft Defender Antivirus real-time protection for Linux.
  • Enable Microsoft Defender for Endpoint EDR in block mode to block post-breach malicious behavior on the device through behavior blocking and containment capabilities.
  • Turn on tamper protection, which prevents Microsoft Defender for Endpoint security settings from being modified.
  • Block credential stealing from the Windows local security authority subsystem: attack surface reduction (ASR) rules are the most effective method for blocking the most common attack techniques used in cyberattacks and malicious software.
  • Turn on Microsoft Defender Credential Guard to isolate secrets so that only privileged system software can access them.

Cloud security recommendations 

  • Key Vaults should have purge protection enabled to prevent immediate, irreversible deletion of vaults and secrets.
  • To reduce risks of overly permissive inbound rules on virtual machines’ management ports, enable just-in-time (JIT) network access control. 
  • Microsoft Defender for Cloud recommends encrypting data with customer-managed keys (CMK) to support strict compliance or regulatory requirements. To reduce risk and increase control, enable CMK to manage your own encryption keys through Microsoft Azure Key Vault.
  • Enable logs in Azure Key Vault and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
  • Microsoft Azure Backup should be enabled for virtual machines to protect the data on your Microsoft Azure virtual machines, and to create recovery points that are stored in geo-redundant recovery vaults.


To learn more about Microsoft Security solutions, visit our website. Bookmark the Microsoft Security blog to keep up with our expert coverage on security matters.

Also, follow us on Microsoft Security LinkedIn and @MSFTSecurity on X for the latest news and updates on cybersecurity. 

Microsoft’s Secure by Design journey: One year of success http://approjects.co.za/?big=en-us/security/blog/2025/04/17/microsofts-secure-by-design-journey-one-year-of-success/ Thu, 17 Apr 2025 16:00:00 +0000 Read about the initiatives Microsoft has undertaken over the past 18 months to support secure by design, secure by default, and secure in operations objectives as part of our SFI Initiative.

Cybersecurity is one of the top risks facing businesses. Organizations are struggling to navigate the ever-evolving cyberthreat landscape, in which 600 million identity attacks are carried out daily.[1] The median time for a cyberattacker to access private data from phishing is 1 hour and 12 minutes, and nation-state cyberattacks are on the rise.[2] Organizations also face unprecedented complexity, making security jobs harder: 57% of organizations are using more than 40 security tools, which requires significant resourcing and effort to integrate workflows and data.[3] These challenges are magnified by the global security talent shortage, with more than 4 million security jobs unfilled worldwide, by rising insider risks, and by today’s rapidly evolving regulatory landscape.[4] These cybersecurity challenges not only cause significant business disruption but also devastating economic damage: the cost of cybercrime is expected to grow at 15% year over year, reaching $15.6 trillion by 2029.[5]

In November 2023, to address the evolution of the digital and regulatory landscape, and the unprecedented changes in the cyberthreat landscape, we announced the Microsoft Secure Future Initiative. The Secure Future Initiative (SFI) is a multiyear effort to revolutionize the way we design, build, test, and operate our products and services, to achieve the highest security standards. SFI is our commitment to improve Microsoft’s security posture, thereby improving the security posture of all our customers, and to work with governments and industry to improve the security posture of the entire ecosystem.

A circular diagram listing current and emerging threats, including technical debt, insider threat, cyber criminals, conflicting regulatory requirements, supply chain and ecosystem, and nation-state actors.

Last year, the Cybersecurity and Infrastructure Security Agency (CISA), through its “Secure by Design” pledge, called on the technology industry to prioritize security at every stage of product development and deployment. This approach of embedding cybersecurity in digital delivery from the outset is also reflected in the United Kingdom Government’s Cyber Security Strategy as well as in the Australian Cyber Security Centre (ACSC)’s “Essential Eight” mitigation strategies to protect against cyberthreats. Throughout this blog post, the term “Secure by Design” encompasses both “secure by design” and “secure by default.”

Microsoft committed to work towards key goals across a spectrum of Secure by Design principles advocated by numerous government agencies around the world. These goals aim to enhance security outcomes for customers by embedding robust cybersecurity practices throughout the product lifecycle. We continue to take our learnings, feed them back into our security standards, and operationalize these learnings as paved paths that can enable secure design and operations at scale. Our SFI updates provide examples of Microsoft’s progress in implementing secure by design, secure by default, and secure in operations principles, and provide best practices based on Microsoft’s own experience, demonstrating our dedication to improving security for customers.

Keep reading to learn about the initiatives Microsoft has undertaken over the past 18 months to support secure by design objectives as part of our SFI initiative. This post is organized around our SFI principles to provide our customers and partners with an understanding of the robust security measures we are implementing to safeguard their digital environments.

Enhancing security with multifactor authentication and default password management

Phishing-resistant multifactor authentication provides the most robust defense against password-based cyberattacks, including credential stuffing and password theft. This includes promoting multifactor authentication among customers, implementing it as a default requirement for access, and participating in efforts to establish long-term standards in authentication.

In October 2024, Microsoft implemented mandatory multifactor authentication for the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. Since then, Microsoft has worked with our customers to reduce extensions and rapidly advance multifactor authentication adoption. A key achievement is our progress in eliminating passwords across products. Microsoft has introduced enhancements to streamline authentication and improve sign-in experiences, emphasizing usability and security. Users can now remove passwords from their accounts and use passkeys instead, addressing vulnerabilities and preventing unauthorized access.

On March 26, 2025, Microsoft launched a new sign-in experience for more than 1 billion users. By the end of April 2025, most Microsoft account users will see updated sign-in and sign-up user experience flows for web and mobile apps. This new user experience is optimized for a passwordless and passkey-first experience. Microsoft is also updating the account sign-in logic to make passkey the default sign-in choice whenever possible.

Additional examples of Microsoft improving authentication and how customers can learn from Microsoft’s approach and solutions include:

  • Microsoft recommendations for organizations to get started deploying phishing-resistant passwordless authentication using Microsoft Entra ID.
  • Security defaults make it easier to help protect against identity-related cyberattacks like password spray, replay, and phishing common in today’s environments. Learn more about preconfigured security settings available in Microsoft Entra ID.
  • Microsoft’s Conditional Access uses identity-driven signals as part of access control decisions.
  • To help prevent phishing, Microsoft added additional hardening to Windows Hello, the multifactor authentication solution built into Windows. Windows Hello has also been extended to support passkeys, an industry standard that we continue to evolve. With Windows Hello and passkeys, much of the web can be protected with multifactor authentication on Windows, and people no longer need to choose between a simple sign-in and a safe sign-in.
  • Learn how Microsoft is advancing decentralized identity standards and verifiable credentials.
  • Following GitHub’s April 2024 update on a year of progress in pushing multifactor authentication adoption, further cohorts requiring multifactor authentication enablement have been rolled out in the past year. This effort continues to drive multifactor authentication utilization with almost 50% of contributing GitHub users having multifactor authentication enabled. Of those, more than 38% of users have two or more methods of two-factor authentication enabled and more than 3.6 million users have a passkey enabled on their account. Additionally, GitHub has pushed for best practices in multifactor authentication methods, and in November 2024 shipped enhancements to the management of multifactor authentication settings for organizations and enterprises that allow the restriction of insecure methods of multifactor authentication such as text messaging.
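To show concretely why passkeys resist the adversary-in-the-middle phishing that SMS and password-based sign-ins fall to, here is an added Python example (my own code, not Microsoft’s and not the Windows Hello implementation) of the relying-party checks WebAuthn prescribes for an assertion: challenge, origin, RP ID hash, flags and sign counter. The relying party login.example.com and the proxy domain login.example-com.net are constructed, and an HMAC stands in for the authenticator’s asymmetric signature so the block runs on the standard library alone; the data layout otherwise follows WebAuthn (32-byte rpIdHash, flags byte, 4-byte counter, signature over authenticatorData || SHA-256(clientDataJSON)).

```python
"""Relying-party (RP) checks that make a passkey assertion phishing-resistant.
Added example: the RP name is constructed and HMAC stands in for the
authenticator's asymmetric signature so this runs with the standard library."""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"               # constructed relying-party ID
RP_ORIGIN = "https://login.example.com"   # the only origin the RP will accept
FLAG_UP, FLAG_UV = 0x01, 0x04             # authenticatorData flag bits: user presence / verification


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def simulate_authenticator(origin, rp_id, challenge, key, sign_count):
    """What browser + authenticator hand back for an assertion.

    The BROWSER writes the origin it is really on into clientDataJSON and
    hashes the RP ID it derived from that origin; the authenticator signs
    authenticatorData || SHA-256(clientDataJSON). A phishing page therefore
    cannot obtain an assertion that names the genuine origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                              "origin": origin}, separators=(",", ":")).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash (32 bytes)
                 + bytes([FLAG_UP | FLAG_UV])                # flags (1 byte)
                 + sign_count.to_bytes(4, "big"))            # signCount (4 bytes)
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key, signed, "sha256").digest()     # stand-in for ECDSA/EdDSA
    return client_data, auth_data, signature


def verify_assertion(client_data, auth_data, signature, expected_challenge, key, last_sign_count):
    """Return (ok, reason); each check is one the RP must perform per WebAuthn."""
    signed = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(signature, hmac.new(key, signed, "sha256").digest()):
        return False, "bad signature"                        # data altered after signing
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != _b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"  # the AiTM case
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if not flags & FLAG_UV:
        return False, "user verification required"
    if int.from_bytes(auth_data[33:37], "big") <= last_sign_count:
        return False, "sign counter did not increase (possible cloned credential)"
    return True, "ok"


def demo():
    key = secrets.token_bytes(32)        # stands in for the registered credential key
    challenge = secrets.token_bytes(32)  # fresh per-ceremony challenge issued by the RP
    # 1. Legitimate sign-in from the genuine origin.
    legit = verify_assertion(*simulate_authenticator(RP_ORIGIN, RP_ID, challenge, key, 5),
                             challenge, key, 4)
    # 2. An AiTM proxy relays the real challenge, but the browser is on the proxy's
    #    origin, so origin (and rpIdHash) disagree with what the RP expects.
    phish = verify_assertion(*simulate_authenticator("https://login.example-com.net",
                                                      "login.example-com.net", challenge, key, 6),
                             challenge, key, 4)
    # 3. The proxy rewrites the origin in clientDataJSON after signing: the signature fails.
    cd, ad, sig = simulate_authenticator("https://login.example-com.net", RP_ID, challenge, key, 7)
    rewritten = cd.replace(b"https://login.example-com.net", RP_ORIGIN.encode())
    tampered = verify_assertion(rewritten, ad, sig, challenge, key, 4)
    return legit, phish, tampered


if __name__ == "__main__":
    for name, result in zip(("legitimate", "aitm proxy", "rewritten origin"), demo()):
        print(f"{name:17s} -> {result}")
```

The point the three cases make: a relayed one-time code carries nothing that ties it to the site the user typed it into, whereas a passkey assertion is bound to the origin the browser observed and to the RP ID the credential was registered for, and that binding is covered by the signature, so a proxy can neither reuse nor repair it.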

Reducing entire classes of vulnerabilities

Most exploited vulnerabilities today stem from types that can often be mitigated at scale, such as SQL injection, cross-site scripting, and memory-safety vulnerabilities. Governments aim to reduce these by encouraging companies to adopt practices like eliminating authorization validation logic mistakes, enabling the use of memory-safe languages, creating secure firmware architectures, and implementing secure administrative protections. The goal is to minimize exploitation risk by addressing systemic vulnerabilities at their root.

Our introduction of mandatory use of the Microsoft Authentication Library (MSAL) across all Microsoft applications helps ensure that advanced identity defenses, such as token binding, continuous access evaluation, and advanced application attack detections, are consistently implemented. This standardizes secure authentication processes, making it significantly harder for attackers to exploit identity-related vulnerabilities. MSAL enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs. 

Microsoft is also committed to adopting memory-safe languages, such as Rust, for developing new products and transitioning existing ones. This approach addresses common vulnerabilities related to memory safety. Microsoft is investing heavily in memory-safe languages to enhance the safety of our code, and we are applying this new approach to our security platform and other key areas like Microsoft Surface and Pluton security firmware.

In Windows 11, we’ve applied a secure by design strategy from the very first line of code. We have established a Hardware Security Baseline, which helps to ensure every Windows 11 PC has consistent hardware security forming a secure foundation. Windows 11 has secure by default settings and stronger controls for what apps and drivers are allowed to run. This is important as unverified apps and drivers lead to malware and script attacks. And most malware and ransomware apps are unsigned, which means they can be authored and distributed without being provably safe. For consumers and smaller organizations, Smart App Control is a new feature that uses cloud AI to enable millions of known safe apps to run, regardless of where you got them. For larger organizations, IT admins can layer on App Control for Business policies and deploy them using Intune.  

With Windows powering business-critical solutions across a wide variety of customers, we are committed to helping ensure that Windows remains the most secure and reliable platform. At Microsoft Ignite in 2024, we announced the Windows Resilience Initiative, focused on enhancing the security and resilience of the Windows operating system. This involves implementing advanced security features, improving threat detection and response capabilities, and helping to ensure that Windows can withstand and recover from cyberattacks. As part of the Windows Resilience Initiative, we are working to protect against common cyberattacks in addition to strengthening the identity protection mentioned above.

As part of this we are addressing the long-standing challenge of overprivileged users and applications, which create significant risk. Yet many people do not want to give up admin control of their PC. To help strike the balance of admin privileges and security we are introducing Administrator protection (currently in Windows Insiders). Admin protection gives you the protection of standard user permissions by default, and when needed you can securely authorize a just-in-time system change using Windows Hello. Once the process has completed, the temporary admin token is destroyed. This means admin privileges do not persist.  Admin protection will be disruptive to cyberattackers, as they no longer have elevated privileges by default, which will help organizations ensure they remain in control of Windows. 

We are also collaborating with endpoint security partners to adopt safe deployment practices. This means all security product updates will be gradual, minimizing deployment risks and monitoring to help ensure any negative impact is kept to a minimum. Additionally, we are developing new Windows capabilities that allow security product developers to build their products outside of kernel mode, reducing the impact to Windows in the event of a security product crash. 

Another key development is our secure by design user experience (UX) toolkit. Human error causes the majority of security breaches. The UX toolkit helps build more secure software and improve user security experiences. This toolkit represents a new way of thinking—where design and security aren’t siloed but are working together from the very beginning. Adopted internally and shared externally, the toolkit helps other software organizations in enhancing their security practices.

Other activities Microsoft has worked on to eliminate classes of vulnerabilities include:

  • Continued support to enable developers to use the memory safe language Rust on Windows.
  • Taking steps to mitigate Windows NT LAN Manager (NTLM) relay attacks by default against Exchange Server, Active Directory Certificate Services, and Lightweight Directory Access Protocol (LDAP).
  • Zero Trust Domain Name System (DNS) preview expanded to include Windows 11 enterprise customers. This feature helps lock down devices so they only access approved network destinations.
  • Surface embedded firmware products’ use of a common firmware architecture.
  • Launch of the Windows 365 Link, which is the first Cloud PC device for Windows 365. Windows 365 Link eliminates local data and apps and has no local admin users and provides employees a way to more securely stream their Windows 365 Cloud PC.
  • GitHub released CodeQL support for GitHub Actions workflow files. This new static analysis capability identifies common continuous integration and continuous delivery (CI/CD) flaws both in existing code bases and before they are introduced to help eliminate this class of vulnerabilities. Using this new feature, the GitHub Security Lab was able to help secure more than 75 GitHub Actions workflows in open source projects, disclosing more than 90 different vulnerabilities.

Boosting patch application rates

Timely and effective patch management is necessary for cybersecurity, as this is how we can reduce the window of opportunity for malicious actors to exploit software flaws.

Microsoft has made measurable increases in the installation of security patches, which we achieved by enabling automatic installation of software patches when possible and enabling this functionality by default, as well as by offering widespread support for these patches.

Microsoft continues to roll out major security updates on the second Tuesday of each month, known as Patch Tuesday. This regular schedule ensures that all systems receive timely updates to address critical vulnerabilities, thereby reducing the risk of exploitation by cyberattackers.

Building on this foundation, Microsoft has made significant strides in improving the update process with Windows 11. By reducing the number of required system restarts from 12 to four per year through the use of Hotpatch updates, we have further streamlined operations and encouraged organizations to remain compliant with patching requirements.

Other examples of our efforts to boost patch and security update rates include:

  • Windows Hotpatch: Announced at Microsoft Ignite 2024, this provides a 60% reduction in time to adopt security updates, assisted by applying updates seamlessly without system restarts.
  • Microsoft has emphasized the importance of clearly communicating the expected lifespan of products at the time of sale and investing in provisioning capabilities to ease customer transitions to supported versions when products reach the end of their lifecycle. This strategy ensures that customers are well-informed and can smoothly adapt to new technologies.

Adopting a Vulnerability Disclosure Policy (VDP) and Common Vulnerabilities and Exposures (CVE) 

Coordinated vulnerability disclosure, a practice Microsoft adopted more than a decade ago, benefits both security researchers and software manufacturers by enabling collaboration to enhance product security. A VDP that authorizes public testing of products, commits to refraining from legal action against those who follow the VDP in good faith, provides a clear channel for reporting vulnerabilities, and permits public disclosure of vulnerabilities according to coordinated vulnerability disclosure best practices and international standards makes a real difference for cybersecurity. Additionally, manufacturers can demonstrate transparency by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every CVE record for the manufacturer’s products.

Our adoption of the CWE and CPE standards in every CVE record for our products is an important achievement. This transparency provides accurate and detailed information about vulnerabilities, facilitating timely and effective remediation. By issuing CVEs promptly for all critical or high-impact vulnerabilities, Microsoft demonstrates its commitment to maintaining a secure environment and protecting its customers from potential cyberthreats.

Another notable highlight is the publication of machine-readable CSAF files, which provide a clear channel for reporting vulnerabilities and authorize public testing of Microsoft products. This fosters collaboration between security researchers and software manufacturers, enabling the identification and mitigation of vulnerabilities in a coordinated manner.
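As an added example of the record-completeness check the two paragraphs above describe (my own code, not Microsoft’s CVE or CSAF tooling), the following Python audits CVE JSON 5.x records for a machine-readable cweId in every problemType and at least one well-formed CPE 2.3 string per affected product. The three records and their CVE-1900-* identifiers are constructed placeholders, the field paths assume the CVE 5.x record layout (containers.cna.problemTypes and containers.cna.affected), and the CPE regex is a simplified shape check that does not handle escaped colons inside components.

```python
"""Audit CVE JSON 5.x records for the CWE and CPE fields a transparent CNA
should publish. Added example with constructed placeholder records."""
import re

CWE_ID = re.compile(r"^CWE-\d+$")
# Simplified CPE 2.3 formatted-string shape: 'cpe:2.3:' + part + 10 more fields.
CPE23 = re.compile(r"^cpe:2\.3:[aho*\-](?::[^:]*){10}$")


def audit_record(record):
    """Return a list of findings; an empty list means the record is complete."""
    findings = []
    cve_id = record.get("cveMetadata", {}).get("cveId", "<no id>")
    cna = record.get("containers", {}).get("cna", {})

    # Every problemType should carry a machine-readable CWE, not just prose.
    cwes = [d.get("cweId") for pt in cna.get("problemTypes", []) for d in pt.get("descriptions", [])]
    if not cwes:
        findings.append(f"{cve_id}: no problemTypes/CWE at all")
    for cwe in cwes:
        if not cwe or not CWE_ID.match(cwe):
            findings.append(f"{cve_id}: problemType without a valid cweId ({cwe!r})")

    # Every affected product should name at least one well-formed CPE 2.3 string.
    affected = cna.get("affected", [])
    if not affected:
        findings.append(f"{cve_id}: no affected products listed")
    for prod in affected:
        label = f"{prod.get('vendor', '?')}/{prod.get('product', '?')}"
        cpes = prod.get("cpes", [])
        if not cpes:
            findings.append(f"{cve_id}: {label} has no cpes")
        for cpe in cpes:
            if not CPE23.match(cpe):
                findings.append(f"{cve_id}: {label} has malformed CPE {cpe!r}")
    return findings


def audit_all(records):
    return {r["cveMetadata"]["cveId"]: audit_record(r) for r in records}


# Constructed sample records with placeholder IDs; these are not real CVEs.
SAMPLE_RECORDS = [
    {   # complete: CWE id and a CPE 2.3 string present
        "dataType": "CVE_RECORD", "dataVersion": "5.1",
        "cveMetadata": {"cveId": "CVE-1900-0001", "state": "PUBLISHED"},
        "containers": {"cna": {
            "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79",
                                                "description": "CWE-79 Cross-site Scripting"}]}],
            "affected": [{"vendor": "ExampleCorp", "product": "Widget",
                          "cpes": ["cpe:2.3:a:examplecorp:widget:1.0:*:*:*:*:*:*:*"]}],
        }},
    },
    {   # prose-only problem type: no cweId for tooling to key on
        "cveMetadata": {"cveId": "CVE-1900-0002", "state": "PUBLISHED"},
        "containers": {"cna": {
            "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper input validation"}]}],
            "affected": [{"vendor": "ExampleCorp", "product": "Widget",
                          "cpes": ["cpe:2.3:a:examplecorp:widget:2.0:*:*:*:*:*:*:*"]}],
        }},
    },
    {   # CWE present, but one product has no cpes and another has a malformed one
        "cveMetadata": {"cveId": "CVE-1900-0003", "state": "PUBLISHED"},
        "containers": {"cna": {
            "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787",
                                                "description": "Out-of-bounds Write"}]}],
            "affected": [{"vendor": "ExampleCorp", "product": "Gadget"},
                         {"vendor": "ExampleCorp", "product": "Gizmo", "cpes": ["cpe:2.3:a:examplecorp:gizmo"]}],
        }},
    },
]

if __name__ == "__main__":
    for cve_id, findings in audit_all(SAMPLE_RECORDS).items():
        print(cve_id, findings or "complete")
```

Run over a CNA’s published records, an empty findings list per record is the property the passage describes; the two kinds of findings are the ones downstream consumers (scanners keyed on CPE, analytics keyed on CWE) would otherwise silently miss.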

Other activities Microsoft has worked on to adopt VDP and CVE include:

Empowering customers to detect and document intrusions

Organizations should do more to detect cybersecurity incidents and understand their impact. To ensure they can do that, manufacturers should provide artifacts and evidence-gathering tools, like audit logs.

An example of Microsoft’s commitment in this area is our implementation of robust sensors and logs, enhancing detection of cyberthreats. This initiative provides customers with actionable insights into potential intrusions, enabling swift responses and risk mitigation.

Other activities Microsoft has worked on to empower customers to detect and document intrusions include:

GitHub shipped enhanced capabilities to the GitHub audit log to provide customers with increased visibility of API events and features to enable enterprise management, automation, and integration.



[1] Microsoft Digital Defense Report 2024.

[2] Microsoft Digital Defense Report 2022.

[3] IDC North America Tools and Vendors Consolidation Survey, 2023.

[4] 2024 ISC2 Cybersecurity Workforce Study.

[5] Global cybercrime estimated cost 2029.

Cyber Signals Issue 9 | AI-powered deception: Emerging fraud threats and countermeasures http://approjects.co.za/?big=en-us/security/blog/2025/04/16/cyber-signals-issue-9-ai-powered-deception-emerging-fraud-threats-and-countermeasures/ Wed, 16 Apr 2025 11:00:00 +0000 Microsoft maintains a continuous effort to protect its platforms and customers from fraud and abuse. This edition of Cyber Signals takes you inside the work underway and important milestones achieved that protect customers.


Microsoft maintains a continuous effort to protect its platforms and customers from fraud and abuse. From blocking imposters on Microsoft Azure and adding anti-scam features to Microsoft Edge, to fighting tech support fraud with new features in Windows Quick Assist, this edition of Cyber Signals takes you inside the work underway and important milestones achieved that protect customers.

We are all defenders. 


Between April 2024 and April 2025, Microsoft:

  • Thwarted $4 billion in fraud attempts.
  • Rejected 49,000 fraudulent partnership enrollments.
  • Blocked about 1.6 million bot signup attempts per hour.

The evolution of AI-enhanced cyber scams

AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate. AI software used in fraud attempts runs the gamut, from legitimate apps misused for malicious purposes to more fraud-oriented tools used by bad actors in the cybercrime underground.

AI tools can scan and scrape the web for company information, helping cyberattackers build detailed profiles of employees or other targets to create highly convincing social engineering lures. In some cases, bad actors are luring victims into increasingly complex fraud schemes using fake AI-enhanced product reviews and AI-generated storefronts, where scammers create entire websites and e-commerce brands, complete with fake business histories and customer testimonials. By using deepfakes, voice cloning, phishing emails, and authentic-looking fake websites, threat actors seek to appear legitimate at wider scale.

According to the Microsoft Anti-Fraud Team, AI-powered fraud attacks are happening globally, with much of the activity coming from China and Europe, specifically Germany due in part to Germany’s status as one of the largest e-commerce and online services markets in the European Union (EU). The larger a digital marketplace in any region, the more likely a proportional degree of attempted fraud will take place.

E-commerce fraud


Fraudulent e-commerce websites can be set up in minutes using AI and other tools requiring minimal technical knowledge. Previously, it would take threat actors days or weeks to stand up convincing websites. These fraudulent websites often mimic legitimate sites, making it challenging for consumers to identify them as fake. 

Using AI-generated product descriptions, images, and customer reviews, scammers dupe customers into believing they are interacting with a genuine merchant, exploiting consumer trust in familiar brands.

AI-powered customer service chatbots add another layer of deception by convincingly interacting with customers. These bots can delay chargebacks by stalling customers with scripted excuses and manipulating complaints with AI-generated responses that make scam sites appear professional.

In a multipronged approach, Microsoft has implemented robust defenses across our products and services to protect customers from AI-powered fraud. Microsoft Defender for Cloud provides comprehensive threat protection for Azure resources, including vulnerability assessments and threat detection for virtual machines, container images, and endpoints.

Microsoft Edge features website typo protection and domain impersonation protection using deep learning technology to help users avoid fraudulent websites. Edge has also implemented a machine learning-based Scareware Blocker to identify and block potential scam pages and deceptive pop-up screens with alarming warnings claiming a computer has been compromised. These attacks try to frighten users into calling fraudulent support numbers or downloading harmful software.

Job and employment fraud

The rapid advancement of generative AI has made it easier for scammers to create fake listings on various job platforms. They generate fake profiles with stolen credentials, fake job postings with auto-generated descriptions, and AI-powered email campaigns to phish job seekers. AI-powered interviews and automated emails enhance the credibility of job scams, making it harder for job seekers to identify fraudulent offers.

To prevent this, job platforms should introduce multifactor authentication for employer accounts to make it harder for bad actors to take over legitimate hirers’ listings and use available fraud-detection technologies to catch suspicious content.

Fraudsters often ask for personal information, such as resumes or even bank account details, under the guise of verifying the applicant’s information. Unsolicited text and email messages offering employment opportunities that promise high pay for minimal qualifications are typically an indicator of fraud.

Employment offers that include requests for payment, offers that seem too good to be true, unsolicited offers or interview requests over text message, and a lack of formal communication platforms can all be indicators of fraud.

Tech support scams

Tech support scams are a type of fraud where scammers trick victims into accepting unnecessary technical support services to fix device or software problems that don’t exist. The scammers may then gain remote access to a computer—which lets them access all information stored on it and on any network connected to it—or install malware that gives them access to the computer and sensitive data.

Tech support scams are a case where elevated fraud risks exist, even if AI does not play a role. For example, in mid-April 2024, Microsoft Threat Intelligence observed the financially motivated and ransomware-focused cybercriminal group Storm-1811 abusing Windows Quick Assist software by posing as IT support. Microsoft did not observe AI used in these attacks; Storm-1811 instead impersonated legitimate organizations through voice phishing (vishing) as a form of social engineering, convincing victims to grant them device access through Quick Assist. 

Quick Assist is a tool that enables users to share their Windows or macOS device with another person over a remote connection. Tech support scammers often pretend to be legitimate IT support from well-known companies and use social engineering tactics to gain the trust of their targets. They then attempt to employ tools like Quick Assist to connect to the target’s device. 

Quick Assist and Microsoft are not compromised in these cyberattack scenarios; however, the abuse of legitimate software presents risk Microsoft is focused on mitigating. Informed by Microsoft’s understanding of evolving cyberattack techniques, the company’s anti-fraud and product teams work closely together to improve transparency for users and enhance fraud detection techniques. 

The Storm-1811 cyberattacks highlight the capability of social engineering to circumvent security defenses. Social engineering involves collecting relevant information about targeted victims and arranging it into credible lures delivered through phone, email, text, or other mediums. Various AI tools can quickly find, organize, and generate information, thus acting as productivity tools for cyberattackers. Although AI is a new development, enduring measures to counter social engineering attacks remain highly effective. These include increasing employee awareness of legitimate helpdesk contact and support procedures, and applying Zero Trust principles to enforce least privilege across employee accounts and devices, thereby limiting the impact of any compromised assets while they are being addressed. 

Microsoft has taken action to mitigate attacks by Storm-1811 and other groups by suspending identified accounts and tenants associated with inauthentic behavior. If you receive an unsolicited tech support offer, it is likely a scam. Always reach out to trusted sources for tech support. If scammers claim to be from Microsoft, we encourage you to report it directly to us at http://approjects.co.za/?big=reportascam.

Building on the Secure Future Initiative (SFI), Microsoft is taking a proactive approach to ensuring our products and services are “Fraud-resistant by Design.” In January 2025, a new fraud prevention policy was introduced: Microsoft product teams must now perform fraud prevention assessments and implement fraud controls as part of their design process. 

Recommendations

  • Strengthen employer authentication: Fraudsters often hijack legitimate company profiles or create fake recruiters to deceive job seekers. To prevent this, job platforms should introduce multifactor authentication and Verified ID as part of Microsoft Entra ID for employer accounts, making it harder for unauthorized users to gain control.
  • Monitor for AI-based recruitment scams: Companies should deploy deepfake detection algorithms to identify AI-generated interviews where facial expressions and speech patterns may not align naturally.
  • Be cautious of websites and job listings that seem too good to be true: Verify the legitimacy of websites by checking for secure connections (https) and using tools like Microsoft Edge’s typo protection.
  • Avoid providing personal information or payment details to unverified sources: Look for red flags in job listings, such as requests for payment or communication through informal platforms like text messages, WhatsApp, nonbusiness Gmail accounts, or requests to contact someone on a personal device for more information.

Using Microsoft’s security signal to combat fraud

Microsoft is actively working to stop fraud attempts using AI and other technologies by evolving large-scale detection models based on AI, such as machine learning, to play defense by learning from and mitigating fraud attempts. Machine learning is the process that helps a computer learn without direct instruction using algorithms to discover patterns in large datasets. Those patterns are then used to create a comprehensive AI model, allowing for predictions with high accuracy.

We have developed in-product safety controls that warn users about potential malicious activity and integrate rapid detection and prevention of new types of attacks.

Our fraud team has developed domain impersonation protection using deep-learning technology at the domain creation stage, to help protect against fraudulent e-commerce websites and fake job listings. Microsoft Edge has incorporated website typo protection, and we have developed AI-powered fake job detection systems for LinkedIn.

Microsoft Defender SmartScreen is a cloud-based security feature that aims to prevent unsafe browsing habits by analyzing websites, files, and applications based on their reputation and behavior. It is integrated into Windows and the Edge browser to help protect users from phishing attacks, malicious websites, and potentially harmful downloads.

Furthermore, Microsoft’s Digital Crimes Unit (DCU) partners with others in the private and public sector to disrupt the malicious infrastructure used by criminals perpetuating cyber-enabled fraud. The team’s longstanding collaboration with law enforcement around the world to respond to tech support fraud has resulted in hundreds of arrests and increasingly severe prison sentences worldwide. The DCU is applying key learnings from past actions to disrupt those who seek to abuse generative AI technology for malicious or fraudulent purposes. 

Quick Assist features and remote help combat tech support fraud

To help combat tech support fraud, we have incorporated warning messages to alert users about possible tech support scams in Quick Assist before they grant access to someone approaching them purporting to be an authorized IT department or other support resource.

Windows users must read and click the box to acknowledge the security risk of granting remote access to the device.

Microsoft has significantly enhanced Quick Assist protection for Windows users by leveraging its security signal. In response to tech support scams and other threats, Microsoft now blocks an average of 4,415 suspicious Quick Assist connection attempts daily, accounting for approximately 5.46% of global connection attempts. These blocks target connections exhibiting suspicious attributes, such as associations with malicious actors or unverified connections.

Microsoft’s continual focus on advancing Quick Assist safeguards seeks to counter adaptive cybercriminals, who previously targeted individuals opportunistically with fraudulent connection attempts, but more recently have sought to target enterprises with more organized cybercrime campaigns that Microsoft’s actions have helped disrupt.

Our Digital Fingerprinting capability, which leverages AI and machine learning, drives these safeguards by providing fraud and risk signals to detect fraudulent activity. If our risk signals detect a possible scam, the Quick Assist session is automatically ended. Digital Fingerprinting works by collecting various signals to detect and prevent fraud.

For enterprises combating tech support fraud, Remote Help is another valuable resource for employees. Remote Help is designed for internal use within an organization and includes features that make it ideal for enterprises.

By reducing scams and fraud, Microsoft aims to enhance the overall security of its products and protect its users from malicious activities.

Consumer protection tips

Fraudsters exploit psychological triggers such as urgency, scarcity, and trust in social proof. Consumers should be cautious of:

  • Impulse buying—Scammers create a sense of urgency with “limited-time” deals and countdown timers.
  • Trusting fake social proof—AI generates fake reviews, influencer endorsements, and testimonials to appear legitimate.
  • Clicking on ads without verification—Many scam sites spread through AI-optimized social media ads. Consumers should cross-check domain names and reviews before purchasing.
  • Ignoring payment security—Avoid direct bank transfers or cryptocurrency payments, which lack fraud protections.

Job seekers should verify employer legitimacy, be on the lookout for common job scam red flags, and avoid sharing personal or financial information with unverified employers.

  • Verify employer legitimacy—Cross-check company details on LinkedIn, Glassdoor, and official websites to verify legitimacy.
  • Notice common job scam red flags—If a job requires upfront payments for training materials, certifications, or background checks, it is likely a scam. Unrealistic salaries or no-experience-required remote positions should be approached with skepticism. Emails from free domains (such as johndoehr@gmail.com instead of hr@company.com) are also typically indicators of fraudulent activity.
  • Be cautious of AI-generated interviews and communications—If a video interview seems unnatural, with lip-syncing delays, robotic speech, or odd facial expressions, it could be deepfake technology at work. Job seekers should always verify recruiter credentials through the company’s official website before engaging in any further discussions.
  • Avoid sharing personal or financial information—Under no circumstances should you provide a Social Security number, banking details, or passwords to an unverified employer.

Microsoft is also a member of the Global Anti-Scam Alliance (GASA), which aims to bring governments, law enforcement, consumer protection organizations, financial authorities and providers, brand protection agencies, social media, internet service providers, and cybersecurity companies together to share knowledge and protect consumers from getting scammed.

Recommendations

  • Remote Help: Microsoft recommends using Remote Help instead of Quick Assist for internal tech support. Remote Help is designed for internal use within an organization and incorporates several features designed to enhance security and minimize the risk of tech support hacks. It is engineered to be used only within an organization’s tenant, providing a safer alternative to Quick Assist.
  • Digital Fingerprinting: This identifies malicious behaviors and ties them back to specific individuals. This helps in monitoring and preventing unauthorized access.
  • Blocking full control requests: Quick Assist now includes warnings and requires users to check a box acknowledging the security implications of sharing their screen. This adds a layer of helpful “security friction” by prompting users who may be multitasking or preoccupied to pause to complete an authorization step.

Kelly Bissell: A cybersecurity pioneer combating fraud in the new era of AI

Kelly Bissell’s journey into cybersecurity began unexpectedly in 1990. Initially working in computer science, Kelly was involved in building software for healthcare patient accounting and operating systems at Medaphis and Bellsouth, now AT&T.

His interest in cybersecurity was sparked when he noticed someone logged into a phone switch attempting to get free long-distance calls and traced the intruder back to Romania. This incident marked the beginning of Kelly’s career in cybersecurity.

“I stayed in cybersecurity hunting for bad actors, integrating security controls for hundreds of companies, and helping shape the NIST security frameworks and regulations such as FFIEC, PCI, NERC-CIP,” he explains.

Currently, Kelly is Corporate Vice President of Anti-Fraud and Product Abuse within Microsoft Security. Microsoft’s fraud team employs machine learning and AI to build better detection code and understand fraud operations. They use AI-powered solutions to detect and prevent cyberthreats, leveraging advanced fraud detection frameworks that continuously learn and evolve.

“Cybercrime is a trillion-dollar problem, and it’s been going up every year for the past 30 years. I think we have an opportunity today to adopt AI faster so we can detect and close the gap of exposure quickly. Now we have AI that can make a difference at scale and help us build security and fraud protections into our products much faster.”

Previously, Kelly managed the Microsoft Detection and Response Team (DART) and created the Global Hunting, Oversight, and Strategic Triage (GHOST) team that detected and responded to attackers such as Storm-0558 and Midnight Blizzard.

Prior to Microsoft, during his time at Accenture and Deloitte, Kelly collaborated with companies and worked extensively with government agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation, where he helped build security systems inside their operations.

His time as Chief Information Security Officer (CISO) at a bank exposed him to addressing both cybersecurity and fraud, leading to his involvement in shaping regulatory guidelines to protect banks and eventually Microsoft.

Kelly has also played a significant role in shaping regulations around the National Institute of Standards and Technology (NIST) and Payment Card Industry (PCI) compliance, which helps ensure the security of businesses’ credit card transactions, among others.

Internationally, Kelly played a crucial role in helping establish agencies and improve cybersecurity measures. As a consultant in London, he helped stand up the United Kingdom’s National Cyber Security Centre (NCSC), which is part of the Government Communications Headquarters (GCHQ), the equivalent of CISA. Kelly’s efforts in content moderation with several social media companies, including YouTube, were instrumental in removing harmful content.

That’s why he’s excited about Microsoft’s partnership with GASA. GASA brings together governments, law enforcement, consumer protection organizations, financial authorities, internet service providers, cybersecurity companies, and others to share knowledge and define joint actions to protect consumers from getting scammed.

“If I protect Microsoft, that’s good, but it’s not sufficient. In the same way, if Apple does their thing, and Google does their thing, but if we’re not working together, we’ve all missed the bigger opportunity. We must share cybercrime information with each other and educate the public. If we can have a three-pronged approach of tech companies building security and fraud protection into their products, public awareness, and sharing cybercrime and fraudster information with law enforcement, I think we can make a big difference,” he says.

Next steps with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
Methodology: Microsoft platforms and services, including Azure, Microsoft Defender for Office, Microsoft Threat Intelligence, and Microsoft Digital Crimes Unit (DCU), provided anonymized data on threat actor activity and trends. Additionally, Microsoft Entra ID provided anonymized data on threat activity, such as malicious email accounts, phishing emails, and attacker movement within networks. Additional insights are from the daily security signals gained across Microsoft, including the cloud, endpoints, the intelligent edge, and telemetry from Microsoft platforms and services. The $4 billion figure represents an aggregated total of fraud and scam attempts against Microsoft and our customers in consumer and enterprise segments (in 12 months).

The post Cyber Signals Issue 9 | AI-powered deception: Emerging fraud threats and countermeasures appeared first on Microsoft Security Blog.

Rethinking remote assistance security in a Zero Trust world http://approjects.co.za/?big=en-us/security/blog/2025/02/26/rethinking-remote-assistance-security-in-a-zero-trust-world/ Wed, 26 Feb 2025 17:00:00 +0000 The rise in sophisticated cyberthreats demands a fundamental shift in our approach. Organizations must rethink remote assistance security through the lens of Zero Trust, using the three key principles of Verify Explicitly, Use Least Privilege, and Assume Breach as a guide and ensuring that every session, user, and device is verified, compliant, and monitored before access is granted.

The post Rethinking remote assistance security in a Zero Trust world appeared first on Microsoft Security Blog.

The recent breach of the United States Treasury underscores a stark reality: cyber adversaries are no longer just looking for gaps in traditional network security—they are actively exploiting the tools organizations rely on for daily operations. Remote assistance technologies, essential for IT support and business continuity, have become prime targets for credential theft, moving within the network, and system exploitation. The message is clear: securing remote assistance is no longer optional; it is a fundamental requirement for maintaining operational resilience.  

A multi-pronged approach to securing remote assistance with Zero Trust

For too long, remote assistance security has been presumed rather than intentionally designed into its architecture. The rise in sophisticated cyberthreats demands a fundamental shift in our approach. Organizations must rethink remote assistance security through the lens of Zero Trust, using the three key principles of verify explicitly, use least privilege, and assume breach as a guide and ensuring that every session, user, and device is verified, compliant, and monitored before access is granted. 

Discover how implementing Zero Trust can fortify your remote assistance security by visiting our Zero Trust Workshop, where you’ll find an interactive guide to embedding security into your IT operations.  

This requires a structured approach with a foundation of: 

  1. Identity and access control—ensuring that only authenticated, compliant users and devices can initiate or receive remote assistance. 
  2. Endpoint security and compliance—enforcing security baselines and conditional access across all managed devices. 
  3. Embedded security in remote assistance—building security into the very foundation of remote assistance tools, eliminating gaps that cyberattackers can exploit. 

Identity and access control: The first line of cybersecurity defense

Identity security is the cornerstone of any secure remote assistance strategy. A compromised identity is often the first step in a cyberattack, making it critical to ensure only verified users and devices can initiate or receive remote assistance sessions. Organizations must enforce:

  • Explicit identity verification—using multi-factor authentication (MFA) and risk-based conditional access to ensure only authorized users gain access.
  • Least privilege access—ensuring remote assistance is granted only for the necessary duration and with minimal privileges to reduce the risk of exploitation.
  • Real-time risk assessment—continuously evaluating access requests for anomalies or suspicious activity to prevent unauthorized access.

By shifting the security perimeter to identity, organizations create an environment where trust is earned dynamically, not assumed.

Closing the gaps with endpoint security and compliance with Microsoft Intune

Cyberattackers frequently exploit outdated, misconfigured, or non-compliant endpoints to gain a foothold in enterprise environments. IT and security leaders must ensure that remote assistance is built on a strong endpoint security foundation, where every device connecting to corporate resources meets strict compliance standards. This highlights the need for organizations to establish consistent security policies across all devices, ensuring they are up to date and compliant before being granted remote access.

Microsoft Intune provides the necessary tools to:

  • Enforce compliance policies—restrict remote assistance to managed, up-to-date, and policy-compliant devices.
  • Apply security baselines—standardize configurations across endpoints to minimize security gaps.
  • Integrate with Microsoft’s security ecosystem—connecting remote assistance workflows with Microsoft Entra, the Microsoft Defender product family, and other security tools for real-time monitoring and cyberthreat mitigation.

Remote Help: Secure remote assistance built for Zero Trust

As organizations work toward a Zero Trust model, secure remote assistance must align with core security principles. This means moving beyond reactive security measures and embedding proactive, policy-driven controls into every remote session. Microsoft Intune Remote Help was designed with these imperatives in mind, providing a robust solution that enhances IT support while minimizing security risks.

While legacy remote assistance tools can lack enterprise-grade security controls, Remote Help is built to align with Zero Trust principles. Unlike traditional solutions, Remote Help:

  • Integrates directly with Microsoft Entra ID—enhancing security where authentication and access controls can consistently take place.
  • Provides session transparency—IT teams can track and monitor remote assistance activity in real time.
  • Enforces compliance requirements—only compliant, managed devices can participate in remote assistance sessions.

For highly regulated industries, Remote Help offers an alternative to third-party tools that may introduce security blind spots. By embedding security directly into remote assistance workflows, organizations can significantly reduce the risk of unauthorized access.
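As an added example that is not from the article or from Microsoft, the following Python models the controls described in the identity, endpoint-compliance and Remote Help sections above (explicit verification of the helper, compliance on both devices, least privilege for a bounded duration, and re-evaluation while the session runs) as one policy decision for a remote assistance request; all field names, roles, risk levels and the 60-minute cap are assumptions for illustration, not Entra ID, Intune or Remote Help APIs.

```python
"""Policy evaluator for a remote assistance session request (added example).
Models the controls described above: explicit verification, least privilege
for a bounded duration, endpoint compliance on both ends, re-evaluation while
the session runs. Names, roles, risk levels and the 60-minute cap are
illustrative assumptions, not Entra ID, Intune or Remote Help APIs."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}
MAX_SESSION_MINUTES = 60   # assumed organizational cap on one session
SAMPLE_NOW = datetime(2025, 2, 26, 17, 0, tzinfo=timezone.utc)   # constructed
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=2)                   # constructed

@dataclass(frozen=True)
class Principal:
    upn: str
    mfa_satisfied: bool
    sign_in_risk: str        # a key of RISK_ORDER
    roles: frozenset         # e.g. {"helpdesk", "helpdesk_fullcontrol"}

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in the organization's MDM
    compliant: bool          # passes the compliance policy
    baseline_applied: bool   # security baseline configured

@dataclass(frozen=True)
class SessionRequest:
    helper: Principal
    helper_device: Device
    sharer_device: Device
    requested_mode: str      # "view" or "full_control"
    requested_minutes: int

@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    granted_mode: Optional[str] = None
    expires_at: Optional[datetime] = None

def evaluate(req: SessionRequest, now: datetime = SAMPLE_NOW,
             max_risk: str = "low") -> Decision:
    """Verify explicitly, then grant the least privilege for a bounded time."""
    d = Decision(allowed=False)
    # 1. Verify explicitly: MFA, sign-in risk and role of the helper.
    if not req.helper.mfa_satisfied:
        d.reasons.append("helper has not satisfied MFA")
    if RISK_ORDER[req.helper.sign_in_risk] > RISK_ORDER[max_risk]:
        d.reasons.append(f"helper sign-in risk {req.helper.sign_in_risk!r} too high")
    if "helpdesk" not in req.helper.roles:
        d.reasons.append("helper does not hold the helpdesk role")
    # 2. Endpoint compliance on both ends of the session.
    for label, dev in (("helper", req.helper_device), ("sharer", req.sharer_device)):
        if not (dev.managed and dev.compliant and dev.baseline_applied):
            d.reasons.append(f"{label} device {dev.device_id} not managed/compliant/baselined")
    if d.reasons:
        return d             # any failed check denies the session outright
    # 3. Least privilege: full control needs its own role; cap the duration.
    mode = "view"
    if req.requested_mode == "full_control":
        if "helpdesk_fullcontrol" in req.helper.roles:
            mode = "full_control"
        else:
            d.reasons.append("full control not granted; downgraded to view")
    minutes = min(req.requested_minutes, MAX_SESSION_MINUTES)
    if minutes < req.requested_minutes:
        d.reasons.append(f"duration capped at {MAX_SESSION_MINUTES} minutes")
    d.allowed = True
    d.granted_mode = mode
    d.expires_at = now + timedelta(minutes=minutes)
    return d

def remaining_minutes(d: Decision, now: datetime) -> int:
    """Minutes left on a granted session (0 if denied or expired)."""
    if not d.allowed or d.expires_at is None or now >= d.expires_at:
        return 0
    return int((d.expires_at - now).total_seconds() // 60)

def should_terminate(d: Decision, current_risk: str, now: datetime,
                     max_risk: str = "low") -> bool:
    """Assume breach: re-check a live session; end it on expiry or raised risk."""
    return remaining_minutes(d, now) == 0 or RISK_ORDER[current_risk] > RISK_ORDER[max_risk]

# Constructed sample: a helpdesk user on a compliant device asks for four hours
# of full control of another compliant device.
HELPER = Principal("helper@example.com", True, "low", frozenset({"helpdesk"}))
OK_DEVICE = Device("dev-helper", True, True, True)
SAMPLE_REQUEST = SessionRequest(HELPER, OK_DEVICE, Device("dev-sharer", True, True, True),
                                "full_control", 240)

if __name__ == "__main__":
    print(evaluate(SAMPLE_REQUEST))
```

The sample request is granted, but downgraded to view-only and capped at 60 minutes, which is the shape of a least-privilege grant; a later risk change or expiry makes should_terminate() end the session.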

Engaging customers and partners to strengthen cyber resilience

Cybersecurity is a team sport. As cyberthreat actors grow more sophisticated, collaboration across industries is essential. Microsoft is committed to engaging with customers and partners to drive security innovation and resilience. Initiatives such as the Windows Resiliency Initiative (WRI) focus on:

  • Reducing the need for admin privileges—helping organizations adopt a least privilege approach at scale.
  • Enhancing identity protection—strengthening defenses against phishing and identity-based attacks.
  • Quick machine recovery—empowering IT teams with tools to rapidly restore compromised devices remotely.

By fostering collaboration and continuously evolving security measures, Microsoft is helping organizations stay ahead of emerging cyberthreats. These ongoing conversations with our customers and partners are crucial in shaping resilient security strategies that adapt to an ever-changing cyberthreat landscape.

A security-first approach for the future

The increasing reliance on remote assistance demands a security-first mindset. Organizations must recognize that every remote access session presents an opportunity for exploitation from an ever-evolving cast of cyberattackers. Rather than treating security as an afterthought, it must be deeply integrated into the architecture of the remote assistance solutions. A modern approach requires proactive risk mitigation, continuous verification, and seamless security controls that support productivity without compromising protection.

Now is the time for IT and security leaders to:

  • Evaluate your current remote assistance tools—identifying the gaps and areas for improvement.
  • Adopt Zero Trust principles—ensuring access is verified explicitly and continuously monitored.
  • Leverage solutions like Microsoft Intune and Remote Help—deploying secure, enterprise-grade remote assistance capabilities.

By taking these steps, you can strengthen your security posture, minimize risk, and ensure that remote assistance remains a tool for operational efficiency rather than a gateway for cyberthreats.

To explore how Zero Trust can enhance your remote assistance security, visit the Zero Trust Workshop, an interactive, step-by-step guide to embedding security into every layer of IT operations, ensuring a comprehensive and measurable approach to security transformation.

Learn more with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

How Microsoft Defender for Office 365 innovated to address QR code phishing attacks http://approjects.co.za/?big=en-us/security/blog/2024/11/04/how-microsoft-defender-for-office-365-innovated-to-address-qr-code-phishing-attacks/ Mon, 04 Nov 2024 17:00:00 +0000 This blog examines the impact of QR code phishing campaigns and the innovative features of Microsoft Defender for Office 365 that help combat evolving cyberthreats.

The post How Microsoft Defender for Office 365 innovated to address QR code phishing attacks appeared first on Microsoft Security Blog.

Over the last year, the cybersecurity industry faced a significant surge in QR code phishing campaigns, with some attacks increasing at a growth rate of 270% per month.1 A QR code (short for “Quick Response code”) is a two-dimensional barcode that can be scanned using a smartphone or other mobile device equipped with a camera. The codes can contain information like website URLs, contact information, product details, and more. They are most often used for taking users to websites, files, or applications. But when bad actors exploit them, they can be used to mislead users into unwittingly compromising their credentials and data.

Unique characteristics of QR code phishing campaigns

Like with other phishing techniques, the goal of QR code phishing attacks is to get the user to click on a malicious link that seems legitimate. They often use minimalistic emails to deliver malicious QR codes that prompt seemingly legitimate actions—like password resets or two-factor authentication verifications. A QR code can also be easily manipulated to redirect unsuspecting victims to malicious websites or to download malware in exactly the same way as URLs.

Figure 1. QR code as an image within email body redirecting to a malicious website.

The normal warning signs users might notice on larger screens can often go unnoticed on mobile devices. While the tactics, techniques, and procedures (TTPs) vary depending on which bad actor is at work, Microsoft Defender for Office 365 has detected a key set of patterns in QR code phishing attacks, including but not limited to:

  • URL redirection, where a click or tap takes you not where you expected, but to a forwarded URL.
  • Minimal to no text, which reduces the signals available for analysis and machine learning detection.
  • Exploiting a known or trusted brand, using their familiarity and reputation to increase likelihood of interaction.
  • Exploiting known email channels that trusted, legitimate senders use.
  • A variety of social lures, including multifactor authentication, document signing, and more.
  • Embedding QR codes in attachments.
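To make the patterns listed above concrete, here is an added triage heuristic in Python (written for this page, not Defender for Office 365’s detection logic) that scores a message against them and follows redirect-style query parameters without touching the network; it assumes an upstream step has already decoded each QR image to its payload string, and the brand list, lure terms and sample messages are constructed.

```python
"""Heuristic triage of an email for the QR code phishing patterns listed above.
Added example, not Defender for Office 365 logic. It assumes an upstream step
has already decoded each QR image to its payload string (decoding is out of
scope); the brand list, lure terms and sample messages are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

@dataclass(frozen=True)
class Message:
    sender_domain: str
    subject: str
    body_text: str
    qr_payloads: Tuple[str, ...]   # decoded QR contents, one per image
    qr_in_attachment: bool = False

# Constructed tenant data: brands to protect and the domains they really use.
KNOWN_BRANDS = {"contoso": frozenset({"contoso.com"})}
LURE_TERMS = ("multifactor", "multi-factor", "mfa", "two-factor", "2fa",
              "authenticator", "password", "docusign", "e-signature", "payroll")
REDIRECT_PARAMS = frozenset({"url", "redirect", "redirect_uri", "next", "return",
                             "returnurl", "target", "dest", "u", "r"})
MIN_BODY_WORDS = 25                # below this the message counts as "minimal text"

def as_http_url(text: str) -> Optional[str]:
    """Return the text if it is an http(s) URL with a host, else None."""
    text = text.strip()
    p = urlparse(text)
    return text if p.scheme in ("http", "https") and p.netloc else None

def final_destination(url: str, max_hops: int = 5) -> str:
    """Follow redirect-style query parameters (no network) to the innermost URL."""
    current = url
    for _ in range(max_hops):
        inner = None
        for key, values in parse_qs(urlparse(current).query).items():
            if key.lower() in REDIRECT_PARAMS:
                inner = next((v for v in values if as_http_url(v)), None)
                if inner:
                    break
        if inner is None:
            return current
        current = inner
    return current

def host_matches(host: str, domains: Iterable[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(msg: Message) -> Tuple[List[str], str]:
    """Return the fired indicators and a verdict: 'clean', 'review' or 'block'."""
    fired: List[str] = []
    text = f"{msg.subject} {msg.body_text}".lower()
    urls = [u for u in (as_http_url(p) for p in msg.qr_payloads) if u]
    if not urls:
        return fired, "clean"       # e.g. a Wi-Fi or vCard payload: no web destination
    if len(re.findall(r"\w+", msg.body_text)) < MIN_BODY_WORDS:
        fired.append("minimal_text")
    if msg.qr_in_attachment:
        fired.append("qr_in_attachment")
    if any(term in text for term in LURE_TERMS):
        fired.append("auth_or_signing_lure")
    for url in urls:
        final = final_destination(url)
        if final != url:
            fired.append("url_redirection")
        host = urlparse(final).hostname or ""
        for brand, domains in KNOWN_BRANDS.items():
            if brand in text and not host_matches(host, domains):
                fired.append(f"brand_impersonation:{brand}")
        if not host_matches(host, [msg.sender_domain.lower()]):
            fired.append("destination_differs_from_sender")
    fired = sorted(set(fired))
    impersonates = any(f.startswith("brand_impersonation") for f in fired)
    if len(fired) >= 4 or (impersonates and "url_redirection" in fired):
        return fired, "block"
    return fired, ("review" if len(fired) >= 2 else "clean")

# Constructed samples: a lure with a redirecting QR, and a real ticket email.
PHISH = Message(
    sender_domain="notify.example.net",
    subject="Contoso: multifactor authentication re-enrollment required",
    body_text="Scan the QR code below with your phone to complete verification.",
    qr_payloads=("https://redirector.example.net/r?u=https://contoso-login.example.org/mfa",),
)
BENIGN = Message(
    sender_domain="contoso.com",
    subject="Your Contoso Expo ticket",
    body_text=("Thanks for registering for Contoso Expo. Your ticket is shown below as a "
               "QR code; present it at the entrance on the day of the event. Doors open "
               "at nine, and the keynote starts at ten in the main hall. See you there."),
    qr_payloads=("https://tickets.contoso.com/e/12345",),
)

if __name__ == "__main__":
    for m in (PHISH, BENIGN):
        print(m.subject, "->", triage(m))
```

The benign ticket email has a QR code and a brand name too, which is why the verdict rests on the combination of indicators (short body, authentication lure, redirect, brand-domain mismatch) rather than on the presence of a QR code alone.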

      The impact of QR code phishing campaigns on the broader email security industry

      With the most common intent of QR code phishing being credential theft, malware distribution, or financial theft, QR code campaigns are often massive—exceeding 1,000 users and follow targeted information gathering reconnaissance by bad actors.2

      Microsoft security researchers first started noticing an increase in QR-code based attacks in September 2023. We saw attackers quickly morphing their techniques in two keys ways: First by manipulating the way that the QR code rendered (such as different colors and tables), and second by manipulating the embedded URL to do redirection.

      The dynamic nature of QR codes made it challenging for traditional email security mechanisms that were designed for link-based phishing techniques to effectively filter and protect against these types of cyberattacks. A key reason was the fact that extensive image content analysis was not commonly done for every image in every message, and did not represent a standard in the industry at the time of the surge.

      As a result, for several months our customers saw an increase in bad email that contained malicious QR codes as we were adapting and evolving our technology to be effective against QR codes. This was a challenging time for our customers and those of other email security vendors. We added incremental resources and redirected all our engineering energy to address these issues, and along the way not only delivered new technological innovations but also modified our processes and modernized components of our pipeline to be more resilient in the future. Now these challenges have been addressed through a key set of innovations, and we want to share our learnings and technology advancements moving forward.

      For bad actors, QR code phishing has become a lucrative business, and attackers are utilizing AI and large language models (LLMs) like ChatGPT to increase the speed and improve the believability of their attacks. Recent research by Insikt Group noted that bad actors can generate 1,000 phishing emails in under two hours for as little as $10.3 For the security industry, this necessitates a multifaceted response including improved employee training and a renewed commitment to innovation.

      The necessity of innovation in QR code phishing defense

      Innovation in the face of evolving QR code phishing risk is not just beneficial, it’s imperative. As cybercriminals continually refine their tactics to exploit new technologies, security solutions must evolve at a similar pace to remain effective. In response to the growing threat of QR code phishing, Microsoft Defender for Office 365 took decisive action to leverage advanced machine learning and AI—developing robust defenses capable of detecting and neutralizing QR code phishing attacks in real time. Our team meticulously analyzed these cyberthreats across trillions of signals, gaining valuable insights into their mechanisms and evolving patterns. This knowledge helped us refine our security protocols and enhance our platform’s resilience with several strategic updates. As the largest email security provider, we have seen a significant decline in QR code phishing attempts. At the height, Defender for Office 365 was blocking 3 million attempts daily, and with the delivery of innovative protection we have seen this number shrink to 200,000 QR code phishing attempts every day. This is a testament that our innovation is having the desired effect: reducing the effectiveness of QR code-based attacks and forcing attackers to shift their tactics.

      Figure 2. QR code phishing blocked by Microsoft Defender for Office 365.

      Recent innovations and protections we’ve implemented and improved within Microsoft Defender for Office 365 to help combat QR code phishing include:

      • URL extraction enhancements: Microsoft Defender for Office 365 has improved its capabilities to extract URLs from QR codes, substantially boosting the system’s ability to detect and counteract phishing links hidden within QR images. This enhancement enables a more thorough analysis of potential cyberthreats embedded in QR codes. In addition, we now extract metadata from QR codes, which enriches the contextual data available during threat assessments, enhancing our ability to detect suspicious activities early in the attack chain.
      • Advanced image processing: Advanced image processing techniques at the initial stage of the mail flow process allow us to extract and log URLs hidden within QR codes. This proactive measure disrupts attacks before they have a chance to compromise end user inboxes, addressing cyberthreats at the earliest possible point.
      • Advanced hunting and remediation: Our advanced hunting capabilities give security teams a comprehensive response to QR code threats across email, endpoints, and identities, so they are well equipped to specifically identify and filter out malicious activity linked to these codes.
      • User resilience against QR code phishing: To further equip organizations against these emerging threats, Microsoft Defender for Office 365 has expanded its advanced capabilities to include QR code threats, maintaining alignment with email platforms and specific cyberattack techniques. Our attack simulation training, in addition to the standard setup of user selection, payload configuration, and scheduling, now includes specialized payloads for QR code phishing to simulate authentic attack scenarios.
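Detection logic for the patterns listed earlier (redirection, minimal text, brand lookalikes, MFA and document-signing lures, QR codes in attachments) together with the URL-extraction step described above, as an added example that is not Microsoft Defender's code: it walks a message's image parts, hands each one to a caller-supplied QR decoder (assumed; pyzbar or zxing in practice, a stub here), and scores the decoded URL. The sample email, the brand allowlist, the lure phrases and the thresholds are all constructed.

```python
import re
from email.message import EmailMessage
from typing import Callable, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed allowlist: hosts under which the brand legitimately signs users in.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com", "office.com"}}
# Lure phrases from the campaigns described above (MFA re-registration, document signing).
LURE_WORDS = ("multifactor", "mfa", "authenticator", "docusign", "sign the document", "password expire")
MIN_TEXT_CHARS = 200  # a QR message with less visible text than this is "minimal text"
URL_RE = re.compile(r"https?://", re.IGNORECASE)
QrDecoder = Callable[[bytes], list[str]]  # image bytes -> URLs found in QR codes


def decode_qr_urls(msg: EmailMessage, decode_qr: QrDecoder) -> list[str]:
    """URLs from every image part, attached or inline (the URL-extraction step)."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            urls.extend(decode_qr(part.get_payload(decode=True) or b""))
    return urls


def redirect_target(url: str) -> Optional[str]:
    """A second http(s) URL carried in the query string or path: the QR code
    points at a forwarder rather than the page the victim ends up on."""
    parts = urlsplit(url)
    candidates = [unquote(v) for vals in parse_qs(parts.query).values() for v in vals]
    candidates.append(unquote(parts.path))
    for candidate in candidates:
        match = URL_RE.search(candidate)
        if match:
            return candidate[match.start():]
    return None


def impersonated_brand(url: str) -> Optional[str]:
    """Brand name in the host, but the host is not one the brand owns."""
    host = (urlsplit(url).hostname or "").lower()
    for brand, domains in BRAND_DOMAINS.items():
        owned = any(host == d or host.endswith("." + d) for d in domains)
        if brand in host and not owned:
            return brand
    return None


def visible_text(msg: EmailMessage) -> str:
    """Text the recipient would read, HTML tags stripped, whitespace collapsed."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_content())
        elif part.get_content_type() == "text/html":
            chunks.append(re.sub(r"<[^>]+>", " ", part.get_content()))
    return " ".join(" ".join(chunks).split())


def triage(msg: EmailMessage, decode_qr: QrDecoder) -> dict:
    """Score one message; 'reasons' names each pattern that fired."""
    reasons, score = [], 0
    urls = decode_qr_urls(msg, decode_qr)
    if urls:
        reasons.append("qr_code_in_image")
        score += 2
    for url in urls:
        if redirect_target(url):
            reasons.append("url_redirect")
            score += 2
        brand = impersonated_brand(url)
        if brand:
            reasons.append(f"brand_lookalike:{brand}")
            score += 2
    text = visible_text(msg)
    if urls and len(text) < MIN_TEXT_CHARS:
        reasons.append("minimal_text")
        score += 1
    if any(w in f"{msg.get('Subject', '')} {text}".lower() for w in LURE_WORDS):
        reasons.append("social_lure")
        score += 1
    return {"score": score, "reasons": reasons, "urls": urls,
            "verdict": "suspicious" if score >= 4 else "clean"}


def sample_message() -> EmailMessage:
    """Constructed lure: almost no text, one PNG attachment standing in for the QR image."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@contoso.example>"
    msg["To"] = "user@contoso.example"
    msg["Subject"] = "Action required: re-register your MFA device"
    msg.set_content("Scan to continue.")
    msg.add_attachment(b"\x89PNG constructed placeholder, not a real image",
                       maintype="image", subtype="png", filename="qr.png")
    return msg


def demo_decoder(image_bytes: bytes) -> list[str]:
    """Stand-in for a real QR decoder (pyzbar, zxing): returns the URL the
    constructed sample's code would carry, a lookalike host forwarding elsewhere."""
    if image_bytes.startswith(b"\x89PNG"):
        return ["https://login-microsoft-verify.example/auth?next=https%3A%2F%2Fcollector.example%2Fs"]
    return []
```

Swapping `demo_decoder` for a real decoder is the only change needed to run this over captured messages; the score thresholds are tuning knobs, not a verdict engine.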

      Read more technical details on how to hunt and respond to QR code-based attacks. By integrating all these capabilities across the Microsoft Defender XDR platform, we can help ensure any QR code-related threats identified in emails are thoroughly analyzed in conjunction with endpoint and identity data, creating a robust security posture that addresses threats on multiple fronts.

      Staying ahead of the evolving threat landscape

      The enhancements to Microsoft Defender for Office 365 to defend against QR code-based phishing attacks showed that we needed to advance Microsoft’s email and collaboration security faster. The rollout of the above has closed this gap and made Defender for Office 365 effective against these attacks, and as the use of QR codes expands, our defensive tactics will advance in step to combat them.

      Our continuous investment in analyzing the cyberthreat landscape, learning from past gaps, and our updated infrastructure will enable us to effectively handle present issues and proactively address future risks faster as threats emerge across email and collaboration tools. We will soon be sharing more exciting innovation that will showcase our commitment to delivering the best email and collaboration security solution to customers.

      For more information, view the data sheet on protecting against QR code phishing or visit the website to learn more about Microsoft Defender for Office 365.

      Learn more

      To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


      1 Attackers Weaponizing QR Codes to Steal Employees Microsoft Credentials, Cybersecurity News. August 22, 2023.

      2 Hunting for QR Code AiTM Phishing and User Compromise, Microsoft Tech Community. February 12, 2024.

      3 Security Challenges Rise as QR Code and AI-Generated Phishing Proliferate, Recorded Future. July 18, 2024.

      The post How Microsoft Defender for Office 365 innovated to address QR code phishing attacks appeared first on Microsoft Security Blog.

      How Microsoft Entra ID supports US government agencies in meeting identity security requirements
      http://approjects.co.za/?big=en-us/security/blog/2024/08/26/how-microsoft-entra-id-supports-us-government-agencies-in-meeting-identity-security-requirements/
      Mon, 26 Aug 2024 16:00:00 +0000
      United States Government agencies are adopting Microsoft Entra ID to consolidate siloed identity solutions, reduce operational complexity, and improve control and visibility across all users.

      If you’re in charge of cybersecurity for a United States government agency, you’re already familiar with Memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” which the US Office of Management and Budget issued in January 2022. This memo set a September 30, 2024, deadline for meeting “specific cybersecurity standards and objectives” toward implementing a Zero Trust architecture in compliance with the Executive Order on Improving the Nation’s Cybersecurity.

      Microsoft has embraced Zero Trust principles, both in our security products and in the way we secure our own enterprise environment. We’ve been helping thousands of organizations worldwide transition to a Zero Trust security model, including military departments and civilian agencies. Over the past three years, we’ve listened to our US government customers, so we can build rich new security features that help them meet the requirements described in the Executive Order, and then support their deployments. These advancements include certificate-based authentication in the cloud, Conditional Access authentication strength, cross-tenant access settings, FIDO2 provisioning APIs, Azure Virtual Desktop support for passwordless authentication, and device-bound passkeys.

      The illustration below depicts the Zero Trust Maturity Model Pillars adopted by the US Cybersecurity and Infrastructure Security Agency (CISA).

      As the memo’s deadline approaches, we’d like to celebrate the progress our customers have made using the capabilities in Microsoft Entra ID not only to meet requirements for the Identity pillar, but also to reduce complexity and to improve the user experience for their employees and partners.

      Microsoft Entra ID is helping US government customers meet the M-22-09 requirements for identity

      US government agencies are adopting Microsoft Entra ID to consolidate siloed identity solutions, reduce operational complexity, and improve control and visibility across all their users, as the memo requires. With Microsoft Entra ID, agencies can enforce multifactor authentication at the application level for more granular control. They can also strengthen security by enabling phishing-resistant authentication for staff, contractors, and partners, and by evaluating device information before authorizing access to resources.

      Vision:

      Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant multifactor authentication protects those personnel from sophisticated online attacks.

      Actions:

      Source: M-22-09: Moving the US Government Toward Zero Trust Cybersecurity Principles, issued by the US Office of Management and Budget, January 2022, page 5.

      Many of our US government civilian and military customers want to use the same solutions across their different environments. Since it’s available in secret and top-secret Microsoft Azure Government clouds, agencies can standardize on Microsoft Entra ID to secure user identities, to configure granular access permissions in one place, and to provide simpler, easier, and more secure sign-in experiences to applications their employees use in their work.


      Using Microsoft Entra ID as a centralized identity management system

      Anyone who has struggled to manage multiple identity systems understands that it’s an expensive and inefficient approach. Government customers who have adopted Microsoft Entra ID as their central agency identity provider (IdP) gained a holistic view of all users and their access permissions as required by the memo. They also gained a centralized access policy engine that combines signals from multiple sources, including identities and devices, to detect anomalous user behavior, assess risk, and make real-time access decisions that adhere to Zero Trust principles.

      Moreover, Microsoft Entra ID enables single sign-on (SSO) to resources and apps, including apps from Microsoft and thousands of other vendors, whether they’re on-premises or in Microsoft commercial or government clouds. When deployed as the central agency IdP, Microsoft Entra ID also secures access to resources in clouds from Amazon, Google, and Oracle.

      Many government customers are facilitating secure collaboration among different organizations by using Microsoft Entra External ID for business-to-business (B2B) collaboration to enable cross-cloud access scenarios. They don’t have to give collaboration partners separate credentials for accessing applications and documents in their environment, which reduces their cyberattack surface and spares their partner users from maintaining multiple sets of credentials for multiple identity systems.

      Using Microsoft Entra ID to facilitate cross-organizational collaboration

      Cross-tenant access with Microsoft Entra External ID

      Read more ↗

      One of our government customers, along with their partner agency, configured cross-tenant access settings to trust multifactor authentication claims from each user’s home tenant. Their partner agency can now trust and enforce strong phishing-resistant authentication for the customer’s users without forcing them to sign in multiple times to collaborate. The partner agency also explicitly enforces, through a Conditional Access authentication strength policy, that the customer’s users must sign in using a personal identity verification (PIV) card or a common access card (CAC) before gaining access.

      Configure cross-tenant access settings for B2B collaboration

      Learn more ↗

      Another government customer needed to give employees from different organizations within the same agency access to shared services applications such as human resources systems. They used Microsoft Entra External ID for B2B collaboration along with cross-cloud settings to enable seamless and secure collaboration and resource sharing for all agency employees, other government agencies (OGAs), and external partners. They used Microsoft Entra Conditional Access policy and cross-tenant access settings to require that employees sign in using phishing-resistant authentication before accessing shared resources. Trust relationships ensure that this approach works whether the home tenant of an employee is in an Azure commercial or government cloud. They also enabled collaboration with agencies that use an IdP other than Microsoft Entra ID by setting up federation through the SAML 2.0 and WS-Fed protocols.

      Next step after standardizing on Microsoft Entra ID as your centralized IdP: Use Microsoft Entra ID Governance to automate lifecycle management of guest accounts in your tenant, so guest users only get access to the resources they need, for only as long as they need it. Start here: What are lifecycle workflows?

      Enabling strong multifactor authentication

      Standardizing on Microsoft Entra ID has made it possible for our government customers to enable phishing-resistant authentication methods. Over the past 18 months, we’ve worked with our US government customers to increase adoption of phishing-resistant multifactor authentication with Microsoft Entra by almost 2,000%.

      From there, customers configure Conditional Access policies that require strong phishing-resistant authentication for accessing applications and resources, as required by the memo. Using Conditional Access authentication strength, they can even set policies to require additional, stronger authentication based on the sensitivity of the application or resource the user is trying to access, or the operation they’re trying to perform.

      Microsoft Entra supports strong phishing-resistant forms of authentication:

      • Certificate-based authentication (CBA) using Personal Identity Verification (PIV) cards or Common Access Cards (CAC)
      • Device-bound passkeys
        • FIDO2 security keys
        • Passkeys in the Microsoft Authenticator app
      • Windows Hello for Business
      • Platform single sign-on (SSO) for macOS devices (in preview)

      For a deep dive into phishing-resistant authentication in Microsoft Entra, explore the video series Phishing-resistant authentication in Microsoft Entra ID.

      While Microsoft Entra ID can prevent the use of common passwords, identify compromised passwords, and enable self-service password reset, many of our government customers prefer to require the most secure forms of authentication, such as smart cards with X.509 certificates and passkeys, which don’t involve passwords at all. This makes signing in more secure, simplifies the user experience, and reduces management complexity.

      Implementing phishing-resistant multifactor authentication methods with Microsoft Entra ID

      Migrate to cloud authentication using Staged Rollout

      Learn more ↗

      To reduce the cost and complexity of maintaining an on-premises authentication infrastructure using Active Directory Federation Services (AD FS) for employee PIV cards, one agency wanted to use certificate-based authentication (CBA) in Microsoft Entra ID. To ensure the transition went smoothly, they moved users with Staged Rollout, carefully monitoring threat activity using Microsoft Entra ID Protection dashboards and Microsoft Graph API logs exported to their security information and event management (SIEM) system. They migrated all their users to cloud-based CBA in Microsoft Entra in less than three months and after monitoring the environment for a time, confidently decommissioned their AD FS servers.

      Public preview: Microsoft Entra ID FIDO2 provisioning APIs

      Learn more ↗

      A local government department chose an opt-in approach for moving employees and vendors to phishing-resistant authentication. Every user contacting the help desk for a password reset instead received help onboarding to Windows Hello for Business. This agency also gave FIDO2 keys to all admins and set a Conditional Access authentication strength policy requiring all vendors to perform phishing-resistant authentication. Their next step will be to roll out device-bound passkeys managed in the Microsoft Authenticator app and enforce their use through Conditional Access. This will save them the expense of issuing separate physical keys and give their users the familiar experience of authenticating securely from their mobile device.

      Supported identities and authentication methods in Azure Virtual Desktop

      Learn more ↗

      By giving users access to applications and resources through Azure Virtual Desktop, another large agency avoids the overhead of maintaining and supporting individual devices and the software running on them. They also protect their environment from potentially unhealthy, misconfigured, or stolen devices. Whether employees use devices running Windows, macOS, iOS, or Android, they run the same Virtual Desktop image and sign in, as policy requires, using phishing-resistant, passwordless authentication.

      Next step after enabling strong multifactor authentication: Configure Conditional Access authentication strength to enforce phishing-resistant authentication for accessing sensitive resources. Start here: Overview of Microsoft Entra authentication strength.

      Using Conditional Access policies to authorize access to resources

      Using Conditional Access, our government customers have configured fine-tuned access policies that consider contextual information about the user, their device, their location, and real-time risk levels to control which apps and resources users can access and under what conditions.

      To satisfy the memo’s third identity requirement, these customers include device-based signals in policies that make authorization decisions. For example, Microsoft Entra ID Protection can detect whether a device’s originating network is safe or unsafe based on its geographic location, IP address range, or whether it’s coming from an anonymous IP address (for example, Tor). Conditional Access can evaluate signals from Microsoft Intune or other mobile device management systems to determine whether a device is properly managed and compliant before granting access. It can also consider device threat signals from Microsoft Defender for Endpoint.

      Enabling Microsoft Entra Conditional Access risk-based policies

      One government department enabled risk-based Conditional Access policies across their applications, requiring more stringent sign-in methods depending on levels of user and sign-in risk. For example, a user evaluated as ‘no-risk’ must always perform multifactor authentication, a user evaluated as ‘low-medium risk’ must sign in using phishing-resistant multifactor authentication, and a user deemed ‘high-risk’ must sign in using a specific certificate issued to them by the department. The customer has also configured policy to require compliant devices, enable token protection, and define sign-in frequency. To facilitate threat hunting and automatic mitigation, they send their sign-in and other Microsoft Entra logs to Microsoft Sentinel.
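The configuration the customer stories above describe (trusting the home tenant's MFA claim while still requiring PIV/CAC from a partner tenant's users, and the no-risk / low-medium / high risk tiers), as an added example that is not Microsoft's or any agency's code: it builds the Microsoft Graph request bodies offline so they can be reviewed and unit-tested before an authenticated Graph client sends them. The tenant IDs, the emergency access account object IDs and the strength IDs in the sample response are constructed placeholders; built-in strengths are looked up by display name.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed subset of GET /policies/authenticationStrengthPolicies. The real
# response carries GUID ids; looking strengths up by name avoids hard-coding them.
BUILTIN_STRENGTHS = [
    {"id": "strength-mfa", "displayName": "Multifactor authentication", "policyType": "builtIn"},
    {"id": "strength-phr", "displayName": "Phishing-resistant MFA", "policyType": "builtIn"},
]


def strength_id(strengths: list, display_name: str) -> str:
    for strength in strengths:
        if strength["displayName"] == display_name:
            return strength["id"]
    raise KeyError(f"authentication strength {display_name!r} not found")


def inbound_trust_request(partner_tenant_id: str) -> tuple:
    """Accept the MFA claim a partner's users already satisfied in their home
    tenant, so collaboration does not prompt them twice. The partner object must
    already exist (POST .../crossTenantAccessPolicy/partners with its tenantId)."""
    url = f"{GRAPH}/policies/crossTenantAccessPolicy/partners/{partner_tenant_id}"
    body = {"inboundTrust": {"isMfaAccepted": True,
                             "isCompliantDeviceAccepted": False,
                             "isHybridAzureADJoinedDeviceAccepted": False}}
    return ("PATCH", url, body)


def piv_cac_strength_request() -> tuple:
    """Custom strength met only by multifactor certificate-based authentication
    (a PIV or CAC card), with no passkey or Windows Hello alternative. Pinning it
    to the department's own issuer is a later step: an
    x509CertificateCombinationConfiguration added to this strength."""
    body = {"displayName": "PIV/CAC only",
            "description": "Multifactor certificate-based authentication only",
            "allowedCombinations": ["x509CertificateMultiFactor"]}
    return ("POST", f"{GRAPH}/policies/authenticationStrengthPolicies", body)


def ca_policy(display_name: str, users: dict, strength: str,
              exclude_users=(), **risk_conditions) -> dict:
    """Conditional Access policy: all apps and client types, grant only when the
    authentication strength is met. Report-only at first so sign-in logs can be
    reviewed before enforcement; emergency access accounts (object ids) are
    excluded so a mistake cannot lock every administrator out."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "users": {**users, "excludeUsers": list(exclude_users)},
            **risk_conditions,
        },
        "grantControls": {"operator": "OR",
                          "authenticationStrength": {"id": strength}},
    }


def partner_users(partner_tenant_id: str) -> dict:
    """Target only B2B collaboration guests whose home is one enumerated tenant."""
    return {"includeGuestsOrExternalUsers": {
        "guestOrExternalUserTypes": "b2bCollaborationGuest",
        "externalTenants": {
            "@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
            "membershipKind": "enumerated",
            "members": [partner_tenant_id]}}}


def cross_tenant_requests(partner_tenant_id: str, piv_cac_strength: str,
                          emergency_accounts=()) -> list:
    """The partner-agency setup described above: trust the home tenant's MFA
    claim, yet still require PIV/CAC from that tenant's users."""
    policy = ca_policy("Partner guests: PIV/CAC required",
                       partner_users(partner_tenant_id), piv_cac_strength, emergency_accounts)
    return [inbound_trust_request(partner_tenant_id),
            ("POST", f"{GRAPH}/identity/conditionalAccess/policies", policy)]


def risk_tiered_policies(strengths: list, piv_cac_strength: str, emergency_accounts=()) -> list:
    """The department's tiers: no risk -> MFA, low/medium -> phishing-resistant MFA,
    high -> department-issued certificate. When more than one tier matches a
    sign-in, Conditional Access requires the grants of all of them."""
    everyone = {"includeUsers": ["All"]}
    return [
        ca_policy("Risk tier 0: MFA", everyone,
                  strength_id(strengths, "Multifactor authentication"),
                  emergency_accounts, signInRiskLevels=["none"]),
        ca_policy("Risk tier 1: phishing-resistant MFA", everyone,
                  strength_id(strengths, "Phishing-resistant MFA"),
                  emergency_accounts, signInRiskLevels=["low", "medium"]),
        ca_policy("Risk tier 2: PIV/CAC", everyone, piv_cac_strength,
                  emergency_accounts, signInRiskLevels=["high"], userRiskLevels=["high"]),
    ]
```

Each tuple is (HTTP method, URL, JSON body); the custom strength has to be created first so that its returned id can be passed as `piv_cac_strength`.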

      Next step after configuring basic Conditional Access policies: Configure risk-based Conditional Access policies using Microsoft Intune. Start here: Configure and enable risk policies.

      Next steps

      On July 10, 2024, the White House issued Memorandum M-21-14, “Administration Cybersecurity Priorities for the FY 2026 Budget.” One budget priority calls on agencies to transition toward fully mature Zero Trust architectures by September 30, 2026. Agencies need to submit an updated implementation plan to the Office of Management and Budget within 120 days of the memo’s release.

      Microsoft is here to help you rearchitect your environment and implement your Zero Trust strategy, so you can comply with every milestone of the Executive Order. We’ve published technical guidance and detailed documentation to help federal agencies use Microsoft Entra ID to meet identity requirements. We’ve also published detailed guidance on meeting the Department of Defense Zero Trust requirements with Microsoft Entra ID.

      In the coming weeks and months, you’ll see announcements about additional steps we’re taking to simplify your Zero Trust implementation, such as the general availability of support for device-bound passkeys in Microsoft Authenticator and Microsoft-managed Conditional Access policies that enable multifactor authentication by default for US government customers.

      We look forward to supporting you through the next phases of your Zero Trust journey.

      1. Standardize on Microsoft Entra ID as your centralized identity provider to secure every identity and to secure access to your apps and resources. Start here: What is Microsoft Entra ID?
      2. To facilitate secure cross-organization collaboration, configure cross-tenant access settings and Conditional Access policies to require that partners accessing your resources sign in using phishing-resistant authentication. Start here: Microsoft Entra B2B in government and national clouds.
      3. If you’re using CBA on AD FS, migrate to cloud-based CBA using Staged Rollout and retire your on-premises federation servers. Start here: Migrate from AD FS Certificate-based Authentication (CBA) to Microsoft Entra ID CBA.
      4. Eliminate passwords altogether by enabling passwordless phishing-resistant authentication using CBA, Windows Hello for Business, device-bound passkeys (FIDO2 security keys or passkeys managed in the Microsoft Authenticator app), or Platform SSO for macOS. Start here: Plan a passwordless authentication deployment in Microsoft Entra ID.
      5. Implement risk-based Conditional Access policies to adjust access requirements dynamically. Start here: DoD Zero Trust Strategy for the user pillar.

      Microsoft Incident Response tips for managing a mass password reset
      http://approjects.co.za/?big=en-us/security/blog/2024/06/12/microsoft-incident-response-tips-for-managing-a-mass-password-reset/
      Wed, 12 Jun 2024 16:00:00 +0000
      When an active incident leaves systems vulnerable, a mass password reset may be the right tool to restore security. This post explores the necessity and risk associated with mass password resets.



      As part of any robust incident response plan, organizations often work through potential security weaknesses by responding to hypothetical cyberthreats. In this blog post, we’ll imagine a scenario in which a threat actor uses malware to infect the network, moving laterally throughout the environment and attempting to escalate their admin rights along the way. In this hypothetical scenario, we’ll assume containment of the incident requires a mass password reset.

      Despite technological advances, many organizations still depend heavily on passwords, making them vulnerable to cyberthreats. During a ransomware attack, the need for mass password resets becomes urgent. Unfortunately, admins can quickly become overwhelmed, burdened with the daunting task of resetting passwords for countless users across multiple connected devices. The surge in help desk calls and service tickets as users face authentication issues on multiple fronts can significantly disrupt business operations. But it’s imperative to secure all digital access points to swiftly mitigate risks and restore system integrity. So how do we manage a mass password reset while minimizing disruption to users and the business?

      This blog post delves into the processes and technologies involved in managing a mass password reset, in alignment with expert advice from Microsoft Incident Response. We’ll explore the necessity of mass password resets and the specific methods and security measures that Microsoft recommends to effectively safeguard identities. For a more technical explanation, read our Tech Community post.

      Surge in password-based cyberattacks

      According to the most recent Microsoft Digital Defense Report, password-based attacks in 2023 increased tenfold over the previous year, with Microsoft blocking about 4,000 attacks per second through Microsoft Entra.1 This alarming rise underscores the vulnerability of password-dependent security systems. Despite this, too many companies haven’t adopted multifactor authentication, leaving them vulnerable to a variety of cyberattacks, such as phishing, credential stuffing, and brute force attacks. This makes a mass password reset not just a precaution, but a necessity in certain situations.

      Deciding on a mass password reset

      When the Microsoft Incident Response team determines a threat actor has had extensive access to a customer’s identity plane, a mass password reset may be the best option to restore environment security and prevent unauthorized access. Here are a few of the first questions we ask:

      • When should you perform a mass password reset?
      • What challenges might you face during the process?
      • How should you prepare for it?


      How to manage a mass password reset effectively

      In today’s world, many of us are working from anywhere, blending home and office environments. This diversity makes executing a mass password reset particularly challenging, and the decision isn’t always clear. Organizations need to weigh the risk to the business from ransomware and downtime against the disruption to users and the often overwhelming strain on IT staff. Here are the two main drivers of mass password resets, as well as advanced security measures a cybersecurity team can apply.

      User-driven resets

      In environments where identities sync through Microsoft Entra, there’s no need for a direct office connection to reset passwords. Using Microsoft Entra ID capabilities allows users to change their credentials at their next login. Opting for Microsoft Entra ID can also add layers of security through features like Conditional Access, making the reset process both secure and user-friendly. Conditional Access policies work by evaluating the context of each sign-in attempt and letting you configure requirements based on that context, such as requiring users to complete a multifactor authentication challenge when they access files from outside the corporate network. Conditional Access policies can significantly enhance security by preventing unauthorized access during the reset process.

      Figure: User-driven process vs. admin-driven process for handling password resets.

      Administrator-driven resets

      This method is crucial when immediate action is needed. Resetting all credentials quickly might disrupt user access, but it’s sometimes necessary to secure the system. Providing options like self-service password reset (SSPR) can help users regain access without delay. SSPR allows users to authenticate using alternative methods such as personal email addresses, phone numbers, or security questions—options available when they have been previously configured. This method not only restores access quickly but also reduces the load on help desk and support hotline departments during critical recovery phases.
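The two reset paths above as a planning script, an added example that is not Microsoft Incident Response tooling: it sorts each account into a path (emergency access, on-premises synced, privileged, everyone else), produces the Microsoft Graph requests for review rather than sending them, and adds a session revocation after each reset. The directory export and its "privileged" tag are constructed, and the user-driven path assumes the role used is allowed to update passwordProfile for those users.

```python
import secrets
import string

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed directory export. id, userPrincipalName and onPremisesSyncEnabled
# are Graph user properties; "privileged" is a tag the responder adds from a
# role-assignment export. Emergency access accounts are listed separately.
USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example",
     "onPremisesSyncEnabled": False, "privileged": False},
    {"id": "u2", "userPrincipalName": "bob-admin@contoso.example",
     "onPremisesSyncEnabled": False, "privileged": True},
    {"id": "u3", "userPrincipalName": "carol@contoso.example",
     "onPremisesSyncEnabled": True, "privileged": False},
    {"id": "u4", "userPrincipalName": "breakglass1@contoso.example",
     "onPremisesSyncEnabled": False, "privileged": True},
]
EMERGENCY_ACCESS = {"breakglass1@contoso.example"}


def temp_password(length: int = 20) -> str:
    """Random temporary password with every character class present; it only
    has to survive until the forced change at next sign-in and must be handed
    over out of band (or the user recovers through SSPR instead)."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


def classify(user: dict, emergency: set) -> str:
    """Which reset path an account takes."""
    if user["userPrincipalName"].lower() in emergency:
        return "manual"        # reset by hand, phishing-resistant method, then monitored
    if user.get("onPremisesSyncEnabled"):
        return "on_prem"       # reset in AD DS; a cloud reset needs password writeback
    if user.get("privileged"):
        return "admin_driven"  # immediate: new temporary password, change at next sign-in
    return "user_driven"       # old password works for one more sign-in, then must change


def requests_for(user: dict, tier: str) -> list:
    """Graph requests for one account (none for the manual and on-prem paths).
    Assumes the caller's role may reset that user's password."""
    base = f"{GRAPH}/users/{user['id']}"
    if tier == "user_driven":
        profile = {"forceChangePasswordNextSignIn": True}
    elif tier == "admin_driven":
        profile = {"password": temp_password(), "forceChangePasswordNextSignIn": True}
    else:
        return []
    # Revoking refresh tokens right after the reset forces re-authentication on
    # every device, so a session stolen earlier does not outlive the old password.
    return [("PATCH", base, {"passwordProfile": profile}),
            ("POST", f"{base}/revokeSignInSessions", {})]


def plan_reset(users: list, emergency: set) -> list:
    """One entry per account: path taken and the requests to review before sending."""
    plan = []
    for user in users:
        tier = classify(user, emergency)
        plan.append({"upn": user["userPrincipalName"], "tier": tier,
                     "requests": requests_for(user, tier)})
    return plan


def summarize(plan: list) -> dict:
    """Accounts per path, for the incident log and the help desk heads-up."""
    counts = {}
    for entry in plan:
        counts[entry["tier"]] = counts.get(entry["tier"], 0) + 1
    return counts
```

The user-driven path leaves the old password valid for exactly one more sign-in, which is why the plan pairs it with session revocation and why risk-based Conditional Access should stay enforced while the reset runs.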

      Advanced security measures: Beyond basic resets

      In addition to the primary reset methods, advanced security measures should be considered to enhance the security posture further. For highly privileged accounts, using privileged identity management (PIM) can manage just-in-time access, reducing the risk of exposure. PIM enables granular control over privileged accounts, allowing administrators to activate them only when necessary, which minimizes the opportunity for attackers to exploit these high-level credentials. To explore more scenarios where mass password reset might be the best option, read through our technical post.

      Securing emergency access: Don’t forget to monitor

      For critical accounts, manually resetting credentials ensures tighter security. It’s essential to equip emergency access accounts with phishing-resistant authentication, such as FIDO2 security keys and support from the Microsoft Authenticator app. Monitoring the activities from these accounts is crucial to ensure they are used correctly and only in emergencies. IT admins can leverage Microsoft Entra ID logs to keep a close watch on login patterns and activities, viewing real-time alerts and ensuring quick response to any suspicious actions.
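Monitoring the emergency access accounts, as an added example that is not Microsoft's code: it reviews sign-in records in the shape of Graph `GET /auditLogs/signIns` entries (constructed here, as exported from Entra ID or the SIEM in practice), raises an alert for every use of a break-glass account, and rolls repeated failures on one account up into a password-guessing alert. The account names, the expected source network and the failure threshold are constructed.

```python
from collections import Counter

# Constructed: the emergency access accounts and the only network their use is
# expected from (for example, the SOC's egress range).
EMERGENCY_ACCESS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}
EXPECTED_IPS = {"203.0.113.10"}
FAILURE_THRESHOLD = 3  # failed attempts on one account before calling it password guessing

# Constructed records in the shape of GET /auditLogs/signIns entries (only the
# fields used here). status.errorCode 0 is success; 50126 is an invalid password.
SIGN_INS = [
    {"createdDateTime": "2024-06-11T09:12:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "appDisplayName": "Office 365", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-06-11T22:40:00Z", "userPrincipalName": "breakglass1@contoso.example",
     "ipAddress": "203.0.113.10", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-06-11T23:41:05Z", "userPrincipalName": "breakglass2@contoso.example",
     "ipAddress": "192.0.2.44", "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-06-11T23:41:40Z", "userPrincipalName": "breakglass2@contoso.example",
     "ipAddress": "192.0.2.44", "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-06-11T23:42:15Z", "userPrincipalName": "breakglass2@contoso.example",
     "ipAddress": "192.0.2.44", "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-06-11T23:43:00Z", "userPrincipalName": "breakglass2@contoso.example",
     "ipAddress": "192.0.2.44", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}},
]


def severity(record: dict, expected_ips: set) -> str:
    """How urgent one break-glass sign-in record is."""
    succeeded = record["status"]["errorCode"] == 0
    if succeeded and record["ipAddress"] not in expected_ips:
        return "critical"  # emergency account in use from an unexpected network
    if succeeded:
        return "high"      # expected network, but every use still needs a matching change record
    return "medium"        # failed attempt: someone knows the account name


def review_sign_ins(records: list, emergency: set, expected_ips: set,
                    failure_threshold: int = FAILURE_THRESHOLD) -> list:
    """Every sign-in by an emergency access account becomes an alert; repeated
    failures on one account are rolled up into an extra guessing-attack alert."""
    alerts, failures = [], Counter()
    for rec in records:
        upn = rec["userPrincipalName"].lower()
        if upn not in emergency:
            continue
        sev = severity(rec, expected_ips)
        if sev == "medium":
            failures[upn] += 1
        alerts.append({"severity": sev, "upn": upn, "when": rec["createdDateTime"],
                       "ip": rec["ipAddress"], "app": rec["appDisplayName"],
                       "errorCode": rec["status"]["errorCode"]})
    for upn, count in failures.items():
        if count >= failure_threshold:
            alerts.append({"severity": "high", "upn": upn, "when": None, "ip": None,
                           "app": None, "errorCode": None,
                           "note": f"{count} failed sign-ins: possible password guessing"})
    return alerts
```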

      Passwordless authentication and enhancing incident response

      Plan a passwordless authentication deployment in Microsoft Entra ID

      Learn more ↗

      As cybersecurity evolves, the move toward passwordless authentication is becoming integral to enhancing incident response strategies. Traditional passwords—often vulnerable to breaches—are giving way to more secure methods like Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys. These technologies leverage biometrics and secure tokens, reducing common attack vectors such as password theft and phishing, and thereby streamlining the incident response process. Policies like a Temporary Access Pass can be configured to empower a move towards passwordless authentication, making it easier for users to register new strong authentication methods.

      Implementing multifactor authentication also further strengthens security frameworks. Multifactor authentication is an essential component of basic security hygiene that can prevent 99% of account compromise attacks.1 When integrated with phishing-resistant authentication methods, together they form a formidable barrier against unauthorized access. This dual approach not only speeds up the response during security incidents but also reduces potential entry points for attackers. This transformative phase in cybersecurity shifts the focus from reactive to proactive security measures, promising a future where digital safety is inherent and user interactions are inherently secure. One option for enabling phishing-resistant authentication is the newly released ability to use passkeys with Microsoft Authenticator.

      A mass password reset is just one of the many tools organizations need to understand and consider as part of their robust incident response plan. For a more in-depth look at scenarios that may require mass password reset, read our technical post.

      Learn more

      Learn more about Microsoft Incident Response and Microsoft Entra.


      1 Microsoft Digital Defense Report 2023.
