{"id":135958,"date":"2024-10-08T09:00:00","date_gmt":"2024-10-08T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=135958"},"modified":"2024-10-08T10:37:08","modified_gmt":"2024-10-08T17:37:08","slug":"file-hosting-services-misused-for-identity-phishing","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/","title":{"rendered":"File hosting services misused for identity phishing"},"content":{"rendered":"\n<p>Microsoft has observed campaigns misusing legitimate file hosting services increasingly use defense evasion tactics involving files with restricted access and view-only restrictions. While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants. These campaigns are intended to compromise identities and devices, and most commonly lead to business email compromise (BEC) attacks to propagate campaigns, among other impacts such as financial fraud, data exfiltration, and lateral movement to endpoints.<\/p>\n\n\n\n<p>Legitimate hosting services, such as SharePoint, OneDrive, and Dropbox, are widely used by organizations for storing, sharing, and collaborating on files. However, the widespread use of such services also makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures.<\/p>\n\n\n\n<p>Importantly, Microsoft takes action against malicious users violating the <a href=\"https:\/\/www.microsoft.com\/servicesagreement\">Microsoft Services Agreement<\/a> in how they use apps like SharePoint and OneDrive. To help protect enterprise accounts from compromise, by default <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/admin\/security-and-compliance\/multi-factor-authentication-microsoft-365\">both Microsoft 365 and Office 365 support multi-factor authentication (MFA)<\/a> and passwordless sign-in. Consumers can also <a href=\"https:\/\/support.microsoft.com\/account-billing\/how-to-go-passwordless-with-your-microsoft-account-674ce301-3574-4387-a93d-916751764c43\">go passwordless<\/a> with their Microsoft account. Because security is a team sport, Microsoft also works with third parties like Dropbox to share threat intelligence and protect mutual customers and the wider community.<\/p>\n\n\n\n<p>In this blog, we discuss the typical attack chain used in campaigns misusing file hosting services and detail the recently observed tactics, techniques, and procedures (TTPs), including the increasing use of certain defense evasion tactics. To help defenders protect their identities and data, we also share mitigation guidance to help reduce the impact of this threat, and detection details and hunting queries to locate potential misuse of file hosting services and related threat actor activities. By understanding these evolving threats and implementing the recommended mitigations, organizations can better protect themselves against these sophisticated campaigns and safeguard digital assets.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"attack-overview\">Attack overview<\/h2>\n\n\n\n<p>Phishing campaigns exploiting legitimate file hosting services have been trending throughout the last <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2023\/12\/07\/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks\/\">few<\/a> <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2023\/06\/08\/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign\/\">years<\/a>, especially due to the relative ease of the technique. The files are delivered through different approaches, including email and email attachments like PDFs, OneNote, and Word files, with the intent of compromising identities or devices. These campaigns are different from traditional phishing attacks because of the sophisticated defense evasion techniques used.<\/p>\n\n\n\n<p>Since mid-April 2024, we observed threat actors increasingly use these tactics aimed at circumventing defense mechanisms:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Files with restricted access<\/strong>: The files sent through the phishing emails are configured to be accessible solely to the designated recipient. This requires the recipient to be signed in to the file-sharing service\u2014be it Dropbox, OneDrive, or SharePoint\u2014or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service.<\/li>\n\n\n\n<li><strong>Files with view-only restrictions<\/strong>: To bypass analysis by email detonation systems, the files shared in these phishing attacks are set to &#8216;view-only&#8217; mode, disabling the ability to download and consequently, the detection of embedded URLs within the file.<\/li>\n<\/ul>\n\n\n\n<p>An example attack chain is provided below, depicting the updated defense evasion techniques being used across stages <strong>4<\/strong>, <strong>5<\/strong>, and <strong>6<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Figure-1.-Example-attack-chain-1024x700.webp\" alt=\"Attack chain diagram. Step 1, attacker compromises a user of a trusted vendor via password spray\/AiTM\u200b attack. Step 2, attacker replays stolen token a few hours later to sign into the user\u2019s file hosting app\u200b. Step 3, attacker creates a malicious file in the compromised user\u2019s file hosting app\u200b. Step 4, attacker shares the file with restrictions to a group of targeted recipients. Step 5, targeted recipient accesses the automated email notification with the suspicious file. Step 6, recipient is required to re-authenticate before accessing the shared file\u200b. Step 7, recipient accesses the malicious shared file link\u200b, directing to an AiTM page. Step 8, recipient submits password and MFA, compromising the user\u2019s session token. Lastly, step 9, file shared on the compromised user\u2019s file hosting app is used for further AiTM and BEC attack\u200bs.\" class=\"wp-image-135960\"\/><figcaption class=\"wp-element-caption\"><em>Figure 1. Example attack chain<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"initial-access\">Initial access<\/h3>\n\n\n\n<p>The attack typically begins with the compromise of a user within a trusted vendor. After compromising the trusted vendor, the threat actor hosts a file on the vendor\u2019s file hosting service, which is then shared with a target organization. This misuse of legitimate file hosting services is particularly effective because recipients are more likely to trust emails from known vendors, allowing threat actors to bypass security measures and compromise identities. Often, users from trusted vendors are added to allow lists through policies set by the organization on Exchange Online products, enabling phishing emails to be successfully delivered.<\/p>\n\n\n\n<p>While file names observed in these campaigns also included the recipients, the hosted files typically follow these patterns:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Familiar topics based on existing conversations\n<ul class=\"wp-block-list\">\n<li>For example, if the two organizations have prior interactions related to an audit, the shared files could be named \u201c<em>Audit Report 2024<\/em>\u201d.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Familiar topics based on current context\n<ul class=\"wp-block-list\">\n<li>If the attack has not originated from a trusted vendor, the threat actor often impersonates administrators or help desk or IT support personnel in the sender display name and uses a file name such as \u201c<em>IT Filing Support 2024<\/em>\u201d, \u201c<em>Forms related to Tax submission<\/em>\u201d, or \u201c<em>Troubleshooting guidelines<\/em>\u201d.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Topics based on urgency\n<ul class=\"wp-block-list\">\n<li>Another common technique observed by the threat actors creating these files is that they create a sense of urgency with the file names like \u201c<em>Urgent:Attention Required<\/em>\u201d and \u201c<em>Compromised Password Reset<\/em>\u201d.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"defense-evasion-techniques\">Defense evasion techniques<\/h3>\n\n\n\n<p>Once the threat actor shares the files on the file hosting service with the intended users, the file hosting service sends the target user an automated email notification with a link to access the file securely. This email is <strong>not a phishing email<\/strong> but a notification for the user about the sharing action. In scenarios involving SharePoint or OneDrive, the file is shared from the user\u2019s context, with the compromised user\u2019s email address as the sender. However, in the Dropbox scenario, the file is shared from <em>no-reply@dropbox[.]com<\/em>. The files are shared through automated notification emails with the subject: \u201c<em>&lt;User&gt; shared &lt;document&gt; with you<\/em>\u201d. To evade detections, the threat actor deploys the following additional techniques:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Only the intended recipient can access the file<ul><li>The intended recipient needs to re-authenticate before accessing the file<\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li>The file is accessible only for a limited time window<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>The PDF shared in the file cannot be downloaded<\/li>\n<\/ul>\n\n\n\n<p>These techniques make detonation and analysis of the sample with the malicious link almost impossible since they are restricted.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"identity-compromise\">Identity compromise<\/h3>\n\n\n\n<p>When the targeted user accesses the shared file, the user is prompted to verify their identity by providing their email address:<\/p>\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Figure-2.-Screenshot-of-SharePoint-identity-verification-785x1024.webp\" alt=\"Screenshot of the SharePoint identity verification page\" class=\"wp-image-135961 webp-format\" style=\"width:455px;height:auto\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Figure-2.-Screenshot-of-SharePoint-identity-verification-785x1024.webp 785w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Figure-2.-Screenshot-of-SharePoint-identity-verification-230x300.webp 230w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Figure-2.-Screenshot-of-SharePoint-identity-verification-768x1002.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Figure-2.-Screenshot-of-SharePoint-identity-verification.webp 820w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Figure-2.-Screenshot-of-SharePoint-identity-verification-785x1024.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 2. Screenshot of SharePoint identity verification<\/em><\/figcaption><\/figure>\n\n\n\n<p>Next, an OTP is sent from <em>no-reply@notify.microsoft[.]com<\/em>. Once the OTP is submitted, the user is successfully authorized and can view a document, often masquerading as a preview, with a malicious link, which is another lure to make the targeted user click the \u201cView my message\u201d access link.<\/p>\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Figure-3.-Final-landing-page-post-authorization.webp\" alt='Screenshot displaying a message noting a completed document due on 7\/11\/2024. The button at the bottom states \"View my message\". ' class=\"wp-image-135962 webp-format\" style=\"width:507px;height:auto\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Figure-3.-Final-landing-page-post-authorization.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 3. Final landing page post authorization<\/em><\/figcaption><\/figure>\n\n\n\n<p>This link redirects the user to an adversary-in-the-middle (AiTM) phishing page, where the user is prompted to provide the password and complete multifactor authentication (MFA). The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"recommended-actions\">Recommended actions<\/h2>\n\n\n\n<p>Microsoft recommends the following mitigations to reduce the impact of this threat:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable\u00a0<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/conditional-access\/overview\" target=\"_blank\" rel=\"noreferrer noopener\">Conditional Access policies<\/a>\u00a0in Microsoft Entra, especially risk-based access policies.\u00a0Conditional access\u00a0policies evaluate sign-in requests using additional identity-driven signals like user or group membership, IP address location information, and device status, among others, are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices, Azure trusted IP address requirements, or risk-based policies with proper access control. If you are still evaluating Conditional Access, use\u00a0<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/fundamentals\/concept-fundamentals-security-defaults\" target=\"_blank\" rel=\"noreferrer noopener\">security defaults<\/a>\u00a0as an initial baseline set of policies to improve identity security posture.<\/li>\n\n\n\n<li>Implement\u00a0<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/conditional-access\/concept-continuous-access-evaluation\" target=\"_blank\" rel=\"noreferrer noopener\">continuous access evaluation<\/a>.<\/li>\n\n\n\n<li>Implement\u00a0<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/authentication\/concept-authentication-passwordless#fido2-security-keys\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Entra passwordless sign-in with FIDO2 security keys<\/a>.<\/li>\n\n\n\n<li>Turn on\u00a0<a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/enable-network-protection\" target=\"_blank\" rel=\"noreferrer noopener\">network protection<\/a>\u00a0in Microsoft Defender for Endpoint to block connections to malicious domains and IP addresses.<\/li>\n\n\n\n<li>Implement\u00a0<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/mtd\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Defender for Endpoint &#8211; Mobile Threat Defense<\/a>\u00a0on mobile devices used to access enterprise assets.<\/li>\n\n\n\n<li>Leverage Microsoft Edge to automatically\u00a0<a href=\"https:\/\/learn.microsoft.com\/deployedge\/microsoft-edge-security-smartscreen\" target=\"_blank\" rel=\"noreferrer noopener\">identify and block malicious websites<\/a>, including those used in this phishing campaign, and <a href=\"https:\/\/learn.microsoft.com\/defender-office-365\/tenant-allow-block-list-about\">Microsoft Defender for Office 365<\/a> to\u00a0detect and block malicious emails, links, and files. <a href=\"https:\/\/learn.microsoft.com\/entra\/id-protection\/howto-identity-protection-configure-notifications\" target=\"_blank\" rel=\"noreferrer noopener\">Monitor suspicious or anomalous activities<\/a>\u00a0in Microsoft Entra ID Protection. Investigate sign-in attempts with suspicious characteristics (such as the location, ISP, user agent, and use of anonymizer services). Educate users about the risks of secure file sharing and emails from trusted vendors.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"appendix\">Appendix<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-xdr-detections\">Microsoft Defender XDR detections<\/h3>\n\n\n\n<p>Microsoft Defender XDR raises the following alerts by combining Microsoft Defender for Office 365 <a href=\"https:\/\/learn.microsoft.com\/defender-office-365\/safe-links-about\">URL click<\/a> and Microsoft Entra ID Protection <a href=\"https:\/\/learn.microsoft.com\/entra\/id-protection\/howto-identity-protection-investigate-risk\">risky sign-ins<\/a> signal.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Risky\u00a0sign-in\u00a0after\u00a0clicking\u00a0a\u00a0possible\u00a0AiTM\u00a0phishing\u00a0URL<\/li>\n\n\n\n<li>User\u00a0compromised\u00a0through\u00a0session\u00a0cookie\u00a0hijack<\/li>\n\n\n\n<li>User\u00a0compromised\u00a0in\u00a0a\u00a0known\u00a0AiTM\u00a0phishing\u00a0kit<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"hunting-queries\">Hunting queries<\/h3>\n\n\n\n<p><strong>Microsoft Defender XDR<\/strong>&nbsp;<\/p>\n\n\n\n<p>The file sharing events related to the activity in this blog post can be audited through the <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/advanced-hunting-cloudappevents-table\"><em>CloudAppEvents<\/em><\/a> telemetry. Microsoft Defender XDR customers can run the following query to find related activity in their networks:&nbsp;<\/p>\n\n\n\n<p><strong>Automated email notifications and suspicious sign-in activity<\/strong><\/p>\n\n\n\n<p>By correlating the email from the Microsoft notification service or Dropbox automated notification service with a suspicious sign-in activity, we can identify compromises, especially from securely shared SharePoint or Dropbox files.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title=\"\">\nlet usersWithSuspiciousEmails = EmailEvents\n    | where SenderFromAddress in (&quot;no-reply@notify.microsoft.com&quot;, &quot;no-reply@dropbox.com&quot;) or InternetMessageId startswith &quot;&lt;OneTimePasscode&quot;\n    | where isnotempty(RecipientObjectId)\n    | distinct RecipientObjectId;\nAADSignInEventsBeta\n| where AccountObjectId in (usersWithSuspiciousEmails)\n| where RiskLevelDuringSignIn == 100\n<\/pre><\/div>\n\n\n<p><strong>Files share contents and suspicious sign-in activity<\/strong><\/p>\n\n\n\n<p>In the majority of the campaigns, the file name involves a sense of urgency or content related to finance or credential updates. By correlating the file share emails with suspicious sign-ins, compromises can be detected. (For example: <em>Alex shared \u201cPassword Reset Mandatory.pdf\u201d with you<\/em>). Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\nlet usersWithSuspiciousEmails = EmailEvents\n    | where Subject has_all (&quot;shared&quot;, &quot;with you&quot;)\n    | where Subject has_any (&quot;payment&quot;, &quot;invoice&quot;, &quot;urgent&quot;, &quot;mandatory&quot;, &quot;Payoff&quot;, &quot;Wire&quot;, &quot;Confirmation&quot;, &quot;password&quot;)\n    | where isnotempty(RecipientObjectId)\n    | summarize RecipientCount = dcount(RecipientObjectId), RecipientList = make_set(RecipientObjectId) by Subject\n    | where RecipientCount &gt;= 10\n    | mv-expand RecipientList to typeof(string)\n    | distinct RecipientList;\nAADSignInEventsBeta\n| where AccountObjectId in (usersWithSuspiciousEmails)\n| where RiskLevelDuringSignIn == 100\n<\/pre><\/div>\n\n\n<p><strong>BEC: File sharing tactics based on the file hosting service used<\/strong><\/p>\n\n\n\n<p>To initiate the file sharing activity, these campaigns commonly use certain action types depending on the file hosting service being leveraged. Below are the action types from the audit logs recorded for the file sharing events. These action types can be used to hunt for activities related to these campaigns by replacing the action type for its respective application in the queries below this table.<\/p>\n\n\n\n<figure class=\"wp-block-table table\"><table><tbody><tr><td><strong>Application<\/strong><\/td><td><strong>Action type<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td rowspan=\"5\">OneDrive\/<br>SharePoint<\/td><td>AnonymousLinkCreated<\/td><td>Link created for the document, anyone with the link can access, prevalence is rare since mid-April 2024<\/td><\/tr><tr><td>SharingLinkCreated<\/td><td>Link created for the document, accessible for everyone, prevalence is rare since mid-April 2024<\/td><\/tr><tr><td>AddedToSharingLink<\/td><td>Complete list of users with whom the file is shared is available in this event<\/td><\/tr><tr><td>SecureLinkCreated<\/td><td>Link created for the document, specifically can be accessed only by a group of users. List will be available in the <em>AddedToSecureLink<\/em> Event<\/td><\/tr><tr><td>AddedToSecureLink<\/td><td>Complete list of users with whom the file is securely shared is available in this event<\/td><\/tr><tr><td rowspan=\"5\">Dropbox<\/td><td>Created shared link<\/td><td>A link for a file to be shared with external user created<\/td><\/tr><tr><td>Added shared folder to own Dropbox<\/td><td>A shared folder was added to the user&#8217;s Dropbox account<\/td><\/tr><tr><td>Added users and\/or groups to shared file\/folder<\/td><td rowspan=\"3\">These action types include the list of external users with whom the files have been shared.<\/td><\/tr><tr><td>Changed the audience of the shared link<\/td><\/tr><tr><td>Invited user to Dropbox and added them to shared file\/folder<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>OneDrive or SharePoint<\/strong>: The following query highlights that a specific file has been shared by a user with multiple participants. Correlating this activity with suspicious sign-in attempts preceding this can help identify lateral movements and BEC attacks.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\nlet securelinkCreated = CloudAppEvents\n    | where ActionType == &quot;SecureLinkCreated&quot;\n    | project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;\nlet filesCreated = securelinkCreated\n    | where isnotempty(ObjectName)\n    | distinct tostring(ObjectName);\nCloudAppEvents\n| where ActionType == &quot;AddedToSecureLink&quot;\n| where Application in (&quot;Microsoft SharePoint Online&quot;, &quot;Microsoft OneDrive for Business&quot;)\n| extend FileShared = tostring(RawEventData.ObjectId)\n| where FileShared in (filesCreated)\n| extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)\n| extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType\n| where TypeofUserSharedWith == &quot;Guest&quot;\n| where isnotempty(FileShared) and isnotempty(UserSharedWith)\n| join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName\n\/\/ Secure file created recently (in the last 1day)\n| where (Timestamp - FileCreatedTime) between (1d .. 0h)\n| summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared\n| where NumofUsersSharedWith &gt;= 20\n<\/pre><\/div>\n\n\n<p><strong>Dropbox<\/strong>: The following query highlights that a file hosted on Dropbox has been shared with multiple participants.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\nCloudAppEvents\n| where ActionType in (&quot;Added users and\/or groups to shared file\/folder&quot;, &quot;Invited user to Dropbox and added them to shared file\/folder&quot;)\n| where Application == &quot;Dropbox&quot;\n| where ObjectType == &quot;File&quot;\n| extend FileShared = tostring(ObjectName)\n| where isnotempty(FileShared)\n| mv-expand ActivityObjects\n| where ActivityObjects.Type == &quot;Account&quot; and ActivityObjects.Role == &quot;To&quot;\n| extend SharedBy = AccountId\n| extend UserSharedWith = tostring(ActivityObjects.Name)\n| summarize dcount(UserSharedWith) by FileShared, AccountObjectId\n| where dcount_UserSharedWith &gt;= 20\n<\/pre><\/div>\n\n\n<p><strong>Microsoft Sentinel<\/strong><\/p>\n\n\n\n<p>Microsoft Sentinel customers can use the resources below to find related activities similar to those described in this post:<\/p>\n\n\n\n<p>The following query identifies files with specific keywords that attackers might use in this campaign that have been shared through OneDrive or SharePoint using a Secure Link and accessed by over 10 unique users. It captures crucial details like target users, client IP addresses, timestamps, and file URLs to aid in detecting potential attacks:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\nlet OperationName = dynamic(&#x5B;&#039;SecureLinkCreated&#039;, &#039;AddedToSecureLink&#039;]);\nOfficeActivity\n| where Operation in (OperationName)\n| where OfficeWorkload in (&#039;OneDrive&#039;, &#039;SharePoint&#039;)\n| where SourceFileName has_any (&quot;payment&quot;, &quot;invoice&quot;, &quot;urgent&quot;, &quot;mandatory&quot;, &quot;Payoff&quot;, &quot;Wire&quot;, &quot;Confirmation&quot;, &quot;password&quot;, &quot;paycheck&quot;, &quot;bank statement&quot;, &quot;bank details&quot;, &quot;closing&quot;, &quot;funds&quot;, &quot;bank account&quot;, &quot;account details&quot;, &quot;remittance&quot;, &quot;deposit&quot;, &quot;Reset&quot;)\n| summarize CountOfShares = dcount(TargetUserOrGroupName), \n            make_list(TargetUserOrGroupName), \n            make_list(ClientIP), \n            make_list(TimeGenerated), \n            make_list(SourceRelativeUrl) by SourceFileName, OfficeWorkload\n| where CountOfShares &gt; 10\n<\/pre><\/div>\n\n\n<p>Considering that the attacker compromises users through AiTM,&nbsp; possible AiTM phishing attempts can be detected through the below rule:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/SecurityThreatEssentialSolution\/Analytic%20Rules\/PossibleAiTMPhishingAttemptAgainstAAD.yaml\">Possible AiTM Phishing Attempt<\/a><\/li>\n<\/ul>\n\n\n\n<p>In addition, customers can also use the following identity-focused queries to detect and investigate anomalous sign-in events that may be indicative of a compromised user identity being accessed by a threat actor:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/Cloud%20Identity%20Threat%20Protection%20Essentials\/Hunting%20Queries\/Signins-From-VPS-Providers.yaml\">Signins From VPS Providers<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/Cloud%20Identity%20Threat%20Protection%20Essentials\/Hunting%20Queries\/Signins-from-NordVPN-Providers.yaml\">Signins from Nord VPN Providers<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/Business%20Email%20Compromise%20-%20Financial%20Fraud\/Hunting%20Queries\/SuccessfulSigninFromNon-CompliantDevice.yaml\">Successful Signin From Non-Compliant Device<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n\n\n\n<p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog:&nbsp;<a href=\"https:\/\/aka.ms\/threatintelblog\">https:\/\/aka.ms\/threatintelblog<\/a>.<\/p>\n\n\n\n<p>To get notified about new publications and to join discussions on social media, follow us on LinkedIn at <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence<\/a>, and on X (formerly Twitter) at&nbsp;<a href=\"https:\/\/twitter.com\/MsftSecIntel\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/twitter.com\/MsftSecIntel<\/a>.<\/p>\n\n\n\n<p>To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks.<\/p>\n","protected":false},"author":153,"featured_media":136028,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[3690,3721,3851,3692,3695,3693,3702,4139,3720,3726],"threat-intelligence":[3727,3728,3730,3736],"tags":[3917,3896,3926],"coauthors":[3380],"class_list":["post-135958","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-threat-intelligence","products-microsoft-defender","products-microsoft-defender-experts-for-hunting","products-microsoft-defender-experts-for-xdr","products-microsoft-defender-for-cloud-apps","products-microsoft-defender-for-office-365","products-microsoft-defender-xdr","products-microsoft-entra","products-microsoft-entra-id-protection","products-microsoft-security-experts","products-microsoft-sentinel","threat-intelligence-attacker-techniques-tools-and-infrastructure","threat-intelligence-business-email-compromise","threat-intelligence-cybercrime","threat-intelligence-social-engineering-phishing","tag-adversary-in-the-middle","tag-credential-theft","tag-token-theft","review-flag-1694638265-576","review-flag-1694638271-781","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-4-1694638266-512","review-flag-5-1694638266-171","review-flag-6-1694638266-691","review-flag-and-o-1694638265-458","review-flag-lever-1694638263-909","review-flag-new-1694638263-340"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>File hosting services misused for identity phishing | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"File hosting services misused for identity phishing | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-10-08T16:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-10-08T17:37:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Social-card-diagram-4.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"675\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Threat Intelligence\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Threat Intelligence\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Threat Intelligence\"}],\"headline\":\"File hosting services misused for identity phishing\",\"datePublished\":\"2024-10-08T16:00:00+00:00\",\"dateModified\":\"2024-10-08T17:37:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/\"},\"wordCount\":2038,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/blog3-scaled.jpg\",\"keywords\":[\"Adversary-in-the-middle (AiTM)\",\"Credential theft\",\"Token theft\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/\",\"name\":\"File hosting services misused for identity phishing | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/blog3-scaled.jpg\",\"datePublished\":\"2024-10-08T16:00:00+00:00\",\"dateModified\":\"2024-10-08T17:37:08+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/blog3-scaled.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/blog3-scaled.jpg\",\"width\":2560,\"height\":1706,\"caption\":\"Man in coffee shop at laptop\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"File hosting services misused for identity phishing\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"File hosting services misused for identity phishing | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/","og_locale":"en_US","og_type":"article","og_title":"File hosting services misused for identity phishing | Microsoft Security Blog","og_description":"Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/","og_site_name":"Microsoft Security Blog","article_published_time":"2024-10-08T16:00:00+00:00","article_modified_time":"2024-10-08T17:37:08+00:00","og_image":[{"width":1200,"height":675,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/Social-card-diagram-4.png","type":"image\/png"}],"author":"Microsoft Threat Intelligence","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Threat Intelligence","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/","@type":"Person","@name":"Microsoft Threat Intelligence"}],"headline":"File hosting services misused for identity phishing","datePublished":"2024-10-08T16:00:00+00:00","dateModified":"2024-10-08T17:37:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/"},"wordCount":2038,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/blog3-scaled.jpg","keywords":["Adversary-in-the-middle (AiTM)","Credential theft","Token theft"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/","name":"File hosting services misused for identity phishing | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/blog3-scaled.jpg","datePublished":"2024-10-08T16:00:00+00:00","dateModified":"2024-10-08T17:37:08+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/blog3-scaled.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/10\/blog3-scaled.jpg","width":2560,"height":1706,"caption":"Man in coffee shop at laptop"},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/08\/file-hosting-services-misused-for-identity-phishing\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"File hosting services misused for identity phishing"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/135958"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/153"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=135958"}],"version-history":[{"count":6,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/135958\/revisions"}],"predecessor-version":[{"id":135992,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/135958\/revisions\/135992"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/136028"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=135958"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=135958"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=135958"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=135958"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=135958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=135958"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=135958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}