Defend your digital landscape with Microsoft 365

Microsoft Malware Protection Center - Wed, 04/17/2019 - 12:00pm

What is it about the middle of the night that brings our fears to the surface? For me, it’s the unknown dangers that may confront my young daughter and how I will protect her.

Fear of the unknown can also disrupt the sleep of a chief information security officer (CISO) who worries about the inevitable attack they have yet to discover. What will they do when the company is breached? Is the organization ready? How bad will it be? This is why we adopt an “assume breach” mindset. Organizations must prevent as many attacks as they can, but they also must be able to detect when a bad actor has made it past their defenses and be ready to act.

If you are suffering from sleepless nights, the Defend your digital landscape e-book may offer peace of mind. The e-book shows how Microsoft 365 can help you quickly reconstruct an attack timeline and improve your defenses. It focuses on a (fictitious) Security Operations team lead, Cathy, who uses Microsoft 365 Enterprise E5 products to prevent, detect, and respond to a breach.

Prevent a breach

Phishing campaigns continue to be one of the most popular methods that bad actors use to compromise an identity and gain access to an enterprise. Even as users have gotten smarter, the attackers have improved their tactics. Defend your digital landscape describes how you can use Microsoft 365 security to prevent employees from accessing links or attachments that are a likely threat, or better yet, block damaging emails from reaching them in the first place.

Detect a breach quickly to minimize impact

To uncover a breach, you need to identify when users behave atypically. Each of your users has “normal” behavioral patterns related to how and where they access your network and resources. Microsoft 365 security can monitor usage and behavior across a variety of tools and platforms to develop a baseline for what is “normal” for each user. Once it knows what’s normal, it will recognize when something atypical has occurred and initiate action. The Defend your digital landscape e-book provides several examples of how you can use this capability to automate a response.

Respond to security incidents

If you are coordinating between several different security products, it isn’t always easy to reconstruct an attack timeline. This is important because attackers may have compromised several users or endpoints before you detect them. The e-book provides clear examples of how Microsoft 365 products work together to help you correlate details and uncover what happened, so that you can rapidly respond and take back control.

Learn more

As a parent, one of my jobs is to raise a child who is resilient in the face of setbacks. I can’t eliminate all threats, but I can teach my daughter how to respond and recover when things don’t go as planned. This basic survival concept also applies to security professionals.

To learn more, download the first three e-books in our series:

Also, stay tuned for the fourth e-book in our series, “Understand and improve your security posture,” which provides recommendations to help you build a strong security posture.

The post Defend your digital landscape with Microsoft 365 appeared first on Microsoft Security.

Discover and manage shadow IT with Microsoft 365

Microsoft Malware Protection Center - Mon, 04/15/2019 - 12:00pm

While IT teams methodically plan corporate adoption of cloud services, the rest of us have dived in headfirst. Ten years ago, a vendor shared a video file with me via Dropbox because it was too big to email. It was my first experience with a cloud file sharing service, and when I realized I could get free storage, I was hooked. I created an account for work projects, and I also created personal folders to share photos and music with friends. It was super easy to use, and best of all, I was able to do it without needing a technical background or access to a corporate server. In fact, it didn’t even occur to me that IT might need to know that I was accessing a cloud app from the corporate network.

A lot has happened in the past decade. Mobile phones function as secondary work computers, cloud app usage has proliferated, and I’ve gotten much smarter about cybersecurity. What hasn’t changed is how cloud apps are introduced to the enterprise: through industrious employees, coworkers, partners, and vendors. This is one of the big challenges that we in the security community face. Bad actors use sophisticated methods to exploit personal devices and cloud apps to gain access to enterprise resources, because it’s hard to track and secure the technologies that employees use to stay connected and productive.

Our second e-book in the series, Discover and manage shadow IT, delves into this problem and provides real-world solutions. It tells the story of how a (fictitious) SecOps manager named Luis uses the security capabilities in Microsoft 365 to help the sales team find the best tools to collaborate without putting the enterprise at risk.

Discover unsanctioned cloud apps

If you feel uncertain about the state of your own shadow IT, you aren’t alone. According to Microsoft’s internal numbers, on average, enterprises are using over 1,100 cloud apps, yet 61 percent go undetected by IT. The Discover and manage shadow IT e-book illustrates how Microsoft Cloud App Security and other products in Microsoft 365 Enterprise E5 can help you detect the apps that people in your organization use. You can even be alerted when new cloud apps are introduced.

Detect which apps are risky and block them

Once you discover a cloud app, how do you know if it is safe or not? The e-book provides several examples of how Microsoft 365 Enterprise E5 harnesses the intelligence across all its products and endpoints to help you evaluate the risk level of each app. You can dig into details including who is using the app and how privileged their access is. If an app doesn’t meet your compliance and risk standards, you can use Microsoft Cloud App Security to block it.

Manage devices and apps

Unknown devices can be just as risky as cloud apps. If a user hasn’t maintained their device operating system or software, there may be a security vulnerability that can be exploited. The Discover and manage shadow IT e-book shows how Microsoft Intune helps to enforce security policies for personal devices. You’ll also learn how you can onboard sanctioned apps to make it easier and more secure for users to access them.

Learn more

Like most people, my use of cloud apps has increased over the years. I still use Dropbox to share personal files, but I’ve also added Box and Microsoft OneDrive. Most often, I access these apps using my personal iPhone. Intune keeps my personal and work data separate, and Microsoft Cloud App Security applies corporate security policies whenever I sign in to a cloud service. It’s just as easy to access the apps I need as it was ten years ago, but now I don’t worry about putting my company at risk.

To learn more, download the first two e-books in our series:

Also, stay tuned for the third e-book in our series, “Defend your digital landscape,” which provides tips for defending and responding to a security breach.

The post Discover and manage shadow IT with Microsoft 365 appeared first on Microsoft Security.

Introducing the security configuration framework: A prioritized guide to hardening Windows 10

Microsoft Malware Protection Center - Thu, 04/11/2019 - 11:00am

In the past, we left defining the security configuration for Windows 10 as a task for every customer to sort out. As a result, we saw as many different configurations as we saw customers. Standardization has many advantages, so we developed a security configuration framework to help simplify security configuration while still allowing enough flexibility to allow you to balance security, productivity, and user experience. We are defining discrete prescriptive Windows 10 security configurations (levels 5 through 1) to meet many of the common device scenarios we see today in the enterprise.

While building out this framework, we thought: what are key considerations for a security professional in today’s world?

What do I do next?

This is the question security professionals must constantly ask themselves. Nearly every security architect I’ve met with has a pile of security assessments on their desk (and a list of vendors eager to give them more); their challenge is never identifying something that they can do, but identifying which is the next most important thing to do from the massive list they have already identified!

I also get questions from customers who are just now planning their Windows 10 deployment and are hoping to configure as many security features as possible – but since they haven’t deployed yet, they don’t have guidance from the Microsoft Defender ATP Secure Score yet (we’ll discuss that in a minute) – how can they prioritize the features to initially enable? Achieving early wins is a key aspect to driving business value from the investment in this deployment.

Clearly, a key aspect for a security configuration framework is to help drive a smart set of priorities.

Understanding where you lie in a continuum of security is also valuable. You see, there is no perfect score in security; everyone could always get better. What we really need to drive is a cycle of continuous improvement. But without an absolute target to pursue, how do you get a sense of how good is good enough? Looking at the posture of others is helpful. Being the best in security is of course aspirational, but being the worst is something you must avoid! There are other unintended consequences of being the “best” to be mindful of as well. Security configuration may be at odds with productivity or user experience; imagine if you worked for a software company and couldn’t test your own code because it wasn’t on your organizational safe programs list yet?

I want to be careful not to overemphasize the competitive aspect here. You don’t want to go deliberately misleading your peers in the industry – in fact, one thing I’m deeply passionate about is improving cooperation among the people on the side of good. Why is this so important? Because bad people have, through innovations of commerce on the dark web, devised a system of cooperation that is shockingly effective. In an environment of inherent distrust (think about it – literally everyone involved is, by definition, untrustworthy), they work together. We’re at a significant disadvantage if we don’t learn to cooperate at least as well!

Secure score in Microsoft Defender ATP

In Microsoft Defender ATP, the secure score is the path to achieving this. Through the top recommendations, we suggest a prioritized list for securing your devices, with a relative ranking of the overall impact to your security posture. We are also exploring ways to provide useful comparisons using this framework.

Secure score represents our best recommendations for securing your endpoint devices (among other things). It’s context-aware, driven by your existing configuration and the threats impacting your environment.

One of the questions we’ve been asking is – what should you do if you have not yet purchased or deployed Microsoft Defender ATP in order to compute your secure score? What if you haven’t even deployed Windows 10? What if you don’t know exactly how to configure a given set of features? We thought we should supplement secure score to help people in all these scenarios with the security configuration framework.

The security configuration framework

The security configuration framework is designed to assist with exactly this scenario. We sat down and asked ourselves this question: if we didn’t know anything at all about your environment, what security policies and security controls would we suggest you implement first? We worked with a select group of pilot customers, experts from Microsoft’s engineering team, and the Microsoft sales field to develop this guidance.

Rather than making an itemized list, we grouped recommendations into coherent and discrete groups, which makes it easier for you to see where you stand in terms of your defensive posture. In this initial draft, we have defined 5 discrete levels of security configuration. Mimicking the DEFCON levels used to determine alert state by the United States Armed Forces, lower numbers indicate a higher degree of security hardening:

  Level 5 – Enterprise security – We recommend this configuration as the minimum-security configuration for an enterprise device. Recommendations for this security configuration level are generally straightforward and are designed to be deployable within 30 days.
  Level 4 – Enterprise high security – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact on app compatibility, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
  Level 3 – Enterprise VIP security – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (for example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this security configuration level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
  Level 2 – DevOps workstation – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and credential theft attacks that attempt to gain access to servers and systems containing high-value data or where critical business functions could be disrupted. We are still developing this guidance, and will make another announcement as soon as it is ready.
  Level 1 – Administrator workstation – Administrators (particularly of identity or security systems) face the highest risk, through data theft, data alteration, or service disruption. We are still developing this guidance, and will make another announcement as soon as it is ready.

How do you choose the configuration that’s best for your organization? If you’re an organization that’s already looking to Windows security baselines to provide advanced levels of security (now also available in preview for Intune), then level 3 incorporates these baselines as its foundation. If you’re earlier in your journey, you should find level 5 a great starting point, and you can then balance the enhanced security of the more hardened (lower-numbered) levels against your application readiness and risk tolerance.

We are releasing this draft version to gather additional feedback from organizations looking to organize their device security hardening program. You can find the draft security configuration framework documentation and provide us feedback at

We are eager to gather feedback on how we could make this guidance more useful, and if there are security controls and configurations you feel may be misplaced (or missing)!

The post Introducing the security configuration framework: A prioritized guide to hardening Windows 10 appeared first on Microsoft Security.

Forcepoint DLP integration with Microsoft Information Protection—protecting your critical data

Microsoft Malware Protection Center - Wed, 04/10/2019 - 3:00pm

Many organizations are undergoing a rapid digital transformation that is challenging their traditional approach to data security. Organizations in highly regulated industries or who partner with organizations in regulated industries are often faced with accelerated timelines and requirements to protect sensitive data such as protected health information, personal identifiable information, and intellectual property. Failure to comply could have significant financial and brand consequences. Even organizations who aren’t yet impacted by regulatory compliance requirements find it imperative to protect their critical data in a changing digital landscape.

Organizations often engage their employees in the data labeling process by providing tools to enable safe data handling practices. This engagement empowers employees to take ownership in the process and reinforces ongoing awareness of how to properly handle sensitive data. This traditional approach can be quite effective. But what if you could enhance it? Humans will make mistakes—whether through neglect or by accident. Augmenting this approach with additional controls, such as automation, can provide greater capabilities and minimize the risk of human error.

That’s where Forcepoint Data Loss Prevention (DLP) and Microsoft Information Protection solutions can help. As a member of Microsoft Intelligent Security Association, Forcepoint has worked closely with Microsoft to develop an integrated solution that makes it easy to discover, classify, label, and protect critical business data.

Microsoft Information Protection simplifies the process by integrating sensitivity labeling capabilities into commonly used Microsoft applications. Users can utilize document and email labeling to properly identify the sensitivity of the data being accessed or created. But user-applied data labeling may not be enough.

For example, let’s assume a user is working on a document that contains sensitive information (perhaps it contains details about an upcoming acquisition that is intended for executive leadership eyes only) and the user labels the document as “Private” instead of “Restricted.” The user may not fully understand which labels designate what information is limited to executive leadership audiences versus all management audiences within the organization. It’s an honest mistake but could lead to sensitive data inadvertently being shared with unauthorized users within the organization.

Proper data protection requires the ability to detect and control how sensitive data moves in and out of an organization without disrupting a user’s ability to do their job. DLP solutions, such as Forcepoint DLP, give organizations enhanced visibility and control of their data across all the channels where people work and collaborate: networks, endpoints, and the cloud. With single-console policy management, organizations can define and deploy policies across their enterprise with ease, so that they detect and respond when incidents of mislabeled documents, such as the one in the previous scenario, arise. With a DLP solution in place, employee coaching (via pop-up windows) can provide additional guidance to users, telling them which action was done in error and how to remediate the risk in real time.

When Microsoft Information Protection is utilized with Forcepoint DLP, the combined data protection capabilities enable more accurate detection and protection of critical data. The integration enables three core capabilities: (1) Ability to import label schemas, (2) Ability to create custom classifiers, and (3) Ability to automate document labeling.*

Label taxonomy

With the Forcepoint Security Manager (FSM), practitioners can seamlessly import the label schemas available in Microsoft Information Protection, using the pre-defined labels to reduce the need for manual label creation. This keeps the label taxonomy consistent between the Microsoft 365 Security & Compliance Center and the labels made available via FSM. Practitioners can then apply those labels based on defined policies; for example, a policy can encrypt any document labeled “Highly confidential” that is sent via email to an internal recipient. With FSM, practitioners control and manage these policies across all channels—endpoints, network, web, email, and the cloud—from a single console, providing a single-pane-of-glass view of everywhere users access data.

Custom classifier creation

Practitioners have the flexibility to create user-defined classifiers for the labels appropriate to their business. These classifiers are used in policies to trigger an alert when DLP detects matching data. By enabling custom classifiers, an organization can create a classification or category for sensitive data that may be unique to it. For example, perhaps an organization uses an employee identifier such as an employee badge ID number with non-standard characters, or abnormally long alphanumeric passwords. Custom classifiers make it easy to categorize this data and to define which classifiers are linked to the policies that trigger an alert when it is detected. Fingerprinting capabilities in Forcepoint DLP would detect the sensitive data (based on the classifier) and alert the practitioner when data exfiltration attempts are made.

Automated labeling

This integration establishes the framework to automate the application of classification labels and validation of Microsoft Information Protection sensitivity labels and rights management at endpoints using Forcepoint DLP. This soon-to-be-released capability will reduce the risk of data exfiltration as a result of user error or neglect associated with document labeling.

Real-life scenario

So, what do these capabilities look like in a real-life scenario? Let’s assume a user copies partial content from a sensitive document labeled as “Highly confidential” and pastes that content into a new Microsoft Word document (a method commonly used to get around security policies). They proceed to label that document as “Public” (accidentally or intentionally). When the user attempts to save that file to a USB drive, advanced detection capabilities in Forcepoint DLP (such as fingerprinting) detect the sensitive data (such as keywords or classifications linked to highly confidential content), triggering a rule and an alert.

Utilizing the Microsoft Information Protection API, the correct sensitivity label “Highly confidential” is retrieved and enforced on the DLP side via a policy that automatically applies the correct label to the document. The result is protection against data exfiltration and reduced risk of compromised IP or compliance violation.
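To make the copy-and-paste scenario concrete, here is an added example (not Forcepoint or Microsoft code) of how a DLP engine can fingerprint a “Highly confidential” document with hashed word shingles, flag a new document labeled “Public” that contains a pasted sentence from it, and return the label that should be enforced. The label names follow the post; the shingle size, match threshold, label ranking and sample texts are assumptions constructed for this example.

```python
"""Illustrative DLP fingerprinting for the copy-and-paste scenario above.

Added example, not Forcepoint or Microsoft code. Source documents are reduced
to hashed word shingles (the raw text is not stored); a new document is checked
for overlap, and if it carries a lower label than the matched source, the
source's label is returned as the one to enforce. Thresholds, label ranking and
sample texts are constructed assumptions.
"""
import hashlib
import re
from dataclasses import dataclass

SHINGLE_WORDS = 5       # words per shingle (assumed tuning value)
MATCH_THRESHOLD = 0.05  # fraction of a document's shingles that must match (assumed)

# Higher rank = more sensitive; label names follow the post, ranking is assumed.
LABEL_RANK = {"Highly confidential": 3, "Restricted": 2, "Private": 1, "Public": 0}


@dataclass
class Document:
    name: str
    label: str   # user-applied sensitivity label
    text: str


def fingerprint(text: str) -> set:
    """Hash every run of SHINGLE_WORDS consecutive words; punctuation and case
    are normalised away so a pasted paragraph still matches."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    shingles = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        chunk = " ".join(words[i:i + SHINGLE_WORDS]).encode()
        shingles.add(hashlib.sha256(chunk).hexdigest()[:16])
    return shingles


def build_registry(sources):
    """Map source name -> (label, fingerprint) for the labeled documents."""
    return {doc.name: (doc.label, fingerprint(doc.text)) for doc in sources}


def evaluate(doc: Document, registry: dict) -> dict:
    """Find the best-matching registered source and decide whether the
    user-applied label on `doc` is lower than the data it contains."""
    probe = fingerprint(doc.text)
    best_name, best_label, best_ratio = None, None, 0.0
    for name, (label, prints) in registry.items():
        ratio = len(probe & prints) / len(probe) if probe else 0.0
        if ratio > best_ratio:
            best_name, best_label, best_ratio = name, label, ratio
    violation = (best_ratio >= MATCH_THRESHOLD
                 and LABEL_RANK[best_label] > LABEL_RANK[doc.label])
    return {
        "document": doc.name,
        "user_label": doc.label,
        "match_ratio": round(best_ratio, 3),
        "matched_source": best_name if violation else None,
        "corrected_label": best_label if violation else None,
    }


# Constructed sample content (not real documents).
CONFIDENTIAL_TEXT = (
    "Board summary for the proposed acquisition. The offer values the target "
    "at four hundred million dollars and closing is planned for the third "
    "quarter. Due diligence is led by the finance team and external counsel. "
    "Distribution is limited to executive leadership only."
)
PASTED_SENTENCE = ("The offer values the target at four hundred million dollars "
                   "and closing is planned for the third quarter.")
CLEAN_TEXT = "Team lunch menu for Friday. Please reply with your choice by Thursday."

REGISTRY = build_registry([
    Document("acquisition-brief.docx", "Highly confidential", CONFIDENTIAL_TEXT),
])


def run_scenario() -> dict:
    """A user pastes one sentence from the brief into a document labeled
    'Public' and tries to save it; the evaluator returns the label to enforce."""
    new_doc = Document("notes.docx", "Public", CLEAN_TEXT + " " + PASTED_SENTENCE)
    return evaluate(new_doc, REGISTRY)


if __name__ == "__main__":
    print(run_scenario())
```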

We recognize one size does not fit all. Organizations want the flexibility to select their preferred data classification and rights management solutions while getting optimal protection from their DLP solution. This integration establishes the framework to enable flexibility for enhanced capabilities with Microsoft Information Protection, as well as other labeling and classification technologies. The result: solutions that keep your critical data protected while helping you gain data handling efficiencies and accuracy.

Learn more

Regardless of where you are on your security maturity journey, data protection should enable you to reduce risk by giving you control and oversight of your data. Forcepoint solutions can help you get there. To learn more about how Forcepoint DLP can help you on your security maturity journey, visit

*Automated data labeling for Forcepoint DLP and Microsoft Information Protection will be available later this year.

The post Forcepoint DLP integration with Microsoft Information Protection—protecting your critical data appeared first on Microsoft Security.

4 tried-and-true prevention strategies for enterprise-level security

Microsoft Malware Protection Center - Wed, 04/10/2019 - 12:00pm

Why is it that dentists advise people over and over to floss, yet so few do it? It only takes a minute of your time, yet if you’re running late or feeling tired, you may be tempted to skip it. That is until you remember your upcoming teeth cleaning appointment. There is nothing like the memory of a long and painful visit to the dentist to motivate good dental hygiene. Smart habits today can save you time and money later.

Good habits are also important in cybersecurity. It is typically much cheaper to prevent an attack than to respond to one already in motion. A great example is the WannaCry ransomware attack. Attackers exploited a vulnerability, which resulted in as much as $4 billion worth of damage around the world. The vulnerability had been patched in a security update released by Microsoft one month prior to the attack, so organizations that had installed the latest updates were spared.

Sometimes cyber hygiene advice is ignored because it’s not the new, shiny whiz-bang solution du jour. It’s easier to get attention for a sparkly light-up electric toothbrush than for a plain old piece of dental floss, but that “plain old” floss is key to keeping your choppers cavity free.

With this in mind, we broke out the four best practices of cyber hygiene outlined in the 24th edition of the Microsoft Security Intelligence Report (SIR) to help reduce your risk of attack:

  1. Practice good security hygiene.
  2. Implement access tiers among employees.
  3. Always back up important data.
  4. Teach employees how to spot and report suspicious activity.
Practice good security hygiene

Good security hygiene includes routine policies and procedures to maintain and protect your IT systems and devices:

  • Use only trusted software—If you can’t validate the credibility of the vendor or supplier, don’t use it. Avoid free software from an unknown source.
  • Deploy software updates—Keep your software and operating systems up to date. Vendors regularly release security updates to their applications, and the only way you can take advantage of this is if you deploy the updates. You should also be sure to apply the security configuration baselines provided by your software vendors.
  • Protect email and browsers—Attackers frequently conduct social engineering attacks through email and browsers, so it’s important to deploy security updates as soon as they are available. And deploy advanced threat protection capabilities for your email, browser, and email gateway to help safeguard your organization from modern phishing variants.
Implement access tiers among employees

The principle of least privilege should guide your access control policies. Malicious actors want to take control of the most privileged accounts in your organization, so the fewer people that have them the better. You also should be mindful that even though your company may have a “trusted software only” mandate, employees may unwittingly download unsafe software that can spread “malcode” throughout your organization.

  • Give system access on a need-to-know basis—Set up role-based access to easily onboard users to the systems they need to do their jobs and nothing more. Keep administrative accounts separate from information worker accounts, so that users only sign in to administrative accounts when they need them. Set up just-in-time privileges that give users with administrative accounts access to systems only when they need them and for a limited time.
  • Don’t allow users to download applications from anywhere but an app store—Deploy strong code integrity policies, including restricting the applications that users can run with whitelisting. If possible, adopt a security solution that restricts the code allowed to run in the system core (kernel) and can block unsigned scripts and other forms of untrusted code.
Always back up important data

Your organization’s data is often its most valuable asset. If you suffer a security breach or a ransomware attack, a good backup process can save you if your data is destroyed or removed.

  • Back up data online—Use cloud storage services for automatic backup of data online.
  • Use the 3-2-1 method for your most important data—For on-premises data, keep three backups of your data, on two different storage types, and at least one backup offsite.
Teach employees how to spot and report suspicious activity

Your employees are a constant target of attackers, and many are tricked into downloading malicious software or sharing their credentials. They can also be your first line of defense. A strong cybersecurity education program can turn employees from targets to first responders.

  • Recognize social engineering and spear-phishing attacks—Attackers continuously update the methods they use to gain employee trust and access. Provide context about how these attacks work, including the latest techniques and relevant examples.
  • Use your web browser safely—Educate employees about the dangers of unsafe websites, such as those that run cryptocurrency mining scripts in the browser. Ensure they keep their browsers up to date with the latest security features and solutions that provide warnings about unsafe sites.
  • Identify suspicious file types—Teach employees to look for suspicious files if a computer is running exceptionally slow and encourage them to submit a sample to the operating system vendor.
  • Engage IT if you’re not sure about something—Make sure that employees know how to report suspicious communications or get advice from IT on what to do about it.
Learn more

There’s probably nothing that surprised you on this list, but can you confirm with 100 percent certainty that your company is practicing and enforcing all of these cyber hygiene recommendations? Instituting security preventative practices may not be as easy as flossing your teeth, but there are resources that can help.

For more details about these and other security recommendations:

The post 4 tried-and-true prevention strategies for enterprise-level security appeared first on Microsoft Security.

Building the security operations center of tomorrow—better insights with compound detection

Microsoft Malware Protection Center - Wed, 04/10/2019 - 12:00pm

In the physical world, humans are fantastic at connecting low quality signals into high quality analysis. Consider speaking with someone in a crowded place. You may not hear every word they say, but because you are fluent in the language and can piece together context from the words you did hear, you can fill in what you missed. For example, if you’re with a colleague in a noisy station who says, “Our (inaudible) is about to arrive,” you can be pretty confident, based on where you are and the way their mouth moved, that “(inaudible)” is “train.”

In the digital world, we need tools that can perform similar feats of adaptive analysis. Effective cybersecurity depends on rapid detection and remediation to limit the damage from high-impact activities. It also requires intelligence across on-premises, hybrid cloud environments, mobile devices, IoT, threat intelligence, partner information, and other endpoints to uncover stealth attacks.

Tomorrow’s security operations center (SOC) tools need to analyze the low-risk incidents that our current systems are missing. We also need to account for uncertainty and the changing tactics of attackers in order to anticipate the next step in the kill chain and uncover novel attacks. This is what compound detection is designed to do.

As we’ve written in two previous posts, the law of data gravity provides the framework for addressing both speed and insight correlation across data sources. Microsoft recently released the public preview of Fusion technology, which is based on compound detection; it accelerates the analysis and helps connect the dots between your data lakes.

The law of data gravity

The law of data gravity states that the bigger the mass of data, the more services and apps are attracted to it, accelerated by the need to decrease latency and maximize bandwidth. According to this law, whenever possible you should run analysis where the data is. When applied to security, this means instead of waiting to gather all your log files into a traditional security information and event management (SIEM) system to do analysis, you can leverage security data that your vendors have amassed in their clouds to detect and remediate threats. For example, if malware is positively identified in one cloud endpoint, you can block it quickly across all endpoints and prevent threats from spreading. Insights from each of your security platforms can then be connected to uncover stealth attacks or novel approaches.

The traditional SIEM was designed to correlate data across multiple on-premises systems; however, SIEMs suffer from two related problems. They surface an enormous number of alerts, many of them false positives, which places a huge burden on security analysts who must triage the alerts and correlate them with alerts from other products. To make matters more frustrating, the SIEM’s brittle, static rules can miss important events, leading to false negatives. It’s no wonder that analysts suffer from alert fatigue.

Fusion technology, as part of Azure Sentinel, is the first cloud-native SIEM tool to remove some of this burden from security analysts. Fusion uses scalable machine learning algorithms to reduce thousands of alerts to a manageable list of high-fidelity cases.

Compound detection can reduce both false positives and false negatives

Fusion technology is based on the concept of compound detection. As we learned from the shortcomings of the traditional SIEM, we need tools that are able to improve their accuracy over time and can quickly correlate alerts across platforms to reduce the number of false positives that analysts must investigate.

Compound detection works by building a graph of low- and high-risk alerts and high-impact activities (such as a successful phishing campaign), with edges linking related elements. Probabilistic algorithms correlate behavior between the alerts and high-impact activities and simulate different attack paths. Because machine learning algorithms work faster than manual analysis, compound detection can analyze all events, even the low-risk ones. It can uncover multi-stage attacks, and it updates its model of the kill chain to improve its ability to detect the early stages of a new attack. When the analysis is done, millions of lower-fidelity anomalous activities can be reduced to dozens of high-fidelity cases, leaving security analysts the time to focus on the security issues that make the biggest difference.
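The following Python is an added illustration of the graph-and-correlate idea described above; it is not Fusion’s code, whose algorithms are not published on this page. It builds edges between alerts that name the same entity and advance through kill-chain stages inside a time window, combines their individual confidences, and surfaces only chains that clear a threshold. The alert set, stage ordering, scores, window and combination rule are all assumptions made for the example.

```python
"""Added example of compound detection: link low-fidelity alerts that share an
entity and advance through kill-chain stages inside a time window, then surface
only the chains whose combined evidence crosses a threshold. Toy code, not the
Fusion implementation."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed kill-chain ordering; a later index means a later stage.
STAGES = ["initial_access", "persistence", "collection", "exfiltration"]
STAGE_INDEX = {s: i for i, s in enumerate(STAGES)}

# Constructed sample alerts, not real telemetry. 'score' is each detector's own
# confidence (0..1) that its event is malicious when viewed in isolation.
ALERTS = [
    {"id": "a1", "entity": "alice", "ts": "2019-03-04T08:00:00", "stage": "initial_access", "score": 0.2},
    {"id": "a2", "entity": "alice", "ts": "2019-03-04T08:20:00", "stage": "persistence",    "score": 0.3},
    {"id": "a3", "entity": "alice", "ts": "2019-03-04T09:10:00", "stage": "exfiltration",   "score": 0.4},
    {"id": "b1", "entity": "bob",   "ts": "2019-03-04T08:05:00", "stage": "initial_access", "score": 0.2},
    {"id": "c1", "entity": "carol", "ts": "2019-03-01T10:00:00", "stage": "initial_access", "score": 0.2},
    {"id": "c2", "entity": "carol", "ts": "2019-03-04T10:00:00", "stage": "exfiltration",   "score": 0.4},
]


def build_graph(alerts, window=timedelta(hours=6)):
    """Directed edge a -> b when both alerts name the same entity, b occurs after a
    within the window, and b sits at a later kill-chain stage than a."""
    by_entity = defaultdict(list)
    for alert in alerts:
        by_entity[alert["entity"]].append(alert)
    edges = defaultdict(list)
    for group in by_entity.values():
        group.sort(key=lambda a: a["ts"])          # ISO-8601 strings sort chronologically
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                gap = datetime.fromisoformat(b["ts"]) - datetime.fromisoformat(a["ts"])
                if gap <= window and STAGE_INDEX[b["stage"]] > STAGE_INDEX[a["stage"]]:
                    edges[a["id"]].append(b["id"])
    return edges


def chain_probability(chain):
    """Treat the alerts as independent evidence: P(at least one is a true positive)
    = 1 - prod(1 - p_i). Three weak alerts therefore outscore any one of them."""
    p_none = 1.0
    for alert in chain:
        p_none *= 1.0 - alert["score"]
    return 1.0 - p_none


def find_incidents(alerts, threshold=0.6, window=timedelta(hours=6)):
    """Walk every root-to-leaf path in the alert graph and keep, per entity, the
    most probable multi-stage chain that clears the threshold."""
    by_id = {a["id"]: a for a in alerts}
    edges = build_graph(alerts, window)
    has_parent = {child for children in edges.values() for child in children}
    best = {}

    def walk(path):
        successors = edges.get(path[-1]["id"], [])
        if not successors:
            prob = chain_probability(path)
            entity = path[-1]["entity"]
            if len(path) > 1 and prob >= threshold and prob > best.get(entity, (0.0,))[0]:
                best[entity] = (prob, [a["id"] for a in path])
            return
        for child in successors:
            walk(path + [by_id[child]])

    for alert in alerts:
        if alert["id"] not in has_parent:            # start only at graph roots
            walk([alert])
    return [{"entity": e, "probability": round(p, 3), "alerts": ids}
            for e, (p, ids) in sorted(best.items())]


if __name__ == "__main__":
    for incident in find_incidents(ALERTS):
        print(incident)
    # Expected: one incident for alice (a1 -> a2 -> a3, probability 0.664);
    # bob's lone sign-in and carol's two events three days apart never surface.
```

Six alerts, none of which would justify an investigation on its own, collapse to a single case for one user; the time window is what keeps carol’s unrelated events from being stitched together.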

Learn more

The days of alert fatigue may not be over yet, but with solutions like compound detection, we’re working towards solving the problem. Read about Azure Sentinel and its underlying technology to find out more.

In the coming weeks, we’ll share another post in this series on the Security blog, where we’ll address the concept of data architecture and provide guidance on what information needs to be pulled together for insights and what can remain where it is.

The post Building the security operations center of tomorrow—better insights with compound detection appeared first on Microsoft Security.

Analysis of a targeted attack exploiting the WinRar CVE-2018-20250 vulnerability

Microsoft Malware Protection Center - Wed, 04/10/2019 - 11:00am

In early March, we discovered a cyberattack that used an exploit for CVE-2018-20250, an old WinRar vulnerability disclosed just several weeks prior, and targeted organizations in the satellite and communications industry. A complex attack chain incorporating multiple code execution techniques attempted to run a fileless PowerShell backdoor that could allow an adversary to take full control of compromised machines.

The WinRar vulnerability was discovered by Check Point researchers, who demonstrated in a February 20 blog post that a specially crafted ACE file (a type of compressed file) could allow remote code execution. Attackers quickly took advantage of the vulnerability in attacks, including a targeted attack that 360 Total Security researchers discovered just two days after disclosure. The exploit has since been observed in multiple malware attacks.

The use of ACE files is not uncommon in malware campaigns. A combination of machine learning, advanced heuristics, behavior-based detections, and detonation enables Office 365 Advanced Threat Protection (ATP) to regularly detect and block a variety of threats that are packed in ACE files, including common malware like Fareit, Agent Tesla, NanoCore, LokiBot and some ransomware families.

The same capabilities in Office 365 ATP detected malicious ACE files carrying the CVE-2018-20250 exploit. We spotted one of these ACE files in the sophisticated targeted attack that we describe in this blog and that stood out because of unusual, interesting techniques. Notably, the attack used techniques that are similar to campaigns carried out by the activity group known as MuddyWater, as observed by other security vendors like Trend Micro.

Figure 1. Attack chain that delivered the CVE-2018-20250 exploit

Attack chain overview

A spear-phishing email purporting to be from the Ministry of Foreign Affairs (MFA) of the Islamic Republic of Afghanistan was sent to very specific targets and asked for “resources, telecommunication services and satellite maps”. The email came with a Word document attachment.

Figure 2. Spear phishing email containing lure Word Document

When opened, the document asks the recipient to download another document from a now-inactive OneDrive link. While the URL was down during our analysis, we still reported the case to the OneDrive team.

The use of a document with just a link—no malicious macro or embedded object—was likely meant to evade conventional email security protection. This didn’t work against Office 365 ATP, which has the capability to scan emails and Office documents for URLs and analyze links for malicious behavior.

Figure 3. Word document lure containing OneDrive link

Clicking the link downloads an archive file containing a second Word document, which has a malicious macro. Microsoft Word opens the document with a security warning. Enabling the macro starts a series of malicious actions that leads to the download of the malware payload.

Figure 4. Downloaded document with malicious macro

Interestingly, the document has a “Next Page” button. Clicking that button displays a fake message signifying that a certain DLL file is missing, and that the computer needs to restart. This is a social engineering technique that ensures the computer is restarted, which is needed for the payload to run. (More on this later.)

Figure 5. Fake message instructing user to restart the computer

Meanwhile, with the macro enabled, the malicious code performs the following in the background:

  • Extract and decode a data blob from a UserForm TextBox and drop it as C:\Windows\Temp\id.png
  • Create a malicious Visual Basic Script (VBScript) and drop it as C:\Windows\Temp\temp.vbs
  • Add persistence by creating a COM object and adding an autorun registry key to launch the created shell object
  • Launch temp.vbs, a wrapper for the malicious PowerShell command that decodes the id.png file into the second-stage PowerShell script, which is highly obfuscated and contains multi-layered encryption (this PowerShell script is similar to one used in past MuddyWater campaigns)

The second-stage PowerShell script collects system information, generates a unique computer ID, and sends these to a remote location. It acts as a backdoor and can accept commands, including:

  • Download arbitrary file
  • Run command using cmd.exe
  • Decode a base64-encoded command and run it using PowerShell

The PowerShell script’s ability to accept commands and download programs gave the remote attacker a way to deliver the malicious ACE file containing the CVE-2018-20250 exploit. When triggered, the exploit drops the payload dropbox.exe.

The next sections discuss in detail the key components of this attack chain.

Malicious macro

The highly obfuscated malicious macro code used in this attack runs malicious code in an unusual way, by chaining several programs. It first extracts encoded data from a UserForm TextBox, then decodes it and saves it as C:\Windows\Temp\id.png. This file contains an encoded PowerShell command that the first-stage PowerShell script later decodes and runs.

Figure 6. Obfuscated macro code

The malicious macro code then creates an Excel.Application object to write the VBScript code.

Figure 7. VBScript code created by the malicious macro

It then runs wscript.exe to launch the PowerShell script at runtime. The PowerShell script itself never touches the disk, making it a fileless component of the attack chain. Living off the land, the technique of using resources that are already available on the system (e.g., wscript.exe) to run malicious code directly in memory, is another way this attack tries to evade detection.


The first-stage PowerShell script contains multiple layers of obfuscation. When run, it decodes the file id.png to produce another PowerShell script that’s responsible for the rest of the actions.

Figure 8. Obfuscated first-stage PowerShell code

Figure 9. De-obfuscated first-stage PowerShell script

The decrypted PowerShell script is also highly obfuscated. Fully de-obfuscating it requires unwrapping over 40 layers of script blocks.

The second-stage PowerShell script collects system information such as the operating system, OS architecture, username, domain name, disk information, IP addresses (enabled adapters only), and gateway IP address. It computes the MD5 hash of the collected system information and uses that hash as the BotID (some researchers also refer to this as SYSID).

It then concatenates the hash and system information in a string that looks like the following:

<BotID>**<OS>|Disk information**<IP Address List>**<OS Architecture>**<Hostname>**<Domain>**<Username>**<Gateway IP>

For example:

6e6bdbd3d8b102305f016b06e995a384**Microsoft Windows 10 Enterprise|C:\WINDOWS|\Device\Harddisk0\Partition3**192[.]168[.]61[.]1-192[.]168[.]32[.]1-157[.]59[.]24[.]113**64-bit**<Hostname>**<Domain>**<Username>**131[.]107[.]160[.]113

It then encodes each character of the collected system information as a decimal value using a simple custom algorithm with a hardcoded key (referred to as the public key): 959,713. The result is formatted as JSON-like data:

{"data":"665 545 145 145 222 545 222 145 73 367 665 438 438 438 598 616 145 518 616 566 438 [REDACTED] 616 73 145 145 665 518 365 438 316 665 513 513 432 261 181 344"}

It sends the encoded data to a hardcoded remote command-and-control (C&C), likely to check and register the infected computer: hxxp://162[.]223[.]89[.]53/oa/.

It continuously waits until the remote attacker sends back “done”. Then, it sends an HTTP request to the same C&C address passing the BotID, likely to wait for command: hxxp://162[.]223[.]89[.]53/oc/api/?t=<BOTID>.

It accepts commands to download files and execute commands, and sends the output back, Base64-encoded, to the C2 server using HTTP POST: hxxp://162[.]223[.]89[.]53/or/?t=<BOTID>.
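As an added example (not part of the original write-up or the malware), the Python below turns the three C2 URL shapes and the check-in layout described above into detection logic: it flags beacon requests in proxy log lines, pulls out the BotID, and parses a check-in string into named fields. The log lines, hostname, domain and username are constructed; the URL paths, the BotID and the field layout are taken from the text above.

```python
"""Added example: spot the beacon traffic described above in proxy logs and parse
the check-in string. The URL shapes and the check-in layout come from the
write-up; the log lines, host names and user names are constructed."""
import re

C2_HOST = "162.223.89.53"

# /oa/ registers the bot, /oc/api/?t=<BotID> polls for a command and
# /or/?t=<BotID> posts results. The BotID is an MD5 hex digest (32 hex chars).
BEACON_RE = re.compile(
    r"^/(?:(?P<register>oa/)"
    r"|oc/api/\?t=(?P<poll>[0-9a-f]{32})"
    r"|or/\?t=(?P<post>[0-9a-f]{32}))$"
)

# Constructed proxy log: timestamp client method host path status
SAMPLE_LOG = """\
2019-03-05T10:00:01Z 10.0.0.21 POST 162.223.89.53 /oa/ 200
2019-03-05T10:00:04Z 10.0.0.21 GET 162.223.89.53 /oc/api/?t=6e6bdbd3d8b102305f016b06e995a384 200
2019-03-05T10:00:09Z 10.0.0.21 POST 162.223.89.53 /or/?t=6e6bdbd3d8b102305f016b06e995a384 200
2019-03-05T10:00:12Z 10.0.0.33 GET www.example.com /index.html 200
2019-03-05T10:00:15Z 10.0.0.33 GET 162.223.89.53 /images/logo.png 404
"""


def find_beacons(log_text, c2_host=C2_HOST):
    """Return one hit per request whose host and path match the C2 pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                      # malformed line; skip rather than crash
        ts, client, method, host, path, status = fields
        if host != c2_host:
            continue
        m = BEACON_RE.match(path)
        if not m:
            continue                      # same host, but not a beacon path
        phase = next(name for name, value in m.groupdict().items() if value)
        botid = m.group("poll") or m.group("post")   # None for registration
        hits.append({"ts": ts, "client": client, "phase": phase, "botid": botid})
    return hits


def parse_checkin(blob):
    """Split the '**'-delimited check-in string into named fields. The OS field
    carries '|'-separated disk details and the IP field '-'-separated addresses."""
    parts = blob.split("**")
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields, got {len(parts)}")
    botid, os_and_disk, ips, arch, host, domain, user, gateway = parts
    if not re.fullmatch(r"[0-9a-f]{32}", botid):
        raise ValueError("BotID is not an MD5 hex digest")
    os_name, *disk = os_and_disk.split("|")
    return {
        "botid": botid, "os": os_name, "disk": disk,
        "ips": ips.split("-"), "arch": arch, "hostname": host,
        "domain": domain, "username": user, "gateway": gateway,
    }


# Constructed check-in using the layout shown above (hostname, domain and user invented).
SAMPLE_CHECKIN = (
    "6e6bdbd3d8b102305f016b06e995a384**Microsoft Windows 10 Enterprise|C:\\WINDOWS|"
    "\\Device\\Harddisk0\\Partition3**192.168.61.1-192.168.32.1-157.59.24.113**64-bit"
    "**WS-0042**CORP**jdoe**131.107.160.113"
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
    print(parse_checkin(SAMPLE_CHECKIN))
```

Matching on host plus path shape rather than the IP alone keeps the rule useful if the operators move the same backend to a new address, and the BotID extracted from the poll and post requests lets you tie every request from one implant together across a large log.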

CVE-2018-20250 exploit

In their analysis of the CVE-2018-20250 vulnerability, Check Point researchers found that when parsing ACE files, WinRar used an old DLL named unacev2.dll that was vulnerable to directory traversal.

Malicious ACE files that carry the CVE-2018-20250 exploit can be spotted through:

  • Directory traversal string – The validation that unacev2.dll performs on the destination path when extracting an ACE archive is insufficient. If an attacker can craft a relative path that bypasses the checks in place, the embedded payload is extracted to the attacker-specified location.
  • Drop zone – In-the-wild samples commonly use the Startup folder, but it’s also possible to drop the file to known or pre-determined SMB shared folders.
  • Payload – The malicious payload, as in this attack, is commonly an .exe file, but in-the-wild samples and other ACE files that we’ve seen use scripts such as VBScript instead.

Figure 10. ACE file with CVE-2018-20250 exploit

The ACE file contains three JPEG files that may look related to the email and Word document lures. When the user attempts to extract any of them, the exploit triggers and drops the payload, dropbox.exe, to the Startup folder.

Figure 11. Contents of the malicious ACE file

Going back to the fake error message about a missing DLL that asks the user to restart the computer: the CVE-2018-20250 vulnerability only allows a file to be written to a chosen folder; it cannot run the file immediately. Since the payload was dropped in the Startup folder, it is launched when the computer restarts.
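To make the bug class concrete, here is an added example (not the unacev2.dll code and not the real ACE sample) showing an extractor that trusts archive entry names next to one that confines every entry to the destination folder. The destination and the entry names are constructed; the traversal entry climbs into the Startup folder exactly as the in-the-wild samples do. ntpath is used so Windows path rules apply even when the script runs elsewhere.

```python
"""Added example of the bug class behind CVE-2018-20250: an extractor that trusts
archive entry names beside one that confines every entry to the destination
folder. Generic illustration, not the unacev2.dll logic; entry names and folder
names are constructed. ntpath is used so Windows path rules apply on any OS."""
import ntpath

DEST = r"C:\Users\victim\Downloads\lure"

# Constructed entry names. The third climbs out of the destination into the
# Startup folder, which is what in-the-wild samples do so the payload runs at
# the next logon; the last two try absolute and UNC destinations.
ENTRIES = [
    r"photo1.jpg",
    r"photo2.jpg",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropbox.exe",
    r"C:\Windows\Temp\dropbox.exe",
    r"\\fileserver\public\dropbox.exe",
]


def naive_target(dest_dir, entry_name):
    """Vulnerable: join and normalise, never check where the result landed."""
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))


def safe_target(dest_dir, entry_name):
    """Hardened: refuse drive-qualified, rooted and UNC names up front, then
    normalise the joined path and require it to stay strictly under dest_dir."""
    drive, _ = ntpath.splitdrive(entry_name)
    if drive or entry_name.startswith(("\\", "/")):
        raise ValueError(f"absolute or UNC entry rejected: {entry_name}")
    root = ntpath.normcase(ntpath.normpath(dest_dir))
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(dest_dir, entry_name)))
    if not candidate.startswith(root + ntpath.sep):
        raise ValueError(f"entry escapes destination: {entry_name}")
    return candidate


def plan_extraction(dest_dir, entries):
    """Return (written, rejected): the paths the hardened extractor would create
    and the entries it refuses, each with the reason."""
    written, rejected = [], []
    for name in entries:
        try:
            written.append(safe_target(dest_dir, name))
        except ValueError as err:
            rejected.append((name, str(err)))
    return written, rejected


if __name__ == "__main__":
    for name in ENTRIES:
        print("naive ->", naive_target(DEST, name))
    written, rejected = plan_extraction(DEST, ENTRIES)
    print("hardened writes:", written)
    print("hardened rejects:", [n for n, _ in rejected])
```

The check is done on the fully normalised path rather than by looking for “..” substrings, since mixed separators, redundant segments and drive-relative names all defeat a substring filter; and it is done before any file is created, because once the write happens the Startup folder does the rest at the next logon.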

The payload dropbox.exe performs the same actions as the malicious macro component, which helps ensure that the PowerShell backdoor is running. The PowerShell backdoor could allow a remote attacker to take full control of the compromised machine and make it a launchpad for more malicious actions. Exposing and stopping the attacks at the early stages is critical in preventing additional, typically more damaging impact of undetected malware implants.

Stopping attacks at the entry point with Office 365 ATP

The targeted attack we discussed in this blog and other attacks that use the CVE-2018-20250 exploit show how quickly attackers can take advantage of known vulnerabilities. Attackers are always in search of new vectors to reach more victims. In this attack, they also used some sophisticated code injection techniques. Protections against cyberattacks should be advanced, real-time, and comprehensive.

The URL detonation capabilities in Office 365 ATP were instrumental in detecting and blocking the malicious behaviors across the multiple stages of this sophisticated attack, protecting customers from potentially damaging outcomes. URL detonation, coupled with heuristics, behavior-based detections, and machine learning, allows Office 365 ATP to protect customers not only from targeted attacks but also from well-crafted spear phishing attacks, in real time.

Unified protection across multiple attack vectors with Microsoft Threat Protection

These advanced defenses from Office 365 ATP are shared with other services in Microsoft Threat Protection, which provides seamless, integrated, and comprehensive protection against multiple attack vectors. Through signal sharing, Microsoft Threat Protection orchestrates threat remediation.

For endpoints that are not protected by Office 365 ATP, Microsoft Defender ATP detects the attacker techniques used in this targeted attack. Microsoft Defender ATP is a unified endpoint protection platform for attack surface reduction, next generation protection, endpoint detection & response (EDR), auto investigation & remediation, as well as recently announced managed threat hunting and threat & vulnerability management.

Microsoft Defender ATP uses machine learning, behavior monitoring, and heuristics to detect sophisticated threats. Its industry-leading optics, integration with Office 365 ATP and other Microsoft Threat Protection services, and use of AMSI give it unique capabilities to detect attacker techniques, including the exploit, obfuscation, detection evasion, and fileless techniques observed in this attack.

The attacks that immediately exploited the WinRar vulnerability demonstrate the importance of threat & vulnerability management in reducing organizational risk. Even if your organization was not affected by this attack against specific organizations in the satellite and communications industry, there are other malware campaigns that used the exploits.

Microsoft Defender ATP’s threat & vulnerability management capability uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities. As a component of a unified endpoint protection platform, threat & vulnerability management in Microsoft Defender ATP provides these unique benefits:

  • Real-time correlation of EDR insights with info on endpoint vulnerabilities
  • Invaluable endpoint vulnerability context for incident investigations
  • Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager

Figure 12. Sample Threat & Vulnerability Management dashboard showing WinRAR vulnerabilities on managed endpoints

The complex attack chain that incorporated sophisticated techniques observed in this targeted attack highlights the benefits of comprehensive protection enriched by telemetry collected across the entire attack chain. Microsoft Threat Protection continues to evolve to provide an integrated threat protection solution for the modern workplace.


Rex Plantado
Office 365 ATP Research Team


Indicators of compromise

Files (SHA-256):

  • 68133eb271d442216e66a8267728ab38bf143627aa5026a4a6d07bb616b3d9fd (Original email attachment, detected as Trojan:O97M/Maudon.A)
  • ef3617a68208f047ccae2d169b8208aa87df9a4b8959e529577fe11c2e0d08c3 (Document hosted in OneDrive link, detected as Trojan:O97M/Maudon.A)
  • 4cb0b2d9a4275d7e7f532f52c1b6ba2bd228a7b50735b0a644d2ecae96263352 (ACE file with CVE-2018-20250 exploit, detected as Exploit:Win32/CVE-2018-20250)
  • 6f78748f5b2902c05e88c1d2e45de8e7c635512a5f25d25217766554534277fe (dropbox.exe (Win64 Payload), detected as Trojan:Win32/Maudon.A)
  • c0c22e689e1e9fa11cbf8718405b20ce57c1d7c85d8e6e45c617e2b095b01b15 (Encoded id.png, detected as Trojan:PowerShell/Maudon.A)
  • 0089736ee162095ac2e4e66de6468dbb7824fe73996bbea48a3bb85f7fdd53e4 (temp.vbs, detected as ThreatRelated)
  • 1c25286b8dea0ebe4e8fca0181c474ff47cf822330ef3613a7d599c12b37ff5f (PowerShell script decrypted from id.png, detected as Trojan:PowerShell/Maudon.A)
  • 144b3aa998cf9f30d6698bebe68a1248ca36dc5be534b1dedee471ada7302971 (Decrypted PowerShell, detected as Trojan:PowerShell/Maudon.A)


URLs:

  • hxxps://1drv[.]ms/u/s!AgvJCoYH9skpgUNf3Y3bfhSyFQao
  • hxxp://162[.]223[.]89[.]53/oa/
  • hxxp://162[.]223[.]89[.]53/oc/api/?t=<BOTID>
  • hxxp://162[.]223[.]89[.]53/or/?t=<BOTID>


The post Analysis of a targeted attack exploiting the WinRar CVE-2018-20250 vulnerability appeared first on Microsoft Security.

Step 8. Protect your documents and email: top 10 actions to secure your environment

Microsoft Malware Protection Center - Tue, 04/09/2019 - 12:00pm

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 8. Protect your documents and email,” you’ll learn how to deploy Azure Information Protection and use Office 365 Advanced Threat Protection (ATP) and Exchange Online Protection to help secure your documents and emails.

There are two types of risks to plan for when it comes to documents and emails. The first risk is that sensitive information will be distributed, often unintentionally, to others that should not have access to it inside or outside of your company. The second is that users in your organization will click links in phishing emails that trick them into giving up their credentials or open attachments that unleash malware. This blog will address ways to protect your company against both.

Azure Information Protection, which is part of Microsoft Information Protection, helps protect your sensitive information wherever it lives or travels. To set up Azure Information Protection, you need to discover where your sensitive information resides, classify and label the information based on its sensitivity, apply policy-based protection settings to control information access and sharing, and continuously monitor your sensitive data landscape. Then Office 365 Advanced Threat Protection (ATP) and Exchange Online Protection can help you protect your mailboxes, files, online storage, and applications against sophisticated attacks in real-time by setting up anti-phishing policies, enabling Safe Links, and setting up Safe Attachments.

Deploy Azure Information Protection to protect your sensitive documents and emails

You may have hundreds or thousands of users creating and sharing documents and sending emails every day. Many files may not contain sensitive information, but the ones that contain personally identifiable information, financial data, health-related information, or confidential company information could cause you serious reputational, financial, or legal harm if they get into the wrong hands.

You can protect your critical documents and emails by implementing the right policies and controls across the information protection lifecycle:

  • Discover: Identify sensitive data in apps and repositories.
  • Classify and label: Classify data and apply labels based on sensitivity level.
  • Protect: Apply policy-based protection actions including encryption and access restrictions.
  • Monitor and remediate: Receive alerts flagging potential issues or risky behavior and take action.

You can download the Azure Information Protection—Deployment Acceleration Guide for a deeper overview of these phases and learnings from our engineering team. Read on for a high-level overview of the core concepts and resources.


Discover

The first phase in the approach is the discovery phase. In the discovery process, you gain visibility into the data that currently exists across your environment. To discover data in your on-premises file servers, run the Azure Information Protection scanner in discover mode. It will generate a report that catalogs data that has already been labeled, and the sensitive information types that Azure Information Protection has detected (Figure 1).

Figure 1. Azure Information Protection scanner report allows you to view overall volume and distribution of labeled files, and the types of sensitive data detected.

As discussed in Step 7. Discover shadow IT and take control of your cloud apps, you can use Microsoft Cloud App Security to scan files in cloud repositories to discover sensitive information. Once you’ve inspected data across your cloud repositories and on-premises repositories, you will move on to the classify and label phase.

Classify and label

Classification is determining the sensitivity of a document or email based on its content, and labeling is the application (either automatically or manually) of a sensitivity label, such as “Highly Confidential.” Azure Information Protection provides a recommended default label taxonomy in new tenants that can be modified for use by your organization. We also provide an online example of our current taxonomy that was developed by Microsoft over years of testing. We recommend using this taxonomy if your organization does not already have one established. If your organization has its own taxonomy or you plan to create one, the default label names in Azure Information Protection are easy to change or modify. It’s important not to overcomplicate your taxonomy, so review the Azure Information Protection—Deployment Acceleration Guide for guidance on how to develop your taxonomy.

Labels persist with files even when the files are shared or moved, ensuring that protection travels with the document. There are four options for applying labels:

  • Apply manually by users.
  • Apply a default label automatically to all new documents.
  • Recommend labels based on the data detected.
  • Apply labels automatically based on pre-defined classification and policies.

If you want users to apply labels manually, you can make it easy for them by automatically applying a default label to all new documents. In our default taxonomy, this would be the “General” label. A default label of “General,” which doesn’t apply encryption, allows anyone to view and edit the document, which may be a reasonable baseline for many documents in your organization. Users will need to think about applying a higher sensitivity label, such as “Confidential,” when they’re dealing with more sensitive data. We recommend that you enable the Azure Information Protection policy setting, which requires users to justify and explain why they lowered a classification level or removed a label (Figure 2).

Figure 2. You can require that users supply a justification if they lower the classification label.

Enable recommended labels in Azure Information Protection to provide guidance for users on how to label a document based on its content (Figure 3). This recommendation is based on the conditions that you define. For example, if Azure Information Protection detects credit card numbers in a document, you could define policies that recommend that the user label it as “Confidential.”

Figure 3. Azure Information Protection can be configured to recommend labels based on the information detected in the document.

You can also define conditions that, if matched, will apply the corresponding label automatically with no user involvement, and you can configure the Azure Information Protection scanner and Microsoft Cloud App Security to scan, classify, and label documents already saved on-premises and in cloud repositories, respectively.


Protect

Several protection actions can be applied to documents and emails based on sensitivity label, including applying encryption, rights restrictions, or visual markings (such as headers or footers). To encrypt files based on classification label, you will need to set up usage rights based on role. Azure Information Protection includes the following predefined roles:

  • Viewer: Allows users to view the data and nothing else.
  • Reviewer: Allows users to edit the data but NOT copy information out or change the protection applied.
  • Co-Author: Allows users to edit the data AND copy information out but NOT change the protection applied.
  • Co-Owner: Allows users full control, including copying information out, changing or removing the protection, and changing the Azure Information Protection label.

You’ll need to determine the type of protection that will be applied and the users that can access specific types of content. We recommend using sub-labels to define the audience of the content and the usage rights available to that audience. The Azure Information Protection—Deployment Acceleration Guide describes this concept in more detail with tips on how to apply it to your organization.

Monitor and remediate

Azure Information Protection Analytics gives you tools to view the state of your sensitive information, including the volume of labeled and protected files and emails, the application used to apply the label, the location of sensitive files, and the type of data that was detected (Figure 4). We recommend using the Azure Information Protection Analytics dashboards to see detailed information on information protection activities. This provides rich usage and activity data but requires an Azure subscription and incurs an additional cost based on usage.

Reporting data can help you refine the policies that you’ve established for labeling and protecting documents and identify potential risky behavior or over-sharing. Plan to regularly revisit your Azure Information Protection policies to optimize for your users and data needs.

Figure 4: The Data discovery dashboard provides information on the location of sensitive data within your organization.

Deploying Office 365 ATP

Bad actors continue to use email as a primary method for gaining initial access to your organization. Phishing and malware campaigns have increased in sophistication, increasing the chances that one or more of your users will accidentally provide their credentials or open an attachment that gives hackers access. Set up Office 365 ATP to protect against advanced attacks such as phishing and zero-day malware.

To get started, you’ll need to set up policies for the following:

  • Anti-phishing
  • Safe Links
  • Safe Attachments

Anti-phishing policies

When you enable anti-phishing in Office 365 ATP, machine learning models trained to detect phishing messages are applied to every incoming message. Anti-phishing policies are designed to protect against email spoofing, impersonation, and compromised email accounts. Additionally, Office 365 ATP learns how each individual user communicates with other users inside and outside the organization and builds a map of these relationships. This map allows Office 365 ATP to understand more details about how to ensure the right messages are identified as impersonation. Anti-phishing policies can be added, edited, and deleted in the Office 365 Security & Compliance Center. Each organization in Office 365 has a default anti-phishing policy that applies to all users. You can create custom anti-phishing policies that you can scope to specific users, groups, or domains within your organization.

Safe Links policies

When a user clicks a link in an email or document, Office 365 ATP Safe Links scans the website or the reputation of the link and determines if it is safe or malicious. Based on the ATP Safe Links policies configured, users will either be able to open the link, receive a warning, or be blocked from accessing it.

Safe Attachments policies

Office 365 ATP Safe Attachments scans email attachments and files in SharePoint Online, OneDrive for Business, and Microsoft Teams to determine if they are malicious. Once identified as malicious, the file is blocked, replaced, or delivered based on the ATP Safe Attachments policies configured.

ATP Safe Attachments policies can be configured to:

  • Block emails with malicious attachments from proceeding.
  • Deliver messages immediately while the attachment is scanned in the background.
  • Remove detected malware from emails and notify the user.

Take a look at our best practices for configuring Exchange Online Protection for more tips on blocking unwanted emails from reaching your users.

Learn more

Check back in a few weeks for our next blog post, “Step 9: Protect your OS,” which will give you tips for configuring Windows Defender Advanced Threat Protection to block new and emerging threats on Windows 10.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.


The post Step 8. Protect your documents and email: top 10 actions to secure your environment appeared first on Microsoft Security.

The language of InfoSec

Microsoft Malware Protection Center - Mon, 04/08/2019 - 11:00am

As the cybersecurity industry has evolved, one dynamic has remained consistent: our industry “speak”. We use a language that is unique, difficult for newcomers to understand, and oftentimes just plain sensationalistic. While any industry has its own technical terms, our language can also be a barrier to recruitment for many. This should concern all of us in cybersecurity as we look to become more inclusive, rather than exclusive.

Language often reflects and supports a culture. Culture is defined by language norms and values of its people. It is easy to become conditioned to the way we speak and use terminology. As we look to how we can encourage industry growth and maturity, we should strive to evolve the way we use our industry’s nomenclature to be more open and consider how we are defining and shaping our industry’s culture through language. The exciting thing is, the opportunity is right before us, because cybersecurity is constantly evolving.

There are many examples of words that are part of the InfoSec culture – words that do not easily translate to people without a deep industry background. My approach is to avoid hyper technical or sensationalistic terms, and to create a language baseline that is simple and inclusive. Then, I put it to the test: Is the cyber language we’re speaking something my family can understand? Are there other terms we could use to simplify unique technical terms? Can we all agree to search for new words and try them out?

Let’s consider terms like sandboxing, detonation chamber, whitelists, blacklists, and so forth. While each have specific purposes, we should ask ourselves: are there different ways of saying the same things or defining these terms? What would the synonym be for “blacklist” and would “filtering known bad sites” or “risk lists” suffice?

We must also examine and test whether ways of speaking that are more easily understood help to make the industry appear more open and accepting to a broader, more diverse audience or talent population. This is not a matter of appearing politically correct – it is a matter of being pragmatic and understanding that we will not solve the talent shortage in cybersecurity if we do not make some fundamental changes to the industry. One of the simple changes we could make is to make our common industry vernacular less intimidating.

Testing the waters, I fielded this very topic about whether our industry terms are terrifying and/or confusing to those not in the industry. While many shared examples of cyber terms we should explore, there was agreement that most of our vernacular leans to weaponized or militaristic language.

As a technology professional with 30 years of experience working for companies that are not pure security focused, I have spent many hours creating glossaries and explaining InfoSec language to my colleagues. Quite often there are raised eyebrows and snickers at some of the things we consider common language – as well as questioning and commentary on how unique security people are. I have no issue with uniqueness or deep skills, but that does not mean everything the industry does needs to be unique. The days of security by obscurity are dead.

The cyber insiders club we have created for ourselves is not what makes us special. What makes us special is that we are required to adapt quickly, evolve, and grow. If we don’t, we will become extinct. Bad actors are continually changing and modernizing their tools and methods. They recognize the evolution of InfoSec as an opportunity of scale. By allowing more people to easily understand the fundamentals of security and take an active role in shaping its culture, we can and will build better defenses. Imagine how much easier your job would be if you didn’t spend the first 30 minutes of every InfoSec-related meeting developing a common understanding of language.

If we are to truly influence and shape our industry’s culture, I am asking everyone in the industry to examine how and what we communicate, and how the language we use can make cybersecurity easier to understand, so that we become more open and inclusive. We can do so much if we embrace change and growth, and open our arms to those who have so much to contribute, but who may not “speak” our language.

The post The language of InfoSec appeared first on Microsoft Security.

Steer clear of tax scams

Microsoft Malware Protection Center - Fri, 04/05/2019 - 12:00pm

In the month of February, we saw an average of 300,000 phishing attempts across Microsoft’s browsing platforms daily. Our security experts expect these attempted scams to become increasingly more prevalent through the April 15 Tax Day, especially in the two weeks leading up to it, when about 25 percent of people file their taxes. The phishing campaigns we’ve seen aren’t just in the U.S., though; we’ve also recently uncovered similar tactics in Canada, Brazil and India. It’s important for users across the globe to follow best practices and stay vigilant.

With less than a month until the filing deadline in the U.S., we are urging the public to take the following simple steps to avoid tax scams – especially during the last-minute rush to file taxes.

  • Watch for suspicious emails. Be suspicious of all links and attachments, especially when the email seems “off” or unexpected – like an unexpected email from your credit card company or financial institution. Phish-y emails often include spelling and grammatical errors, or will ask you to send personal information. In these cases, you can apply additional scrutiny to the sender, the content, and any links and attachments. If you know the sender, for example, you can double-check with them before opening or downloading the file.
  • Carefully inspect URLs. Hover over links to verify that the URL goes to the website where it’s supposed to direct you. Is it pointing to the site you expected? URL shorteners provide a lot of convenience, but can make this inspection difficult. If you’re unsure, rather than clicking a link, use search engines like Bing to get to the tax-related website you’re looking for and log in from there.
    We recently discovered a phishing campaign targeting Canadian taxpayers, in which scammers pretended to help them get their refunds but really aimed to steal banking credentials. We’ve also seen old phishing documents resurface – these claim to be from the Canada Revenue Agency (CRA), inform victims that they have a refund via e-transfer from the CRA, and ask them to divulge their bank details where the funds will be “deposited”. We’ve also seen similar campaigns in Brazil and India.
  • Be wary of any attachments. If you haven’t just made a purchase for tax software, don’t be tricked by getting an email with an invoice from a tax preparation company. Sending fake invoices for services is one of the top methods attackers use to trick people into opening a malicious attachment that could automatically execute malware on your computer. Malicious attachments could also contain links that download and execute malicious programs. We’ve seen PDFs that contain innocuous-looking links that lead to people accidentally downloading malicious software designed to steal credentials, like usernames and passwords.
  • Don’t rely on passwords alone. Scammers take advantage of weak or stolen passwords used across multiple websites, so don’t just rely on your password to keep you safe. When possible, always use multi-factor authentication like the Microsoft Authenticator app for managing your sign-ins for Microsoft accounts and others, and Windows Hello for easy and secure sign-in to your Windows 10 device. These solutions enable biometric authentication like your face or fingerprint to quickly and safely sign in across devices, apps and browsers without you having to remember passwords. Did you know that with a Microsoft Account, you can securely and automatically sign in to other Microsoft cloud-based applications including Bing, MSN, Cortana, Xbox Live (PC only), Microsoft Store and Office?
  • Keep software current. Run a modern operating system, like Windows 10 or Windows 10 in S mode, with the latest security and feature updates, in tandem with next-generation anti-malware protection, such as Windows Defender Antivirus.
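The “Carefully inspect URLs” tip above can be applied mechanically to an HTML message: for every link, compare the domain the visible text shows with the domain the href actually opens, and flag shortened URLs whose destination cannot be inspected. The following is an added illustration, not code from the original post or from Microsoft; the shortener list and the sample message are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public URL shorteners to flag (constructed list; extend as needed).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude eTLD+1 (last two labels); fine for the illustration."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def inspect_links(html_body):
    """Return (href, visible_text, reason) for every link a reader should distrust."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) in SHORTENERS:
            findings.append((href, text, "shortened URL hides destination"))
            continue
        # If the visible text looks like a URL, the domain it shows
        # must match the domain the link actually opens.
        shown = re.match(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append((href, text, "link text domain differs from href domain"))
    return findings

# Constructed sample of a fake tax-refund notice (not a real message).
SAMPLE_EMAIL = """
<p>Your refund is ready: <a href="https://irs.gov.refund-check.example/login">
https://www.irs.gov/refunds</a></p>
<p>Or view the status <a href="http://bit.ly/3xyzabc">here</a>.</p>
<p>Questions? Visit <a href="https://www.irs.gov/help">www.irs.gov/help</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in inspect_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

A real mail gateway would use a proper public-suffix list instead of the two-label shortcut, but the mismatch check itself is the same one a reader performs by hovering.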

Microsoft security solutions can proactively inspect links and attachments, as well as block phishing documents and other malicious downloads to help protect users, even if they accidentally click a phishing link or open a malicious attachment. We expect tax scams to be on the rise in the next several months as global tax deadlines approach, so our experts will be on the lookout for new campaigns.

Here are a couple of examples of what we’ve seen just in the last few weeks: two documents named irs_scanned_551712.doc and Tax(IP.PIN).doc. You’ll notice that the security tools built into Microsoft Office caught these and displayed a warning at the top. Before enabling content in documents like these, ensure that the sender is a trusted source, and notice things like missing or misspelled words.

Be on the lookout for scams like we’ve described here. There will undoubtedly be more schemes that crop up. Stay vigilant! Learn how to report phishing scam websites through Microsoft Edge or Internet Explorer and suspicious email messages through Outlook 2016 or Office 365.

Keep these tips and tricks handy, and share with your networks so we can increase awareness of and stop the spread of Tax Day scams! For more information about Microsoft Security, please visit

The post Steer clear of tax scams appeared first on Microsoft Security.

Secure access to your enterprise with Microsoft 365 Enterprise E5

Microsoft Malware Protection Center - Wed, 04/03/2019 - 3:00pm

Most lessons in cybersecurity are born out of necessity. In this case, it was my need for a haircut.

Last weekend, I was reminded why it’s time to rethink the conventional wisdom about secure passwords and user access. I was making an appointment online and at the very end of the process, the website asked me to sign in to complete the transaction. The problem? I had forgotten my password. I was prompted to answer security questions and then reset my password with a new eight-character word that includes at least one capital letter, one lowercase letter, a number, and a symbol. The thing that bothers me is that I considered re-using another password—maybe the one I use for Facebook or OpenTable—at least then I’d remember it! But I’m in the security industry. I know better. I’ve heard too many stories about a hacker stealing a password from some no-name site only to parlay it into access to a large organization. In the end, I did what we always tell our users to do and generated a unique password (I really needed that haircut), but I understand why so many users don’t. It’s an impossible task, and the truth is, these rules aren’t making us any more secure.

What if we could make user access simpler for users and simultaneously more secure for the enterprise? That’s the topic of the first e-book in a six-part series that describes how you can use the full Microsoft 365 Enterprise E5 suite to comprehensively address today’s security challenges without reducing employee productivity.

The first e-book, Secure access to your enterprise, tells the story of Christina, Vice President of Operations, who is savvy about security, but is also very busy. The e-book gives you a real-world perspective on how the requirements of her job can put the enterprise at risk, even when she does everything right. Learn how Azure Active Directory (Azure AD) integrates with other security products in Microsoft 365 to reduce the likelihood that a user’s password will be stolen, detect when a user has been compromised, and to give you back control when a user is compromised.

Reduce the likelihood that a user’s credentials will be stolen

One of the reasons that user credentials are stolen or guessed is that people must remember so many of them. Even your most senior users may use the same password for several applications, which increases the likelihood that the password will be stolen. A good user access solution simplifies access, so your users are encouraged to use secure authentication methods, and it verifies user identity at every sign-in. The Secure access to your enterprise e-book provides more context around why passwords are at risk and offers up solutions such as Azure AD single sign-on (SSO) that are simple and more secure.

Detect when a user has been compromised

Even when good preventative practices are in place, you need to adopt an “assume breach” mindset. Bad actors have the patience and resources to find and exploit even the smallest vulnerability. Eventually someone in your organization will be compromised. Conditional access can detect when user sign-in behavior deviates from the norm and apply automated, custom policies to confirm identity before providing access.

Take back control of compromised identities

Once you’ve determined that a user has been compromised, you need to respond quickly. Bad actors have been known to sell credentials on the dark web, and once they are inside your organization, they will look for ways to get access to your most valuable data. The Secure access to your enterprise e-book includes several examples of how Microsoft 365 Enterprise E5 products help you respond quickly to limit the damage if you suffer a security breach.

Learn more

Download the Secure access to your enterprise e-book for more details on how you can move your organization towards a password-less future. Check back next week to read the second e-book in this series, “Discover and manage shadow IT,” which describes how to safeguard your organization against unsanctioned cloud apps and rogue devices.

The post Secure access to your enterprise with Microsoft 365 Enterprise E5 appeared first on Microsoft Security.

Announcing new capabilities for the Microsoft Azure Security Center

Microsoft Malware Protection Center - Wed, 04/03/2019 - 11:05am

Microsoft Azure Security Center—the central hub for monitoring and protecting against related incidents within Azure—has released new capabilities. The following features—announced at Hannover Messe 2019—are now generally available for the Azure Security Center:

  • Advanced Threat Protection for Azure Storage—Layer of protection that helps customers detect and respond to potential threats on their storage account as they occur—without having to be an expert in security.
  • Regulatory compliance dashboard—Helps Security Center customers streamline their compliance process by providing insight into their compliance posture for a set of supported standards and regulations.
  • Support for Virtual Machine Scale Sets (VMSS)—Easily monitor the security posture of your VMSS with security recommendations.
  • Dedicated Hardware Security Module (HSM) service, now available in U.K., Canada, and Australia—Provides cryptographic key storage in Azure and meets the most stringent customer security and compliance requirements.
  • Azure disk encryption support for VMSS—Now Azure disk encryption can be enabled for Windows and Linux VMSS in Azure public regions—enabling customers to help protect and safeguard the VMSS data at rest using industry standard encryption technology.

In addition, support for virtual machine scale sets is now generally available as part of the Azure Security Center. To learn more, read our Azure blog.

The post Announcing new capabilities for the Microsoft Azure Security Center appeared first on Microsoft Security.

Announcing the Microsoft Graph Security Hackathon winners

Microsoft Malware Protection Center - Mon, 04/01/2019 - 3:00pm

Bringing together information from multiple disconnected security systems to solve today’s security challenges is complex. We recently asked Microsoft Graph Security Hackathon participants to come up with innovative solutions using the Microsoft Graph Security API, and they did not disappoint.

We were excited to get a diverse set of submissions that covered real world security use cases, including security operations, user risk management, alerts enrichment, incident response, and analytics. It was truly inspiring to see the effort and creativity that teams and individuals put into their applications.

With that, please join us in congratulating the winners of the Microsoft Graph Security Hackathon.

First place: Microsoft User Security Evaluation Reporter

The Microsoft User Security Evaluation Reporter (MS-USER), from Darren Robinson, helps service desks and cybersecurity leads get instant visibility into their organization’s user security posture. Leveraging the Graph Security API and Microsoft Secure Score, the MS-USER app pulls together user and event information and includes recommended actions for remediating risks. The application also checks against the Have I Been Pwned database to give administrators and service desk personnel additional context on a user’s password security. This solution makes it easy to reach out to users and give them simple, actionable advice to improve their security, and as a result, the security of the rest of the organization. Darren will be joining us at our session at the Microsoft Build conference in Seattle, Washington, May 6-8, 2019. Definitely take a moment to check out his app today at

Runner up: Microsoft Graph Security—Security Alerts Enrichment

The Security Alerts Enrichments solution, submitted by Josh Rickard, is based on the Swimlane platform and ties together alerts with threat indicators and actions. The team created two applications that use Graph Security alerts to automate the creation of a threat intelligence feed, which can then be used to automate remediation of threats in the customer’s on-premises firewall appliance, which in this case is the Palo Alto Panorama Firewall. The second application ties in five different threat intelligence sources for enrichment. This is a great example of the power of a Security Orchestration Automation and Response (SOAR) solution. We encourage you to check it out at

Popular choice: OneGraph

The OneGraph application, from Abhishek Joshi, enables organizations to quickly investigate, analyze, and respond to security threats. The application allows users to get a quick view of all their alerts and statuses, and easily drill down into things like specific threats, users affected, and alerts from specific providers. We really liked the tie-in with Microsoft Planner that allows alerts to be assigned to specific people or groups. The integration with Microsoft Teams was a great use case that enables quick response. We hope you take a moment to look at this app at

Again, congratulations to the winners and a huge thank you to all participants in the hackathon. We also wanted to take a moment to thank our all-star panel of judges for taking time out of their busy schedules to review and provide feedback on all the submissions. Many thanks for the support to Ann Johnson, Rich Howard, Scott Hanselman, Mark Russinovich, Troy Hunt, and Olli Vanhoja.

Finally, if any of this has inspired you to develop your own security app or solution, here are some resources to get you started:

The post Announcing the Microsoft Graph Security Hackathon winners appeared first on Microsoft Security.