
726 matches found

Microsoft Malware Protection
added 2020/12/10 5:00 p.m., 208 views

Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers

A persistent malware campaign has been actively distributing an evolved browser modifier malware at scale since at least May 2020. At its peak in August, the threat was observed on over 30,000 devices every day. The malware is designed to inject ads into search engine results pages. The threat...

AI score 7.3
Exploits: 0

Microsoft Malware Protection
added 2021/05/06 4:00 p.m., 207 views

Business email compromise campaign targets wide range of orgs with gift card scam

Cybercriminals continue to target businesses to trick recipients into approving payments, transferring funds, or, in this case, purchasing gift cards. This kind of email attack is called business email compromise (BEC), a damaging form of phishing designed to gain access to critical business...

Exploits: 0

Microsoft Malware Protection
added 2021/07/22 5:00 p.m., 206 views

A guide to balancing external threats and insider risk

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Rockwell Automation Vice President and...

Exploits: 0

Microsoft Malware Protection
added 2021/06/02 6:00 p.m., 200 views

odix and Microsoft: Protecting users against malware attacks with free FileWall license

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA. The fight against malware has become the epic battle of our generation, placing businesses of all sizes against a never-ending stream of hackers and zero-day attacks bent on...

AI score 7.3
Exploits: 0

Microsoft Malware Protection
added 2021/07/13 10:30 p.m., 197 views

Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit

Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on...

CVSS 10, AI score 9.7, EPSS 0.9116
Exploits: 2

Microsoft Malware Protection
added 2021/05/06 4:00 p.m., 193 views

Business email compromise: How Microsoft is combating this costly threat

Amongst all cybercrime, phishing attacks continue to be the most prevalent today. With over 90 percent of attacks coming via email, it’s important that every organization has a plan to prevent these threats from reaching users. At Microsoft, we’re passionate about providing our customers with...

AI score 7.1
Exploits: 0

Microsoft Malware Protection
added 2021/06/01 4:00 p.m., 190 views

Understanding the threat landscape and risks of OT environments

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Chris Sistrunk, Technical Manager in...

AI score 0.5
Exploits: 0

Microsoft Malware Protection
added 2021/07/07 6:00 p.m., 188 views

How to build a privacy program the right way

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with attorney Whitney Merrill, an expert on...

AI score 1.3
Exploits: 0

Microsoft Malware Protection
added 2021/06/17 4:00 p.m., 187 views

Improve your threat detection and response with Microsoft and Wortell

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA. The way of working is changing rapidly. Many workloads are moving to the cloud and the pandemic accelerated organizations to provide infrastructure to aid employees working from...

AI score 7.3
Exploits: 0

Microsoft Malware Protection
added 2021/05/28 9:36 p.m., 186 views

Breaking down NOBELIUM’s latest early-stage toolset

As we reported in earlier blog posts, the threat actor NOBELIUM recently intensified an email-based attack that it has been operating and evolving since early 2021. We continue to monitor this active attack and intend to post additional details as they become available. In this blog, we highlight...

AI score 7.6
Exploits: 0

Microsoft Malware Protection
added 2021/01/28 5:00 p.m., 186 views

ZINC attacks against security researchers

In recent months, Microsoft has detected cyberattacks targeting security researchers by an actor we track as ZINC. The campaign originally came to our attention after Microsoft Defender for Endpoint detected an attack in progress. Observed targeting includes pen testers, private offensive securit...

AI score 8.5
Exploits: 0

Microsoft Malware Protection
added 2021/03/15 4:00 p.m., 172 views

5 steps to enable your corporate SOC to rapidly detect and respond to IoT/OT threats

As organizations connect massive numbers of IoT/OT devices to their networks to optimize operations, boards and management teams are increasingly concerned about the expanding attack surface and corporate liability that they represent. These connected devices can be compromised by adversaries to...

AI score 0.7
Exploits: 0

Microsoft Malware Protection
added 2021/03/12 11:54 p.m., 162 views

Protecting on-premises Exchange Servers against recent attacks

For the past few weeks, Microsoft and others in the security industry have seen an increase in attacks against on-premises Exchange servers. The target of these attacks is a type of email server most often used by small and medium-sized businesses, although larger organizations with on-premises...

AI score 0.5
Exploits: 0

Microsoft Malware Protection
added 2016/11/01 5:47 p.m., 150 views

Our commitment to our customers’ security

This guest blog post is by Terry Myerson, Executive Vice President, Windows and Devices Group. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. And we take this responsibility very seriousl...

CVSS 10, AI score 0.2, EPSS 0.25198
Exploits: 0

Microsoft Malware Protection
added 2022/01/20 5:00 p.m., 149 views

Build a stronger cybersecurity team through diversity and training

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest post of our Voice of the Community blog series, Microsoft Security Product Marketing Manager Natalia Godyla talks with Heath Adams, Chief...

CVSS 9.3, AI score 9.8, EPSS 0.99999
Exploits: 347

Microsoft Malware Protection
added 2021/02/01 5:00 p.m., 148 views

Recent enhancements for Microsoft Power Platform governance

An emerging trend in digital transformation efforts has been the rise of low-code development platforms. Of course, these low-code platforms must be grounded in best-of-breed governance capabilities which include security and compliance features. Without strong governance, the full benefits of...

AI score 0.6
Exploits: 0

Microsoft Malware Protection
added 2021/02/04 7:00 p.m., 146 views

Automating and operationalizing data protection with Dataguise and Microsoft Information Protection

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA. In technical literature, the terms data discovery, classification, and tagging are sometimes used interchangeably, but there are real differences in what they actually mean—and each...

AI score 0.2
Exploits: 0

Microsoft Malware Protection
added 2022/01/10 5:00 p.m., 142 views

New macOS vulnerability, “powerdir,” could lead to unauthorized user data access

Following our discovery of the “Shrootless” vulnerability, Microsoft uncovered a new macOS vulnerability, “powerdir,” that could allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, thereby gaining unauthorized access to a user’s protected data. We...

CVSS 4.6, AI score 7.5, EPSS 0.13453
Exploits: 1

Microsoft Malware Protection
added 2021/05/05 10:00 p.m., 134 views

Stopping Carbanak+FIN7: How Microsoft led in the MITRE Engenuity® ATT&CK® Evaluation

In MITRE Engenuity’s recent Carbanak+FIN7 ATT&CK Evaluation, Microsoft demonstrated that we can stop advanced, real-world attacks by threat actor groups with our industry-leading security capabilities. In this year’s evaluation, we engaged our unified Microsoft 365 Defender stack, with...

Exploits: 0

Microsoft Malware Protection
added 2021/03/03 5:00 p.m., 133 views

XLM + AMSI: New runtime defense against Excel 4.0 macro malware

We have recently expanded the integration of Antimalware Scan Interface (AMSI) with Office 365 to include the runtime scanning of Excel 4.0 (XLM) macros, to help antivirus solutions tackle the increase in attacks that use malicious XLM macros. This integration, an example of the many security feature...

AI score 7.2
Exploits: 0

Microsoft Malware Protection
added 2023/06/29 4:00 p.m., 125 views

Patch me if you can: Cyberattack Series

Many organizations utilize third-party apps for identity security solutions to automate and unburden overtaxed IT admins from tedious tasks that employees can perform via self-service without IT assistance. But in September 2021, our researchers observed threat actors exploiting one such...

CVSS 7.5, AI score 7.3, EPSS 0.9896
Exploits: 8

Microsoft Malware Protection
added 2021/08/19 6:00 p.m., 121 views

How to proactively defend against Mozi IoT botnet

Mozi is a peer-to-peer (P2P) botnet that uses a BitTorrent-like network to infect IoT devices such as network gateways and digital video recorders (DVRs). It works by exploiting weak telnet passwords and nearly a dozen unpatched IoT vulnerabilities, and it’s been used to conduct distributed...

CVSS 10, AI score 0.2, EPSS 0.59259
Exploits: 23

Microsoft Malware Protection
added 2020/12/18 10:15 p.m., 121 views

Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

We, along with the security industry and our partners, continue to investigate the extent of the Solorigate attack. While investigations are underway, we want to provide the defender community with intelligence to understand the scope, impact, remediation guidance, and product detections and...

AI score 8.4
Exploits: 0

Microsoft Malware Protection
added 2021/03/24 7:00 p.m., 120 views

How one data scientist is pioneering techniques to detect security threats

Data science is an increasingly popular field of study that’s relevant to every industry. When Maria Puertas Calvo was a student, she never imagined that one day she would pioneer data science techniques to detect security threats. She started her Microsoft career on the Safety Platform team,...

AI score 0.2
Exploits: 0

Microsoft Malware Protection
added 2021/05/25 6:00 p.m., 119 views

Microsoft is a Leader in the 2021 Forrester Endpoint Security Software as a Service Wave

We are excited to share that Microsoft has been named a Leader in The Forrester Wave: Endpoint Security Software as a Service, Q2 2021, receiving one of the highest scores in the strategy category and among the top three scores in the current offering category. Forrester notes that “the focus on...

AI score 7.2
Exploits: 0

Microsoft Malware Protection
added 2022/09/07 9:00 p.m., 112 views

Profiling DEV-0270: PHOSPHORUS’ ransomware operations

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations,...

CVSS 9.3, AI score 0.7, EPSS 0.99999
Exploits: 432

Microsoft Malware Protection
added 2020/12/17 5:00 p.m., 112 views

Becoming resilient by understanding cybersecurity risks: Part 2

In part one of this blog series, we looked at how being resilient to cybersecurity threats is about understanding and managing the organizational impact from the evolution of human conflict that has existed since the dawn of humanity. In part two of this series, we further explore the imperative ...

AI score 7.1
Exploits: 0

Microsoft Malware Protection
added 2022/03/16 3:00 p.m., 110 views

Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure

Trickbot, a sophisticated trojan that has evolved significantly since its discovery in 2016, has continually expanded its capabilities and, even with disruption efforts and news of its infrastructure going offline, it has managed to remain one of the most persistent threats in recent years. The...

CVSS 6.4, AI score 0.8, EPSS 0.96087
Exploits: 23

Microsoft Malware Protection
added 2023/06/14 4:00 p.m., 102 views

Cadet Blizzard emerges as a novel and distinct Russian threat actor

As Russia’s invasion of Ukraine continues into its second year and Microsoft continues to collaborate with global partners in response, the exposure of destructive cyber capabilities and information operations provides greater clarity into the tools and techniques used by Russian state-sponsored...

CVSS 9.3, AI score 8.1, EPSS 0.99999
Exploits: 277

Microsoft Malware Protection
added 2021/08/10 6:00 p.m., 101 views

How security can keep media and sources safe

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Runa Sandvik, an expert on journalistic...

AI score 0.1
Exploits: 0

Microsoft Malware Protection
added 2021/06/30 5:00 p.m., 99 views

Microsoft finds new NETGEAR firmware vulnerabilities that could lead to identity theft and full system compromise

The continuous improvement of security solutions has forced attackers to explore alternative ways to compromise systems. The rising number of firmware attacks and ransomware attacks via VPN devices and other internet-facing systems are examples of attacks initiated outside and below the operating...

AI score 7.6
Exploits: 0

Microsoft Malware Protection
added 2023/03/13 4:00 p.m., 98 views

DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit

Adversary-in-the-middle (AiTM) phishing kits are part of an increasing trend that is observed supplanting many other less advanced forms of phishing. AiTM phishing is capable of circumventing multifactor authentication (MFA) through reverse-proxy functionality. DEV-1101 is an actor tracked by Microso...

AI score 7.2
Exploits: 0

Microsoft Malware Protection
added 2022/12/21 8:00 p.m., 95 views

Microsoft research uncovers new Zerobot capabilities

Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices’ configurations often leave them exposed, and the number of internet-connected devices continues to grow...

CVSS 10, AI score 0.5, EPSS 0.99975
Exploits: 347

Microsoft Malware Protection
added 2023/04/11 5:00 p.m., 93 views

Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign

This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. UEFI bootkits are particularly dangerous as they run at computer...

CVSS 4.9, AI score 7.1, EPSS 0.06567
Exploits: 1

Microsoft Malware Protection
added 2021/07/15 3:21 p.m., 92 views

Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware

The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits CVE-2021-31979 and CVE-2021-33771. Private-sector offensiv...

CVSS 7.2, AI score 0.4, EPSS 0.06204
Exploits: 0

Microsoft Malware Protection
added 2017/07/18 1:00 p.m., 90 views

Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware

For cybercriminals, speed is the name of the game. It takes newly released malware an average of just four hours to achieve its goal—steal financial information, extort money, or cause widespread damage. In a recent report, the Federal Trade Commission (FTC) said that cybercriminals will use hacked...

AI score 6.7
Exploits: 0

Microsoft Malware Protection
added 2021/09/02 4:00 p.m., 89 views

A deep-dive into the SolarWinds Serv-U SSH vulnerability

Several weeks ago, Microsoft detected a 0-day remote code execution exploit being used to attack the SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributed the attack with high confidence to DEV-0322, a group operating out of Chin...

CVSS 10, AI score 10, EPSS 0.9116
Exploits: 2

Microsoft Malware Protection
added 2017/08/07 1:00 p.m., 89 views

Links in phishing-like emails lead to tech support scam

Note: Our Tech support scams FAQ page has the latest info on this type of threat, including scammer tactics, fake error messages, and the latest scammer hotlines. You can also read our latest blog, New tech support scam launches communication or phone call app. Tech support scams continue to...

AI score 6.8
Exploits: 0

Microsoft Malware Protection
added 2017/11/13 1:54 p.m., 88 views

Detecting reflective DLL loading with Windows Defender ATP

Today's attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In...

AI score 6.8
Exploits: 0

Microsoft Malware Protection
added 2021/01/11 4:23 p.m., 87 views

New Surface PCs enable virtualization-based security (VBS) by default to empower customers to do more, securely

VBS and HVCI-enabled devices help protect from advanced attacks. Escalation of privilege attacks are a malicious actor’s best friend, and they often target sensitive information stored in memory. These kinds of attacks can turn a minor user mode compromise into a full compromise of your OS and...

AI score 7.1
Exploits: 0

Microsoft Malware Protection
added 2022/04/05 1:11 a.m., 86 views

SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965

April 11, 2022 update – Azure Web Application Firewall (WAF) customers with Regional WAF with Azure Application Gateway now have enhanced protection for critical Spring vulnerabilities - CVE-2022-22963, CVE-2022-22965, and CVE-2022-22947. See Detect and protect with Azure Web Application Firewall...

CVSS 7.5, AI score 9.8, EPSS 0.99939
Exploits: 186

Microsoft Malware Protection
added 2021/10/28 4:00 p.m., 81 views

Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection

Microsoft has discovered a vulnerability that could allow an attacker to bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We also found a similar technique that could allow an attacker to elevate their privileges to root an affected device. We shared...

CVSS 4.3, AI score 6.9, EPSS 0.10269
Exploits: 0

Microsoft Malware Protection
added 2018/02/21 5:00 p.m., 81 views

How to mitigate rapid cyberattacks such as Petya and WannaCrypt

In the first blog post of this 3-part series, we introduced what rapid cyberattacks are and illustrated how rapid cyberattacks are different in terms of execution and outcome. In the second blog post, we provided some details on Petya and how it worked. In this final blog post, we will share:...

AI score 7.2
Exploits: 0

Microsoft Malware Protection
added 2017/11/06 1:45 p.m., 79 views

Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks

The threat to sensitive financial information is greater than ever. Data breaches, phishing attacks, and other forms of information theft are all too common in today’s threat landscape. Point-of-sale systems and ATMs have been targeted by hackers. Information-stealing trojans pose a risk to data...

AI score 6.7
Exploits: 0

Microsoft Malware Protection
added 2021/03/26 10:00 p.m., 78 views

Securing our approach to domain fronting within Azure

Every single day our teams analyze the trillions of signals we see to understand attack vectors, and then take those learnings and apply them to our products and solutions. Having that understanding of the threat landscape is key to ensuring our customers are kept safe every day. However, being a...

AI score 7.1
Exploits: 0

Microsoft Malware Protection
added 2020/11/17 5:00 p.m., 79 views

Key layers for developing a Smarter SOC with CyberProof-managed Microsoft Azure security services

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA here. Security teams are struggling to reduce the time to detect and respond to threats due to the complexity and volume of alerts being generated from multiple security...

Exploits: 0

Microsoft Malware Protection
added 2022/09/08 3:00 p.m., 77 views

Microsoft investigates Iranian attacks against the Albanian government

Shortly after the destructive cyberattacks against the Albanian government in mid-July, the Microsoft Detection and Response Team (DART) was engaged by the Albanian government to lead an investigation into the attacks. At the time of the attacks and our engagement by the Albanian government,...

CVSS 7.5, AI score 1.2, EPSS 0.99999
Exploits: 92

Microsoft Malware Protection
added 2017/04/20 1:02 p.m., 77 views

Combating a spate of Java malware with machine learning in real-time

In recent weeks, we have seen a surge in emails carrying fresh malicious Java .jar malware that use new techniques to evade antivirus protection. But with our research team’s automated expert systems and machine learning models, Windows 10 PCs get real-time protection against these latest threats...

AI score 6.9
Exploits: 0

Microsoft Malware Protection
added 2020/11/30 10:30 p.m., 76 views

Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them

Cryptocurrency miners are typically associated with cybercriminal operations, not sophisticated nation state actor activity. They are not the most sophisticated type of threats, which also means that they are not among the most critical security issues that defenders address with urgency. Recent...

AI score 8.4
Exploits: 0

Microsoft Malware Protection
added 2021/04/09 4:31 p.m., 75 views

Investigating a unique “form” of email delivery for IcedID malware

Microsoft threat analysts have been tracking activity where contact forms published on websites are abused to deliver malicious links to enterprises using emails with fake legal threats. The emails instruct recipients to click a link to review supposed evidence behind their allegations, but are...

AI score 0.5
Exploits: 0

Total number of security vulnerabilities: 726