#BeCyberSmart: When we learn together, we’re more secure together

2021 has been a watershed year in cybersecurity. The pandemic continued to bring new challenges as attackers took advantage of overstretched security teams to unleash new human-operated ransomware1, malware, and nation-state attacks like those against Colonial Pipeline2 and JBS Food3. With the mo...

3 key resources to accelerate your passwordless journey

Every organization today faces password-related challenges—phishing campaigns, productivity loss, and password management costs to name just a few. The risks now outweigh the benefits when it comes to passwords. Even the strongest passwords are easily phish-able and vulnerable to attacks, such as...

Defend against zero-day exploits with Microsoft Defender Application Guard

Zero-day security vulnerabilities—known to hackers, but unknown to software creators, security researchers, and the public—are like gold to attackers. With zero-days, or even zero-hours, developers have no time to patch the code, giving hackers enough access and time to explore and map internal...

How nation-state attackers like NOBELIUM are changing cybersecurity

This is the first post in a four-part series on the NOBELIUM nation-state cyberattack. Microsoft started telling the industry about this extremely advanced cyberattack in December 2020. The NOBELIUM blog series—which mirrors Microsoft’s four-part video series “Decoding NOBELIUM”—will pull the...

A simpler, more integrated approach to data governance

It’s no secret that the volume of data created by organizations and people multiplies daily. And, in the digital—and hybrid work—world we live in, that data is spread across more tools, platforms, devices, and clouds than ever before, creating regulatory challenges and security risks. Organizatio...

FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor

Microsoft continues to work with partners and customers to track and expand our knowledge of the threat actor we refer to as NOBELIUM, the actor behind the SUNBURST backdoor, TEARDROP malware, and related components. As we stated before, we suspect that NOBELIUM can draw from significant...

A guide to combatting human-operated ransomware: Part 2

This blog is part two of a two-part series focused on how Microsoft DART helps customers with human-operated ransomware. For more guidance on human-operated ransomware and how to defend against these extortion-based attacks, refer to our human-operated ransomware docs page. In part one of this bl...

3 trends shaping identity as the center of modern security

I recently returned from Kenya, where I visited our Microsoft Nairobi development center. Like many of you, I’ve mostly worked from home for the past year and more, so it was refreshing to meet members of our global team and inspiring to feel their passion for our mission: delivering identity...

Catching the big fish: Analyzing a large-scale phishing-as-a-service operation

In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains—over 300,000 in a single run. This investigation led us down a rabbit hole as we unearthed one of the operations that enabled the campaign: a large-scale...

A guide to combatting human-operated ransomware: Part 1

This blog is part one of a two-part series focused on how Microsoft DART helps customers with human-operated ransomware. For more guidance on human-operated ransomware and how to defend against these extortion-based attacks, refer to our human-operated ransomware docs page. Microsoft’s Detection...

Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability

In August, Microsoft Threat Intelligence Center MSTIC identified a small number of attacks less than 10 that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as...

The passwordless future is here for your Microsoft account

Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives—from email to bank accounts, shopping carts to video games. We are expected to create complex and unique passwords,...

Afternoon Cyber Tea: Learn how to stop misinformation threats from nation-state bad actors

Information has long been wielded as an instrument of national power and influence. In today’s digital world, misinformation can also be just as powerful. On a special episode of Afternoon Cyber Tea with Ann Johnson, Sandra Joyce, Executive Vice President and Head of Mandiant Intelligence at...

Combat attacks with security solutions from Trustwave and Microsoft

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA. In 2021, cyberattacks and instances of ransomware demands against companies, agencies, and institutions have dominated the headlines. These kinds of attacks are on the rise and often...

Why diversity is important for a strong cybersecurity team

Medicine. Aeronautics. Academia. When you’re a cybersecurity professional, the colleague next to you could have started in one of these industries—or just about any other you can imagine. The backgrounds of cybersecurity professionals are more diverse than those of professionals in other...

3 steps to prevent and recover from ransomware

On July 14, 2021, the National Cybersecurity Center of Excellence1 NCCoE at the National Institute of Standards and Technology2 NIST hosted a virtual workshop3 to seek feedback from government and industry experts on practical approaches to preventing and recovering from ransomware and other...

A deep-dive into the SolarWinds Serv-U SSH vulnerability

Several weeks ago, Microsoft detected a 0-day remote code execution exploit being used to attack the SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center MSTIC attributed the attack with high confidence to DEV-0322, a group operating out of Chin...

Get free DMARC visibility with Valimail Authenticate and Microsoft Office 365

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA. Phishing and email spoofing not only erode brand trust but also leave recipients vulnerable to financial loss and serious invasions of privacy. These tactics have been around for...

Microsoft a Leader in 2021 Gartner® Magic Quadrant™ for Unified Endpoint Management Tools

In today’s changing business world, where flexibility is more crucial than ever, we’re honored that Gartner has again recognized Microsoft as a Leader in the Magic Quadrant for Unified Endpoint Management UEM Tools1. Over the last 18 months, millions of employees worldwide have had to shift their...

How to prepare for CMMC compliance as a defense industrial base supplier using the Microsoft cloud

In 2020, the US Department of Defense DoD began the phased rollout of a new framework for protecting their supply chain, known as the defense industrial base DIB. This new Cybersecurity Maturity Model Certification1 CMMC system requires regular audits that will bolster the security of the DIB,...

Widespread credential phishing campaign abuses open redirector links

Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links. Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking. Doing so leads to a series of...

Cybersecurity’s next fight: How to protect employees from online harassment

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Leigh Honeywell, CEO and Co-founder of Ta...

How Vodafone Global Security Director creates an inclusive and secure workplace

Moving to more flexible remote work policies has caused telecommunications giant Vodafone to rethink cybersecurity and the potential friction to users. Instead of relying on physical security controls in the office, the company has embraced a Zero Trust strategy that requires authenticating...

How to proactively defend against Mozi IoT botnet

Mozi is a peer-to-peer P2P botnet that uses a BitTorrent-like network to infect IoT devices such as network gateways and digital video records DVRs. It works by exploiting weak telnet passwords1 and nearly a dozen unpatched IoT vulnerabilities2 and it’s been used to conduct distributed...

Automating security assessments using Cloud Katana

Today, we are open sourcing Cloud Katana, a cloud-native serverless application built on the top of Azure Functions to assess security controls in the cloud and hybrid cloud environments. We are currently covering only use cases in Azure, but we are working on extending it to other cloud provider...

Trend-spotting email techniques: How modern phishing emails hide in plain sight

With the massive volume of emails sent each day, coupled with the many methods that attackers use to blend in, identifying the unusual and malicious is more challenging than ever. An obscure Unicode character in a few emails is innocuous enough, but when a pattern of emails containing this obscur...

Migrating content from traditional SIEMs to Azure Sentinel

In part two of this three-part series, we covered the five types of side-by-side security information and event management SIEM configurations commonly used during a long-term migration to Microsoft Azure Sentinel. For part three, we’ll be looking at best practices for migrating your data and...

Microsoft and NIST collaborate on EO to drive Zero Trust adoption

2020s Nobelium attack sent shock waves through both government and private sectors. 2021 has already seen large-scale nation-state attacks such as Hafnium1 alongside major ransomware attacks2 on critical infrastructure. The breadth and boldness of these attacks show that, far from being deterred,...

Attackers use Morse code, other encryption methods in evasive phishing campaign

Cybercriminals attempt to change tactics as fast as security and protection technologies do. During our year-long investigation of a targeted, invoice-themed XLS.HTML phishing campaign, attackers changed obfuscation and encryption mechanisms every 37 days on average, demonstrating high motivation...

7 ways to harden your environment against compromise

Here at the global Microsoft Compromise Recovery Security Practice CRSP, we work with customers who have experienced disruptive security incidents to restore trust in identity systems and remove adversary control. During 2020, the team responded to many incidents involving ransomware and the...

How security can keep media and sources safe

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Runa Sandvik, an expert on journalistic...

Sharing the first SimuLand dataset to expedite research and learn about adversary tradecraft

Last month, we introduced the SimuLand project to help security researchers around the world deploy lab environments to reproduce well-known attack scenarios, actively test detections, and learn more about the underlying behavior and implementation of adversary techniques. Since the release of th...

Spotting brand impersonation with Swin transformers and Siamese neural networks

Every day, Microsoft Defender for Office 365 encounters millions of brand impersonation emails. Our security solutions use multiple detection and prevention techniques to help users avoid divulging sensitive information to phishers as attackers continue refining their impersonation tricks. In thi...

How to manage a side-by-side transition from your traditional SIEM to Azure Sentinel

With every week bringing new headlines about crippling cyberattacks, and with organizations growing increasingly distributed, security teams are constantly asked to do more with less. Moving to cloud-native security information and event management SIEM can help security teams analyze data with t...

When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks

Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker...

Attack AI systems in Machine Learning Evasion Competition

Today, we are launching MLSEC.IO, an educational Machine Learning Security Evasion Competition MLSEC for the AI and security communities to exercise their muscle to attack critical AI systems in a realistic setting. Hosted and sponsored by Microsoft, alongside NVIDIA, CUJO AI, VM-Ray, and MRG...

Microsoft at Black Hat 2021: Sessions, bug bounty updates, product news, and more

Black Hat USA 2021 is about understanding the needs of security professionals and meeting you where you are. With last year’s pandemic-related firefighting still fresh in our minds, this year’s event will provide a welcome respite to learn about cutting-edge security solutions, build our skillset...

BazaCall: Phony call centers lead to exfiltration and ransomware

Our continued investigation into BazaCall campaigns, those that use fraudulent call centers that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media. Apart...

Zero Trust Adoption Report: How does your organization compare?

From the wide adoption of cloud-based services to the proliferation of mobile devices. From the emergence of advanced new cyberthreats to the recent sudden shift to remote work. The last decade has been full of disruptions that have required organizations to adapt and accelerate their security...

Combing through the fuzz: Using fuzzy hashing and deep learning to counter malware detection evasion techniques

Today’s cybersecurity threats continue to find ways to fly and stay under the radar. Cybercriminals use polymorphic malware because a slight change in the binary code or script could allow the said threats to avoid detection by traditional antivirus software. Threat actors customize their wares...

How to protect your CAD data files with MIP and HALOCAD

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA. Computer-aided design CAD files are used by design professionals in the manufacturing, engineering, architecture, surveying, and construction industries. These highly valuable files...

A guide to balancing external threats and insider risk

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Rockwell Automation Vice President and...

When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure

Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 is a deep dive on the attacker behavi...

Microsoft acquires CloudKnox Security to offer unified privileged access and cloud entitlement management

Today on the Official Microsoft Blog, Microsoft announced the acquisition of CloudKnox Security, a leader in Cloud Infrastructure Entitlement Management CIEM. CloudKnox offers complete visibility into privileged access. It helps organizations right-size permissions and consistently enforce...

The evolution of a matrix: How ATT&CK for Containers was built

Note: The content of this post is being released jointly with the Center for Threat-Informed Defense. It is co-authored with Chris Ante and Matthew Bajzek. The Center post can be found here. As containers become a major part of many organizations’ IT workloads, it becomes crucial to consider the...

Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware

The Microsoft Threat Intelligence Center MSTIC alongside the Microsoft Security Response Center MSRC has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits CVE-2021-31979 and CVE-2021-33771. Private-sector offensiv...

Microsoft delivers comprehensive solution to battle rise in consent phishing emails

Microsoft threat analysts are tracking a continued increase in consent phishing emails, also called illicit consent grants, that abuse OAuth request links in an attempt to trick recipients into granting attacker-owned apps permissions to access sensitive data. This blog offers a look into the...

MISA expands portfolio and looks ahead during Microsoft Inspire

This blog post is part of the Microsoft Intelligent Security Association MISA guest blog series. Learn more about MISA. Welcome to fiscal year 2022 FY22 and my first official blog as the MISA Lead. It’s been a whirlwind couple of months getting up to speed with all things MISA—closing out FY21...

How Microsoft Security empowers partners to build customer trust

As I reflect on my first year at Microsoft, it was both challenging and exceptional: from my remote onboarding in the middle of a pandemic to dramatic changes in the cyber landscape, to Microsoft’s critical role as a frontline responder in some of the most sophisticated cyberattacks in history an...

Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit

Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center MSTIC attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on...