Ghost in the shell: Investigating web shell attacks

Recently, an organization in the public sector discovered that one of their internet-facing servers was misconfigured and allowed attackers to upload a web shell, which let the adversaries gain a foothold for further compromise. The organization enlisted the services of Microsoft’s Detection and...

Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks

The Office 365 Threat Research team has seen an uptick in the use of Office exploits in attacks across various industry sectors in recent months. In this blog, we will review several of these exploits, including a group of Office moniker exploits that attackers have used in targeted as well as...

Microsoft works with researchers to detect and protect against new RDP exploits

On November 2, 2019, security researcher Kevin Beaumont reported that his BlueKeep honeypot experienced crashes and was likely being exploited. Microsoft security researchers collaborated with Beaumont as well as another researcher, Marcus Hutchins, to investigate and analyze the crashes and...

Defending Exchange servers under attack

Securing Exchange servers is one of the most important things defenders can do to limit organizational exposure to attacks. Any threat or vulnerability impacting Exchange servers should be treated with the highest priority because these servers contain critical business data, as well as highly...

Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk

At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations. Multiple ransomware groups that have been accumulating access and maintaining...

Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis

Much of cybercrime today is fueled by underground markets where malware and cybercriminal services are available for purchase. These markets in the deep web commoditize malware operations. Even novice cybercriminals can buy malware toolkits and other services they might need for malware campaigns...

Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself

Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities. That depth of...

In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks

Our experience in detecting and blocking threats on millions of endpoints tells us that attackers will stop at nothing to circumvent protections. Even one gap in security can be disastrous to an organization. At Microsoft, we don’t stop finding new ways to fill in gaps in security. We go beyond...

Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks

Several weeks ago, the Windows Defender Advanced Threat Protection Windows Defender ATP team uncovered a new cyberattack that targeted several high-profile organizations in the energy and food and beverage sectors in Asia. Given the target region and verticals, the attack chain, and the toolsets...

Zerologon is now detected by Microsoft Defender for Identity

There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best...

Tackling phishing with signal-sharing and machine learning

Across services in Microsoft Threat Protection, the correlation of security signals enhances the comprehensive and integrated security for identities, endpoints, user data, cloud apps, and infrastructure. Our industry-leading visibility into the entire attack chain translates to enriched protecti...

Web shell attacks continue to rise

One year ago, we reported the steady increase in the use of web shells in attacks worldwide. The latest Microsoft 365 Defender data shows that this trend not only continued, it accelerated: every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threa...

How Microsoft 365 Security integrates with your broader IT ecosystem—part 3

Todays post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO. Customer satisfaction is one of the most important goals for Microsoft 365 Security. In part 1 of this series, we discussed Microsofts overall security strategy for connecting...

Analysis of a targeted attack exploiting the WinRAR CVE-2018-20250 vulnerability

In early March, we discovered a cyberattack that used an exploit for CVE-2018-20250, an old WinRAR vulnerability disclosed just several weeks prior, and targeted organizations in the satellite and communications industry. A complex attack chain incorporating multiple code execution techniques...

Silk Typhoon targeting IT supply chain

Executive summary: Microsoft Threat Intelligence identified a shift in tactics by Silk Typhoon, a Chinese espionage group, now targeting common IT solutions like remote management tools and cloud applications to gain initial access. While they haven't been observed directly targeting Microsoft...

Analyzing attacks taking advantage of the Exchange Server vulnerabilities

Microsoft continues to monitor and investigate attacks exploiting the recent on-premises Exchange Server vulnerabilities. These attacks are now performed by multiple threat actors ranging from financially motivated cybercriminals to state-sponsored groups. To help customers who are not able to...

HAFNIUM targeting Exchange Servers with 0-day exploits

Update 03/08/2021: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed ...

Exposing POLONIUM activity and infrastructure targeting Israeli organizations

Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center MSTIC tracks as POLONIUM. The associated indicators and tactics were used by the OneDrive team to improve detection of attac...

SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965

April 11, 2022 update – Azure Web Application Firewall WAF customers with Regional WAF with Azure Application Gateway now has enhanced protection for critical Spring vulnerabilities - CVE-2022-22963, CVE-2022-22965, and CVE-2022-22947. See Detect and protect with Azure Web Application Firewall...

Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’

Scripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats. Scripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run...

Protect against BlueKeep

Worms are the cause of many cyber headaches. They can easily replicate themselves to spread malicious malware to other computers in your network. As the field responders providing Microsoft enterprise customers with onsite assistance to serious cybersecurity threats, our Detection and Response Te...

Taking apart a double zero-day sample discovered in joint hunt with ESET

In late March 2018, I analyzed an interesting PDF sample found by ESET senior malware researcherAnton Cherepanov. The sample was initially reported to Microsoft as a potential exploit for an unknown Windows kernel vulnerability. During my investigation in parallel with ESET researchers, I was...

Securing the modern workplace with Microsoft 365 threat protection – part 1

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security. The roots of Microsoft 365 threat protection Over the next few weeks, well introduce you to Microsoft 365s threat protection services and demonstrate how Microsoft 365s threat protection leverages...

When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure

Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 is a deep dive on the attacker behavi...

When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks

Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker...

Now you see me: Exposing fileless malware

Attackers are determined to circumvent security defenses using increasingly sophisticated techniques. Fileless malware boosts the stealth and effectiveness of an attack, and two of last years major ransomware outbreaks Petya and WannaCry used fileless techniques as part of their kill chains. The...

Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082

October 1, 2022 update – Added information about Exploit:Script/ExchgProxyRequest.A, Microsoft Defender AV’s robust detection for exploit behavior related to this threat. We also removed a section on MFA as a mitigation, which was included in a prior version of this blog as standard guidance...

FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines

Office 365 Advanced Threat Protection Office 365 ATP blocked many notable zero-day exploits in 2017. In our analysis, one activity group stood out: NEODYMIUM. This threat actor is remarkable for two reasons: Its access to sophisticated zero-day exploits for Microsoft and Adobe software Its use of...

Best practices for defending Azure Virtual Machines

One of the things that our Detection and Response Team DART and Customer Service and Support CSS security teams see frequently during investigation of customer incidents are attacks on virtual machines from the internet. This is one area in the cloud security shared responsibility model where...

Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability

January 10, 2022 recap – The Log4j vulnerabilities represent a complex and high-risk situation for companies across the globe. This open-source component is widely used across many suppliers’ software and services. By nature of Log4j being a component, the vulnerabilities affect not only...

Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets

Since February 2023, Microsoft has observed password spray activity against thousands of organizations carried out by an actor we track as Peach Sandstorm HOLMIUM. Peach Sandstorm is an Iranian nation-state threat actor who has recently pursued organizations in the satellite, defense, and...

New sophisticated email-based attack from NOBELIUM

Microsoft Threat Intelligence Center MSTIC has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and...

Secured-core PCs: A brief showcase of chip-to-cloud security against kernel attacks

Gaining kernel privileges by taking advantage of legitimate but vulnerable kernel drivers has become an established tool of choice for advanced adversaries. Multiple malware attacks, including RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron, and campaigns by the threat actor STRONTIUM, have...

Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint

The increasing pervasiveness of cloud services in today’s work environments, accelerated by a crisis that forced companies around the globe to shift to remote work, is significantly changing how defenders must monitor and protect organizations. Corporate data is spread across multiple...

Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability

In August, Microsoft Threat Intelligence Center MSTIC identified a small number of attacks less than 10 that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as...

Gamifying machine learning for stronger security and AI models

To stay ahead of adversaries, who show no restraint in adopting tools and techniques that can help them attain their goals, Microsoft continues to harness AI and machine learning to solve security challenges. One area we’ve been experimenting on is autonomous systems. In a simulated enterprise...

Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021

Over the past year, the Microsoft Threat Intelligence Center MSTIC has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At CyberWarCon 2021, MSTIC analysts presented their analysis of these trends in Iranian nation state...

MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations

In recent weeks, the Microsoft Threat Intelligence Center MSTIC and Microsoft 365 Defender Research Team detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel. MSTIC assesses with high...

Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus

Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539 in a targeted campaign. Microsoft Threat Intelligence Center MSTIC attributes this campaign with high confidence to DEV-0322, a group...

Preparing your enterprise to eliminate passwords

Anyone who uses the internet knows the hassles of using a user name and password to access their own information, whether it’s their banking, online shopping, social media, medical information, etc. If you’re a CIO, a CISO, or any other exec at a company who is thinking about digital security, th...

Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus

As cybercriminals continue to exploit unpatched on-premises versions of Exchange Server 2013, 2016, and 2019, we continue to actively work with customers and partners to help them secure their environments and respond to associated threats. To date, we have released a comprehensive Security Updat...

Using Microsoft 365 Defender to protect against Solorigate

Microsoft security researchers continue to investigate and respond to the sophisticated cyberattack known as Solorigate also referred to as Sunburst by FireEye involving a supply chain compromise and the subsequent compromise of cloud assets. While the related investigations and impact assessment...

Combing through the fuzz: Using fuzzy hashing and deep learning to counter malware detection evasion techniques

Today’s cybersecurity threats continue to find ways to fly and stay under the radar. Cybercriminals use polymorphic malware because a slight change in the binary code or script could allow the said threats to avoid detection by traditional antivirus software. Threat actors customize their wares...

How to proactively defend against Mozi IoT botnet

Mozi is a peer-to-peer P2P botnet that uses a BitTorrent-like network to infect IoT devices such as network gateways and digital video records DVRs. It works by exploiting weak telnet passwords1 and nearly a dozen unpatched IoT vulnerabilities2 and it’s been used to conduct distributed...

Attackers use Morse code, other encryption methods in evasive phishing campaign

Cybercriminals attempt to change tactics as fast as security and protection technologies do. During our year-long investigation of a targeted, invoice-themed XLS.HTML phishing campaign, attackers changed obfuscation and encryption mechanisms every 37 days on average, demonstrating high motivation...

BazaCall: Phony call centers lead to exfiltration and ransomware

Our continued investigation into BazaCall campaigns, those that use fraudulent call centers that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media. Apart...

Preparing for your migration from on-premises SIEM to Azure Sentinel

The pandemic of 2020 has reshaped how we engage in work, education, healthcare, and more, accelerating the widespread adoption of cloud and remote-access solutions. In today’s workplace, the security perimeter extends to the home, airports, the gym—wherever you are. To keep pace, organizations...

Spotting brand impersonation with Swin transformers and Siamese neural networks

Every day, Microsoft Defender for Office 365 encounters millions of brand impersonation emails. Our security solutions use multiple detection and prevention techniques to help users avoid divulging sensitive information to phishers as attackers continue refining their impersonation tricks. In thi...

Mitigating vulnerabilities in endpoint network stacks

The skyrocketing demand for tools that enable real-time collaboration, remote desktops for accessing company information, and other services that enable remote work underlines the tremendous importance of building and shipping secure products and services. While this is magnified as organizations...

Microsoft finds new elevation of privilege Linux vulnerability, Nimbuspwn

Microsoft has discovered several vulnerabilities, collectively referred to as Nimbuspwn, that could allow an attacker to elevate privileges to root on many Linux desktop endpoints. The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy...