Building Zero Trust networks with Microsoft 365
The traditional perimeter-based network defense is obsolete. Perimeter-based networks operate on the assumption that all systems within a network can be trusted. However, today's increasingly mobile workforce, the migration towards public cloud services, and the adoption of Bring Your Own Device...
How to share content easily and securely
This is the seventh post in our eight-blog series on deploying Intelligent Security scenarios. To read the previous entries, check out the Deployment series page. Cumbersome restrictions and limitations on mobile devices, apps, and remote access can be taxing from an IT perspective and frustratin...
Latest Astaroth living-off-the-land attacks are even more invisible but not less observable
Following a short hiatus, Astaroth came back to life in early February sporting significant changes in its attack chain. Astaroth is an info-stealing malware that employs multiple fileless techniques and abuses various legitimate processes to attempt running undetected on compromised machines. Th...
Developing connected security solutions
Many organizations deploy dozens of security products and services from Microsoft and others to combat increasing cyberthreats. As a result, the ability to quickly extract value from these solutions has become more challenging. This creates opportunity for developers to build solutions that augme...
Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers
A persistent malware campaign has been actively distributing an evolved browser modifier malware at scale since at least May 2020. At its peak in August, the threat was observed on over 30,000 devices every day. The malware is designed to inject ads into search engine results pages. The threat...
Best practices for securely using Microsoft 365—the CIS Microsoft 365 Foundations Benchmark now available
This post was cowritten by Jonathan Trull, Chief Security Advisor, Cybersecurity Solutions Group, and Sean Sweeney, Chief Security Advisor, Cybersecurity Solutions Group. We're excited to announce the availability of the Center for Internet Security's (CIS) Microsoft 365 Foundations Benchmark, develope...
CISO series: Secure your privileged administrative accounts with a phased roadmap
In my role, I often meet with CISOs and security architects who are updating their security strategy to meet the challenges of continuously evolving attacker techniques and cloud platforms. A frequent topic is prioritizing security for their highest value assets, both the assets that have the mos...
Windows Defender ATP has protections for USB and removable devices
Meet Jimmy. Jimmy is an employee in your company. He Does Things With Computers (official title). Last Wednesday, as Jimmy got out of his car after parking in the company-owned parking lot, he saw something on the ground. That something is a 512GB USB flash drive! Jimmy picks up the drive, whistlin...
Oversharing and safety in the age of social media
Many years ago, I worked with healthcare organizations to install infrastructure to support the modernization of their information systems. As I traversed hospitals – both in public and private sectors – I was often struck by one particular best practice: the privacy reminders were ubiquitous. If...
How security can keep media and sources safe
The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Runa Sandvik, an expert on journalistic...
The state of apps by Microsoft identity: Azure AD app gallery apps that made the most impact in 2020
2020 was an unprecedented year, to say the least. The COVID-19 global pandemic drastically changed how we work, learn, and collaborate. Organizations had to find new ways to connect and maintain productivity while providing secure access to critical apps and resources. Our own Microsoft services,...
Virtualization-based security (VBS) memory enclaves: Data protection through isolation
The escalating sophistication of cyberattacks is marked by the increased use of kernel-level exploits that attempt to run malware with the highest privileges and evade security solutions and software sandboxes. Kernel exploits famously gave the WannaCry and Petya ransomware remote code execution...
Profiling DEV-0270: PHOSPHORUS’ ransomware operations
Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations,...
Office VBA + AMSI: Parting the veil on malicious macros
As part of our continued efforts to tackle entire classes of threats, Office 365 client applications now integrate with the Antimalware Scan Interface (AMSI), enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior. Macro-based threats...
3 strategies for building an information protection program
Five years ago, we started on a journey to update and simplify information protection at Microsoft. We had a manual data classification process that our users didn’t use effectively and didn’t work with our data storage or database technology. We had to find ways to re-classify data and build...
CISO series: Build in security from the ground up with Azure enterprise
As an executive security advisor at Microsoft and a former CISO, I meet with other CISOs every week to discuss cybersecurity, cloud architecture, and sometimes everything under the sun regarding technology. During these discussions with CISOs and other senior security executives of large...
Microsoft Threat Protection leads in real-world detection in MITRE ATT&CK evaluation
The latest round of MITRE ATT&CK evaluations proved yet again that Microsoft customers can trust they are fully protected even in the face of such an advanced attack as APT29. When looking at protection results out of the box, without configuration changes, Microsoft Threat Protection (MTP): Provid...
How to prevent lateral movement attacks using Microsoft 365 Defender
It’s been 10 years since the first version of the Mitigating Pass-the-Hash Attacks and Other Credential Theft whitepaper was made available, but the techniques are still relevant today, because they help prevent attackers from gaining a network foothold and using credential-dumping tools to extra...
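The credential-theft techniques the whitepaper addresses leave a recognizable trace when an attacker reuses a stolen hash: a burst of successful NTLM network logons from one workstation and one account to many hosts within minutes. The following is an added detection example written for this page, not code from the whitepaper or the post. The field names follow Windows Security Event ID 4624 (LogonType, AuthenticationPackageName, IpAddress, TargetUserName), but the events are constructed, and the 10-minute window and three-host threshold are assumptions to tune per environment.

```python
"""Flag NTLM network-logon fan-out typical of pass-the-hash lateral movement.

Added example, not code from the whitepaper or the post above. Field names
follow Windows Security Event ID 4624; the events are constructed and the
window/threshold values are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: an admin account hopping across four hosts in seconds
# over NTLM, plus benign interactive, Kerberos and failed logons that must not alert.
EVENTS = [
    {"time": "2024-05-01T09:00:01", "id": 4624, "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.5.23", "user": "admin-jdoe", "host": "FS01"},
    {"time": "2024-05-01T09:00:04", "id": 4624, "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.5.23", "user": "admin-jdoe", "host": "FS02"},
    {"time": "2024-05-01T09:00:07", "id": 4624, "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.5.23", "user": "admin-jdoe", "host": "HR-PC07"},
    {"time": "2024-05-01T09:00:09", "id": 4624, "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.5.23", "user": "admin-jdoe", "host": "DC01"},
    {"time": "2024-05-01T09:02:00", "id": 4624, "logon_type": 2, "auth": "NTLM", "src_ip": "10.0.5.23", "user": "admin-jdoe", "host": "WS-ADMIN"},
    {"time": "2024-05-01T09:05:00", "id": 4624, "logon_type": 3, "auth": "Kerberos", "src_ip": "10.0.5.41", "user": "jsmith", "host": "FS01"},
    {"time": "2024-05-01T09:06:00", "id": 4625, "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.5.23", "user": "admin-jdoe", "host": "DC02"},
    {"time": "2024-05-01T10:15:00", "id": 4624, "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.7.9", "user": "svc-backup", "host": "FS01"},
    {"time": "2024-05-01T10:45:00", "id": 4624, "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.7.9", "user": "svc-backup", "host": "FS02"},
]

WINDOW = timedelta(minutes=10)   # assumption: tune per environment
THRESHOLD = 3                    # distinct target hosts inside one window


def ntlm_network_logons(events):
    """Keep successful (4624) network (LogonType 3) logons authenticated with NTLM."""
    return sorted(
        (datetime.fromisoformat(e["time"]), e["src_ip"], e["user"], e["host"])
        for e in events
        if e["id"] == 4624 and e["logon_type"] == 3 and e["auth"].upper() == "NTLM")


def detect_fanout(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (source IP, account) that reaches >= threshold
    distinct hosts within any span of length `window`."""
    by_key = defaultdict(list)
    for t, ip, user, host in ntlm_network_logons(events):
        by_key[(ip, user)].append((t, host))
    alerts = []
    for (ip, user), seq in by_key.items():
        for t0, _ in seq:                      # slide the window start over each logon
            hosts = {h for t, h in seq if t0 <= t <= t0 + window}
            if len(hosts) >= threshold:
                alerts.append({"src_ip": ip, "user": user,
                               "first_seen": t0.isoformat(), "hosts": sorted(hosts)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(EVENTS):
        print(alert)
```

Fan-out like this is also produced by vulnerability scanners and software-deployment tools, so in practice the rule carries an allowlist of expected source IPs and service accounts; the point of the check is to surface an interactive admin account doing it from an ordinary workstation.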
The AI cybersecurity impact for IoT
I meet with customers around the globe in all sectors (banks with ATM networks, energy companies with critical infrastructure, natural resource companies with remote automated operations, healthcare organizations with medical devices, manufacturing companies with production environments) and they all...
Connect to the Intelligent Security Graph using a new API
Most organizations deal with high volumes of security data and have dozens of security solutions in their enterprise, making the task of integrating various products and services daunting and complex. The cost, time, and resources necessary to connect systems, enable correlation of alerts, and...
Microsoft Intelligent Security Association welcomes members of the Microsoft Virus Initiative
As we head into our annual partner conference, Microsoft Inspire, I’m excited to make a major announcement! The Microsoft Virus Initiative (MVI) is formally joining the Microsoft Intelligent Security Association (MISA). For more than 20 years, Microsoft and our antimalware partners have collaborated...
What’s new in Windows Defender ATP
Across Windows Defender Advanced Threat Protection (Windows Defender ATP) engineering and research teams, innovation drives our mission to protect devices in the modern workplace. Our goal is to equip security teams with the tools and insights to protect, detect, investigate, and automatically...
Microsoft investigates Iranian attacks against the Albanian government
Shortly after the destructive cyberattacks against the Albanian government in mid-July, the Microsoft Detection and Response Team (DART) was engaged by the Albanian government to lead an investigation into the attacks. At the time of the attacks and our engagement by the Albanian government,...
Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP
In MITRE's evaluation of endpoint detection and response solutions, Windows Defender Advanced Threat Protection demonstrated industry-leading optics and detection capabilities. The breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine...
Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities
Many of today’s threats evolve to incorporate as many living-off-the-land techniques as possible into the attack chain. The PowerShell-based downloader Trojan known as sLoad, however, puts all its bets on BITS. Background Intelligent Transfer Service (BITS) is a component of the Windows operating...
Step 10. Detect and investigate security incidents: top 10 actions to secure your environment
"Step 10. Detect and investigate security incidents" is the final installment in the Top 10 actions to secure your environment blog series. Here we walk you through how to set up Azure Advanced Threat Protection (Azure ATP) to secure identities in the cloud and on-premises. Azure ATP is a service i...
New macOS vulnerability, “powerdir,” could lead to unauthorized user data access
Following our discovery of the “Shrootless” vulnerability, Microsoft uncovered a new macOS vulnerability, “powerdir,” that could allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, thereby gaining unauthorized access to a user’s protected data. We...
Azure Sentinel updates: Improve your security operations with innovations from a cloud-native SIEM
Just a month ago, I communicated the details about Azure Sentinel reaching general availability. Since then, many customers have shared how Azure Sentinel has empowered their teams to be nimble and more efficient. ASOS, one of the largest online fashion retailers, is an excellent example of this...
Council of EU Law Enforcement Protocol improves cross-border cooperation
Last March, the Council of the European Union announced the new EU Law Enforcement Emergency Response Protocol to address the growing problem of planning and coordinating between governments, agencies, and companies when cyberattacks occur across international boundaries. Remember well-known...
Azure Sentinel—the cloud-native SIEM that empowers defenders is now generally available
Machine learning enhanced with artificial intelligence (AI) holds great promise in addressing many of the global cyber challenges we see today. They give our cyber defenders the ability to identify, detect, and block malware, almost instantaneously. And together they give security admins the abilit...
Step 2. Manage authentication and safeguard access: top 10 actions to secure your environment
This series outlines the most fundamental steps you can take with your investment in Microsoft 365 security solutions. We will provide advice on activities such as setting up identity management through Active Directory, malware protection, and more. In this post, we explain how to enable single...
Top 10 security steps in Microsoft 365 that political campaigns can take today
The increasing frequency of cyberattacks make clear that more must be done to protect key democratic institutions from cyber-enabled interference. With just a few weeks left before the U.S. midterm elections and early voting under way, campaigns must stay vigilant in protecting against cyberattacks to...
Microsoft research uncovers new Zerobot capabilities
Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices’ configurations often leave them exposed, and the number of internet-connected devices continues to grow...
From unstructured data to actionable intelligence: Using machine learning for threat intelligence
The security community has become proficient in using indicators of compromise (IoC) feeds for threat intelligence. Automated feeds have simplified the task of extracting and sharing IoCs. However, IoCs like IP addresses, domain names, and file hashes are in the lowest levels of the threat...
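Before any of the higher-level intelligence the post is about can be derived, the low-level IoCs still have to be pulled out of unstructured text such as advisories and incident write-ups, including the "defanged" spellings analysts use. The following extractor is an added example written for this page, not code from the post; the report text it parses is constructed, the addresses are documentation/test values, and the choice of which internal ranges to discard is an assumption.

```python
"""Pull indicators of compromise (IoCs) out of free-text reports.

Added example, not code from the post above. Handles the "defanged"
spellings analysts use (hxxp://, [.], (dot)) so the output is
machine-usable, and drops RFC 1918 / loopback / link-local addresses
that would only add noise to a feed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample text; the indicators are documentation/test values,
# not real infrastructure.
SAMPLE_REPORT = """
The loader beacons to hxxp://cdn-update[.]example[.]com/p.php and
hxxps://203[.]0[.]113[.]45:8443/gate. A second stage was dropped with
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Internal pivot observed from 10.0.0.7 to fileserver. MD5 of the dropper:
d41d8cd98f00b204e9800998ecf8427e. Contact abuse@example.net.
"""

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.IGNORECASE)
# Word boundaries keep the 32-char MD5 pattern from matching inside a SHA-256.
HASH_RES = {
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE),
}
# Internal ranges to drop (assumption). ipaddress.is_private would also drop
# the 203.0.113.0/24 documentation range, so the list is explicit here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def refang(text: str) -> str:
    """Undo common defanging so the regexes see real URLs and domains."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", ".", text, flags=re.IGNORECASE)
    return text.replace("[:]", ":").replace("[@]", "@")


def is_internal(ip: str) -> bool:
    """True for RFC 1918/loopback/link-local addresses or unparsable strings."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def extract_iocs(text: str) -> dict:
    text = refang(text)
    found = {k: set() for k in ("urls", "domains", "ips", "md5", "sha1", "sha256")}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)]")          # trailing sentence punctuation
        found["urls"].add(url)
        host = urlsplit(url).hostname or ""
        if IPV4_RE.fullmatch(host):
            if not is_internal(host):
                found["ips"].add(host)
        elif host:
            found["domains"].add(host.lower())
    # Scan what is left with URLs and e-mail addresses blanked out, so path
    # segments such as "p.php" and mailbox domains are not taken for domains.
    rest = EMAIL_RE.sub(" ", URL_RE.sub(" ", text))
    found["ips"].update(ip for ip in IPV4_RE.findall(rest) if not is_internal(ip))
    found["domains"].update(d.lower() for d in DOMAIN_RE.findall(rest))
    for name, rx in HASH_RES.items():
        found[name].update(h.lower() for h in rx.findall(rest))
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind}: {values}")
```

The output is exactly the "lowest level" the post describes: hashes and addresses that are trivial for an adversary to rotate. They are still the raw material for the correlation and behavior extraction the post goes on to discuss, which is why the extractor normalizes case and strips defanging before anything downstream sees them.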
CISO series: Partnering with the C-Suite on cybersecurity
In my last blog, we looked at five communication techniques that can help engage business managers in the work of cybersecurity. This week, we'll look at how to use those techniques to bring the C-Suite into the conversation. Not too long ago, I was speaking with the CIO of a large company some...
CISO series: Better cybersecurity requires a diverse and inclusive approach to AI and machine learning
Artificial Intelligence (AI) and machine learning have created lots of buzz with vendors. Being cast as the superheroes of technology is great for getting attention. But even Superman and Supergirl had their kryptonite. Could the lack of diversity and inclusiveness in the design teams and data type...
How to recover from a security breach
Experts estimate that ransomware attacks are up over 600 percent. For most companies, the issue isn’t if a cyberattack is going to happen, but when. Some security experts advise that the best way to recover from a security breach is to plan for it before it happens. Today we take you through:...
Key layers for developing a Smarter SOC with CyberProof-managed Microsoft Azure security services
This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA here. Security teams are struggling to reduce the time to detect and respond to threats due to the complexity and volume of alerts being generated from multiple security...
Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV
Consider this scenario: Two never-before-seen, heavily obfuscated scripts manage to slip past file-based detection and dynamically load an info-stealing payload into memory. The scripts are part of a social engineering campaign that tricks potential victims into running the scripts, which use the...
Two new Microsoft 365 offerings help address security and compliance needs
Today, we're introducing two new offerings to help address the security and compliance needs in an age of increasingly sophisticated cybersecurity threats as well as complex information protection needs due to regulations like GDPR. The new Identity & Threat Protection and Information Protection &...
Top 5 use cases to help you make the most of your Cloud Access Security Broker
The number of apps and the flexibility for users to access them from anywhere continues to increase. This presents a challenge for IT departments in ensuring secure access and protecting the flow of critical data with a consistent set of controls. Cloud Access Security Brokers (CASBs) are a new...
Introducing Windows Defender System Guard runtime attestation
At Microsoft, we want users to be in control of their devices, including knowing the security health of these devices. If important security features should fail, users should be aware. Windows Defender System Guard runtime attestation, a new Windows platform security technology, fills this need...
Microsoft Security—detecting empires in the cloud
Microsoft consistently tracks the most advanced threat actors and evolving attack techniques. We use these findings to harden our products and platform and share them with the security community to help defenders everywhere better protect the planet. Recently, the Microsoft Threat Intelligence...
Investigating identity threats in hybrid cloud environments
As the modern workplace transforms, the identity attack surface area is growing exponentially, across on-premises and cloud, spanning a multitude of endpoints and applications. Security Operations (SecOps) teams are challenged to monitor user activities, suspicious or otherwise, across all dimensio...
Ovum recommends Microsoft security to safeguard your hybrid and multi cloud environments
According to a new Ovum report, "Azure Sentinel…positions Microsoft to be a force for change in a security information and event management (SIEM) market that is ripe for disruption at the moment." As enterprises migrate to the cloud, they’re increasingly operating on-premises and cloud environmen...
Protecting Android clipboard content from unintended exposure
Considering mobile users often use the clipboard to copy and paste sensitive information, like passwords or payment information, clipboard contents can be an attractive target for cyberattacks. Leveraging clipboards can enable attackers to collect target information and exfiltrate useful data...
Secure your journey to the cloud with free DMARC monitoring for Office 365
Not knowing who is sending email “from” your organization is an enormous problem for IT managers for two reasons. One problem is “shadow IT”—cloud services that employees have signed up for without IT oversight. Many of these services send mail—to employees, customers, or marketing prospects—whic...
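DMARC monitoring answers the "who is sending as us" question through the aggregate (RUA) reports receivers send back, one row per source IP with the aligned DKIM and SPF verdicts. The summarizer below is an added example written for this page, not code from the post or any DMARC service; the XML is a constructed report in the RFC 7489 aggregate-report schema with documentation-range IPs, and the "known senders" inventory it is checked against is an assumption.

```python
"""Summarize a DMARC aggregate (RUA) report by sending source.

Added example, not code from the post above. The XML is a constructed
report in the RFC 7489 aggregate-report schema with documentation-range
IPs; it is not a real report from any provider.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_RUA = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1714521600</begin><end>1714607999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>  <!-- the corporate mail platform: both identifiers aligned -->
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- marketing SaaS signed up without IT: DKIM aligned, SPF not -->
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>mailer.saas.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- same SaaS before DKIM was configured: raw SPF passes, nothing aligns -->
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>mailer.saas.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- unknown source spoofing the domain; p=none so still delivered -->
    <row><source_ip>192.0.2.99</source_ip><count>57</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulk.badhost.example</domain><result>softfail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_rua(xml_text: str) -> dict:
    """Return the published policy and per-source-IP aligned/failed message counts."""
    root = ET.fromstring(xml_text)
    sources = defaultdict(lambda: {"messages": 0, "aligned": 0, "failed": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count") or 0)
        # DMARC passes when either DKIM or SPF is aligned with the From domain.
        # policy_evaluated already reflects alignment; the raw results under
        # auth_results do not (record 3 shows SPF "pass" for an unaligned domain).
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        sources[ip]["messages"] += count
        sources[ip]["aligned" if passed else "failed"] += count
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": dict(sources),
    }


def unknown_senders(summary: dict, known_ips: set) -> list:
    """Sources outside the inventory that fail DMARC on every message they sent."""
    return sorted(ip for ip, s in summary["sources"].items()
                  if s["aligned"] == 0 and s["failed"] > 0 and ip not in known_ips)


def partially_failing(summary: dict) -> list:
    """Sources that pass for some messages and fail for others (a misconfigured service)."""
    return sorted(ip for ip, s in summary["sources"].items() if s["aligned"] and s["failed"])


if __name__ == "__main__":
    s = summarize_rua(SAMPLE_RUA)
    print(s["domain"], "p=" + s["policy"])
    print("unknown:", unknown_senders(s, {"203.0.113.10"}))
    print("partially failing:", partially_failing(s))
```

With p=none every row above is still delivered, which is the point of the monitoring phase: the unknown source is visible in the report before the policy is tightened, and the shadow-IT service shows up as a sender that needs its SPF include or DKIM key fixed rather than blocked outright.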
When prompts become shells: RCE vulnerabilities in AI agent frameworks
In this article 1. A representative case study: Semantic Kernel 2. CVE-2026-26030: In-Memory Vector Store 3. CVE-2026-25592: Arbitrary file write through SessionsPythonPlugin 4. The vulnerability 5. Attack chain overview 6. Defending the agentic edge 7. Not bugs, but developed by design 8. CTF...
Vulnerable SDK components lead to supply chain risks in IoT and OT environments
December 8, 2022 update - Reflected additional research on Boa-related CVEs and updated supply chain diagram. Vulnerabilities in network components, architecture files, and developer tools have become increasingly popular attack vectors to gain access into secure networks and devices. External...
Executing on the vision of Microsoft Threat Protection
Over the last several months, we’ve provided regular updates on the rapid progress we’re making with Microsoft Threat Protection, which enables your organization to: Protect your assets with identity-driven security and powerful conditional access policies which ensure your assets are secured fro...