Microsoft

Faster, more personalized service begins at the frontline with Microsoft Intune

Microsoft Malware Protection Center - 3 hours 57 sec ago

In healthcare, patient trust often begins at the frontline with people who deliver care, respond to questions, and manage crucial in-the-moment decisions. Increasingly, those experiences are shaped by the tools frontline workers use. When devices are secure, responsive, and tailored to clinical workflows, they enable faster, more informed, and more compassionate care.

For chief technology officers (CTOs), this raises important questions: How can frontline devices enhance productivity and responsiveness? And just as critically, how can organizations ensure those devices are secure, compliant, and ready to go at a moment’s notice?

Healthcare isn’t alone in these challenges. Industries like retail, where frontline teams also engage directly with the public in fast-paced, high-stakes environments, face similar pressures around device management, security, and scalability. This blog focuses on how modern endpoint management supports care and delivery at the frontline, with parallel insights drawn from the retail world to highlight shared strategies and solutions.

Learn how Microsoft Intune can help your organization securely manage frontline devices.

Microsoft Intune

Secure and manage every device from one place.

Learn more Why endpoint management matters at the frontline

Every frontline interaction is a potential brand moment that impacts trust and outcomes. A poor experience can ripple quickly, but the right tools in the hands of frontline staff can lead to faster, more personalized service. To deliver those experiences at scale, CTOs should consider three foundational principles for frontline device strategy:

Recognize that many devices are shared. With shift-based work, secure and seamless sign-on backed by a Zero Trust approach helps provide the right person access to the right tools, without delay.
Use a cloud-native approach to manage all devices. Whether company-issued or bring-your-own device (BYOD), cross-platform management keeps devices are up-to-date and ready to go, reducing setup times and support tickets.
Embrace innovations like Microsoft Copilot and Microsoft 365. AI-powered tools and Cloud PCs help organizations scale faster, enhance security, and give workers access to the latest experiences, without disruption.

Now let’s explore what this looks like in practice, starting with healthcare.

Healthcare in focus: Modern management for care delivery

In healthcare, frontline workers rely on shared devices that must be secure, personalized, and compliant. Microsoft Intune has helped hospitals like Milton Keynes University Hospital implement endpoint management for shared tablets used in nurse stations—tools that support real-time monitoring and communication.

Because staff rotate across shifts, easy sign-in is essential, and devices must only receive updates during defined maintenance windows. These shared tablets also require network restrictions and strict access controls to meet security standards without interrupting care.

Intune also supports iPad OS and configuration, helping frontline staff access patient information quickly and securely at the bedside, reducing friction and improving the overall care experience.

With AI-powered tools like Microsoft Copilot in Intune, healthcare IT teams can proactively identify issues, troubleshoot devices, and maintain compliance, all while reducing operational burden. As new AI agent capabilities emerge, they’ll enable even faster remediation of vulnerabilities, protecting sensitive patient data in an evolving cyberthreat landscape.

And with Windows 365 Frontline, healthcare organizations can provide scalable, secure access to virtual desktops for rotating clinical staff, delivering performance without the need to deploy and manage a physical device for every user.

Retail in focus: Elevating service and speed on the store floor

In retail environments, every frontline interaction is a brand opportunity, and device performance can make or break that moment.

At the National Retail Federation (NRF) conference in January 2025, companies like IKEA and Levi’s showcased how giving employees access to personalized devices helps them visualize products with customers and provide more tailored service.

Retail staff often rely on shared devices across shifts, so it’s critical that sign-in is fast, interfaces are familiar, and access is secure but streamlined. Temporary session PINs and pre-configured apps let employees start working, and serving customers, immediately.

At Schwarz Group (which includes 575,000 employees across 13,900 stores in 32 countries, including the Lidl and Kaufland retail brands) Intune supports staging and managing tens of thousands of employee devices. IT can remotely provision new devices with pre-defined configurations, eliminating time-consuming setups and ensuring tools are ready before the employee even logs in.

Retailers can also take advantage of Windows 365 Cloud PCs and Windows 365 Frontline to give employees secure access to key tools across locations and shifts, while simplifying management and keeping costs down.

Streamline and secure your device ecosystem with Microsoft Intune A better frontline experience leads to better outcomes

Whether it’s a customer shopping in store or a patient receiving care, the frontline experience shapes how people perceive your organization. When frontline tools are secure, responsive, and tailored to the user, staff can serve with confidence—and people feel the difference.

Now is the time to reassess your endpoint strategy. For healthcare organizations, secure, cloud-native device management can be one of the most powerful levers for improving patient outcomes and operational efficiency. And for industries with similar frontline demands, like retail, the same principles can deliver meaningful gains in speed, security, and customer satisfaction.

Explore how other leading organizations are benefiting from modern, cloud-native endpoint management. For more, check out Intune’s recent “From the frontlines” blog for retail or for healthcare, or other examples of Intune customer stories.

Learn more

Learn more about Microsoft Intune.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Faster, more personalized service begins at the frontline with Microsoft Intune appeared first on Microsoft Security Blog.

Categories: Microsoft

Explore practical best practices to secure your data with Microsoft Purview

Microsoft Malware Protection Center - Fri, 04/25/2025 - 12:00pm

According to the Microsoft 2024 Data Security Index, organizations experience an average of 156 data security incidents annually, and this cyberthreat continues to be a top concern for data security decision-makers.1 A full 82% of security decision-makers believe a comprehensive, fully integrated platform is superior to managing multiple isolated tools. Yet on average, teams are juggling 12 different data security solutions, creating complexity that increases their vulnerability.1

Also, as organizations increasingly turn to generative AI tools, the risk of sensitive data exposure or unauthorized use grows. This shift makes broad visibility into data risks across the digital landscape not only important—but essential. To effectively safeguard data in today’s environment, organizations need a robust and integrated data security strategy, bringing together data and user context across cloud apps, services, devices, AI tools, and more. Achieving this requires a holistic approach—one that unifies people, processes, and technology to protect what matters most.

At Microsoft, we help empower data security leaders to keep their most valuable assets—data—safe, and now we’re publishing Securing your data with Microsoft Purview: A practical handbook. This guide is designed for data security leaders to initiate and enhance data security practices, leveraging the extensive experience of Microsoft subject matter experts (SMEs) and relevant customer insights. The guide aims to help customers efficiently and effectively implement data security with Microsoft Purview, maximizing the solution’s value by focusing on a integrated strategy.

Learn more with Securing your data with Microsoft Purview: A practical handbook Stronger data security begins with a clear plan

Data security is critically important and with the right approach, it doesn’t need to be overly complicated. As in the implementation of any technology, when securing data, proper preparation can help organizations avoid major roadblocks and realize greater efficiency and value going forward. The guide we’re sharing can help data security teams frame their goals and prioritize opportunities that are actionable, attainable, and can lead to quick wins—such as effective initial policies and greater organizational commitment to data security goals.

Every organization faces unique data security challenges and have varying levels of risk tolerance. However, a universal struggle remains: balancing employee productivity with robust data security. This guide walks leaders through several key considerations for creating data security goals that integrate business objectives and compliance needs. It also provides insights on how to collaborate across the organization to understand the full scope of data security requirements and develop a cross-functional team of stakeholders.

Lastly, preparation also includes defining what success will look like for your organization’s data security strategy. The guide helps leaders choose clear metrics for evaluating the effectiveness of their data security deployments with Microsoft Purview and includes examples of success metrics to consider. Additionally, the guide helps organizations focus on resolving their biggest data security risks first, while allowing the flexibility to modify, add, or change success metrics as challenges and maturity level change.

Read the guide: Securing your data with Microsoft Purview Leveraging Microsoft Purview to secure your organization’s data

Once organizations set goals and prioritize data security opportunities, it’s time to assess their environment and implement robust protections to secure their data.

Teams today are under constant pressure to protect sensitive data from leaks, unintentional oversharing, insider cyberthreats and more—all while enabling collaboration and innovation. Businesses need tools to understand where their data is, who’s accessing it, and how it’s being used. With advanced detection and prevention capabilities, companies can identify potential risks before they become incidents—whether it’s an employee sharing confidential information externally or sensitive data being stored in the wrong location. By automating policy enforcement and surfacing actionable insights, companies can reduce human error, strengthen their data security posture, and respond swiftly to emerging cyberthreats, without disrupting everyday workflows.

With Microsoft Purview, organizations can aim to establish a strong data security program by uncovering hidden risks to data throughout its lifecycle, safeguarding against data loss, and mitigating risks from both internal and external security incidents. To successfully leverage these capabilities, the guidance included in the asset walks us through a deeply integrated suite of products, ensuring a cohesive approach to data security.

This practical guide will enable data security teams to get up to speed with Microsoft Purview’s integrated set of solutions and establish a strong data security program from the start. From understanding your organization’s data to developing policies that align with the business and compliance needs of your organization, there are several steps to take to ensure data security programs are better set up for success. This guide is designed to empower data security teams to confidently establish the right strategy to secure their organization’s data, from policy design to implementation, troubleshooting, and continual improvement—providing a comprehensive approach for organizations to prevent data risks.

Discover more with Securing your data with Microsoft Purview: A practical handbook The next steps on your data security journey

Once your organization has deployed Microsoft Purview and navigated the initial steps, you’ll be well poised to go deeper into adjacent opportunities and scenarios to further protect your organization.

From empowering data security teams and deep-content investigation with the application of generative AI, to integrating data security into the Security Operations Center experience, continuing your data security journey with intentionality can lead to enhanced protection and operational efficiency. Looking across the other aspects of data within an organization is also crucial, as data compliance and data governance complement data security—ensuring comprehensive protection and management of data across its lifecycle, while meeting regulatory requirements and unlocking value creation from data.

Securing your organization’s data is not just about implementing the right tools, but also about fostering a culture of security awareness and collaboration. By leveraging Microsoft Purview and following the best practices outlined in this guide, you can create a robust data security strategy that protects your valuable assets and supports your business objectives. Remember, data security is a continuous journey, and with the right approach, you can navigate it successfully.

Download Securing your data with Microsoft Purview: A practical handbook and set up your organization for a successful implementation today.

To learn more about our latest data security innovations, check out the Microsoft Secure announcement blog for more news across Microsoft Purview.

Learn more with Microsoft Security

1Microsoft 2024 Data Security Index: The Risk of AI, Threatscape.

The post Explore practical best practices to secure your data with Microsoft Purview appeared first on Microsoft Security Blog.

Categories: Microsoft

New whitepaper outlines the taxonomy of failure modes in AI agents

Microsoft Malware Protection Center - Thu, 04/24/2025 - 12:00pm

We are releasing a taxonomy of failure modes in AI agents to help security professionals and machine learning engineers think through how AI systems can fail and design them with safety and security in mind.

The taxonomy continues Microsoft AI Red Team’s work to lead the creation of systematization of failure modes in AI; in 2019, we published one of the earliest industry efforts enumerating the failure modes of traditional AI systems. In 2020, we partnered with MITRE and 11 other organizations to codify the security failures in AI systems as Adversarial ML Threat Matrix, which has now evolved into MITRE ATLAS™. This effort is another step in helping the industry think through what the safety and security failures in the fast-moving and highly impactful agentic AI space are.

Taxonomy of Failure Mode in Agentic AI Systems

Microsoft's new whitepaper explains the taxonomy of failure modes in AI agents, aimed at enhancing safety and security in AI systems.

Read the whitepaper

To build out this taxonomy and ensure that it was grounded in concrete and realistic failures and risk, the Microsoft AI Red Team took a three-prong approach:

We catalogued the failures in agentic systems based on Microsoft’s internal red teaming of our own agent-based AI systems.
Next, we worked with stakeholders across the company—Microsoft Research, Microsoft AI, Azure Research, Microsoft Security Response Center, Office of Responsible AI, Office of the Chief Technology Officer, other Security Research teams, and several organizations within Microsoft that are building agents to vet and refine this taxonomy.
To make this useful to those outside of Microsoft, we conducted systematic interviews with external practitioners working on developing agentic AI systems and frameworks to polish the taxonomy further.

To help frame this taxonomy in a real-world application for readers, we also provide a case study of the taxonomy in action. We take a common agentic AI feature of memory and we walk through how an cyberattacker could corrupt an agent’s memory and use that as a pivot point to exfiltrate data.

Figure 1. Failure modes in agentic AI systems.

Core concepts in the taxonomy

While identifying and categorizing the different failure modes, we broke them down across two pillars, safety and security.

Security failures are those that result in core security impacts, namely a loss of confidentiality, availability, or integrity of the agentic AI system; for example, such a failure allowing a threat actor to alter the intent of the system.
Safety failure modes are those that affect the responsible implementation of AI, often resulting in harm to the users or society at large; for example, a failure that causes the system to provide differing quality of service to different users without explicit instructions to do so.

We then mapped the failures along two axes—novel and existing.

Novel failure modes are unique to agentic AI and have not been observed in non-agentic generative AI systems, such as failures that occur in the communication flow between agents within a multiagent system.
Existing failure modes have been observed in other AI systems, such as bias or hallucinations, but gain in importance in agentic AI systems due to their impact or likelihood.

As well as identifying the failure modes, we have also identified the effects these failures could have on the systems they appear in and the users of them. Additionally we identified key practices and controls that those building agentic AI systems should consider to mitigate the risks posed by these failure modes, including architectural approaches, technical controls, and user design approaches that build upon Microsoft’s experience in securing software as well as generative AI systems.

The taxonomy provides multiple insights for engineers and security professionals. For instance, we found that memory poisoning is particularly insidious in AI agents, with the absence of robust semantic analysis and contextual validation mechanisms allows malicious instructions to be stored, recalled, and executed. The taxonomy provides multiple strategies to combat this, such as limiting the agent’s ability to autonomously store memories by requiring external authentication or validation for all memory updates, limiting which components of the system have access to the memory, and controlling the structure and format of items stored in memory.

Read the new “Taxonomy of Failure Mode in Agentic AI Systems” whitepaper How to use this taxonomy

For engineers building agentic systems:
- We recommend that this taxonomy is used as part of designing the agent, augmenting the existing Security Development Lifecycle and threat modeling practice. The guide helps walk through the different harms and the potential impact.
- For each harm category, we provide suggested mitigation strategies that are technology agnostic to kickstart the process.
For security and safety professionals:
- This is a guide on how to probe AI systems for failures before the system launches. It can be used to generate concrete attack kill chains to emulate real world cyberattackers.
- This taxonomy can also be used to help inform defensive strategies for your agentic AI systems, including providing inspiration for detection and response opportunities.
For enterprise governance and risk professionals, this guide can help provide an overview of not just the novel ways these systems can fail but also how these systems inherit the traditional and existing failure modes of AI systems.

Learn more

Like all taxonomies, we consider this a first iteration and hope to continually update it, as we see the agent technology and cyberthreat landscape change. If you would like to contribute, please reach out to airt-agentsafety@microsoft.com.

The taxonomy was led by Pete Bryan; the case study on poisoning memory was led by Giorgio Severi. Others that contributed to this work: Joris de Gruyter, Daniel Jones, Blake Bullwinkel, Amanda Minnich, Shiven Chawla, Gary Lopez, Martin Pouliot, Whitney Maxwell, Katherine Pratt, Saphir Qi, Nina Chikanov, Roman Lutz, Raja Sekhar Rao Dheekonda, Bolor-Erdene Jagdagdorj, Eugenia Kim, Justin Song, Keegan Hines, Daniel Jones, Richard Lundeen, Sam Vaughan, Victoria Westerhoff, Yonatan Zunger, Chang Kawaguchi, Mark Russinovich, Ram Shankar Siva Kumar.

The post New whitepaper outlines the taxonomy of failure modes in AI agents appeared first on Microsoft Security Blog.

Categories: Microsoft

Understanding the threat landscape for Kubernetes and containerized assets

Microsoft Malware Protection Center - Wed, 04/23/2025 - 12:00pm

The dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, presenting an opportunity for attackers to stay undetected. Microsoft Threat Intelligence has observed threat actors taking advantage of unsecured workload identities to gain access to resources, including containerized environments. Microsoft data showed that in the past year, 51% of workload identities were completely inactive, representing a potential attack vector for threat actors.

Microsoft released and updated the threat matrix for Kubernetes, an active knowledge base for security threats that target Kubernetes clusters, to systematically map the attack surface of Kubernetes. We also worked with MITRE to develop the ATT&CK® for Containers matrix in 2021. As the adoption of containers-as-a-service among organizations rises, Microsoft Threat Intelligence continues to monitor the unique security threats that affect containerized environments.

Threats in Kubernetes environments

Containerized assets (including Kubernetes clusters, Kubernetes nodes, Kubernetes workloads, container registries, container images, and more) are at risk of several different types of attacks. To fully secure containerized workloads, organizations must secure the containers and the code running within them, software dependencies and libraries, continuous integration and continuous delivery (CI/CD) pipelines, runtime, and more.

Threats in Kubernetes environments can come from six primary areas:

Compromised accounts: In cases where Kubernetes clusters are deployed in public clouds (such as Azure Kubernetes Service (AKS) or Google Kubernetes Engine (GKE)), compromised cloud credentials could lead to cluster takeover, as attackers who have access to account credentials can get access to the cluster’s management layer.
Vulnerable or misconfigured images: Images that are not updated regularly might contain vulnerabilities that can be exploited in malicious attacks.
Environment misconfigurations: An attacker with access to the Kubernetes API, either through exposed management interfaces or lack of appropriate authentication/authorization controls, could completely take down the server, deploy malicious containers, or hijack the entire cluster.
App-level attacks: Applications could be exploited through several typical methods, such as SQL injection, cross-site scripting, and remote file inclusion.
Node-level attacks: Attackers can gain initial access through nodes (host machines that containers run on) that run on vulnerable code or software, have open management interfaces such as SSH, or run commands from the cloud control plane. There is also the risk of pod escape, where a compromised pod can provide access to the node or to other pods in the cluster.
Unauthorized traffic: Insecure networking between the different containers within the cluster and between the pods and outside world could be subject to malicious traffic if not secured.

Figure 1. Overview of attacks against Kubernetes environments Case study: Password spray attack leads to containers being used for cryptomining

In the past year, Microsoft Threat Intelligence has observed AzureChecker threats (tracked as Storm-1977) launching password spray attacks against cloud tenants in the education sector. The attack involves the use of AzureChecker.exe, a Command Line Interface (CLI) tool that is being used by a wide range of threat actors.

We observed that AzureChecker.exe connected to sac-auth[.]nodefunction[.]vip to download AES-encrypted data that when decrypted reveals the list of password spray targets. The tool then also accepted the file accounts.txt, which contained the username and password combinations to be used for the attack, as input. The threat actor then used the information from both files and posted the credentials to the target tenants for validation.

Microsoft Threat Intelligence was able to observe an instance of successful account compromise and found that the threat actor leveraged a guest account to create a resource group within the compromised subscription. The threat actor then created more than 200 containers within the resource group and used them for cryptomining activity.

Securing containerized environments

The following best practices can help secure containerized assets against commonly observed threats.

Secure code prior to deployment

Ensuring that containers have secure code prior to deployment is essential to preventing issues during deployment and runtime. To facilitate this, Microsoft Defender for Cloud scans container images for vulnerabilities and misconfigurations and alerts customers of issues before a container is deployed.

Defender for Cloud DevOps also provides visibility into the security posture of the CI/CD platform. Additional best practices such as restricting access to DevOps tooling, using a secret store instead of hard-coding secrets in code or documentation, and using hardened DevOps workstations to build and deploy code can help prevent security issues before code is deployed.

Secure container deployment and runtime

Container deployment refers to the phase of the lifecycle where container images are pulled from the static container registry to be run on virtual machines hosts. During deployment, you should ensure the following best security practices:

Ensure containers are immutable: Prevent patches from running containers whenever possible. As best practice, if you notice that a running container needs updates, you should rebuild the image and deploy the new container. Introducing new code in running containers can introduce new vulnerabilities, bypass secure development lifecycle protections, as well as pose an operational risk in case a container is restarted and run again with the original container image content without any runtime modifications.
Leverage Admission Controllers: Configure policies to prevent containers from being deployed from untrusted registries, from running out of alignment with the minimal Pod Security Standard that fits the pod requirement (such as restricting root privileges), and from utilizing too many resources in the event of a denial-of-service attack. These can be enforced with Azure Policy Add-On for Kubernetes.
Gate deployments of vulnerable images: Ensure that the containers being deployed are free of vulnerabilities and misconfigurations by running a vulnerability scan in the Build and Ship phases. Any image with high or critical severity vulnerabilities should be blocked from deployment.

Container runtime refers to the phase of the lifecycle where containers are running on the virtual hosts. During runtime, monitor your running containers for any new vulnerabilities that might have been introduced during runtime. In cases where a container image was not scanned in build time or in registry before being deployed to the cluster, Microsoft Defender Vulnerability Management supports Azure vulnerability assessments .

Additionally, monitor each node, pod, and container during runtime for any sort of anomalous or malicious activity that may be occurring:

Look for malicious API calls and unusual activity using a monitoring system to identify any unusual Kubernetes API server requests for malicious activity. Defenders can query Kubernetes API calls in Defender XDR advanced hunting using the CloudAuditEvents table.
For AKS clusters, Container Insights offers the ability to collect Syslog events from Linux nodes, to then be accessed within Azure’s built-in workbooks.

Defender for Containers’ Agentless discovery for Kubernetes provides API-based discovery of Kubernetes clusters, their configurations, and deployments. Defender for Cloud also identifies runtime threats at both the API level and the workload level. Additionally, organizations can use Microsoft Defender for Cloud to identify and remediate attack paths to address any potential attack vectors.

Secure user accounts and permissions

Attackers are increasingly using compromised identities for initial access and for establishing long-term persistence within an environment. If a compromised user has access to Kubernetes services, an attacker could use that identity to access those services using portal access or the command-line interface. In cases where Kubernetes clusters are deployed in public clouds (such as AKS in Azure or GKE in Google Cloud Platform (GCP)), compromised cloud credentials could lead to cluster takeover as attackers who have access to account credentials can get access to the cluster’s management layer.

The following recommendations, focused on requiring strong authentication to services and following the principle of least privilege, can help secure cloud credentials from compromise:

Use strong authentication when exposing sensitive interfaces to the internet. For example, attacks were observed against exposed Kubeflow and Argo workloads that were not configured to use OpenID Connect or other authentication methods.
Use strong authentication methods to the Kubernetes API to help prevent attackers from gaining access to the cluster even if valid credentials such as kubeconfig were achieved. For example, in AKS use Entra ID authentication instead of basic authentication. By using Entra ID authentication, a short-lived credential of the cluster is retrieved after authenticating to Entra ID.
Avoid using the read-only endpoint of Kubelet in port 10255, which doesn’t require authentication. In newer versions of managed clusters, this port is disabled.
Implement multifactor authentication (MFA).
Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions. This applies also to other external authorization providers such as Azure RBAC in AKS.
In a managed cluster, Kubernetes credentials are often retrieved or generated by the cloud provider through API call. To reduce the attack surface, grant permissions to the cloud provider API only to necessary accounts. In the case of Azure, make sure that only required identities have permissions to call: /subscriptions/resourceGroups/providers/Microsoft.ContainerService/managedClusters/listClusterUserCredential
The kubeconfig file can contain credentials of accounts that allow interaction with a cluster. By applying the least privilege principle to all accounts, you can limit the impact of an account compromised through the kubeconfig file. To further limit misuse of the kubeconfig file, enable Microsoft Entra-based authentication to AKS and disable the local admin account, avoiding the use of the kubeconfig file altogether.

The Kubernetes project also lists the following recommendations for permissions and role assignment best practices:

Avoid wildcard permissions, especially to all resources.
Use RoleBinding instead of ClusterAdminBinding to give access within a namespace.
Avoid adding users to the system:master group as it bypasses RBAC.
Use impersonation rights for admins instead of adding to the cluster admin role. Audit and monitor when impersonation is being done.
Avoid granting the escalate or bind permissions to roles when not needed, audit and monitor when escalation is being made.
Avoid adding users to the system:unauthenticated group.
Limit permissions to issue certificate signing requests (CSR) and certificates.
Avoid granting users with create rights on service accounts/token, which could be exploited to create TokenRequests and issue tokens for existing service accounts.
Users with control over validatingwebhookconfigurations or mutatingwebhookconfigurations can control webhooks that can read any object admitted to the cluster, and in the case of mutating webhooks, also mutate admitted objects

Secure container images

Secure the CI/CD environment. Secure code repositories and CI/CD environment by placing gates to restrict unauthorized access and modification of content. This can include enforcing RBAC permissions to access and make changes to code, artifacts and build pipelines, ensure governed process for pull-request approval, apply branch policies and others.
Apply image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies. By ensuring consistent and comprehensive image assurance policy across the build, ship, and run development stages. One approach of ensuring images pass assurance or compliance checks it to sign the container images, so the image signature can be checked downstream when deploying to Kubernetes clusters at runtime.
Take and store data backups from pod-mounted volumes for critical workloads. Ensure backup and storage systems are hardened and kept separate from the Kubernetes environment to prevent compromise.

Restrict network traffic

The Kubernetes API server is the gateway to the cluster. Restricting access to the API server, as well as restricting how pods can communicate, can prevent unwanted access to the clusters management, even if an adversary gained valid credentials to the cluster. The following best practices can help harden clusters against attacks.

Restrict access to the API server using intrusion detection signatures, network policies, and a web application firewall to block traffic at network boundaries to pods and services in a Kubernetes cluster. In managed clusters, cloud providers often support native built-in firewalls, which can restrict the IP addresses that are allowed to access the API server.
- Implement a Next-Generation Firewall (NGFW) such as Azure Firewall, which offers a solution for AKS to monitor inbound and outbound traffic. You can integrate Azure Firewall as well as several third-party firewalls into Azure Sentinel to accumulate all logs into a centralized location. AKS also supports Retina, a cloud-agnostic platform for analysis of Kubernetes’ workload traffic.
- Use Kubernetes network policies to control traffic and manage how pods communicate.
- Adapt a network intrusion prevention solution to a Kubernetes environment if needed, in order to route network traffic destined to services through the security solution. In some cases, this can be done by deploying a containerized version of a network intrusion prevention solution to the Kubernetes cluster and be part of the cluster network, and in some cases, routing ingress traffic to Kubernetes services through an external appliance, requiring that all ingress traffic only come from such an appliance.
Enable Just In Time (JIT) access to the API server through Microsoft Entra conditional access. Employing JIT elevated access to the Kubernetes API server helps reduce the attack surface by allowing access only at specific times, and through a governed escalation process. Enabling JIT access in Kubernetes is often done together with OpenID authentication, which includes processes and tools to manage JIT access. One example of such OpenID authentication is Azure Active Directory authentication to Kubernetes clusters. The JIT approval is performed in the cloud control plane level. Therefore, even if attackers have access to account credentials, their access to the cluster is limited.
Limit access to services over network. Avoid exposing sensitive interfaces insecurely to the internet or limit access to it. Sensitive interfaces include management tools and applications that allow the creation of new containers in the cluster. Some of those services do not use authentication by default and are not intended to be exposed. Examples of services that were exploited include Weave Scope, Apache NiFi, and more.
- If services need to be exposed to the internet and are exposed using a LoadBalancer service, use IP restriction (loadBalancerSourceRanges) when possible. This reduces the attack surface of the application and can prevent attackers from being able to reach the sensitive interfaces.

Detection details Microsoft Defender for Cloud

Microsoft Defender for Containers provides security alerts on the cluster level and on the underlying cluster nodes by monitoring both the control plane (the API server) and the containerized workload itself.

Exposed Postgres service with trust authentication configuration in Kubernetes detected (Preview)
Exposed Postgres service with risky configuration in Kubernetes detected (Preview)
Attempt to create a new Linux namespace from a container detected
A history file has been cleared
Abnormal activity of managed identity associated with Kubernetes (Preview)
Abnormal Kubernetes service account operation detected
An uncommon connection attempt detected
Attempt to stop apt-daily-upgrade.timer service detected
Behavior similar to common Linux bots detected (Preview)
Command within a container running with high privileges
Container running in privileged mode
Container with a sensitive volume mount detected
CoreDNS modification in Kubernetes detected
Creation of admission webhook configuration detected
Detected file download from a known malicious source
Detected suspicious file download
Detected suspicious use of the nohup command
Detected suspicious use of the useradd command
Digital currency mining container detected
Digital currency mining related behavior detected
Docker build operation detected on a Kubernetes node
Exposed Kubeflow dashboard detected
Exposed Kubernetes dashboard detected
Exposed Kubernetes service detected
Exposed Redis service in AKS detected
Indicators associated with DDOS toolkit detected
K8S API requests from proxy IP address detected
Kubernetes events deleted
Kubernetes penetration testing tool detected
New container in the kube-system namespace detected
New high privileges role detected
Possible attack tool detected
Possible backdoor detected
Possible command line exploitation attempt
Possible credential access tool detected
Possible Cryptocoinminer download detected
Possible Log Tampering Activity Detected
Possible password change using crypt-method detected
Potential port forwarding to external IP address
Potential reverse shell detected
Privileged container detected
Process associated with digital currency mining detected
Process seen accessing the SSH authorized keys file in an unusual way
Role binding to the cluster-admin role detected
Security-related process termination detected
SSH server is running inside a container
Suspicious file timestamp modification
Suspicious request to Kubernetes API
Suspicious request to the Kubernetes Dashboard
Potential crypto coin miner started
Suspicious password access
Possible malicious web shell detected
Burst of multiple reconnaissance commands could indicate initial activity after compromise
Suspicious Download Then Run Activity
Access to kubelet kubeconfig file detected
Access to cloud metadata service detected
MITRE Caldera agent detected

Recent updates to Microsoft Defender for Cloud enhance its container security capabilities from development to runtime. Defender for Cloud now offers enhanced discovery, providing agentless visibility into Kubernetes environments, tracking containers, pods, and applications. The updates also strengthen security posture through continuous and granular scanning from build to runtime, helping maintain compliance and secure configurations across the SDLC.

Defender for Cloud’s native integration with Defender XDR enables threat protection with real-time monitoring, prioritizing vulnerabilities based on risk and enabling SOC analysts to detect and respond to threats faster through rich contextual insights and cloud-native response tools

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint also detects threats on endpoints running container hosts, focusing on suspicious behavior commonly observed on endpoints, including stealing locally stored credentials for accessing the cloud, downloading and running malicious images, and privilege escalation from dockers to hosts.

Microsoft Defender External Attack Surface Management

Microsoft Defender External Attack Surface Management detects Docker and Kubernetes instances with known vulnerabilities or misconfigurations using the following alerts:

ASI: Open Docker Daemon API Service
ASI: Unauthenticated Kubelet API

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries

In addition to the below hunting queries, the open-source tool KubiScan, developed by CyberArk Labs, can be used to scan clusters for risky permissions and users. Results can be used to manage RBAC within the environment and eliminate unnecessary permissions; it can also be used in incident response to identify the potential exposure of compromised users.

Microsoft Defender XDR

In addition to viewing alerts and incidents within Defender XDR, you can now use Azure Resource Manager (ARM) logs as well as Kubernetes audits logs for further investigation using the advanced hunting capabilities.

If a hunting query provides a good indicator of malicious or unsanctioned activity in your environment, you can create a custom rule detection in the Defender XDR portal by going to the Advanced unting page > Manage rules > Create custom detection.

Privileged pod deployment

The following query surfaces deployment of a privileged pod:

CloudAuditEvents | where Timestamp > ago(1d) | where DataSource == "Azure Kubernetes Service" | where OperationName == "create" | where RawEventData.ObjectRef.resource == "pods" and isnull(RawEventData.ObjectRef.subresource) | where RawEventData.ResponseStatus.code startswith "20" | extend PodName = RawEventData.RequestObject.metadata.name | extend PodNamespace = RawEventData.ObjectRef.namespace | mv-expand Container = RawEventData.RequestObject.spec.containers | extend ContainerName = Container.name | where Container.securityContext.privileged == "true" | extend Username = RawEventData.User.username | project Timestamp, AzureResourceId , OperationName, IPAddress, UserAgent, PodName, PodNamespace, ContainerName, Username

Exec command

The following query identifies use of the exec command in the kube-system namespace:

CloudAuditEvents | where Timestamp > ago(1d) | where DataSource == "Azure Kubernetes Service" | where OperationName == "create" | where RawEventData.ObjectRef.resource == "pods" and RawEventData.ResponseStatus.code == 101 | where RawEventData.ObjectRef.namespace == "kube-system" | where RawEventData.ObjectRef.subresource == "exec" | where RawEventData.ResponseStatus.code == 101 | extend RequestURI = tostring(RawEventData.RequestURI) | extend PodName = tostring(RawEventData.ObjectRef.name) | extend PodNamespace = tostring(RawEventData.ObjectRef.namespace) | extend Username = tostring(RawEventData.User.username) | where PodName !startswith "tunnelfront-" and PodName !startswith "konnectivity-" and PodName !startswith "aks-link" | extend Commands = extract_all(@"command=([^\&]*)", RequestURI) | extend ParsedCommand = url_decode(strcat_array(Commands, " ")) | project Timestamp, AzureResourceId , OperationName, IPAddress, UserAgent, PodName, PodNamespace, Username, ParsedCommand

Cluster-admin role binding

The following query identifies the creation of cluster-admin role binding:

CloudAuditEvents | where Timestamp > ago(1d) | where OperationName == "create" | where RawEventData.ObjectRef.resource == "clusterrolebindings" | where RawEventData.ResponseStatus.code startswith "20" | where RawEventData.RequestObject.roleRef.name == "cluster-admin" | mv-expand Subject = RawEventData.RequestObject.subjects | extend SubjectName = tostring(Subject.name) | extend SubjectKind = tostring(Subject["kind"]) | extend BindingName = tostring(RawEventData.ObjectRef.name) | extend ActionTakenBy = tostring(RawEventData.User.username) | where ActionTakenBy != "acsService" //Remove FP | project Timestamp, AzureResourceId , OperationName, ActionTakenBy, IPAddress, UserAgent, BindingName, SubjectName, SubjectKind References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Understanding the threat landscape for Kubernetes and containerized assets appeared first on Microsoft Security Blog.

Categories: Microsoft

Securing our future: April 2025 progress report on Microsoft’s Secure Future Initiative

Microsoft Malware Protection Center - Mon, 04/21/2025 - 11:00am

The Microsoft Secure Future Initiative (SFI) stands as the largest cybersecurity engineering project in history and most extensive effort of its kind at Microsoft. Since inception, we’ve dedicated the equivalent of 34,000 engineers working full-time for 11 months to mitigate risks and address the highest priority security tasks. Now, we are sharing the second SFI progress report, which highlights progress made in our multi-year journey to improve the security posture of Microsoft, our customers, and the industry at large.

Read the latest Secure Future Initiative report

We have made progress across culture and governance by fostering a security-first mindset in every employee and investing in holistic governance structures to address cybersecurity risk across our enterprise.

To better protect our customers, engineering teams across the company are delivering innovation aligned with our security principles, such as the new Secure by Design UX Toolkit which we tested with 20 product teams, rolled out to 22,000 employees, and shared publicly. This toolkit embeds security best practices into product development and is already delivering results. It includes best practices, conversation cards, and workshop tools to help teams build security capability, pinpoint vulnerabilities in products, and prioritize where to focus.

We have also made progress in every engineering pillar and objective, continuously hardening our identity security, reducing the risk of lateral movement across networks and tenants, improving our ability to detect and respond to cyberthreats, and partnering with the industry to protect customers from zero days. Insights and learnings from this progress inform ongoing innovations in our Microsoft Security portfolio—Microsoft Entra, Microsoft Defender, and Microsoft Purview—that helps better protect customers and Microsoft.

To better protect signing keys, in September 2024 we announced that we have moved Entra ID and Microsoft Account (MSA) access token signing keys to hardware-based security modules (HSMs) and virtualization-based security in Windows, with automatic rotation. Since then, we’ve applied new defense-in-depth protections in response to our Red Team research and assessments, migrated the MSA signing service to Azure confidential VMs, and are migrating Entra ID signing service to the same. Each of these improvements help mitigate the attack vectors that we suspect the actor used in the 2023 Storm-0558 attack on Microsoft.

We have also improved our ability to detect and respond to cyberthreats, adding more than 200 additional detections against top tactics, techniques, and procedures (TTPs), which will be integrated into Microsoft Defender where applicable. Partnering with the security research community proactively discovered 180 vulnerabilities in the high-impact areas of cloud and AI, and expanded our program to address vulnerabilities within a reduced time to mitigate to cover more products, environments, and lower severities.

Key highlights from the full SFI progress report can be found below:

Read the full SFI Progress Report Secure by Design, Default, and in Operations

In this report, you’ll find examples of how we’re building in protections from the start, aligned with our security principles:

New Secure by Design UX Toolkit, tested by 20 product teams and rolled out to 22,000 employees as well as a publicly available version, is helping teams build more secure, user-centered experiences.
The launch of 11 new innovations across Microsoft Azure, Microsoft 365, Windows, and Microsoft Security that help improve security by default.
AI development processes that now include dedicated security and safety reviews led by the Artificial Generative Intelligence Safety and Security Organization.
Applying secure operations practices across our AI systems, as outlined in our Responsible AI Transparency Report.
New policies, behavioral-based detection models, and investigation methods that thwarted $4 billion in fraud attempts.

These advances help protect our customers and Microsoft.

Security-first mindset, company-wide

Security starts with people. In the past year, we’ve activated a security-first culture across every corner of the company, from engineering to operations to customer support.

Every Microsoft employee now has a Security Core Priority tied directly to performance reviews.
50,000 employees have participated in the Microsoft Security Academy to improve their security skills.
99% of employees have completed our Security Foundations and Trust Code courses.

This shift isn’t about compliance, it’s about empowerment. We want every person at Microsoft to understand their role in keeping our customers safe and to have the tools to act on that responsibility.

Stronger governance to manage enterprise-wide risk

In May 2024, we introduced a new governance structure to improve risk visibility and accountability. Since then, we’ve deepened our investment:

We’ve appointed a Deputy Chief Information Security Officer (CISO) for Business Applications, and consolidated responsibility for Microsoft 365 and Experiences and Devices.
All 14 Deputy CISOs across Microsoft have completed a risk inventory and prioritization, creating a shared view of enterprise-wide security risk.

This kind of structure is critical for scale, ensuring security isn’t just centralized, but embedded throughout the organization.

Driving measurable progress across all pillars

We continue to make progress in every pillar and objective. Out of 28 objectives, five are nearing completion, 11 have made significant progress, and we continue to make progress against the rest. As a result of SFI our platforms and services are more secure and we have improved our ability to detect and respond to cyberthreats.

1. Protect identities and secrets: We have improved identity security for Microsoft services and customers

New defense-in-depth protections for Microsoft Entra ID and Microsoft Account (MSA) token signing keys already stored in hardware-based security modules. The Microsoft Account (MSA) signing service has been migrated to Azure confidential VMs.
90% of identity tokens from Microsoft Entra ID for Microsoft apps are validated by one consistent and hardened identity Software Development Kit (SDK).
To mitigate risk from advanced cyberattacks, 92% of employee productivity accounts now use phishing-resistant multifactor authentication (MFA).

2. Protect tenants and isolate production systems: We continue to remove legacy and unused resources, and increase isolation, to reduce the risk of lateral movement

We transitioned more than 88% of resources to Azure Resource Manager, removed a total of 6.3 million tenants (an additional 550,000 since September), and all new tenants are now automatically registered in our security emergency response system.
We use an automated lifecycle management solution for all Microsoft Entra ID applications in the production environment.
Authentication to 4.4 million production environment managed identities is now restricted to specific network locations, further protecting these critical assets.

3. Protect networks: Progress made against all objectives has improved the security of our network and delivered new innovations to help customers protect their networks

More than 99% of network assets have been inventoried and use enhanced security standards.
We continue to add additional layers of defense in depth by applying network isolation and segmentation to our network.
We introduced four new security capabilities to help customers secure their networks: Network Security Perimeter (NSP), DNS Security Extensions (DNSSEC), Azure Bastion Premium, and a private subnet feature.

4. Protect engineering systems: We have improved the security of systems we use to build, test, and deploy code

99.2% of pipelines have a complete inventory, which is enforced at creation and validated within 24 hours.
MFA protects 81% of production code branches through proof-of-presence checks.
Broad adoption of Central Feed Services, which helps to provide developers with a governed open-source feed.

5. Monitor and detect threats: To improve our ability to investigate and respond to cyberthreats

We track 97% of our production infrastructure assets centrally.
Engineering teams continue to adopt our security logging standard, including the two-year minimum retention policy.
We added more than 200 additional detections against top tactics, techniques, and procedures (TTPs). Applicable detections will be integrated into Microsoft Defender.

6. Accelerate response and remediation: We are addressing more vulnerabilities, more quickly, and continue to improve security-related customer communications

73% success rate addressing cloud vulnerabilities in our reduced time to mitigate, with significantly expanded program scope.
As part of Zero Day Quest, researchers identified 180 new vulnerabilities in the high impact areas of cloud and AI, enabling us to address them proactively.
We introduced new processes and playbooks to improve security incident communications to customers.

A future of secure innovation

Progress in cybersecurity is never linear. Cyberthreats evolve. Technology shifts. New risks emerge. But every step we take to secure our platforms is an investment in a safer future, for Microsoft, our customers, and the entire ecosystem.

SFI is how we’re rising to that challenge. We are applying Zero Trust principles, driving security from the engineering core, and sharing what we learn. There is more work ahead and we are committed to the journey.

We also know that security is a team sport. It takes collaboration across customers, partners, and the broader industry to move forward together. As part of our commitment to the broader ecosystem, we’re proud to continue to support initiatives like the CISA Secure by Design pledge, reinforcing our belief that security is the foundation of trust.

Thank you for your trust—and your partnership. Let’s keep building a secure future together.

Read the latest SFI Progress Report Learn more with Microsoft Security

To learn more about Microsoft Security solutions and Microsoft’s Secure Future Initiative, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Securing our future: April 2025 progress report on Microsoft’s Secure Future Initiative appeared first on Microsoft Security Blog.

Categories: Microsoft

Microsoft’s Secure by Design journey: One year of success

Microsoft Malware Protection Center - Thu, 04/17/2025 - 12:00pm

Cybersecurity is one of the top risks facing businesses. Organizations are struggling to navigate the ever-evolving cyberthreat landscape in which 600 million identity attacks are carried out daily.1 The median time for a cyberattacker to access private data from phishing is 1 hour and 12 minutes, and nation-state cyberattacks are on the rise.2 Organizations also face unprecedented complexity, making security jobs harder—57% of organizations are using more than 40 security tools, which requires significant resourcing and effort to integrate workflows and data.3 These challenges are magnified by the global security talent shortage organizations are facing and there are more than 4 million security jobs unfilled worldwide, rising insider risks, and the rapidly evolving regulatory landscape today.4 These cybersecurity challenges can not only increase significant business disruptions, they can also create devastating economic damages—the cost of cybercrime is expected to grow at 15% year over year, reaching $15.6 trillion by 2029.5

Get the latest Secure Future Initiative updates

In November 2023, to address the evolution of the digital and regulatory landscape, and the unprecedented changes in the cyberthreat landscape, we announced the Microsoft Secure Future Initiative. The Secure Future Initiative (SFI) is a multiyear effort to revolutionize the way we design, build, test, and operate our products and services, to achieve the highest security standards. SFI is our commitment to improve Microsoft’s security posture, thereby improving the security posture of all our customers, and to work with governments and industry to improve the security posture of the entire ecosystem.

Last year, the Cybersecurity and Infrastructure Security Agency (CISA), through its “Secure by Design” pledge, called on the technology industry to prioritize security at every stage of product development and deployment. This approach of embedding cybersecurity in digital delivery from the outset is also reflected in the United Kingdom’s Government’s Cyber Security Strategy as well as in the Australian Cyber Security Centre (ACSC)’s “Essential Eight” mitigation strategies to protect against cyberthreats. Throughout this blog post, the term “Secure by Design” encompasses both “secure by design” and “secure by default.”

Read CISA’s Secure by Design pledge

Microsoft committed to work towards key goals across a spectrum of Secure by Design principles advocated by numerous government agencies around the world. These goals aim to enhance security outcomes for customers by embedding robust cybersecurity practices throughout the product lifecycle. We continue to take our learnings, feed them back into our security standards, and operationalize these learnings as paved paths that can enable secure design and operations at scale. Our SFI updates provide examples of Microsoft’s progress in implementing secure by design, secure by default, and secure in operations principles, and provide best practices based on Microsoft’s own experience, demonstrating our dedication to improving security for customers.

Keep reading to learn about the initiatives Microsoft has undertaken over the past 18 months to support secure by design objectives as part of our SFI initiative. It is organized around our SFI principles to provide our customers and partners with an understanding of the robust security measures we are implementing to safeguard their digital environments.

Enhancing security with multifactor authentication and default password management

Phishing-resistant multifactor authentication provides the most robust defense against password-based cyberattacks, including credential stuffing and password theft. This includes promoting multifactor authentication among customers, implementing it as a default requirement for access, and participating in efforts to establish long-term standards in authentication.

In October 2024, Microsoft implemented mandatory multifactor authentication for the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. Since then, Microsoft has worked with our customers to reduce extensions and rapidly advance multifactor authentication adoption. A key achievement is our progress in eliminating passwords across products. Microsoft has introduced enhancements to streamline authentication and improve sign-in experiences, emphasizing usability and security. Users can now remove passwords from their accounts and use passkeys instead, addressing vulnerabilities and preventing unauthorized access.

On March 26, 2025, Microsoft launched a new sign-in experience for more than 1 billion users. By the end of April 2025, most Microsoft account users will see updated sign-in and sign-up user experience flows for web and mobile apps. This new user experience is optimized for a passwordless and passkey-first experience. Microsoft is also updating the account sign-in logic to make passkey the default sign-in choice whenever possible.

Additional examples of Microsoft improving authentication and how customers can learn from Microsoft’s approach and solutions include:

Microsoft recommendations for organizations to get started deploying phishing-resistant passwordless authentication using Microsoft Entra ID.
Security defaults make it easier to help protect against identity-related cyberattacks like password spray, replay, and phishing common in today’s environments. Learn more about preconfigured security settings available in Microsoft Entra ID.
Microsoft’s Conditional Access uses identity-driven signals as part of access control decisions.
To help prevent phishing, Microsoft added additional hardening to Windows Hello, which is the multifactor authentication solution built-in to Windows. Windows Hello has also been extended to support passkeys, which are an industry standard, and which we continue to evolve. With Hello and passkeys, on Windows, it means much of the web can be protected with multifactor authentication, and people no longer need to choose between a simple sign-in and a safe sign-in.
Learn how Microsoft is advancing decentralized identity standards and verifiable credentials.
Following GitHub’s April 2024 update on a year of progress in pushing multifactor authentication adoption, further cohorts requiring multifactor authentication enablement have been rolled out in the past year. This effort continues to drive multifactor authentication utilization with almost 50% of contributing GitHub users having multifactor authentication enabled. Of those, more than 38% of users have two or more methods of two-factor authentication enabled and more than 3.6 million users have a passkey enabled on their account. Additionally, GitHub has pushed for best practices in multifactor authentication methods, and in November 2024 shipped enhancements to the management of multifactor authentication settings for organizations and enterprises that allow the restriction of insecure methods of multifactor authentication such as text messaging.

Reducing entire classes of vulnerabilities

Most exploited vulnerabilities today stem from types that can often be mitigated on a large scale, such as SQL injection, cross-site scripting, and memory safety language vulnerabilities. Governments aim to reduce these by encouraging companies to adopt practices like eliminating authorization validation logic mistakes, enabling the use of memory-safe languages, creating secure firmware architectures, and implementing secure administrative protections. The goal is to minimize exploitation risks by addressing systemic vulnerabilities at their root.

Our introduction of mandatory use of the Microsoft Authentication Library (MSAL) across all Microsoft applications helps ensure that advanced identity defenses, such as token binding, continuous access evaluation, and advanced application attack detections, are consistently implemented. This standardizes secure authentication processes, making it significantly harder for attackers to exploit identity-related vulnerabilities. MSAL enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs.

Read the updated Windows Security book and stay secure with Windows

Microsoft is also committed to adopting memory-safe languages, such as Rust, for developing new products and transitioning existing ones. This approach addresses common vulnerabilities related to memory safety. Microsoft is investing heavily into safe language to enhance the safety of our code, and we are applying this new approach to our security platform and other key areas like Microsoft Surface and Pluton security firmware.

In Windows 11, we’ve applied a secure by design strategy from the very first line of code. We have established a Hardware Security Baseline, which helps to ensure every Windows 11 PC has consistent hardware security forming a secure foundation. Windows 11 has secure by default settings and stronger controls for what apps and drivers are allowed to run. This is important as unverified apps and drivers lead to malware and script attacks. And most malware and ransomware apps are unsigned, which means they can be authored and distributed without being provably safe. For consumers and smaller organizations, Smart App Control is a new feature that uses cloud AI to enable millions of known safe apps to run, regardless of where you got them. For larger organizations, IT admins can layer on App Control for Business policies and deploy them using Intune.

With Windows powering business critical solutions across a wide variety of customers, we are committed to helping ensure that Windows remains the most secure and reliable platform. At Microsoft Ignite in 2024, we announced the Windows Resilience Initiative focused on enhancing the security and resilience of the Windows operating system. This involves implementing advanced security features, improving threat detection and response capabilities, and to help ensure that Windows can withstand and recover from cyberattacks. As part of the Windows Resilience Initiative, we are working to protect against common cyberattacks in addition to strengthening identity protection mentioned above.

As part of this we are addressing the long-standing challenge of overprivileged users and applications, which create significant risk. Yet many people do not want to give up admin control of their PC. To help strike the balance of admin privileges and security we are introducing Administrator protection (currently in Windows Insiders). Admin protection gives you the protection of standard user permissions by default, and when needed you can securely authorize a just-in-time system change using Windows Hello. Once the process has completed, the temporary admin token is destroyed. This means admin privileges do not persist. Admin protection will be disruptive to cyberattackers, as they no longer have elevated privileges by default, which will help organizations ensure they remain in control of Windows.

We are also collaborating with endpoint security partners to adopt safe deployment practices. This means all security product updates will be gradual, minimizing deployment risks and monitoring to help ensure any negative impact is kept to a minimum. Additionally, we are developing new Windows capabilities that allow security product developers to build their products outside of kernel mode, reducing the impact to Windows in the event of a security product crash.

Another key development is our secure by design user experience (UX) toolkit. Human error causes the majority of security breaches. The UX toolkit helps build more secure software and improve user security experiences. This toolkit represents a new way of thinking—where design and security aren’t siloed but are working together from the very beginning. Adopted internally and shared externally, the toolkit helps other software organizations in enhancing their security practices.

Other activities Microsoft has worked on to eliminate classes of vulnerabilities include:

Continued support to enable developers to use the memory safe language Rust on Windows.
Taking steps to mitigate Windows NT LAN (NTLM) Relay Attacks by default against Exchange Service, Active Directory Certificate Services and Lightweight Directory Access Protocol (LDAP).
Zero Trust Domain Name System (DNS) preview expanded to include Windows 11 enterprise customers. This feature helps lock down devices to only access-approved network destinations.
Surface embedded firmware products use of a common firmware architecture.
Launch of the Windows 365 Link, which is the first Cloud PC device for Windows 365. Windows 365 Link eliminates local data and apps and has no local admin users and provides employees a way to more securely stream their Windows 365 Cloud PC.
GitHub released CodeQL support for GitHub Actions workflow files. This new static analysis capability identifies common continuous integration and continuous delivery (CI/CD) flaws both in existing code bases and before they are introduced to help eliminate this class of vulnerabilities. Using this new feature, the GitHub Security Lab was able to help secure more than 75 GitHub Actions workflows in open source projects, disclosing more than 90 different vulnerabilities.

Boosting patch application rates

Timely and effective patch management is necessary for cybersecurity, as this is how we can reduce the window of opportunity for malicious actors to exploit software flaws.

Microsoft has made measurable increases in the installation of security patches, which we achieved by enabling automatic installation of software patches when possible and enabling this functionality by default, as well as by offering widespread support for these patches.

Microsoft continues to roll out major security updates on the second Tuesday of each month, known as Patch Tuesday. This regular schedule ensures that all systems receive timely updates to address critical vulnerabilities, thereby reducing the risk of exploitation by cyberattackers.

Building on this foundation, Microsoft has made significant strides in improving the update process with Windows 11. By reducing the number of required system restarts from 12 to four per year through the use of Hotpatch updates, we have further streamlined operations and encouraged organizations to remain compliant with patching requirements.

Other examples of our efforts in to boost patch and security update rates include:

Windows Hotpatch: Announced at Microsoft Ignite 2024, this provides a 60% reduction in time to adopt security updates, assisted by applying updates seamlessly without system restarts.
Microsoft has emphasized the importance of clearly communicating the expected lifespan of products at the time of sale and investing in provisioning capabilities to ease customer transitions to supported versions when products reach the end of their lifecycle. This strategy ensures that customers are well-informed and can smoothly adapt to new technologies.

Adopting a Vulnerability Disclosure Policy (VDP) and Common Vulnerabilities and Exposures (CVE)

Coordinated vulnerability disclosure, a practice Microsoft adopted more than a decade ago, benefits both security researchers and software manufacturers by enabling collaboration to enhance product security. A VDP that authorizes public testing of products, commits to refraining from legal action against those who follow the VDP in good faith, provides a clear channel for reporting vulnerabilities, and permits public disclosure of vulnerabilities according to coordinated vulnerability disclosure best practices and international standards makes a real difference for cybersecurity. Additionally, manufacturers can demonstrate transparency by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every CVE record for the manufacturer’s products.

Our adoption of the CWE and CPE standards in every CVE record for its products is an important achievement. This transparency facilitates accurate and detailed information about vulnerabilities, facilitating timely and effective remediation. By issuing CVEs promptly for all critical or high-impact vulnerabilities, Microsoft demonstrates its commitment to maintaining a secure environment and protecting its customers from potential cyberthreats.

Another notable highlight is the publication of a machine-readable CSAF files, which provide a clear channel for reporting vulnerabilities and authorizes public testing of Microsoft products. This fosters collaboration between security researchers and software manufacturers, enabling the identification and mitigation of vulnerabilities in a coordinated manner.

Other activities Microsoft has worked on to adopt VDP and CVE include:

Microsoft has published a security.txt file with links to different aspects of our VDP CVE related blogs generally.
Microsoft is now issuing CVEs for critical cloud service vulnerabilities, regardless of whether customers need to install a patch or to take other actions to protect themselves.
Microsoft has begun to publish root cause data for Microsoft CVEs using the CWE industry standard. By adopting CWE, more effective community discussion about discovering and mitigating weaknesses in existing software and hardware can be facilitated.
Microsoft added a new standard machine-readable format, called Common Security Advisory Framework (CSAF), to all Microsoft CVE information to help customer accelerate CVE response and remediation.

Empowering customers to detect and document intrusions

Organizations should do more to detect cybersecurity incidents and understand their impact. To ensure they can do that, manufacturers should provide artifacts and evidence-gathering tools, like audit logs.

An example of Microsoft’s commitment in this area is our implementation of robust sensors and logs, enhancing detection of cyberthreats. This initiative provides customers with actionable insights into potential intrusions, enabling swift responses and risk mitigation.

Other activities Microsoft has worked on to empower customers to detect and document inclusions include:

Microsoft Purview has expanded its audit logging and retention periods, among other security enhancements, to increase security visibility and incident response capabilities for cloud-based services.
Microsoft Security Copilot offers prebuilt promptbooks to automate security-related tasks, such as incident investigations, user analysis, and threat intelligence assessments, enhancing efficiency and accuracy in cybersecurity operations.
Microsoft has provided detailed guidance on implementing the United States Department of Defense (DoD) Zero Trust Strategy, with activities categorized into target and advanced phases to achieve full Zero Trust adoption by 2032.
Microsoft’s Expanded Cloud Logs Implementation Playbook provides detailed guidance on operationalizing new logging capabilities in Microsoft Purview Audit (Standard).
Microsoft has published a whitepaper on lessons learned from red teaming more than 100 generative AI products at Microsoft. The whitepaper highlights the importance of understanding AI systems, breaking them without computing gradients, and the necessity of human involvement in AI red teaming, among other topics.

GitHub shipped enhanced capabilities to the GitHub audit log to provide customers with increased visibility of API events and features to enable enterprise management, automation, and integration.

Read the latest SFI updates

1Microsoft Digital Defense Report 2024.

2Microsoft Digital Defense Report 2022.

3IDC North America Tools and Vendors Consolidation Survey, 2023.

42024 ISC2 Cybersecurity Workforce Study.

5Global cybercrime estimated cost 2029.

The post Microsoft’s Secure by Design journey: One year of success appeared first on Microsoft Security Blog.

Categories: Microsoft

Cyber Signals Issue 9 | AI-powered deception: Emerging fraud threats and countermeasures

Microsoft Malware Protection Center - Wed, 04/16/2025 - 7:00am

Introduction | Security snapshot | Threat briefing
Defending against attacks | Expert profile

Microsoft maintains a continuous effort to protect its platforms and customers from fraud and abuse. From blocking imposters on Microsoft Azure and adding anti-scam features to Microsoft Edge, to fighting tech support fraud with new features in Windows Quick Assist, this edition of Cyber Signals takes you inside the work underway and important milestones achieved that protect customers.

We are all defenders. 

Between April 2024 and April 2025, Microsoft:

Thwarted $4 billion in fraud attempts.
Rejected 49,000 fraudulent partnership enrollments.
Blocked about 1.6 million bot signup attempts per hour.

The evolution of AI-enhanced cyber scams

AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate. AI software used in fraud attempts runs the gamut, from legitimate apps misused for malicious purposes to more fraud-oriented tools used by bad actors in the cybercrime underground.

AI tools can scan and scrape the web for company information, helping cyberattackers build detailed profiles of employees or other targets to create highly convincing social engineering lures. In some cases, bad actors are luring victims into increasingly complex fraud schemes using fake AI-enhanced product reviews and AI-generated storefronts, where scammers create entire websites and e-commerce brands, complete with fake business histories and customer testimonials. By using deepfakes, voice cloning, phishing emails, and authentic-looking fake websites, threat actors seek to appear legitimate at wider scale.

According to the Microsoft Anti-Fraud Team, AI-powered fraud attacks are happening globally, with much of the activity coming from China and Europe, specifically Germany due in part to Germany’s status as one of the largest e-commerce and online services markets in the European Union (EU). The larger a digital marketplace in any region, the more likely a proportional degree of attempted fraud will take place.

E-commerce fraud

Fraudulent e-commerce websites can be set up in minutes using AI and other tools requiring minimal technical knowledge. Previously, it would take threat actors days or weeks to stand up convincing websites. These fraudulent websites often mimic legitimate sites, making it challenging for consumers to identify them as fake.

Using AI-generated product descriptions, images, and customer reviews, customers are duped into believing they are interacting with a genuine merchant, exploiting consumer trust in familiar brands.

AI-powered customer service chatbots add another layer of deception by convincingly interacting with customers. These bots can delay chargebacks by stalling customers with scripted excuses and manipulating complaints with AI-generated responses that make scam sites appear professional.

In a multipronged approach, Microsoft has implemented robust defenses across our products and services to protect customers from AI-powered fraud. Microsoft Defender for Cloud provides comprehensive threat protection for Azure resources, including vulnerability assessments and threat detection for virtual machines, container images, and endpoints.

Microsoft Edge features website typo protection and domain impersonation protection using deep learning technology to help users avoid fraudulent websites. Edge has also implemented a machine learning-based Scareware Blocker to identify and block potential scam pages and deceptive pop-up screens with alarming warnings claiming a computer has been compromised. These attacks try to frighten users into calling fraudulent support numbers or downloading harmful software.

Job and employment fraud

The rapid advancement of generative AI has made it easier for scammers to create fake listings on various job platforms. They generate fake profiles with stolen credentials, fake job postings with auto-generated descriptions, and AI-powered email campaigns to phish job seekers. AI-powered interviews and automated emails enhance the credibility of job scams, making it harder for job seekers to identify fraudulent offers.

To prevent this, job platforms should introduce multifactor authentication for employer accounts to make it harder for bad actors to take over legitimate hirers’ listings and use available fraud-detection technologies to catch suspicious content.

Fraudsters often ask for personal information, such as resumes or even bank account details, under the guise of verifying the applicant’s information. Unsolicited text and email messages offering employment opportunities that promise high pay for minimal qualifications are typically an indicator of fraud.

Employment offers that include requests for payment, offers that seem too good to be true, unsolicited offers or interview requests over text message, and a lack of formal communication platforms can all be indicators of fraud.

Tech support scams

Tech support scams are a type of fraud where scammers trick victims into unnecessary technical support services to fix a device or software problems that don’t exist. The scammers may then gain remote access to a computer—which lets them access all information stored on it, and on any network connected to it or install malware that gives them access to the computer and sensitive data.

Tech support scams are a case where elevated fraud risks exist, even if AI does not play a role. For example, in mid-April 2024, Microsoft Threat Intelligence observed the financially motivated and ransomware-focused cybercriminal group Storm-1811 abusing Windows Quick Assist software by posing as IT support. Microsoft did not observe AI used in these attacks; Storm-1811 instead impersonated legitimate organizations through voice phishing (vishing) as a form of social engineering, convincing victims to grant them device access through Quick Assist.

Quick Assist is a tool that enables users to share their Windows or macOS device with another person over a remote connection. Tech support scammers often pretend to be legitimate IT support from well-known companies and use social engineering tactics to gain the trust of their targets. They then attempt to employ tools like Quick Assist to connect to the target’s device.

Quick Assist and Microsoft are not compromised in these cyberattack scenarios; however, the abuse of legitimate software presents risk Microsoft is focused on mitigating. Informed by Microsoft’s understanding of evolving cyberattack techniques, the company’s anti-fraud and product teams work closely together to improve transparency for users and enhance fraud detection techniques.

The Storm-1811 cyberattacks highlight the capability of social engineering to circumvent security defenses. Social engineering involves collecting relevant information about targeted victims and arranging it into credible lures delivered through phone, email, text, or other mediums. Various AI tools can quickly find, organize, and generate information, thus acting as productivity tools for cyberattackers. Although AI is a new development, enduring measures to counter social engineering attacks remain highly effective. These include increasing employee awareness of legitimate helpdesk contact and support procedures, and applying Zero Trust principles to enforce least privilege across employee accounts and devices, thereby limiting the impact of any compromised assets while they are being addressed.

Microsoft has taken action to mitigate attacks by Storm-1811 and other groups by suspending identified accounts and tenants associated with inauthentic behavior. If you receive an unsolicited tech support offer, it is likely a scam. Always reach out to trusted sources for tech support. If scammers claim to be from Microsoft, we encourage you to report it directly to us at https://www.microsoft.com/reportascam.

Building on the Secure Future Initiative (SFI), Microsoft is taking a proactive approach to ensuring our products and services are “Fraud-resistant by Design.” In January 2025, a new fraud prevention policy was introduced: Microsoft product teams must now perform fraud prevention assessments and implement fraud controls as part of their design process.

Recommendations

Strengthen employer authentication: Fraudsters often hijack legitimate company profiles or create fake recruiters to deceive job seekers. To prevent this, job platforms should introduce multifactor authentication and Verified ID as part of Microsoft Entra ID for employer accounts, making it harder for unauthorized users to gain control.
Monitor for AI-based recruitment scams: Companies should deploy deepfake detection algorithms to identify AI-generated interviews where facial expressions and speech patterns may not align naturally.
Be cautious of websites and job listings that seem too good to be true: Verify the legitimacy of websites by checking for secure connections (https) and using tools like Microsoft Edge’s typo protection.
Avoid providing personal information or payment details to unverified sources: Look for red flags in job listings, such as requests for payment or communication through informal platforms like text messages, WhatsApp, nonbusiness Gmail accounts, or requests to contact someone on a personal device for more information.

Using Microsoft’s security signal to combat fraud

Microsoft is actively working to stop fraud attempts using AI and other technologies by evolving large-scale detection models based on AI, such as machine learning, to play defense by learning from and mitigating fraud attempts. Machine learning is the process that helps a computer learn without direct instruction using algorithms to discover patterns in large datasets. Those patterns are then used to create a comprehensive AI model, allowing for predictions with high accuracy.

We have developed in-product safety controls that warn users about potential malicious activity and integrate rapid detection and prevention of new types of attacks.

Our fraud team has developed domain impersonation protection using deep-learning technology at the domain creation stage, to help protect against fraudulent e-commerce websites and fake job listings. Microsoft Edge has incorporated website typo protection, and we have developed AI-powered fake job detection systems for LinkedIn.

Microsoft Defender Smartscreen is a cloud-based security feature that aims to prevent unsafe browsing habits by analyzing websites, files, and applications based on their reputation and behavior. It is integrated into Windows and the Edge browser to help protect users from phishing attacks, malicious websites, and potentially harmful downloads.

Furthermore, Microsoft’s Digital Crimes Unit (DCU) partners with others in the private and public sector to disrupt the malicious infrastructure used by criminals perpetuating cyber-enabled fraud. The team’s longstanding collaboration with law enforcement around the world to respond to tech support fraud has resulted in hundreds of arrests and increasingly severe prison sentences worldwide. The DCU is applying key learnings from past actions to disrupt those who seek to abuse generative AI technology for malicious or fraudulent purposes.

Quick Assist features and remote help combat tech support fraud

To help combat tech support fraud, we have incorporated warning messages to alert users about possible tech support scams in Quick Assist before they grant access to someone approaching them purporting to be an authorized IT department or other support resource.

Windows users must read and click the box to acknowledge the security risk of granting remote access to the device.

Microsoft has significantly enhanced Quick Assist protection for Windows users by leveraging its security signal. In response to tech support scams and other threats, Microsoft now blocks an average of 4,415 suspicious Quick Assist connection attempts daily, accounting for approximately 5.46% of global connection attempts. These blocks target connections exhibiting suspicious attributes, such as associations with malicious actors or unverified connections.

Microsoft’s continual focus on advancing Quick Assist safeguards seeks to counter adaptive cybercriminals, who previously targeted individuals opportunistically with fraudulent connection attempts, but more recently have sought to target enterprises with more organized cybercrime campaigns that Microsoft’s actions have helped disrupt.

Our Digital Fingerprinting capability, which leverages AI and machine learning, drives these safeguards by providing fraud and risk signals to detect fraudulent activity. If our risk signals detect a possible scam, the Quick Assist session is automatically ended. Digital Fingerprinting works by collecting various signals to detect and prevent fraud.

For enterprises combating tech support fraud, Remote Help is another valuable resource for employees. Remote Help is designed for internal use within an organization and includes features that make it ideal for enterprises.

By reducing scams and fraud, Microsoft aims to enhance the overall security of its products and protect its users from malicious activities.

Consumer protection tips

Fraudsters exploit psychological triggers such as urgency, scarcity, and trust in social proof. Consumers should be cautious of:

Impulse buying—Scammers create a sense of urgency with “limited-time” deals and countdown timers.
Trusting fake social proof—AI generates fake reviews, influencer endorsements, and testimonials to appear legitimate.
Clicking on ads without verification—Many scam sites spread through AI-optimized social media ads. Consumers should cross-check domain names and reviews before purchasing.
Ignoring payment security—Avoid direct bank transfers or cryptocurrency payments, which lack fraud protections.

Job seekers should verify employer legitimacy, be on the lookout for common job scam red flags, and avoid sharing personal or financial information with unverified employers.

Verify employer legitimacy—Cross-check company details on LinkedIn, Glassdoor, and official websites to verify legitimacy.
Notice common job scam red flags—If a job requires upfront payments for training materials, certifications, or background checks, it is likely a scam. Unrealistic salaries or no-experience-required remote positions should be approached with skepticism. Emails from free domains (such as johndoehr@gmail.com instead of hr@company.com) are also typically indicators of fraudulent activity.
Be cautious of AI-generated interviews and communications—If a video interview seems unnatural, with lip-syncing delays, robotic speech, or odd facial expressions, it could be deepfake technology at work. Job seekers should always verify recruiter credentials through the company’s official website before engaging in any further discussions.
Avoid sharing personal or financial information—Under no circumstances should you provide a Social Security number, banking details, or passwords to an unverified employer.

Microsoft is also a member of the Global Anti-Scam Alliance (GASA), which aims to bring governments, law enforcement, consumer protection organizations, financial authorities and providers, brand protection agencies, social media, internet service providers, and cybersecurity companies together to share knowledge and protect consumers from getting scammed.

Recommendations

Remote Help: Microsoft recommends using Remote Help instead of Quick Assist for internal tech support. Remote Help is designed for internal use within an organization and incorporates several features designed to enhance security and minimize the risk of tech support hacks. It is engineered to be used only within an organization’s tenant, providing a safer alternative to Quick Assist.
Digital Fingerprinting: This identifies malicious behaviors and ties them back to specific individuals. This helps in monitoring and preventing unauthorized access.
Blocking full control requests: Quick Assist now includes warnings and requires users to check a box acknowledging the security implications of sharing their screen. This adds a layer of helpful “security friction” by prompting users who may be multitasking or preoccupied to pause to complete an authorization step.

Kelly Bissell: A cybersecurity pioneer combating fraud in the new era of AI

Kelly Bissell’s journey into cybersecurity began unexpectedly in 1990. Initially working in computer science, Kelly was involved in building software for healthcare patient accounting and operating systems at Medaphis and Bellsouth, now AT&T.

His interest in cybersecurity was sparked when he noticed someone logged into a phone switch attempting to get free long-distance calls and traced the intruder back to Romania. This incident marked the beginning of Kelly’s career in cybersecurity.

“I stayed in cybersecurity hunting for bad actors, integrating security controls for hundreds of companies, and helping shape the NIST security frameworks and regulations such as FFIEC, PCI, NERC-CIP,” he explains.

Currently, Kelly is Corporate Vice President of Anti-Fraud and Product Abuse within Microsoft Security. Microsoft’s fraud team employs machine learning and AI to build better detection code and understand fraud operations. They use AI-powered solutions to detect and prevent cyberthreats, leveraging advanced fraud detection frameworks that continuously learn and evolve.

“Cybercrime is a trillion-dollar problem, and it’s been going up every year for the past 30 years. I think we have an opportunity today to adopt AI faster so we can detect and close the gap of exposure quickly. Now we have AI that can make a difference at scale and help us build security and fraud protections into our products much faster.”

Previously Kelly managed the Microsoft Detection and Response Team (DART) and created the Global Hunting, Oversight, and Strategic Triage (GHOST) team that detected and responded to attackers such as Storm-0558 and Midnight Blizzard.

Prior to Microsoft, during his time at Accenture and Deloitte, Kelly collaborated with companies and worked extensively with government agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation, where he helped build security systems inside their operations.

His time as Chief Information Security Officer (CISO) at a bank exposed him to addressing both cybersecurity and fraud, leading to his involvement in shaping regulatory guidelines to protect banks and eventually Microsoft.

Kelly has also played a significant role in shaping regulations around the National Institute of Standards and Technology (NIST) and Payment Card Industry (PCI) compliance, which helps ensure the security of businesses’ credit card transactions, among others.

Internationally, Kelly played a crucial role in helping establish agencies and improve cybersecurity measures. As a consultant in London, he helped stand up the United Kingdom’s National Cyber Security Centre (NCSC), which is part of the Government Communications Headquarters (GCHQ), the equivalent of CISA. Kelly’s efforts in content moderation with several social media companies, including YouTube, were instrumental in removing harmful content.

That’s why he’s excited about Microsoft’s partnership with GASA. GASA brings together governments, law enforcement, consumer protection organizations, financial authorities, internet service providers, cybersecurity companies, and others to share knowledge and define joint actions to protect consumers from getting scammed.

“If I protect Microsoft, that’s good, but it’s not sufficient. In the same way, if Apple does their thing, and Google does their thing, but if we’re not working together, we’ve all missed the bigger opportunity. We must share cybercrime information with each other and educate the public. If we can have a three-pronged approach of tech companies building security and fraud protection into their products, public awareness, and sharing cybercrime and fraudster information with law enforcement, I think we can make a big difference,” he says.

Next steps with Microsoft Security

Methodology: Microsoft platforms and services, including Azure, Microsoft Defender for Office, Microsoft Threat Intelligence, and Microsoft Digital Crimes Unit (DCU), provided anonymized data on threat actor activity and trends. Additionally, Microsoft Entra ID provided anonymized data on threat activity, such as malicious email accounts, phishing emails, and attacker movement within networks. Additional insights are from the daily security signals gained across Microsoft, including the cloud, endpoints, the intelligent edge, and telemetry from Microsoft platforms and services. The $4 billion figure represents an aggregated total of fraud and scam attempts against Microsoft and our customers in consumer and enterprise segments (in 12 months).

The post Cyber Signals Issue 9 | AI-powered deception: Emerging fraud threats and countermeasures appeared first on Microsoft Security Blog.

Categories: Microsoft

Threat actors misuse Node.js to deliver malware and other malicious payloads

Microsoft Malware Protection Center - Tue, 04/15/2025 - 1:00pm

Since October 2024, Microsoft Defender Experts (DEX) has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. While traditional scripting languages like Python, PHP, and AutoIT remain widely used in threats, threat actors are now leveraging compiled JavaScript—or even running the scripts directly in the command line using Node.js—to facilitate malicious activity. This shift in threat actor techniques, tactics, and procedures (TTPs) might indicate that while Node.js-related malware aren’t as prevalent, they’re quickly becoming a part of the continuously evolving threat landscape.

Node.js is an open-source, cross-platform JavaScript runtime environment that allows JavaScript code to run outside of a web browser. It’s widely used and trusted by developers because it lets them build frontend and backend applications. However, threat actors are also leveraging these Node.js characteristics to try to blend malware with legitimate applications, bypass conventional security controls, and persist in target environments.

Among the most recent attacks we’ve observed leveraging Node.js include a malvertising campaign related to cryptocurrency trading that attempts to lure users into downloading a malicious installer disguised as legitimate software. The said campaign is still active as of April 2025. This blog provides details of its attack chain, along with an example of the emerging inline script execution technique. This blog also includes recommendations to help users and defenders reduce the impact of these attacks in their environments.

Malicious ads deliver compiled Node.js executables

Malvertising has been one of the most prevalent techniques in Node.js attacks we’ve observed in customer environments. Attackers use malvertising campaigns to lure targets to fraudulent websites, where the targets then unknowingly download a malicious installer disguised as legitimate software. These fake websites often take advantage of popular themes such as financial services, software updates, and trending applications.

In this campaign, the downloaded installer contains a malicious DLL that gathers system information and sets up a scheduled task for persistence. This sets the stage for its other techniques and activities, such as defense evasion, data collection, and payload delivery and execution.

Figure 1. Overview of the malvertising campaign leveraging Node.js Initial access and persistence

This campaign uses malicious ads with a cryptocurrency trading theme to lure the target user into visiting a website and downloading a malicious installer disguised as a legitimate file from cryptocurrency-trading platforms like Binance or TradingView. This installer is a Wix-built package containing a malicious CustomActions.dll. When launched, the installer loads the DLL, which then gathers basic system information through a Windows Management Instrumentation (WMI) query and creates a scheduled task to ensure persistence of a PowerShell command. Simultaneously, the DLL launches a decoy by opening an msedge_proxy window that displays a legitimate cryptocurrency trading website.

Defense evasion

The created scheduled task runs PowerShell commands designed to exclude both the PowerShell process and the current directory from being scanned by Microsoft Defender for Endpoint. This action prevents subsequent PowerShell executions from being flagged, allowing the attack to continue undisturbed.

Figure 2. Command line used for the exclusions Data collection and exfiltration

With the exclusions set, an obfuscated PowerShell command is then launched through scheduled tasks to continuously fetch and run scripts from remote URLs. These scripts gather detailed system information, including:

Windows information: Registered owner, system root, installed software, email addresses
BIOS information: Manufacturer, name, release date, version
System information: Name, domain, manufacturer, model, domain membership, memory, logical processors, graphics processing units (GPUs), processors, network adapters
Operating system information: Name, version, locale, user access control (UAC) settings, country, language, time zone, install date

All this information is structured into a nested hash table, converted into JSON format, and then sent using HTTP POST to the attacker’s command-and-control (C2) server.

Figure 3. Excerpts from the script that gathers and exfiltrates data Payload delivery

After the data collection activity, another PowerShell script is launched to perform the following actions:

Download an archive file from the C2 and extract its contents, which typically include:
- node.exe (Node.js runtime)
- A JSC file (JavaScript compiled file)
- Several supporting library files/modules
Turn off proxy settings in the Windows registry
Launch the JSC that starts the attack’s next stage

Figure 4. Excerpts from the script that downloads and launches the payload Payload execution

The Node.js executable launches the downloaded JSC file, which then performs the following routines:

Load multiple library modules
Establish network connections
Add certificates to the device
Read and possibly exfiltrate sensitive browser information

These routines might indicate follow-on malicious activities such as credential theft, evasion, or secondary payload execution, which are commonly observed in other malware campaigns leveraging Node.js.

Figure 5. Command line used to launch the JSC file Beyond executables: Inline script execution in Node.js

Another notable technique we’ve observed emerging from campaigns leveraging Node.js involves inline JavaScript execution. In this technique, malicious scripts are run directly through Node.js to facilitate the deployment of malware.

One observed instance of this method was through a ClickFix social engineering attack, which attempts to deceive users into executing a malicious PowerShell command. This command initiates the download and installation of multiple components, including the Node.js binary (node.exe) and additional required modules. Once all the files are in place, the PowerShell script uses the Node.js environment to execute a JavaScript code directly in the command, rather than running it from a file.

The JavaScript further conducts network discovery by executing commands to map the domain structure and identify high-value assets. It also disguises the command-and-control traffic as legitimate Cloudflare activity and gains persistence by modifying registry run keys.

Figure 6. Excerpts from the malicious script, highlighting hardcoded C2 servers Figure 7. Excerpts from the malicious script, highlighting core HTTP functions Recommendations

Organizations can follow these recommendations to mitigate threats associated with Node.js misuse:

Educate users. Warn them about the risks of downloading software from unverified sources.
Monitor Node.js execution. Flag unauthorized node.exe processes.
Enforce PowerShell logging. Turn on script block logging to track obfuscation.
Turn on endpoint protection. Ensure endpoint detection and response (EDR) or extended detection and response (XDR) solutions are actively monitoring script execution.
Restrict outbound C2 communications. Implement firewall rules to block suspicious domains.

Microsoft also recommends the following mitigations to reduce the impact of this threat.

Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Understand and use PowerShell’s execution policies, which control how scripts are loaded and run. Set an appropriate execution policy based on your needs. Remember that execution policy alone is not foolproof; it can be bypassed.
Turn on and monitor PowerShell logging.
- Turn on script block logging, module logging, and transcription. These logs provide a trail of activity and help identify malicious behavior.
- Dive deeper into PowerShell security features.
Turn on tamper protection features to prevent attackers from stopping security services. Combine tamper protection with the DisableLocalAdminMerge setting to prevent attackers from using local administrator privileges to set antivirus exclusions.

Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack techniques:

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.

Suspicious PowerShell download or encoded command execution
Suspicious Task Scheduler activity
Suspicious behavior by powershell.exe was observed
Node binary loading suspicious combination of libraries
Activity that might lead to information stealer
Possible theft of passwords and other sensitive web browser information
Suspicious DPAPI Activity

Microsoft Security Copilot

Incident investigation
Microsoft User analysis
Threat Intelligence 360 report based on MDTI article

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

ClickFix and spoofed IT apps deliver RATs via Node.js over Cloudflare Quick Tunnels

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Suspicious JSC file

DeviceProcessEvents | where isnotempty(DeviceId) | where ProcessVersionInfoOriginalFileName == 'node.exe'   | where (ProcessCommandLine has_all (".jsc", ".js") and ProcessCommandLine matches regex @"\\\w*.jsc")

Suspicious inline JavaScript execution

Identify suspicious inline JavaScript

DeviceProcessEvents | where isnotempty(DeviceId) | where ProcessVersionInfoOriginalFileName == 'node.exe'   | where ProcessCommandLine has_all ('http', 'execSync',  'spawn', 'fs', 'path', 'zlib')

Node.js-based infostealer activity

Detect malicious access to sensitive credentials using Windows DPAPI

DeviceEvents | where isnotempty(DeviceId) | where ActionType == "DpapiAccessed" | where InitiatingProcessParentFileName endswith "powershell.exe" | where InitiatingProcessFileName =~ "node.exe" | where InitiatingProcessCommandLine has_all ("-r", ".js") and InitiatingProcessCommandLine endswith ".jsc" | where AdditionalFields has "SPCryptUnprotect" Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Below are the queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually.

Scheduled Task Creation

Detect network indicators of compromise communication to C2 servers:

let selectedTimestamp = datetime(2025-04-15T00:00:00.0000000Z); let ip = dynamic(['216.245.184.181', '212.237.217.182', '168.119.96.41']); let url = dynamic(['sublime-forecasts-pale-scored.trycloudflare.com', 'washing-cartridges-watts-flags.trycloudflare.com', 'investigators-boxing-trademark-threatened.trycloudflare.com', 'fotos-phillips-princess-baker.trycloudflare.com', 'casting-advisors-older-invitations.trycloudflare.com', 'complement-parliamentary-chairs-hc.trycloudflare.com']); search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceInfo,DeviceNetworkEvents,DeviceNetworkInfo,DnsEvents,SecurityEvent,VMConnection,WindowsFirewall) TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // from April 15th runs the search for last 90 days, change the above selectedTimestamp or 90d accordingly. and (RemoteIP in (ip) or DestinationIP in (ip) or DeviceCustomIPv6Address1 in (ip) or DeviceCustomIPv6Address2 in (ip) or DeviceCustomIPv6Address3 in (ip) or DeviceCustomIPv6Address4 in (ip) or MaliciousIP in (ip) or SourceIP in (ip) or PublicIP in (ip) or LocalIPType in (ip) or RemoteIPType in (ip) or IPAddresses in (ip) or IPv4Dhcp in (ip) or IPv6Dhcp in (ip) or IpAddress in (ip) or NASIPv4Address in (ip) or NASIPv6Address in (ip) or RemoteIpAddress in (ip) or RemoteUrl in (url)) MITRE ATT&CK tactics and techniques observed
Tactic Technique Description Initial Access T1189 Drive-by Compromise Malware is downloaded from malicious websites, such as fake cryptocurrency trading websitesPersistence T1053.005 Scheduled Task/Job: Scheduled Task Ensures persistence by scheduling tasks or modifying registry settingsDefense Evasion T1564.001 Hide Artifacts: Hidden Files and Directories
T1027 Obfuscated Files or Information
T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion Bypasses security controls using hidden files, obfuscation, and sandbox detection Discovery T1082 System Information Discovery Gathers detailed system information, including hardware and software dataCredential Access T1003 OS Credential DumpingExtracts system credentials and browser dataCollection T1005 Data from Local System
T1082 System Information Discovery Captures system details, installed software, emails, BIOS data, running tasks, and network information Command and Control T1071.001 Application Layer Protocol: Web Protocols
T1105 Ingress Tool Transfer Periodically connects to remote servers (for example, Cloudflare tunnels) to send stolen data and receive commandsExfiltration T1041 Exfiltration Over C2 Channel Sends collected data to a remote server through HTTP POST Learn more

To know how Microsoft can help your team stop similar threats and prevent future compromise with human-led managed services, check out Microsoft Defender Experts for XDR.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

The post Threat actors misuse Node.js to deliver malware and other malicious payloads appeared first on Microsoft Security Blog.

Categories: Microsoft

Transforming security with Microsoft Security Exposure Management initiatives

Microsoft Malware Protection Center - Tue, 04/15/2025 - 12:00pm

Just as nature sheds its winter coat, it’s time to prune outdated security measures and plant the seeds of a more robust defense. For years, Microsoft Secure Score has served as a foundational tool for organizations to assess their security posture. By providing a numerical representation of security posture based on configurations and recommended controls within Microsoft products, it has offered valuable baseline measurements and helped organizations benchmark their efforts.

However, as cybersecurity practices have matured, the limitations of relying solely on a single aggregate score have become evident. Security professionals and executives now require more granular insights to track specific objectives, address evolving cyberthreats, and effectively communicate the value of security investments. This shift reflects the need for tools that not only measure progress but also enable proactive transformation. In this blog, we’ll explore how Microsoft Security Exposure Management initiatives build on this foundation to offer a renewed perspective on managing cybersecurity risks.

Learn more about Microsoft Security Exposure Management Bridging the gap between security metrics and business outcomes

A single security score, while useful for general benchmarking, can obscure critical vulnerabilities in specific areas. Customer feedback has revealed the need for security teams to simultaneously monitor multiple metrics to achieve a comprehensive understanding of their security posture. Furthermore, executives often struggle to translate these technical metrics into tangible business outcomes, creating a communication gap between security teams and leadership. This understanding has driven the development of security initiatives to provide scores for various security objectives.

Consequently, when security teams can’t track and communicate risks or improvements effectively, critical projects stall, budgets tighten, and the divide between teams and leadership widens. Microsoft Security Exposure Management addresses these challenges by introducing security initiatives, which provide a simple yet powerful way to assess readiness for specific areas or workloads, helping teams view current risks and allocate resources effectively.

Microsoft Security Exposure Management currently includes the following types of initiatives:

Workload initiatives: Assess and manage risks associated with specific workload domains, such as endpoints, identity resources, and cloud assets.
Horizontal cyberthreat initiatives: Focus on managing risks for specific cyberthreat areas, such as ransomware protection or business email compromise-financial fraud.
Cyberthreat analytics initiatives: Based on up-to-date research from Microsoft threat analytics experts, these initiatives assess risks associated with threat actors and vectors as well as reports with actionable recommendations.
Zero trust initiative: Evaluate risks related to zero trust compliance, aligning with guidance from the zero trust adoption framework.

These initiatives help create a snapshot of an organization’s security posture that both technical teams and business leaders can understand. Helping teams’ scope, discover, prioritize, and validate security findings while ensuring effective communication with stakeholders. Let’s examine some particularly valuable initiatives our customers have found helpful for communicating with leadership.

Learn more about AI-first, end-to-end security at The Microsoft at RSAC Experience Key security initiatives that resonate with leadership

“We spend a lot of time on ransomware protection, so something helpful about the ransomware initiative is that you’re now able to start to appreciate the ‘what’, the ‘why’, and the ‘how’ can I improve not only the score, but where’s the low hanging fruit we can tackle?”

—Joe Lykowski, Cyber Defense Leader at Dow Inc.

Ransomware protection

The Ransomware protection initiative provides metrics that instantly resonate with leadership, showing progress indicators from high exposure (0) to no exposure (100). This initiative helps ensure recommended controls are properly configured and utilized, reducing the risk of successful ransomware attacks. By presenting these concrete metrics, you can demonstrate how implementing Microsoft-recommended controls directly minimizes ransomware risks to the business.

Critical asset protection

The critical asset protection initiative helps security teams identify and prioritize the organization’s most valuable assets, show targeted security measures protecting these assets, and demonstrate reduced exposure of mission-critical systems. Critical assets are based on default rules Microsoft Security Exposure Management determined as critical, but users can also create custom roles to tag additional critical assets. By implementing suggested recommendations to boost the Critical Asset Protection initiative score, the organization lowers the risk of cyberattackers being able to circumvent critical assets.

Identity security initiative

The Identity security initiative protects digital identities against phishing, malware, and data breaches. With identity-based cyberattacks continuing to be the primary entry point for breaches, this initiative provides clear metrics on progress that can be easily communicated to leadership. When presenting to boards or fellow executives, security leaders can show concrete improvements in identity protection posture, helping executives understand how investment in this area directly reduces organizational risk.

Beyond ransomware, critical assets, and identity, Microsoft Security Exposure Management continues to develop initiatives that address other vital areas of security. These include cyberattack surface reduction, which minimizes potential entry points for cyberthreats, and data security posture, which helps organizations understand and improve their ability to protect sensitive information. Please click here for our full list of security initiatives.

Security initiatives enable prioritization based on business impact rather than technical severity. Security metrics show current compliance versus target state, critical asset tags highlight high-business-impact systems, and recommendation scoring shows the relative impact of each change.

This data-driven approach helps security leaders make the case for specific investments by showing how they impact the overall security posture score that matters to executives. When budget discussions arise, security leaders can point to specific initiatives and show exactly how investments will improve scores in the areas that matter most to the business.

Embracing clarity over fragmentation with Microsoft Security Exposure Management

Security initiatives solve the fragmentation problem by organizing security metrics around business objectives rather than technical controls. This shift in approach with help from Microsoft Security Exposure Management initiatives, helps security leaders refresh stale conversations with leadership and align security priorities with business objectives. In focusing on initiatives that matter most to your organization and utilizing their clear metrics, you can transform presentations from technical debates into strategic discussions about business risk.

RSAC 2025

Learn more about AI-first, end-to-end security at The Microsoft at RSAC Experience. From our signature Pre-Day to demos and networking, discover how Microsoft Security can give you the advantage you need in the era of AI.

It’s time to refresh how we communicate security to leadership, replacing technical complexity with clarity, and uncertainty with measurable progress. After all, effective security requires not just strong controls, but strong communication. By leveraging Microsoft Security Exposure Management and our security initiatives, organizations can ensure that security investments are clearly tied to business outcomes and strategic goals, fostering a more collaborative and informed approach to cybersecurity

Learn more with Microsoft Security

To learn more about Microsoft Security Exposure Management, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Transforming security with Microsoft Security Exposure Management initiatives appeared first on Microsoft Security Blog.

Categories: Microsoft

Explore how to secure AI by attending our Learn Live Series

Microsoft Malware Protection Center - Mon, 04/14/2025 - 12:00pm

As organizations develop, use, and increasingly rely on AI applications, they must address new and amplified security risks. Are you prepared to secure your environment for AI adoption? How about identifying threats to your AI and safeguarding data? Register to attend one or all our Learn Live sessions.
Register to attend Learn Live: Security for AI with Microsoft Purview and Defender for Cloud starting April 15

In this month-long webinar series, IT pros and security practitioners can hone their security skillsets with a deeper understanding of AI-centric challenges, opportunities, and best practices using Microsoft Security solutions.

Each session will follow a hosted demo format and cover a Microsoft Learn module (topics listed below). You can ask the SMEs questions via the chat as they show you how to use Microsoft Purview and Microsoft Defender for Cloud to protect your organization in the age of AI.

Learn Live dates/topics include:

April 15 at 12pm PST – Manage AI Data Security Challenges with Microsoft Purview: Microsoft Purview helps you strengthen data security in AI environments, providing tools to handle challenges from AI technology. Learn to safeguard your data and adapt to evolving security challenges in AI technology. This session will help you:
Understand sensitivity labels in Microsoft 365 Copilot
Secure against generative AI data exposure with endpoint Data Loss Prevention
Detect generative AI usage with Insider Risk Management
Dynamically protect sensitive data with Adaptive Protection
April 22 at 12pm PST – Manage Compliance with Microsoft Purview with Microsoft 365 Copilot: Use Microsoft Purview for compliance management with Microsoft 365 Copilot. You’ll learn how to handle compliance aspects of Copilot’s AI functionalities through Purview. This session will teach you how to:
Audit Copilot interactions within Microsoft 365 using Microsoft Purview
Investigate Copilot interactions using Microsoft Purview eDiscovery
Manage Copilot data retention with Microsoft Purview Data Lifecycle Management
Monitor and mitigate risks in Copilot interactions using Microsoft Purview Communication Compliance
April 29 at 12pm PST – Identify and Mitigate AI Data Security Risks: Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations monitor AI activity, enforce security policies, and prevent unauthorized data exposure. Learn how to configure DSPM for AI, track AI interactions, run data assessments, and apply security controls to reduce risks associated with AI usage. You will learn how to:
Explain the purpose and benefits of Microsoft Purview DSPM for AI
Set up and configure DSPM for AI to monitor AI interactions
Identify and analyze AI security risks using reports and insights
Run and review AI data assessments to detect oversharing risks
Apply security policies, such as DLP and sensitivity labels, to protect AI-referenced data
May 13 at 10am PST – Enable Advanced Protection for AI Workloads with Microsoft Defender for Cloud: As organizations use and develop AI applications, they need to address new and amplified security risks. Prepare your environment for secure AI adoption to safeguard your data and identify threats to your AI. This session will help you:
Understand how Defender for Cloud can protect AI workloads
Enable threat protection workloads for AI
Gain application and end user context for AI alerts
Register today for these new sessions. We look forward to seeing you!

If you’re unable to attend a session, don’t worry—the recordings will be made available on-demand via YouTube.

The post Explore how to secure AI by attending our Learn Live Series appeared first on Microsoft Security Blog.

Categories: Microsoft

Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI

Microsoft Malware Protection Center - Wed, 04/09/2025 - 1:00pm

Exchange Server and SharePoint Server are business-critical assets and considered crown jewels for many organizations, making them attractive targets for attacks. To help customers protect their environments and respond to these attacks, Exchange Server and SharePoint Server now integrate with the Windows Antimalware Scan Interface (AMSI), a versatile standard that enables applications and services to work seamlessly with any AMSI-compatible antimalware product. The integration of AMSI with SharePoint and Exchange Server provides an essential layer of protection by preventing harmful web requests from reaching backend endpoints.

Threat actors have consistently relied on outdated or misconfigured assets, exploiting vulnerabilities that enable them to gain a persistent foothold inside the target. For instance, in the case of Exchange Server, ProxyShell and ProxyNotShell vulnerabilities were widely exploited in attacks long after they were fixed by security updates in 2021 and 2022, respectively. In these attacks, threat actors abused a combination of server-side request forgery (SSRF) and privilege escalation flaws, allowing remote code execution. Successful compromise enabled threat actors to drop web shells, conduct lateral movement, and exfiltrate sensitive data, often evading detection for extended periods. More recently, attackers have shifted to NTLM relay and credential leakage techniques. Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them. Attackers exploit NTLM authentication by relaying credentials to a vulnerable server, potentially resulting in target account compromise. Microsoft has released mitigation guidance against NTLM relay attacks.

SharePoint Server has also been a consistent target for attackers exploiting critical vulnerabilities to gain persistent and privileged access inside the target. In recent attacks, stealthy persistence tactics, such as replacing or appending web shell code into existing files like signout.aspx, installing remote monitoring and management (RMM) tools for broader access, and other malicious activities were observed.

While cloud-based software offers some inherent security advantages in software updates and high availability, some organizations’ requirements mean they need to run on-premises Exchange and SharePoint implementations. As cyber threats continue to grow in sophistication, it has never been more important to ensure that the on-premises infrastructure remains secure. This AMSI integration on SharePoint Server and Exchange Server becomes especially important when attackers attempt to exploit security vulnerabilities, particularly zero-days. With AMSI integrated, these malicious attempts are detected and blocked in real-time, offering a critical defense mechanism while organizations work on installing official patches and updates. AMSI detections are surfaced on the Microsoft Defender portal, enabling SecOps teams to investigate, correlate with other malicious activity in the environment, and remediate.

In this blog post, we discuss different types of attacks targeting Exchange and SharePoint, and demonstrate how AMSI is helping organizations protect against these attacks. We also share mitigation and protection guidance, as well as detection details and hunting queries.

AMSI integration

In both SharePoint Server and Exchange Server, AMSI is integrated as a security filter module within the IIS pipeline to inspect incoming HTTP requests before they are processed by the application. The filter is triggered at the onBeginRequest stage through the SPRequesterFilteringModule for SharePoint Server and HttpRequestFilteringModule for Exchange Server, allowing it to analyze incoming requests before they reach authentication and authorization phases. This integration ensures that potential threats are identified before they interact with internal processing, mitigating the risk of exploitation. On detecting a malicious request, the application returns a HTTP 400 Bad Request response.

Figure 1. Overview of AMSI Integration in SharePoint and Exchange Server Figure 2. AMSI protecting against mailbox exfiltration using public tool MailSniper Extending AMSI with request body scan

When AMSI was first integrated, it provided an important layer of defense by scanning incoming request headers. This was crucial for identifying malicious activity, particularly SSRF attempts. However, many modern attacks are now embedded within request bodies, rather than just in the headers. This meant that header-only scans were no longer enough to catch the full range of sophisticated threats.

To address this emerging risk, we added newer improvements in both products. The Exchange Server November release extended capabilities to include scanning of request bodies, ensuring broader protection. A similar improvement is added to SharePoint Server currently in public preview. These enhanced security controls are not enabled by default, making it crucial for organizations to assess for stronger protection.

Microsoft recommends evaluating and enabling these extended options for better protection and visibility. These enhancements are especially important for detecting and mitigating remote code execution vulnerabilities and particularly post-authentication vulnerabilities where SSRF may not be needed. The introduction of request body scanning is a critical step in our commitment to protect these crown jewels against more sophisticated, evasive threats. With the ability to inspect the full content of incoming requests, AMSI now detects a wider range of malicious activities.

Attacks targeting Exchange and SharePoint servers SSRF exploitation

Server-side request forgery (SSRF) can allow attackers to make unauthorized requests on behalf of the server, potentially accessing internal services, metadata endpoints, or even escalating privileges. Attackers can exploit SSRF to bypass authentication mechanisms by leveraging internal API calls. Additionally, by chaining SSRF with additional flaws, attackers could gain unauthorized access to the backend and perform arbitrary remote code execution within the environment.

One example is CVE-2023-29357, a critical authentication bypass vulnerability in SharePoint Server. This flaw allowed attackers to bypass authentication and gain elevated privileges by exploiting improper validation of security tokens. In attacks, this was combined with another vulnerability, CVE-2023-24955, to achieve unauthenticated remote code execution on vulnerable SharePoint servers.

Figure 3. AMSI logs for CVE-2023-29357 with spoofed X-PROOF_TOKEN and Authorization headers

Another example is CVE-2022-41040, an AutoDiscover SSRF vulnerability in Exchange Server. By targeting AutoDiscover, attackers exploited the trust relationships within Exchange to impersonate users and trigger backend functionality that normally requires authentication, laying the groundwork for remote code execution.

Figure 4. AMSI logs for CVE-2022-41040 with malformed Autodiscover Request

AMSI acted as first layer of defense against these incidents, protecting customers against thousands of SSRF attempts observed on a daily basis, thereby breaking the exploitation chain.

Suspicious access indicative of web shell interaction

In many intrusions, attackers drop web shells into public-facing directories. In one such Exchange server compromise, AMSI logged a suspicious .aspx file interaction. This was highlighted by Microsoft Defender for Endpoint simply because there is no .aspx file by that name in the said folder path:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium\.

Attackers often rename web shells to legitimate filenames seen in different folder to avoid suspicion. In this case, the filename getidtoken is a default shipped file but with .htm extension.

Figure 5. suspicious POST request logged in AMSI hinting at web shell interaction

Similar stealthy activities have also been observed for SharePoint. In one case, the attackers modified the legitimate signout.aspx file by appending web shell code. This allowed attackers to create a stealthy backdoor and maintain persistence without raising suspicion.

Figure 6. Modified signout.aspx with web shell code appended at the end

AMSI acts as a real-time inspection and defense layer similar to a web application firewall (WAF) and plays a critical role in detecting and responding to active compromises. AMSI inspects incoming requests, captures malicious web shell interactions, and logs them for analysis. This level of visibility enables Microsoft Defender for Endpoint to pinpoint the exact location of malicious files on disk, such as within Exchange’s Outlook Web Application (OWA), where attackers commonly stage web shells. By correlating AMSI network logs with suspicious activity, Microsoft Defender for Endpoint can locate and remove previously undetected files, effectively cleaning the infected server and mitigating further damage. Importantly, this capability provides durable protection, allowing defenders to monitor and react to threats even in post-compromise scenarios.

Figure 7. Legitimate signout.aspx with hijacked ’username’ parameter supplied with command Suspicious mailbox access through Exchange Web Services (EWS) abuse

Exchange Web Services (EWS) is a core component of Microsoft Exchange that allows programmatic access to mailboxes through SOAP-based APIs. While this is critical for legitimate operations such as Outlook integration, mobile sync, and third-party app, the service is also widely abused by threat actors. Notably, in incidents like CVE-2023-23397, EWS was used post-compromise to search mailboxes for sensitive content and exfiltrate emails over HTTPS, blending in with legitimate traffic.

Attackers leverage EWS’s deep access to perform mailbox searches, download entire inboxes, and set up hidden forwarding rules, often using stolen credentials or after gaining a foothold via another Exchange vulnerability. Attackers commonly abuse EWS APIs — GetFolder, FindItem, and GetItem — to stealthily search and exfiltrate sensitive emails from compromised mailboxes. GetFolder API maps the mailbox structure, which can be used to identify key folders like Inbox and Sent Items. FindItem API allows searching for emails containing specific keywords or supplied datetime filter to retrieve relevant results. Finally, GetItem API is used to view full email contents and attachments.

This API-driven abuse technique blends in with legitimate EWS traffic, making detection challenging without deep content inspection. AMSI addresses this with request body scanning, which enables real-time detection of suspicious search patterns, abnormal access, and targeted email theft. Below is a sequence of suspicious SOAP calls logged by AMSI when attackers attempt to exfiltrate emails.

Figure 8. AMSI logs showing suspicious sequence of SOAP operations seen during remote mailbox access Insecure deserialization leading to RCE

The PowerShell application pool is a privileged component that handles remote PowerShell sessions in Exchange, typically invoked by Exchange Control Panel (ECP) or Exchange Management Shell (EMS). It runs under SYSTEM or high-privileged service accounts, making it a prime target for misuse. After gaining access to backend PowerShell endpoints, attackers can pass crafted cmdlets and arguments that trigger operations such as arbitrary file writes and command execution. This method has been observed in major incidents like ProxyShell and ProxyNotShell, where attackers execute system-level commands via crafted PowerShell requests.

A common pattern seen in these attacks is the use of legitimate management cmdlets like Get-Mailbox, New-MailboxExportRequest, or Set- commands, but with crafted arguments or malicious serialization payloads that trigger code execution in the backend. AMSI now has complete visibility into all the backend PowerShell commands along with the passed arguments to inspect the request buffer for any suspicious API calls such as Process.Start, various file write APIs and Assembly.load.

Figure 9. AMSI logs showing the malicious argument to Get-Mailbox cmdlet. Web control abuse

Exploitation of vulnerabilities like CVE-2024-38094, CVE-2024-38024, and CVE-2024-38023 exemplify attacks that abuse Site owner privileges to execute arbitrary code on the SharePoint server. The exploitation leverages the Business Data Connectivity (BDC) feature and malicious use of the BDCMetadata.bdcm file. This XML-based file defines connections to external data sources but could be abused to reference dangerous .NET classes and methods. Once the malicious .bdcm file is uploaded and registered in SharePoint’s BDC service (using site owner permissions), the attacker can trigger execution by creating an External List or web part that interacts with the BDC model. SharePoint processes this model and reflectively loads and executes the specified method, leading to RCE as the SharePoint service account, which typically has high privileges. With body scan enabled, the complete payload is available for inspection and surfaces LobSystem type as DotNetAssembly hinting at code execution. AMSI’s deep integration enables visibility into the malicious Base64 buffer, which Microsoft Defender for Endpoint leverages to detect and block code execution attempts.

Figure 10. AMSI logs showing upload of malicious .bdcm file with the package content Mitigation and protection guidance

As these attacks show, SharePoint and Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive techniques. Keeping these servers safe from these advanced attacks is of utmost importance. Here are steps that organizations can take:

Activate AMSI on Exchange Server and SharePoint Server. AMSI is a versatile standard that allows applications and services to integrate with any AMSI-capable anti-malware product present on a device. Starting with SharePoint Server Subscription Edition Version 25H1, AMSI extends its scanning capabilities to include the bodies of HTTP requests. The Exchange AMSI body scanning feature was introduced with the Exchange Server November 2024 Security Update (SU). Microsoft recommends updating Exchange Server and SharePoint Server to these versions or later to take advantage of the new improved body scanning feature. This request body scan feature is critical for detecting and mitigating threats that may be embedded in request payloads, providing a more comprehensive security solution. Check prerequisites and learn how to configure AMSI in the following resources:
- AMSI integration with Exchange Server
- Configure AMSI integration with SharePoint Server
Apply the latest security updates. Identify and remediate vulnerabilities or misconfigurations in Exchange and SharePoint Server. Deploy the latest security updates as soon as they become available. Use threat and vulnerability management to audit these servers regularly for vulnerabilities, misconfigurations, and suspicious activity.
Keep antivirus and other protections enabled. It’s critical to protect SharePoint and Exchange servers with antivirus software and other security solutions like firewall protection and MFA. Turn on cloud-delivered protection and automatic sample submission to use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. Use attack surface reduction rules to automatically block behaviors like credential theft and suspicious use of PsExec and WMI. Turn on tamper protection features to prevent attackers from stopping security services. If you are worried that these security controls will affect performance or disrupt operations, engage with IT pros to help determine the true impact of these settings. Security teams and IT pros should collaborate on applying mitigations and appropriate settings.
Review sensitive roles and groups. Review highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Attackers add accounts to these groups to gain foothold on a server. Regularly review these groups for suspicious additions or removal. To identify Exchange/SharePoint -specific anomalies, review the list of users in sensitive roles.
Restrict access. Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords and Enable MFA. Use tools like LAPS.
Prioritize alerts. The distinctive patterns of SharePoint and Exchange server compromise aid in detecting malicious behaviors and inform security operations teams to quickly respond to the initial stages of compromise. Pay attention to and immediately investigate alerts indicating suspicious activities. Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Public facing application pools are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as net.exe, cmd.exe, and powershell.exe originating from these pools or w3wp.exe in general.

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threats on SharePoint Server as the following malware:

Exploit:Script/SPLobSystemRCE.A
Exploit:Script/SPLobSystemRCE.B
Exploit:Script/SPAuthBypass.A

Microsoft Defender Antivirus detects threats on Exchange Server as the following malware:

Exploit:Script/SuspMailboxSearchEWS.A
Exploit:Script/SuspExchgSession.D
Exploit:Script/ExchgProxyRequest

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts might indicate activity related to this threats discussed in this blog. Note, however, that these alerts can be also triggered by unrelated threat activity.

Possible web shell installation
Possible IIS web shell
Suspicious processes indicative of a web shell
Possible IIS compromise
Suspicious Exchange Process Execution
Possible exploitation of Exchange Server vulnerabilities

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used by the threats discussed in this blog:

CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2022-41040, CVE-2022-41082, CVE-2019-0604, CVE-2024-21413, CVE-2023-23397, CVE-2023-36563, CVE-2023-29357, CVE-2023-24955, CVE-2024-38094, CVE-2024-38024, CVE-2024-38023

Microsoft Security Exposure Management

Microsoft Security Exposure Management (MSEM) provides enhanced visibility for important assets by offering customers predefined classification logics for high-value assets. This includes both managed (Microsoft Defender for Endpoint-onboarded) and unmanaged Exchange servers.

Customers can review the device inventory and the critical classification library to identify Exchange servers and consider applying the new security settings on them.

Microsoft Security Copilot

Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Processes run by the IIS worker process

Broadly search for processes executed by the IIS worker process. Further investigation should be performed on any devices where the created process is indicative of reconnaissance.

DeviceProcessEvents | where InitiatingProcessFileName == 'w3wp.exe' | where InitiatingProcessCommandLine contains "MSExchange" or InitiatingProcessCommandLine contains "SharePoint" | where FileName !in~ ("csc.exe","cvtres.exe","conhost.exe","OleConverter.exe","wermgr.exe","WerFault.exe","TranscodingService.exe") | project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Chopper web shell command line

Chopper is one of the most widespread web shells targeting SharePoint and Exchange servers. Use this query to hunt for Chopper web shell activity:

DeviceProcessEvents | where InitiatingProcessFileName =~ "w3wp.exe" and FileName == "cmd.exe" | where ProcessCommandLine has "&cd&echo"

Suspicious files in SharePoint or Exchange directories

DeviceFileEvents | where Timestamp >= ago(7d) | where InitiatingProcessFileName == "w3wp.exe" | where FolderPath has "\\FrontEnd\\HttpProxy\\" or FolderPath has "\\TEMPLATE\\LAYOUTS\\ " or FolderPath has "\\aspnet_client\\" | where InitiatingProcessCommandLine contains "MSExchange" or InitiatingProcessCommandLine contains "Sharepoint" | project FileName,FolderPath,SHA256, InitiatingProcessCommandLine, DeviceId, Timestamp Microsoft Sentinel

Our post on web shell threat hunting with Microsoft Sentinel also provides guidance on looking for web shells in general. The Exchange SSRF Autodiscover ProxyShell detection, which was created in response to ProxyShell, can be used for queries due to functional similarities with this threat. Also, the new Exchange Server Suspicious File Downloads and Exchange Worker Process Making Remote Call queries specifically look for suspicious downloads or activity in IIS logs. In addition to these, we have a few more that could be helpful in looking for post-exploitation activity:

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

The post Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI appeared first on Microsoft Security Blog.

Categories: Microsoft

How cyberattackers exploit domain controllers using ransomware

Microsoft Malware Protection Center - Wed, 04/09/2025 - 12:00pm

In recent years, human-operated cyberattacks have undergone a dramatic transformation. These attacks, once characterized by sporadic and opportunistic attacks, have evolved into highly sophisticated, targeted campaigns aimed at causing maximum damage to organizations, with the average cost of a ransomware attack reaching $9.36 million in 2024.1 A key catalyst to this evolution is the rise of ransomware as a primary tool for financial extortion—an approach that hinges on crippling an organization’s operations by encrypting critical data and demanding a ransom for its release. Microsoft Defender for Endpoint disrupts ransomware attacks in an average of three minutes, only kicking in when more than 99.99% confident in the presence of a cyberattack.

Disrupt ransomware with Microsoft Defender for Endpoint The evolution of ransomware attacks

What is ransomware?

Learn more

Modern ransomware campaigns are meticulously planned. Cyberattackers understand that their chances of securing a ransom increase significantly if they can inflict widespread damage across a victim’s environment. The rationale is simple: paying the ransom becomes the most viable option when the alternative—restoring the environment and recovering data—is technically unfeasible, time-consuming, and costly.

This level of damage happens in minutes and even seconds, where bad actors embed themselves within an organization’s environment, laying the groundwork for a coordinated cyberattack that can encrypt dozens, hundreds, or even thousands of devices within minutes. To execute such a campaign, threat actors must overcome several challenges such as evading protection, mapping the network, maintaining their code execution ability, and preserving persistency in the environment, building their way to securing two major prerequisites necessary to execute ransomware on multiple devices simultaneously:

High-privilege accounts: Whether cyberattackers choose to drop files and encrypt the devices locally or perform remote operations over the network, they must obtain the ability to authenticate to a device. In an on-premises environment, cyberattackers usually target domain admin accounts or other high-privilege accounts, as those can authenticate to the most critical resources in the environment.
Access to central network assets: To execute the ransomware attack as fast and as wide as possible, threat actors aim to achieve access to a central asset in the network that is exposed to many endpoints. Thus, they can leverage the possession of high-privilege accounts and connect to all devices visible in their line of sight.

The role of domain controllers in ransomware campaigns

Domain controllers are the backbone of any on-premises environment, managing identity and access through Active Directory (AD). They play a pivotal role in enabling cyberattackers to achieve their goals by fulfilling two critical requirements:

1. Compromising highly privileged accounts

Domain controllers house the AD database, which contains sensitive information about all user accounts, including highly privileged accounts like domain admins. By compromising a domain controller, threat actors can:

Extract password hashes: Dumping the NTDS.dit file allows cyberattackers to obtain password hashes for every user account.
Create and elevate privileged accounts: Cyberattackers can generate new accounts or manipulate existing ones, assigning them elevated permissions, ensuring continued control over the environment.

With these capabilities, cyberattackers can authenticate as highly privileged users, facilitating lateral movement across the network. This level of access enables them to deploy ransomware on a scale, maximizing the impact of their attack.

2. Exploiting centralized network access

Domain controllers handle crucial tasks like authenticating users and devices, managing user accounts and policies, and keeping the AD database consistent across the network. Because of these important roles, many devices need to interact with domain controllers regularly to ensure security, efficient resource management, and operational continuity. That’s why domain controllers need to be central in the network and accessible to many endpoints, making them a prime target for cyberattackers looking to cause maximum damage with ransomware attacks.

Given these factors, it’s no surprise that domain controllers are frequently at the center of ransomware operations. Cyberattackers consistently target them to gain privileged access, move laterally, and rapidly deploy ransomware across an environment. We’ve seen in more than 78% of human-operated cyberattacks, threat actors successfully breach a domain controller. Additionally, in more than 35% of cases, the primary spreader device—the system responsible for distributing ransomware at scale—is a domain controller, highlighting its crucial role in enabling widespread encryption and operational disruption.

Case study: Ransomware attack using a compromised domain controller

In one notable case, a small-medium manufacturer fell victim to a well-known, highly skilled threat actor, commonly identified as Storm-0300, attempting to execute a widespread ransomware attack:

Pre domain-compromise activity

After gaining initial access, presumably through leveraging the customer’s VPN infrastructure, and prior to obtaining domain admin privileges, the cyberattackers initiated a series of actions focused on mapping potential assets and escalating privileges. A wide, remote execution of secrets dump is detected on Microsoft Defender for Endpoint-onboarded devices and User 1 (domain user) is contained by attack disruption.

Post domain-compromise activity

Once securing domain admin (User 2) credentials, potentially through leveraging the victim’s non-onboarded estate, the attacker immediately attempts to connect to the victim’s domain controller (DC1) using Remote Desktop Protocol (RDP) from the cyberattacker’s controlled device. When gaining access to DC1, the cyberattacker leverages the device to perform the following set of actions:

Reconnaissance—The cyberattacker leverages the domain controller’s wide network visibility and high privileges to map the network using different tools, focusing on servers and network shares.
Defense evasion—Leveraging the domain controller’s native group policy functionality, the cyberattacker attempts to tamper with the victim’s antivirus by modifying security-related group policy settings.
Persistence—The cyberattacker leverages the direct access to Active Directory, creating new domain users (User 3 and User 4) and adding them to the domain admin group, thus establishing a set of highly privileged users that would later on be used to execute the ransomware attack.

Encryption over the network

Once the cyberattacker takes control over a set of highly privileged users, this provides them access to any domain-joined resource, including comprehensive network access and visibility. It will also allow them to set up tools for the encryption phase of the cyberattack.

Assuming they’re able to validate a domain controller’s effectiveness, they begin by running the payload locally on the domain controller. Attack disruption detects the threat actor’s attempt to run the payload and contains User 2, User 3, and the cyberattacker-controlled device used to RDP to the domain controller.

After successfully containing Users 2 and 3, the cyberattacker proceeded to log in to the domain controller using User 4, who had not yet been utilized. After logging into the device, the cyberattacker attempted to encrypt numerous devices over the network from the domain controller, leveraging the access provided by User 4.

Attack disruption detects the initiation of encryption over the network and automatically granularly contains device DC1 and User 4, blocking the attempted remote encryption on all Microsoft Defender for Endpoint-onboarded and targeted devices.

Help secure endpoints with Microsoft Defender for Endpoint Protecting your domain controllers

Given the central role of domain controllers in ransomware attacks, protecting them is critical to preventing large-scale damage. However, securing domain controllers is particularly challenging due to their fundamental role in network operations. Unlike other endpoints, domain controllers must remain highly accessible to authenticate users, enforce policies, and manage resources across the environment. This level of accessibility makes it difficult to apply traditional security measures without disrupting business continuity. Hence, security teams constantly face the complex challenge of striking the right balance between security and operational functionality.

To address this challenge, Defender for Endpoint introduced contain high value assets (HVA), an expansion of our contain device capability designed to automatically contain HVAs like domain controllers in a granular manner. This feature builds on Defender for Endpoint’s capability to classify device roles and criticality levels to deliver a custom, role-based containment policy, meaning that if a sensitive device, such a domain controller, is compromised, it is immediately contained in less than three minutes, preventing the cyberattacker from moving laterally and deploying ransomware, while at the same time maintaining the operational functionality of the device. The ability of the domain controller to distinguish between malicious and benign behavior helps keep essential authentication and directory services up and running. This approach provides rapid, automated cyberattack containment without sacrificing business continuity, allowing organizations to stay resilient against sophisticated human-operated cyberthreats.

Now your organization’s domain controllers can leverage automatic attack disruption as an extra line of defense against malicious actors trying to overtake high value assets and exert costly ransomware attacks.

Learn more

Explore these resources to stay updated on the latest automatic attack disruption capabilities:

Learn more about Microsoft Defender for Endpoint.
Read about the new containment features.
Learn how attack disruption safeguards your domain controllers in this video.
Check out our latest infographic.
Read about automatic attack disruption.

1Average cost per data breach in the United States 2006-2024, Ani Petrosyan. October 10, 2024.

The post How cyberattackers exploit domain controllers using ransomware appeared first on Microsoft Security Blog.

Categories: Microsoft

Exploitation of CLFS zero-day leads to ransomware activity

Microsoft Malware Protection Center - Tue, 04/08/2025 - 2:00pm

Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Microsoft released security updates to address the vulnerability, tracked as CVE-2025-29824, on April 8, 2025.

In addition to discovering the vulnerability, Microsoft also found that the exploit has been deployed by PipeMagic malware. Microsoft is attributing the exploitation activity to Storm-2460, which also used PipeMagic to deploy ransomware. Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access, including handoffs from commodity malware distributors, into privileged access. They then use privileged access for widespread deployment and detonation of ransomware within an environment. Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold.

This blog details Microsoft’s analysis of the observed CLFS exploit and related activity targeting our customers. This information is shared with our customers and industry partners to improve detection of these attacks and encourage rapid patching or other mitigations, as appropriate. A more comprehensive recommendations section, with indicators of compromise and detection details can be found at the end of the blog post.

CVE 2025-29824: A zero-day vulnerability in the Common Log File System (CLFS)

The exploit activity discovered by Microsoft targets a zero-day vulnerability in the Common Log File System (CLFS) kernel driver. Successful exploitation allows an attacker running as a standard user account to escalate privileges. The vulnerability is tracked as CVE-2025-29824 and was fixed on April 8, 2025.

Pre-exploitation activity

While Microsoft hasn’t determined the initial access vectors that led to the devices being compromised, there are some notable pre-exploitation behaviors by Storm-2460. In multiple cases, the threat actor used the certutil utility to download a file from a legitimate third-party website that was previously compromised to host the threat actor’s malware.

The downloaded file was a malicious MSBuild file, a technique described here, that carried an encrypted malware payload. Once the payload was decrypted and executed via the EnumCalendarInfoA API callback, the malware was found to be PipeMagic, which Kaspersky documented in October 2024. Researchers at ESET have also observed the use of PipeMagic in 2023 in connection with the deployment of a zero-day exploit for a Win32k vulnerability assigned CVE-2025-24983. A domain used by the PipeMagic sample was aaaaabbbbbbb.eastus.cloudapp.azure[.]com, which has now been disabled by Microsoft.

CLFS exploit activity

Following PipeMagic deployment, the attackers launched the CLFS exploit in memory from a dllhost.exe process.

The exploit targets a vulnerability in the CLFS kernel driver. It’s notable that the exploit first uses the NtQuerySystemInformation API to leak kernel addresses to user mode. However, beginning in Windows 11, version 24H2, access to certain System Information Classes within NtQuerySystemInformation became available only to users with SeDebugPrivilege, which typically only admin-like users can obtain. This meant that the exploit did not work on Windows 11, version 24H2, even if the vulnerability was present.

The exploit then utilizes a memory corruption and the RtlSetAllBits API to overwrite the exploit process’s token with the value 0xFFFFFFFF, enabling all privileges for the process, which allows for process injection into SYSTEM processes.

As part of the exploitation, a CLFS BLF file with the following path is created by the exploit’s dllhost.exe process: C:\ProgramData\SkyPDF\PDUDrv.blf.

Post-exploitation activity leads to ransomware activity

Upon successful exploitation, a payload is injected into winlogon.exe. This payload then injected the Sysinternals procdump.exe tool into another dllhost.exe and ran it with the following command line:

C:\Windows\system32\dllhost.exe -accepteula -r -ma lsass.exe c:\programdata\[random letters].

Having done this, the actor was able to dump the memory of LSASS and parse it to obtain user credentials.

Then, Microsoft observed ransomware activity on target systems. Files were encrypted and a random extension added, and a ransom note with the name !_READ_ME_REXX2_!.txt was dropped. Microsoft is tracking activity associated with this ransomware as Storm-2460.

Although we weren’t able to obtain a sample of ransomware for analysis, we’re including some notable events surrounding the activity to better help defenders:

Two .onion domains have been seen in the !_READ_ME_REXX2_!.txt ransom notes
- jbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd.onion which has been tied to the RansomEXX ransomware family
- uyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd.onion
The ransomware is launched from dllhost.exe with the command line:

--do [path_to_ransom] (for example, C:\Windows\system32\dllhost.exe --do C:\foobar)

The file extension on the encrypted files is random per device, but the same for every file
Some typical ransomware commands that make recovery or analysis harder are executed, including:
- bcdedit /set {default} recoveryenabled no
- wbadmin delete catalog -quiet
- wevtutil cl Application
In one observed case the actor spawned notepad.exe as SYSTEM

Mitigation and protection guidance

Microsoft released security updates to address CVE 2025-29824 on April 8, 2025. Customers running Windows 11, version 24H2 are not affected by the observed exploitation, even if the vulnerability was present. Microsoft urges customers to apply these updates as soon as possible.

Microsoft recommends the following mitigations to reduce the impact of activity associated with Storm-2460:

Refer to our blog Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself for robust measures to defend against ransomware.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint. Ransomware attackers often identify unmanaged or legacy systems and use these blind spots to stage attacks.
Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. Use Microsoft Defender Vulnerability Management to assess your current status and deploy any updates that might have been missed.
Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:
Use advanced protection against ransomware

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threats associated with this activity as the following malware:

SilverBasket (Win64/Windows)
MSBuildInlineTaskLoader.C (Script/Windows)

Microsoft Defender for Endpoint

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

A process was injected with potentially malicious code
Potential Windows DLL process injection
Suspicious access to LSASS service
Sensitive credential memory read
Suspicious process injection observed
File backups were deleted
Ransomware behavior detected in the file system

Microsoft Security Copilot

Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries Microsoft Sentinel

Search for devices having CVE-2025-29814 exposure

DeviceTvmSoftwareVulnerabilities | where CveId in ("CVE-2025-29814") | project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion, CveId,VulnerabilitySeverityLevel | join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId | project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion, CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Detect CLFS BLF file creation after exploitation of CVE 2025-29824

DeviceFileEvents | where FolderPath has "C:\\ProgramData\\SkyPDF\\" and FileName endswith ".blf"

LSSASS process dumping activity

SecurityEvent | where EventID == 4688 | where CommandLine has("dllhost.exe -accepteula -r -ma lsass.exe") | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer

Ransomware process activity

let cmdlines = dynamic(["C:\\Windows\\system32\\dllhost.exe --do","bcdedit /set {default} recoveryenabled no","wbadmin delete catalog -quiet","wevtutil cl Application"]); DeviceProcessEvents | where ProcessCommandLine has_any (cmdlines) | project TimeGenerated, DeviceName, ProcessCommandLine, AccountDomain, AccountName

PipeMagic and RansomEXX fansomware domains

let domains = dynamic(["aaaaabbbbbbb.eastus.cloudapp.azure.com","jbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd.onion","uyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd.onion"]); DeviceNetworkEvents | where RemoteUrl has_any (domains) | project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort,RemoteIP, RemoteIPType, RemotePort, RemoteUrl Indicators of compromise IndicatorTypeDescriptionC:\ProgramData\SkyPDF\PDUDrv.blfPathDropped during CLFS exploitC:\Windows\system32\dllhost.exe –doCommand lineInjected dllhostbcdedit /set {default} recoveryenabled noCommand lineRansomware commandwbadmin delete catalog -quietCommand lineRansomware commandwevtutil cl ApplicationCommand lineRansomware commandaaaaabbbbbbb.eastus.cloudapp.azure[.]comDomainUsed by PipeMagic References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

The post Exploitation of CLFS zero-day leads to ransomware activity appeared first on Microsoft Security Blog.

Categories: Microsoft

Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity

Microsoft Malware Protection Center - Tue, 04/08/2025 - 12:00pm

Microsoft launched its Cybersecurity Governance Council in 2024, and with it, named a group of deputy chief information security officers that ensure comprehensive oversight of the company’s cybersecurity risk, defense, and compliance. These leaders work in tandem with product and engineering leaders across the company to create accountability and advance cybersecurity protection for Microsoft, our customers, and the industry.

In this series, we will introduce these leaders and share more about their background, their role, and their priorities.

Q: Tell us about your current role and responsibilities.

Igor Sakhnov: “As Microsoft’s Corporate Vice President of Engineering for Identity, I lead data and platform engineering along with business-facing initiatives. Since April 2024, I’ve also served as Deputy Chief Information Security Officer (CISO) focusing on identity-related security risks.”

Mark Russinovich: “In my role, I work with a large team to identify and resolve the security risks that come up and evolve under the Microsoft Azure umbrella, the core operating system itself, and the groups that make up the core engineering systems that the entire company depends on. In all these cases, we want the risk mitigations to be durable so once they’re done, the system stays secure and doesn’t have to be revisited every year.”

Yonatan Zunger: “My job is to try and think about all the different ways in which things involving AI can go wrong, make sure that we have good, thoughtful plans for each of those things, and develop the right tools so we can design and run the right incident response for AI issues.”

Q: How did you get your start in cybersecurity?

Igor Sakhnov: “It didn’t really start in cybersecurity. My journey began with a deep interest in understanding how systems work and how they interact and perform at scale. Inevitably, the hard question of security surfaces and the interesting aspects of detection and prevention become top of mind.”

Mark Russinovich: “I’ve always been interested in the way computers and operating systems work. In junior high I started working with computers and figuring out the internals, then went to college and graduate school in it. There was a natural intersection with cybersecurity and operating systems design since both involve understanding complex systems, and I started doing more with cybersecurity.”

Yonatan Zunger: “I started my career as a theoretical physicist. I joined Google, spent years building search and infrastructure, and in 2011 I became the Chief Technology Officer of social. This was a few months before the launch of Google Plus, and I discovered that the hard parts of the job had nothing to do with technology. Instead, all the hard parts were security and privacy, and those were interesting problems to me. It quickly became clear that using these technologies in the right or wrong way can have a huge impact on people’s lives. That stuck with me, and it caused me to genuinely fall in love with the field.”

Q: What does your team do, and how do you work with others across the company?

Igor Sakhnov: “My team is responsible for the work and innovation in the Identity space, building a large-scale enterprise identity system. Over the past year, the point about larger systems being identity-driven has really come to fruition, with the new efforts that leverage identity in the network flows.”

Mark Russinovich: “My team focuses on technical strategy, architecture, and security risk management for the Azure platform, engineering systems, and core operating systems. We work closely with teams across Microsoft to implement durable security measures. I collaborate with emerging technology teams to understand customer requirements and guide Azure’s development while ensuring security remains a priority in all decisions and implementations.”

Yonatan Zunger: “We’re a very horizontal team and our work has six core pillars: AI research, infrastructure, empowerment, evaluation and review, incident response, and policy and engagement. Within those pillars are a lot of people working on a lot of things, from doing safety and teaching it to people, to thoroughly testing and vetting every piece of generative AI software that goes out the door at Microsoft, to bringing AI expertise into incident responses, to engaging with all sorts of stakeholders across the world, and talking and sharing with them but also listening and learning.”

Learn more about Microsoft Incident Response Q: How do you balance the need for security with the need for innovation in your team?

Igor Sakhnov: “Balancing is important and hard. We strive to integrate security into the development process from the outset, shifting left and avoiding interruptions. No matter how innovative the product is, it will not get adapted if it is not secure or not reliable.”

Mark Russinovich: “I don’t think it’s an either or, but it is a balance. The second something may turn into a widget or service that people will depend on, you need security, but if you create such a hardened system that no one can use it, you’ve wasted time. We have a commitment to our customers that security is always in the driver’s seat, but innovation is holding the road map, and we’re delivering on that.”

Yonatan Zunger: “Engineering is the art of building systems to solve problems. If you’re building a system that isn’t safe and secure, you aren’t solving the customer’s problem, you’re building a system that will give them more problems.”

Q: What are some of the biggest cybersecurity misconceptions that you encounter?

Igor Sakhnov: “The desire to make the perfect solution. This is why ‘assume breach’ is the mindset I cultivated with my team. Yes, we must focus on the protection at all costs, and we should expect that any protection will be circumvented. How we detect, reduce the impact, and mitigate in the shortest time is top of mind.”

Mark Russinovich: “The assumption that unless you can prove to me something is not secure, it’s secure. You of course must invest in prevention, but Microsoft has said for close to a decade now that you have to assume any system can and will be breached, so you have to minimize the impact and increase how you detect and mitigate those breaches.”

Yonatan Zunger: “The idea that security, privacy, and safety are three distinct things. They’re not. If you’ve ever seen a security team, say, ‘That sounds like a privacy problem,’ and a privacy team say, ‘That sounds like a security problem,’ and nobody fixes it, you know where this story ends. Artificial boundaries like these are a factory of nasty incidents.”

Assume breach and verify each request with the Zero Trust model Q: What’s one piece of advice you would give to your younger self?

Igor Sakhnov: “Shift focus from the local improvements and invest heavily into the influence to shift larger organization for all to move in the needed direction. Microsoft’s Secure Future Initiative is a notable example where a central push supersedes all the local innovation we have done over the years.”

Mark Russinovich: “I don’t look back and think about things that I’ve done wrong, but for those that are just starting out in a career or in life, I’d say this: When you find an area that you’re passionate about, learn that area and the areas around it, and learn one level deeper than you think necessary to be effective. My father gave me that advice and it’s what inspired me to pursue computers.”

Yonatan Zunger: “If you ever find yourself in a relationship where you can’t fully be yourself…leave.”

Microsoft Secure

To see these innovations in action, join us on April 9, 2025 for Microsoft Secure, a digital event focused on security in the age of AI.

Across identity, cloud ecosystems, and privacy, these leaders have independently arrived at similar conclusions: security enables rather than restricts, perfect protection is impossible, but resilience is achievable, and everyone—from engineers to customers—plays a role in defense.

Microsoft’s security transformation isn’t just about technology. It’s about people like Igor Sakhnov, Mark Russinovich, and Yonatan Zunger who demonstrate the diverse leadership needed to strengthen Microsoft’s security posture for our customers and the industry.

Watch for more profiles in this series as we highlight additional deputy chief information security officers, including leaders overseeing cloud infrastructure, customer security, threat intelligence, and more.

RSAC 2025

The post Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity appeared first on Microsoft Security Blog.

Categories: Microsoft

Tech Accelerator: Azure security and AI adoption

Microsoft Malware Protection Center - Mon, 04/07/2025 - 12:00pm

Are you looking for guidance on how to effectively integrate security best practices within your Azure and AI projects? We know the pace of technological innovation offers as many opportunities as it does challenges. However, security cannot be an afterthought as you create Azure deployments and accelerate AI solutions.

That’s why we’re inviting you to attend Tech Accelerator: Azure Security and AI Adoption on April 22. Designed for developers and cloud architects, this one-day virtual event will equip you with the essential guidance and resources you need to securely plan, build, manage, and optimize your Azure deployments and AI projects.

Why should you attend?

During this event, you will learn how to leverage Microsoft security guidance, products, and tooling throughout your cloud journey – from the time you consider Azure to the point that you’re regularly managing and optimizing workloads. Discover how Microsoft protects its platform, how to identify security risks in your Azure environments, protect your infrastructure from security threats, design secure AI environments, and build and protect your AI applications.

What can you expect?

During this event, you’ll have the opportunity to:

Learn from the experts: Get in-depth technical guidance from Microsoft experts to secure your Azure deployments and AI applications.
Engage with the community: Connect with fellow developers, cloud architects, and IT professionals.

Event details

Dates: April 22, 2025
Duration: 8:00-11:30 AM Pacific Time
Format: One keynote + six 25-minute sessions with technical guidance and demos

April 22, 2025: Session Time Security: An essential part of your Azure and AI journey (keynote) 8:00 AM PT Secure by design: Azure datacenter and hardware security 8:30 AM PT Azure platform security: Embedded features and use cases 9:00 AM PT Enhancing security for cloud migration 9:30 AM PT How to secure your AI environment 10:00 AM PT How to design and build secure AI projects 10:30 AM PT Safeguard AI applications with Microsoft Defender for Cloud 11:00 AM PT

All sessions will be streamed live on the Microsoft Tech Community platform with live Q&A during the event with the speakers and subject experts. Q&A will close at 12:00 PM PT on Friday, April 25, 2025. Sessions will be available on demand immediately, so you can watch at your convenience.

Registration is not required. On each session page, you can find an Add to calendar link. Click the Attend button on the page to receive reminders. Please post questions early and often; we’re here to help!

Please save the date and join us: https://aka.ms/AzureEssentialsEvent

The post Tech Accelerator: Azure security and AI adoption appeared first on Microsoft Security Blog.

Categories: Microsoft

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft Malware Protection Center - Thu, 04/03/2025 - 12:00pm

As Tax Day approaches in the United States on April 15, Microsoft has observed several phishing campaigns using tax-related themes for social engineering to steal credentials and deploy malware. These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection. These campaigns lead to phishing pages delivered via the RaccoonO365 phishing-as-a-service (PhaaS) platform, remote access trojans (RATs) like Remcos, and other malware like Latrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader.

Every year, threat actors use various social engineering techniques during tax season to steal personal and financial information, which can result in identity theft and monetary loss. These threat actors craft campaigns that mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. Although these are well-known, longstanding techniques, they could still be highly effective if users and organizations don’t use advanced anti-phishing solutions and conduct user awareness and training.

In this blog, we share details on the different campaigns observed by Microsoft in the past several months leveraging the tax season for social engineering. This also includes additional recommendations to help users and organizations defend against tax-centric threats. Microsoft Defender for Office 365 blocks and identifies the malicious emails and attachments used in the observed campaigns. Microsoft Defender for Endpoint also detects and blocks a variety of threats and malicious activities related but not limited to the tax threat landscape. Additionally, the United States Internal Revenue Service (IRS) does not initiate contact with taxpayers by email, text messages or social media to request personal or financial information.

BruteRatel C4 and Latrodectus delivered in tax and IRS-themed phishing emails

On February 6, 2025, Microsoft observed a phishing campaign that involved several thousand emails targeting the United States. The campaign used tax-themed emails that attempted to deliver the red-teaming tool BRc4 and Latrodectus malware. Microsoft attributes this campaign to Storm-0249, an access broker active since 2021 and known for distributing, at minimum, BazaLoader, IcedID, Bumblebee, and Emotet malware. The following lists the details of the phishing emails used in the campaign:

Example email subjects:

Notice: IRS Has Flagged Issues with Your Tax Filing
Unusual Activity Detected in Your IRS Filing
Important Action Required: IRS Audit

Example PDF attachment names:

lrs_Verification_Form_1773.pdf
lrs_Verification_Form_2182.pdf
lrs_Verification_Form_222.pdf

The emails contained a PDF attachment with an embedded DoubleClick URL that redirected users to a Rebrandly URL shortening link. That link in turn redirected the browser to a landing site that displayed a fake DocuSign page hosted on a domain masquerading as DocuSign. When users clicked the Download button on the landing page, the outcome depended on whether their system and IP address were allowed to access the next stage based on filtering rules set up by the threat actor:

If access was permitted, the user received a JavaScript file from Firebase, a platform sometimes misused by cybercriminals to host malware. If executed, this JavaScript file downloaded a Microsoft Software Installer (MSI) containing BRc4 malware, which then installed Latrodectus, a malicious tool used for further attacks.
If access was restricted, the user received a benign PDF file from royalegroupnyc[.]com. This served as a decoy to evade detection by security systems.

Figure 1. Sample phishing email that claims to be from the IRS Figure 2. PDF attachment masquerading as a DocuSign document

Latrodectus is a loader primarily used for initial access and payload delivery. It features dynamic command-and-control (C2) configurations, anti-analysis features such as minimum process count and network adapter check, C2 check-in behavior that splits POST data between the Cookie header and POST data. Latrodectus 1.9, the malware’s latest evolution first observed in February 2025, reintroduced scheduled tasks for persistence and added the ability to run Windows commands via the command prompt.

BRc4 is an advanced adversary simulation and red-teaming framework designed to bypass modern security defenses, but it has also been exploited by threat actors for post-exploitation activities and C2 operations.

Phishing email with QR code in a PDF links to RaccoonO365 infrastructure

Between February 12 and 28, 2025, tax-themed phishing emails were sent to over 2,300 organizations, mostly in the United States in the engineering, IT, and consulting sectors. The emails had an empty body but contained a PDF attachment with a QR code and subjects indicating that the documents needed to be signed by the recipient. The QR code pointed to a hyperlink associated with a RaccoonO365 domain: shareddocumentso365cloudauthstorage[.]com. The URL included the recipient email as a query string parameter, so the PDF attachments were all unique. RaccoonO365 is a PhaaS platform that provides phishing kits that mimic Microsoft 365 sign-in pages to steal credentials. The URL was likely a phishing page used to collect the targeted user’s credentials.

The emails were sent with a variety of display names, which are the names that recipients see in their inboxes, to make the emails appear as if they came from an official source. The following display names were observed in these campaigns:

EMPLOYEE TAX REFUND REPORT
Project Funding Request Budget Allocation
Insurance Payment Schedule Invoice Processing
Client Contract Negotiation Service Agreement
Adjustment Review Employee Compensation
Tax Strategy Update Campaign Goals
Team Bonus Distribution Performance Review
proposal request
HR|Employee Handbooks

Figure 3. Screenshot of the opened PDF with the QR code AHKBot delivered in IRS-themed phishing emails

On February 13, 2025, Microsoft observed a campaign using an IRS-themed email that targeted users in the United States. The email’s subject was IRS Refund Eligibility Notification and the sender was jessicalee@eboxsystems[.]com.

The email contained a hyperlink that directed users to download a malicious Excel file. The link (hxxps://business.google[.]com/website_shared/launch_bw[.]html?f=hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document[.]xlsm) abused an open redirector on what appeared to be a legitimate Google Business page. It redirected users to historyofpia[.]com, which was likely compromised to host the malicious Excel file. If the user opened the Excel file, they were prompted to enable macros, and if the user enabled macros, a malicious MSI file was downloaded and run.

The MSI file contained two files. The first file, AutoNotify.exe, is a legitimate copy of the executable used to run AutoHotKey script files. The second file, AutoNotify.ahk, is an AHKBot Looper script which is a simple infinite loop that receives and runs additional AutoHotKey scripts. The AHKBot Looper was in turn observed downloading the Screenshotter module, which includes code to capture screenshots from the compromised device. Both Looper and Screenshotter used the C2 IP address 181.49.105[.]59 to receive commands and upload screenshots.

Figure 4. Screenshot of the email showing the link to download a malicious Excel file Figure 5. Macro code to install the malicious MSI file from hxxps://acusense[.]ae/umbrella/ GuLoader and Remcos delivered in tax-themed phishing emails

On March 3, 2025, Microsoft observed a tax-themed phishing campaign targeting CPAs and accountants in the United States, attempting to deliver GuLoader and Remcos malware. The campaign, which consisted of less than 100 emails, began with a benign rapport-building email from a fake persona asking for tax filing services due to negligence by a previous CPA. If the recipient replied, they would then receive a second email with the malicious PDF. This technique increases the click rates on the malicious payloads due to the established rapport between attacker and recipient.

The malicious PDF attachment contained an embedded URL. If the attachment was opened and the URL clicked, a ZIP file was downloaded from Dropbox. The ZIP file contained various .lnk files set up to mimic tax documents. If launched by the user, the .lnk file uses PowerShell to download a PDF and a .bat file. The .bat file in turn downloaded the GuLoader executable, which then installed Remcos.

Figure 6. Sample phishing email shows the original benign request for tax filing services, followed by another email containing a malicious PDF attachment if the target replies. Figure 7. The PDF attachment contains a prominent blue “Download” button that links to download of the malicious payload. The button is overlaid over a blurred background mimicking a “W-2” tax form, which further contributes to the illusion of the attachment being a legitimate tax file.

GuLoader is a highly evasive malware downloader that leverages encrypted shellcode, process injection, and cloud-based hosting services to deliver various payloads, including RATs and infostealers. It employs multiple anti-analysis techniques, such as sandbox detection and API obfuscation, to bypass security defenses and ensure successful payload execution.

Remcos is a RAT that provides attackers with full control over compromised systems through keylogging, screen capturing, and process manipulation while employing stealth techniques to evade detection.

Mitigation and protection guidance

Microsoft recommends the following mitigations to reduce the impact of this threat.

Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.
Turn on Zero-hour auto purge (ZAP) in Defender for Office 365 to quarantine sent mail in response to newly-acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
Pilot and deploy phishing-resistant authentication methods for users.
Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices in all locations at all times.
Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites including phishing sites, scam sites, and sites that contain exploits and host malware.
Educate users about using the browser URL navigator to validate that upon clicking a link in search results they have arrived at an expected legitimate domain.
Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
Enable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Run endpoint detection and response (EDR) in block mode, so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components used in the campaigns shared in this blog as the following:

Microsoft Defender for Endpoint

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

Possible Latrodectus activity
Brute Ratel toolkit related behavior
A file or network connection related to ransomware-linked actor Storm-0249 detected
Suspicious phishing activity detected

Microsoft Defender for Office 365

Microsoft Defender for Office 365 offers enhanced solutions for blocking and identifying malicious emails. These alerts, however, can be triggered by unrelated threat activity.

A potentially malicious URL click was detected
Email messages containing malicious URL removed after delivery
Email messages removed after delivery
A user clicked through to a potentially malicious URL
Suspicious email sending patterns detected
Email reported by user as malware or phish

Defender for Office 365 also detects the malicious PDF attachments used in the phishing campaign launched by Storm-0249.

Microsoft Security Copilot

Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft Defender Threat Intelligence

Hunting queries Microsoft Sentinel

Furthermore, listed below are some sample queries utilizing Sentinel ASIM Functions for threat hunting across both Microsoft first-party and third-party data sources.

Hunt normalized Network Session events using the ASIM unifying parser _Im_NetworkSession for IOCs:

let lookback = 7d; let ioc_ip_addr = dynamic(["181.49.105.59 "]); _Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now()) | where DstIpAddr in (ioc_ip_addr) | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Hunt normalized File events using the ASIM unifying parser imFileEvent for IOCs:

let ioc_sha_hashes=dynamic(["fe0b2e0fe7ce26ae398fe6c36dae551cb635696c927761738f040b581e4ed422","bb3b6262a288610df46f785c57d7f1fa0ebc75178c625eaabf087c7ec3fccb6a","9728b7c73ef25566cba2599cb86d87c360db7cafec003616f09ef70962f0f6fc", "3c482415979debc041d7e4c41a8f1a35ca0850b9e392fecbdef3d3bc0ac69960","165896fb5761596c6f6d80323e4b5804e4ad448370ceaf9b525db30b2452f7f5","a31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7", "a1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727","0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36a","4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222bec","9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e"]); imFileEvent | where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes) | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0]) | extend AlgorithmType = "SHA256"

Hunt normalized Web Session events using the ASIM unifying parser _Im_WebSession for IOCs:

let lookback = 7d; let ioc_domains = dynamic(["slgndocline.onlxtg.com ", "cronoze.com ", "muuxxu.com ", "proliforetka.com ", "porelinofigoventa.com ", "shareddocumentso365cloudauthstorage.com", "newsbloger1.duckdns.org"]); _Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=ioc_domains) | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

In addition to the above, Sentinel users can also leverage the following queries, which may be relevant to the content of this blog.

Indicators of compromise

BruteRatel C4 and Lactrodectus infection chain

IndicatorTypeDescription9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1eSHA-256lrs_Verification_Form_1730.pdf0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36aSHA-256Irs_verif_form_2025_214859.js4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222becSHA-256bars.msia1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727SHA-256BRc4, filename: nvidiamast.dllhxxp://rebrand[.]ly/243eaaDomain nameURL shortener to load fake DocuSign pageslgndocline.onlxtg[.]comDomain nameDomain used to host fake DocuSign pagecronoze[.]comDomain nameBRc4 C2muuxxu[.]comDomain nameBRc4 C2proliforetka[.]comDomain nameLatrodectus C2porelinofigoventa[.]comDomain nameLatrodectus C2hxxp://slgndocline.onlxtg[.]com/87300038978/URLFake DocuSign URLhxxps://rosenbaum[.]live/bars.phpURLJavaScript downloading MSI

RaccoonO365

IndicatorTypeDescriptionshareddocumentso365cloudauthstorage[.]comDomain nameRaccoonO365 domain

AHKBot

IndicatorTypeDescriptiona31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7SHA-256Tax_Refund_Eligibility_Document.xlsm165896fb5761596c6f6d80323e4b5804e4ad448370ceaf9b525db30b2452f7f5SHA-256umbrella.msi3c482415979debc041d7e4c41a8f1a35ca0850b9e392fecbdef3d3bc0ac69960SHA-256AutoNotify.ahk9728b7c73ef25566cba2599cb86d87c360db7cafec003616f09ef70962f0f6fcSHA-256AHKBot Screenshotter modulehxxps://business.google[.]com/website_shared/launch_bw.html?f=hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document.xlsmURLURL redirecting to URL hosting malicious Excel filehxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document.xlsmURLURL hosting malicious Excel filehxxps://acusense[.]ae/umbrella/URLURL in macro that hosted the malicious MSI file181.49.105[.]59IP addressAHKBot C2

Remcos

IndicatorTypeDescriptionbb3b6262a288610df46f785c57d7f1fa0ebc75178c625eaabf087c7ec3fccb6aSHA-2562024 Tax Document_Copy (1).pdffe0b2e0fe7ce26ae398fe6c36dae551cb635696c927761738f040b581e4ed422SHA-2562024 Tax Document.ziphxxps://www.dropbox[.]com/scl/fi/ox2fv884k4mhzv05lf4g1/2024-Tax-Document.zip?rlkey=fjtynsx5c5ow59l4zc1nsslfi&st=gvfamzw3&dl=1URLURL in PDFnewsbloger1.duckdns[.]orgDomain nameRemcos C2 References

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

The post Threat actors leverage tax season to deploy tax-themed phishing campaigns appeared first on Microsoft Security Blog.

Categories: Microsoft

Transforming public sector security operations in the AI era

Microsoft Malware Protection Center - Tue, 04/01/2025 - 12:00pm

The cyberthreat landscape is evolving at an unprecedented pace, becoming increasingly dangerous and complex. Nation-state threat actors and cybercriminals are employing advanced tactics and generative AI to execute highly sophisticated attacks. This situation is further compounded by outdated technology and systems, shortage of cybersecurity talent, and antiquated processes, which are inefficient in handling the scale, complexity, and ever-evolving nature of these cyberattacks. With 62% of all cyberattacks targeting public sector organizations, it is crucial for these sectors to leverage state-of-the-art technology, powered by generative AI, to transform their cyber defense and stay ahead of these evolving threats.1

Microsoft’s Unified Security Operations for Public Sector

Discover how Microsoft helps public sectors modernize security operations to enhance cyber defense and streamline processes.

Read the datasheet Microsoft’s unified security operations for public sector

Embracing modern security technology, processes, and continuous skill development is vital for protecting public sector organizations. By leveraging innovations powered by generative AI, unparalleled threat intelligence, and best practices, public sectors can transform their security operations to effectively defend against emerging cyberthreats.

AI-powered security operations: Microsoft delivers innovations to effectively protect against today’s complex threat landscape. The AI-powered unified security operations platform offers an enhanced and streamlined approach to security operations by integrating security information and event management (SIEM), security orchestration, automation, and response (SOAR), extended detection and response (XDR), posture and exposure management, cloud security, threat intelligence, and AI into a single, cohesive experience, eliminating silos and providing end-to-end security operations (SecOps). The unified platform boosts analyst efficiency, reduces context switching, and delivers quicker time to value with less integration work.

Microsoft is committed to helping public sector customers accelerate threat detection and response through improved security posture across organizations with richer insights, multi-tenant management, early warnings, and increased efficiency through automation and generative AI. Through automatic attack disruption, Microsoft Defender XDR utilizes robust threat intelligence, advanced AI and machine learning to detect and contain sophisticated cyberattacks in real time, significantly reducing their impact. This high-fidelity detection and protection capability disrupts more than 40,000 incidents each month, like identity threats and human-operated cyberattacks, while maintaining a false positive rate below 1%.

“Speed is an important factor against adversaries, and gaining situational awareness across a complex landscape of threats is therefore key.”

—Customer in the healthcare industry

People and process modernization: Public-private partnerships play a vital role in fostering the exchange of best practices and developing standardized processes that drive efficiency in incident response and threat intelligence sharing. For example, adapting the threat triage process to leverage generative AI agents can enable teams to scale significantly with agents autonomously analyzing and triaging vast volumes of alerts in real time, prioritize critical cyberthreats, and recommend specific remediation steps based on historical patterns. These collaborations also empower organizations to build teams equipped with cutting-edge skills and a comprehensive understanding of generative AI capabilities, helping them stay ahead of emerging cyberthreats.

Collective cyber defense and threat intelligence: Using Microsoft’s global threat intelligence insights, public sector organizations can collaborate with each other and across other sectors to share deeper cyberthreat insights efficiently. This partnership enables public sector organizations to exchange threat intelligence in a standardized manner within a region or country.

“Collective defense collaborations are driven by mutual interests with industry peers and cybersecurity alliances on improving security postures and responding more effectively to emerging threats.”

—Customer in the transport industry

The power of generative AI in cyber operations

Generative AI brings several transformative benefits to cybersecurity, making it a cornerstone for public sector security operations center (SOC) modernization.

Enhanced threat detection and response: Generative AI has the potential to sift through data from firewalls, endpoints, and cloud workloads, surfacing actionable cyberthreats that might go unnoticed in manual reviews. Unlike traditional rule-based detection methods, generative AI can identify attack patterns, adapt to emerging cyberthreats, and prioritize incidents based on risk severity, helping security teams focus on the most critical issues. Generative AI can go beyond simply surfacing cyberthreats; it can contextualize attack signals, predict potential breaches, and recommend guided responses for remediation strategies, reducing the burden on security analysts. Microsoft Security Copilot is already covering a range of use cases and is expanding rapidly to seize the full potential of generative AI. By providing guided incident investigation and response, Security Copilot helps security operations center (SOC) teams to detect and respond to cyberthreats more effectively. It can help teams to learn about malicious actors and campaigns, provide rapid summaries, and even contact the user to check for suspicious behavior. Adoption is associated with 30% reduction in security incident mean time to resolution (MTTR).2

Reduced operational overheads: By automating routine tasks, generative AI can free analysts from repetitive processes like alert triage or patch validation, enabling them to focus on advanced threat hunting. Security teams can already leverage Security Copilot to translate complex scripts into natural language, highlighting and explaining key parts to enhance team skills and reduce investigation time for advanced investigations as much as by 85%, helping security teams operate at scale.3

“Increased support from AI is critical given the significant capacity challenge in the public sector: a shortage of talent, an influx of threats, and an ever-increasing volume of data, assets, and organizations.”

—National SOC customer

Building a resilient digital future together

As nation-state threat actors and cybercriminals increasingly employ generative AI in their cyberattacks, public sector organizations can no longer rely on fragmented, manual defenses. The path forward lies in public-private collaboration, centered on co-designing and innovating solutions tailored to the public sector’s unique needs.

By adopting Microsoft Security solutions, public sector organizations can leverage combined resources, expertise, and cutting-edge technology to fortify critical infrastructure, safeguard citizen data, and strengthen public trust.

Now is the time to act: Modernize your cyber defense in the AI era to collectively forge a more secure and resilient digital future for government and public sector operations.

Learn more

Learn more about the AI-Powered Security Operations Platform for more details on the unified Security Operations platform.

Learn more about Microsoft Sentinel.

1Microsoft Digital Defense Report 2024

2Generative AI and Security Operations Center Productivity: Evidence from Live Operations, Microsoft study. James Bono, Alec Xu, Justin Grana. November 24, 2024.

3Forrester Total Economic Impact™ of Microsoft Sentinel. The Total Economic Impact(TM) Of Microsoft Sentinel, a commissioned study conducted by Forrester Consulting, March 2024. Results are based on a composite organization representative of interviewed customers.

The post Transforming public sector security operations in the AI era appeared first on Microsoft Security Blog.

Categories: Microsoft

Biographical Information Summary - This is Just a Summary Joe Pearce
About Joe Pearce joeintenn
Links Joe Pearce
Flounder's Keylime Pie is the Best in the World, At Least I Think So... Joe Pearce
Harley Ride Joe Pearce
Cobra with New Cover Joe Pearce
Mustang Cobra After Ceramic Coating Joe Pearce
Carter County Cruise In Joe Pearce
2003 Ford Mustang SVT Cobra Convertible NAPA Auto Car Show Top 10 Joe Pearce
Ponies in the Smokies - Mustang Trophy Joe Pearce

Microsoft

Faster, more personalized service begins at the frontline with Microsoft Intune

Explore practical best practices to secure your data with Microsoft Purview

New whitepaper outlines the taxonomy of failure modes in AI agents

Understanding the threat landscape for Kubernetes and containerized assets

Securing our future: April 2025 progress report on Microsoft’s Secure Future Initiative

Microsoft’s Secure by Design journey: One year of success

Cyber Signals Issue 9 | AI-powered deception: Emerging fraud threats and countermeasures

Threat actors misuse Node.js to deliver malware and other malicious payloads

Transforming security with Microsoft Security Exposure Management initiatives

Explore how to secure AI by attending our Learn Live Series

Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI

How cyberattackers exploit domain controllers using ransomware

Exploitation of CLFS zero-day leads to ransomware activity

Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity

Tech Accelerator: Azure security and AI adoption

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Transforming public sector security operations in the AI era

Welcome to Joe Pearce's Home Page.

Web page offered by Joe Pearce © 2004 - 2025 - All rights reserved.

Thanks to the ETSU Computer and Information Sciences Department.

Thanks to the NSTCC Computer and Information Sciences and Computer Engineering Technologies Department.

This is my Favicon.

You are here

Microsoft

Welcome to Joe Pearce's Home Page.

Web page offered by Joe Pearce © 2004 - 2025 - All rights reserved.

Thanks to the ETSU Computer and Information Sciences Department.

Thanks to the NSTCC Computer and Information Sciences and Computer Engineering Technologies Department.

This is my Favicon.