Microsoft Support & Discussions
Microsoft Windows, Windows Server software, Microsoft 365, Microsoft Azure or any other Microsoft product discussions and help.
84,928 topics in this forum
Since I published my last blog, Five identity priorities for 2020, COVID-19 has upended the way we work and socialize. Now that physical distancing has become essential to protect everyone’s health, more people than ever are going online to connect and get things done. As we all adjust to a new daily routine, the organizations we work for are turning to technology to help us collaborate and stay productive. In these challenging times, identity can make life simpler, both for people working from home and for IT administrators charged with keeping their environments secure. In my previous blog, I advised connecting all applications and cloud resources to Azure Active Dir…
With the bulk of end users now working remotely, legacy network architectures that route all remote traffic through a central corporate network are suddenly under enormous strain. The result can be poorer performance, productivity, and user experience. Many organizations are now rethinking their network infrastructure design to address these issues, especially for applications like Microsoft Teams and Office 365. At Microsoft, for example, we adopted split tunneling as part of our VPN strategy. Our customers have asked us for guidance on how to manage security in this changing environment. An architecture that routes all remote traffic back to the corporate network was…
I doubt I’d be in the role I am now if leaders at one of my first jobs hadn’t taken an interest in my career. Although I taught myself to code when I was young, I graduated from college with a degree in English Literature and began my post-college career in editorial. I worked my way up to Assistant Editor at a math and science college textbook publisher located in Boston, Massachusetts. I was responsible for acquisitions and training on the software that the company distributed with its textbooks. The senior editors sent me to a conference in Florida to train the sales team on how to present the software to professors. This is where I met Jennifer. Jennifer headed u…
Artificial intelligence (AI) and connected devices have fueled digital transformation in the utilities industry. These technological advances promise to reduce costs and increase the efficiency of energy generation, transmission, and distribution. They’ve also created new vulnerabilities. Cybercriminals, nation state actors, and hackers have demonstrated that they are capable of attacking a nation’s power grid through internet-connected devices. As utilities and their suppliers race to modernize our infrastructure, it’s critical that cybersecurity measures are prioritized. In the first blog in the “Defending the power grid against cyberattacks” series, I walked through…
Following a short hiatus, Astaroth came back to life in early February sporting significant changes in its attack chain. Astaroth is an info-stealing malware that employs multiple fileless techniques and abuses various legitimate processes to attempt running undetected on compromised machines. The updated attack chain, which we started seeing in late 2019, maintains Astaroth’s complex, multi-component nature and continues its pattern of detection evasion. (Figure 1. Microsoft Defender ATP data showing revival of Astaroth campaigns. Figure 2. Geographic distribution of Astaroth campaigns this year, with majority of encounters recorded in Brazil.) When we fir…
The world has changed in unprecedented ways in the last several weeks due to the coronavirus pandemic. While it has brought out the best in humanity in many ways, as with any crisis it can also attract the worst in some. Cybercriminals use people’s fear and need for information in phishing attacks to steal sensitive information or spread malware for profit. Even as some criminal groups claim they’ll stop attacking healthcare and nursing homes, the reality is they can’t fully control how malware spreads. While phishing and other email attacks are indeed happening, the volume of malicious emails mentioning the coronavirus is very small. Still, customers are asking us wha…
Right now, we have a lot of concerns. For our families and colleagues. For our businesses and our customers. Many of us are now working remotely, and all of us have had our day-to-day lives impacted in unique ways. At Microsoft, our top priority is the health and safety of our employees, customers, partners, and communities. We have been evaluating the public health situation, and we understand the impact this is having on you, our valued customers. To ease one of the many burdens you are currently facing, and based on customer feedback, we have decided to delay the scheduled end of service date for the Enterprise, Education, and IoT Enterprise editions of Windows 10…
From the way our industry tackles cyber threats, to the language we have developed to describe these attacks, I’ve long been a proponent of challenging traditional schools of thought—traditional cyber-norms—and encouraging our industry to get outside its comfort zones. It’s important to expand our thinking in how we address the evolving threat landscape. That’s why I’m not a big fan of stereotypes; looking at someone and saying they “fit the mold.” Looking at my CV, one would think I wanted to study law, or politics, not become a cybersecurity professional. These biases and unconscious biases shackle our progression. The scale of our industry challenges is too great, and …
I’m proud to announce that Microsoft is positioned as a Leader in The Forrester Wave: Enterprise Detection and Response, Q1 2020. Among the Leaders in the report, Microsoft received the highest score in the current offering category. Microsoft also received the highest score of all participating vendors in the extended capabilities criteria. We believe Microsoft’s position as a Leader in this Forrester Enterprise Detection and Response Wave is not only a recognition of the value we deliver with our endpoint detection and response capabilities through Microsoft Defender Advanced Threat Protection (ATP), but recognition for our customers for their help in defining a market-…
Gaining kernel privileges by taking advantage of legitimate but vulnerable kernel drivers has become an established tool of choice for advanced adversaries. Multiple malware attacks, including RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron, and campaigns by the threat actor STRONTIUM, have leveraged driver vulnerabilities (for example, CVE-2008-3431, CVE-2013-3956, CVE-2009-0824, CVE-2010-1592, etc.) to gain kernel privileges and, in some cases, effectively disable security agents on compromised machines. Defending against these types of threats—whether those that live off the land by using what’s already on the machine or those that bring in vulnerable drivers as…
Since the initial launch of Windows 10 in 2015, many of you have sought release-over-release efficiencies to ensure that the devices and users in your environments remain protected and productive. Based on discussions with, and feedback received from enterprise customers around the world, we recognize that the journey of keeping devices up to date and, more specifically, building “update velocity,” isn't always clear. To provide clarity to IT professionals managing Windows 10 environments, today we published an in-depth guide on Optimizing Windows 10 update adoption. In this guide, you'll find details on best practices and tips to help you increase update velocity, inc…
Terraform is a tool that enables you to completely automate infrastructure builds through configuration files. It provides versioning for configurations, which makes it easy to deploy and maintain your existing Windows Virtual Desktop deployments on Microsoft Azure. The following guide describes how to deploy a new host pool or modify an existing host pool within Windows Virtual Desktop using Terraform. Note: Terraform is an open source tool hosted in GitHub. As such, it is published "as is" with no implied support from Microsoft or any other organization. However, we would like to welcome you to open issues using GitHub issues to collaborate toward future imp…
With many employees suddenly working from home, there are things an organization and employees can do to help remain productive without increasing cybersecurity risk. While employees in this new remote work situation will be thinking about how to stay in touch with colleagues and coworkers using chat applications, shared documents, and replacing planned meetings with conference calls, they may not be thinking about cyberattacks. CISOs and admins need to look urgently at new scenarios and new threat vectors as their organizations become a distributed organization overnight, with less time to make detailed plans or run pilots. Based on our experiences working with cus…
At the end of February, Microsoft announced the FIDO2 passwordless support for hybrid environments. The integration of FIDO2-based YubiKeys and Azure Active Directory (Azure AD) is a game changer. It combines the ubiquity of Azure AD, the usability of YubiKey, and the security of both solutions to put us on the path to eliminate passwords in the enterprise. Think about that for a moment. Imagine never being asked to change your password again, no more password spreadsheets or vault apps. No more phishing and password spray! Would it be too much to compare it to the moon landing? Probably. But it’s at least as monumental to security as the introduction of passwords themsel…
Do you know all the software your company uses? The software supply chain can be complex and opaque. It’s comprised of software that businesses use to run operations, such as customer relationship management (CRM), enterprise resource planning (ERP), and project management. It also includes the third-party components, libraries, and frameworks that software engineers use to build applications and products. All this software can be difficult to track and can be vulnerable to attack if not known and/or not managed properly. In the U.S. Department of Defense’s Defense Federal Acquisition Regulation Supplement, a supply chain risk is defined as “the risk that an adversary …
The Windows Insider Program gives you access to preview builds of Windows 10 and Windows Server 2019, so that you can try out new features and provide feedback directly to Microsoft. In essence, it helps you help us create smarter and better products that work the way you want. If you use Windows 10 at work, or have users that use Windows 10 at work, and would like to participate in the Windows Insider Program, we offer the Windows Insider Program for Business. The Windows Insider Program for Business offers benefits, such as the ability to manage the use of Windows Insider Preview builds across your organization and the ability to submit feedback that will help shape …
We have released the March security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide. The post "March 2020 security updates are available" appeared first on Microsoft Security Response Center.
Cybersecurity can often feel like a game of whack-a-mole. As our tools get better at stopping one type of attack, our adversaries innovate new tactics. Sophisticated cybercriminals burrow their way into network caverns, avoiding detection for weeks or even months, as they gather information and escalate privileges. If you wait until these advanced persistent threats (APT) become visible, it can be costly and time-consuming to address. It’s crucial to augment reactive approaches to cybersecurity with proactive ones. Human-led threat hunting, supported by machine-learning-powered tools like Azure Sentinel, can help you root out infiltrators before they access sensitive data…
In today’s threat landscape—overrun by fileless malware that live off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, human-operated attacks that adapt to what adversaries find on compromised machines, and other sophisticated threats—behavioral blocking and containment capabilities are a critical component of the unified endpoint protection delivered by Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Behavioral blocking and containment capabilities leverage multiple Microsoft Defender ATP components and features to immediately stop attacks before they can progress. For example, next-generation…
When we published our first blog about the Microsoft Detection and Response Team (DART) in March of 2019, we described our mission as responding to compromises and helping our customers become cyber-resilient. In pursuit of this mission we had already been providing onsite reactive incident response and remote proactive investigations to our customers long before our blog. And our response expertise has been leveraged many times by government and commercial entities around the world to help secure their most sensitive, critical environments. When our team works on the frontlines of cybersecurity, chasing adversaries in many different digital estates on a daily basis, o…
For the past 15 years, organizations have been using Configuration Manager, now part of Microsoft Endpoint Manager, to perform upgrades to new operating systems, and we have seen many organizations use Configuration Manager task sequences to migrate to Windows 10. Configuring a task sequence for operating system deployments requires prior knowledge, research, and several steps to ensure that the correct conditions are met for an upgrade. Configuring and verifying prerequisites, compatibility, and logging can be time consuming—and has a high risk for human error. Our Microsoft FastTrack team has been doing a lot of work to make this whole process easier. Today, I want t…
Human-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today. In these hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors. They exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network. These attacks are known to take advantage of network config…
In 2020, many IT executives will roll out or expand their implementation of Multi-Factor Authentication (MFA) to better safeguard identities. This is one of the key findings of a survey conducted by Pulse Q&A for Microsoft in October 2019. Specifically, 59 percent of executives will implement or expand MFA within three to six months. Another 26 percent will do so within 12 months. These executives are initiating these projects because they believe that MFA provides better security preparedness. They’re right. MFA, which requires that users authenticate with at least two factors, can reduce the risk of identity compromise by as much as 99.9 percent over passwords alon…
With Multi-Factor Authentication (MFA) and single sign-on (SSO) being a few of the most effective countermeasures against modern threats, organizations should consider a Cloud Identity as a Service (IDaaS), and MFA solution, like Azure Active Directory (AD). Here are seven benefits: Azure AD is simple to set up and works with almost everything, meaning once identity is in the cloud, it may be accessed by any entity that requires access and used for all on-premises and cloud applications. Azure AD MFA—using the Microsoft Authenticator app—is one of the easiest MFA solutions for users to adopt and one of the fastest ways to take a passwordless approach. To learn mo…