Microsoft Security

From the Cloud Security Alliance Congress EMEA: How IP addresses associated with malware infected devices help protect Microsoft cloud customers

  • Tim Rains

Recently, I delivered a keynote at the Cloud Security Alliance Congress EMEA in Rome, Italy. The speaker list at this conference was impressive and the attendees had great questions and diverse perspectives to share.

During my keynote I talked about many different things related to security and privacy. One topic that garnered a lot of attention was how Microsoft’s Digital Crimes Unit (DCU) tracks malware around the world and uses this information not only to disrupt and take down malware, but to help Microsoft’s cloud service customers understand if systems used to connect to their cloud services are potentially infected by botnets.

The DCU sinkholes IP addresses associated with infected devices following the antimalware operations it performs. These IP addresses are geo-located using publicly available information that maps each address to a latitude and longitude. Figure 1 below depicts malware infections in Rome, Italy (the CSA Congress EMEA conference location). The figure illustrates detections for Citadel, Bamital, Zeus, ZeroAccess and other notorious malware families. The taller columns indicate a higher number of infections for the different malware families. This data reflects all infected machines that communicated with the DCU’s malware sinkhole in a 90 day period.

Figure 1: The volume of IP addresses associated with infected devices from malware operations by the DCU in Rome communicating with Microsoft’s sinkhole in a 90 day period.


The DCU has taken action to disrupt all the malware seen in Figure 1 over the past several years and provides lists of IP addresses associated with infected devices to ISPs and CERTs via Microsoft’s Cyber Threat Intelligence Program (C-TIP).

Another way Microsoft uses these IP addresses is to help inform our cloud customers when devices used to sign into the cloud appear to be infected by malware. Microsoft correlates the IP addresses of systems that sign into Microsoft Azure Active Directory Premium-based services against the IP addresses that the DCU has seen communicating with its malware sinkhole. Figure 2 illustrates an example of the type of report that customers get access to. This feature is only available to Microsoft Azure Active Directory Premium customers.
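To make the correlation concrete, here is an added example (not Microsoft's code, and not how the Azure Active Directory Premium report is implemented) that joins a sign-in log against a sinkhole feed. The feed format, the log format, the 90 day look-back and every IP address, user and timestamp in it are constructed assumptions; the logic is what the paragraph describes: a sign-in whose client IP was recently seen talking to the sinkhole is flagged as coming from a possibly infected device, tagged with the malware families observed from that address.

```python
"""Correlate cloud sign-in events against a malware sinkhole IP feed.

Added example, not Microsoft's code. Feed and log formats, field names and
all data below are constructed assumptions for illustration only.
"""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed sinkhole feed: (IP, malware family, last time the IP reached the sinkhole).
# Documentation-range addresses (RFC 5737 / RFC 3849), not real infected hosts.
SINKHOLE_FEED = [
    ("203.0.113.17", "Citadel", "2014-10-02T08:15:00Z"),
    ("203.0.113.17", "Zeus", "2014-09-20T11:00:00Z"),       # same IP, second family
    ("198.51.100.5", "Bamital", "2014-06-01T00:00:00Z"),    # stale: older than 90 days
    ("2001:db8::1234", "ZeroAccess", "2014-10-10T22:40:00Z"),  # IPv6 entry
]

# Constructed sign-in log: timestamp, user, client IP, result (one event per line).
SIGNIN_LOG = """\
2014-10-15T09:12:03Z,alice@contoso.example,203.0.113.17,success
2014-10-15T09:14:50Z,bob@contoso.example,192.0.2.44,success
2014-10-15T10:01:11Z,carol@contoso.example,198.51.100.5,success
2014-10-15T10:30:00Z,dave@contoso.example,2001:db8::1234,failure
2014-10-15T11:00:00Z,erin@contoso.example,not-an-ip,success
"""

LOOKBACK = timedelta(days=90)  # assumed window, mirroring the 90 day period in the post


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_index(feed, now):
    """Map each sinkhole IP seen within LOOKBACK of `now` to the set of families observed."""
    index = {}
    for ip_text, family, last_seen in feed:
        if now - parse_ts(last_seen) > LOOKBACK:
            continue  # stale sighting: the device may have been cleaned since
        # ip_address() normalises IPv4 and IPv6 text so lookups are exact, not string matches
        index.setdefault(ip_address(ip_text), set()).add(family)
    return index


def correlate(log_text, feed, now):
    """Return the sign-in events whose client IP matches a recent sinkhole sighting."""
    index = build_index(feed, now)
    flagged = []
    for line in log_text.splitlines():
        ts, user, ip_text, result = line.split(",")
        try:
            ip = ip_address(ip_text)
        except ValueError:
            continue  # malformed client address in the log; skip rather than crash the job
        families = index.get(ip)
        if families:
            # Failed sign-ins are kept too: a credential attempt from an infected device is still useful to know
            flagged.append({
                "time": ts, "user": user, "ip": str(ip),
                "result": result, "families": sorted(families),
            })
    return flagged


if __name__ == "__main__":
    now = parse_ts("2014-10-16T00:00:00Z")  # constructed "current" time
    for event in correlate(SIGNIN_LOG, SINKHOLE_FEED, now):
        print(f"{event['time']} {event['user']} from {event['ip']} "
              f"({event['result']}): possibly infected, families={event['families']}")
```

Two design points carry over to any real implementation. First, the match is on the client IP only, so a hit means "possibly infected": a corporate NAT or carrier-grade NAT address shared by many devices will flag every user behind it, which is why the report in Figure 2 is a signal for investigation rather than proof that a particular device is compromised. Second, sinkhole sightings age out: an address seen months ago may belong to a device that has since been cleaned or re-assigned, so the example ignores sightings older than its look-back window instead of treating the feed as a permanent blocklist.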

Figure 2: An example report illustrating “sign ins from possibly infected devices” available to Microsoft Azure Active Directory Premium customers.


This innovative feature, which marries the DCU’s global malware tracking capabilities with the power of Microsoft Azure Active Directory Premium, provides an extra layer of protection for Microsoft’s cloud customers.

I’d like to thank the Cloud Security Alliance and all the attendees for the warm welcome they gave me in Rome.