The world has changed in unprecedented ways in the last several weeks due to the coronavirus pandemic. While it has brought out the best in humanity in many ways, as with any crisis it can also attract the worst in some. Cybercriminals use people’s fear and need for information in phishing attacks to steal sensitive information or spread malware for profit. Even as some criminal groups claim they’ll stop attacking healthcare and nursing homes, the reality is they can’t fully control how malware spreads.
While phishing and other email attacks are indeed happening, the volume of malicious emails mentioning the coronavirus is very small. Still, customers are asking us what Microsoft is doing to help protect them from these types of attacks, and what they can do to better protect themselves. We thought this would be a useful time to recap how our automated detection and signal-sharing works to protect customers (with a specific recent example) as well as share some best practices you can use personally to stay safe from phishing attempts.
What Microsoft is doing
First, 91 percent of all cyberattacks start with email. That’s why the first line of defense is doing everything we can to block malicious emails from reaching you in the first place. A multi-layered defense system that includes machine learning, detonation, and signal-sharing is key in our ability to quickly find and shut down email attacks.
All attachments and links are detonated (opened in isolated virtual machines), and machine learning, anomaly analyzers, and heuristics are used to detect malicious behavior. If any of these mechanisms detects a malicious email, URL, or attachment, the message is blocked and never reaches your inbox. Human security analysts continuously evaluate user-submitted reports of suspicious mail to provide additional insights and to train the machine learning models.
Once a file or URL is identified as malicious, the information is shared with other services such as Microsoft Defender Advanced Threat Protection (ATP) to ensure endpoint detection benefits from email detection, and vice versa.
An interesting example of this in action occurred earlier this month, when an attacker launched a spear-phishing campaign that lasted less than 30 minutes.
Attackers crafted an email designed to look like a legitimate supply chain risk report for food coloring additives with an update based on disruptions due to coronavirus. The attachment, however, was malicious and delivered a sophisticated, multi-layer payload based on the Lokibot trojan (Trojan:Win32/Lokibot.GJ!MTB).
Had this payload been successfully deployed, hackers could have used it to steal credentials for other systems—in this case FTP accounts and passwords—which could then be used for further attacks.
Only 135 customer tenants were targeted, with a spray of 2,047 malicious messages, but no customers were impacted by the attack. The Office 365 ATP detonation service, signal-sharing across services, and human analysts worked together to stop it.
And thanks to signal sharing across services, customers who were not using a Microsoft email service like Office 365, hosted Exchange, or Outlook.com, but were using a Windows PC with Microsoft Defender enabled, were also protected. When a user attempted to open the malicious attachment from a non-Microsoft email service, Microsoft Defender queried its cloud-based machine learning models, which returned a block verdict based on the earlier Office 365 ATP cloud detection. The attachment was prevented from executing on the PC and the customer was protected.
What you can do
While bad actors are attempting to capitalize on the COVID-19 crisis, they are using the same tactics they always do, so the same defenses apply. Be especially vigilant now and take these steps to protect yourself.
Make sure your devices have the latest security updates installed and an antivirus or anti-malware service. For Windows 10 devices, Microsoft Defender Antivirus is a free built-in service enabled through Settings. Turn on cloud-delivered protection and automatic sample submission to enable artificial intelligence (AI) and machine learning to quickly identify and stop new and unknown threats.
Use multi-factor authentication (MFA) on all your accounts. Most online services now provide a way to use your mobile device or other methods to protect your accounts in this way. Here’s information on how to use Microsoft Authenticator and other guidance on this approach.
MFA support is available as part of the Azure Active Directory (Azure AD) Free offering. Learn more here.
Educate yourself, friends, and colleagues on how to recognize phishing attempts and report suspected encounters. Here are some of the tell-tale signs.
- Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have an editorial staff to ensure customers get high-quality, professional content. If an email message is riddled with errors, it is likely to be a scam. Note that the reverse does not hold: a well-written message is not proof of legitimacy, so check the other signs below as well.
- Suspicious links. If you suspect that an email message is a scam, do not click on any links. One method of testing the legitimacy of a link is to rest your mouse—but not click—over the link to see if the address matches what was typed in the message. In the following example, resting the mouse on the link reveals the real web address in the box with the yellow background. Note that the string of IP address numbers looks nothing like the company’s web address.
- Suspicious attachments. If you receive an email with an attachment from someone you don’t know, or an email from someone you do know but with an attachment you weren’t expecting, it may be a phishing attempt, so we recommend you do not open any attachments until you have verified their authenticity. Attackers use multiple techniques to try and trick recipients into trusting that an attached file is legitimate.
  - Do not trust the icon of the attachment; it is chosen by the file, not verified by the mail client.
  - Be wary of multiple file extensions, such as “pdf.exe”, “rar.exe”, or “txt.hta”. Windows runs a file according to its last extension, and File Explorer hides known extensions by default, so “report.pdf.exe” can be displayed simply as “report.pdf”.
  - If in doubt, contact the person who sent you the message through a channel you already trust (not by replying to the message) and ask them to confirm that the email and attachment are legitimate.
- Threats. These emails create a sense of panic or pressure to get you to respond quickly. For example, they may include a statement like “You must respond by end of day,” or warn that you will face financial penalties if you don’t respond.
- Spoofing. Spoofing emails appear to be connected to legitimate websites or companies but take you to phony scam sites or display legitimate-looking pop-up windows.
- Altered web addresses. A form of spoofing in which web addresses closely resemble the names of well-known companies but are slightly altered; for example, “www.micorsoft.com” or “www.mircosoft.com”.
- Incorrect salutation, such as your name misspelled or a name that is not yours.
- Mismatches. The link text and the URL are different from one another; or the sender’s name, signature, and URL are different.
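Several of the signs above (bare-IP links, link text that does not match the real destination, look-alike domains such as “micorsoft.com”, double extensions like “pdf.exe”, and pressure phrases) can be checked mechanically before a message is opened. The following is an added example, not code from the original post or from Microsoft’s products: it runs those heuristics over a constructed sample message using only the Python standard library. The brand allowlist, the executable-extension list, the pressure-phrase list, the sample message, and the edit-distance threshold of 2 are all assumptions chosen for illustration.

```python
"""Heuristic checks for the phishing tell-tale signs listed above, run over a
constructed sample message. Added example; not code from the original post."""
import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: brands the recipient expects mail and links from.
KNOWN_DOMAINS = {"microsoft.com", "office.com"}
# Extensions Windows executes regardless of what precedes them (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "hta", "js", "vbs", "bat", "cmd", "ps1", "pif", "com"}
# Assumed pressure phrases of the "Threats" kind.
URGENCY_PHRASES = ("respond by end of day", "account will be suspended")


class _HtmlCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, plus all visible text."""
    def __init__(self):
        super().__init__()
        self.anchors, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._buf).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; cheap enough for short domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    # Simplification: last two labels (does not handle suffixes like co.uk).
    return ".".join(host.lower().split(".")[-2:])


def domain_findings(host, where):
    """Flag bare IP addresses and near-misses of a known brand domain."""
    try:
        ipaddress.ip_address(host)
        return [("ip_literal", f"{where} uses a bare IP address: {host}")]
    except ValueError:
        pass
    reg = registrable(host)
    return [("lookalike", f"{where} domain {reg} resembles {known}")
            for known in KNOWN_DOMAINS if reg != known and edit_distance(reg, known) <= 2]


def link_findings(href, text):
    """Check the real href and compare it with a URL-looking link text."""
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return []
    out = domain_findings(host, "link")
    if "://" in text or text.lower().startswith("www."):
        shown = text if "://" in text else "http://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and shown_host != host:
            out.append(("mismatch", f"link text shows {shown_host} but goes to {host}"))
    return out


def attachment_findings(filename):
    parts = filename.lower().split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        kind = "double_extension" if len(parts) >= 3 else "executable"
        return [(kind, f"attachment {filename} runs as .{parts[-1]}")]
    return []


def analyze(raw):
    """Return (indicator, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for addr in msg["From"].addresses:
        findings += domain_findings(addr.domain, "sender")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        parser = _HtmlCollector()
        parser.feed(body.get_content())
        for href, text in parser.anchors:
            findings += link_findings(href, text)
        visible = " ".join(parser.text).lower()
        findings += [("urgency", f"pressure phrase: {p}") for p in URGENCY_PHRASES if p in visible]
    for part in msg.iter_attachments():
        findings += attachment_findings(part.get_filename() or "")
    return findings


# Constructed sample message (not a real campaign artifact).
SAMPLE = b"""From: Microsoft Account Team <security@micorsoft.com>
To: user@example.com
Subject: Action required: supply chain risk report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>You must respond by end of day or face financial penalties.</p>
<p>Review the update at <a href="http://198.51.100.23/login">www.microsoft.com/account</a>.</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="risk_report.pdf.exe"
Content-Disposition: attachment; filename="risk_report.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA==
--b1--
"""

if __name__ == "__main__":
    for indicator, detail in analyze(SAMPLE):
        print(f"[{indicator}] {detail}")
```

The sample trips all five indicators: the sender domain is two edits from microsoft.com, the link text names www.microsoft.com while the href goes to a bare IP, the body contains a deadline phrase, and the attachment hides an .exe behind a .pdf. These are heuristics, not verdicts; a clean message from an unlisted brand passes every check, so the allowlist and phrase list are the parts a team would tune for its own environment.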
If you think you’ve received a phishing email, or have followed a link in an email that has taken you to a suspicious website, there are a few ways to report what you’ve found.
If you think the mail you’ve received is suspicious:
- Outlook.com. If you receive a suspicious email message that asks for personal information, select the checkbox next to the message in your Outlook inbox. Select the arrow next to Junk, and then point to Phishing scam.
- Microsoft Office Outlook 2016 and 2019 and Microsoft Office 365. While in the suspicious message, select Report message in the Protection tab on the ribbon, and then select Phishing.
If you’re on a suspicious website:
- Microsoft Edge. While you’re on a suspicious site, select the More (…) icon > Send feedback > Report Unsafe site. Follow the instructions on the web page that displays to report the website.
- Internet Explorer. While you’re on a suspicious site, select the gear icon, point to Safety, and then select Report Unsafe Website. Follow the instructions on the web page that displays to report the website.
If you think you have a suspicious file:
- Submit the file for analysis.
- If you are using Office 365:
  - Admins can use the Submissions portal in the Office 365 Security & Compliance Center to submit email messages, URLs, and attachments to Microsoft for scanning if they were received in one of their users’ Exchange Online mailboxes. More details can be found here.
This is just one area where our security teams at Microsoft are working to protect customers and we’ll share more in the coming weeks. For additional information and best practices for staying safe and productive through remote work, community support and education during these challenging times, visit Microsoft’s COVID-19 resources page for the latest information.