Threat management

Protect data from malware and attacks

Threat management includes protection from both malicious software and attacks against systems and networks. Microsoft products and services have built-in protection features to help defend your data against malware and other types of threats.

Microsoft cloud services help you protect against malware threats in multiple ways. Microsoft Antimalware is built for the cloud, and additional antimalware protections are provided in specific services. Denial-of-service (DoS) attacks can deny access to important resources and result in lost productivity, so Microsoft builds its services to defend against such attacks. Windows server and client operating systems include multiple technologies for protecting against these threats at the local level.

Secure identity

Microsoft threat management technologies help protect systems against malware, in both cloud and on-premises environments. Malware is a leading cause of identity compromise. It can run in the background and collect information, such as user names and passwords, and transmit them back to the attacker. With stolen credentials, an attacker can access, modify, or destroy your valuable data. If the compromised account has administrative privileges, the attacker can change system or account settings and do much more damage. Thus, an important element in keeping user identities secure is protecting them from the effects of malicious software.

Secure infrastructure

Security technologies

Microsoft uses many security technologies and practices to protect the cloud infrastructure and on-premises networks against modern, sophisticated threats:

  • Antimalware components and services for cloud services, virtual machines (VMs), and Windows clients and servers help identify and remove viruses, spyware, and other malicious software. Antimalware also provides real-time protection, on-demand scanning, basic configuration management, and monitoring. Microsoft Antimalware for Azure cloud services and virtual machines is built on the same antimalware platform as other Microsoft malware protection products, and provides a single-agent solution for applications and tenant environments.
  • Distributed denial-of-service defenses protect Microsoft's cloud services from network-layer high-volume attacks that choke network pipes and packet-processing capabilities by flooding the network with packets. Microsoft provides a distributed denial-of-service (DDoS) defense system that is part of the Azure continuous monitoring and penetration-testing processes. The Azure DDoS defense system is designed not only to withstand attacks from the outside, but also from other Azure tenants. The Azure DDoS defense technology provides detection and mitigation techniques such as SYN cookies, rate limiting, and connection limits to help ensure that network-layer high-volume attacks on the platform itself do not impact customer environments. Application-layer attacks, on the other hand, are direct attacks launched against a customer deployment. The Azure DDoS defense system doesn’t provide mitigation or actively block network traffic affecting individual customer deployments, as it's not possible for the system to interpret the expected behavior of customer applications.
  • Advanced Threat Analytics is technology that monitors normal usage patterns for networks, systems, and users, and employs machine learning to flag any behavior that is out of the ordinary. Advanced Threat Analytics uses information derived from networked devices and heuristics to detect suspicious activity that may indicate a threat; it then sends real-time alerts so that you can mount a response to protect your assets.

Microsoft threat management technologies were developed based on our experience addressing emerging threats in the public cloud, private cloud, and datacenter environments, and are driven by the “assume breach” approach.

Learn more about the assume breach approach

Microsoft Red Teaming

Threat management processes are designed to adapt quickly to the changing threat landscape. Highly specialized groups of security experts, known as the Red Team, use their expertise to strengthen threat detection, response, and defense for Microsoft enterprise cloud services. They simulate real-world breaches, conduct continuous security monitoring, and practice security incident response to validate and improve the security of the services.

Learn more about Microsoft Red Teaming

Secure apps and data

Expand all

  • Microsoft Antimalware for Azure cloud services and virtual machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. You can configure alerts to inform you when known malicious or unwanted software attempts to install itself or run on your Azure systems. When malware is detected, Antimalware automatically responds by acting to delete or quarantine malicious files and clean up malicious registry entries.

    Learn more about Antimalware for cloud services and VMs
  • Distributed denial-of-service defenses. To protect its cloud services, Microsoft provides a distributed denial-of-service (DDoS) defense system that is part of the Azure continuous monitoring and penetration-testing processes. The Azure DDoS defense system is designed not only to withstand attacks from the outside, but also from other Azure tenants. Azure uses standard detection and mitigation techniques such as SYN cookies, rate limiting, and connection limits to protect against DDoS attacks.

  • Threat management partners. In addition to the robust security benefits built into Azure, Microsoft offers a rich array of additional security products for Azure that are built to meet your unique security needs.

    Find the right threat management partner in the Azure Marketplace
  • Azure Security Center (Security Center) provides a centralized portal from which you can secure your Azure deployments and prevent, detect, respond to threats, and increase visibility into the security of your Azure resources. Security Center also provides focused security recommendations and rapid deployment of integrated partner technologies. It uses behavioral analytics and machine learning for effective threat detection and helps you build an attack timeline for faster remediation.

    Learn more about Azure Security Center

Microsoft Dynamics 365 is built using Microsoft Antimalware to help you protect against online threats. To help mitigate threats, we employ intrusion detection, distributed denial-of-service (DDoS) attack prevention, regular penetration testing, and data analytics and machine learning tools.

Microsoft Intune includes Intune Endpoint Protection, and allows you to set policies to help ensure that computers are kept up to date with the latest antimalware definition updates. Intune can also deliver malware protection to PCs. When a PC is enrolled in Intune, a check is performed to see if any third-party antimalware solution is installed. If it is, the Intune malware protection agent will install, but will remain in a disabled state. If no antimalware solution exists, the Intune agent will be enabled and will begin protecting the PC from malware, spyware, and viruses.

Learn more about managing the cloud with Windows Intune

Microsoft Office 365 includes configurable options for Microsoft antimalware/antispam protection. Office 365 uses multi-engine antimalware scanning to protect incoming, outgoing, and internal messages from malicious software transferred through email. Administrators can manage antimalware/antispam controls in the Office 365 admin center; individual users can manage their safe senders and blocked senders from within their inboxes in Microsoft Outlook or Microsoft Outlook on the web. Office 365 also includes features that can mitigate the effects of malware attacks, including ransomware attacks.

Learn more about antimalware and antispam protection in Office 365

Office 365 uses defense-in-depth security principles to protect against internal and external risks. The Microsoft strategy for defending against DoS attacks is somewhat unique due to our scale and global footprint. Our size allows us to use strategies and techniques that few organizations (whether providers or customer organizations) can match. The cornerstone of our DoS strategy is leveraging our global presence. Microsoft engages with Internet providers, peering providers (public and private), and private corporations all over the world, giving us a significant Internet presence (which currently doubles about every 18 months). Having such a large presence enables Microsoft to absorb attacks across a very large surface area.

Learn more about defending Office 365 against DoS attacks

Exchange Online Protection provides email protection features that are deployed across a global network of datacenters, including multilayered, real-time antispam, and multi-engine antimalware protection.

Learn more about Exchange Online Protection

Exchange Online Advanced Threat Protection provides real-time protection from unknown and sophisticated attacks on your email. It also protects email from unsafe attachments and provides real-time, time-of-click protection from malicious links that are included in messages. Exchange Online Advanced Threat Protection complements the security features of Exchange Online Protection to help provide you with better protection from zero-day attacks on your organization’s email.

Learn more about Exchange Online Advanced Threat Protection

Power BI runs on the Azure infrastructure, and uses the threat management protections that are built into Azure. Specifically, Power BI helps protect against threats by separating the front-end web cluster from the back-end cluster, where activity and access to data are handled. It creates a further boundary on the back-end cluster between the Gateway and API Management roles and other roles that are accessible only by the system. Because only the Gateway and API Management roles are accessible over the Internet, this helps protect against DDoS attacks and unauthorized access.

Learn more about the Power BI architecture and security

Visual Studio Team Services (Team Services) helps protect customers against threats to data availability, service ability, service security, and data privacy. Team Services is hosted entirely in Azure datacenters and takes advantage of the threat management capabilities inherent in the core Azure services. The Team Services team also has procedures to protect data from accidental or malicious deletion, as well as backups of data to use in case of accidental deletion. Live-site management processes minimize the time to detect, respond to, and mitigate impacting issues.

A malicious DoS attack can affect service availability, but Azure has a DoS defense system that helps prevent attacks against Team Services. It uses standard detection and mitigation techniques such as SYN cookies, rate limiting, and connection limits. The system is designed not only to withstand attacks from the outside but also from within Azure. For application-specific attacks that could penetrate the Azure defense systems, Team Services establishes application and account level quotas and throttling to prevent any overuse of key service resources during an attack or accidental misuse of resources.

Learn more about how Team Services protects against threats

Windows Server, whether deployed on-premises or in the cloud, contains valuable data that must not be compromised. Windows Server 2016 has numerous built-in defenses to protect against common threats, including: