Microsoft security intelligence

Security research, threat intelligence, and Microsoft 365 Defender news.

Featured image for Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop

Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop

One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader. How exactly does the jump from the Solorigate backdoor (SUNBURST) to the Cobalt Strike loader (TEARDROP, Raindrop, and others) happen? What code gets triggered, and what indicators should defenders look for?
Read more Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Featured image for Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender

Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender

This blog is a guide for security administrators using Microsoft 365 Defender and Azure Defender to identify and implement security configuration and posture improvements that harden enterprise environments against Solorigate’s attack patterns.
Read more Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender
Featured image for Using Microsoft 365 Defender to protect against Solorigate

Using Microsoft 365 Defender to protect against Solorigate

This blog is a comprehensive guide for security operations and incident response teams using Microsoft 365 Defender to identify, investigate, and respond to the Solorigate attack if it’s found in your environment.
Read more Using Microsoft 365 Defender to protect against Solorigate
Featured image for Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

We, along with the security industry and our partners, continue to investigate the extent of the Solorigate attack. While investigations are underway, we want to provide the defender community with intel to understand the scope and impact, remediation guidance, and detections and protections we have built as a result.
Read more Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
Featured image for Collaborative innovation on display in Microsoft’s insider risk management strategy

Collaborative innovation on display in Microsoft’s insider risk management strategy

Partnering with organizations like Carnegie Mellon University allows us to bring their rich research and insights to our products and services, so customers can fully benefit from our breadth of signals.  
Read more Collaborative innovation on display in Microsoft’s insider risk management strategy
Featured image for Ensuring customers are protected from Solorigate

Ensuring customers are protected from Solorigate

Microsoft is monitoring a dynamic threat environment surrounding the discovery of a sophisticated attack that included compromised binaries from a legitimate software. These binaries, which are related to the SolarWinds Orion Platform, could be used by attackers to remotely access devices. We have established a resource center that is constantly updated as more information becomes…
Read more Ensuring customers are protected from Solorigate
Featured image for Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers

Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers

A persistent malware campaign has been actively distributing Adrozek, an evolved browser modifier malware at scale since at least May 2020. At its peak in August, the threat was observed on over 30,000 devices every day. The malware is designed to inject ads into search engine results pages and affects multiple browsers.
Read more Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers
Featured image for EDR in block mode stops IcedID cold

EDR in block mode stops IcedID cold

Endpoint detection and response (EDR) in block mode in Microsoft Defender for Endpoint turns EDR detections into real-time blocking of threats. Learn how it stopped an IcedID attack.
Read more EDR in block mode stops IcedID cold
Featured image for Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them

Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them

BISMUTH, which has been running increasingly complex cyberespionage attacks as early as 2012, deployed Monero coin miners in campaigns from July to August 2020. The group's use of coin miners was unexpected, but it was consistent with their longtime methods of blending in.
Read more Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them
Featured image for Trickbot disrupted

Trickbot disrupted

Microsoft took action against the Trickbot botnet, disrupting one of the world’s most persistent malware operations. Microsoft worked with telecommunications providers around the world to disrupt key Trickbot infrastructure.
Read more Trickbot disrupted
Featured image for Sophisticated new Android malware marks the latest evolution of mobile ransomware

Sophisticated new Android malware marks the latest evolution of mobile ransomware

We found a piece of a particularly sophisticated Android ransomware with novel techniques and behavior, exemplifying the rapid evolution of mobile threats that we have also observed on other platforms.
Read more Sophisticated new Android malware marks the latest evolution of mobile ransomware
image of a man walking through a State-of-the-art facility uses eco-friendly solutions such as using reclaimed water to cool the data center. Featured image for Best practices for defending Azure Virtual Machines

Best practices for defending Azure Virtual Machines

One of the things that our Detection and Response Team (DART) and Customer Service and Support (CSS) security teams see frequently during investigation of customer incidents are attacks on virtual machines from the internet. This is one area in the cloud security shared responsibility model where customer tenants are responsible for security. Security is a…
Read more Best practices for defending Azure Virtual Machines