Microsoft Threat Intelligence

Computer and Network Security

We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

About us

Website
https://aka.ms/threatintelblog
Industry
Computer and Network Security
Company size
10,001+ employees
Specialties
Computer & network security, Information technology & services, Cybersecurity, Threat intelligence, Threat protection, and Security

Updates

  • The latest East Asia report published by the Microsoft Threat Analysis Center (MTAC) notes that China is using fake social media accounts to poll U.S. voters on what divides them most to sow division and possibly influence the outcome of the U.S. presidential election in its favor. China has also increased its use of AI-generated content to further its goals around the world. The report also cites that North Korea has increased its cryptocurrency heists and supply chain attacks to fund and further its military goals and intelligence collection and that it has also begun to use AI to make its operations more effective and efficient. Learn more: https://msft.it/6045cFTlD

    China tests US voter fault lines and ramps AI content to boost its geopolitical interests - Microsoft On the Issues

    blogs.microsoft.com

  • Microsoft Threat Intelligence reposted this

    At the Microsoft Security Response Center (MSRC), our mission is to protect our customers, communities, and Microsoft from current and emerging threats to security and privacy. We take this responsibility seriously, and one of the ways we achieve it is by collaborating closely with security researchers. Learn how our security vulnerability process works, what you can do to help us speed your submission through our process when reporting security vulnerabilities to Microsoft, and what to expect afterwards: https://lnkd.in/gm3gp33t

    • Microsoft Security Response Center
  • Microsoft Copilot for Security, generally available today, is informed by large-scale data and Microsoft threat intelligence to deliver insights and improve security outcomes. It has prebuilt promptbooks, collections of prompts that have been put together to accomplish specific security-related tasks, for example, incident investigation, threat actor profile, or suspicious script analysis. Promptbooks run one prompt after another, building on previous responses, to help defenders detect and respond to threats at machine speed and scale. Users can also create their own promptbooks using the promptbook builder to automate investigation flows and optimize repetitive steps customized to their needs and requirements. Users can then share promptbooks with others in the team to help strengthen team efficiency and capabilities. Microsoft Copilot for Security also allows users to integrate their organization’s knowledge base as an additional source of information to give Copilot more context, resulting in responses that are more relevant, specific, and customized to the organization. Microsoft Copilot for Security is available as a standalone experience as well as embedded in existing security products, assisting in scenarios like incident summarization, impact analysis, reverse engineering of scripts, and guided response. Users of Microsoft Defender XDR, Microsoft Entra, Microsoft Purview, and others can get Copilot capabilities and skills relevant to each specific platform. Learn more from the Microsoft Copilot for Security documentation: https://msft.it/6045cxFCF.

    • Screenshot of Microsoft Copilot for Security displaying several prompts to check for threat actor TTPs in a network, such as "What do you know about <ThreatActor>?" and "Can you give me a list of known TTPs for <ThreatActor>?".
    • Screenshot of Microsoft Copilot for Security displaying an example response to the question "What do you know about the Silk Typhoon threat actor?", which includes additional information such as other names the threat actor is tracked under, where the threat actor is based, and the types of entities the threat actor targets.
    • Screenshot of Microsoft Copilot for Security displaying several suspicious script analysis prompts, such as "Is this script malicious?" and "If this script was malicious, what are the recommended policy changes to protect against it?".
    • Screenshot of Microsoft Copilot for Security displaying several prompts for a Microsoft Sentinel incident investigation, such as "Summarize Sentinel incident <SENTINEL_INCIDENT_ID>", "List the alerts on that incident.", and "Tell me about the entities associated with that incident.", among other prompts.
  • As much as 40% of vulnerabilities in open-source code don't have CVEs and are at risk of remaining widely unknown and unpatched. Chris Wysopal (Weld Pond), Veracode CTO and Co-founder, discusses how they use AI to identify vulnerabilities in open-source code, as well as to empower developers to find vulnerabilities in their own code and fix them. Chip Calhoun, VP for Counter Threat and Intelligence at bp, talks about the unique parts of securing critical infrastructure, and shares insights on the importance of threat intelligence in threat hunting: "...intelligence is very rare to get before something happens. Usually, you get it after it's happened to somebody else somewhere else, so then we go and search for it through our environment." Executive Director of Cybersecurity Architecture at Sealed Air Torrell F. also discusses how AI solutions like Copilot for Security can help create a feedback loop to surface potential program level issues from alerts and incidents, and find an area of focus to be solved at the program level. Learn more by listening to all three interviews in the full episode of The Microsoft Threat Intelligence podcast with Sherrod DeGrippo here: https://msft.it/6043cvk8T

    Live from New York it’s Microsoft Secure

    thecyberwire.com

  • Phishing campaigns related to known phishing-as-a-service (PhaaS) platforms like Tycoon and NakedPages are taking advantage of the tax season in the US for social engineering. Microsoft observed a phishing campaign related to the Tycoon PhaaS platform involving emails masquerading as W-2 and W-9 tax form notifications, payroll tax documents, and other payment-related lures. The emails, sent using multiple compromised accounts, contain an HTML attachment that loads a Cloudflare Captcha check, followed by a Tycoon PhaaS phishing page. The Tycoon PhaaS platform provides attackers with ready-to-use phishing emails, website templates, and adversary-in-the-middle (AiTM) phishing capabilities to circumvent multifactor authentication (MFA). Microsoft also observed phishing campaigns related to the NakedPages PhaaS platform, an open-source AiTM phishing kit that bypasses MFA through a reverse proxy. These emails masquerade as DocuSign shared documents related to tax adjustments and contain an image that, when clicked, initiates a chain of redirections that eventually leads to an hCaptcha check, followed by a NakedPages phishing page. Threat actors also used tax-related lures to deploy information-stealing malware. Microsoft observed a campaign involving phishing emails containing an HTML attachment that posed as a file related to tax returns. The HTML page hosted JavaScript that then dropped information-stealing malware that collects cryptocurrency wallet information, PuTTY and WinSCP sign-in details, credentials stored in browsers, and email credentials through file or registry access. Learn more about the different types of attacks observed during tax season and Microsoft's guidance on how to help protect against such threats here: https://msft.it/6048cW7Z0

  • Combining security expertise with data science, statistics, and machine learning expertise helps to better identify when an anomaly is actually malicious, especially in post-breach scenarios. Principal Applied Scientist Anna Bertiger provides insight on how Microsoft applies data science to better detect threats in this episode of The Microsoft Threat Intelligence podcast. Data Scientist Emily Yale also shares how analyzing data allows Microsoft to predict behaviors and build detections for potential threats, sharing that "... we might see a particular type of vulnerability that was exploited, for example, but we want to think more broadly about what is the behavior that we saw, and what could we build that captures that behavior that might take advantage of other vulnerabilities related to what we saw previously, but we haven't necessarily seen yet." Learn more in this episode, hosted by Sherrod DeGrippo: https://msft.it/6048cmDrm

    Data Science for Security

    thecyberwire.com

  • Previews for all intel profiles in Microsoft Defender Threat Intelligence (MDTI) are now available to all Microsoft Defender XDR customers, representing Microsoft’s broadest expansion of threat intelligence content to non-MDTI premium customers. Intel profiles are Microsoft’s definitive source of shareable finished threat intelligence, written and continuously updated by our dedicated security researchers and threat intelligence experts. Our corpus of intel profiles currently contains 205+ tracked threat actors, 70+ malicious tools, and 75+ vulnerabilities, with more to be released on a continual basis. Learn more: https://msft.it/6048ccEV8

  • The new capabilities in Microsoft Copilot for Security will help security and IT professionals get more accurate insights on risks and respond faster to threats. Users can interact by asking a question in the prompt bar, trying suggested prompts, or using prebuilt promptbooks. Prebuilt promptbooks in Copilot can also help tackle end-to-end security scenarios such as incident response, threat hunting, intelligence gathering, and posture management. These promptbooks can generate full reports on threat actors, related malicious activities and TTPs, and recommended next steps, saving analysts time and effort better spent taking action on their conclusions. The embedded experiences in Microsoft Copilot for Security have been extended to Microsoft services such as Microsoft Entra and Microsoft Purview (in addition to Microsoft Defender XDR). These features, among others, will help security professionals amplify their skillsets to better defend their networks.

  • Microsoft recently released PyRIT (Python Risk Identification Tool for generative AI), an open access automation framework that allows security and machine learning engineers to proactively find security risks, such as malware generation and jailbreaking, in generative AI systems. PyRIT augments AI red teams’ domain expertise and automates tedious tasks. It provides the automation code to generate harmful prompts, send the prompts to a generative AI system, and evaluate the output using PyRIT's scoring engine. PyRIT represents Microsoft's continued commitment to develop tools and resources that enable organizations to innovate responsibly with the latest AI advances. Learn more about PyRIT and how automating AI red teaming can help better secure generative AI systems: https://msft.it/6042cjksw

    Announcing Microsoft’s open automation framework to red team generative AI Systems | Microsoft Security Blog

    https://www.microsoft.com/en-us/security/blog
