Microsoft shares threat intelligence, security guidance during global crisis

With much of the world now transitioned to virtual work, digital safety has become a key area of concern. This is not something security professionals, were given time to prepare for, yet many of our customers have been thrust into a new environment and challenged to respond quickly.

Our threat intelligence teams at Microsoft are actively monitoring and responding to this shift in focus. Our data shows that these COVID-19 themed threats are rethreads of existing attacks that have been slightly altered to tie to this pandemic. This means we’re seeing a changing of lures, not a surge in attacks. Our intelligence shows that these attacks are settling into a rhythm that is the normal ebb and flow of the threat environment.

Here are some key trends:

• Attackers are capitalizing on fear: Our inboxes, mobile alerts, TVs, and news updates are overflowing with information about COVID-19 and attackers know that everyone is overwhelmed with it. They understand that stress levels are high and there is a tendency to click without looking and they are taking advantage of that. As a result, we are seeing an increase in the success of phishing and social engineering attacks.

• Increase in successful attacks: Every country in the world has seen at least one COVID-19 themed attack: The volume of successful attacks in outbreak-hit countries is increasing, as fear and the desire for information around Covid-19 grows. Microsoft’s telemetry data shows that China, the United States, and Russia have been hit the hardest.

• Rebranding of lures: The trendy and pervasive Trickbot and Emotet malware families are very active and rebranding their lures to take advantage of the outbreak. We have observed 76 threat variants to date globally using COVID-19 themed lures. Our data shows that these COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to this pandemic. This means we are seeing a changing of lures, not a surge in attacks.

• Phishing, malicious attachments & URLS: Every week, Microsoft tracks thousands of email phishing campaigns containing millions of targeted, malicious messages. Of these, roughly 60,000 include COVID-19 related malicious attachments or malicious URLs. It is important to note that the number is less than two percent of the total volume of threats we actively track and protect against daily, which reinforces that the overall volume of threats is not increasing but attackers are shifting their techniques.

• More aggressive and agile attacks: In a single day, SmartScreen sees and processes more than 18,000 malicious COVID-19-themed URLs and IP addresses indicating that attackers are getting more aggressive and agile in the delivery of their attacks – using the same delivery methods but swapping out the malicious URLs on a more frequent basis in an effort to evade machine learning protections.

• Targeting economic fear: Microsoft Office 365 Advanced Threat Protection prevented a big phishing campaign that used a fake Office 365 sign-in page to capture credentials. Roughly 2,300 unique HTML attachments posing as COVID-19 financial compensation information were caught in 24 hours in this one campaign. We expect to see more campaigns that utilize the economic fear from lost income, as governments widen the mandatory shutdown of their economies.

• Impersonating established entities: Attackers are impersonating entities like the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC), and the Department of Health to get into inboxes. Here’s an example of what just one of these malicious emails looks like now compared to before the COVID-19 crisis:

While phishing email is a common attack vector, it is only one of the many points of entry for attackers. Defenders need a much broader view and solutions for remediation than visibility into just one entry method. Defenders require visibility across each of these domains and automated correlation across emails, identities, endpoints, and cloud applications to see the full scope of compromise. Only with this view can defenders adequately remediate affected assets, apply Conditional Access, and prevent the same or similar attacks from being successful again.

Here are the protections Microsoft has built into products and the guidance for what to prioritize:

• Microsoft Defender ATP: Covers licensed users for up to five concurrent devices. Microsoft Defender ATP monitors threats from across platforms, including macOS. Microsoft’s tech community post includes additional guidance, best practices, onboarding, and licensing information.
• Multi-factor authentication (MFA) and Conditional Access through Azure Active Directory to protect identities: Microsoft recommends connecting all apps to Azure AD for single sign-on – from SaaS to on-premises apps; enabling MFA and applying Conditional Access policies; and extending secure access to contractors and partners.
• Safeguard inboxes and email accounts with Office 365 ATP: Cloud-based email filtering service, which shields against phishing and malware, including features to safeguard your organization from messaging-policy violations, targeted attacks, zero-days, and malicious URLs.
• Microsoft Cloud App Security can help protect against shadow IT and unsanctioned app usage, identify and remediate cloud-native attacks, and control how data travels across cloud apps from Microsoft or third-party applications.

Microsoft Threat Protection correlates signals from across each of these domains using Azure ATP, Microsoft Defender ATP, Office 365 ATP, and Microsoft Cloud App Security, to understand the entire attack chain to help defenders prioritize which threats are most critical to address and to auto-heal affected user identities, email inboxes, endpoints, and cloud apps back to a safe state. Our threat intelligence combines signals from not just one attack vector like email phishing, but from across emails, identities, endpoints, and cloud apps to understand how the threat landscape is changing and build that intelligence into our products to prevent attack sprawl and persistence. The built-in, automated remediation capabilities across these solutions can also help reduce the manual workload on defenders that comes from the multitude of new devices and connections.

Azure Sentinel is a cloud-native SIEM that brings together insights from Microsoft Threat Protection and Azure Security Center, along with the whole world of third-party and custom application logs to help security teams gain visibility, triage, and investigate threats across their enterprise. As with all Microsoft Security products, Azure Sentinel customers benefit from Microsoft threat intelligence to detect and hunt for attacks. Azure Sentinel makes it easy to add new data sources and scale existing ones with built-in workbooks, hunting queries, and analytics to help teams identify, prioritize, and respond to threats. We recently shared a threat hunting notebook developed to hunt for COVID-19 related threats in Azure Sentinel.

Microsoft is actively monitoring the threat landscape, we’re here to help: we’re providing resources, guidance, and for dire cases we have support available from services like the Microsoft Detection and Response (DART) team to help investigate and remediate.