Threat analytics is Microsoft 365 Defender’s in-product threat intelligence (TI) solution designed to help defenders like you to efficiently understand, prevent, identify, and stop emerging threats. It provides a unique combination of in-depth TI analysis and reports from expert Microsoft security researchers, and consolidated data showing your organization’s security posture relative to the threats. Threat analytics helps you respond to and minimize the impact of active attacks.
As part of a unified extended detection and response (XDR) experience in Microsoft 365 Defender, threat analytics is now available for public preview. It includes better data coverage, incident management across security pillars, automatic investigation and remediation, and cross-domain hunting capabilities. Microsoft 365 Defender threat analytics is available for Microsoft Defender for Office 365 and Microsoft Defender for Endpoint users.
If you’re familiar with threat analytics in Microsoft Defender for Endpoint, you’ll be excited to know that the integrated experience you’ll see in Microsoft 365 Defender threat analytics takes your report consumption to another level.
What’s new?
Threat analytics for Microsoft 365 Defender introduces:
- Better data coverage between Microsoft Defender for Endpoint and Microsoft Defender for Office 365, making combined incident management, automatic investigation, remediation, and proactive or reactive threat hunting across-the domain possible.
- Email-related detections and mitigations from Microsoft Defender for Office 365, in addition to the endpoint data already available from Microsoft Defender for Endpoint.
- A view of threat-related incidents that aggregate alerts into end-to-end attack stories across Microsoft Defender for Endpoint and Microsoft Defender for Office 365 to reduce the work queue, as well as simplify and speed up your investigation.
- Attack attempts detected and blocked by Microsoft Defender for Office 365. You can also see data that you can use to drive preventive actions that mitigate the risk of further exposure and increase resilience.
- Enhanced design that puts actionable information in the spotlight to help you quickly identify data to urgently focus on, investigate, and leverage from the reports.
What’s in each report?
With each threat analytics report, you’ll find:
- Detailed analyst report—deep-dive analysis, MITRE techniques, detection details, recommended mitigations, and advance hunting queries that expand detection coverage.
- Active alerts and incidents.
- Impacted assets, including your devices and mailboxes.
- Prevented email attempts, indicating whether you were a target of this threat even if the email has been blocked before delivery or delivered to the junk mail folder.
- Mitigations and their statuses, with options to investigate further and remediate weaknesses using threat and vulnerability management (please note that email related mitigations are found in the analyst report).
How do I get there?
- Threat analytics can be accessed from the Microsoft 365 security center navigation bar.
- When a new threat report is published or updated, you’ll get a badge in the navigation bar.
- A dedicated threat analytics card has also been added to the Microsoft 365 security center dashboard, so you can track the threats that are active on your network.
Ready to check it out? Explore these threat analytics reports.
Solorigate supply chain attack
Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary designation for the actor, but moving forward, we want to place appropriate focus on the actors behind the sophisticated attacks, rather than one of the examples of malware used by the actors. Microsoft Threat Intelligence Center (MSTIC) has named the actor behind the attack against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM. As we release new content and analysis, we will use NOBELIUM to refer to the actor and the campaign of attacks.
This report about the sophisticated attack details how NOBELIUM inserted malicious code into a supply chain development process. A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate. The resulting binary included a backdoor and was then discreetly distributed into targeted organizations. This attack was discovered as part of an ongoing investigation.
Emotet breaks hiatus with spike in cybercrime activity
Understand how Emotet operators have started to ramp up activity starting July 2020. Notable for their involvement in Ryuk ransomware distribution, Emotet operators are back with basically the same goals, utilizing similar lure themes and macro-enabled documents. Despite the recent take-down which has interrupted Emotet, your security operation centers should continuously monitor Emotet-related alerts in your antivirus and EDR solutions. Secondary payloads delivered by Emotet prior to the take-down remain a serious and real threat to your network.
BazaLoader: Foothold for ransomware
Possibly tied to the same cybercriminals leveraging Trickbot infrastructure, these campaigns appear to be part of ongoing attempts to shift to other entry vectors. Started in late October 2020, these campaigns use phishing emails that take recipients through link chains to implant BazaLoader. Unsurprisingly, the new implant brings in potent tools like Cobalt Strike, which make persistent, direct human attack activity possible. Microsoft's security solutions remain effective against this threat, regardless of the recent BazaLoader activities that we've observed this month. Use advanced hunting to proactively hunt for this threat in your Microsoft 365 security portal (Microsoft 365 Defender) or Microsoft Security Center portal (Microsoft Defender for Endpoint).
IcedID's frosty arrival can lead to data theft
Get your shields up by learning about this modular banking trojan’s modus operandi and how Microsoft 365 Defender can help detect and stop IcedID campaigns at multiple points along the attack chain and across domains, including the very start.