Monthly news - October 2023
Published Oct 02 2023 03:16 AM
Microsoft

Microsoft 365 Defender
Monthly news
October 2023 Edition


This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from September 2023.  

Legend: Product videos · Webcast (recordings) · Docs on Microsoft · Blogs on Microsoft · GitHub · External · Product improvements · Previews / Announcements
Microsoft 365 Defender
Previews / Announcements: Respond to threats across tenants more effectively with Microsoft 365 Defender multi-tenant support. The new multi-tenant management experience in Microsoft 365 Defender enables security teams to investigate and respond to threats across tenants more effectively. The new tenant switcher allows SOC teams to easily access multiple tenants in the same experience.

Previews / Announcements: More advanced hunting tables you can run in near real-time (Preview). Custom detections using data from Microsoft Defender for Identity and Microsoft Defender for Cloud Apps, specifically the CloudAppEvents, IdentityDirectoryEvents, IdentityLogonEvents, and IdentityQueryEvents tables, can now be run in the near real-time Continuous (NRT) frequency.

Webcast (recordings): Exciting news! Our season finale will unveil a groundbreaking cyber defense innovation only found in Microsoft 365 Defender. Tune in October 12th 9AM PT as we showcase the latest advancement in automatic attack disruption. Add this episode to your calendar: https://aka.ms/NinjaShow/506/calendar.

Watch previous episodes via our YouTube playlist.  

Microsoft Security Experts
Blogs on Microsoft: A day in the life of a Defender Experts for XDR analyst. Dive into a few case studies that show what a day in the life of a Defender Experts analyst really looks like.

Blogs on Microsoft: The Vital Role of a Service Delivery Manager: Your Defender Experts for XDR Trusted Advisor. Explore examples of how service delivery managers enhance your Defender Experts for XDR journey.

Blogs on Microsoft: Get incident updates from Defender Experts for XDR in the SOC tools you use. Learn how you can get incident updates from Microsoft Defender Experts for XDR in the SOC tools you already use.

Previews / Announcements: Additional Ask Defender Experts credits. Defender Experts for Hunting and Defender Experts for XDR customers are now assigned 10 Ask Defender Experts credits, which they can use to submit questions, at the start of each calendar quarter. Unused credits from the current quarter roll over to the next one. A maximum of 20 credits can be used per quarter. All unused credits expire at the end of the calendar year or at the end of your subscription term, whichever comes first.

Webcast (recordings): Ninja Show episode "Improve your security posture with Microsoft Defender Experts for XDR" available on-demand on YouTube.
Microsoft Defender for Endpoint
Previews / Announcements: Microsoft Defender for Endpoint Plan 1 will be made available to all existing Microsoft 365 G3 environments starting November 1. Customers will then be able to use all endpoint security capabilities included in this plan. For more details go to aka.ms/mde.

Previews / Announcements: Microsoft Defender for Endpoint supports macOS Sonoma (14.0), which Apple made generally available on September 26th, 2023. More on "What's new in Defender for Endpoint on Mac" here.

Previews / Announcements: Performance mode is now available on Windows 11 as a new Microsoft Defender Antivirus capability. Performance mode reduces the performance impact of Microsoft Defender Antivirus scans for files stored on a designated Dev Drive. The goal of performance mode is to improve functional performance for developers who use Windows 11 devices.

Microsoft Defender for Identity
Previews / Announcements: Updated Devices experience for each Identity. Each relevant device in the Identity experience now includes the full set of metadata, on par with the overall Devices experience.

Previews / Announcements: Identity hunting with an enhanced IdentityInfo table. Back in June 2023, we announced the enhanced IdentityInfo table in Microsoft 365 advanced hunting for Microsoft Defender for Identity customers. Today, we are expanding the availability of this table to all Microsoft Defender for Cloud Apps customers as part of our journey to enable this experience for all Microsoft 365 Defender customers.

Product improvements: Defender for Identity reports moved to the main Reports area. Now you can access Defender for Identity reports from Microsoft 365 Defender's main Reports area instead of the Settings area. Learn more.

Product improvements: Go hunt button for groups in Microsoft 365 Defender. We've added a new Go hunt button for Active Directory groups in Microsoft 365 Defender. Users can use the Go hunt button to query for group-related activities and alerts during an investigation.

Microsoft Defender for IoT
Blogs on Microsoft: Customer story: Global candy maker Mars enhances operational technology device management across 124 factories with Defender for IoT. Read the full customer story here.

Microsoft Defender for Cloud Apps
Previews / Announcements: Continuous NRT frequency supported for the CloudAppEvents table (Preview). Defender for Cloud Apps now supports the Continuous (NRT) frequency for detection rules using the CloudAppEvents table.

Setting a custom detection to run in Continuous (NRT) frequency allows you to increase your organization's ability to identify threats faster. For more information, see Create and manage custom detections rules.
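As an added example (not part of the post or of the Defender documentation), the following custom detection query over CloudAppEvents is written to stay within the shape a Continuous (NRT) rule needs: a single table, no join or union, and Timestamp, ReportId and an entity column in the output. It flags newly created or modified Exchange Online inbox rules that delete, mark as read or file messages out of sight, the kind of rule the OAuth BEC activity profile later in this post describes. Assumed: the ActionType values "New-InboxRule" and "Set-InboxRule", and that the rule's parameters appear in RawEventData.Parameters as an array of Name/Value objects.

```kql
// Added example, not from the post. Assumptions: Exchange Online audit
// events reach CloudAppEvents with ActionType New-InboxRule/Set-InboxRule
// and RawEventData.Parameters is an array of {"Name":..,"Value":..} objects.
CloudAppEvents
| where ActionType in ("New-InboxRule", "Set-InboxRule")
// keep it to one table and no mv-* operators so the rule stays NRT-eligible;
// pull individual parameters out of the serialized Parameters array instead
| extend Params = tostring(parse_json(RawEventData).Parameters)
| extend RuleName  = extract(@'"Name":"Name","Value":"([^"]*)"', 1, Params),
         MoveTo    = extract(@'"Name":"MoveToFolder","Value":"([^"]*)"', 1, Params),
         Deletes   = extract(@'"Name":"DeleteMessage","Value":"([^"]*)"', 1, Params),
         MarksRead = extract(@'"Name":"MarkAsRead","Value":"([^"]*)"', 1, Params)
// rules that hide mail: delete it, mark it read, or file it under folders
// that users rarely look at (folder list is an illustrative assumption)
| where Deletes =~ "True" or MarksRead =~ "True"
    or MoveTo in~ ("RSS Feeds", "RSS Subscriptions", "Archive", "Conversation History", "Junk Email")
// Timestamp, ReportId and AccountObjectId are the columns a custom
// detection needs to create alerts and map the impacted user entity
| project Timestamp, ReportId, AccountObjectId, AccountDisplayName, IPAddress,
          ActionType, RuleName, MoveTo, Deletes, MarksRead
```

Run it in advanced hunting first against the last 30 days to tune the folder list to your tenant before saving it as a detection rule with Continuous (NRT) frequency.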

Previews / Announcements: More discovery for Shadow IT events (Preview). Defender for Cloud Apps can now discover Shadow IT network events detected from Defender for Endpoint devices that are working in the same environment as a network proxy. For more information, see Discover apps via Defender for Endpoint when the endpoint is behind a network proxy (Preview).

Previews / Announcements: Get ready to work in Microsoft 365 Defender exclusively, without the classic portal. Integrating Defender for Cloud Apps inside Microsoft 365 Defender streamlines the process of detecting, investigating, and mitigating threats to your users, apps, and data – so that you can review many alerts and incidents from a single pane of glass, in one XDR system.
Access all Defender for Cloud Apps features and functionalities from Microsoft 365 Defender for a unified and streamlined experience that saves you time and effort.
We’re excited to share the next significant milestone in our integration process: Starting November 2023, we’ll start gradually shifting all users to work in the unified, Microsoft 365 Defender portal exclusively.
This step is an integral part of our commitment to provide you with the best possible service and experience.
To help your transition from the classic Defender for Cloud Apps portal, we’ve documented and mapped changes between the classic portal and Microsoft 365 Defender. Dive in to understand more about the new experience.
Microsoft Defender for Office 365
Previews / Announcements: URL top-level domain blocking is available in the Tenant Allow/Block List. Learn more.

Previews / Announcements: Test your team's security readiness with the Gone Phishing Tournament. Microsoft has partnered with Fortra's Terranova Security to create the Gone Phishing Tournament 2023 (October 9-27), an annual online phishing initiative that uses real-world simulations to establish accurate phishing click-through rates and additional benchmarking statistics for user behaviors.

Microsoft Defender Vulnerability Management
Previews / Announcements: Hardware & Firmware Assessment to identify devices with AMD processors. In certain cases, within the microarchitecture of "Zen 2" CPUs, a register may not be properly written to 0, potentially leaving data from another process or thread in the YMM register. This vulnerability could allow an attacker to access sensitive information. The severity is classified as "Medium", with the CVE identifier CVE-2023-20593. AMD suggests applying a microcode patch for AMD EPYC™ 7002 Processors and, for other impacted products, BIOS updates with specific AGESA™ firmware versions to mitigate this issue. The Microsoft Defender Vulnerability Management hardware and firmware assessment capability provides an inventory of known hardware and firmware in your organization, which lets you identify devices with AMD processors that are potentially exposed to this vulnerability.
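As an added example (not part of the post or of the product documentation), this advanced hunting query uses the hardware and firmware inventory to list devices whose processor string looks like an AMD EPYC 7002-series part, the family the post names for CVE-2023-20593, and joins in the current OS build so the list can be prioritised for the microcode or BIOS update. Assumed: the DeviceTvmHardwareFirmware table with columns DeviceId, DeviceName, ComponentType, Manufacturer, ComponentName and ComponentVersion; that the CPU model appears in ComponentName; and the naming heuristic that 7002-series model numbers end in "2" (for example 7302P, 7742, 7F32).

```kql
// Added example, not from the post. Assumptions: the DeviceTvmHardwareFirmware
// table and column names above, and that 7002-series ("Rome", Zen 2) EPYC
// model numbers end in 2, while 7003 ("Milan", Zen 3) parts end in 3.
DeviceTvmHardwareFirmware
| where Manufacturer has "AMD"
// matches e.g. "AMD EPYC 7302P 16-Core Processor"; extend the pattern with
// the other Zen 2 product lines from AMD's advisory as needed
| where ComponentName matches regex @"EPYC 7[0-9A-Z]{2}2\b"
| project DeviceId, DeviceName, ComponentType, ComponentName, ComponentVersion
| join kind=leftouter (
    // latest OS platform/version and last-seen time per device
    DeviceInfo
    | summarize arg_max(Timestamp, OSPlatform, OSVersion) by DeviceId
  ) on DeviceId
| project DeviceName, ComponentName, ComponentVersion, OSPlatform, OSVersion,
          LastSeen = Timestamp
| sort by DeviceName asc
```

Because the inventory table is a snapshot rather than an event stream, this is a hunting query to run on demand, not a candidate for a Continuous (NRT) custom detection.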

Blogs on Microsoft: Uncursing the ncurses: Memory corruption vulnerabilities found in library. Microsoft discovered a set of memory corruption vulnerabilities in ncurses, a library that provides an API for text-based user interfaces and is commonly used on POSIX operating systems, including Linux, macOS, and FreeBSD.
Blogs on Microsoft Security
Blogs on Microsoft: Malware distributor Storm-0324 facilitates ransomware access. Storm-0324 (DEV-0324) is a financially motivated group known to gain initial access through email-based infection vectors and then hand off access to compromised networks to other threat actors. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool for sending phishing lures through Microsoft Teams chats.

Blogs on Microsoft: Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Since February 2023, Microsoft has observed a high volume of password spray attacks attributed to Peach Sandstorm, an Iranian nation-state group. In a small number of cases, Peach Sandstorm successfully authenticated to an account and used a combination of publicly available and custom tools for persistence, lateral movement, and exfiltration.
Threat Analytics Reports / Actor, activity & technique profiles (Portal access needed)
Activity profile: OAuth apps used in BEC and phishing. Microsoft Threat Intelligence has been monitoring the creation of suspicious OAuth applications by compromised users. This compromise involves initial access through phishing emails that leads to session cookie theft. Some of these applications were used for business email compromise (BEC) financial attacks and sent phishing emails, while other applications remained inactive. In certain cases, the compromised users who engaged in a BEC attack and created OAuth applications sustained persistence and evaded defenses by creating an inbox rule to hide the emails sent by the OAuth application.

Technique profile: Brute-force attacks. In an identity attack like brute-force, attackers can gain credentials to one account and access any sensitive resources that the user can access, often evading scrutiny by masquerading as the compromised user. This creates a cyclical attack pattern, where one compromised account can provide access to resources for additional credential harvesting, and thus even further resource access.

Activity profile: Emerald Sleet conducts adversary-in-the-middle phishing attacks. On August 7, 2023, Emerald Sleet (THALLIUM) conducted a targeted phishing attack, also referred to as spear phishing, against an individual associated with an organization focused on foreign relations and public policy.

CVE-2023-36802 Elevation of Privilege in Microsoft Streaming Service Proxy. Microsoft discovered limited in-the-wild exploitation of an elevation of privilege vulnerability in MSKSSRV.sys (the Microsoft Streaming Service Proxy).

Actor profile: Emerald Sleet. The threat actor Microsoft tracks as Emerald Sleet (THALLIUM) is a nation-state actor based out of North Korea and has been active since at least 2013. The threat actor is known to primarily target individuals working in international affairs, with a special focus on those whose work relates to North-Eastern Asia, as well as non-government organizations, government agencies and services, and media in North America, South America, Europe, and East Asia.

Actor profile: Onyx Sleet. The actor Microsoft tracks as Onyx Sleet (PLUTONIUM) is a North Korea-affiliated activity group, active since at least 2014. Onyx Sleet is known to primarily target the military, defense, and technology industries, predominantly in India, South Korea, and the United States.

Activity profile: Malicious OAuth applications being used to automate spam. Microsoft Security Threat Intelligence has been tracking the abuse of OAuth applications that access organizational data and manipulate administrative settings to achieve an attacker's intent. This large-scale campaign was uncovered when several malicious OAuth applications were created and abused to automate spam email delivery to targets. These malicious applications created by the actor typically have permissions to send emails in the context of the consenting user.

Technique profile: QR code phishing with adversary-in-the-middle capability. The use of QR codes (quick-response codes) in phishing emails is a technique used by threat actors to circumvent phishing protections, such as multifactor authentication (MFA). This technique appears in phishing kits with adversary-in-the-middle (AiTM) capabilities.

Technique profile: VM extension abuse. Microsoft Threat Intelligence researchers have identified threat actors abusing VM extensions to facilitate ransomware and extortion, cryptocurrency mining operations, and nation-state linked espionage gathering.

Actor profile: Storm-0337. The actor that Microsoft tracks as Storm-0337 is a nation-state activity group based out of China. Storm-0337 has primarily targeted organizations in the United States and Southeast Asia. Storm-0337 has used several malware families, including Keyplug and Cobalt Strike.

Technique profile: Pivoting from on-premises to cloud using Microsoft Entra Connect. In recent months, Microsoft Research identified numerous instances of attacks aimed at infiltrating targets' cloud environments by gaining a foothold in their Microsoft Entra Connect servers; in the observed cases the goal was to deploy ransomware, carry out destructive operations, and maintain persistence in the target environments. Once inside the cloud, attackers employ a variety of malicious techniques, such as deploying backdoors, escalating privileges, and conducting destructive operations, such as deletion of cloud resources.

Actor profile: Charcoal Typhoon. The actor Microsoft tracks as Charcoal Typhoon (CHROMIUM) is a nation-state sponsored group operating from China with a primary motive to perform espionage and collect intelligence on targets. While the group primarily targets entities in the Asia region, it has also impacted European and North American entities.

Activity profile: Qakbot distributor Storm-0464 shifts to DarkGate and IcedID. Storm-0464 (DEV-0464) is a financially motivated access broker known for distributing Qakbot and facilitating access for hands-on-keyboard ransomware operators like Storm-0506, Storm-0216, and Storm-0826, who deploy Black Basta ransomware. Storm-0464 has also distributed other malware, such as SquirrelWaffle and Pikabot. In September 2023, the group began leveraging DarkGate and IcedID in its initial access campaigns. Storm-0464 is tracked by other security companies as TA577.

Actor profile: Sapphire Sleet. The actor that Microsoft tracks as Sapphire Sleet (formerly COPERNICIUM) is a nation-state sponsored group operating from North Korea since as early as March 2020. The group focuses primarily on organizations in the cryptocurrency sector, but has been observed expanding its targets to banks within the financial services sector since September 2022.

Actor profile: Storm-0485. The actor Microsoft tracks as Storm-0485 is associated with prolific credential phishing activity that has been ongoing since Microsoft began tracking the actor in October 2021. Storm-0485 phishing attacks can circumvent multi-factor authentication (MFA) protections through adversary-in-the-middle (AiTM) capabilities.
Last update: Oct 03 2023 03:02 AM