"}},"componentScriptGroups({\"componentId\":\"custom.widget.MicrosoftFooter\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"tagFollowsForNodes({\"nodeIds\":\"board:MicrosoftSecurityExperts\",\"tagText\":\"Defender Experts for XDR\"})":[{"__typename":"TagFollowForNodeResponse","coreNode":{"__ref":"Blog:board:MicrosoftSecurityExperts"},"follow":null}],"cachedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"components/community/NavbarDropdownToggle\"]})":[{"__ref":"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1745487435975"}],"cachedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/common/OverflowNav\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/OverflowNav-1745487435975"}],"cachedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageView/MessageViewInline\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageView/MessageViewInline-1745487435975"}],"cachedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/common/Pager/PagerLoadMore\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/Pager/PagerLoadMore-1745487435975"}],"cachedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"components/users/UserLink\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserLink-1745487435975"}],"cachedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageSubject\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageSubject-1745487435975"}],"cac
hedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageBody\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageBody-1745487435975"}],"cachedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageTime\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTime-1745487435975"}],"cachedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeIcon\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1745487435975"}],"cachedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageUnreadCount\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageUnreadCount-1745487435975"}],"cachedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageViewCount\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageViewCount-1745487435975"}],"cachedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"components/kudos/KudosCount\"]})":[{"__ref":"CachedAsset:text:en_US-components/kudos/KudosCount-1745487435975"}],"cachedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageRepliesCount\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageRepliesCount-1745487435975"}],"cachedText({\"lastModified\":\"1745487435975\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/users/UserAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1745487435975"}]},"CachedAsset:pages-1745487429177":{"__typename":"CachedAsset","id":"pages-1745487429177","value":[{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"BlogViewAllPostsPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId/all-posts/(/:after|/:b
efore)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"CasePortalPage","type":"CASE_PORTAL","urlPath":"/caseportal","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"CreateGroupHubPage","type":"GROUP_HUB","urlPath":"/groups/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"CaseViewPage","type":"CASE_DETAILS","urlPath":"/case/:caseId/:caseNumber","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"InboxPage","type":"COMMUNITY","urlPath":"/inbox","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"HelpFAQPage","type":"COMMUNITY","urlPath":"/help","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"IdeaMessagePage","type":"IDEA_POST","urlPath":"/idea/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"IdeaViewAllIdeasPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/all-ideas/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"LoginPage","type":"USER","urlPath":"/signin","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"BlogPostPage","type":"BLOG","urlPath":"/category/:categoryId/blogs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"UserBlogPermissions.Page","type":"COMMUNITY","urlPath":"/c/user-blog-permissi
ons/page","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"ThemeEditorPage","type":"COMMUNITY","urlPath":"/designer/themes","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"TkbViewAllArticlesPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId/all-articles/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730142000000,"localOverride":null,"page":{"id":"AllEvents","type":"CUSTOM","urlPath":"/Events","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"OccasionEditPage","type":"EVENT","urlPath":"/event/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"OAuthAuthorizationAllowPage","type":"USER","urlPath":"/auth/authorize/allow","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"PageEditorPage","type":"COMMUNITY","urlPath":"/designer/pages","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"PostPage","type":"COMMUNITY","urlPath":"/category/:categoryId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"ForumBoardPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"TkbBoardPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"EventPostPa
ge","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"UserBadgesPage","type":"COMMUNITY","urlPath":"/users/:login/:userId/badges","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"GroupHubMembershipAction","type":"GROUP_HUB","urlPath":"/membership/join/:nodeId/:membershipType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"MaintenancePage","type":"COMMUNITY","urlPath":"/maintenance","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"IdeaReplyPage","type":"IDEA_REPLY","urlPath":"/idea/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"UserSettingsPage","type":"USER","urlPath":"/mysettings/:userSettingsTab","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"GroupHubsPage","type":"GROUP_HUB","urlPath":"/groups","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"ForumPostPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"OccasionRsvpActionPage","type":"OCCASION","urlPath":"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"VerifyUserEmailPage","type":"USER","urlPath":"/verifyemail/:userId/:verifyEmailToken","__typena
me":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"AllOccasionsPage","type":"OCCASION","urlPath":"/category/:categoryId/events/:boardId/all-events/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"EventBoardPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"TkbReplyPage","type":"TKB_REPLY","urlPath":"/kb/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"IdeaBoardPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"CommunityGuideLinesPage","type":"COMMUNITY","urlPath":"/communityguidelines","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"CaseCreatePage","type":"SALESFORCE_CASE_CREATION","urlPath":"/caseportal/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"TkbEditPage","type":"TKB","urlPath":"/kb/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"ForgotPasswordPage","type":"USER","urlPath":"/forgotpassword","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"IdeaEditPage","type":"IDEA","urlPath":"/idea/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":174548742
9177,"localOverride":null,"page":{"id":"TagPage","type":"COMMUNITY","urlPath":"/tag/:tagName","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"BlogBoardPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"OccasionMessagePage","type":"OCCASION_TOPIC","urlPath":"/event/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"ManageContentPage","type":"COMMUNITY","urlPath":"/managecontent","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"ClosedMembershipNodeNonMembersPage","type":"GROUP_HUB","urlPath":"/closedgroup/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"CommunityPage","type":"COMMUNITY","urlPath":"/","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"ForumMessagePage","type":"FORUM_TOPIC","urlPath":"/discussions/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"IdeaPostPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730142000000,"localOverride":null,"page":{"id":"CommunityHub.Page","type":"CUSTOM","urlPath":"/Directory","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"BlogMessagePage","type":"BLOG_ARTICLE","urlPath":"/blog/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typ
ename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"RegistrationPage","type":"USER","urlPath":"/register","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"EditGroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"ForumEditPage","type":"FORUM","urlPath":"/discussions/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"ResetPasswordPage","type":"USER","urlPath":"/resetpassword/:userId/:resetPasswordToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730142000000,"localOverride":null,"page":{"id":"AllBlogs.Page","type":"CUSTOM","urlPath":"/blogs","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"TkbMessagePage","type":"TKB_ARTICLE","urlPath":"/kb/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"BlogEditPage","type":"BLOG","urlPath":"/blog/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"ManageUsersPage","type":"USER","urlPath":"/users/manage/:tab?/:manageUsersTab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"ForumReplyPage","type":"FORUM_REPLY","urlPath":"/discussions/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"PrivacyPolicyPage","type"
:"COMMUNITY","urlPath":"/privacypolicy","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"NotificationPage","type":"COMMUNITY","urlPath":"/notifications","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"UserPage","type":"USER","urlPath":"/users/:login/:userId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"OccasionReplyPage","type":"OCCASION_REPLY","urlPath":"/event/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"ManageMembersPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/manage/:tab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"SearchResultsPage","type":"COMMUNITY","urlPath":"/search","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"BlogReplyPage","type":"BLOG_REPLY","urlPath":"/blog/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"GroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"TermsOfServicePage","type":"COMMUNITY","urlPath":"/termsofservice","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"CategoryPage","type":"CATEGORY","urlPath":"/category/:categoryId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":
"ForumViewAllTopicsPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/all-topics/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"TkbPostPage","type":"TKB","urlPath":"/category/:categoryId/kbs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1745487429177,"localOverride":null,"page":{"id":"GroupHubPostPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"}],"localOverride":false},"CachedAsset:text:en_US-components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot find message with id {messageId}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value":{"title":"Loading..."},"localOverride":false},"User:user:-1":{"__typename":"User","id":"user:-1","uid":-1,"login":"Deleted","email":"","avatar":null,"rank":null,"kudosWeight":1,"registrationData":{"__typename":"RegistrationData","status":"ANONYMOUS","registrationTime":null,"confirmEmailStatus":false,"registrationAccessLevel":"VIEW","ssoRegistrationFields":[]},"ssoId":null,"profileSettings":{"__typename":"ProfileSettings","dateDisplayStyle":{"__typename":"InheritableStringSettingWithPossibleValues","key":"layout.friendly_dates_enabled","value":"false","localValue":"true","possibleValues":["true","false"]},"dateDisplayFormat":{"__typename":"InheritableStringSetting","key":"layout.format_pattern_date","value":"MMM dd 
yyyy","localValue":"MM-dd-yyyy"},"language":{"__typename":"InheritableStringSettingWithPossibleValues","key":"profile.language","value":"en-US","localValue":"en","possibleValues":["en-US"]}},"deleted":false},"Theme:customTheme1":{"__typename":"Theme","id":"customTheme1"},"CachedAsset:theme:customTheme1-1744326567546":{"__typename":"CachedAsset","id":"theme:customTheme1-1744326567546","value":{"id":"customTheme1","animation":{"fast":"150ms","normal":"250ms","slow":"500ms","slowest":"750ms","function":"cubic-bezier(0.07, 0.91, 0.51, 1)","__typename":"AnimationThemeSettings"},"avatar":{"borderRadius":"50%","collections":["default"],"__typename":"AvatarThemeSettings"},"basics":{"browserIcon":{"imageAssetName":"favicon-1730836283320.png","imageLastModified":"1730836286415","__typename":"ThemeAsset"},"customerLogo":{"imageAssetName":"favicon-1730836271365.png","imageLastModified":"1730836274203","__typename":"ThemeAsset"},"maximumWidthOfPageContent":"1300px","oneColumnNarrowWidth":"800px","gridGutterWidthMd":"30px","gridGutterWidthXs":"10px","pageWidthStyle":"WIDTH_OF_BROWSER","__typename":"BasicsThemeSettings"},"buttons":{"borderRadiusSm":"3px","borderRadius":"3px","borderRadiusLg":"5px","paddingY":"5px","paddingYLg":"7px","paddingYHero":"var(--lia-bs-btn-padding-y-lg)","paddingX":"12px","paddingXLg":"16px","paddingXHero":"60px","fontStyle":"NORMAL","fontWeight":"700","textTransform":"NONE","disabledOpacity":0.5,"primaryTextColor":"var(--lia-bs-white)","primaryTextHoverColor":"var(--lia-bs-white)","primaryTextActiveColor":"var(--lia-bs-white)","primaryBgColor":"var(--lia-bs-primary)","primaryBgHoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.85))","primaryBgActiveColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.7))","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","primaryBorderActive":"1px solid transparent","primaryBorderFocus":"1px 
solid var(--lia-bs-white)","primaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","secondaryTextColor":"var(--lia-bs-gray-900)","secondaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","secondaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","secondaryBgColor":"var(--lia-bs-gray-200)","secondaryBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","secondaryBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","secondaryBorder":"1px solid transparent","secondaryBorderHover":"1px solid transparent","secondaryBorderActive":"1px solid transparent","secondaryBorderFocus":"1px solid transparent","secondaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","tertiaryTextColor":"var(--lia-bs-gray-900)","tertiaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","tertiaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","tertiaryBgColor":"transparent","tertiaryBgHoverColor":"transparent","tertiaryBgActiveColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.04)","tertiaryBorder":"1px solid transparent","tertiaryBorderHover":"1px solid hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","tertiaryBorderActive":"1px solid transparent","tertiaryBorderFocus":"1px solid transparent","tertiaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 
0.2)","destructiveTextColor":"var(--lia-bs-danger)","destructiveTextHoverColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.95))","destructiveTextActiveColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.9))","destructiveBgColor":"var(--lia-bs-gray-200)","destructiveBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","destructiveBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","destructiveBorder":"1px solid transparent","destructiveBorderHover":"1px solid transparent","destructiveBorderActive":"1px solid transparent","destructiveBorderFocus":"1px solid transparent","destructiveBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","__typename":"ButtonsThemeSettings"},"border":{"color":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","mainContent":"NONE","sideContent":"LIGHT","radiusSm":"3px","radius":"5px","radiusLg":"9px","radius50":"100vw","__typename":"BorderThemeSettings"},"boxShadow":{"xs":"0 0 0 1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08), 0 3px 0 -1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.16)","sm":"0 2px 4px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.12)","md":"0 5px 15px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","lg":"0 10px 30px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 
0.3)","__typename":"BoxShadowThemeSettings"},"cards":{"bgColor":"var(--lia-panel-bg-color)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":"var(--lia-box-shadow-xs)","__typename":"CardsThemeSettings"},"chip":{"maxWidth":"300px","height":"30px","__typename":"ChipThemeSettings"},"coreTypes":{"defaultMessageLinkColor":"var(--lia-bs-link-color)","defaultMessageLinkDecoration":"none","defaultMessageLinkFontStyle":"NORMAL","defaultMessageLinkFontWeight":"400","defaultMessageFontStyle":"NORMAL","defaultMessageFontWeight":"400","forumColor":"#4099E2","forumFontFamily":"var(--lia-bs-font-family-base)","forumFontWeight":"var(--lia-default-message-font-weight)","forumLineHeight":"var(--lia-bs-line-height-base)","forumFontStyle":"var(--lia-default-message-font-style)","forumMessageLinkColor":"var(--lia-default-message-link-color)","forumMessageLinkDecoration":"var(--lia-default-message-link-decoration)","forumMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","forumMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","forumSolvedColor":"#148563","blogColor":"#1CBAA0","blogFontFamily":"var(--lia-bs-font-family-base)","blogFontWeight":"var(--lia-default-message-font-weight)","blogLineHeight":"1.75","blogFontStyle":"var(--lia-default-message-font-style)","blogMessageLinkColor":"var(--lia-default-message-link-color)","blogMessageLinkDecoration":"var(--lia-default-message-link-decoration)","blogMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","blogMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","tkbColor":"#4C6B90","tkbFontFamily":"var(--lia-bs-font-family-base)","tkbFontWeight":"var(--lia-default-message-font-weight)","tkbLineHeight":"1.75","tkbFontStyle":"var(--lia-default-message-font-style)","tkbMessageLinkColor":"var(--lia-default-message-link-color)","tkbMessageLinkDecoration":"var(--lia-default-message-link-decoration)","tkbMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","tk
bMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaColor":"#4099E2","qandaFontFamily":"var(--lia-bs-font-family-base)","qandaFontWeight":"var(--lia-default-message-font-weight)","qandaLineHeight":"var(--lia-bs-line-height-base)","qandaFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkColor":"var(--lia-default-message-link-color)","qandaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","qandaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaSolvedColor":"#3FA023","ideaColor":"#FF8000","ideaFontFamily":"var(--lia-bs-font-family-base)","ideaFontWeight":"var(--lia-default-message-font-weight)","ideaLineHeight":"var(--lia-bs-line-height-base)","ideaFontStyle":"var(--lia-default-message-font-style)","ideaMessageLinkColor":"var(--lia-default-message-link-color)","ideaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","ideaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","ideaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","contestColor":"#FCC845","contestFontFamily":"var(--lia-bs-font-family-base)","contestFontWeight":"var(--lia-default-message-font-weight)","contestLineHeight":"var(--lia-bs-line-height-base)","contestFontStyle":"var(--lia-default-message-link-font-style)","contestMessageLinkColor":"var(--lia-default-message-link-color)","contestMessageLinkDecoration":"var(--lia-default-message-link-decoration)","contestMessageLinkFontStyle":"ITALIC","contestMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","occasionColor":"#D13A1F","occasionFontFamily":"var(--lia-bs-font-family-base)","occasionFontWeight":"var(--lia-default-message-font-weight)","occasionLineHeight":"var(--lia-bs-line-height-base)","occasionFontStyle":"var(--lia-default-message-font-style)","occasionMessageLinkColor":"var(--lia-default-message-link-color)","occasionMessa
geLinkDecoration":"var(--lia-default-message-link-decoration)","occasionMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","occasionMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","grouphubColor":"#333333","categoryColor":"#949494","communityColor":"#FFFFFF","productColor":"#949494","__typename":"CoreTypesThemeSettings"},"colors":{"black":"#000000","white":"#FFFFFF","gray100":"#F7F7F7","gray200":"#F7F7F7","gray300":"#E8E8E8","gray400":"#D9D9D9","gray500":"#CCCCCC","gray600":"#717171","gray700":"#707070","gray800":"#545454","gray900":"#333333","dark":"#545454","light":"#F7F7F7","primary":"#0069D4","secondary":"#333333","bodyText":"#1E1E1E","bodyBg":"#FFFFFF","info":"#409AE2","success":"#41C5AE","warning":"#FCC844","danger":"#BC341B","alertSystem":"#FF6600","textMuted":"#707070","highlight":"#FFFCAD","outline":"var(--lia-bs-primary)","custom":["#D3F5A4","#243A5E"],"__typename":"ColorsThemeSettings"},"divider":{"size":"3px","marginLeft":"4px","marginRight":"4px","borderRadius":"50%","bgColor":"var(--lia-bs-gray-600)","bgColorActive":"var(--lia-bs-gray-600)","__typename":"DividerThemeSettings"},"dropdown":{"fontSize":"var(--lia-bs-font-size-sm)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius-sm)","dividerBg":"var(--lia-bs-gray-300)","itemPaddingY":"5px","itemPaddingX":"20px","headerColor":"var(--lia-bs-gray-700)","__typename":"DropdownThemeSettings"},"email":{"link":{"color":"#0069D4","hoverColor":"#0061c2","decoration":"none","hoverDecoration":"underline","__typename":"EmailLinkSettings"},"border":{"color":"#e4e4e4","__typename":"EmailBorderSettings"},"buttons":{"borderRadiusLg":"5px","paddingXLg":"16px","paddingYLg":"7px","fontWeight":"700","primaryTextColor":"#ffffff","primaryTextHoverColor":"#ffffff","primaryBgColor":"#0069D4","primaryBgHoverColor":"#005cb8","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid 
transparent","__typename":"EmailButtonsSettings"},"panel":{"borderRadius":"5px","borderColor":"#e4e4e4","__typename":"EmailPanelSettings"},"__typename":"EmailThemeSettings"},"emoji":{"skinToneDefault":"#ffcd43","skinToneLight":"#fae3c5","skinToneMediumLight":"#e2cfa5","skinToneMedium":"#daa478","skinToneMediumDark":"#a78058","skinToneDark":"#5e4d43","__typename":"EmojiThemeSettings"},"heading":{"color":"var(--lia-bs-body-color)","fontFamily":"Segoe UI","fontStyle":"NORMAL","fontWeight":"400","h1FontSize":"34px","h2FontSize":"32px","h3FontSize":"28px","h4FontSize":"24px","h5FontSize":"20px","h6FontSize":"16px","lineHeight":"1.3","subHeaderFontSize":"11px","subHeaderFontWeight":"500","h1LetterSpacing":"normal","h2LetterSpacing":"normal","h3LetterSpacing":"normal","h4LetterSpacing":"normal","h5LetterSpacing":"normal","h6LetterSpacing":"normal","subHeaderLetterSpacing":"2px","h1FontWeight":"var(--lia-bs-headings-font-weight)","h2FontWeight":"var(--lia-bs-headings-font-weight)","h3FontWeight":"var(--lia-bs-headings-font-weight)","h4FontWeight":"var(--lia-bs-headings-font-weight)","h5FontWeight":"var(--lia-bs-headings-font-weight)","h6FontWeight":"var(--lia-bs-headings-font-weight)","__typename":"HeadingThemeSettings"},"icons":{"size10":"10px","size12":"12px","size14":"14px","size16":"16px","size20":"20px","size24":"24px","size30":"30px","size40":"40px","size50":"50px","size60":"60px","size80":"80px","size120":"120px","size160":"160px","__typename":"IconsThemeSettings"},"imagePreview":{"bgColor":"var(--lia-bs-gray-900)","titleColor":"var(--lia-bs-white)","controlColor":"var(--lia-bs-white)","controlBgColor":"var(--lia-bs-gray-800)","__typename":"ImagePreviewThemeSettings"},"input":{"borderColor":"var(--lia-bs-gray-600)","disabledColor":"var(--lia-bs-gray-600)","focusBorderColor":"var(--lia-bs-primary)","labelMarginBottom":"10px","btnFontSize":"var(--lia-bs-font-size-sm)","focusBoxShadow":"0 0 0 3px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), 
var(--lia-bs-primary-l), 0.2)","checkLabelMarginBottom":"2px","checkboxBorderRadius":"3px","borderRadiusSm":"var(--lia-bs-border-radius-sm)","borderRadius":"var(--lia-bs-border-radius)","borderRadiusLg":"var(--lia-bs-border-radius-lg)","formTextMarginTop":"4px","textAreaBorderRadius":"var(--lia-bs-border-radius)","activeFillColor":"var(--lia-bs-primary)","__typename":"InputThemeSettings"},"loading":{"dotDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.2)","dotLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.5)","barDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.06)","barLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.4)","__typename":"LoadingThemeSettings"},"link":{"color":"var(--lia-bs-primary)","hoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) - 10%))","decoration":"none","hoverDecoration":"underline","__typename":"LinkThemeSettings"},"listGroup":{"itemPaddingY":"15px","itemPaddingX":"15px","borderColor":"var(--lia-bs-gray-300)","__typename":"ListGroupThemeSettings"},"modal":{"contentTextColor":"var(--lia-bs-body-color)","contentBg":"var(--lia-bs-white)","backgroundBg":"var(--lia-bs-black)","smSize":"440px","mdSize":"760px","lgSize":"1080px","backdropOpacity":0.3,"contentBoxShadowXs":"var(--lia-bs-box-shadow-sm)","contentBoxShadow":"var(--lia-bs-box-shadow)","headerFontWeight":"700","__typename":"ModalThemeSettings"},"navbar":{"position":"FIXED","background":{"attachment":null,"clip":null,"color":"var(--lia-bs-white)","imageAssetName":"","imageLastModified":"0","origin":null,"position":"CENTER_CENTER","repeat":"NO_REPEAT","size":"COVER","__typename":"BackgroundProps"},"backgroundOpacity":0.8,"paddingTop":"15px","paddingBottom":"15px","borderBottom":"1px solid 
var(--lia-bs-border-color)","boxShadow":"var(--lia-bs-box-shadow-sm)","brandMarginRight":"30px","brandMarginRightSm":"10px","brandLogoHeight":"30px","linkGap":"10px","linkJustifyContent":"flex-start","linkPaddingY":"5px","linkPaddingX":"10px","linkDropdownPaddingY":"9px","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkColor":"var(--lia-bs-body-color)","linkHoverColor":"var(--lia-bs-primary)","linkFontSize":"var(--lia-bs-font-size-sm)","linkFontStyle":"NORMAL","linkFontWeight":"400","linkTextTransform":"NONE","linkLetterSpacing":"normal","linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkBgColor":"transparent","linkBgHoverColor":"transparent","linkBorder":"none","linkBorderHover":"none","linkBoxShadow":"none","linkBoxShadowHover":"none","linkTextBorderBottom":"none","linkTextBorderBottomHover":"none","dropdownPaddingTop":"10px","dropdownPaddingBottom":"15px","dropdownPaddingX":"10px","dropdownMenuOffset":"2px","dropdownDividerMarginTop":"10px","dropdownDividerMarginBottom":"10px","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","controllerIconColor":"var(--lia-bs-body-color)","controllerIconHoverColor":"var(--lia-bs-body-color)","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","controllerHighlightColor":"hsla(30, 100%, 
50%)","controllerHighlightTextColor":"var(--lia-yiq-light)","controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerColor":"var(--lia-nav-controller-icon-color)","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","hamburgerBgColor":"transparent","hamburgerBgHoverColor":"transparent","hamburgerBorder":"none","hamburgerBorderHover":"none","collapseMenuMarginLeft":"20px","collapseMenuDividerBg":"var(--lia-nav-link-color)","collapseMenuDividerOpacity":0.16,"__typename":"NavbarThemeSettings"},"pager":{"textColor":"var(--lia-bs-link-color)","textFontWeight":"var(--lia-font-weight-md)","textFontSize":"var(--lia-bs-font-size-sm)","__typename":"PagerThemeSettings"},"panel":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-bs-border-radius)","borderColor":"var(--lia-bs-border-color)","boxShadow":"none","__typename":"PanelThemeSettings"},"popover":{"arrowHeight":"8px","arrowWidth":"16px","maxWidth":"300px","minWidth":"100px","headerBg":"var(--lia-bs-white)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius)","boxShadow":"0 0.5rem 1rem hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.15)","__typename":"PopoverThemeSettings"},"prism":{"color":"#000000","bgColor":"#f5f2f0","fontFamily":"var(--font-family-monospace)","fontSize":"var(--lia-bs-font-size-base)","fontWeightBold":"var(--lia-bs-font-weight-bold)","fontStyleItalic":"italic","tabSize":2,"highlightColor":"#b3d4fc","commentColor":"#62707e","punctuationColor":"#6f6f6f","namespaceOpacity":"0.7","propColor":"#990055","selectorColor":"#517a00","operatorColor":"#906736","operatorBgColor":"hsla(0, 0%, 100%, 0.5)","keywordColor":"#0076a9","functionColor":"#d3284b","variableColor":"#c14700","__typename":"PrismThemeSettings"},"rte":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":" 
var(--lia-panel-box-shadow)","customColor1":"#bfedd2","customColor2":"#fbeeb8","customColor3":"#f8cac6","customColor4":"#eccafa","customColor5":"#c2e0f4","customColor6":"#2dc26b","customColor7":"#f1c40f","customColor8":"#e03e2d","customColor9":"#b96ad9","customColor10":"#3598db","customColor11":"#169179","customColor12":"#e67e23","customColor13":"#ba372a","customColor14":"#843fa1","customColor15":"#236fa1","customColor16":"#ecf0f1","customColor17":"#ced4d9","customColor18":"#95a5a6","customColor19":"#7e8c8d","customColor20":"#34495e","customColor21":"#000000","customColor22":"#ffffff","defaultMessageHeaderMarginTop":"40px","defaultMessageHeaderMarginBottom":"20px","defaultMessageItemMarginTop":"0","defaultMessageItemMarginBottom":"10px","diffAddedColor":"hsla(170, 53%, 51%, 0.4)","diffChangedColor":"hsla(43, 97%, 63%, 0.4)","diffNoneColor":"hsla(0, 0%, 80%, 0.4)","diffRemovedColor":"hsla(9, 74%, 47%, 0.4)","specialMessageHeaderMarginTop":"40px","specialMessageHeaderMarginBottom":"20px","specialMessageItemMarginTop":"0","specialMessageItemMarginBottom":"10px","__typename":"RteThemeSettings"},"tags":{"bgColor":"var(--lia-bs-gray-200)","bgHoverColor":"var(--lia-bs-gray-400)","borderRadius":"var(--lia-bs-border-radius-sm)","color":"var(--lia-bs-body-color)","hoverColor":"var(--lia-bs-body-color)","fontWeight":"var(--lia-font-weight-md)","fontSize":"var(--lia-font-size-xxs)","textTransform":"UPPERCASE","letterSpacing":"0.5px","__typename":"TagsThemeSettings"},"toasts":{"borderRadius":"var(--lia-bs-border-radius)","paddingX":"12px","__typename":"ToastsThemeSettings"},"typography":{"fontFamilyBase":"Segoe 
UI","fontStyleBase":"NORMAL","fontWeightBase":"400","fontWeightLight":"300","fontWeightNormal":"400","fontWeightMd":"500","fontWeightBold":"700","letterSpacingSm":"normal","letterSpacingXs":"normal","lineHeightBase":"1.5","fontSizeBase":"16px","fontSizeXxs":"11px","fontSizeXs":"12px","fontSizeSm":"14px","fontSizeLg":"20px","fontSizeXl":"24px","smallFontSize":"14px","customFonts":[{"source":"SERVER","name":"Segoe UI","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"},{"style":"NORMAL","weight":"300","__typename":"FontStyleData"},{"style":"NORMAL","weight":"600","__typename":"FontStyleData"},{"style":"NORMAL","weight":"700","__typename":"FontStyleData"},{"style":"ITALIC","weight":"400","__typename":"FontStyleData"}],"assetNames":["SegoeUI-normal-400.woff2","SegoeUI-normal-300.woff2","SegoeUI-normal-600.woff2","SegoeUI-normal-700.woff2","SegoeUI-italic-400.woff2"],"__typename":"CustomFont"},{"source":"SERVER","name":"MWF Fluent Icons","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"}],"assetNames":["MWFFluentIcons-normal-400.woff2"],"__typename":"CustomFont"}],"__typename":"TypographyThemeSettings"},"unstyledListItem":{"marginBottomSm":"5px","marginBottomMd":"10px","marginBottomLg":"15px","marginBottomXl":"20px","marginBottomXxl":"25px","__typename":"UnstyledListItemThemeSettings"},"yiq":{"light":"#ffffff","dark":"#000000","__typename":"YiqThemeSettings"},"colorLightness":{"primaryDark":0.36,"primaryLight":0.74,"primaryLighter":0.89,"primaryLightest":0.95,"infoDark":0.39,"infoLight":0.72,"infoLighter":0.85,"infoLightest":0.93,"successDark":0.24,"successLight":0.62,"successLighter":0.8,"successLightest":0.91,"warningDark":0.39,"warningLight":0.68,"warningLighter":0.84,"warningLightest":0.93,"dangerDark":0.41,"dangerLight":0.72,"dangerLighter":0.89,"dangerLightest":0.95,"__typename":"ColorLightnessThemeSettings"},"localOverride":false,"__typename":"Theme"},"localOverride":false},"CachedAsset:text:en_US-components/common/EmailV
erification-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/common/EmailVerification-1745487435975","value":{"email.verification.title":"Email Verification Required","email.verification.message.update.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. To change your email, visit My Settings.","email.verification.message.resend.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. Resend email."},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-1745487435975","value":{"title":"Loading..."},"localOverride":false},"CachedAsset:text:en_US-pages/tags/TagPage-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-pages/tags/TagPage-1745487435975","value":{"tagPageTitle":"Tag:\"{tagName}\" | {communityTitle}","tagPageForNodeTitle":"Tag:\"{tagName}\" in \"{title}\" | {communityTitle}","name":"Tags Page","tag":"Tag: {tagName}"},"localOverride":false},"Category:category:microsoft-security-product":{"__typename":"Category","id":"category:microsoft-security-product","entityType":"CATEGORY","displayId":"microsoft-security-product","nodeType":"category","depth":4,"title":"Microsoft Security","shortTitle":"Microsoft 
Security","parent":{"__ref":"Category:category:microsoft-security"}},"Category:category:top":{"__typename":"Category","id":"category:top","displayId":"top","nodeType":"category","depth":0,"title":"Top"},"Category:category:communities":{"__typename":"Category","id":"category:communities","displayId":"communities","nodeType":"category","depth":1,"parent":{"__ref":"Category:category:top"},"title":"Communities"},"Category:category:products-services":{"__typename":"Category","id":"category:products-services","displayId":"products-services","nodeType":"category","depth":2,"parent":{"__ref":"Category:category:communities"},"title":"Products"},"Category:category:microsoft-security":{"__typename":"Category","id":"category:microsoft-security","displayId":"microsoft-security","nodeType":"category","depth":3,"parent":{"__ref":"Category:category:products-services"},"title":"Microsoft Security","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:MicrosoftSecurityExperts":{"__typename":"Blog","id":"board:MicrosoftSecurityExperts","entityType":"BLOG","displayId":"MicrosoftSecurityExperts","nodeType":"board","depth":5,"conversationStyle":"BLOG","title":"Microsoft Security Experts 
Blog","description":"","avatar":null,"profileSettings":{"__typename":"ProfileSettings","language":null},"parent":{"__ref":"Category:category:microsoft-security-product"},"ancestors":{"__typename":"CoreNodeConnection","edges":[{"__typename":"CoreNodeEdge","node":{"__ref":"Community:community:gxcuf89792"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:communities"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:products-services"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:microsoft-security"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:microsoft-security-product"}}]},"userContext":{"__typename":"NodeUserContext","canAddAttachments":false,"canUpdateNode":false,"canPostMessages":false,"isSubscribed":false},"boardPolicies":{"__typename":"BoardPolicies","canPublishArticleOnCreate":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","key":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","args":[]}}},"shortTitle":"Microsoft Security Experts 
Blog","tagPolicies":{"__typename":"TagPolicies","canSubscribeTagOnNode":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.labels.action.corenode.subscribe_labels.allow.accessDenied","key":"error.lithium.policies.labels.action.corenode.subscribe_labels.allow.accessDenied","args":[]}},"canManageTagDashboard":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.labels.action.corenode.admin_labels.allow.accessDenied","key":"error.lithium.policies.labels.action.corenode.admin_labels.allow.accessDenied","args":[]}}}},"CachedAsset:quilt:o365.prod:pages/tags/TagPage:board:MicrosoftSecurityExperts-1745487433264":{"__typename":"CachedAsset","id":"quilt:o365.prod:pages/tags/TagPage:board:MicrosoftSecurityExperts-1745487433264","value":{"id":"TagPage","container":{"id":"Common","headerProps":{"removeComponents":["community.widget.bannerWidget"],"__typename":"QuiltContainerSectionProps"},"items":[{"id":"tag-header-widget","layout":"ONE_COLUMN","bgColor":"var(--lia-bs-white)","showBorder":"BOTTOM","sectionEditLevel":"LOCKED","columnMap":{"main":[{"id":"tags.widget.TagsHeaderWidget","__typename":"QuiltComponent"}],"__typename":"OneSectionColumns"},"__typename":"OneColumnQuiltSection"},{"id":"messages-list-for-tag-widget","layout":"ONE_COLUMN","columnMap":{"main":[{"id":"messages.widget.messageListForNodeByRecentActivityWidget","props":{"viewVariant":{"type":"inline","props":{"useUnreadCount":true,"useViewCount":true,"useAuthorLogin":true,"clampBodyLines":3,"useAvatar":true,"useBoardIcon":false,"useKudosCount":true,"usePreviewMedia":true,"useTags":false,"useNode":true,"useNodeLink":true,"useTextBody":true,"truncateBodyLength":-1,"useBody":true,"useRepliesCount":true,"useSolvedBadge":true,"timeStampType":"conversation.lastPostingActivityTime","useMessageTimeLink":true,"clampSubjectLines":2}},"panelType":"divider","useTitle":false,"hideIfEmpty":false,"pagerVariant":{"typ
e":"loadMore"},"style":"list","showTabs":true,"tabItemMap":{"default":{"mostRecent":true,"mostRecentUserContent":false,"newest":false},"additional":{"mostKudoed":true,"mostViewed":true,"mostReplies":false,"noReplies":false,"noSolutions":false,"solutions":false}}},"__typename":"QuiltComponent"}],"__typename":"OneSectionColumns"},"__typename":"OneColumnQuiltSection"}],"__typename":"QuiltContainer"},"__typename":"Quilt"},"localOverride":false},"CachedAsset:quiltWrapper:o365.prod:Common:1745487426928":{"__typename":"CachedAsset","id":"quiltWrapper:o365.prod:Common:1745487426928","value":{"id":"Common","header":{"backgroundImageProps":{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"__typename":"BackgroundImageProps"},"backgroundColor":"transparent","items":[{"id":"community.widget.navbarWidget","props":{"showUserName":true,"showRegisterLink":true,"useIconLanguagePicker":true,"useLabelLanguagePicker":true,"className":"QuiltComponent_lia-component-edit-mode__0nCcm","links":{"sideLinks":[],"mainLinks":[{"children":[],"linkType":"INTERNAL","id":"gxcuf89792","params":{},"routeName":"CommunityPage"},{"children":[],"linkType":"EXTERNAL","id":"external-link","url":"/Directory","target":"SELF"},{"children":[{"linkType":"INTERNAL","id":"microsoft365","params":{"categoryId":"microsoft365"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-teams","params":{"categoryId":"MicrosoftTeams"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"windows","params":{"categoryId":"Windows"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-securityand-compliance","params":{"categoryId":"microsoft-security"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"outlook","params":{"categoryId":"Outlook"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"planner","params":{"categoryId":"Planner"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"windows-serve
r","params":{"categoryId":"Windows-Server"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"azure","params":{"categoryId":"Azure"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"exchange","params":{"categoryId":"Exchange"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-endpoint-manager","params":{"categoryId":"microsoft-endpoint-manager"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"s-q-l-server","params":{"categoryId":"SQL-Server"},"routeName":"CategoryPage"},{"linkType":"EXTERNAL","id":"external-link-2","url":"/Directory","target":"SELF"}],"linkType":"EXTERNAL","id":"communities","url":"/","target":"BLANK"},{"children":[{"linkType":"INTERNAL","id":"education-sector","params":{"categoryId":"EducationSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"a-i","params":{"categoryId":"AI"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"i-t-ops-talk","params":{"categoryId":"ITOpsTalk"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"partner-community","params":{"categoryId":"PartnerCommunity"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-mechanics","params":{"categoryId":"MicrosoftMechanics"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"healthcare-and-life-sciences","params":{"categoryId":"HealthcareAndLifeSciences"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"public-sector","params":{"categoryId":"PublicSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"io-t","params":{"categoryId":"IoT"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"driving-adoption","params":{"categoryId":"DrivingAdoption"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"s-m-b","params":{"categoryId":"SMB"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"startupsat-microsoft","params":{"categoryId":"StartupsatMicrosoft"},"routeName":"CategoryPage"},{"linkType":"EXTERNAL","id":"external-link-1","url":"/Directory","target":"SELF"}],
"linkType":"EXTERNAL","id":"communities-1","url":"/","target":"SELF"},{"children":[],"linkType":"EXTERNAL","id":"external","url":"/Blogs","target":"SELF"},{"children":[],"linkType":"EXTERNAL","id":"external-1","url":"/Events","target":"SELF"},{"children":[{"linkType":"INTERNAL","id":"microsoft-learn-1","params":{"categoryId":"MicrosoftLearn"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"microsoft-learn-blog","params":{"boardId":"MicrosoftLearnBlog","categoryId":"MicrosoftLearn"},"routeName":"BlogBoardPage"},{"linkType":"EXTERNAL","id":"external-10","url":"https://learningroomdirectory.microsoft.com/","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-3","url":"https://docs.microsoft.com/learn/dynamics365/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-4","url":"https://docs.microsoft.com/learn/m365/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-5","url":"https://docs.microsoft.com/learn/topics/sci/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-6","url":"https://docs.microsoft.com/learn/powerplatform/?wt.mc_id=techcom_header-webpage-powerplatform","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-7","url":"https://docs.microsoft.com/learn/github/?wt.mc_id=techcom_header-webpage-github","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-8","url":"https://docs.microsoft.com/learn/teams/?wt.mc_id=techcom_header-webpage-teams","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-9","url":"https://docs.microsoft.com/learn/dotnet/?wt.mc_id=techcom_header-webpage-dotnet","target":"BLANK"},{"linkType":"EXTERNAL","id":"external-2","url":"https://docs.microsoft.com/learn/azure/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"}],"linkType":"INTERNAL","id":"microsoft-learn","params":{"categoryId":"MicrosoftLearn"},"routeName":"CategoryPage"},{"children":[],"linkType":"INTERNAL","id":"community-info-cen
ter","params":{"categoryId":"Community-Info-Center"},"routeName":"CategoryPage"}]},"style":{"boxShadow":"var(--lia-bs-box-shadow-sm)","controllerHighlightColor":"hsla(30, 100%, 50%)","linkFontWeight":"400","dropdownDividerMarginBottom":"10px","hamburgerBorderHover":"none","linkBoxShadowHover":"none","linkFontSize":"14px","backgroundOpacity":0.8,"controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerBgColor":"transparent","hamburgerColor":"var(--lia-nav-controller-icon-color)","linkTextBorderBottom":"none","brandLogoHeight":"30px","linkBgHoverColor":"transparent","linkLetterSpacing":"normal","collapseMenuDividerOpacity":0.16,"dropdownPaddingBottom":"15px","paddingBottom":"15px","dropdownMenuOffset":"2px","hamburgerBgHoverColor":"transparent","borderBottom":"1px solid var(--lia-bs-border-color)","hamburgerBorder":"none","dropdownPaddingX":"10px","brandMarginRightSm":"10px","linkBoxShadow":"none","collapseMenuDividerBg":"var(--lia-nav-link-color)","linkColor":"var(--lia-bs-body-color)","linkJustifyContent":"flex-start","dropdownPaddingTop":"10px","controllerHighlightTextColor":"var(--lia-yiq-dark)","controllerTextColor":"var(--lia-nav-controller-icon-color)","background":{"imageAssetName":"","color":"var(--lia-bs-white)","size":"COVER","repeat":"NO_REPEAT","position":"CENTER_CENTER","imageLastModified":""},"linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkHoverColor":"var(--lia-bs-body-color)","position":"FIXED","linkBorder":"none","linkTextBorderBottomHover":"2px solid var(--lia-bs-body-color)","brandMarginRight":"30px","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","linkBorderHover":"none","collapseMenuMarginLeft":"20px","linkFontStyle":"NORMAL","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","linkPaddingX":"10px","linkPaddingY":"5px","paddingTop":"15px","linkTextTransform":"NONE","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 
0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","linkBgColor":"transparent","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkDropdownPaddingY":"9px","controllerIconColor":"var(--lia-bs-body-color)","dropdownDividerMarginTop":"10px","linkGap":"10px","controllerIconHoverColor":"var(--lia-bs-body-color)"},"showSearchIcon":false,"languagePickerStyle":"iconAndLabel"},"__typename":"QuiltComponent"},{"id":"community.widget.breadcrumbWidget","props":{"backgroundColor":"transparent","linkHighlightColor":"var(--lia-bs-primary)","visualEffects":{"showBottomBorder":true},"linkTextColor":"var(--lia-bs-gray-700)"},"__typename":"QuiltComponent"},{"id":"custom.widget.community_banner","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"usePageWidth":false,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"custom.widget.HeroBanner","props":{"widgetVisibility":"signedInOrAnonymous","usePageWidth":false,"useTitle":true,"cMax_items":3,"useBackground":false,"title":"","lazyLoad":false,"widgetChooser":"custom.widget.HeroBanner"},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"footer":{"backgroundImageProps":{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"__typename":"BackgroundImageProps"},"backgroundColor":"transparent","items":[{"id":"custom.widget.MicrosoftFooter","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"__typename":"QuiltWrapper","localOverride":false},"localOverride":false},"CachedAsset:text:en_US-components/common/ActionFeedback-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/common/ActionFeedback-1745487435975","value":{"joinedGroupHub.title":"Welcome","joinedGroupHub.message":"You are now a 
member of this group and are subscribed to updates.","groupHubInviteNotFound.title":"Invitation Not Found","groupHubInviteNotFound.message":"Sorry, we could not find your invitation to the group. The owner may have canceled the invite.","groupHubNotFound.title":"Group Not Found","groupHubNotFound.message":"The grouphub you tried to join does not exist. It may have been deleted.","existingGroupHubMember.title":"Already Joined","existingGroupHubMember.message":"You are already a member of this group.","accountLocked.title":"Account Locked","accountLocked.message":"Your account has been locked due to multiple failed attempts. Try again in {lockoutTime} minutes.","editedGroupHub.title":"Changes Saved","editedGroupHub.message":"Your group has been updated.","leftGroupHub.title":"Goodbye","leftGroupHub.message":"You are no longer a member of this group and will not receive future updates.","deletedGroupHub.title":"Deleted","deletedGroupHub.message":"The group has been deleted.","groupHubCreated.title":"Group Created","groupHubCreated.message":"{groupHubName} is ready to use","accountClosed.title":"Account Closed","accountClosed.message":"The account has been closed and you will now be redirected to the homepage","resetTokenExpired.title":"Reset Password Link has Expired","resetTokenExpired.message":"Try resetting your password again","invalidUrl.title":"Invalid URL","invalidUrl.message":"The URL you're using is not recognized. Verify your URL and try again.","accountClosedForUser.title":"Account Closed","accountClosedForUser.message":"{userName}'s account is closed","inviteTokenInvalid.title":"Invitation Invalid","inviteTokenInvalid.message":"Your invitation to the community has been canceled or expired.","inviteTokenError.title":"Invitation Verification Failed","inviteTokenError.message":"The url you are utilizing is not recognized. 
Verify your URL and try again","pageNotFound.title":"Access Denied","pageNotFound.message":"You do not have access to this area of the community or it doesn't exist","eventAttending.title":"Responded as Attending","eventAttending.message":"You'll be notified when there's new activity and reminded as the event approaches","eventInterested.title":"Responded as Interested","eventInterested.message":"You'll be notified when there's new activity and reminded as the event approaches","eventNotFound.title":"Event Not Found","eventNotFound.message":"The event you tried to respond to does not exist.","redirectToRelatedPage.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.message":"The content you are trying to access is archived","redirectToRelatedPage.message":"The content you are trying to access is archived","relatedUrl.archivalLink.flyoutMessage":"The content you are trying to access is archived View Archived Content"},"localOverride":false},"CachedAsset:component:custom.widget.community_banner-en-1744400828442":{"__typename":"CachedAsset","id":"component:custom.widget.community_banner-en-1744400828442","value":{"component":{"id":"custom.widget.community_banner","template":{"id":"community_banner","markupLanguage":"HANDLEBARS","style":".community-banner {\n a.top-bar.btn {\n top: 0px;\n width: 100%;\n z-index: 999;\n text-align: center;\n left: 0px;\n background: #0068b8;\n color: white;\n padding: 10px 0px;\n display: block;\n box-shadow: none !important;\n border: none !important;\n border-radius: none !important;\n margin: 0px !important;\n font-size: 14px;\n }\n}\n","texts":null,"defaults":{"config":{"applicablePages":[],"description":"community announcement 
adNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:AI":{"__typename":"Category","id":"category:AI","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftMechanics":{"__typename":"Category","id":"category:MicrosoftMechanics","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:StartupsatMicrosoft":{"__typename":"Category","id":"category:StartupsatMicrosoft","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PartnerCommunity":{"__typename":"Category","id":"category:PartnerCommunity","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows":{"__typename":"Category","id":"category:Windows","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Conversation:conversation:4402658":{"__typename":"Conversation","id":"conversation:4402658","topic":{"__typename":"BlogTopicMessage","uid":4402658},"lastPostingActivityTime":"2025-04-11T14:55:33.119-07:00","solved":false},"User:user:524152":{"__typename":"User","uid":524152,"login":"Sachin-Kumar","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/m_assets/avatars/default/avatar-3.svg?time=0"},"id":"user:524152"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00NDAyNjU4LWMyenhwQQ?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00NDAyNjU4LWMyenhwQQ?revision=12","title":"Sachin 
2.jpg","associationType":"COVER","width":1280,"height":720,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00NDAyNjU4LTE0U2ZqMw?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00NDAyNjU4LTE0U2ZqMw?revision=12","title":"clipboard_image-1-1744238838033.png","associationType":"BODY","width":174,"height":99,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00NDAyNjU4LXlPN29Vdw?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00NDAyNjU4LXlPN29Vdw?revision=12","title":"clipboard_image-2-1744238938896.png","associationType":"BODY","width":183,"height":84,"altText":""},"BlogTopicMessage:message:4402658":{"__typename":"BlogTopicMessage","subject":"Watch and learn from Microsoft security experts who reinforce your SecOps 24/7","conversation":{"__ref":"Conversation:conversation:4402658"},"id":"message:4402658","revisionNum":12,"uid":4402658,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSecurityExperts"},"author":{"__ref":"User:user:524152"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":"","introduction":"","metrics":{"__typename":"MessageMetrics","views":306},"postTime":"2025-04-09T16:21:12.233-07:00","lastPublishTime":"2025-04-11T14:55:33.119-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" In today’s evolving digital landscape, cybersecurity is more than technology, products, and platforms; it’s the people behind the scenes who work 24/7 to ensure organizations remain protected. \n At Microsoft, we are also defenders. We understand the challenges facing Security Operations Centers (SOCs). 
We created Microsoft Defender Experts for XDR, a comprehensive Managed Extended Detection and Response (MXDR) service, to reinforce our customer’s in-house SOC, help security teams focus on what matters most, and provide CISOs with more peace of mind. \n Microsoft Defender Experts for XDR combines industry-leading Microsoft Defender products with our team of Microsoft security experts and analysts. We created a video series that offers a behind-the-scenes look at Defender Experts for XDR through conversations with our security professionals. You will learn about their roles, their approaches to cybersecurity, and how they work to keep organizations safe 24/7. \n Microsoft Defender Experts for XDR Video Series - Let's get started with Season 1 \n In this video series, Sachin Kumar, a Senior Product Manager for Defender Experts for XDR and Edward Walton, a seasoned security expert from the Microsoft Global Black Belt security team, will be your hosts. They will introduce you to the people working behind the scenes and help you understand more about Defender Experts for XDR, which is Microsoft’s MXDR service. \n Each episode provides deeper insights into how the human expertise behind Defender Experts for XDR improves your organization's security outcomes and posture. \n Episode Guide \n Check out the latest episodes below and visit the YouTube playlist to see all the episodes in the series. \n \n Collaborative Interplay - TI, AI, and Defender Experts \n In this episode, Edward and Sachin are joined by Brian, a seasoned research lead from the Defender Experts for XDR team. He shares his insights into the collaborative interplay between threat intelligence, AI, and research within the Defender Experts for XDR team. This episode highlights how threat intelligence, AI, and research teams integrate and enrich a robust, adaptive, and proactive defense within Defender Experts for XDR. 
This collaboration empowers the experts to remain agile and deliver superior protection against advanced threats. \n \n \n A Conversation with Defender Experts Analyst Lead \n In this episode, Edward and Sachin are joined by Michael, a Principal Security Researcher and Defender Experts for XDR operations lead. Michael shares his journey into cybersecurity and his current role at Microsoft. He discusses his responsibilities within the Microsoft Defender Experts for XDR team, including leading the development of the investigation query platform and handling escalations. He also highlights the team's collaboration with the security research team and Microsoft Threat Intelligence Center (MSTIC) to improve threat detection and block malicious activities. He provides examples of common threats like phishing and malware. That includes describing a recent incident involving an exploited remote administration tool. \n \n Stay tuned for additional episodes and meet the people and technology behind Defender Experts for XDR. 
","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"3308","kudosSumWeight":0,"repliesCount":0,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00NDAyNjU4LWMyenhwQQ?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00NDAyNjU4LTE0U2ZqMw?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00NDAyNjU4LXlPN29Vdw?revision=12\"}"}}],"totalCount":3,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":{"__typename":"UploadedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00NDAyNjU4LWMyenhwQQ?revision=12"},"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4296085":{"__typename":"Conversation","id":"conversation:4296085","topic":{"__typename":"BlogTopicMessage","uid":4296085},"lastPostingActivityTime":"2024-12-13T04:56:35.299-08:00","solved":false},"User:user:2592816":{"__typename":"User","uid":2592816,"login":"Zophar","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0yNTkyODE2LTYwND
YyM2k1QTM2MDU5ODBGRjBDMzcz"},"id":"user:2592816"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk2MDg1LVpwR0dCSw?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk2MDg1LVpwR0dCSw?revision=12","title":"Picture1.png","associationType":"COVER","width":672,"height":574,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk2MDg1LTRlWnN1UA?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk2MDg1LTRlWnN1UA?revision=12","title":"clipboard_image-1-1731545481199.png","associationType":"BODY","width":602,"height":336,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk2MDg1LVlJbVNpRw?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk2MDg1LVlJbVNpRw?revision=12","title":"clipboard_image-2-1731545481199.png","associationType":"BODY","width":602,"height":166,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk2MDg1LU1nUE45RQ?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk2MDg1LU1nUE45RQ?revision=12","title":"clipboard_image-3-1731545481202.png","associationType":"BODY","width":602,"height":591,"altText":""},"BlogTopicMessage:message:4296085":{"__typename":"BlogTopicMessage","subject":"Enhancing Threat Hunting with Microsoft Defender Experts Plugin","conversation":{"__ref":"Conversation:conversation:4296085"},"id":"message:4296085","revisionNum":12,"uid":4296085,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSecurityExperts"},"author":{"__ref":"User:user:2592816"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":"","introduction":"A new addition to Copilot for 
Security - Proactive threat hunting across your entire organization","metrics":{"__typename":"MessageMetrics","views":1333},"postTime":"2024-11-13T16:59:47.846-08:00","lastPublishTime":"2024-12-12T12:20:05.359-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" In today's rapidly evolving digital landscape, cybersecurity threats are becoming increasingly sophisticated, requiring organizations to adopt proactive measures to safeguard their assets. Recognizing this need, Microsoft has introduced the Defender Experts Plugin—a powerful addition to Copilot for Security’s GitHub. This plugin is designed to elevate your cybersecurity defenses by integrating proactive threat hunting capabilities across your entire organization, including Office 365, cloud applications, and identity platforms. \n What is Defender Experts for Hunting? \n Defender Experts for Hunting is a specialized managed service from Microsoft that provides proactive, human-led threat hunting across a broad range of organizational environments. Unlike automated detection, this service involves active threat hunting by Microsoft’s seasoned security experts, who analyze activities across endpoints, cloud applications, email, and identity platforms. Defender Experts for Hunting focuses on detecting advanced threats and human adversary behaviors, particularly those involving sophisticated or “hands-on-keyboard” attacks, and provides organizations with detailed alerts, expert guidance, and remediation recommendations. \n Overview of the Plugin \n Microsoft’s Defender Experts Plugin is a comprehensive threat hunting tool that expands traditional security boundaries. It goes beyond endpoints to investigate Office 365, cloud applications, and identity platforms, where Microsoft’s seasoned security professionals build detections to investigate these suspicious activities. 
The plugin specializes in tracking sophisticated threats, especially those posed by human adversaries and hands-on-keyboard attacks. The plugin is skills-based leaning on KQL for Advanced Hunting Queries (AHQs) to scan across Defender tables for risky behaviors and suspicious activities, with support for tables such as CloudAppEvents, EmailEvents, EmailAttachmentInfo, and AADSignIn. These queries are not a one-off, as Defender Experts will continue to contribute to the plugin in line with our normal research efforts. \n Some of the threat detection “skills” included in this plugin are: \n \n Suspicious Use of AzureHound: Flags potentially unauthorized data gathering using AzureHound on devices. \n \n \n Reconnaissance Activity Using Network Logs: Detects reconnaissance behavior by analyzing network logs and identifying specific command-line activity. \n \n \n Cobalt Strike DNS Beaconing: Detects suspicious DNS queries associated with Cobalt Strike beacons. \n \n By leveraging Microsoft’s Defender Experts Plugin, organizations can benefit from the deep expertise and proactive approach of Microsoft’s security researchers. This tool ensures that potential threats are not only identified but also thoroughly investigated and addressed with the eventual addition of Promptbooks, thus enhancing the overall security posture of the organization. \n Furthermore, the integration of the Defender Experts Plugin with Copilot for Security’s GitHub allows for seamless collaboration and information sharing among the greater security community. \n Step-by-Step Guided Walkthrough \n Getting started with the Defender Experts Security Copilot Plugin is straightforward: \n 1 - Download the Defender Experts plugin (YAML) from GitHub. \n 2 - Access Security Copilot \n 3 - In the bottom-left corner, click the Plugins icon. \n 4 - Under Custom upload, select Upload plugin. \n 5 - Upload the Defender Experts Plugin. \n \n \n \n 6 - Click Add to finalize. \n 7 - Find the plugin under Custom. 
\n \n \n \n 8 - Your installation will now include specialized prompts in Defender Experts, with skills tailored for effective collaboration with Copilot for Security’s capabilities. \n \n \n \n Conclusion \n The Defender Experts Plugin is a vital addition to any organization’s cybersecurity arsenal. By incorporating proactive threat hunting and leveraging the expertise of Microsoft’s security analysts, this plugin helps organizations to stay ahead of potential threats and maintain a robust security posture. Embrace this powerful tool and take your cybersecurity defenses to the next level. Let’s get started securing your environment with Defender Experts for Hunting! \n If you’re interested in learning more about our Defender Experts services, visit the following resources: \n \n Microsoft Defender Experts for XDR web page \n \n \n Microsoft Defender Experts for XDR docs page \n \n \n Microsoft Defender Experts for Hunting web page \n \n \n Microsoft Defender Experts for Hunting docs page \n \n 
","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"4789","kudosSumWeight":1,"repliesCount":1,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk2MDg1LVpwR0dCSw?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk2MDg1LTRlWnN1UA?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk2MDg1LVlJbVNpRw?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk2MDg1LU1nUE45RQ?revision=12\"}"}}],"totalCount":4,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":{"__typename":"UploadedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk2MDg1LVpwR0dCSw?revision=12"},"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4061509":{"__typename":"Conversation","id":"conversation:4061509","topic":{"__typename":"BlogTopicMessage","uid":4061509},"lastPostingActivityTime":"2024-11-21T11:22:40.345-08:00","solved":false},"User:user:1473501":{"__typename":"User","uid":1473501,"
login":"Elisa_Lippincott","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0xNDczNTAxLTQwMjM0MWlDQjhCQjc0QjJBRUM3MTVF"},"id":"user:1473501"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDYxNTA5LTUwMTg3OGlEQzA0RjAyQUU3NzUxNTc2?revision=13\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDYxNTA5LTUwMTg3OGlEQzA0RjAyQUU3NzUxNTc2?revision=13","title":"DefenderExperts_TechComm 370x240.png","associationType":"TEASER","width":370,"height":240,"altText":"DefenderExperts_TechComm 370x240.png"},"BlogTopicMessage:message:4061509":{"__typename":"BlogTopicMessage","subject":"Welcome to the Microsoft Defender Experts Ninja Hub","conversation":{"__ref":"Conversation:conversation:4061509"},"id":"message:4061509","revisionNum":13,"uid":4061509,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSecurityExperts"},"author":{"__ref":"User:user:1473501"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" \n Bookmark this page for document guides, videos, and other resources focused on Defender Experts services. ","introduction":"","metrics":{"__typename":"MessageMetrics","views":10286},"postTime":"2024-02-20T07:20:00.028-08:00","lastPublishTime":"2024-11-21T11:22:40.345-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Updated Oct 1, 2024 \n We’re excited to announce our Microsoft Defender Experts Ninja Hub. We have compiled document guides, videos, and other resources to help you get familiar with our Defender Experts services and stay up to date on the latest from the Defender Experts team. 
\n \n We’ll update this post as we add resources, so make sure to bookmark this page: https://aka.ms/DefenderExpertsNinjaHub \n \n Microsoft Defender Experts for XDR \n Microsoft Defender Experts for XDR is a managed extended detection and response (MXDR) service that triages, investigates, and responds to incidents for you to help stop cyberattackers and prevent future compromise. Defender Experts for XDR delivers human expertise to security teams quickly to help address coverage gaps and augment their overall security operations. The documentation links below provide more information on the service, requirements, and FAQs: \n \n \n What is Microsoft Defender Experts for XDR offering | Microsoft Learn \n Before you begin using Defender Experts for XDR | Microsoft Learn \n Get started with Microsoft Defender Experts for XDR | Microsoft Learn \n How to use the Microsoft Defender Experts for XDR service | Microsoft Learn \n Communicating with Microsoft Defender Experts | Microsoft Learn \n How to search the audit logs for actions performed by Defender Experts | Microsoft Learn \n Additional information related to Defender Experts for XDR | Microsoft Learn \n FAQs related to Microsoft Defender Experts for XDR | Microsoft Learn \n \n \n Microsoft Defender Experts for Hunting \n Microsoft Defender Experts for Hunting proactively looks for threats 24/7/365 using unparalleled visibility of cross-domain telemetry and leading threat intelligence to extend your team’s threat hunting capabilities and improve overall SOC response. 
The documentation links below provide more information on the service, requirements, and reporting: \n \n \n What is Microsoft Defender Experts for Hunting offering | Microsoft Learn \n Key infrastructure requirements for Microsoft Defender Experts for Hunting | Microsoft Learn \n How to subscribe to Microsoft Defender Experts for Hunting | Microsoft Learn \n Understand the Defender Experts for Hunting report in Microsoft Defender XDR | Microsoft Learn \n \n \n Ninja Show episodes featuring Defender Experts \n \n \n Season 7, Episode 8: Day in the life of a SOC analyst \n Season 5, Episode 5: Improve your security posture with Microsoft Defender Experts for XDR \n Season 3, Episode 4: Defender Experts for Hunting Overview \n \n \n On-demand event sessions and webinars featuring Defender Experts \n \n \n Webinar: MDR and Generative AI: Better Together - A conversation with guest speaker Jeff Pollard \n Microsoft Security Tech Accelerator 2023: Defender Experts in-depth: Running a Modern SOC in the age of LLMs \n Microsoft Ignite 2023: Jumpstart your SOC with Microsoft Defender Experts for XDR \n Microsoft Webinar: Revolutionize Managed XDR with Microsoft \n Microsoft Ignite 2022: Introducing Microsoft Defender Experts for Hunting \n \n \n Defender Experts videos \n \n \n Explainer Video: Microsoft Defender Experts for XDR \n Explainer Video: Microsoft Defender Experts for Hunting \n Video: Adversary in the Middle Hunting Story \n Video: Get started with onboarding | Microsoft Defender Experts for XDR \n Video: Get started with managed response | Microsoft Defender Experts for XDR \n Video: Get started with reporting | Microsoft Defender Experts for XDR \n \n \n Deep dives from the Microsoft Security blog featuring Defender Experts \n \n \n Microsoft Copilot for Security provides immediate impact for the Microsoft Defender Experts team \n Detecting and mitigating a multi-stage AiTM phishing and BEC campaign \n Looking for the ‘Sliver’ lining: Hunting for emerging 
command-and-control frameworks \n One way Microsoft Defender Experts for Hunting prioritizes customer defense \n Phish, Click, Breach: Hunting for a Sophisticated Cyber Attack \n \n \n Podcasts \n \n \n Microsoft Security Insights Show Episode 218: Michael Melone \n Microsoft Security insights Show Episode 198: Raae Wolfram \n Microsoft Security Insights Show Episode 181: Brian Hooper and Phoebe Rogers: A day in the life of a Defender Experts for XDR analyst \n Microsoft Security Insights Show Episode 168: Steve Lee, Defender Experts \n \n \n To learn more about Defender Experts, click here. ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"4465","kudosSumWeight":7,"repliesCount":0,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDYxNTA5LTUwMTg3OGlEQzA0RjAyQUU3NzUxNTc2?revision=13\"}"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4267916":{"__typename":"Conversation","id":"conversation:4267916","topic":{"__typename":"BlogTopicMessage","uid":4267916},"lastPostingActivityTime":"2024-10-22T07:56:53.028-07:00","solved":false},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyOTAwNmk5OTE3RUI4ODM3NzkwM0M3?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.c
om/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyOTAwNmk5OTE3RUI4ODM3NzkwM0M3?revision=16","title":"China SOC.png","associationType":"TEASER","width":993,"height":664,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyODIyM2kzQzk5OUEyNUU1QkE1NzhB?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyODIyM2kzQzk5OUEyNUU1QkE1NzhB?revision=16","title":"Zophar_0-1728599612072.png","associationType":"BODY","width":1836,"height":453,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyODIyNGlENTVGRDQ5RDc0MkMyN0E0?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyODIyNGlENTVGRDQ5RDc0MkMyN0E0?revision=16","title":"Zophar_1-1728599612081.png","associationType":"BODY","width":1249,"height":897,"altText":null},"BlogTopicMessage:message:4267916":{"__typename":"BlogTopicMessage","subject":"Phish, Click, Breach: Hunting for a Sophisticated Cyber Attack","conversation":{"__ref":"Conversation:conversation:4267916"},"id":"message:4267916","revisionNum":16,"uid":4267916,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSecurityExperts"},"author":{"__ref":"User:user:2592816"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" \n Threat actors make problems for users and then offer to fix them. With an RMM tool and user clicks, they are in. 
","introduction":"","metrics":{"__typename":"MessageMetrics","views":6937},"postTime":"2024-10-15T05:00:00.029-07:00","lastPublishTime":"2024-10-22T07:56:53.028-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Authors: \n -Gourav Khandelwal (@Gourav_Khandelwal) \n -Akash Chaudhuri (@AkashChaudhuri) \n -Matthew Mesa (@matthewmesa) \n -Sagar Patil (@Sagar256) \n -Uri Oren (@orenuri) \n -Krithika Ramakrishnan (@krithikar) \n \n Introduction \n \n Since April 2024, we have observed a significant increase in Teams phishing attacks, which have led to endpoint-related incidents, particularly through the abuse of Remote Monitoring and Management (RMM) tools such as Quick Assist (Ref : Threat actors misusing Quick Assist in social engineering attacks leading to ransomware | Microsoft Security Blog), and other tools such as Any Desk, and Team Viewer. \n \n Initially, the attack began with a spam flood, followed by the attacker impersonating the Help Desk on Teams. The attacker would contact the user via Teams, send a malicious link to start the RMM session, and deliver the harmful payload during the session. This would lead to hands-on keyboard activity, data exfiltration, and ultimately result in ransomware attacks. \n \n Over time, the attack method evolved. The attackers now directly reach out to users on Teams, impersonating the service desk. Once the user accepts the Teams invite, the attacker provides a SharePoint link containing malicious payloads, which could lead to critical security breaches. Recent trends in social engineering attacks highlight this adaptability, with attackers varying their tactics based on the target. For instance, they might use a SharePoint link for one victim while opting for a different hosting platform for another on the same day. 
Moreover, attackers are moving beyond traditional link-based strategies by persuading users to install remote access software like AnyDesk and TeamViewer or convincing them to initiate connections via Microsoft's Quick Assist, which is installed by default in the Windows Operating System. \n \n Microsoft continues to aggressively combat threats, such as halting notorious DarkGate, which is a very capable malware. Since December 2023, Microsoft Threat Intelligence has been tracking the Storm-1674 attacker group misusing App Installers with Teams Phishing as the initial access vector (Ref : Intel Article - Microsoft Defender). In this scenario, the attacker convinces the user that they are interacting with the service desk, allowing the attacker to perform malicious activities on the device through Remote Monitoring and Management (RMM) tools. What makes this attack unique is that each attack kill chain is different, as every payload varies. \n \n The activity is attributed to Storm-1811 and Storm-1674 by Microsoft Threat Intelligence. \n In this blog, we will walk through one of the observed scenarios and discuss hunting approaches for detecting such attacks. \n \n Attack Flow \n \n \n Teams Phishing \n \n In the majority of the attacks observed, the attacker impersonated the IT desk in a one-on-one Teams conversation from attacker-owned tenants. Attackers also call the users on Teams, create meetings and send chat messages that contain malicious URLs or attachments through the meeting's chat feature. \n The tenants were usually newly created in a span of less than 7 days. In a few scenarios, the Teams Phishing was preceded by a spam flood with more than 1000 emails every hour. This was used to set the context for the attacker to call the user impersonating the help desk under the pretext of fixing the spam flood. \n The attacks were highly targeted, with attackers focusing on at least three users per tenant through Teams phishing. 
By aggregating the number of users targeted by an external user from a tenant every hour, we can identify these attacks more effectively. \n \n Hunting for Compromises \n \n Hunt for spam flood attack \n \n EmailEvents \n | where Timestamp > ago(1d) \n | where EmailDirection == \"Inbound\" \n | make-series Emailcount = count() \n on Timestamp step 1h by RecipientObjectId \n | extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount) \n | mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp \n | where Anomalies != 0 \n | where AnomalyScore >= 10 \n \n Hunt for Suspicious External Teams messages \n \n CloudAppEvents \n | where Timestamp > ago(1d) \n |where ApplicationId == 28375 \n // This action type is recorded when a new chat is created with the user \n | where ActionType == \"ChatCreated\" \n // This field records the sender’s Account Object ID, since the sender is a third party, the field is expected to be empty \n | where isempty(AccountObjectId) \n // Validation for the message being sent from a Foreign tenant \n | where tobool(RawEventData.ParticipantInfo.HasForeignTenantUsers) == true \n | where RawEventData.CommunicationType == \"OneOnOne\" \n // Validation that the conversation is not initiated from a guest tenant \n | where tobool(RawEventData.ParticipantInfo.HasGuestUsers) == false \n | where tobool(RawEventData.ParticipantInfo.HasOtherGuestUsers) == false \n // Validation that the sender is not recognized. 
If the sender is not recognized, only the email address is populated here \n | where AccountId has \"@\" \n \n This query can also be appended with aggregation by sender tenant to identify targeted attempts: \n \n | extend TargetUserUPN = tolower(tostring(RawEventData.Members[1].UPN)) \n | extend TargetTenant = tostring(RawEventData.OrganizationId) \n | extend AttackerTenant = tostring(RawEventData.Members[0].OrganizationId) \n | extend AttackerUPN = tostring(RawEventData.Members[0].UPN) \n | extend AttackerName = tostring(RawEventData.Members[0].DisplayName) \n |summarize UsersTargeted = dcount(TargetUserUPN ) by AttackerTenant, AttackerUPN, bin(Timestamp, 1h) \n |where UsersTargeted >= 2 \n \n \n RMM Tools Abuse \n \n In cases involving spam floods, the attacker will often call the user via Teams and persuade them to open the Quick Assist application (one of the most targeted RMM applications) and provide the access code. Once the user shares the code, the attacker gains access to the device. If the user also approves the \"Request control\" prompt, the attacker gains full control over the device. 
 \n \n Hunting for Compromises \n \n Hunt for Teams Activity followed by suspicious RMM: \n \n let interestingUsers = DeviceProcessEvents \n | where Timestamp > ago(1h) \n | where isnotempty(InitiatingProcessAccountObjectId) \n |where FileName has_any (\"quickassist.exe\", \"anydesk.exe\", \"teamviewer_service.exe\") // Multiple RMM tools can be abused here \n | project InitiatingProcessAccountUpn; \n CloudAppEvents \n | where Timestamp > ago(1d) \n | where Application == \"Microsoft Teams\" \n | where ActionType == \"ChatCreated\" \n | where isempty(AccountObjectId) \n | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true \n | where RawEventData.CommunicationType == \"OneOnOne\" \n | where RawEventData.ParticipantInfo.HasGuestUsers == false \n | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false \n | where AccountId has \"@\" \n | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN)) \n | where TargetUPN in (interestingUsers ) \n | extend VictimTenant = tostring(RawEventData.OrganizationId) \n | extend AttackerTenant = RawEventData.Members[0].OrganizationId \n | extend AttackerUPN = RawEventData.Members[0].UPN \n | extend AttackerName = RawEventData.Members[0].DisplayName \n \n Initial Access \n \n The Storm-1811 actor calls users on Teams, then abuses RMM tools to deploy payloads and initiate credential theft for initial access. The Storm-1674 actor either calls users or uses Teams chat to deliver malicious payloads via phishing links, usually hosted on file-sharing services like SharePoint. \n \n Hunting for Compromises \n \n In addition to the Teams phishing activities recorded in CloudAppEvents telemetry, clicks on SharePoint URLs are logged in the UrlClickEvents table. Correlating suspicious signals on devices with the UrlClickEvents table can help identify and highlight this activity. 
 \n \n Correlating URL click events on alerted devices \n \n let alertedDevices = AlertEvidence \n | where Timestamp > ago(1h) \n | where isnotempty(DeviceId) \n |distinct DeviceId; \n let interestedUsers = DeviceProcessEvents \n | where Timestamp > ago(1h) \n | where DeviceId in (alertedDevices) \n | where isnotempty(InitiatingProcessAccountUpn) \n | distinct InitiatingProcessAccountUpn; \n UrlClickEvents \n | where Timestamp > ago(1d) \n | where ActionType == \"ClickAllowed\" or IsClickedThrough !=\"0\" \n | where Workload has \"Teams\" \n | where AccountUpn in (interestedUsers) \n \n Credential Access \n \n After taking control of the target user’s device through RMM, the attacker executes a script under the pretext of fixing the spam flood activity. The script is named to match that pretext (e.g., Spam Filter Update), which helps convince the user to go along with the next steps. When the script is executed, it prompts the target user for credentials, and the attacker persuades the user to provide them. \n \n In a few other scenarios, the attacker also redirects the user to an AiTM phishing page to complete the sign-in with MFA to compromise the session token. \n \n Hunting for Compromises \n \n These compromises can be identified by correlating risky sign-in attempts with Teams phishing from external tenants. 
The query below can be used to identify identity compromises (adversary-in-the-middle attacks) through Teams messages with malicious links/attachments as well: \n \n let usersWithRiskySignIn = AADSignInEventsBeta \n |where Timestamp > ago(1h) \n |where RiskLevelDuringSignIn == 100 \n |project AccountUpn; \n CloudAppEvents \n | where Timestamp > ago(1d) \n | where Application == \"Microsoft Teams\" \n | where ActionType == \"ChatCreated\" \n | where isempty(AccountObjectId) \n | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true \n | where RawEventData.CommunicationType == \"OneOnOne\" \n | where RawEventData.ParticipantInfo.HasGuestUsers == false \n | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false \n | where AccountId has \"@\" \n | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN)) \n | where TargetUPN in (usersWithRiskySignIn) \n | extend TargetTenant = tostring(RawEventData.OrganizationId) \n | extend AttackerTenant = RawEventData.Members[0].OrganizationId \n |where TargetTenant != AttackerTenant \n | extend AttackerUPN = RawEventData.Members[0].UPN \n | extend AttackerName = RawEventData.Members[0].DisplayName \n | project-reorder Timestamp, AttackerTenant, AttackerUPN, AttackerName, TargetUPN \n \n Execution \n \n Using a scripted cURL command, the attacker downloads additional payloads in an RMM session, or shares a SharePoint link on Microsoft Teams with payloads and tools (like NetSupport RAT). In a few scenarios, an SSH connection was also set up with the attacker’s machine. \n \n \n \n \n In conjunction with RMM tools, attackers use various command-line utilities to manipulate Active Directory (AD) environments. One such utility is Csvde, a command-line tool that imports and exports data from Active Directory Domain Services (AD DS). 
Csvde can be exploited by threat actors to extract sensitive AD information or to introduce malicious entries into the directory, further compromising the security of the environment. \n \n Detect suspicious file downloads \n \n DeviceNetworkEvents \n | where InitiatingProcessFileName in~ (\"curl.exe\", \"powershell.exe\", \"certutil.exe\", \"bitsadmin.exe\") \n | where RemoteIPType == \"Public\" \n | where RemoteUrl endswith \".exe\" or RemoteUrl endswith \".dll\" or RemoteUrl endswith \".zip\" \n | project Timestamp, DeviceId, InitiatingProcessFileName, RemoteIP, RemoteUrl \n | extend AlertType = \"Suspicious file download from unknown IP address\" \n \n \n Detection of csvde.exe Download and AD Enumeration \n \n // Detect curl downloading csvde.exe \n let csvde_download = DeviceProcessEvents \n | where InitiatingProcessFileName =~\"cmd.exe\" \n | where ProcessCommandLine has_all (\"curl\",\"-o\",\"csvde.exe\",\"http:\") \n | project DeviceId,Timestamp,CurlCommandLine=ProcessCommandLine, CurlProcessId = ProcessId; \n // Detect execution of csvde.exe with specific parameters \n let csvde_execution = \n DeviceProcessEvents \n | where FileName =~ \"csvde.exe\" \n | where ProcessCommandLine has_all (\"-r\",\"objectClass=Computer\") \n and ProcessCommandLine has_all (\"-l\",\"samAccountName\",\"description\",\"info\",\"operatingSystem\") \n and ProcessCommandLine contains \"-f\" \n | project DeviceId,Timestamp, CsvdeCommandLine= ProcessCommandLine,CsvdeProcessId = ProcessId; \n // Join the two events and look for them occurring within 5 minutes \n csvde_download \n | join kind=inner ( \n csvde_execution \n ) on DeviceId \n | where Timestamp between (Timestamp1 .. Timestamp1 + 5m) \n | extend AlertType = \"Potential Active Directory Enumeration\", Details = strcat(\"curl.exe was used to download csvde.exe, which was then executed to enumerate AD computers. 
\") \n \n \n // Detect potential data compression and exfiltration \n let compress_exfil = DeviceProcessEvents \n | where FileName =~ \"7z.exe\" \n | where ProcessCommandLine contains \"x -p\" \n | project Timestamp, DeviceId, FileName, ProcessCommandLine, ProcessId \n | join kind=inner ( \n DeviceNetworkEvents \n | where InitiatingProcessId != 0 \n ) on $left.ProcessId == $right.InitiatingProcessId \n | project Timestamp, DeviceId, FileName, ProcessCommandLine, RemoteIP, RemotePort \n | extend AlertType = \"Potential data compression and exfiltration\"; \n \n \n Reconnaissance \n \n This attack specifically involved high number of reconnaissance commands including ipconfig, systeminfo, geo location scans, user recons, EDR protection status. In a typical attack, this information is exfiltrated to an external C2 server. However, in these attacks, the attacker could have probably taken a screenshot through the RMM. \n \n Persistence \n \n The payloads downloaded by the attacker was used to create persistence either using scheduled tasks or by being added to the startup folder. \n \n // Persistence through Startup operations let regKeys = pack_array(@\"CurrentVersion\\Run\", @\"CurrentVersion\\RunOnce\", @\"CurrentVersion\\RunOnceEx\", @\"Programs\\Startup\", @\"CurrentVersion\\RunServicesOnce\", @\"CurrentVersion\\RunServices\", @\"CurrentVersion\\Policies\\Explorer\\Run\", @\"Windows NT\\CurrentVersion\\Windows\", @\"System\\CurrentControlSet\\Control\\Session Manager\"); let startUpOperations = DeviceFileEvents | where FolderPath has @\"Start Menu\\Programs\\Startup\\\" | where ActionType in (\"FileCreated\", \"FileModified\", \"FileRenamed\"); // Persistence through Registry Tampering let regOperations = DeviceRegistryEvents | where hasAlertDevices | where Timestamp between (startTime .. 
endTime) | where DeviceId in (alertedDevices) | where RegistryKey has_any (regKeys) | where ActionType in (\"SetValue\" ,\"CreateKey\" , \"RenameKey\"); // Persistence through Scheduled task creation let scheduledOperations = DeviceProcessEvents | where Timestamp between (startTime .. endTime) | where DeviceId in (alertedDevices) | where (InitiatingProcessCommandLine has \"schtasks\" and InitiatingProcessCommandLine has_any (\"run\", \"create\" , \"change\")); union startUpOperations, regOperations, scheduledOperations | summarize arg_min(Timestamp, *) by DeviceId \n \n Detections \n \n \n Suspicious activity using Quick Assist \n Possible remote access tool activity \n Suspicious usage of remote management software \n Suspicious location of remote management software \n Possible NetSupport Manager activity \n \n \n References \n \n NOTE: The following references are available for Microsoft Defender customers. \n \n Qakbot distributor Storm-0464 shifts to DarkGate and IcedID : Intel Article - Microsoft Defender - Shift to DarkGate and IcedID \n Financially motivated threat actors misusing App Installer : Intel Article - Microsoft Defender - App Installer misuse \n Threat actors misusing Quick Assist in social engineering attacks leading to ransomware : Intel Article - Microsoft Defender - Quick Assist misuse \n \n \n Recommendations \n \n \n Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat. \n Administrators have an option to manage chats/Teams meetings with external users not managed by the Organization \n Apply Microsoft’s security best practices for Microsoft Teams to safeguard Teams users. \n Educate users about diligent use of RMM tools \n Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps. 
\n Enable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. \n \n NOTE: The following is available for Microsoft Defender customers. \n \n Refer to Microsoft’s human-operated ransomware overview for general hardening recommendations against ransomware attacks. \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"18938","kudosSumWeight":6,"repliesCount":0,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyOTAwNmk5OTE3RUI4ODM3NzkwM0M3?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyODIyM2kzQzk5OUEyNUU1QkE1NzhB?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjY3OTE2LTYyODIyNGlENTVGRDQ5RDc0MkMyN0E0?revision=16\"}"}}],"totalCount":3,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4236972":{"__typename":"Conversation","id":"conversation:4236972","topic":{"__typename":"BlogTopicMessage","uid":4236972},"lastPostingActivit
yTime":"2024-09-04T13:29:47.071-07:00","solved":false},"User:user:237437":{"__typename":"User","uid":237437,"login":"SharonXia","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/m_assets/avatars/default/avatar-10.svg?time=0"},"id":"user:237437"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjM2OTcyLTYxNzAyMGlGMTVGOEUxQ0Q2MkJGRDUw?revision=4\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjM2OTcyLTYxNzAyMGlGMTVGOEUxQ0Q2MkJGRDUw?revision=4","title":"SharonXia_0-1725478426963.png","associationType":"TEASER","width":467,"height":303,"altText":null},"BlogTopicMessage:message:4236972":{"__typename":"BlogTopicMessage","subject":"Microsoft Defender Experts services are now HIPAA and ISO certified","conversation":{"__ref":"Conversation:conversation:4236972"},"id":"message:4236972","revisionNum":4,"uid":4236972,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSecurityExperts"},"author":{"__ref":"User:user:237437"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" \n Certifications demonstrate our commitment to protecting our customers data and privacy. ","introduction":"","metrics":{"__typename":"MessageMetrics","views":1914},"postTime":"2024-09-04T13:29:47.071-07:00","lastPublishTime":"2024-09-04T13:29:47.071-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" We are pleased to announce that Microsoft Defender Experts for XDR and Microsoft Defender Experts for Hunting can help healthcare and life science customers in meeting their Health Insurance Portability and Accountability Act (HIPAA) obligations. 
To carry out proactive threat hunting and managed detection and response on behalf of our customers, our Defender Experts team needs access to their Microsoft Defender portal alerts, incidents, and advanced threat hunting data. We can now support our customers’ compliance with HIPAA when they utilize Defender Experts services through a Business Associate Agreement (BAA) to ensure that protected health information (PHI) is appropriately safeguarded. \n \n The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations issued under HIPAA are a set of U.S. healthcare laws that establish requirements for the use, disclosure, and safeguarding of individually identifiable health information. HIPAA applies to covered entities (e.g., health care providers, health plans, etc.) that create, receive, maintain, transmit, or access patients' PHI. HIPAA further applies to business associates of covered entities that perform certain functions or activities involving PHI as part of providing services to the covered entity or on behalf of the covered entity. \n \n Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft International Organization for Standardization (ISO)/ International Electrotechnical Commission (IEC) 27001 certification and the Health Information Technology for Economic and Clinical Health (HITRUST) Common Security Framework (CSF) certification. Both Defender Experts services are also ISO 27001, 27017, and 27018 certified: \n \n \n ISO 27001 provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system. 
\n ISO 27017 provides guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002 (access control, cryptography, human resource security, and incident response), as well as additional controls with implementation guidance that specifically relate to cloud services. \n ISO 27018 provides guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services. \n \n To learn how Microsoft helps healthcare and life science customers demonstrate compliance, visit the Microsoft HIPAA compliance documentation page. \n \n Click here to discover more about our services or check out the Microsoft Defender Experts for XDR and Microsoft Defender Experts for Hunting documentation pages. Make sure you bookmark our Defender Experts Ninja Hub for the latest resources and videos. 
","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"3110","kudosSumWeight":1,"repliesCount":0,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjM2OTcyLTYxNzAyMGlGMTVGOEUxQ0Q2MkJGRDUw?revision=4\"}"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4159408":{"__typename":"Conversation","id":"conversation:4159408","topic":{"__typename":"BlogTopicMessage","uid":4159408},"lastPostingActivityTime":"2024-06-17T09:07:42.163-07:00","solved":false},"User:user:570320":{"__typename":"User","uid":570320,"login":"DenizSezer","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/m_assets/avatars/default/avatar-7.svg?time=0"},"id":"user:570320"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTU5NDA4LTU5MTIyM2kxODkxMEU1QzQ1RDkzMEI1?revision=10\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTU5NDA4LTU5MTIyM2kxODkxMEU1QzQ1RDkzMEI1?revision=10","title":"MSFT_SCI_Threat_Protection_01.jpg","associationType":"TEASER","width":539,"height":301,"altText":null},"BlogTopicMessage:message:4159408":{"__typename":"BlogTopicMessage","subject":"Effect
ive strategies for conducting Mass Password Resets during cybersecurity incidents","conversation":{"__ref":"Conversation:conversation:4159408"},"id":"message:4159408","revisionNum":10,"uid":4159408,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSecurityExperts"},"author":{"__ref":"User:user:570320"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" Learn about the challenges of performing a mass password reset and best practices for carrying one out. \n ","introduction":"","metrics":{"__typename":"MessageMetrics","views":15698},"postTime":"2024-06-11T09:30:00.038-07:00","lastPublishTime":"2024-06-17T09:07:42.163-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" You're in the middle of a cyber incident, and you know certain accounts have been compromised, but you are not certain of the full extent of the Threat Actor’s impact. What do you do? Oftentimes, Microsoft Incident Response will recommend a mass password reset. This helps you regain control of your identity plane, deny other avenues of access, and disrupt any persistence the attacker may have established in your environment. However, and especially for larger organizations, navigating mass password resets can be a complex task. In this blog post, we'll discuss the practical challenges of performing a mass password reset, how to prepare to carry one out, and best practices in performing them. \n \n Identifying the need for a mass password reset \n \n A mass password reset is not always required, but it is important to identify the circumstances under which it is. Some considerations for when a mass password reset is the best course of action include: \n \n Active Directory database exfiltration: When there is evidence of Active Directory Domain Services (AD DS) database exfiltration by a suspected threat actor. 
\n Active Directory database staging: When there is evidence of AD DS database staging with intent to exfiltrate by a suspected threat actor. \n Compromised privileged identities: When a threat actor has compromised credentials belonging to one or more privileged groups such as Domain Admins, Enterprise Admins, or built-in Administrators. \n Attacker-in-the-Middle: When there is evidence of an Attacker-in-the-Middle (AiTM) attack or other threat-actor-introduced proxy services which may have gathered user credentials. \n Cloud or third-party identity platform compromise: When there is evidence of a compromise on an authoritative identity platform such as Microsoft Entra Connect, AD FS, RADIUS (Remote Authentication Dial In User Service) Servers, or third-party identity solutions. \n Ransomware deployment: When a threat actor has been able to successfully deploy ransomware by compromising accounts belonging to privileged Active Directory (AD) groups. \n Privileged credentials exposed in Business Email Compromise (BEC): When a BEC has exposed privileged credentials in emails. \n Privileged credentials exposed in exfiltrated data: When data exfiltrated from productivity and collaboration tools (such as OneDrive or SharePoint) has exposed privileged credentials. \n Privileged credentials exposed in code: When privileged credentials have been exposed in an online code or source control repository. \n Attribution to nation state or Advanced Persistent Threat (APT): When an attack has been attributed to an APT or nation state. \n \n \n Organizational challenges and scenarios \n \n Almost all organizations have remote users: many have hybrid users, and some have entirely remote workforces. This means that every organization has unique requirements and considerations for when a mass password reset is required. In this section, we will consider some of those requirements and how organizations can best prepare and respond if the need arises. 
Scenarios to consider include: \n \n Local users: Users primarily onsite with line of sight to a domain controller. \n Remote users: Users who primarily use VPN (virtual private networks) or have hybrid identities. \n Administrative controls: Whether password resets are driven by administrators or end-users. \n Service account management: Considerations for service accounts, which often have never-expiring passwords. \n Privileged identities: Special considerations for managing privileged cloud and on-premises accounts. \n \n \n Users onsite with direct access to domain controllers \n \n This scenario is the least complicated one: if all users are primarily onsite with line of sight to a domain controller, then a simple flag on every user account to require the user to change password at next logon can be used to enforce the password change. Users can be given a deadline and informed they are required to change their passwords by the deadline, and, if they fail to do so, their accounts will be disabled. Several PowerShell scripts are available online that allow for enumeration of users in specific organizational units (OUs) and manipulating the “User must change password at next logon” flag to facilitate a gradual password reset rollout so an organization’s helpdesk is not inundated. When the users arrive in the office and attempt to log on, a message will prompt them to change their passwords. \n \n Gradual, but expedited expiration of passwords using Fine Grained Password Policies (FGPP) and the progressive reduction of password age through domain policy modifications offer alternative methods for enforcing a mass password reset for domain users. However, a significant drawback to this approach is the potential for a threat actor to remain within an authenticated session until a logon event triggers the password reset. When considering this method, it's important to balance the urgency of credential changes with the need to provide users with a grace period. 
Since many organizations have a portion of their workforce operating remotely, this strategy is often employed as part of a broader series of steps designed to secure all user accounts across various scenarios. \n Remote users who use VPN to access the environment \n \n This scenario is more common when most users are primarily remote, or there is a mix of remote and onsite users. In this scenario, users rely on authentication mechanisms separate from their domain password; for example, certificate-based authentication. Once the users are authenticated using the VPN solution, they can be treated like the previous scenario since they will have line of sight to a domain controller. \n \n An important consideration for remote users is whether you will execute an administratively managed password reset (which is where an admin resets credentials for users and relies on users to use self-service password reset (SSPR) to regain access) or allow users to change their credentials gracefully on their own. \n This scenario becomes more challenging when the VPN solution relies on the domain password as one (or the primary) factor for authentication and the VPN solution does not support a password reset during the sign-in flow. In such a scenario, if the organization has been set up for SSPR before the incident occurs, it makes the password reset process much easier to handle. If an organization does not have SSPR capabilities, a mass password reset will require some manual intervention. This could take the form of users having to call in to the help desk or attend a centralized location that has been set up for this purpose, provide verification of their identity over voice, video, or in person, and then have their password manually reset. 
\n \n Alternatively, for VPN solutions that do not support a password reset during the authentication flow, you may wish to consider migrating the authentication source of your VPN solution to Microsoft Entra ID either temporarily to allow the session to be interrupted with a password reset, or permanently to gain the benefit of additional Microsoft Entra ID features like Conditional Access policies. \n \n Users primarily remote with hybrid (on-premises) identities \n \n With hybrid identities, an organization’s identities (users and computers) are already synchronized to Microsoft Entra ID. In this scenario, line of sight to a domain controller is not a requirement to orchestrate a mass password reset. Microsoft Entra ID supports flagging users to reset their credentials at next sign-in, similar to on-premises Active Directory. Admins can use Microsoft Graph to set the user attribute either to \"forceChangePasswordNextSignIn\" or \"forceChangePasswordNextSignInWithMfa\" on the desired users to interrupt their next sign-in and allow them to change their password gracefully. If the password writeback feature is enabled in Microsoft Entra ID and the organization’s users are enabled for SSPR, then a password reset via either the MyAccount portal or SSPR portal will ensure that the newly reset password is synchronized back on-premises. If password writeback and SSPR are already enabled, this is the scenario with the fastest route to threat actor removal and least amount of manual work. There are some scenarios where an organization may not want to use SSPR, which we will discuss later in this post. \n \n Considerations for service accounts \n \n Service accounts with their never-expiring passwords and traditionally overprivileged nature tend to be the bane of any Active Directory administrator’s existence. This is particularly problematic when a mass password reset must be performed and little-to-no inventory exists that maps applications to service accounts. 
An effort should be made to inventory all service accounts and their associated services and applications. Where possible, service accounts should be migrated to Group Managed Service Accounts (gMSA). This has the dual advantage of making service accounts more manageable and removing the manual overhead associated with service accounts. This is also a great opportunity to “right size” the service accounts that tend to be traditionally overprivileged. \n \n Considerations for privileged identities \n \n All privileged cloud accounts should have phishing-resistant MFA enforced. Also, it is strongly advised to use Just in Time (JIT) administration methods, for example Microsoft Entra ID Privileged Identity Management (PIM). In addition, there should exist a clear separation of on-premises and cloud administration with separate identities for each realm. Identities belonging to the privileged on-premises AD DS groups should not be synchronized to Microsoft Entra ID. Conversely, all privileged cloud roles should be held by cloud native identities and must not be synchronized from AD DS. Most organizations will choose to manually reset any privileged credentials for a high level of assurance and control. It is important to verify when passwords were reset with PowerShell or Microsoft Graph; otherwise, it is very likely that some accounts may be missed. \n \n Assurance and control considerations for a mass password reset \n \n As we’ve detailed, there are several different scenarios that necessitate a mass password reset. This means that there are different levels of control or assurance an organization might require while performing a mass password reset. When SSPR mechanisms can be reliably used to provide assurance, organizations can use that feature to accelerate a mass password reset. \n \n However, there are situations where an organization may not want to use the existing SSPR solution. 
For example, when an advanced threat actor has abused the organization’s SSPR system, or where there is actual evidence of AD DS database exfiltration. In such a scenario the organization would likely not choose to use that mechanism to enforce the mass password reset because the threat actor could re-establish initial access or persistence via SSPR. \n \n Where an organization seeks a high degree of control and assurance for a mass password reset there will, unfortunately, be an element of manual intervention. However, with preparedness ahead of time, Microsoft Entra ID features such as a Temporary Access Pass, when combined with Conditional Access policies, can be used to automate some aspects of assurance and control. In any event where a high degree of assurance and control is desired, some level of manual intervention to verify users’ physical identities and the issuance of such temporary access passes is inevitable. In a subsequent post we will examine different Microsoft Entra ID features that can be used to accomplish this. \n \n Conclusion and next steps \n \n There are several variables and considerations for a mass password reset, and there is no one-size-fits-all solution. However, we can, with adequate preparedness, make this process less onerous and more manageable for organizations. \n \n We recommend exploring other blogs from Microsoft Incident Response for expert guidance and tailored solutions to improve your incident response capabilities. Additionally, consider the benefits of Microsoft Entra ID for advanced identity and access management, which can strengthen your defenses against identity-related breaches. 
","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"12522","kudosSumWeight":5,"repliesCount":0,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTU5NDA4LTU5MTIyM2kxODkxMEU1QzQ1RDkzMEI1?revision=10\"}"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4132077":{"__typename":"Conversation","id":"conversation:4132077","topic":{"__typename":"BlogTopicMessage","uid":4132077},"lastPostingActivityTime":"2024-06-12T13:46:40.342-07:00","solved":false},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTMyMDc3LTUwMTg3OGlEQzA0RjAyQUU3NzUxNTc2?revision=8\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTMyMDc3LTUwMTg3OGlEQzA0RjAyQUU3NzUxNTc2?revision=8","title":"DefenderExperts_TechComm 
370x240.png","associationType":"TEASER","width":370,"height":240,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTMyMDc3LTU3Nzg2N2kyM0IyNzY5MjEzRDJDOTQz?revision=8\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTMyMDc3LTU3Nzg2N2kyM0IyNzY5MjEzRDJDOTQz?revision=8","title":"Elisa_Lippincott_0-1714980502897.png","associationType":"BODY","width":1144,"height":445,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTMyMDc3LTU3Nzg2OGlEMDdFQUUxNzk1NzI4QTdF?revision=8\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTMyMDc3LTU3Nzg2OGlEMDdFQUUxNzk1NzI4QTdF?revision=8","title":"Elisa_Lippincott_1-1714980579808.png","associationType":"BODY","width":1144,"height":445,"altText":null},"BlogTopicMessage:message:4132077":{"__typename":"BlogTopicMessage","subject":"Microsoft Defender Experts Services Expanded Coverage Upcoming Preview","conversation":{"__ref":"Conversation:conversation:4132077"},"id":"message:4132077","revisionNum":8,"uid":4132077,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSecurityExperts"},"author":{"__ref":"User:user:1473501"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" \n We are excited to announce our upcoming preview of our Defender Experts services expanded coverage. 
","introduction":"","metrics":{"__typename":"MessageMetrics","views":3693},"postTime":"2024-05-06T09:00:00.155-07:00","lastPublishTime":"2024-06-12T13:45:56.436-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" We’re pleased to announce the upcoming preview of our Defender Experts services expanded coverage scheduled for June 2024 that extends our capabilities to include customers’ cloud estates with servers and virtual machines (VMs) running in Microsoft Azure and on-premises via Defender for Servers in Microsoft Defender for Cloud. In addition, our coverage will utilize third-party network signals to enhance investigations, create more avenues to generate leads for comprehensive threat hunting, and accelerate response earlier in the attack chain. \n \n World-class security expertise now extends to Microsoft Defender for Cloud \n \n Despite growing cloud maturity, a staggering 95% of security professionals remain concerned about public cloud security. 1 Cloud security is top of mind for many organizations, but they face skills gaps and staffing challenges for this area of expertise. According to ISC2, 92% of organizations report having skills gaps in their organization – the most common being cloud computing security. 2 SOC teams are overwhelmed and understaffed, and organizations need quick access to security expertise to address their coverage gaps. With Defender Experts services now expanding coverage for Defender for Cloud (Defender for Servers), our customers can extend their Defender Experts service to their cloud assets with our field-tested team of experts for proactive threat hunting and managed detection and response. \n \n \n Figure 1. 
Screenshot of a list of incidents with one highlighted to show the service source as Microsoft Defender for Cloud and the detection source as Microsoft Defender for Servers \n \n Customers utilize servers and VMs in their cloud environments to run their business-critical applications; however, cloud computing also introduces new cybersecurity challenges and risks that require specialized skills and tools to address. Securing servers in the cloud requires threat detections that extend to cover connected, cloud-native components, management plane, lateral movement, the discovery of unmonitored machines, file integrity monitoring and more. With Defender for Servers coupled with Defender Experts services, customers can safeguard their servers with around-the-clock coverage and access to our team of experts who will augment your SOC team and help protect your environment across your hybrid environment. \n \n \n Figure 2. Screenshot of an attack story involving a multi-stage incident that includes alerts on virtual machines (VMs) \n \n Enhanced investigations through telemetry data enriched by third-party network signals \n \n Both Defender Experts for XDR and Defender Experts for Hunting services use Microsoft’s extensive and dynamic threat intelligence, and the Defender Experts team utilizes this data to inform their efforts and deliver insights into attackers and their attacks in a customer’s environment. 
A significant enhancement to this capacity is the ability to enrich Defender incidents with third-party network signals, which provide two key advantages for our customers: \n \n \n Deeper insights into incidents: Enriching Defender incidents with network signals from the following providers (Palo Alto Networks (PAN-OS firewall), Zscaler (ZIA and ZPA), Fortinet, and Cisco (ASA and Meraki firewalls)) further enhances our threat telemetry and visibility and gives the Defender Experts team the ability to intensify their threat hunting efforts and investigations and further refine the timeline reconstruction of an incident across multiple vectors. \n \n \n \n Accelerated response times: Select network logs will enrich Defender incidents to provide a more comprehensive view of the attack path and additional pivot points for deeper threat hunting, which enables faster and more complete detection and response. \n \n \n Expanded coverage preview requirements \n \n As part of the expanded coverage preview, customers will be able to see what the Defender Experts team does for them in Microsoft’s new unified security operations platform. This streamlined platform provides you with deeper context into investigations and end-to-end visibility to investigate and respond to threats faster. \n \n For the Defender for Cloud expanded coverage preview requirements, a Defender Experts for XDR license or trial is required (both include the Defender Experts for Hunting service); a Defender for Cloud – Defender for Servers Plan 1 or Plan 2 license; and Defender for Endpoint agent running on the servers/VMs. Customers must be familiar with the Microsoft Defender XDR suite and Azure Lighthouse must be configured on the customer tenant to allow Defender Experts analysts to access the customer’s Defender for Cloud portal. 
\n \n For the third-party network signals expanded coverage preview requirements, a Defender Experts for XDR license or trial is required (both include the Defender Experts for Hunting service); a Sentinel instance within the unified security operations platform; at least one of the supported third-party network signals ingested into their Sentinel instance using the built-in data connectors; opt-in to the ASIM preview feature and Sentinel Research Data Access (RDA); and Azure Lighthouse must be configured on the customer tenant to allow Defender Experts analysts to access the customer’s Sentinel instance. \n \n Customers who are interested in our expanded coverage preview can contact their Microsoft representative for more information. \n \n We understand our customers have unique requirements when it comes to managed security services, so we frequently collaborate with our rich ecosystem of verified MXDR partners so that customers can choose the one that best meets their needs. \n \n See Defender Experts in action \n \n We will be in attendance at the RSA Conference (RSAC) in San Francisco, California on May 6-9, 2024 and invite you to join us for an in-booth theater session featuring Defender Experts at booth 6044N on Monday, May 6, 2024 at 6:30pm. For more information about Microsoft’s overall participation at the conference, please visit our main RSAC blog. \n \n Click here to discover more about our services or check out the Microsoft Defender Experts for XDR and Microsoft Defender Experts for Hunting documentation pages. Make sure you bookmark our Defender Experts Ninja Hub for the latest resources and videos. \n \n \n \n All non-Microsoft product names and brands are property of their respective owners. 
\n ____________________________________________ \n 1 2023 Cloud Security Report | ISC2 and Cybersecurity Insiders \n 2 ISC2_Cybersecurity_Workforce_Study_2023 \n \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"6734","kudosSumWeight":1,"repliesCount":2,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTMyMDc3LTUwMTg3OGlEQzA0RjAyQUU3NzUxNTc2?revision=8\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTMyMDc3LTU3Nzg2N2kyM0IyNzY5MjEzRDJDOTQz?revision=8\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTMyMDc3LTU3Nzg2OGlEMDdFQUUxNzk1NzI4QTdF?revision=8\"}"}}],"totalCount":3,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4053324":{"__typename":"Conversation","id":"conversation:4053324","topic":{"__typename":"BlogTopicMessage","uid":4053324},"lastPostingActivityTime":"2024-04-29T14:27:06.329-07:00","solved":false},"User:user:1680398":{"__typename":"User","uid":1680398,"login":"krithikar","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__type
name":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0xNjgwMzk4LTU0NzUyMWk5NURBNEMwQUE4REVDQjVC"},"id":"user:1680398"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDUzMzI0LTUwMTg3OGlEQzA0RjAyQUU3NzUxNTc2?revision=14\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDUzMzI0LTUwMTg3OGlEQzA0RjAyQUU3NzUxNTc2?revision=14","title":"DefenderExperts_TechComm 370x240.png","associationType":"TEASER","width":370,"height":240,"altText":null},"BlogTopicMessage:message:4053324":{"__typename":"BlogTopicMessage","subject":"Hunting for QR Code AiTM Phishing and User Compromise","conversation":{"__ref":"Conversation:conversation:4053324"},"id":"message:4053324","revisionNum":14,"uid":4053324,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSecurityExperts"},"author":{"__ref":"User:user:1680398"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" \n Dig into the mechanics of QR code phishing, how the Defender Experts team hunts for these campaigns, and the mitigations needed to reduce their impact. ","introduction":"","metrics":{"__typename":"MessageMetrics","views":23261},"postTime":"2024-02-12T05:00:00.069-08:00","lastPublishTime":"2024-02-13T07:12:21.432-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" In the dynamic landscape of adversary-in-the-middle (AiTM) attacks, the Microsoft Defender Experts team has recently observed a notable trend – QR code-themed phishing campaigns. The attackers employ deceptive QR codes to manipulate users into accessing fraudulent websites or downloading harmful content. \n \n These attacks exploit the trust and curiosity of users who scan QR codes without verifying their source or content. 
Attackers can create QR codes that redirect users to phishing sites that mimic legitimate ones, such as banks, social media platforms, or online services. The targeted user scans the QR code, subsequently being redirected to a phishing page. Following user authentication, attackers steal the user's session token, enabling them to launch various malicious activities, including Business Email Compromise attacks and data exfiltration attempts. Alternatively, attackers can create QR codes that prompt users to download malware or spyware onto their devices. These attacks can result in identity theft, financial loss, data breach, or device compromise. \n \n This blog explains the mechanics of QR code phishing, and details how Defender Experts hunt for these phishing campaigns. Additionally, it outlines the procedures in place to notify customers about the unfolding attack narrative and its potential ramifications. \n \n Why is QR code phishing a critical threat? \n The Defender Experts team has observed that QR code campaigns are often massive and large-scale in nature. Before launching these campaigns, attackers typically conduct reconnaissance attempts to gather information on targeted users. The campaigns are then sent to large groups of people within an organization, often exceeding 1,000 users, with varying parameters across subject, sender, and body of the emails. \n \n The identity compromises and stolen session tokens resulting from these campaigns are proportional to their large scale. In recent months, Defender Experts have observed QR code campaigns growing from 10% to 30% of total phishing campaigns. Since the campaigns do not follow a template, it can be difficult to scope and evaluate the extent of compromise. It is crucial for organizations to be aware of this trend and take steps to protect their employees from falling victim to QR code phishing attacks. 
\n \n Understanding the intent of QR code phishing attacks \n The QR code phishing email can have one of the below intents: \n \n \n Credential theft: The majority of these campaigns are designed with the intent where the user is redirected to an AiTM phishing website for session token theft. The authentication method can be single factor authentication, where only the user’s password is compromised and the sign-in attempts are unsuccessful; in these scenarios, the attacker signs in later with the compromised password and bypasses multifactor authentication (MFA) through MFA fatigue attacks. Alternatively, the user can be redirected to an AiTM phishing page where the credentials, MFA parameters and session token are compromised in real-time. \n Malware distribution: In these scenarios, once the user scans the QR code, malware/spyware/adware is automatically downloaded on the mobile device. \n Financial theft: These campaigns use QR codes to trick the user into making a fake payment or giving away their banking credentials. The user may scan the QR code and be taken to a bogus payment gateway or a fake bank website. The attacker can then access the user’s account later and bypass the second factor authentication by contacting the user via email or phone. \n \n \n How Defender Experts approach QR code phishing \n In QR code phishing attempts, the targeted user scans the QR code on their personal non-managed mobile device, which falls outside the scope of the Microsoft Defender protected environment. This is one of the key challenges for detection. In addition to detections based on Image Recognition or Optical Character Recognition, a novel approach was necessary to detect the QR code phishing attempts. 
\n \n Defender Experts have researched identifying patterns across the QR code phishing campaigns and malicious sign-in attempts and devised the following detection approaches: \n \n \n Pre-cursor events: User activities \n Suspicious Senders \n Suspicious Subject \n Email Clustering \n User Signals \n Suspicious Sign-in attempts \n \n \n 1. Hunting for user behavior: \n This is one of the primary detections that helps Defender Experts surface suspicious sign-in attempts from QR code phishing campaigns. Although the user scans the QR code from an email on their personal mobile device, in the majority of the scenarios, the phishing email being accessed is recorded with MailItemsAccessed mail-box auditing action. \n \n The majority of the QR code campaigns have image (png/jpg/jpeg/gif) or document attachments (pdf/doc/xls) – Yes! QR codes are embedded in Excel attachments too! The campaigns can include a legitimate URL that redirects to a phishing page with malicious QR code as well. \n \n A malicious sign-in attempt with session token compromise that follows the QR code scan is always observed from non-trusted devices with medium/high risk score for the session. \n This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices in closer proximity and validates if the location from where the email item was accessed is different from the location of sign-in attempt. 
\n \n Advanced Hunting Query: \n let successfulRiskySignIn = materialize(AADSignInEventsBeta \n | where Timestamp > ago(1d) \n | where isempty(DeviceTrustType) \n | where IsManaged != 1 \n | where IsCompliant != 1 \n | where RiskLevelDuringSignIn in (50, 100) \n | project Timestamp, ReportId, IPAddress, AccountUpn, AccountObjectId, SessionId, Country, State, City \n ); \n let suspiciousSignInUsers = successfulRiskySignIn \n | distinct AccountObjectId; \n let suspiciousSignInIPs = successfulRiskySignIn \n | distinct IPAddress; \n let suspiciousSignInCities = successfulRiskySignIn \n | distinct City; \n CloudAppEvents \n | where Timestamp > ago(1d) \n | where ActionType == \"MailItemsAccessed\" \n | where AccountObjectId in (suspiciousSignInUsers) \n | where IPAddress !in (suspiciousSignInIPs) \n | where City !in (suspiciousSignInCities) \n | join kind=inner successfulRiskySignIn on AccountObjectId \n | where AccountObjectId in (suspiciousSignInUsers) \n | where (Timestamp - Timestamp1) between (-5min .. 5min) \n | extend folders = RawEventData.Folders \n | mv-expand folders \n | extend items = folders.FolderItems \n | mv-expand items \n | extend InternetMessageId = tostring(items.InternetMessageId) \n | project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City \n \n 2. Hunting for sender patterns: \n The sender attributes play a key role in the detection of QR code campaigns. Since the campaigns are typically large scale in nature, 95% of the campaigns do not involve phishing emails from compromised trusted vendors. Predominant emails are sent from newly-created domains or non-prevalent domains in the organization. 
\n \n Since the attack involves multiple user actions involving scanning the QR code from a mobile device and completing the authentication, unlike typical phishing with simple URL clicks, the attackers induce a sense of urgency by impersonating IT support, HR support, payroll, administrator team, or the display name indicates the email is sent on-behalf of a known high value target in the organization (e.g., “Lara Scott on-behalf of CEO”). \n \n In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents. \n \n Advanced Hunting Query: \n let PhishingSenderDisplayNames = () \n { \n pack_array(\"IT\", \"support\", \"Payroll\", \"HR\", \"admin\", \"2FA\", \"notification\", \"sign\", \"reminder\", \"consent\", \"workplace\", \n \"administrator\", \"administration\", \"benefits\", \"employee\", \"update\", \"on behalf\"); \n }; \n let suspiciousEmails = EmailEvents \n | where Timestamp > ago(1d) \n | where isnotempty(RecipientObjectId) \n | where isnotempty(SenderFromAddress) \n | where EmailDirection == \"Inbound\" \n | where DeliveryAction == \"Delivered\" \n | join kind=inner (EmailAttachmentInfo \n | where Timestamp > ago(1d) \n | where isempty(SenderObjectId) \n | where FileType has_any (\"png\", \"jpg\", \"jpeg\", \"bmp\", \"gif\") \n ) on NetworkMessageId \n | where SenderDisplayName has_any (PhishingSenderDisplayNames()) \n | project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId; \n let suspiciousSenders = suspiciousEmails | distinct SenderFromDomain; \n let prevalentSenders = materialize(EmailEvents \n | where Timestamp between (ago(7d) .. 
ago(1d)) \n | where isnotempty(RecipientObjectId) \n | where isnotempty(SenderFromAddress) \n | where SenderFromDomain in (suspiciousSenders) \n | where EmailDirection == \"Inbound\" \n | where DeliveryAction == \"Delivered\" \n | distinct SenderFromDomain); \n suspiciousEmails \n | where SenderFromDomain !in (prevalentSenders) \n | project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId \n \n Correlating suspicious emails with image attachments from a new sender with risky sign-in attempts for the recipients can also surface the QR code phishing campaigns and user compromises. \n \n 3. Hunting for subject patterns: \n In addition to impersonating IT and HR teams, attackers also craft the campaigns with actionable subjects. (e.g., MFA completion required, Digitally sign documents). The targeted user is requested to complete the highlighted action by scanning the QR code in the email and providing credentials and MFA token. \n \n In most cases, these automated phishing campaigns also include a personalized element, where the user’s first name/last name/alias/email address is included in the subject. The email address of the targeted user is also embedded in the URL behind the QR code. This serves as a unique tracker for the attacker to identify emails successfully delivered and QR codes scanned. \n \n In this detection, we track emails with suspicious keywords in subjects or personalized subjects. To detect personalized subjects, we track campaigns where the first three words or last three words of the subject are the same, but the other values are personalized/unique. 
\n \n For example: \n Alex, you have an undelivered voice message \n Bob, you have an undelivered voice message \n Charlie, you have an undelivered voice message \n Your MFA update is pending, Alex \n Your MFA update is pending, Bob \n Your MFA update is pending, Charlie \n \n Advanced Hunting Query: \n \n Personalized campaigns based on the first few keywords: \n EmailEvents \n | where Timestamp > ago(1d) \n | where EmailDirection == \"Inbound\" \n | where DeliveryAction == \"Delivered\" \n | where isempty(SenderObjectId) \n | extend words = split(Subject,\" \") \n | project firstWord = tostring(words[0]), secondWord = tostring(words[1]), thirdWord = tostring(words[2]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId \n | summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstWord, secondWord, thirdWord \n , SenderFromAddress \n | where SubjectsCount >= 10 \n \n Personalized campaigns based on the last few keywords: \n EmailEvents \n | where Timestamp > ago(1d) \n | where EmailDirection == \"Inbound\" \n | where DeliveryAction == \"Delivered\" \n | where isempty(SenderObjectId) \n | extend words = split(Subject,\" \") \n | project firstLastWord = tostring(words[-1]), secondLastWord = tostring(words[-2]), thirdLastWord = tostring(words[-3]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId \n | summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstLastWord, secondLastWord, thirdLastWord \n , SenderFromAddress \n | where SubjectsCount >= 10 \n \n Campaign with suspicious keywords: \n let PhishingKeywords = () \n { \n pack_array(\"account\", \"alert\", \"bank\", \"billing\", \"card\", \"change\", \"confirmation\", \n \"login\", \"password\", \"mfa\", \"authorize\", \"authenticate\", \"payment\", \"urgent\", \"verify\", \"blocked\"); \n }; \n 
EmailEvents \n | where Timestamp > ago(1d) \n | where EmailDirection == \"Inbound\" \n | where DeliveryAction == \"Delivered\" \n | where isempty(SenderObjectId) \n | where Subject has_any (PhishingKeywords()) \n \n 4. Hunting for attachment name patterns: \n Based on the historical QR code campaigns investigations, Defender Experts have identified that the attachment names of the campaigns are usually randomized by the attackers, meaning every email has a different attachment name for the QR code with high levels of randomization. Emails with randomly named attachment names from the same sender to multiple recipients, typically more than 50, can potentially indicate a QR code phishing campaign. \n \n Campaign with randomly named attachments: \n EmailAttachmentInfo \n | where Timestamp > ago(7d) \n | where FileType in (\"png\", \"jpg\", \"jpeg\", \"gif\", \"svg\") \n | where isnotempty(FileName) \n | extend firstFourFileName = substring(FileName, 0, 4) \n | summarize RecipientsCount = dcount(RecipientEmailAddress), FirstFourFilesCount = dcount(firstFourFileName), suspiciousEmails = make_set(NetworkMessageId, 10) by SenderFromAddress \n | where FirstFourFilesCount >= 10 \n \n 5. Hunting for user signals/clusters \n In order to craft effective large scale QR code phishing attacks, the attackers perform reconnaissance across social media to gather target user email addresses, their preferences and much more. These campaigns are sent across to 1,000+ users in the organization with luring subjects and contents based on their preferences. However, Defender Experts have observed that, at least one user finds the campaign suspicious and reports the email, which generates this alert: “Email reported by user as malware or phish.” \n \n This alert can be another starting point for hunting activity to identify the scope of the campaign and compromises. 
Since the campaigns are specifically crafted for each group of users, scoping based on sender/subject/filename might not be an effective approach. Microsoft Defender for Office offers a heuristic based approach based on the email content as a solution for this problem. Emails with similar content that are likely to be from one attacker are clustered together and the cluster ID is populated in the EmailClusterId field in the EmailEvents table. \n \n The clusters can include all phishing attempts from the attackers so far against the organization; they can aggregate emails with malicious URLs, attachments, and QR codes as one, based on the similarity. Hence, this is a powerful approach to explore the persistent phishing techniques of the attacker and the repeatedly targeted users. \n \n Below is a sample query on scoping a campaign from the email reported by the end user. The same scoping logic can be used on the previously discussed hunting hypotheses as well. \n \n let suspiciousClusters = EmailEvents \n | where Timestamp > ago(7d) \n | where EmailDirection == \"Inbound\" \n | where NetworkMessageId in (<List of suspicious Network Message Ids from Alerts>) \n | distinct EmailClusterId; \n EmailEvents \n | where Timestamp > ago(7d) \n | where EmailDirection == \"Inbound\" \n | where EmailClusterId in (suspiciousClusters) \n | summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId), dcount(SenderDisplayName) by EmailClusterId \n \n 6. Hunting for suspicious sign-in attempts: \n In addition to detecting the campaigns, it is critical that we identify the compromised identities. To surface the identities compromised by AiTM, we can utilize the below approaches. \n \n \n Risky sign-in attempt from a non-managed device\n \n Any sign-in attempt from a non-managed, non-compliant, untrusted device should be taken into consideration, and a risk score for the sign-in attempt increases the anomalous nature of the activity. 
Monitoring these sign-in attempts can surface the identity compromises. \n \n \n \n AADSignInEventsBeta \n | where Timestamp > ago(7d) \n | where IsManaged != 1 \n | where IsCompliant != 1 \n //Filtering only for medium and high risk sign-in \n | where RiskLevelDuringSignIn in (50, 100) \n | where ClientAppUsed == \"Browser\" \n | where isempty(DeviceTrustType) \n | where isnotempty(State) or isnotempty(Country) or isnotempty(City) \n | where isnotempty(IPAddress) \n | where isnotempty(AccountObjectId) \n | where isempty(DeviceName) \n | where isempty(AadDeviceId) \n | project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn \n \n \n Suspicious sign-in attributes\n \n Sign-in attempts from untrusted devices with empty user agent, operating system or anomalous BrowserId can also be an indication of identity compromises from AiTM. \n Defender Experts also recommend monitoring the sign-ins from known malicious IP addresses. Although the mode of delivery of the phishing campaigns differs (QR code, HTML attachment, URL), the sign-in infrastructure often remains the same. Monitoring the sign-in patterns of compromised users, and continuously scoping the sign-in attempts based on the known patterns can also surface the identity compromises from AiTM. \n \n \n \n Mitigations \n Apply these mitigations to reduce the impact of this threat: \n \n \n Educate users about the risks of QR code phishing emails. \n Implement Microsoft Defender for Endpoint - Mobile Threat Defense on mobile devices used to access enterprise assets. \n Enable Conditional Access policies in Microsoft Entra, especially risk-based access policies. Conditional access policies evaluate sign-in requests using additional identity-driven signals like user or group membership, IP address location information, and device status, among others, and are enforced for suspicious sign-ins. 
Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices, Azure trusted IP address requirements, or risk-based policies with proper access control. If you are still evaluating Conditional Access, use security defaults as an initial baseline set of policies to improve identity security posture. \n Implement continuous access evaluation. \n Leverage Microsoft Edge to automatically identify and block malicious websites, including those used in this phishing campaign, and Microsoft Defender for Office 365 to detect and block malicious emails, links, and files. \n Monitor suspicious or anomalous activities in Microsoft Entra ID Protection. Investigate sign-in attempts with suspicious characteristics (e.g., location, ISP, user agent, and use of anonymizer services). \n Implement Microsoft Entra passwordless sign-in with FIDO2 security keys. \n Turn on network protection in Microsoft Defender for Endpoint to block connections to malicious domains and IP addresses. \n \n Learn how Microsoft Defender for Office 365 protects your organizations against this recently growing email-based phishing attack. 
\n Protect your organizations against QR code phishing with Defender for Office 365 - Microsoft Community Hub \n \n If you’re interested in learning more about our Defender Experts services, visit the following resources: \n \n Microsoft Defender Experts for XDR web page \n Microsoft Defender Experts for XDR docs page \n Microsoft Defender Experts for Hunting web page \n Microsoft Defender Experts for Hunting docs page \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"24410","kudosSumWeight":7,"repliesCount":2,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDUzMzI0LTUwMTg3OGlEQzA0RjAyQUU3NzUxNTc2?revision=14\"}"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4103985":{"__typename":"Conversation","id":"conversation:4103985","topic":{"__typename":"BlogTopicMessage","uid":4103985},"lastPostingActivityTime":"2024-04-15T03:27:30.300-07:00","solved":false},"User:user:1755048":{"__typename":"User","uid":1755048,"login":"stefanpuzderca","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0xNzU1MDQ4LTU2OTUyMGk1N0U0Q0QyRjNDRTE1NURF"},"id":"user:1755048"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft
.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2ODI4M2kwMUY1MDJCREE4QkVBMjQ5?revision=24\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2ODI4M2kwMUY1MDJCREE4QkVBMjQ5?revision=24","title":"Microsoft Security illustration metaphors_211101_illus-pillar-risk-management_DkBlue.png","associationType":"TEASER","width":2643,"height":1788,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUzNWk0MDQ0MDc1QUU5RjU2RDg5?revision=24\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUzNWk0MDQ0MDc1QUU5RjU2RDg5?revision=24","title":"stefanpuzderca_5-1712136425705.png","associationType":"BODY","width":1868,"height":535,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUyNWlGMDVGNTlEMjc2NkNDOUQ5?revision=24\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUyNWlGMDVGNTlEMjc2NkNDOUQ5?revision=24","title":"stefanpuzderca_1-1712135579985.png","associationType":"BODY","width":1893,"height":608,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUyNmk4RjFBM0ZFMjM3MDIzMzQ4?revision=24\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUyNmk4RjFBM0ZFMjM3MDIzMzQ4?revision=24","title":"stefanpuzderca_2-1712135618887.png","associationType":"BODY","width":1887,"height":547,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUyN2lBNjhCMzg3NzlERTExNjZC?revision=24\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUyN2lBNjhCMzg3NzlERTExNjZC?revision=24","title":"stefanpuzderca_3-17121356
71681.png","associationType":"BODY","width":1888,"height":519,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2OTUxNGk1M0M5QTdFMzFCNzM1NTI2?revision=24\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2OTUxNGk1M0M5QTdFMzFCNzM1NTI2?revision=24","title":"stefanpuzderca_3-1712671905118.png","associationType":"BODY","width":1593,"height":399,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUzOGk5QUMyMzMxMDg2OEI2RjU4?revision=24\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUzOGk5QUMyMzMxMDg2OEI2RjU4?revision=24","title":"stefanpuzderca_6-1712136937021.png","associationType":"BODY","width":826,"height":497,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUzOWlENzE3RTVFNDQ0QUU0QkY1?revision=24\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUzOWlENzE3RTVFNDQ0QUU0QkY1?revision=24","title":"stefanpuzderca_7-1712137392092.png","associationType":"BODY","width":984,"height":589,"altText":null},"BlogTopicMessage:message:4103985":{"__typename":"BlogTopicMessage","subject":"Strategies to monitor and prevent vulnerable driver attacks","conversation":{"__ref":"Conversation:conversation:4103985"},"id":"message:4103985","revisionNum":24,"uid":4103985,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSecurityExperts"},"author":{"__ref":"User:user:1755048"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" Delve into the intricate details of vulnerable driver attacks, and discover effective strategies to prevent them \n \n \n \n 
","introduction":"","metrics":{"__typename":"MessageMetrics","views":20251},"postTime":"2024-04-09T08:41:05.485-07:00","lastPublishTime":"2024-04-09T09:29:25.407-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":"\n Introduction and history \n \n In the ever-evolving landscape of technology, the history of vulnerable drivers in Windows operating systems stands as a testament to the constant battle between innovation and security. From its inception, Windows has been a prime target for malicious actors seeking to exploit vulnerabilities in its drivers. These vulnerabilities, often overlooked, have played a significant role in the history of Windows, shaping its security policies and prompting a continuous cycle of patches and updates. The technique known as Bring Your Own Vulnerable Driver (BYOVD) has become a favoured strategy among threat actors. This involves introducing a digitally signed and trusted vulnerable driver into the kernel and exploiting it to gain kernel-level access. With this access a threat actor can undermine security measures, extract sensitive credentials, or alter system behaviour to remain undetected. The exploitation of vulnerable drivers, which may have originated within the gaming community as a way to circumvent the anti-cheat engines, has evolved into a sophisticated technique that even echoes the methodologies of the infamous Stuxnet. Historically, BYOVD gained notoriety in 2012 when it was used by the Shamoon wiper attack against Saudi Aramco. Multiple advanced persistent threat (APT) and nation-state groups have since utilized vulnerable drivers in their attacks over the last decade, leading to the proliferation of a well-known technique accessible to threat actors across various domains and interests. This technique gained an uptick in popularity in 2020 when ransomware gangs began incorporating it into their operations. 
DART has engaged with customers around the world who were affected by ransomware attacks where vulnerable drivers were used to circumvent or actively disrupt security solutions. Threat actors discover vulnerabilities in the drivers and exploit them to achieve privilege escalation, circumvent the Windows Driver Signature Enforcement (DSE) and install a self-developed driver as rootkit or unhook security and monitoring solutions. This presents a significant cybersecurity risk, as it can provide threat actors with complete control over a system, enabling them to hide processes, network communication, evade detection and so on. \n \n Hunting for vulnerable drivers \n From a threat hunting perspective, it is important to understand what data sources are available and what coverage they have. Baselining the driver activity in the environment can greatly reduce the number of false positives in the hunts. The challenges encountered when conducting threat hunting for vulnerable drivers include: their presence in various legitimate locations, their potential to possess file extensions other than .sys, and the fact that even vulnerable drivers can exhibit seemingly convincing metadata. 
The following questions can guide threat hunting in identifying the vulnerable drivers: \n \n Do old signed drivers correspond to any required business application \n When was the driver signed \n Where is the driver located \n What process installed the driver \n Is the driver metadata normal for the environment\n \n \n \n \n \n \n \n \n \n \n #MDE Advanced Hunting query for discovering drivers in the environment\n\nDeviceFileEvents\n| where ActionType == \"FileCreated\"\n| where FileName endswith \".sys\" \n| invoke FileProfile(SHA1,10000)\n| where GlobalPrevalence <= 500\n| join kind=leftouter\n (\n DeviceFileCertificateInfo ) on SHA1\n| project FileName, FolderPath, GlobalPrevalence, GlobalFirstSeen, GlobalLastSeen,\nSigner, Signer1, Issuer, Issuer1, CertificateCreationTime, CertificateExpirationTime, CertificateSerialNumber\n \n \n \n Similarly to the above query, the native Windows tool driverquery.exe provides a thorough list and csv output of drivers installed. This output can be ingested into a SIEM solution, aggregated, normalized and used in threat hunting. \n \n \n While conducting an incident response to a cybersecurity event involving an attack on a vulnerable driver, it is critical to understand the attack steps and follow the actions that led to it. These investigation leads will assist in understanding the source of the vulnerable driver, evaluating the changes on the system, and the impact. This approach allows for an in-depth investigation and an efficient response in this scenario. 
\n \n Typical investigations should take into account the following: \n \n \n \n \n File write events for drivers in the environment \n \n \n The installation of a new service (type: kernel mode driver) on the endpoint \n \n \n The execution of a loader on the endpoint (it can be in memory) \n \n \n Changes to the certificate root store (self-signed certificate might have been installed before loading a custom driver) \n \n \n \n # MDE Advanced Hunting query for known vulnerable drivers using the community and Microsoft lists\n\n# creating a database of files from the OpenSource list\nlet LolDriverSHA1 = externaldata(SHA1: string)[@\"https://raw.githubusercontent.com/magicsword-io/LOLDrivers/main/detections/hashes/samples.sha1\"] with (format=\"txt\", ignoreFirstRecord=False);\n\n# creating a database of files from the Microsoft Vulnerable Driver List\nlet indicatorsFromMsft = materialize(\n externaldata(data:string)[\"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules#vulnerable-driver-blocklist-xml\"] with(format=\"raw\")\n | extend tempExtractedData = extract('(?sU)<pre><code class=\"lang-xml\">(.*)</code></pre>', 1 , tostring(data))\n | extend fix_xml = replace_strings(tempExtractedData,\n dynamic(['&lt;','&gt;', '&quot;']),\n dynamic(['<','>','\"'])\n )\n | project-away data, tempExtractedData\n | extend parsed_xml = parse_xml(fix_xml)\n | project-away fix_xml\n | mv-apply x=['parsed_xml']['SiPolicy']['FileRules']['Deny'] on\n (\n extend _FriendlyName = x.['@FriendlyName']\n | extend _Hash = x.['@Hash']\n | extend _FileName1 = x.['@FileName']\n | summarize VulnDrivers_Sha1 = make_set_if(_Hash, _FriendlyName endswith 'Hash Sha1'),\n VulnDrivers_Sha256 = make_set_if(_Hash, _FriendlyName endswith 'Hash Sha256'),\n VulnDrivers_FileNames1 = make_set(_FileName1)\n )\n | mv-apply y=['parsed_xml']['SiPolicy']['FileRules']['FileAttrib'] on\n (\n extend 
_FileName2 = y.['@FileName']\n | summarize VulnDrivers_FileNames2 = make_set(_FileName2)\n )\n | extend VulnDrivers_FileNames = array_sort_asc(array_concat(VulnDrivers_FileNames1, VulnDrivers_FileNames2))\n | project-away VulnDrivers_FileNames1, VulnDrivers_FileNames2, parsed_xml\n );\n //let VulnDrivers_FileNames = toscalar(indicatorsFromMsft | project VulnDrivers_FileNames);\n let VulnDrivers_Sha1 = toscalar(indicatorsFromMsft | project VulnDrivers_Sha1);\n //let VulnDrivers_Sha256 = toscalar(indicatorsFromMsft | project VulnDrivers_Sha256);\n DeviceFileEvents | where SHA1 in~ (VulnDrivers_Sha1) or SHA1 in~ (LolDriverSHA1) \n \nFrom a hunting and investigation perspective, vulnerable driver lists from Microsoft and the community list from MagicSword in the above query, are simple external data sources. They can be incorporated into any SIEM solution, as well as integrated into periodic checks for detecting this attack behaviour.\n \n Another key indicator of vulnerable driver attacks is the creation of a kernel service. This event can be verified with: \n \n Microsoft Defender for Endpoint Advanced Hunting query \n \n \n # MDE Advanced Hunting - Kernel services registered on device \n\nDeviceEvents\n| where ActionType contains \"ServiceInstalled\"\n| extend ParsedFields=parse_json(AdditionalFields)\n| extend AttributeList = ParsedFields.ServiceType\n| where AttributeList == 1 \n \n System Event Log Event ID 7045 \n \n Figure 1: System Event Log, Event ID 7045 - New kernel service creation \n \n \n Sysmon Event ID 11 \n \n \n \n \n Figure 2: Sysmon Event Log, Event ID 11 - New file creation \n \n \n Sysmon Event ID 13 \n \n \n \n Figure 3: Sysmon Event Log, Event ID 13 - Service registry value set \n \n \n Sysmon Event ID 6 \n \n \n \n \n Figure 4: Sysmon Event Log, Event ID 6 - Driver loaded event \n \nIn the event the threat actor has full control of the system, a self-signed certificate can be introduced and installed in the environment. 
This will give the threat actor the possibility of installing a custom malicious driver(signed with the self-signed certificate) and gain persistent access to the system. A recommended hunting strategy would be to investigate the trusted certificates installed on a system during the incident timeframe. # MDE Advanced Hunting for new certificates added to Root store\n\nDeviceRegistryEvents\n| where ActionType contains \"RegistryKeyCreated\"\n| where RegistryKey contains \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\ROOT\\\\Certificates\\\\\"\n \n \n \n \n \n Strategies for monitoring and preventing vulnerable driver attacks \n \n Microsoft recommends a defense in depth strategy with multiple layers to prevent vulnerable driver attacks. Detecting the unauthorized access as close as possible to the initial access point is critical when dealing with determined threat actors. To abuse a vulnerable driver, a threat actor would need to perform multiple operations until gaining full access to the system. These steps would give the defenders a wealth of opportunities to detect and mitigate the intrusion early on. \n \n \n The Windows platform empowers organizations to realize their full potential in the manner they envision, but when it comes to securing the platform, a one-size-fits-all approach doesn't work. Each enterprise has its own set of vulnerabilities, risk acceptance, and security requirements. A well-rounded strategy for monitoring and preventing vulnerable driver attacks should be flexible, adaptable and tailored to the unique needs of each organization. It should strike the right balance between trust and operation, ensuring robust security without hindering the organization's activities. Microsoft continues to work closely with our independent hardware vendors (IHVs) and the security community to ensure the highest level of driver security for our customers. 
When driver vulnerabilities are found, we work with our driver partners to ensure they're quickly patched and rolled out to the ecosystem. \n \n The technologies listed below can help organizations secure their environments from the risk of vulnerable drivers attacks. \n \n \n Memory integrity or hypervisor-protected code integrity (HVCI) \n Memory integrity and virtualization-based security (VBS) improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. \n \n \n Memory integrity can be configured using Windows security settings, Microsoft Intune or other MDM, Group Policy, Microsoft configuration manager or modifying the Windows registry settings. This is one of the most effective and recommended means to prevent vulnerable driver attacks on platforms that do not have any legacy dependencies such as old software in production environments. \n \n \n Supported platforms: \n Windows 10 Windows 11 Windows Server 2016 Windows Server 2019 Windows Server 2022 \n \n \n \n \n \n Smart App Control \nSmart App Control provides robust protection against current and emerging threats by blocking malicious or untrusted apps on Windows platform, effectively mitigating risks from novel and evolving threats. Smart App Control is only available on a clean installation of Windows 11 version 22H2 and can be enforced or in evaluation mode. 
Smart App Control blocks the vulnerable drivers defined in the Microsoft vulnerable driver list.\n \n \n \n \n \n Supported platforms: \n Windows 11 22H2 \n \n \n \n Microsoft Defender for Endpoint attack surface reduction rules (ASR) \n \n The block abuse of exploited vulnerable signed drivers ASR rule monitors and prevents an application from writing a signed vulnerable driver to the system. Vulnerable and exploited drivers are routinely identified and automatically added to the vulnerable driver ASR rule to protect Microsoft Defender for Endpoint users against driver malware campaigns. ASR rules are supported on most Windows versions beginning with Windows 2012 R2. Dependencies for planning and deploying the ASR rules are an important step in implementing this security strategy. \n \n \n \n \n \n \n \n ASR rules offer the following four settings: \n \n \n Not configured: disable the ASR rule. \n \n \n Block: enable the ASR rule. \n \n \n Audit: evaluate how the ASR rule would impact your organization if enabled. \n \n \n Warn: enable the ASR rule but allow the user to bypass the block. \n \n \n The vulnerable driver ASR rule GUID is 56a863a9-875e-4185-98a7-b882c64b5ce5. The Intune name is block abuse of exploited vulnerable signed drivers. 
\n \n In addition to the ASR reports in the Defender portal, the ASR logs can be queried using Microsoft Defender for Endpoint advanced hunting events, action type: \n \n \n \n AsrVulnerableSignedDriverAudited \n AsrVulnerableSignedDriverBlocked \n \n \n Alternatively, the Microsoft-Windows-Windows Defender Operational event log can be ingested into your Sentinel SIEM or queried using the built-in Windows Event Viewer by navigating to Applications and Services Logs -> Microsoft -> Windows -> Windows Defender -> Operational -> Event ID 1121 (rule fired in block mode) and Event ID 1122 (rule fired in audit mode) \n \n Figure 5: Microsoft-Windows-Windows Defender Operational Event Log, Event ID 1121 - ASR Event Blocked \n \n \n \n \n \n \n The vulnerable driver ASR rule can be configured using Intune, mobile device management (MDM), Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell. To enable the vulnerable driver ASR rule by each method, please refer to the Microsoft documentation. \n \n \n \n Windows Defender Application Control (WDAC) \n \n \n \n Compared to HVCI, Smart App Control and ASR rules, Windows Defender Application Control (WDAC) can be tailored for your own security strategy. WDAC operates alongside EDR products; however, its trust model differs from traditional antivirus solutions. Instead of assuming applications are trustworthy by default, WDAC requires applications to earn trust before they are allowed to run. Microsoft recommends using this list of drivers within your existing Windows Defender Application Control policy. The Vulnerable Driver Block List is a curated list of drivers that have vulnerabilities and have been used in the threat landscape. New drivers can be submitted for analysis to Vulnerable and malicious driver reporting. \n \n \n \n Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, cause the Operating System to stop responding. 
It's recommended to first validate this policy in audit mode and review the audit block events. \n \n \n \n \n For critical environments that are unable to utilize HVCI or Smart App Control, but still require a tailored security strategy, Microsoft recommends configuring the vulnerable driver list WDAC policy or a custom version of the list and turning on additional protection features using the Windows Defender App Control Policy Wizard based on the environment requirements. \n \n \n Figure 6: Windows Defender App Control Policy Wizard - Additional configuration options \n \n Supported platforms: \n \n \n Windows 10 Windows 11 Windows Server 2016 Windows Server 2019 Windows Server 2022 \n \n \n \n Conclusion \n \n \n \n In our exploration of inspecting vulnerable driver attacks, we have delved into their history, explored effective hunting methodologies, and dissected strategies for prevention and monitoring. We at Microsoft will continue to collaborate with the security community to defend against vulnerable drivers, and strive to fortify the security posture for all our valued customers. We strongly recommend all organizations actively leverage the technologies outlined in this blog to enhance their security and mitigate such attacks. 
\n \n \n \n \n \n \n \n \n \n \n \n \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"17062","kudosSumWeight":7,"repliesCount":4,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2ODI4M2kwMUY1MDJCREE4QkVBMjQ5?revision=24\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUzNWk0MDQ0MDc1QUU5RjU2RDg5?revision=24\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUyNWlGMDVGNTlEMjc2NkNDOUQ5?revision=24\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUyNmk4RjFBM0ZFMjM3MDIzMzQ4?revision=24\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUyN2lBNjhCMzg3NzlERTExNjZC?revision=24\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2OTUxNGk1M0M5QTdFMzFCNzM1NTI2?revision=24\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDc","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUzOGk5QUMyMzMxMDg2OEI2RjU4?revision=24\"}"}},{"__typename
":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDg","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTAzOTg1LTU2NzUzOWlENzE3RTVFNDQ0QUU0QkY1?revision=24\"}"}}],"totalCount":8,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4040147":{"__typename":"Conversation","id":"conversation:4040147","topic":{"__typename":"BlogTopicMessage","uid":4040147},"lastPostingActivityTime":"2024-01-25T17:25:30.726-08:00","solved":false},"User:user:1990648":{"__typename":"User","uid":1990648,"login":"PhoebeRogers","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0xOTkwNjQ4LTUwNTQ3NWkwMTE4OEY3RDc3QjI3RkRB"},"id":"user:1990648"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDQwMTQ3LTUwMTg3OGlEQzA0RjAyQUU3NzUxNTc2?revision=14\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDQwMTQ3LTUwMTg3OGlEQzA0RjAyQUU3NzUxNTc2?revision=14","title":"DefenderExperts_TechComm 370x240.png","associationType":"TEASER","width":370,"height":240,"altText":null},"BlogTopicMessage:message:4040147":{"__typename":"BlogTopicMessage","subject":"Defender Experts’ recommendations for impactful security posture 
management","conversation":{"__ref":"Conversation:conversation:4040147"},"id":"message:4040147","revisionNum":14,"uid":4040147,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSecurityExperts"},"author":{"__ref":"User:user:1990648"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" \n Improve your security posture with impactful controls and configurations recommended by Defender Experts. ","introduction":"","metrics":{"__typename":"MessageMetrics","views":19894},"postTime":"2024-01-25T17:23:08.629-08:00","lastPublishTime":"2024-01-25T17:25:30.726-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Introduction \n The Microsoft Defender Experts for XDR service provides value to customers from both a proactive and reactive perspective. Proactively, we provide guidance to customers on overall security posture improvements and perform threat hunting to surface malicious activity in their environments. Simultaneously, our team reactively investigates and responds to incidents that occur in customer environments on their behalf. Working with both sides of the security equation, Defender Experts for XDR is uniquely positioned to understand the value of security controls and configurations in terms of their impact on the rate and severity of actual customer incidents. \n \n While the basics of security hygiene, such as patching, inventory, security baselining, and least privilege delegations are undeniably important, once those bases are covered there are many more specific controls that receive less attention but can be critical in mitigating the frequency and impact of future incidents. Leveraging our experience helping customers protect themselves, we’re thrilled to share some of the security controls and configurations we find most impactful in the real world. 
\n \n Top Configuration Recommendations \n Listed below, in no particular order, are the top configuration recommendations from Defender Experts for XDR. \n \n Microsoft Defender for Office \n -------------------------------------------------------------------------------------------------------- \n \n Restrict user ability to release emails from quarantine \n The Exchange Online Protection (EOP) quarantine is leveraged widely to prevent suspicious emails from being delivered to user inboxes without entirely deleting them. Emails that match the anti-malware, anti-phishing, and anti-spam policies configured within a given tenant will most often be sent to quarantine. This protection is significantly curtailed when end users have the capability to indiscriminately release their own emails from quarantine. Our team has investigated an unfortunate number of incidents resulting from users searching out phishing emails that were quarantined, releasing them, and promptly compromising their own account. A full access permissions group in a quarantine policy permits this to happen and is strongly discouraged. \n \n Fortunately, regardless of the quarantine policy applied, users can't release their own messages that were quarantined as malware or high confidence phishing - they can only request their release. But for all other emails detected as phishing, one of the following permissions groups must be applied in order to prevent unrestricted quarantine release. \n \n \n Limited access permissions group\n \n This is the recommended permissions group for most environments that are not highly restricted. Limited access permits the user to preview quarantined messages (with hyperlinks disabled), view their headers, and request their release (in addition to deleting the email or blocking the sender). \n \n \n No access permissions group\n \n No access is the most restrictive permissions group that can be applied to a quarantine policy. 
The default quarantine policy AdminOnlyAccessPolicy uses this permissions group. When this is configured, the most that a user could do with a quarantined message is view the email headers. \n \n \n \n \n Implementation \n Within the Microsoft Defender portal under Quarantine policy, create a new policy leveraging Limited access, No access, or Specific access with the action “Allow recipients to request a message to be released from quarantine.” Then apply this quarantine policy to your anti-phishing, anti-spam, and anti-malware policies. \n \n \n \n Quarantine policies | Step 1 Create quarantine policies | Microsoft Learn \n \n \n Quarantine policies | Anatomy of a quarantine policy | Microsoft Learn \n \n \n \n \n Microsoft Defender for Endpoint \n ------------------------------------------------------------------------------------------------------- \n \n Enable tamper protection \n Tamper protection is a critical feature of Defender for Endpoint that protects security settings from being changed. When enabled, tamper protection prevents other key components of Defender for Endpoint, including virus and threat protection, antivirus (AV), real-time protection, automatic remediation, and tamper protection itself, from being disabled. If these security features can be disabled by an attacker, then their value is nullified. Once an attacker has compromised a device, it is commonly part of their attack chain to disable any security services running on the device, thereby enabling more severe and destructive follow-on actions. This activity has been observed in Cypherpunk, DarkSide, and Ryuk ransomware operations among many others. Every supported device onboarded with Defender for Endpoint should have tamper protection enabled. It is also advisable to seriously investigate any incidents involving attempted tampering, as they often point to ongoing compromise. \n \n Implementation \n Enable tamper protection via the Defender Portal, Intune, or Configuration Manager. 
\n \n \n Protect security settings with tamper protection | Microsoft Learn \n \n \n Enable network protection in block mode \n Network protection is a Defender for Endpoint feature that leverages and extends Microsoft Edge SmartScreen to protect Windows, Linux, and macOS devices. SmartScreen, when in block mode, prevents network connections from the Edge browser to known malicious websites. When network protection is enabled in block mode, these malicious connections will also be blocked from all other supported browsers (Chrome, Firefox, Brave, Opera, etc.) and non-browser applications. The default blocklist leverages Microsoft’s extensive threat intelligence resources to protect users across all customer environments from unintentionally visiting malicious websites. Furthermore, custom indicators can be configured within a given tenant to block network connections to additional undesired domains, IPs, and URLs. \n \n If network protection is not enabled, or not in block mode, users are vulnerable to visiting websites that are known to be malicious. This is a very common occurrence in Defender Experts for XDR investigations, resulting in malware infections, credential compromise, or other malicious activity. The Microsoft Threat Intelligence community has already done the work to provide the threat intel, so why not leverage it to protect your organization? \n \n Implementation \n Network protection can be enabled via PowerShell, MDM, Group Policy, or Microsoft Configuration Manager. \n \n \n Turn on network protection | Microsoft Learn \n \n \n Block untrusted and unsigned processes that run from USB \n This is an Attack Surface Reduction (ASR) rule that is prebuilt within Microsoft Defender Antivirus to help prevent USB malware. When enabled in block mode, this rule prevents the execution of unsigned or untrusted executables (.exe, .dll, .scr, .ps, .vbs, .js, etc.) 
that are either present on mounted removable media (e.g., USB or SD card) or that were copied to disk from removable media. For some organizations, USB malware is quite rare. But for organizations with a large, distributed set of end users, or organizations with a large quantity of bring your own device (BYOD) users, this can become a constant challenge. China-based nation-state group Twill Typhoon is known to utilize removable devices containing malicious executables to infect victims, and the LemonDuck and LemonCat mining malware also spread using this technique, among others. Enabling this rule in block mode can be very effective at preventing these types of damaging USB malware. \n \n Implementation \n Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM. \n \n \n \n Block untrusted and unsigned processes that run from USB | Microsoft Learn \n \n \n \n Block JavaScript or VBScript from launching downloaded executable content \n This ASR rule detects attempts by JavaScript or VBScript to launch executables downloaded from the internet and blocks them from executing if enabled in block mode. This prevents a pattern of activity known to be utilized by multiple common types of malware. The FakeUpdates/SocGholish malware in particular leverages a JavaScript backdoor to download and/or launch its payload. FakeUpdates remains relatively prevalent (Manatee Tempest – from FakeUpdates to ransomware), infecting devices via drive-by downloads from malvertising (malicious advertising), SEO poisoning, and more. Russian state-sponsored threat actor Midnight Blizzard has also been observed utilizing phishing emails containing HTML attachments embedded with the EnvyScout JS dropper to compromise victims. 
\n \n Some organizations may utilize legitimate line-of-business applications that exhibit this same behavior, so it is recommended to test this rule in audit mode prior to fully enabling in block mode. Refer to the Demystifying attack surface reduction rules blog series for more information on the transition from auditing to blocking. \n \n Implementation \n Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM. \n \n \n \n Block JavaScript or VBScript from launching downloaded executable content | Microsoft Learn \n \n \n \n Block Office applications from creating executable content \n This ASR rule detects attempts by Office applications (Word, Excel, and PowerPoint) to execute files written to disk, and execution of untrusted files saved by Office macros. In block mode, this rule prevents these executions. Office files have long been utilized to deliver and/or run malicious code, and unfortunately this remains a successful initial access vector into many organizations with insufficient protections. Emotet, Trickbot, Hancitor, and ZLoader malware are all frequently delivered via phishing emails that either directly attach or link to these types of malicious Office files. Individual threat actors including Iran-based nation-state group Mint Sandstorm, China-based nation-state group Canary Typhoon, and Vietnam-based nation-state group Canvas Cyclone, among others, have been known to utilize these methods as well. \n \n Implementation \n Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM. 
\n \n \n \n Block Office applications from creating executable content | Microsoft Learn \n \n \n \n Block executable content from email client and webmail \n This ASR rule detects executable files and scripts attempting to run directly from Microsoft Outlook, outlook.com, or other common webmail services. When enabled in block mode, these executions will be prevented. More sophisticated threat actors and Phishing-as-a-Service (PhaaS) providers have pivoted away from this technique, but this control provides valuable protection against the low-sophistication phishing attacks that can be just as damaging. Given that phishing is one of the most prevalent initial access vectors we see today, any controls that can be applied to reduce the frequency or severity of successful phishing, without disrupting business, should be. \n \n Implementation \n Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM. \n \n \n \n Block executable content from email client and webmail | Microsoft Learn \n \n \n \n \n Microsoft Entra ID \n ------------------------------------------------------------------------------------------------------- \n \n Ensure multifactor authentication (MFA) is enabled for all users in administrative roles in Entra ID \n For a long time, MFA was heralded as the ultimate impenetrable line of defense against account compromise. While we know now that there are many ways to bypass it such as cookie/token theft, SIM swapping, social engineering, etc., MFA remains a valuable control for defense in depth. All administrative user accounts should require MFA, but there are a few critical roles in particular that should be prioritized for this control: \n \n \n Global administrator\n \n The global admin role has the most powerful overall permissions within a tenant and should be protected accordingly. 
\n \n \n Billing administrator\n \n The power of the billing admin is less widely known, but it can in fact take over a tenant from anyone, including the global admin! With the power to move subscriptions to an associated billing tenant, the billing admin could transfer subscriptions to a tenant where they hold global admin, giving them complete control. \n \n \n \n \n Implementation \n Within Entra ID, create a Conditional Access policy that applies to administrative roles requiring MFA on all cloud applications. \n \n \n \n Require MFA for administrators with Conditional Access - Microsoft Entra ID | Microsoft Learn \n \n \n \n Require MFA for self-service password reset (SSPR) \n Self-service password reset enables users to reset their own password without needing to go through a help desk. When performing a password reset, users should be required to robustly verify their identity in order to prevent potential account takeover. SSPR permits four types of authentication methods, which include email and mobile phone. A determined attacker can typically gain access to one of these methods with relative ease. Octo Tempest has been known to take over accounts via SSPR using access to user phones acquired through SIM swapping, among other methods. Requiring two authentication methods in order to complete SSPR might not stop every attacker, but it does introduce an additional defensive layer to the process that could make all the difference. \n \n Implementation \n Within Entra ID under password reset, set authentication methods to two. 
\n \n \n \n Select authentication methods and registration options - Microsoft Entra ID | Microsoft Learn \n \n \n \n \n Microsoft Defender for Identity \n ------------------------------------------------------------------------------------------------------- \n \n Set a honeytoken account \n A honeytoken account works like a security alarm; it is a dormant account with no legitimate business purpose, so any activity that occurs on the account generates an alert. This facilitates the identification of attacker activity that may otherwise have gone unnoticed. A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an organization will avoid being breached. It is vital to be prepared to detect attacks that get past the outer layer of defense in order to mitigate their impact. \n \n Implementation \n Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Honeytoken. \n \n \n Entity tags in Microsoft Defender for Identity - Microsoft Defender for Identity | Microsoft Learn \n \n \n Conclusion \n Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well. 
\n \n If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page. \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"16753","kudosSumWeight":2,"repliesCount":0,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDQwMTQ3LTUwMTg3OGlEQzA0RjAyQUU3NzUxNTc2?revision=14\"}"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"CachedAsset:text:en_US-components/community/Navbar-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/community/Navbar-1745487435975","value":{"community":"Community Home","inbox":"Inbox","manageContent":"Manage Content","tos":"Terms of Service","forgotPassword":"Forgot Password","themeEditor":"Theme Editor","edit":"Edit Navigation Bar","skipContent":"Skip to content","gxcuf89792":"Tech Community","external-1":"Events","s-m-b":"Small and Medium Businesses","windows-server":"Windows Server","education-sector":"Education Sector","driving-adoption":"Driving Adoption","microsoft-learn":"Microsoft Learn","s-q-l-server":"SQL Server","partner-community":"Microsoft Partner Community","microsoft365":"Microsoft 365","external-9":".NET","external-8":"Teams","external-7":"Github","products-services":"Products","external-6":"Power 
Platform","communities-1":"Topics","external-5":"Microsoft Security","planner":"Planner","external-4":"Microsoft 365","external-3":"Dynamics 365","azure":"Azure","healthcare-and-life-sciences":"Healthcare and Life Sciences","external-2":"Azure","microsoft-mechanics":"Microsoft Mechanics","microsoft-learn-1":"Community","external-10":"Learning Room Directory","microsoft-learn-blog":"Blog","windows":"Windows","i-t-ops-talk":"ITOps Talk","external-link-1":"View All","microsoft-securityand-compliance":"Microsoft Security","public-sector":"Public Sector","community-info-center":"Lounge","external-link-2":"View All","microsoft-teams":"Microsoft Teams","external":"Blogs","microsoft-endpoint-manager":"Microsoft Intune and Configuration Manager","startupsat-microsoft":"Startups at Microsoft","exchange":"Exchange","a-i":"AI and Machine Learning","io-t":"Internet of Things (IoT)","outlook":"Outlook","external-link":"Community Hubs","communities":"Products"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarHamburgerDropdown-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarHamburgerDropdown-1745487435975","value":{"hamburgerLabel":"Side Menu"},"localOverride":false},"CachedAsset:text:en_US-components/community/BrandLogo-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/community/BrandLogo-1745487435975","value":{"logoAlt":"Khoros","themeLogoAlt":"Brand Logo"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarTextLinks-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarTextLinks-1745487435975","value":{"more":"More"},"localOverride":false},"CachedAsset:text:en_US-components/authentication/AuthenticationLink-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/authentication/AuthenticationLink-1745487435975","value":{"title.login":"Sign In","title.registration":"Register","title.forgotPassword":"Forgot 
Password","title.multiAuthLogin":"Sign In"},"localOverride":false},"CachedAsset:text:en_US-components/nodes/NodeLink-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/nodes/NodeLink-1745487435975","value":{"place":"Place {name}"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagSubscriptionAction-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagSubscriptionAction-1745487435975","value":{"success.follow.title":"Following Tag","success.unfollow.title":"Unfollowed Tag","success.follow.message.followAcrossCommunity":"You will be notified when this tag is used anywhere across the community","success.unfollowtag.message":"You will no longer be notified when this tag is used anywhere in this place","success.unfollowtagAcrossCommunity.message":"You will no longer be notified when this tag is used anywhere across the community","unexpected.error.title":"Error - Action Failed","unexpected.error.message":"An unidentified problem occurred during the action you took. 
Please try again later.","buttonTitle":"{isSubscribed, select, true {Unfollow} false {Follow} other{}}","unfollow":"Unfollow"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageListTabs-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageListTabs-1745487435975","value":{"mostKudoed":"{value, select, IDEA {Most Votes} other {Most Likes}}","mostReplies":"Most Replies","mostViewed":"Most Viewed","newest":"{value, select, IDEA {Newest Ideas} OCCASION {Newest Events} other {Newest Topics}}","newestOccasions":"Newest Events","mostRecent":"Most Recent","noReplies":"No Replies Yet","noSolutions":"No Solutions Yet","solutions":"Solutions","mostRecentUserContent":"Most Recent","trending":"Trending","draft":"Drafts","spam":"Spam","abuse":"Abuse","moderation":"Moderation","tags":"Tags","PAST":"Past","UPCOMING":"Upcoming","sortBymostRecent":"Sort By Most Recent","sortBymostRecentUserContent":"Sort By Most Recent","sortBymostKudoed":"Sort By Most Likes","sortBymostReplies":"Sort By Most Replies","sortBymostViewed":"Sort By Most Viewed","sortBynewest":"Sort By Newest Topics","sortBynewestOccasions":"Sort By Newest Events","otherTabs":" Messages list in the {tab} for {conversationStyle}","guides":"Guides","archives":"Archives"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/QueryHandler-1745487435975","value":{"title":"Query Handler"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarDropdownToggle-1745487435975","value":{"ariaLabelClosed":"Press the down arrow to open the 
menu"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/OverflowNav-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/OverflowNav-1745487435975","value":{"toggleText":"More"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageView/MessageViewInline-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageView/MessageViewInline-1745487435975","value":{"bylineAuthor":"{bylineAuthor}","bylineBoard":"{bylineBoard}","anonymous":"Anonymous","place":"Place {bylineBoard}","gotoParent":"Go to parent {name}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Pager/PagerLoadMore-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Pager/PagerLoadMore-1745487435975","value":{"loadMore":"Show More"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserLink-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserLink-1745487435975","value":{"authorName":"View Profile: {author}","anonymous":"Anonymous"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageSubject-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageSubject-1745487435975","value":{"noSubject":"(no subject)"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBody-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBody-1745487435975","value":{"showMessageBody":"Show More","mentionsErrorTitle":"{mentionsType, select, board {Board} user {User} message {Message} other {}} No Longer Available","mentionsErrorMessage":"The {mentionsType} you are trying to view has been removed from the community.","videoProcessing":"Video is being processed. Please try again in a few minutes.","bannerTitle":"Video provider requires cookies to play the video. 
Accept to continue or {url} it directly on the provider's site.","buttonTitle":"Accept","urlText":"watch"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTime-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTime-1745487435975","value":{"postTime":"Published: {time}","lastPublishTime":"Last Update: {time}","conversation.lastPostingActivityTime":"Last posting activity time: {time}","conversation.lastPostTime":"Last post time: {time}","moderationData.rejectTime":"Rejected time: {time}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeIcon-1745487435975","value":{"contentType":"Content Type {style, select, FORUM {Forum} BLOG {Blog} TKB {Knowledge Base} IDEA {Ideas} OCCASION {Events} other {}} icon"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageUnreadCount-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageUnreadCount-1745487435975","value":{"unread":"{count} unread","comments":"{count, plural, one { unread comment} other{ unread comments}}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageViewCount-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageViewCount-1745487435975","value":{"textTitle":"{count, plural,one {View} other{Views}}","views":"{count, plural, one{View} other{Views}}"},"localOverride":false},"CachedAsset:text:en_US-components/kudos/KudosCount-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/kudos/KudosCount-1745487435975","value":{"textTitle":"{count, plural,one {{messageType, select, IDEA{Vote} other{Like}}} other{{messageType, select, IDEA{Votes} other{Likes}}}}","likes":"{count, plural, one{like} 
other{likes}}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageRepliesCount-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageRepliesCount-1745487435975","value":{"textTitle":"{count, plural,one {{conversationStyle, select, IDEA{Comment} OCCASION{Comment} other{Reply}}} other{{conversationStyle, select, IDEA{Comments} OCCASION{Comments} other{Replies}}}}","comments":"{count, plural, one{Comment} other{Comments}}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1745487435975":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserAvatar-1745487435975","value":{"altText":"{login}'s avatar","altTextGeneric":"User's avatar"},"localOverride":false}}}},"page":"/tags/TagPage/TagPage","query":{"nodeId":"board:MicrosoftSecurityExperts","tagName":"Defender Experts for XDR"},"buildId":"HEhyUrv5OXNBIbfCLaOrw","runtimeConfig":{"buildInformationVisible":false,"logLevelApp":"info","logLevelMetrics":"info","openTelemetryClientEnabled":false,"openTelemetryConfigName":"o365","openTelemetryServiceVersion":"25.1.0","openTelemetryUniverse":"prod","openTelemetryCollector":"http://localhost:4318","openTelemetryRouteChangeAllowedTime":"5000","apolloDevToolsEnabled":false,"inboxMuteWipFeatureEnabled":false},"isFallback":false,"isExperimentalCompile":false,"dynamicIds":["./components/community/Navbar/NavbarWidget.tsx","./components/community/Breadcrumb/BreadcrumbWidget.tsx","./components/customComponent/CustomComponent/CustomComponent.tsx","./components/tags/TagsHeaderWidget/TagsHeaderWidget.tsx","./components/messages/MessageListForNodeByRecentActivityWidget/MessageListForNodeByRecentActivityWidget.tsx","./components/tags/TagSubscriptionAction/TagSubscriptionAction.tsx","./components/external/components/ExternalComponent.tsx","../shared/client/components/common/List/ListGroup/ListGroup.tsx","./components/messages/MessageView/MessageView.tsx","./components/messag
es/MessageView/MessageViewInline/MessageViewInline.tsx","../shared/client/components/common/Pager/PagerLoadMore/PagerLoadMore.tsx"],"appGip":true,"scriptLoader":[{"id":"analytics","src":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/pagescripts/1730819800000/analytics.js?page.id=TagPage","strategy":"afterInteractive"}]}