Response Actions
Ninja Cat Giveaway: Episode 10 | Identity Threat Detection and Response
For this episode, your opportunity to win a plush ninja cat is the following – Our season finishes here! After learning about this last topic, tell us your thoughts on the Microsoft 365 Defender approach to ITDR. This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

Ninja Cat Giveaway: Episode 9 | Attack disruption
For this episode, your opportunity to win a plush ninja cat is the following – Explain what attack disruption means and one reason why it is critical to any organization. This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

THE VIRTUAL NINJA SHOW SEASON 4 RECAP
Did you miss any of the Ninja Show this season? Not to worry! We have assembled a synopsis of each episode highlighting the central focus points established in our discussions. (However, reading the main points is never as good as the real thing... Watch any episode on demand here!)

Overview: Episodes 1-5 of this season were part of our first mini-series! Focused on incident response cases, experts from several teams across the Microsoft 365 Defender suite shared their knowledge regarding incident investigations as well as the critical tools and capabilities available to help improve defense in any organization. Episodes 6-8 shifted gears and included content about Microsoft Defender for Cloud Apps, near real-time custom detection rules in M365D, and new Microsoft Teams protections!

Ep 1: Oren Saban kicked off our Incident Response series by sharing IR investigation capabilities in Microsoft 365 Defender. We introduce how to best use the attack story view in the Defender portal, dive into the benefits of alert insights, and provide a guided walkthrough of a specific incident investigation that demonstrates how to pivot on affected entities to confirm nothing is being missed – with a special segment unveiling the updated File Content page (coming soon)!

Ep 2: Michael Melone shifts us into an IR investigation of malware. Here we learn the ABC's (and D!) of IR – a simplistic approach to manage malware incidents effectively. Through Michael's demo you will also find updated advanced hunting capabilities in Microsoft 365 Defender and get to know the process of connecting alerts to primary incidents, creating a comprehensive view of an attack.

Ep 3: Pawel Partyka unveils the impacts of business email compromise incidents (cyberattacks with financial fraud motivation) through an in-depth attack investigation.
Takeaways we found critical were:
- Understanding the complexities of AiTM (adversary in the middle) phishing and identifying the various connections of an attack story through the threat factors uncovered in the Microsoft 365 Defender portal
- The Recommended actions tab in Microsoft 365 Defender to help prevent damage to your assets
Pawel's demo walks through each step of the process extremely diligently.

Ep 4 & 5: Corina Feuerstein wraps up our IR focus with a two-part investigation of a ransomware incident. Part 1 defines human-operated ransomware and the numerous phases of impact on an organization. Using a multi-stage incident generated by Microsoft 365 Defender, she shares how attackers use automation and exhibits how automated attack disruption defends at an even faster speed - enabling isolation tactics that prevent them from gaining a larger foothold within the enterprise. We also follow a ransomware playbook to assist during the containment and incident response phase of the attack, showing how to investigate step-by-step, verifying the attack is disrupted and preventing future risks. Part 2 continues our ransomware investigation using advanced hunting KQL queries. We dig into the behaviors and processes of the attack, learn the benefit of adding indicator markers, and make note of the tagging capability to review and connect future incidents. Key takeaways also include learning about remediation procedures, prevention tactics, and professional recommendations to improve security posture.

Ep 6: Keith Fleming brings us out of incident investigations and explains the latest updates in Microsoft Defender for Cloud Apps! He first shares the 4 simple steps to deploy this product in your environment to confidently secure your applications and protect your data.
Then, our conversation leads into a demonstration of:
- Connecting SaaS applications to Defender for Cloud Apps and receiving additional insights from these connections
- Explaining the Activity Log, where you can take part in advanced hunting without KQL expertise!
- Enabling the Defender for Endpoint connection and gaining rich insights without the use of a proxy
There are so many more valuable resources shared throughout this episode, only matching the constant progress happening in the Defender for Cloud Apps world.

Ep 7: Microsoft 365 Defender launched near real-time (NRT) custom detection rules, and Christos Ventouris expertly dives into the benefits of this public preview feature. Watch this episode to learn:
- What custom detection rules are
- How you can create and modify them to your needs using advanced hunting queries
- The positive impact these near real-time rulesets make when it comes to mitigating threats in your organization as quickly as possible

Ep 8: Closing out our fourth season are Senior Product Managers Malvika Balaraj and Daniel Mozes! They unveil an added layer of security within the Defender for Office suite: the collaboration and security within Microsoft Teams. Topics of focus are the new features Defender for Office 365 brings to Microsoft Teams. We learn how Microsoft 365 Defender blocks and removes malicious links or files from Teams or SharePoint, and the self-reporting capability for files that may be a security risk - allowing a more proactive approach to preventing phishing attacks by educating users on basic security measures.

Et voilà! The end of another great season. We are extremely grateful to have the opportunity to help minimize learning gaps in the Microsoft Security community through the Virtual Ninja Show – but please help us keep it relevant to your needs! Add a comment including any topics you would like to see us bring forth next season so we can deliver what is helpful to you.
Until next time, ninjas!

User Reported Spam/Phishing Messages Not Showing in Submission Portal
This happens every so often, where users using the Report Message option in Outlook don't have their submissions ever show up on the User Reported tab in the Submissions portal (or oftentimes there are large delays of an hour or more before messages show up). I have the Report Message button set to copy an internal mailbox as well, and I see submissions go there. I see in the message trace logs that messages are being sent to the equivalent office365.microsoft.com address (email address removed for privacy reasons, for example). Last time I opened a case for this, and it was a very frustrating experience because we only have standard support, so they never would really look into the issue too far. Well, it's happening again since yesterday afternoon, and while it's not a total security issue, it's annoying because our end users have come to expect the responses on their submissions, and it's easier to submit these to Microsoft if they show up in the Submissions portal than having to manually upload them from the internal mailbox these get sent to as well. No service health issues posted in our tenant, but last time we had this, support said they don't typically post issues for things like this even if it's a known service-side issue processing these. I don't know if that's true or not. Anyone else seeing this issue?

Microsoft Defender e-mail notification for user reported messages
Hi, I've configured, under Settings -> Email and Collaboration -> User Reported Settings -> Email notifications, some predefined messages to be sent when we classify the reported emails as Phishing, SPAM or No Threats Found. The problem is that even though I use empty lines to create the message, the email has all the text in the same paragraph, which has a horrible look when it reaches a user's inbox. According to MS support, this is by default like this, which I could not really believe, as from a user experience point of view it is really odd. Anyone using this feature who has the same pain and found some option to overcome this issue? Thanks

Standard Security Policy flagging too many emails as "Potential Phishing"
We decided to enable the Standard Security Policy for Defender on our Microsoft 365 tenant, and immediately noticed that it was quarantining way too many emails that it flagged as either Phishing or High Confidence Phishing (mostly automated notices from cloud services like Asana, Klaviyo, etc.). These are emails that would easily be allowed through any other mail scanning firewall I've used in the past. I'm now concerned about using Defender's "Standard Security Policy" level for Defender, for fear that it's going to have my users missing emails that should easily be passing through, because Defender moved them to Quarantine or Junk. Is there a way to modify the aggressiveness levels for the Standard Security Policy?

"Run Antivirus Scan" results in "Antivirus scan failed"
I'm responding to an alert, and via the Microsoft 365 Security portal I've triggered off a full antivirus scan. However, shortly after that, when I double-check the Action Center again, it shows "Antivirus scan failed". When hovering over the info icon next to the "Antivirus scan failed" text, a small tooltip comes up showing "AV Scan is already in progress". Because this happened yesterday (9/20) and again today (9/21), I'm frankly a little suspicious. Is Defender really already in the middle of an AV scan? If yes, how can I confirm that? If no, then why won't the AV scan execute? Any advice is greatly appreciated!

Defender XDR Unified RBAC - Cannot manage incidents
I've been configuring the new Defender XDR Unified RBAC roles, and two things that I cannot find permissions for are managing incidents and alerts. No matter what I configure, those buttons stay greyed out. This is despite configuring a role that has all Security Operations and Security Posture read and manage permissions. Other functions are working, for instance being able to block users via the TABL, or Search & Purge permissions. Can I please get some help?

Least privileged role for the "Suspend user in AAD" action
Hello, we are trying to find the least privileged role for our SOC members to be able to have the "Suspend user in AAD" and "Require user to sign in again" actions available on the user page of Microsoft 365 Defender. For now we've seen them available only to Global Administrators. We are using the new Defender RBAC for all three products (Endpoints, Email and Collaboration, Identity). The permissions and roles in the Microsoft 365 Defender RBAC are configured like this for our SOC group: Security operations -> All read and manage permissions -> All Scopes
So far we tried adding the SOC members to the following Azure AD roles:
- "Security Operator" does not show these actions for AAD users (but it shows the similar actions for Active Directory users when you have MDI configured: "Disable user in AD", "Enable user in AD", "Force password reset")
- "Authentication administrator" does not show these actions for AAD users, but if we go to the user's page in Azure AD (via the "Azure AD account settings" link), the options to disable or re-authenticate the user's account are obviously available because of this role
Is there a role other than Global Admin for this feature to be visible? Or will this feature and Azure AD Identity Protection in general be better integrated in future enhancements of Microsoft 365 Defender RBAC?

restore 365 defender blocked files
Some users are unable to utilize the application shortcuts on the Start menu and taskbar (MO497128, last updated: January 13, 2023 3:22 PM).
I've run the following query in the Defender portal advanced hunting to list all the shortcut .lnk files that have been deleted following the Defender update:

DeviceEvents
| where ActionType startswith "Asr" and FileName endswith ".lnk" and ActionType endswith "Blocked"

Has anyone found a way to restore all the files?
Thanks, Dan