Scheduling attack simulations
I'm starting to use the Defender attack simulation feature. I have approx. 3000 users to target. Leadership don't want to send 3000 tests every month rather divide the people up across 12 months sending smaller monthly batches. The issue of not being enough tests for each individual is there a way to automate the sending of these to even batches of people across 12 months rather than having to set these up manually?
Is it possible to allow MFA registration only in a work profile on a managed phone
Hello, I'm currently rolling out MDM via Endpoint Manager and also enforcing compliance policies using conditional access. I would like to allow MFA registration only in work profiles, so that users can only register MFA (for Passwordless sign in) on the Microsoft Authenticator app in their work profile. Does anyone have experience with this, or is this currently even possible? BrS
User app registration - exploitable for BEC?
Hello. Recently dealt with a case of BEC. I'm not trained in forensics, but doing my best. Appears the hacker used an application called eM Client for their attack, getting access to a user's mailbox and hijacking a thread. I can see the login from two weeks ago (the incident was only noticed a couple days ago, however) - from a European country that SHOULD have been blocked by Conditional Access. Come to find out, the tenant conditional access was unassigned from everyone. We're not sure how - we re-enabled it, and audited changes, but the only change that appears was us re-enabling it. Which I thought indicates it was never configured right, except we've got a ticket documenting a change to Conditional Access a couple days after the hack that ALSO does not appear in the logs. So... it's likely it was changed, yet I have no record of that change (atleast, not through Entra > Monitoring > Auditing). If anyone knows any other ways of checking this, please advise - but I can't seem to even access our Diagnostic settings, the page tells me I need an Azure Active Directory subscription (I'm on Entra ID P1, which includes AAD.... this might be related to being global admin, and not Security Admin - we don't use that role in this relationship) ANYWAY, my amateur forensic skills have found that the attacker used an app called eM Client to get access. I'm not sure yet how they obtained the password, and got past MFA... But quick research shows this application (esp it's pro version) is known for use in BEC. The app was registered in Entra, and granted certain read permissions in Entra ID for shared mailboxes, presumably to find a decent thread to hijack. I'm not 100% sure yet there was any actual exploit done using this app, but it's popularity amongst hackers implies it does SOMETHING useful (i think remember that it authenticates using Exchange Web Services instead of Exchange Online, or something similar? Will update when I have the chance to check). We're in the process of improving our Secure Score, and this incident makes me think user's ability to register apps should be locked down. Checked Secure Score for this, and while there ARE recommendations around apps, disabling user app registration is NOT one of them. Just curious about people's thoughts. I just barely understand App Registration in Entra, but if this is a known attack vector, I would think disabling app registration would be a security recommendation?RSS feeds to security blogs?
Hello, After the update of blogs here i no longer see any RSS feeds or links. Where can those RSS feed be found now? It was the only newsfeed where blogs could be aggregated. perhaps im just blind :) but i cant find the new RSS feeds. Thank you! Previously (before this weeks update) the links to those RSS feed was as follows: https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftSecurityandCompliance https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Identity https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=CoreInfrastructureandSecurityBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=AzureNetworkSecurityBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=IdentityStandards https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftThreatProtectionBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderCloudBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderATPBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderIoTBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=DefenderExternalAttackSurfaceMgmtBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Vulnerability-Management https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=DefenderThreatIntelligence https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftSecurityExperts https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Microsoft-Security-Baselines https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftSentinelBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderforOffice365Blog
Secure score Drops Down temporarily due MS set exclusion attribute to system
Hello, One of client encounter problem, when secure score drops down from ~85% to 64%. Last month there was one drop. Now its repeats two days in a row. Drop encounters at 3 AM (+3h time zone) when all our exclusion attributes automatically set to System. And restores ~ 11AM same day, when attributes were automatically set back to administrator which made exclusions. This is important to us and client because we have agreement to keep secure score at 80%+.
New Blog | eDiscovery launches a modern, intuitive user experience
By ninachen This month, we have launched a redesigned Microsoft Purview eDiscovery product experience in public preview. This improved user experience revolutionizes your data search, review and export tasks within eDiscovery. Our new user-friendly and feature-rich eDiscovery experience is not just about finding and preserving data, it's about doing it with unprecedented efficiency and ease. The modern user experience of eDiscovery addresses some long-standing customer requests, such as enhanced search capabilities with MessageID, Sensitive Information Types (SITs) and sensitivity labels. It also introduces innovative features like draft query with Copilot and search using audit log. These changes, driven by customer feedback and our commitment to innovation, offer tangible value by saving time and reducing costs in the eDiscovery process. The new eDiscovery experience is exclusively available in the Microsoft Purview portal. The new Microsoft Purview portal is a unified platform that streamlines data governance, data security, and data compliance across your entire data estate. It offers a more intuitive experience, allowing users to easily navigate and manage their compliance needs. Read the full post here: eDiscovery launches a modern, intuitive user experienceNew Blog | Bridging the On-premises to Cloud Security Gap: Cloud Credentials Detection
By Tamir Friedman Identities lie at the heart of cloud security. One of the most common tactics used to breach cloud environments is Credential Access. User credentials may be obtained using various techniques. Credentials may be cracked through brute force attempts, obtained in social engineering campaigns, or stolen from compromised resources, where they are stored and used. In this blog, we demonstrate that properly securing cloud environments requires securing credentials in the organization’s non-cloud environments. To this end, we dive into our innovative capability to detect cloud credentials in on-premises environments and user devices. By integrating it with Microsoft Security Exposure Management, customers are able to identify attack paths starting in non-cloud environments and reaching critical cloud assets using cloud credentials. Customers are then able to effectively prioritize and mitigate those attack paths, thereby improving their enterprise and cloud security posture. Read the full post here: Bridging the On-premises to Cloud Security Gap: Cloud Credentials Detection
ERP decommissioning
Hello, We have the problem of decommissioning unmaintained ERPs from the acquisition. We replaced them with the group's standards. Details : - IFS version 8.0 on WS 2008 - DB Server 2012 on AWS Finance asks us to keep them accessible for the next 10 years on isolated servers. Guaranteeing access for the next 10 years to software that no one in IT knows anymore with older technologies seems impossible to me or at least very difficult. Do you have similar issues and if so how do you respond? Thank you for your return.New Blog | Best practices to architect secure generative AI applications
By Roee Oz As development of applications powered by these advanced generative AI (Gen AI) tools surges, offering unprecedented capabilities in processing and generating human-like content, so does the rise of security and privacy concerns. One of the biggest security risks is exploiting those tools for leaking sensitive data or performing unauthorized actions. A critical aspect that must be addressed in your application is the prevention of information leaks and unauthorized API access due to weaknesses in your Gen AI app. This blog post delves into the best practices to securely architect Gen AI applications, ensuring they operate within the bounds of authorized access and maintain the integrity and confidentiality of sensitive data. Understanding the risks Gen AI applications inherently require access to diverse data sets to process requests and generate responses. This access requirement spans from generally accessible to highly sensitive data, contingent on the application's purpose and scope. Without careful architectural planning, these applications could inadvertently facilitate unauthorized access to confidential information or privileged operations. The primary risks involve: Information Leaks: Unauthorized access to sensitive data through the exploitation of the application's features. Escalated Privileges: Unauthorized elevated access, enabling attackers or unauthorized users to perform actions beyond their standard permissions by assuming the Gen AI application identity. Mitigating these risks necessitates a security-first mindset in the design and deployment of Gen AI-based applications. Best practices for granting permissions Limit Application Permissions Developers should operate under the assumption that any data or functionality accessible to the application can potentially be exploited by users through carefully crafted prompts. This includes reading fine-tunning data or grounding data and performing API invocations. Recognizing this, it is crucial to meticulously manage permissions and access controls around the Gen AI application, ensuring that only authorized actions are possible. A fundamental design principle involves strictly limiting application permissions to data and APIs. Applications should not inherently access segregated data or execute sensitive operations. By constraining application capabilities, developers can markedly decrease the risk of unintended information disclosure or unauthorized activities. Instead of granting broad permission to applications, developers should utilize user identity for data access and operations. Read the full post here: Best practices to architect secure generative AI applications
