microsoft security enterprise services

From prevention to recovery: Microsoft Unified’s holistic cybersecurity approach
Author - Paul Saigar

The latest Microsoft Digital Defense Report states that 80 percent of organizations have attack paths that expose critical assets. Furthermore, Microsoft has observed a 2.75x increase year over year in ransomware attacks among our customers. Cyber-enabled financial fraud is also rising globally. According to our report, the daily traffic volume for Tech scams – a type of fraud that tricks users by impersonating legitimate services or using fake tech support and ads – has skyrocketed by 400 percent since 2022. This is a stark contrast to the 180 percent increase in malware and 30 percent in phishing over the same period. Microsoft is committed to helping organizations meet this growing challenge with a suite of integrated technologies and services designed to let customers operate with confidence.

Microsoft Unified services and the role of Microsoft IR (incident response)

Microsoft IR is backed by our elite Detection and Response Team (DART) and is an essential component of Microsoft’s overall cybersecurity offering for customers. This team consists of highly skilled cybersecurity professionals with extensive backgrounds in threat hunting and intelligence, digital forensics and tactical recovery, with experience in handling both proactive and reactive incident response. DART’s approach is twofold: it focuses on immediate incident response and pre-emptive measures to prevent security breaches before they occur.

Proactive measures: Microsoft IR, backed by DART, conducts comprehensive assessments of organizational security infrastructures, seeking out vulnerabilities and potential threats. By evaluating the security readiness of identity and endpoint management systems, our DART experts provide customized recommendations to enhance security measures.

Reactive strategies: In the event of a cybersecurity incident, DART’s response is swift and effective.
The team engages directly with the threat, isolating affected systems to prevent further damage while conducting a thorough analysis to identify the source and nature of the attack. Recovery processes are implemented to restore integrity to the systems and data affected. Throughout the cybersecurity response, our DART experts provide continuous support and updates to ensure stakeholders are informed and prepared for necessary actions.

This comprehensive approach is supported by Microsoft’s vast threat intelligence, which analyses 78 trillion security signals daily, and state-of-the-art technologies. That includes proprietary tools and widely recognized solutions such as the Microsoft Defender suite and Microsoft Sentinel. The depth of expertise within DART ensures it is equipped to manage complex cyber threats efficiently, making the team a trusted and vital component of our cybersecurity offering.

Expanding Microsoft Unified’s cybersecurity offering

Recognizing the critical need for rapid and robust incident management, Microsoft IR, our Cybersecurity Incident Response (CIR) service, is being offered through Microsoft Unified. This offering provides access to our global network of cybersecurity experts, who offer onsite and remote support, ensuring comprehensive coverage and swift action. Our CIR offering also integrates seamlessly with our broader Microsoft Unified framework.

Initial contact: Our Unified team serves as the first line of contact for triage and validation of suspected cybersecurity incidents, providing timely and efficient incident isolation and remediation.

Escalated response: When an incident escalates beyond initial containment, our CIR team takes comprehensive control, ensuring extensive investigation, containment, and recovery.

The suite of services that make up CIR includes prioritized response times, with DART experts available within two hours to address security incidents.
It also includes comprehensive services ranging from threat investigation, digital forensics, and malware analysis to complete recovery and remediation efforts. Organizations can also access proactive compromise assessments that delve deep into their environments to unearth vulnerabilities, potential indicators of compromise, and potential attack vectors, and to inform roadmaps that bolster their defenses. These services are complemented by regular threat intelligence briefings tailored to specific industry and geographical threats to keep organizations informed and prepared.

Engage with Microsoft Unified

Microsoft Unified provides an indispensable resource for organizations aiming to enhance their cybersecurity readiness. We integrate proactive assessments with rapid, effective incident response capabilities to equip businesses with the necessary tools and expertise to confront and mitigate cyber threats. To learn more about how Microsoft can help protect your organization from cyber threats, visit our Microsoft Unified page. To learn more about Microsoft IR (incident response), please visit the Microsoft Incident Response page.

From social engineering to rogue VMs: The emerging tradecraft in human-directed ransomware attacks
Co-authors - Ateesh Rajak - Balaji Venkatesh

Overview:

What if an attacker didn’t need malware, phishing kits, or exploits to break into your environment—just a convincing voice and a tool you already trust? That’s exactly the play we’re seeing. Ransomware operators and hands-on-keyboard intruders are skipping traditional phishing lures and going straight to the human. By impersonating IT support over phone or Microsoft Teams, they convince users to launch Microsoft Quick Assist, handing over remote access under the guise of troubleshooting. There’s no payload at this point—only manipulation.

Once access is established, the attacker downloads and executes a VBScript that launches a QEMU-based rogue virtual machine on the target system. This VM provides an isolated, persistent environment where the attacker can perform internal reconnaissance, collect credentials, move laterally, and lay the groundwork for ransomware deployment—all while staying outside the visibility of host-based security tools.

These aren’t opportunistic intrusions. This is calculated tradecraft—a multi-stage operation that begins with trust, escalates with virtualization-based stealth, and often culminates in data exfiltration, lateral movement, or ransomware deployment. The real risk? Attackers are no longer just bypassing defenses—they’re building infrastructure within enterprise environments.

Read this blog to learn about this emerging attack technique as well as how Defender Experts can help protect your organization.

Attack Flow: Social Engineering Meets Hypervisor Abuse

This attack chain combines psychological manipulation with technical evasion, enabling attackers to quietly establish footholds in victim environments. Recent incidents observed by Defender Experts highlight the use of this tradecraft against organizations in the pharmaceutical and consumer goods sectors.
Stage One: Distraction and Deception

The intrusion begins with an email bombing campaign, flooding the target’s inbox with hundreds of nuisance messages. Shortly afterward, the user receives a Microsoft Teams message or PSTN call from someone impersonating IT support: “We noticed issues with your mailbox. Let me help you fix it.” The victim is guided to launch Microsoft Quick Assist, granting the attacker remote access to the device without raising suspicion.

Stage Two: Remote Execution and Rogue VM Deployment

With remote access established, the attacker executes initial reconnaissance to enumerate host, network, and domain details. They then download and execute a VBScript, often hosted on cloud storage platforms such as Google Drive, which spins up a QEMU-based virtual machine on the endpoint. This VM becomes an isolated operational enclave—fully controlled by the attacker and invisible to traditional EDR and host-based telemetry.

Note: Defender Experts have observed attackers leveraging QEMU’s flexible command line options to evade detection. By frequently changing parameters like RAM size, network setup (e.g., -netdev/-device vs. -nic), and using configuration files instead of inline arguments, attackers bypass static detection rules based on command signatures.

Stage Three: Persistence and Expansion

Within the rogue VM, the attacker performs the following actions:
- Executes internal network scans
- Establishes command-and-control (C2) communication through the VM’s virtual NIC
- Initiates lateral movement
- Stores payloads and tools within disk images (.qcow2, .iso, .img) to maintain persistence

Because all post-compromise activity takes place within the guest VM, most host monitoring solutions are unable to observe these behaviors—allowing attackers to operate undetected.

Why This Technique Matters

The use of rogue virtual machines in active intrusions represents a significant evolution in attacker tradecraft.
This method enables:
- Host-level evasion: Traditional endpoint agents cannot monitor activities inside virtual machines, reducing detection coverage.
- Persistent access: VMs can survive reboots and maintain remote shell capabilities.
- Stealth infrastructure: Malicious traffic originating from within the VM often blends into normal network activity.
- Reduced forensic artifacts: Since activity is isolated to the guest OS, forensic artifacts on the host are minimal—making incident reconstruction difficult.

Organizations lacking behavioral monitoring and layered defense strategies may miss early indicators of compromise until after significant impact.

How Defender Experts Adds Defense-in-Depth Value

Defender Experts goes beyond Defender detections to surface rogue VM–based intrusions, especially when attackers rely on trusted tools and human manipulation instead of malware. Defender Experts bridges this gap by delivering expert-led detection and response at every critical phase of the intrusion:
- Teams Phishing Detection: Defender Experts monitors for suspicious Microsoft Teams messages sent from anomalous or newly created identities—flagging potential social engineering activity early.
- Quick Assist Misuse Monitoring: When a Teams phishing message leads to remote access via Quick Assist, Defender Experts identifies and correlates this as part of an active intrusion, even in the absence of malware.
- QEMU Execution Detection: Defender Experts hunting queries spotlight scripted QEMU launches—detecting virtual machine deployment before lateral movement begins.
- AnyDesk and Persistence Tooling: Defender Experts observes signs of persistence via unauthorized tools like AnyDesk and correlates these with pre-compromise behavior.

By connecting these discrete signals—Teams phishing, Quick Assist abuse, QEMU execution, and persistence setup—Defender Experts offers a unified picture of emerging tradecraft.
Customers benefit from:
- Early human-led detection before ransomware or data exfiltration occurs
- Tailored hunting queries and response guidance mapped to real-world threats

Defender Experts doesn’t just detect individual behaviors—it maps the entire intrusion kill chain and guides customers through containment and recovery.

Detection Guidance

Although visibility is limited inside the rogue VM, defenders can detect the setup process. The following advanced hunting query can help identify suspicious VM launches initiated via scripting engines:

DeviceProcessEvents
| where InitiatingProcessFileName in~ ("powershell.exe", "wscript.exe", "cscript.exe")
| where ProcessVersionInfoInternalFileName has "qemu" and ProcessCommandLine !has "qemu" // Renamed execution of the QEMU emulator

This query focuses on scripted invocations of QEMU with memory and network flags—signs of programmatic VM deployment via Windows scripting engines. It keys on the binary’s version-info internal name rather than on the name that appears in the command line, so a QEMU executable that has been renamed is still surfaced.

Recommendations

To reduce exposure to this emerging technique, Defender Experts recommends the following actions:
- User awareness training: Educate employees on recognizing vishing and social engineering tactics.
- Disable or control remote access tools: Block or uninstall Microsoft Quick Assist if unused. Organizations using Microsoft Intune can adopt Remote Help, which offers enhanced security and authentication controls.
- Enable behavioural network monitoring: Unusual internal scan activity or unexpected outbound traffic may signal VM-based operations.
- Proactively hunt for rogue VM activity:
  - Use the hunting query above to identify scripted QEMU executions
  - Isolate affected hosts to prevent further C2 or lateral movement
  - Remove VBScript files, QEMU executables, and disk images (.qcow2, .img, .iso)
  - Rebuild compromised systems using trusted images and rotate credentials
- Submit samples to Microsoft for analysis: Upload suspicious scripts and binaries to the Microsoft Defender Security Intelligence (WDSI) portal for deep inspection.
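As an added illustration, not code from the blog or from Defender Experts, the Python below replays the logic of the hunting query above and, for contrast, a brittle command-line signature over a few constructed DeviceProcessEvents-style rows that mimic the QEMU option variations described in the Stage Two note (renamed binary, inline -m/-nic arguments, options moved into a config file). Field names, the sample rows and the static signature are assumptions made for the example.

```python
from dataclasses import dataclass

# Scripting engines the page's KQL query treats as suspicious parents.
SCRIPT_ENGINES = {"powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcessEvent:
    """One DeviceProcessEvents-style row (field names mirror the KQL columns)."""
    initiating_process: str   # InitiatingProcessFileName
    file_name: str            # FileName of the launched binary
    internal_name: str        # ProcessVersionInfoInternalFileName (PE version info)
    command_line: str         # ProcessCommandLine


def static_signature(ev: ProcessEvent) -> bool:
    """A brittle rule keyed only on the command line: 'qemu' plus -m and -nic."""
    cl = ev.command_line.lower()
    return "qemu" in cl and " -m " in cl and " -nic " in cl


def scripted_renamed_qemu(ev: ProcessEvent) -> bool:
    """Mirror of the page's hunting query: a scripting engine launched a binary
    whose PE internal name says 'qemu' while its command line does not."""
    return (
        ev.initiating_process.lower() in SCRIPT_ENGINES
        and "qemu" in ev.internal_name.lower()
        and "qemu" not in ev.command_line.lower()
    )


def hunt(events, rule=scripted_renamed_qemu):
    """Return the file names of the events matched by the given rule."""
    return [ev.file_name for ev in events if rule(ev)]


# Constructed sample telemetry for the example (not real incident data).
SAMPLE_EVENTS = [
    # VBScript-launched QEMU renamed to update.exe, inline -m/-nic arguments
    ProcessEvent("wscript.exe", "update.exe", "qemu-system-x86_64.exe",
                 "update.exe -m 2048 -nic user -drive file=disk.qcow2"),
    # Same binary under another name; options moved into a config file
    ProcessEvent("wscript.exe", "svc.exe", "qemu-system-x86_64.exe",
                 "svc.exe -readconfig vm.cfg"),
    # Interactive launch of an unrenamed QEMU by an admin from Explorer
    ProcessEvent("explorer.exe", "qemu-system-x86_64.exe", "qemu-system-x86_64.exe",
                 "qemu-system-x86_64.exe -m 4096 -nic user,model=virtio"),
    # Benign script-launched process for contrast
    ProcessEvent("powershell.exe", "notepad.exe", "notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    print("static signature hits:", hunt(SAMPLE_EVENTS, static_signature))
    print("hunting query hits   :", hunt(SAMPLE_EVENTS))
```

The command-line signature matches only the unrenamed interactive launch and misses both scripted variants, while the version-info rule catches the two renamed launches regardless of which QEMU options were used.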
Conclusion

This technique represents more than just a clever evasion strategy—it marks a significant shift in adversary tradecraft. Attackers are no longer solely focused on bypassing antivirus or executing malware payloads. Instead, they are building persistent infrastructure within enterprise environments by abusing trusted tools and user workflows. By combining social engineering with virtualization-based stealth, these intrusions enable threat actors to extend dwell time, reduce detection surface, and operate below the radar of traditional response mechanisms.

This activity underscores the importance of behavioural monitoring, layered defenses, and user awareness. What appears to be a routine IT interaction may, in reality, be the entry point for a full-fledged rogue virtual machine—and a persistent threat operating in plain sight.

To learn more about how our human-led managed security services can help you stay ahead of similar emerging threats, please visit Microsoft Defender Experts for XDR, our managed extended detection and response (MXDR) service, and Microsoft Defender Experts for Hunting (included in Defender Experts for XDR), our managed threat hunting service.

Enhancing Threat Hunting with Microsoft Defender Experts Plugin
In today's rapidly evolving digital landscape, cybersecurity threats are becoming increasingly sophisticated, requiring organizations to adopt proactive measures to safeguard their assets. Recognizing this need, Microsoft has introduced the Defender Experts Plugin—a powerful addition to Copilot for Security’s GitHub. This plugin is designed to elevate your cybersecurity defenses by integrating proactive threat hunting capabilities across your entire organization, including Office 365, cloud applications, and identity platforms.

What is Defender Experts for Hunting?

Defender Experts for Hunting is a specialized managed service from Microsoft that provides proactive, human-led threat hunting across a broad range of organizational environments. Unlike automated detection, this service involves active threat hunting by Microsoft’s seasoned security experts, who analyze activities across endpoints, cloud applications, email, and identity platforms. Defender Experts for Hunting focuses on detecting advanced threats and human adversary behaviors, particularly those involving sophisticated or “hands-on-keyboard” attacks, and provides organizations with detailed alerts, expert guidance, and remediation recommendations.

Overview of the Plugin

Microsoft’s Defender Experts Plugin is a comprehensive threat hunting tool that expands traditional security boundaries. It goes beyond endpoints to investigate Office 365, cloud applications, and identity platforms, where Microsoft’s seasoned security professionals build detections to investigate these suspicious activities. The plugin specializes in tracking sophisticated threats, especially those posed by human adversaries and hands-on-keyboard attacks. The plugin is skills-based, leaning on KQL Advanced Hunting Queries (AHQs) to scan across Defender tables for risky behaviors and suspicious activities, with support for tables such as CloudAppEvents, EmailEvents, EmailAttachmentInfo, and AADSignIn.
These queries are not a one-off, as Defender Experts will continue to contribute to the plugin in line with our normal research efforts. Some of the threat detection “skills” included in this plugin are:
- Suspicious Use of AzureHound: Flags potentially unauthorized data gathering using AzureHound on devices.
- Reconnaissance Activity Using Network Logs: Detects reconnaissance behavior by analyzing network logs and identifying specific command-line activity.
- Cobalt Strike DNS Beaconing: Detects suspicious DNS queries associated with Cobalt Strike beacons.

By leveraging Microsoft’s Defender Experts Plugin, organizations can benefit from the deep expertise and proactive approach of Microsoft’s security researchers. This tool ensures that potential threats are not only identified but also thoroughly investigated and addressed with the eventual addition of Promptbooks, thus enhancing the overall security posture of the organization. Furthermore, the integration of the Defender Experts Plugin with Copilot for Security’s GitHub allows for seamless collaboration and information sharing among the greater security community.

Step-by-Step Guided Walkthrough

Getting started with the Defender Experts Security Copilot Plugin is straightforward:
1 - Download the Defender Experts plugin (YAML) from GitHub.
2 - Access Security Copilot.
3 - In the bottom-left corner, click the Plugins icon.
4 - Under Custom upload, select Upload plugin.
5 - Upload the Defender Experts Plugin.
6 - Click Add to finalize.
7 - Find the plugin under Custom.
8 - Your installation will now include specialized prompts in Defender Experts, with skills tailored for effective collaboration with Copilot for Security’s capabilities.

Conclusion

The Defender Experts Plugin is a vital addition to any organization’s cybersecurity arsenal.
By incorporating proactive threat hunting and leveraging the expertise of Microsoft’s security analysts, this plugin helps organizations to stay ahead of potential threats and maintain a robust security posture. Embrace this powerful tool and take your cybersecurity defenses to the next level. Let’s get started securing your environment with Defender Experts for Hunting!

If you’re interested in learning more about our Defender Experts services, visit the following resources:
- Microsoft Defender Experts for XDR web page
- Microsoft Defender Experts for XDR docs page
- Microsoft Defender Experts for Hunting web page
- Microsoft Defender Experts for Hunting docs page