threat intelligence
42 Topics

Ninja Cat Giveaway: Episode 4 | Defender Experts for Hunting Overview
For this episode, your opportunity to win a plush ninja cat is the following. Reply to this thread with:
- How would YOU explain/describe Defender Experts for Hunting to someone?
- Also, in your own words: what is threat hunting?
This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted, and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

Resources for Automatic attack disruption
Hi all, because this topic is really HOT, I thought I'd share a collection of resources with you.
Recordings:
Microsoft Secure (free registration required):
- How XDR defends against ransomware across the entire kill chain, with Corina Feuerstein
- Ask the Experts: How XDR defends against ransomware across the entire kill chain
Ninja Show episode: Attack disruption, with Hadar Feldman
Ignite announcement: What's new in SIEM and XDR: Attack disruption and SOC empowerment - Events | Microsoft Learn
Blogs:
- Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender
- XDR attack disruption in action – Defending against a recent BEC attack
Documentation:
- Configure automatic attack disruption capabilities in Microsoft 365 Defender | Microsoft Learn
What do you think about this new and exciting capability? Do you have any questions on how it works that we didn't refer to? If so, feel free to start a conversation here! 🙂 Oh, and if I missed another resource, let me know too!
Heike

Ninja Cat Giveaway: Episode 9 | Attack disruption
For this episode, your opportunity to win a plush ninja cat is the following: explain what attack disruption means and one reason why it is critical to any organization. This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted, and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

New blog post | Part 2: Uncovering Trackers Using the Defender EASM API
Thanks for joining me for the second installment on leveraging Trackers in Microsoft Defender External Attack Surface Management (Defender EASM) to find and manage risk in your organization. This blog post is part two of this series, building on the concepts introduced in part one about discovering your attack surface and applying this valuable inventory data to inform your security efforts at scale. As a quick refresher, in part one we defined Trackers in Defender EASM and learned how to search for them in the User Interface (UI). This blog post will closely examine the Defender EASM Application Program Interface (API).
Part 2: Uncovering Trackers Using the Defender EASM API - Microsoft Community Hub

Join our Attack Disruption in Microsoft 365 Defender AMA on May 3rd!
Join us on Wednesday 5/3 at 9:00 AM PST for an AMA (Ask Microsoft Anything) with the Attack Disruption team! This will be a text-based live hour of answering all your questions relating to the product. This January we announced the public preview of automatic attack disruption in Microsoft 365 Defender. The built-in attack disruption capabilities in Microsoft 365 Defender help stop the progression of advanced attacks like ransomware and business email campaigns (BEC) with advanced AI capabilities that automatically isolate compromised devices and user accounts. If you have any questions about this, come ask us!
Note: If you are unable to attend the live hour, you can ask your question at any time on the event page below and the team will get to it during the event.
Join here: aka.ms/AttackDisruptionAMA

Receiving increasing number of phishing attempts mimicking Microsoft MFA QR Codes
Even though we are MS 365 Defender customers for all our users (EMS + E3), we are receiving an increasing number of phishing attempts based on good-looking MFA connection requests. Furthermore, these are based on QR codes, which can be used on a smartphone where the security rules will be helpless against such attacks. And these attempts are absolutely not filtered.

Defender for Endpoints - Domain Controllers
Hi, what is the correct process for managing and deploying policies for Windows Server 2019 domain controllers? I know that Security settings management doesn't work on and isn't supported on 2019 DCs, as per https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration?view=o365-worldwide#configure-your-tenant-to-support-microsoft-defender-for-endpoint-security-configuration-management. So how do I manage and get policies to a 2019 DC?
Thanks

M365 Defender - Recently seen by?
Does anyone know what "Recently seen by" under network activity actually means? We have a number of unusual device names that keep popping up in our Defender inventory list, which are showing as running Windows 10. We usually get this when we reimage machines, but this is different. Firstly, all newly imaged machines present a variation of the same name, whereas these are all completely different and not in keeping with the expected naming convention. Also, when you click the Defender device page, under network activity the "Recently seen by" section keeps showing different, genuine Windows 10 machines in our environment. The IP and MAC address, however, stay constant. Does anyone know what this might be? I'm thinking perhaps an issue with SCCM, or our task sequence when reimaging laptops, but don't know much for sure.

Standard Security Policy flagging too many emails as "Potential Phishing"
We decided to enable the Standard Security Policy for Defender on our Microsoft 365 tenant, and immediately noticed that it was quarantining way too many emails that it flagged as either Phishing or High Confidence Phishing (mostly automated notices from cloud services like Asana, Klaviyo, etc.). These are emails that would easily be allowed through any other mail scanning firewall I've used in the past. I'm now concerned about using Defender's "Standard Security Policy" level, for fear that it's going to have my users missing emails that should easily be passing through, because Defender moved them to Quarantine or Junk. Is there a way to modify the aggressiveness levels for the Standard Security Policy?