Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Monthly news - February 2023
Published Feb 06 2023 03:53 AM 8,148 Views
Microsoft

Microsoft 365 Defender
Monthly news
February 2023 Edition

OFT header v4.png

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from January 2023. NEW: At the end we now include a list of the latest threat analytics reports, as well as other Microsoft security blogs for you. 

Legend:
Product videos.png Product videos webcast recordings.png Webcast (recordings) Docs on MS.png Docs on Microsoft Blogs on MS.png Blogs on Microsoft
GitHub.png GitHub External.png External Product improvements.png Product improvements Public Preview sign-up.png Previews / Announcements
Microsoft 365 Defender
Blogs on MS.png Build custom incident response actions with Microsoft 365 Defender APIs. Use the Microsoft 365 Defender APIs to perform custom actions in bulk.
Public Preview sign-up.png Use Microsoft 365 Defender role-based access control (RBAC) to centrally manage user permissions. The new Microsoft 365 Defender role-based access control (RBAC) capability, currently in public preview, enables customers to centrally control permissions across different security solutions within one single system with greater efficiency and consistency. More information on docs: Microsoft 365 Defender role-based access control (RBAC).
Public Preview sign-up.png Alert evidence now shows in the alert side panel. 
See all related alert evidence from the alert side panel at a glance - and click on each evidence to get more information. You can open the alert side panel from the incident queue, alerts in incident, device and user page, or any other experience where you investigate alerts in the portal.
Public Preview sign-up.png The new Microsoft Defender Experts for Hunting report is now available. The report's new interface now lets customers have more contextual details about the suspicious activities Defender Experts have observed in their environments. It also shows which suspicious activities have been continuously trending from month to month. 
Public Preview sign-up.png Support for searching the schema in Advanced hunting. Search across the schema, queries, functions and custom detection rules is now available in Advanced hunting page. You can search for names of tables, columns, queries and rules to easily locate what you are looking for.
Product improvements.png Guided mode improvements in Advanced hunting. 
Using the guided mode in Advanced hunting you can craft queries using a friendly query builder. As we are improving the experience, you can now:
1. Customize the sample size of the results from your query (set the number of results you wish to get back)
2. Add conditions from the results set to the query
Product improvements.png Supporting "all device groups" and "all organization" scoping in Custom detection rule and Alert suppression. 
When configuring a custom detection or alert suppression rule, the "all device groups" and "all organization" scoping was an ability saved only for the Admin users. M365D is now supporting the same capability for users exposed to all the existing device groups, saving time to select all separately
Public Preview sign-up.png The new Identity page including Identity timeline is now in public preview!
Identity timeline is now available as part of the new Identity page in Microsoft 365 Defender!
The updated User page in M365 Defender now has a new look and feel, with an expanded view of related
assets and a new dedicated timeline tab.
The timeline represents activities and alerts from the last 30 days, and it unifies the user’s identity entries across all available workloads (Defender for Identity/Defender for Cloud Apps/Defender for Endpoint).
By using the timeline, you can easily focus on activities that the user performed (or were performed on them), in specific timeframes.

Microsoft Defender for Endpoint
Public Preview sign-up.png

Introducing tamper protection for exclusionsOne of the most requested features for tamper protection is protection of antivirus exclusions. With that in mind, the Microsoft Defender team has implemented new functionality that allows (path, process, and extension) to be protected when deployed with Intune.

Blogs on MS.png Recovering from Attack Surface Reduction rule shortcut deletions. This blog contains information on how to recover from Attack Surface Reduction rule shortcut deletions and is being updated on a regular basis when new information becomes available.  
Microsoft Defender for Identity
Product improvements.png

New health alert for verifying that Directory Services Object Auditing is configured correctly. If the Directory Services Object Auditing configuration does not include all the object types and permissions as required it can limit the sensors' ability to detect suspicious activities.

Product improvements.png New health alert for verifying that the sensor’s power settings are configured for optimal performance. If the operating system's power mode is not configured to the optimal processor performance it can impact the server's performance and the sensors' ability to detect suspicious activities.
Public Preview sign-up.png Redirecting accounts from Microsoft Defender for Identity to Microsoft 365 Defender. Starting January 31, 2023, the portal redirection setting will be automatically enabled for each tenant. Once the redirection setting is enabled, any requests to the standalone Defender for Identity portal (portal.atp.azure.com) will be redirected to Microsoft 365 Defender (https://security.microsoft.com) along with any direct links to its functionality. Accounts accessing the former Microsoft Defender for Identity portal will be automatically routed to the Microsoft 365 Defender portal.
Microsoft Defender for Office 365
Public Preview sign-up.png

Automatic Tenant Allow/Block List Expiration Management is now available in Defender for Office 365!

Microsoft Defender Vulnerability Management
Blogs on MS.png

Leverage authenticated scans to prevent attacks on your Windows devices. Authenticated scans for Windows provide the ability to remotely target by IP\range or hostname and scan Windows services by equipping the tool with credentials to remotely access the machines. 

Microsoft 365 Defender Threat Analytics Reports
 

Threat Insights: OAuth consent phishing trust abuse. As detection and protection controls for traditional credential phishing increase, attackers are adopting OAuth consent phishing, a technique that tricks a user into allowing a malicious application to perform actions on behalf of their account without the need for credentials.

 

SystemBC tool used in human-operated ransomware intrusions. SystemBC is a post-compromise commodity remote access trojan (RAT) and proxy tool that Microsoft researchers have observed multiple adversaries use in a diverse array of seemingly opportunistic ransomware attacks on targets across various sectors and geographies. These adversaries use SystemBC infections to deliver additional malware and maintain persistence in a compromised environment. To this end, multiple groups including DEV-0237, DEV-0832, and DEV-0882, continue to use SystemBC with, or as a substitute for, Cobalt Strike in compromises that ultimately result in the deployment of payloads like Play, Black Basta, and Zeppelin.

  DEV-1039 mass SQL server exploitation continues to deliver Mallox ransomware. Since at least mid-2022, the threat group that Microsoft tracks as DEV-1039, has deployed both Mallox (also known as Fargo) and GlobeImposter ransomware in mass opportunistic Microsoft SQL server vulnerability exploitation attacks. After initial exploitation, DEV-1039 delivers commodity malware like Remcos, and deploys Mallox, GlobeImposter, or BlueSky ransomware.
  CVE-2022-47966: Zoho ManageEngine unauthenticated SAML XML RCE vulnerability. A proof of concept (POC) for CVE-2022-47966 was released on Github on January 18, 2022. Microsoft observed an increase in ManagedEngine exploitation in our endpoint telemetry in the past seven days. Microsoft recommends patching this vulnerability as soon as possible.
  DEV-0300 ransomware activity. The group Microsoft tracks as DEV-0300 represents unattributed activity associated with ransomware attacks, including both pre-ransomware activities and ransomware deployment. As multiple cybercrime actors customize and reuse a range of common tools and techniques deployed in ransomware attacks and the relationships between actors change very rapidly, Microsoft labels observed ransomware-related activity that has not yet been associated with a known tracked group as DEV-0300. As more patterns are identified from this activity, it is often merged into existing Activity Groups or split into new, well-defined clusters. 
Co-Authors
Version history
Last update:
‎Apr 20 2023 03:27 AM
Updated by: