Blog Post

Microsoft Defender XDR Blog

Monthly news - January 2023

HeikeRitter
Jan 11, 2023

Microsoft 365 Defender
Monthly news
January 2023 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this January edition, we are looking at all the goodness from December 2022. NEW: At the end we now include a list of the latest threat analytics reports, as well as other Microsoft security blogs for you. 

Microsoft 365 Defender
Optimize your hunting performance with the new query resources report. Visibility into how query resources are used across the SOC team is critical to optimize performance, ensure queries are executed efficiently, and allow the team to operate as effectively as possible. The new query resources report lets you view how hunting resources are consumed in your organization and provides insights into the CPU resources consumed by hunting activities.
Use Microsoft 365 Defender role-based access control (RBAC) to centrally manage user permissions. The new Microsoft 365 Defender role-based access control (RBAC) capability, currently in public preview, enables customers to centrally control permissions across different security solutions within one single system with greater efficiency and consistency. More information on docs: Microsoft 365 Defender role-based access control (RBAC).
What was your 2022 like? See some cool year highlights with Defender Boxed! Defender Boxed shows you your year highlights in numbers. Just go to your incidents queue and click the Defender Boxed icon (top right of the page).
Microsoft Defender for Cloud Apps
Protecting apps that use non-standard ports with Microsoft Defender for Cloud Apps. We are happy to announce that applications that use ports other than 443 can now be protected in real-time using Defender for Cloud Apps. 
Azure AD identity protection. Azure AD identity protection alerts will arrive directly to Microsoft 365 Defender. The Microsoft Defender for Cloud Apps policies won't affect the alerts in the Microsoft 365 Defender portal. Azure AD identity protection policies will be removed gradually from the cloud apps policies list in the Microsoft 365 Defender portal. To configure alerts from these policies, see Configure Azure AD IP alert service.
Microsoft Defender for Endpoint

Microsoft Defender for Endpoint Device control: Removable storage access control updates.
1. Released Microsoft Endpoint Manager UX support for Removable storage access control.
2. The Default Enforcement policy of Removable storage access control is designed to apply to all Device control features. We recently released Printer Protection, so this policy now covers printers as well: if you create a Default Deny policy, printers will be blocked in your organization.
- Intune: ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement, documentation here.
- Group policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement, documentation here.

Use the new Microsoft Defender for Endpoint Device control Printer Protection solution to manage printers.

Disconnected environments, proxies and Microsoft Defender for Endpoint. In this blog, Brian Badock provides recommendations and guidance for those looking to deploy Microsoft Defender for Endpoint in disconnected or air-gapped environments.

Live Response is now generally available for macOS and Linux. For more information, see: Investigate entities on devices using live response.

Linux isolation in public preview. For more information, see: Take response actions on a device in Microsoft Defender for Endpoint.
Microsoft Defender for Identity

Defender for Identity data centers are now also deployed in the Australia East region. For the most current list of regional deployments, see Defender for Identity components.

Microsoft Defender for Office 365

Meet Microsoft’s Most Valuable Professional Security experts in this Security MVP Spotlight!

Or check out how you can get started as a Security MVP.

The new Microsoft 365 Defender role-based access control (RBAC) model, with support for Microsoft Defender for Office, is now available in public preview. For more information, see Microsoft 365 Defender role-based access control (RBAC).

Use the built-in Report button in Outlook on the web. The built-in Report button in Outlook on the web lets users report messages as phish, junk, and not junk.

Microsoft Defender Vulnerability Management

Leverage advanced hunting to better understand your discovered devices. This blog post shows a few advanced hunting queries you can use to find discovered devices in your network for various use cases, and how to create custom alerts from them.

Vulnerability assessment of apps on iOS devices is now generally available. To configure the feature, read the documentation.
Microsoft 365 Defender Threat Analytics Reports

Actor profile: China-based DEV-0401, lone wolf turned LockBit 2.0 affiliate. The threat actor that Microsoft tracks as DEV-0401 (also known as Bronze Starlight and Emperor Dragonfly) is a China-based cybercriminal group that’s been active since at least July 2021. It is an opportunistic threat actor, relying on unpatched vulnerabilities to gain elevated credentials and obtain initial access.


IRIDIUM uses TOR hidden services on targets for persistence and evasion. Microsoft has identified a post-compromise persistence mechanism attributed to IRIDIUM that involves installing TOR hidden services on target devices for persistent access and network boundary protection evasion. This activity is being tracked as ShadowLink.

Threat Insights: Microsoft signed drivers being used maliciously. Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.

DEV-0882 exploits web-facing assets to deploy Play ransomware. Microsoft has observed deployments of a ransomware family self-identified as “Play” beginning in August 2022. Based on visibility to date, Microsoft has attributed all Play ransomware deployments to an actor we track as DEV-0882.

DEV-0846 offers “Royal” successor to Conti ransomware. Microsoft has identified the DEV-0846 threat group as the likely developer and initial deployer of Royal, a new ransomware offering that launched in September 2022.

DEV-0867 provides Caffeine phishing as a service platform. Microsoft has identified DEV-0867 as the actor behind the Caffeine phishing as a service (PhaaS) platform.
Microsoft Security blogs

DEV-0139 launches targeted attacks against the cryptocurrency industry. Microsoft identified an attack that targeted crypto investment companies and took advantage of Telegram cryptocurrencies groups to identify the targets. 

Mitigate threats with the new threat matrix for Kubernetes. Third update to the threat matrix for Kubernetes.

IIS modules: The evolution of web shells and how to detect them.

MCCrash: Cross-platform DDoS botnet targets private Minecraft servers. A botnet that propagates through SSH brute force and uses both Windows and IoT devices, with the goal of launching DDoS attacks against private Minecraft servers.

Gatekeeper’s Achilles heel: Unearthing a macOS vulnerability. Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by the Gatekeeper security mechanism.

Microsoft research uncovers new Zerobot capabilities. The Microsoft Defender for IoT research team details the recent version of a Go-based botnet, known as Zerobot, that spreads primarily through IoT and web-application vulnerabilities.
Updated Oct 29, 2024
Version 5.0