Microsoft Security Intelligence Report Volume 22 is now available

The latest volume of the Microsoft Security Intelligence Report is now available for free download at

This new volume of the report includes threat data from the first quarter of 2017. The report also provides specific threat data for over 100 countries/regions. As mentioned in a recent blog, using the tremendous breadth and depth of signal and intelligence from our various cloud and on-premises solutions deployed globally, we investigate threats and vulnerabilities and regularly publish this report to educate enterprise organizations on the current state of threats and recommended best practices and solutions.

In this 22nd volume, we’ve made two significant changes:

  • We have organized the data sets into two categories, cloud and endpoint. Today, most enterprises now have hybrid environments and it’s important to provide more holistic visibility.
  • We are sharing data from a shorter time period, one quarter (January 2017 – March 2017), instead of the typical six months, as we shift our focus to delivering improved and more frequent updates in the future.

The threat landscape is constantly changing. Going forward, we plan to improve how we share the insights, and plan to share data on a more frequent basis – so that you can have more timely visibility into the latest threat insights. We are committed to continuing our investment in researching and sharing the latest security intelligence with you, as we have for over a decade. This shift in our approach is rooted in a principle that guides Microsoft technology investments: to leverage vast data and unique intelligence to help our customers respond to threats faster.

Here are 3 key findings from the report:

As organizations migrate more and more to the cloud, the frequency and sophistication of attacks on consumer and enterprise accounts in the cloud is growing.

  • There was a 300 percent increase in Microsoft cloud-based user accounts attacked year-over-year (Q1-2016 to Q1-2017).
  • The number of account sign-ins attempted from malicious IP addresses has increased by 44 percent year over year in Q1-2017.

Cloud services such as Microsoft Azure are perennial targets for attackers seeking to compromise and weaponize virtual machines and other services, and these attacks are taking place across the globe.

  • Over two-thirds of incoming attacks on Azure services in Q1-2017 came from IP addresses in China and the United States, at 35.1 percent and 32.5 percent, respectively. Korea was third at 3.1 percent, followed by 116 other countries and regions.

Ransomware is affecting different parts of the world to varying degrees.

  • Ransomware encounter rates are the lowest in Japan (0.012 percent in March 2017), China (0.014 percent), and the United States (0.02 percent).
  • Ransomware encounter rates are the highest in Europe vs. the rest of the world in Q1-2017.
    • Multiple European countries, including the Czech Republic (0.17 percent), Italy (0.14 percent), Hungary (0.14 percent), Spain (0.14 percent), Romania (0.13 percent), Croatia (0.13 percent), and Greece (0.12 percent) had much higher ransomware encounter rates than the worldwide average in March 2017.

Download Volume 22 of the Microsoft Security Intelligence Report today to access additional insights:

from Microsoft Secure Blog Staff

[SANS ISC] Maldoc with auto-updated link

I published the following diary on “Maldoc with auto-updated link“.

Yesterday, while hunting, I found another malicious document that (ab)used a Microsoft Word feature: auto-update of links. This feature is enabled by default for any newly created document (that was the case for my Word 2016 version). If you add links to external resources like URLs, Word will automatically update them without any warning or prompt… [Read more]

[The post [SANS ISC] Maldoc with auto-updated link has been first published on /dev/random]

from Xavier

[SANS ISC] Analysis of a Paypal phishing kit

I published the following diary on “Analysis of a Paypal phishing kit“.

They are plenty of phishing kits in the wild that try to lure victims to provide their credentials. Services like Paypal are nice targets and we can find new fake pages almost daily. Sometimes, the web server isn’t properly configured and the source code is publicly available. A few days ago, I was lucky to find a ZIP archive containing a very nice phishing kit targeting Paypal. I took some time to have a look at it… [Read more]

[The post [SANS ISC] Analysis of a Paypal phishing kit has been first published on /dev/random]

from Xavier

“The 2017 NCSAM Planning Kit – Your October Awaits”

This October is the 14th National Cyber Security Awareness Month, otherwise known as #NCSAM or #CyberAware month. Organized by the National Cyber Security Alliance (NCSA), this is aglobal eventfocusingon cyber security. This is also a great opportunity for organizations to promote security awareness throughout their organization, regardless of size, location or industry. As the 2017 … Continue reading The 2017 NCSAM Planning Kit – Your October Awaits

from lspitzner

The world of eroding privacy: tips on how to stay secure

At the intersection of limes, teenagers, and privacy

This post is authored by Ann Johnson, Vice President, Enterprise Cybersecurity Group.

We will come to limes later in this blog, and they are relevant. But let me begin with one defining statement: I am the parent of a teenager, and the year is 2017.

As the parent of an age group that is best described as unpredictable on good days, one thing is consistent. Research has shown us that this generation does not have the same expectation of privacy as my generation. I remember vigorously debating in a college class my inherent right to privacy as protected by the 4th Amendment. Regardless of whether my argument was flawed or simply not factual, my fundamental belief was I had a legal privacy right, and no institution or government could impede upon it.

My teenager and his friends appear to have a different belief, illustrated by their vigorous use of social media to publish their photos, food, routine life events, even to share their entire belief systems. Bruce Schneier, a fellow at Harvard’s Berkman Klein Center for Internet & Society, has covered the topic of teens, social media, and privacy in the past. His conclusion is that teens desire privacy, but they also have a need to safely share with each other using their own language and coding. In 2014, Fast Company compiled and commented on varied research regarding teenagers, young adults and expectations of privacy. Whilst one study concluded “online privacy is dead,” other studies determined it truly depends on how you define privacy. Teenagers may not care if their Facebook friends or Twitter followers know their religion or gender identity, but they certainly care if their parents monitor their social feeds. Teenagers and young adults have grown up in the digital age, so they are much more likely to understand how to set and control privacy settings on their devices and accounts – and they do so to segment their audiences. When I conducted my own informal study and asked my teen if a government agency, that suspected him of wrong doing or associated him with an unlawful activity, could search his phone or computer, the reply was “get a warrant.” So is this generation really any different from prior generations on expectations of privacy? Or, do the differences lie in the complexity of the information sharing platforms to which they feel dependent and entitled? And, how do these beliefs and values shape privacy regulation and laws, and intersect with security in the modern digital era? Are there learnings we can adopt from the next generation’s implementation of technology and privacy controls?

Now about those limes…I have a Twitter account (@ajohnsocyber). I opine about cybersecurity, post about my beloved Chicago Blackhawks and Dallas Cowboys, engage in animated communication with coworkers and friends and advocate for animal fostering and LGBTQ rights. I also have a Facebook account – mainly to catch up with far away family and share pictures. I have a LinkedIn profile too, but it’s for work and I am a purist about my posts there. So, I have an on-line footprint. That online footprint will tell you the names of my dogs, things about my belief system, expose my awful attempts at humor, and my preference for seedless Persian Limes on the occasions when I need something to accompany a cocktail. The Persian limes were a recent addition based on a Twitter conversation with two people I haven’t actually met IRL, so you can say my social interactions are fruitful. The point of all of this is that I share enough for someone to assemble a fairly detailed profile of me from my social media footprint and with it, attempt to social engineer or password hack me. Yet I willingly give up some of my privacy to interact with other humans in cyber space. As a security professional, I should know better, right? Well, not necessarily. All social media use does not lead to a path of hacker victim, and I am fully aware of which information to share and which to protect and how.

My social sharing is guided by some core principles:

  • The Internet is perpetuity. My digital footprint is unlikely to go away in the foreseeable future.
  • Hackers will keep hacking, and even the best defenses can’t always prevent persistent and sophisticated attempts. Think back to the relentless attempts on Brian Krebs in 2016.
  • Multi-factor authentication  (MFA) on my personal and professional accounts is a must.
  • Most of the information I choose to disclose is already available in some way either via public record or through friends with no special instruction for secrecy.
  • I can concurrently assert my right to privacy, and my privilege to waive that right.
  • I encrypt sensitive personal data.
  • I have provisioned defense in depth controls and alerts for critical information.

Because in reality, our hyper-connected world of powerful search engines, and abundant compute and storage, make it possible for reams of data about your entire life to be mined by anyone with a strong desire and a credit card. Oddly though, the majority of breaches still start with a phish rather than a targeted social engineering attack. In fact, phishing is the number one delivery method of malicious software. Compromises of sensitive data are most often tracked back to: weak authentication, poor data classification/encryption policies, lax privilege management, absent or weak admin controls and lack of user education on phishing. We can opine all day about privacy and the need to hold sensitive information close to increase security, but in today’s society, from our youth to the millions of adults using social media, including many of the top cyber professionals in the world, very little is truly private.

Add to this a climate of perpetual information sharing and consumption and you can pretty much throw privacy expectations out the window. What you can and should do – personally and professionally – is make certain you distinguish the personal and private from that which is critically important and know your options to protect each. For technology, consumers deploy basic security hygiene, strong passwords and regular updating. Organizations have additional responsibilities to educate users, patch, use all available access controls and invest in proven detection solutions as well as human hunters so that the now. This way, all but inevitable breaches can be detected quickly.

Because, guess what, notwithstanding the controls required by regulations, the right to be forgotten or have data forgotten in our ever-connected world maybe a right, but it needs your active participation if there is to be anything left to debate.

from Microsoft Secure Blog Staff