Microsoft Threat Intelligence
Mar 21, 2019, 8 tweets, 3 min read
The first three months of 2019 are not even over yet, and we have already added so many important enhancements to Microsoft Threat Protection. The journey to providing organizations seamless, integrated, and comprehensive security continues. microsoft.com/security/blog/…
At #RSAC, we announced the launch of Microsoft Azure Sentinel, which adds the benefits of next-gen SIEM to Microsoft Threat Protection. Azure Sentinel is a cloud-native solution, providing intelligent security analytics for the entire organization. azure.microsoft.com/en-us/blog/int…
We also announced Microsoft Threat Experts, a new managed threat hunting service in Windows Defender ATP that provides proactive hunting, prioritization, and context-rich intelligence and data-driven insights to augment customers’ SOC capabilities. microsoft.com/security/blog/…
In addition, Microsoft Threat Protection now combines signals from cloud and on-premises sources, providing security analysts a more comprehensive view of identity and user information in a unified SecOps experience. techcommunity.microsoft.com/t5/Enterprise-…
Microsoft Cloud App Security is introducing malware detonation capabilities for API-connected cloud storage apps. Intelligent heuristics identify and detonate only potentially malicious files, minimizing impact to productivity and reducing false positives. microsoft.com/security/blog/…
The first elements of the automated incident response in Office 365 ATP, which will help reduce security complexity for Office 365 security admins, will go live in the next few weeks with the launch of the User Reported Phish Playbook and the Weaponized URL Playbook. techcommunity.microsoft.com/t5/Security-Pr…
To get a preview of the impressive security experience we’ll be providing you in the coming months, watch Rob Lefferts walk through the story of a threat and demonstrate how Microsoft Threat Protection helps eliminate its adverse impact.
We have many more game-changing innovations to share soon! Very soon.
More from @MsftSecIntel

Dec 21, 2023
Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector.
FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its C2 servers. It was first observed being used against targets in early November 2023.
The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting that Peach Sandstorm is continuing to improve their tradecraft.
Dec 16, 2023
Microsoft has identified new Qakbot phishing campaigns following the August 2023 law enforcement disruption operation. The campaign began on December 11, was low in volume, and targeted the hospitality industry. Targets received a PDF from a user masquerading as an IRS employee.
Screenshot of email from a user masquerading as an IRS employee
The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked via the “hvsi” export of an embedded DLL. The MSI package was signed with the SignerSha1/Thumbprint 50e22aa4b3b145fe1193ebbabed0637fa381fac3.
Screenshot of PDF document used in Qakbot campaign
Screenshot of properties of the MSI used in Qakbot campaign
An embedded configuration EPOCH timestamp indicates the payload was generated on December 11. The campaign code was tchk06. Most notably, the delivered Qakbot payload was configured with the previously unseen version 0x500.
Observed Qakbot C2:
45[.]138.74.191
65[.]108.218.24
Dec 13, 2023
Microsoft has taken steps to disrupt and mitigate a widespread campaign by the Russian nation-state threat actor Midnight Blizzard targeting TeamCity servers using the publicly available exploit for CVE-2023-42793.
Following exploitation, Midnight Blizzard uses scheduled tasks to keep a variant of VaporRage malware persistent. The VaporRage variant, which is similar to malware deployed by the threat actor in recent phishing campaigns, abuses Microsoft OneDrive and Dropbox for C2.
Post-compromise activity includes credential theft using Mimikatz, Active Directory enumeration using DSinternals, deployment of tunneling tool rsockstun, and turning off antivirus and EDR capabilities.
Dec 4, 2023
Microsoft has identified a Russian-based nation-state threat actor tracked as Forest Blizzard (STRONTIUM, APT28, FANCYBEAR) actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers: msft.it/6018iPOLm
Forest Blizzard primarily targets government, energy, transportation, and non-governmental orgs in the US, Europe, and the Middle East. The threat actor also commonly employs other known public exploits in their attacks, such as CVE-2023-38831 or CVE-2021-40444, among others.
The Polish Cyber Command (DKWOC) partnered with Microsoft to take action against Forest Blizzard actors, and to identify and mitigate techniques used by the actor. We thank DKWOC for their partnership and collaboration on this effort. msft.it/6019iPOLW
Dec 1, 2023
Microsoft has detected Danabot (Storm-1044) infections leading to hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of Cactus ransomware. In this campaign, Danabot is distributed via malvertising.
Storm-0216 has historically received handoffs from Qakbot operators but has since pivoted to leveraging different malware for initial access, likely a consequence of the Qakbot infrastructure takedown.
The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering.
Nov 9, 2023
Microsoft has discovered exploitation of a 0-day vulnerability in the SysAid IT support software in limited attacks by Lace Tempest, a threat actor that distributes Clop ransomware. Microsoft notified SysAid about the issue (CVE-2023-47246), which they immediately patched.
Organizations using SysAid should apply the patch and look for any signs of exploitation prior to patching, as Lace Tempest will likely use their access to exfiltrate data and deploy Clop ransomware. msft.it/60129CIJy
After exploiting the vulnerability, Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware. This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.