Microsoft rolls out priority protection for critical accounts

Microsoft has launched Office 365 Priority Account Protection for the accounts of high-profile employees, such as executive-level managers, who are most often targeted by threat actors.

The feature was added to Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection), which protects enterprise mailboxes from advanced email threats such as business email compromise and credential phishing and automatically remediates detected attacks.

Priority Account Protection lets an organization’s security team give critical accounts custom-tailored protection against targeted attacks such as phishing, which could lead to severe breaches because these accounts have access to highly sensitive company data.

It also allows alerts and threat investigations involving the organization’s most targeted or most visible executive-level users to be prioritized.

Priority account tags

Enterprise security teams can identify attacks targeting critical Office 365 accounts more easily and quickly switch their efforts to investigating campaigns involving C-suite users.

“These Priority account tags and filters will surface throughout the product, including in alerts, Threat Explorer, Campaign Views, and reports,” Microsoft said last month, when the feature was still in development.

Customers need a Defender for Office 365 Plan 2 subscription to get access to the feature; this includes those with Office 365 E5, Microsoft 365 E5, or Microsoft 365 E5 Security.

Priority account alert

Microsoft has also announced the general availability of consent phishing protections for Office 365, including OAuth app publisher verification and app consent policies, which let admins restrict which applications users may grant access to their data.

Redmond is also planning to add SMTP MTA Strict Transport Security (MTA-STS, RFC 8461) starting next month to protect the integrity and confidentiality of Office 365 customers’ email in transit.

Once launched, MTA-STS support will protect Exchange Online users’ email against interception, TLS downgrade (STARTTLS stripping) and man-in-the-middle attacks by requiring a valid TLS connection to the recipient’s authorized mail servers whenever the recipient domain publishes an MTA-STS policy.
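Exchange Online’s implementation is not public, so the following is an added example (not the page’s or Microsoft’s code) of what a sending MTA does with a recipient domain’s MTA-STS policy under RFC 8461: it parses the policy file the domain serves at https://mta-sts.&lt;domain&gt;/.well-known/mta-sts.txt, checks whether the MX it is about to talk to is authorized, and refuses delivery in enforce mode when STARTTLS or certificate validation fails. The policy text, the domain example.com and its MX names are constructed placeholders.

```python
"""How a sending MTA applies an MTA-STS policy (RFC 8461).

Added example, not Microsoft's Exchange Online code. The policy text is a
constructed sample of what a domain would publish at
https://mta-sts.<domain>/.well-known/mta-sts.txt (after advertising it in a
_mta-sts.<domain> TXT record); example.com and its MX names are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import List

SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

# One DNS label: what a leading "*." in an mx pattern is allowed to match.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


@dataclass
class StsPolicy:
    mode: str                              # "enforce", "testing" or "none"
    mx: List[str] = field(default_factory=list)
    max_age: int = 0                       # seconds the sender may cache it


def parse_policy(text: str) -> StsPolicy:
    """Parse the policy file; raise ValueError for anything a sender must reject."""
    version = mode = max_age = None
    mx: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value.lower()
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
        # unknown keys are ignored so future extensions do not break senders
    if version != "STSv1":
        raise ValueError("missing or unsupported version")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid mode")
    if max_age is None:
        raise ValueError("missing max_age")
    if mode != "none" and not mx:
        raise ValueError("enforce/testing policy needs at least one mx entry")
    return StsPolicy(mode, mx, max_age)


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 4.1: a leading '*.' stands for exactly one label, so
    *.backup.example.com matches mx1.backup.example.com but not a.b.backup.example.com."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".backup.example.com"
        if not host.endswith(suffix):
            return False
        return bool(_LABEL.match(host[: -len(suffix)]))
    return host == pattern


def decide(policy: StsPolicy, mx_host: str, tls_ok: bool) -> str:
    """'deliver' or 'defer' for a session with mx_host.

    tls_ok means STARTTLS was offered, negotiated, and the certificate chained to
    a trusted root and matched mx_host. A missing STARTTLS (downgrade), a bad
    certificate, or an MX not authorized by the policy (DNS redirection) is a
    policy failure: enforce mode refuses delivery, testing mode delivers but
    would report it via TLSRPT, and mode none imposes nothing.
    """
    if policy.mode == "none":
        return "deliver"
    authorized = any(mx_matches(p, mx_host) for p in policy.mx)
    if tls_ok and authorized:
        return "deliver"
    return "deliver" if policy.mode == "testing" else "defer"
```

The two failure cases `decide` defers on are exactly the attacks the page lists: an attacker on the path stripping STARTTLS (tls_ok is False) or spoofing the MX lookup to point at a host not covered by the policy (no mx pattern matches). Without a policy a sender would fall back to plaintext in both cases.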

Microsoft adds new feature to its Linux Defender

In June, Microsoft released Microsoft Defender Advanced Threat Protection (ATP) for Linux, since renamed Microsoft Defender for Endpoint on Linux, for general use. Now Microsoft has improved the Linux version of Defender by adding a public preview of endpoint detection and response (EDR) capabilities.

This is still not a version of Microsoft Defender you can run on a standalone Linux desktop. Its primary job remains to protect Linux servers from server and network threats. If you want protection for your standalone desktop, use such programs

With these new EDR capabilities, Linux Defender users can detect advanced attacks that involve Linux servers, investigate them with the same rich experience available on other platforms, and quickly remediate threats. This builds on the existing preventive antivirus capabilities and centralized reporting available via the Microsoft Defender Security Center.

Rich investigation experience, which includes machine timeline, process creation, file creation, network connections, login events, and advanced hunting.

Optimized performance: enhanced CPU utilization during compilation procedures and large software deployments.

In-context AV detection. Just like with the Windows edition, you’ll get insight into where a threat came from and how the malicious process or activity was created.

To run the updated program, you’ll need one of the following Linux server distributions: RHEL 7.2 or higher; CentOS Linux 7.2 or higher; Ubuntu 16.04 LTS or a later LTS release; SLES 12 or higher; Debian 9 or higher; or Oracle Linux 7.2 or higher.

Make sure you’re running agent version 101.12.99 or higher. You can find out which version you’re running (the app_version field in the output) with the command:

mdatp health

You shouldn’t switch all your servers running Microsoft Defender for Endpoint on Linux to the preview at once. Instead, Microsoft recommends you configure only some of your Linux servers for preview mode, with the following command:

$ sudo mdatp edr early-preview enable 

Once that’s done, if you’re feeling brave and want to see for yourself whether it works, Microsoft offers a way to run a simulated attack. Follow the steps below to simulate a detection on your Linux server and investigate the case.

Verify that the onboarded Linux server appears in Microsoft Defender Security Center. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.

Download and extract the script file from aka.ms/LinuxDIY to an onboarded Linux server and run the following command:

./mde_linux_edr_diy.sh

After a few minutes, a detection should be raised in Microsoft Defender Security Center.
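The version check and the advice to enable the preview on only a subset of servers are easy to get wrong in a hurry (a plain string comparison ranks 101.9.x above 101.12.99, for instance). The following is an added example, not Microsoft’s tooling, of a preflight script that wraps the steps above: it reads the agent version through the documented `mdatp health --field app_version` call, compares it numerically against the 101.12.99 minimum, picks a deterministic canary subset of a fleet, and only then runs `mdatp edr early-preview enable`. The fleet hostnames are constructed; the assumption that `mdatp` prints the version as a quoted string is handled by stripping quotes either way.

```python
"""Preflight for rolling the Defender for Endpoint on Linux EDR preview to a subset of hosts.

Added example, not Microsoft's tooling. It assumes the mdatp CLI documented
on this page and in Microsoft's docs:
  mdatp health --field app_version   prints the agent version, e.g. "101.12.99"
  mdatp edr early-preview enable     opts the host into the EDR preview
Hostnames in the sample fleet below are constructed.
"""
import shutil
import subprocess
from typing import List, Optional, Tuple

MIN_PREVIEW_VERSION = "101.12.99"   # minimum stated on this page


def parse_version(text: str) -> Tuple[int, ...]:
    """'101.12.99' (optionally quoted, as mdatp prints string fields) -> (101, 12, 99)."""
    return tuple(int(part) for part in text.strip().strip('"').split("."))


def version_ok(installed: str, minimum: str = MIN_PREVIEW_VERSION) -> bool:
    """True when installed >= minimum, comparing numerically field by field,
    so '101.9.1' < '101.12.99' (a plain string compare would get this wrong)."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def installed_version() -> Optional[str]:
    """Running agent version on this host, or None when mdatp is not installed."""
    if shutil.which("mdatp") is None:
        return None
    result = subprocess.run(["mdatp", "health", "--field", "app_version"],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip().strip('"')


def pick_canaries(hosts: List[str], fraction: float = 0.1) -> List[str]:
    """Choose the subset that gets the preview first: a deterministic slice of the
    sorted inventory so reruns pick the same machines. At least one host, never all
    of them (the page's advice: do not switch every server at once)."""
    ordered = sorted(set(hosts))
    if len(ordered) < 2:
        return ordered
    count = max(1, min(len(ordered) - 1, int(len(ordered) * fraction)))
    return ordered[:count]


def enable_preview(dry_run: bool = True) -> bool:
    """Opt this host in only if the agent is new enough. Returns True if enabled
    (or would be, in dry-run mode)."""
    version = installed_version()
    if version is None:
        print("mdatp is not installed on this host")
        return False
    if not version_ok(version):
        print(f"mdatp {version} is older than {MIN_PREVIEW_VERSION}; update first")
        return False
    if dry_run:
        print(f"would run: sudo mdatp edr early-preview enable (agent {version})")
        return True
    subprocess.run(["sudo", "mdatp", "edr", "early-preview", "enable"], check=True)
    return True


if __name__ == "__main__":
    # Constructed inventory; on a real fleet this would come from your CMDB.
    fleet = ["web-01", "web-02", "web-03", "db-01", "db-02", "build-01",
             "build-02", "log-01", "log-02", "bastion-01"]
    print("preview canaries:", pick_canaries(fleet))
    enable_preview(dry_run=True)
```

Run it with `dry_run=True` on each canary first; it prints the command it would execute without changing the agent. The DIY detection script from aka.ms/LinuxDIY is then run only on the hosts `pick_canaries` returned.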

Microsoft adds new reporting feature to Defender

The new built-in report complements the existing threat and vulnerability management capabilities of Microsoft Defender for Endpoint and is aimed at those looking to gain insight into devices that pose potential risks due to unpatched vulnerabilities. The feature is currently in preview.

“The Vulnerable devices report provides extensive insights into your organization’s vulnerable devices with summaries of the current status and customizable trends over time,” Microsoft explains.

Within the report, organizations can see the severity level of vulnerabilities on their devices, whether exploits are available for them, and the age of unpatched security flaws, as well as the list of vulnerable devices broken down by operating system or by Windows 10 version.

Both graphs and bar charts are available in the report: the graphs show trends over time, the bar charts the current status.

Data can be filtered by vulnerability severity or age, availability of exploits, device group, or platform. Selecting a specific bar chart opens additional detail.

“This preview version is provided without a service level agreement, and it’s not recommended for production workloads. Certain features might not be supported or might have constrained capabilities,” Microsoft notes.

Defender ATP triggered false positives

Microsoft rushed to take action on Wednesday after Defender Advanced Threat Protection (ATP) users reported getting Cobalt Strike and Mimikatz alerts that turned out to be false positives.

Cobalt Strike is a commercial penetration testing tool, but it is frequently abused by malicious actors for its advanced post-exploitation capabilities, including in Ryuk, Sodinokibi (REvil) and other ransomware attacks.

Mimikatz is a post-exploitation tool designed for harvesting credentials from compromised Windows systems. It too has been used by many profit-driven and state-sponsored threat groups.

It’s not surprising that some Microsoft Defender ATP users had a small heart attack on Wednesday when they saw multiple high-severity alerts for Cobalt Strike, while others reported seeing Mimikatz alerts. In both cases the alerts turned out to be false positives.

Cobalt Strike false positive in Defender ATP - Credits: @ffforward

I too was unfazed by the alert emails bombarding my inbox… Scratched my head and wondered what I needed to do next 🙄

The issue was likely caused by a bad rule pushed to Defender ATP, and Microsoft addressed it within hours. Still, don’t simply ignore such alerts: something phishy might remain inside.