Microsoft Security Saturday – 12/12/2020

Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers
A persistent malware campaign has been actively distributing an evolved browser modifier malware at scale since at least May 2020. At its peak in August, the threat was observed on over 30,000 devices every day. The malware is designed to inject ads into search engine results pages. The threat affects multiple browsers (Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox), exposing the attackers' intent to reach as many Internet users as possible.

New cloud-native breadth threat protection capabilities in Azure Defender
Today we are excited to announce we are adding two new protections with the preview of Azure Defender for Resource Manager and Azure Defender for DNS, cloud-native breadth threat protection solutions. These new protections continue to improve your resiliency against attacks from bad actors and significantly increase the number of Azure resources protected by Azure Defender.

Digital Defense integrates with Microsoft to detect attacks missed by traditional endpoint security
Cybercriminals have ramped up their initial compromises through phishing and pharming attacks using a variety of tools and tactics that, while numerous, are simple and often go undetected. One technique that attackers continue to leverage to obfuscate their activity and remain undetected is dwell time.

Microsoft Defender for Endpoint on iOS is generally available
Today, we're excited to announce that Microsoft has reached a new milestone in our cross-platform security commitment with the general availability of our iOS offering for Microsoft Defender for Endpoint, which adds to the already existing Defender offerings on macOS, Linux, and Android.

Map your data estate with Azure Purview
Azure Purview enables organizations of all sizes to manage and govern their hybrid data estate. The Azure Purview Data Map enables customers to establish the foundation for effective data governance. Customers create a knowledge graph of data coming in from a range of sources, including Azure SQL Database, an AWS S3 bucket, or an on-premises SQL Server. Purview makes it easy to register, automatically scan, and classify data at scale.

Classify your data using Azure Purview
The Azure Purview Data Map is an intelligent graph that describes all the data across your data estate. You can start creating this intelligent graph by extracting metadata from hybrid data stores. But, typically, the metadata discovered from the individual data stores is defined in isolation and hence is inconsistent and incomplete. This is where classifications and classification rules within the Azure Purview Data Map come in.

Microsoft Information Protection and Microsoft Azure Purview: Better Together
We are excited to announce that with the new Microsoft Azure Purview, you can now extend the reach of your MIP sensitivity labels and the value from built-in sensitive information types to a much broader set of data locations and data types. With Azure Purview, your ability to know your data expands to cover operational and analytical data, and more data locations like SQL Server, Azure SQL, and Azure Storage.

Mission Security: Enabling Secure Remote Work by Embracing Zero Trust
Enabling secure remote work has never been as vital as it is today. This past year, the Microsoft Teams Engineering team helped customers with a record number of net new deployments in the Microsoft Cloud. With the inevitable need to have end users collaborate with agencies, partners, and customers remotely, security became paramount.

Announcing EDR in block mode general availability
EDR in block mode is a feature in Microsoft Defender for Endpoint that turns EDR detections into blocking and containment of malicious behaviors. This capability uses Microsoft Defender for Endpoint's industry-leading visibility and detection capabilities and Microsoft Defender Antivirus's built-in blocking function to provide an additional layer of post-breach blocking of malicious behavior, malware, and other artifacts that your primary antivirus (AV) solution might miss.

Building a Zero Trust business plan
We're excited to share the release of our Zero Trust Business Plan. This document captures lessons learned from leaders who sponsored, guided, and oversaw the adoption of Zero Trust within customers' organizations. This document will provide guidance across the full lifecycle of your Zero Trust initiative.

Providing secure access to Desktop and Mobile Helpdesk admins using Role-Based Access Control in MEM
This article talks about using Role-Based Access Control (RBAC) in Microsoft Intune to set up separate helpdesk roles for Desktop teams who manage the Windows device estate and for Mobile teams who manage the mobile device estate. RBAC in Intune helps you manage who has access to your organization's resources and what they can do with those resources.

Bring threat intelligence from Sixgill using TAXII Data Connector
As discussed in the blog Bring your threat intelligence to Azure Sentinel, Azure Sentinel provides various ways to import threat intelligence into the ThreatIntelligenceIndicator Log Analytics table, from where it can be used in various parts of the product, such as hunting, investigation, analytics, and workbooks.

Using Azure Firewall as a Network Virtual Appliance (NVA)
The purpose of this post is to demonstrate using Azure Firewall to control network traffic routing between Hub and Spoke networks in a Hub and Spoke Network Architecture. The Hub & Spoke Azure Architecture has become a common network topology for Azure deployments. The Cloud Adoption Framework describes this architecture in great depth.

Always Encrypted Data Displayed in SSRS with a gMSA
Always Encrypted protects our data both at rest and in transit. To accomplish that, SQL only stores the encrypted data and cannot decrypt it; all the work is done by the client. In our case the client is SSRS, and it is the account running the SSRS service that will need the certificate to decrypt data. Note that it is not the account running the report.

How to set up a Canarytoken and receive incident alerts on Azure Sentinel
In the example below you will walk through creating a free Canarytoken (a honey token, as described) through a Canary service and using it to update Azure Sentinel when it is triggered.
