Microsoft Security Saturday – 12/26/2020

CVP Tom Burt: Cyber mercenaries don’t deserve immunity
A growing industry of companies called private-sector offensive actors – or PSOAs – is creating and selling cyberweapons that enable their customers to break into people’s computers, phones and internet-connected devices. Now, one of these 21st-century mercenaries, called the NSO Group, is attempting to cloak itself in the legal immunity afforded its government customers, which would shield it from accountability when its weapons inflict harm on innocent people and businesses.

Azure AD workbook to help you assess Solorigate risk
In the interest of helping customers concerned about the Solorigate attacks, we are publishing a new workbook in the Azure AD admin portal to assist investigations into the identity indicators of compromise related to the attacks. The information in this workbook is available in the Azure AD audit and sign-in logs, but the workbook helps you collect and visualize it in one view.

Understanding “Solorigate”’s Identity IOCs – for Identity Vendors and their customers
As part of our ongoing security processes, we leverage threat intelligence and monitor for new indicators that could signal attacker activity. There are two anomalies pertinent to this report, and discussed at

Advice for incident responders on recovery from systemic identity compromises
This blog outlines lessons learned from this and other incident responses to date in on-premises and cloud environments. This latest guidance is for customers looking to re-establish trusted identities for credentials that are suspected of compromise by Solorigate malware.

MCAS Data Protection Blog Series: Do I use MCAS or MIP?
Overview: At a high level, AIP is a cloud-based solution that enables organizations to discover, classify, and protect documents and emails by applying labels to content. AIP is part of the Microsoft Information Protection (MIP) solution, and extends the labeling and classification functionality provided by Microsoft 365. MIP is the common information protection stack that’s leveraged by AIP’s unified labeling client. For more information, see the Microsoft 365 documentation. For information on AIP versus MIP, please check out our documentation.

Get email notifications on new incidents from Microsoft 365 Defender
A new Microsoft 365 Defender feature lets you receive notification emails directly in your mailbox for each new incident or incident update, helping you stay on top of the incident queue. Get notifications based on incident severity or by device group. You can also choose to be notified only on the first update for each incident.

Learn Azure Sentinel on Microsoft Learn
Why not use some of the upcoming days to learn something new? Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. To get started and learn more about Azure Sentinel, we now have a full learning path on Microsoft Learn.

The Mysterious Case of the Self-Moving FSMO Roles
This is Chris Cartwright from Directory Services. I had a coworker, Eric Jansen, reach out to me from the field and ask about an incident on site. He was looking into a scenario where “the PDCE (Primary Domain Controller Emulator) and DNM (Domain Naming Master) mysteriously moved…” to a DC in another site. He said what was weird was who the logs said performed it. He also said that the other site used their own procedures to build their DCs, which apparently included using Windows Server Essentials for the base OS. Now, I have never heard of anyone doing that in an enterprise environment, but it got us curious…

Microsoft Defender for Endpoint Upgrade Readiness: macOS Big Sur
Today we discuss preparing Microsoft Defender for Endpoint on an organization’s macOS systems and making them ready for “Big Sur”, the latest version of the Mac operating system, released by Apple on the 12th of November, 2020. Big Sur enhances the MDM (Mobile Device Management) protocol as the key for automated device enrollment, content caching and managing apps.