Microsoft Security Saturday – 09/18/2021

Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability
In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (fewer than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders. These loaders communicated with infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.

Unusual MIRAI variant looks for mining infrastructure
MIRAI is a botnet usually seen brute-forcing credentials for IoT and IoT-like devices and is mainly focused on protocols like SSH and Telnet. The bot in question, which we've named MinerFinder, starts by dropping an SSH key. This can be used later to regain access to the infected system in case the password is reset.
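The persistence trick described above (a key dropped into authorized_keys keeps working after a password reset) calls for a concrete check: re-list every key that can log in and compare fingerprints against what you expect. The following is an added example, not code from this post or from the MinerFinder write-up. It parses authorized_keys content (including quoted options such as command="..."), computes SHA256 fingerprints the way ssh-keygen -l prints them, and flags entries whose fingerprint is not on an allowlist, as well as malformed entries. The sample keys, the allowlist and the file content are constructed for the example; on a real host you would feed it each user's authorized_keys file and a fingerprint list from your configuration management.

```python
"""Audit authorized_keys entries against a fingerprint allowlist (added example).

Sample keys below are constructed ed25519-shaped blobs with hashed filler bytes,
not real key pairs; the allowlist is likewise constructed for the demo.
"""
import base64
import hashlib
import re
import struct
from dataclasses import dataclass, field
from typing import List, Set

# Key types accepted by OpenSSH. An options token (from="...", command="...") never full-matches this.
KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[\w.-]+@openssh\.com)$"
)


@dataclass
class AuthorizedKey:
    line_no: int
    options: str
    key_type: str
    blob_b64: str
    comment: str
    fingerprint: str  # "SHA256:<base64 without padding>", as ssh-keygen -l prints it
    problems: List[str] = field(default_factory=list)


def _split_quoted(line: str) -> List[str]:
    """Split on whitespace, keeping quoted option values (command="a b") as one token."""
    tokens, cur, quoted, escaped = [], [], False, False
    for ch in line:
        if ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = ch == "\\" and quoted and not escaped
        cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of the decoded key blob, in OpenSSH notation."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    keys: List[AuthorizedKey] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = _split_quoted(line)
        idx = next((i for i, t in enumerate(tokens) if KEY_TYPE_RE.match(t)), None)
        if idx is None or idx + 1 >= len(tokens):
            keys.append(AuthorizedKey(n, line, "", "", "", "", ["unparseable entry"]))
            continue
        key_type, blob = tokens[idx], tokens[idx + 1]
        entry = AuthorizedKey(n, " ".join(tokens[:idx]), key_type, blob, " ".join(tokens[idx + 2:]), "")
        try:
            entry.fingerprint = fingerprint(blob)
            decoded = base64.b64decode(blob)
            (tlen,) = struct.unpack(">I", decoded[:4])
            # The blob starts with its own type string; it must agree with the declared type.
            if decoded[4:4 + tlen] != key_type.encode():
                entry.problems.append("declared type does not match key blob")
        except Exception:
            entry.fingerprint = ""
            entry.problems.append("undecodable key blob")
        keys.append(entry)
    return keys


def audit(text: str, allowed_fingerprints: Set[str]) -> List[AuthorizedKey]:
    """Return entries that are malformed or whose fingerprint is not on the allowlist."""
    flagged = []
    for k in parse_authorized_keys(text):
        if not k.problems and k.fingerprint not in allowed_fingerprints:
            k.problems.append("fingerprint not in allowlist")
        if k.problems:
            flagged.append(k)
    return flagged


def _ed25519_blob(seed: int) -> str:
    """Constructed ed25519-shaped blob: string(type) || string(32 filler bytes). Not a real key."""
    material = hashlib.sha256(b"constructed-key-%d" % seed).digest()
    data = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + material
    return base64.b64encode(data).decode()


KNOWN_BLOBS = [_ed25519_blob(1), _ed25519_blob(2)]
ALLOWED_FINGERPRINTS = {fingerprint(b) for b in KNOWN_BLOBS}  # constructed allowlist

# Constructed authorized_keys content: two expected keys, one unknown key with no
# comment (what a dropped key usually looks like), and one with a mismatched type.
SAMPLE_AUTHORIZED_KEYS = (
    "# admin workstation\n"
    f"ssh-ed25519 {KNOWN_BLOBS[0]} admin@ws\n"
    f'from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-ed25519 {KNOWN_BLOBS[1]} backup\n'
    f"ssh-ed25519 {_ed25519_blob(99)}\n"
    f"ssh-rsa {_ed25519_blob(3)} mismatched\n"
)

if __name__ == "__main__":
    for k in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print(f"line {k.line_no}: {k.key_type} {k.fingerprint or '?'} {k.comment!r}: {', '.join(k.problems)}")
```

Run against the constructed sample, the audit reports line 4 (unknown fingerprint, no comment) and line 5 (declared type disagrees with the blob) and stays silent on the two allowlisted keys, including the one wrapped in from= and command= options. Keying the allowlist on fingerprints rather than on comments matters: a dropped key can carry any comment it likes.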

Announcing Enhanced Malicious OAuth Activity Detection Capabilities in App Governance
App governance is a security and policy management capability that customers can use to monitor and govern app behaviors and quickly identify, alert on, and protect against risky app behaviors. App governance is designed for OAuth-enabled apps that access Microsoft 365 data via Microsoft Graph APIs.

Azure Sentinel Information Model Fall Release: Speed and Ease
Last quarter we focused on Azure Sentinel Information Model (ASIM) foundations and defined schemas. This quarter we focused on making ASIM more useful to you.

Azure Sentinel Notebooks – Azure cloud support, new visualizations
The 1.4.2 release of MSTICPy includes three major features/updates. We have also consolidated our visualizations into a single pandas accessor to make them easier to invoke from any DataFrame.

Azure Sentinel Notebooks Ninja Part 2: Getting Started with Azure Sentinel Notebooks
This installment is part of a broader learning series to help you become a Jupyter Notebook ninja in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

Co-authoring on Microsoft Information Protection encrypted documents is now generally available
With hybrid work here to stay, organizations are increasingly looking for ways to facilitate seamless collaboration among workgroups and across organizations while keeping their data secure and compliant. Today, we're announcing a unique capability from Microsoft Information Protection in Microsoft 365 that empowers you to do just that. Co-authoring on Word, Excel, and PowerPoint documents encrypted with sensitivity labels is now generally available for Windows and Mac. This feature is already available in Office on the web.

Announcing Microsoft 365 Endpoint Data Loss Prevention public preview to US government customers
Protecting sensitive data from risky or inappropriate copying, sharing, transfer, or use is a top priority for government organizations. Remote delivery of public services and data sharing across devices have created renewed emphasis on providing strong and coordinated protection on the endpoints government employees use every day. To help government organizations accelerate their deployment of a comprehensive information protection strategy, we are announcing the public preview of Microsoft Endpoint Data Loss Prevention (DLP) to GCC, GCC High and DoD customers.

Microsoft Continues to Enhance DLP Customer Value with New Capabilities
In the past few months, Microsoft has introduced a wide range of new capabilities in General Availability and Public Preview that are designed to provide new ways of protecting data across a wider breadth of use cases and workloads and provide greater visibility into how sensitive content is used, stored and shared.

Announcing General Availability of Azure AD-joined VMs support
We're pleased to announce that you can now join your Azure Virtual Desktop virtual machines directly to Azure Active Directory (Azure AD) and connect to the virtual machine from any device with basic credentials. You'll also be able to automatically enroll the virtual machines with Microsoft Endpoint Manager.