Microsoft Security Saturday – 09/25/2021

Basic Authentication and Exchange Online – September 2021 Update – Today, we are announcing that, effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage (with the exception of SMTP Auth, which can still be re-enabled after that).

Catching the big fish: Analyzing a large-scale phishing-as-a-service operation – In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains—over 300,000 in a single run. This investigation led us down a rabbit hole as we unearthed one of the operations that enabled the campaign: a large-scale phishing-as-a-service operation called BulletProofLink, which sells phishing kits, email templates, hosting, and automated services at a relatively low cost.

3 trends shaping identity as the center of modern security – Identity has become the focal point of our digital society. Identity enabled us to rapidly shift to remote models when the pandemic first hit, and identity will help sustain the trend toward more permanent remote and hybrid models moving forward. But other emerging trends will also have a major impact on our digital society.

Announcing Improved Identity Protection Signal Quality and Visibility – I’m excited to share our recent improvements in risk evaluation and reporting visibility for Identity Protection. These changes are a step forward in our ability to detect emerging attack vectors and help you focus on the most critical alerts. We improved signal quality and reduced alert volume for low-risk sign-ins by more than 60%, introduced unfamiliar sign-in properties for refresh tokens and session cookies, and added visibility into non-interactive risky sign-ins.

Microsoft Defender for Identity – new exclusion settings now in Public Preview – As part of ongoing efforts to make all experiences and features from Microsoft Defender for Identity available in Microsoft 365 Defender, the product group took the opportunity to not just lift and shift the exclusion configuration page, but to revamp the experience and make some new functionality available for security teams. This announcement confirms that these features are now available in public preview and will be made generally available soon.

The Attack Simulation Training landing page is now customizable – Attack Simulation Training is an intelligent phish risk reduction tool that measures behavior change and automates design and deployment of an integrated security awareness training program across an organization. The landing page, where targeted users are notified that they fell prey to a phishing simulation, is a key learning moment.

New security feature in September 2021 Cumulative Update for Exchange Server – As part of our continued work to help you protect your Exchange Servers, in the September 2021 Cumulative Update (CU) we have added a new feature called the Microsoft Exchange Emergency Mitigation service. This new service is not a replacement for installing Exchange Server Security Updates (SUs), but it is the fastest and easiest way to mitigate the highest risks to Internet-connected, on-premises Exchange servers prior to installing applicable SUs.

Introducing the Network Security Dashboard for Azure Security Center – The new Network Security Dashboard for Security Center provides a unified view and deep visibility into the configuration of your overall networking and network security services in Azure. If you have been actively using Security Center and Network Security features in Azure, this dashboard is for you!

Hunting for OMI Vulnerability Exploitation with Azure Sentinel – In this blog, we have some things to share about current attacks in the wild, agents and software involved, indicators for defenders to look for on host machines, and new detections in Azure Sentinel.

Using ASC to find machines affected by OMI vulnerabilities in Azure VM Management Extensions – The vulnerability scanner included with Azure Security Center is powered by Qualys. Qualys’ scanner is one of the leading tools for real-time identification of vulnerabilities. Learn more in Azure Defender’s integrated vulnerability assessment solution for Azure and hybrid machines. Using Security Center’s asset inventory page, you can quickly find all machines affected by any CVE with the fast-filtering tools, as shown in the video below.

Azure Defender PoC Series – Azure Defender for Servers – Azure Defender is the Cloud Workload Protection Platform (CWPP) built into Azure Security Center, which provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more.

Azure Sentinel Notebooks Ninja Part 3: Overview of the Pre-built Notebooks – the Grand List – This installment is part of a broader learning series to help you become a Jupyter Notebook ninja in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

Azure Sentinel To-Go! A Linux 🐧 Lab with AUOMS Set Up to Learn About the OMI Vulnerability – The following resources have already been shared by Microsoft to provide guidance on updating vulnerable extensions for Cloud and On-Premises deployments, and indicators to detect the exploitation of the vulnerability

Security concept: Audit Trail – Precisely speaking, an Audit Trail per se is not a principle, but rather a concept. Still, I think everyone halfway serious about learning about security principles must know about this and what it can be used for. And it is absolutely relevant for working with Separation of Duties, as we shall later see, as is Delegation, which is also covered within this article series.