Monthly news – September 2023

Posted by

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .

Microsoft 365 Defender
Monthly news
September 2023 Edition

OFT header v4.png

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from August 2023.  

Product videos.png Product videos webcast recordings.png Webcast (recordings) Docs on MS.png Docs on Microsoft Blogs on MS.png Blogs on Microsoft
GitHub.png GitHub External.png External Product improvements.png Product improvements Public Preview sign-up.png Previews / Announcements
Microsoft 365 Defender
Public Preview sign-up.png

Asset rule management feature (public preview). Asset rule management - Dynamic rules for devices is now in public preview. Dynamic rules can help manage device context by assigning tags and device values automatically based on certain criteria. In tandem, the DeviceInfo table in advanced hunting now also includes the columns DeviceManualTags and DeviceDynamicTags in public preview to surface both manually and dynamically assigned tags related to the device you are investigating. Learn more

Public Preview sign-up.png

Unified RBAC has expanded its coverage to support more Microsoft 365 Defender experiences (public preview). Unified RBAC now supports Secure Score, allowing customer granting granular access based on custom roles with dedicated permissions without the need to elevate users with Entra ID global roles. This important new capability allows admins to achieve the least privileges approach also for Secure Score access.

In addition, unified RBAC now supports Defender for Vulnerability Management standalone SKU, so customers can control access via unified RBAC custom roles. A new MDE permission has been added to the Unified RBAC permissions model unser "Security operations" set of permissions - "File collection". Based on customers' ask, we have isolated the ability to download executable and non-executable files for further investigation to a separate granular permission so now it can be granted to SecOps analysts independently from the broader permission - "Advanced Live-Response".

Docs on MS.png

Guides using the Microsoft 365 Defender portal in responding to your first incident. This set of guides aims to help first time users of the Microsoft 365 Defender portal to know the features and actions they can use in investigation and response. The documentation links to tutorials and videos showing features specific to investigation and remediation capabilities. The guides focus on incidents, analysis of specific threats and attacks, and remediation actions available in the portal.

webcast recordings.png

Season 5 of the Virtual Ninja Show is coming this September!! :stareyes: First episode is on the new Security settings management feature, streaming September 11th 9AM PT. We’ve got some exciting updates this time around :cool: Visit the site to see additional details and to add the episodes to your calendars >

Microsoft Security Experts
Blogs on MS.png

Defender Experts Chronicles: A Deep Dive into Storm-0867. Learn how the Defender Experts for XDR team tracked, investigated and remediated incidents involving adversary-in-the-middle (AiTM) cases tied to Storm-0867.

Product improvements.png

New FAQ for Defender Experts for XDR incident notifications. The "Guided response" feature in Microsoft Defender Experts for XDR has been renamed to "Managed response". We have also added a new FAQ section on incident updates.

Microsoft Defender for Endpoint
Public Preview sign-up.png

Microsoft Defender data can now be hosted locally in Australia. We are pleased to announce that Microsoft Defender for Endpoint, Microsoft 365 Defender and Microsoft Defender for Identity now support data residency in Australia. 

Public Preview sign-up.png

Mobile device tagging for iOS and Android is not in Public Preview. Defender for Endpoint is helping decentralized SOC teams improve their approach to security and privacy across mobile devices by making it easier to tag iOS and Android devices – giving security admins more control over who has access to specific groups and device data. Mukta_Agarwal_0-1691748810906.png

Public Preview sign-up.png

Device isolation and AV scanning for Linux and macOS. Respond more effectively with device isolation and antivirus scanning now available as response actions for macOS and Linux in Defender for Endpoint. 

Public Preview sign-up.png

Optimizing endpoint security with Defender for Endpoint's flexible licensing options. To accommodate scenarios where customers are consuming a mix of SKUs, such as Defender for Endpoint P1 and P2, Defender for Endpoint customers can now control how licenses are applied with minimal friction and management overhead.

Microsoft Defender for Identity
Public Preview sign-up.png

Defender for Identity expands its coverage with new AD CS sensorA new Defender for Identity sensor that can be deployed on Active Directory Certificate Services (AD CS) servers. This new sensor builds on the existing detections for suspicious certificate usage available today and extends Defender for Identities capabilities and coverage more comprehensively across identity environments.

Microsoft Defender for IoT
Blogs on MS.png

Multiple high severity vulnerabilities in CODESYS V3 SDK could lead to RCE or DoS. Microsoft identified 15 vulnerabilities in the CODESYS V3 software development kit (SDK), a software development environment widely used to program and engineer programmable logic controllers (PLCs).

Microsoft Defender for Office 365
Public Preview sign-up.png

Send "How-to guides" to your organization from Attack Simulation training. Attack Simulation Training now includes an exciting new feature: "How-to Guides" that can be sent to users to provide instructions to recipient on how to complete important security tasks!

Public Preview sign-up.png

Announcing the availability of in-product guidance! Learn more about the latest in product improvements to supercharge your adoption and understanding of Defender for Office 365.


Docs on MS.png

Order and precedence of email protection. Learn article "Order and precedence of email protection" updated in August to coincide with MC668259 (Microsoft Defender for Office 365: Updates to Precedence of User and Organizational Email Allows and Blocks) and Microsoft 365 Roadmap feature ID 115505.

Microsoft Defender Vulnerability Management
Public Preview sign-up.png

Availability of Defender Vulnerability Management Standalone and Container vulnerability assessments. Defender Vulnerability Management is now available as standalone offer and extending vulnerability assessments to container. 

Blogs on Microsoft Security
Blogs on MS.png

Midnight Blizzard conducts targeted social engineering over Microsoft Teams. MSTIC has observed Midnight Blizzard's continued targeting of Ukraine supporters in spearphishing activity, as the threat actor's tools, tactics, and themes continue to evolve. Midnight Blizzard's more recent phishing campaigns have increased focus on Ukrainian allies than previous activities that had wider-spread global diplomatic focus. 

Blogs on MS.png Flax Typhoon using legitimate software to quietly access Taiwanese organizations. Flax Typhoon uses legitimate software to quietly accumulate access to Taiwanese organizations
Threat Analytics Reports / Actor profiles (Portal access needed)


Activity profile: Midnight Blizzard conducts targeted social engineering over Microsoft Teams. Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). 

Activity profile: Secret Blizzard targets defense sector in Ukraine and Eastern Europe. Since February 2023, Microsoft has identified ongoing targeted attacks against the defense sector in Ukraine and Eastern Europe by the threat actor Secret Blizzard (KRYPTON, UAC-0003) leveraging DeliveryCheck, a novel .NET backdoor used to deliver a variety of second stage payloads.
  Activity profile: Midnight Blizzard targets diplomatic, NGOs, and humanitarian organizations in global spear phishing activity. Midnight Blizzard shifted the focus of spear phishing activities in early May 2023 to targeting the diplomatic missions of governments, non-governmental organizations (NGOs), and humanitarian organizations that support Ukraine and/or took part in other aspects of the conflict, such as aiding refugees, investigating human rights, or providing financial support. 
  Threat overview: Adversary-in-the-middle credential phishingAdversary-in-the-middle (AiTM) attacks have long been used by threat actors to steal credentials and personal data or to deliver malware. Open source, free to use phishing kits with AiTM capabilities have been available since 2017, but AiTM capabilities were not commonly paired with large-scale phishing campaigns until 2021. In 2022 the technique became common, replacing more traditional forms of credential phishing. Cybercriminals currently use AiTM phishing techniques to bypass multifactor authentication (MFA) protections at scale. These advanced techniques are democratized and proliferated through the phishing-as-a-service (PhaaS) cybercrime economic model, which has spawned several service offerings since 2021.
  Peach Sandstorm password sprays targets. Since February 2023, Microsoft has observed a high volume of password spray attacks attributed to Peach Sandstorm (HOLMIUM), an Iranian nation-state group known to target organizations with ties to the United States or Saudi Arabia. 
  Actor profile: Mustard Tempest. The actor that Microsoft tracks as Mustard Tempest (DEV-0206) is a financially motivated cybercriminal group that provides initial access to ransomware operators, such as Manatee Tempest (DEV-0243). Mustard Tempest infects its targets through drive-by scenarios using FakeUpdates (also known as SocGholish) malware.
  Actor profile: Periwinkle Tempest. The actor Microsoft tracks as Periwinkle Tempest (DEV-0193, also known as Trickbot LLC or Conti LLC) is a prolific criminal group that encompasses multiple subgroups including operators, tooling, development, and management of several of the most impactful ransomware as a service (RaaS) and backdoor ecosystems.
  Actor profile: Storm-1285. Microsoft tracks Storm-1285 as the actor group responsible for the development, support, and sale of the Hades phishing kit. Hades has adversary-in-the-middle (AiTM) capabilities, which can bypass multifactor authentication (MFA) protections. 
  Actor profile: Twill Typhoon. The threat actor Microsoft tracks as Twill Typhoon (TANTALUM) is a nation-state activity group based out of China. Twill Typhoon is known to primarily target government-related organizations in Europe, East Asia, and Africa. Twill Typhoon focuses on espionage. 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.