Threat analytics is Microsoft 365 Defender’s in-product threat intelligence (TI) solution designed to help defenders like you to efficiently understand, prevent, identify, and stop emerging threats. It provides a unique combination of in-depth TI analysis and reports from expert Microsoft security researchers, and consolidated data showing your organization’s security posture relative to the threats. Threat analytics helps you respond to and minimize the impact of active attacks.
As part of a unified extended detection and response (XDR) experience in Microsoft 365 Defender, threat analytics is now available for public preview. It includes better data coverage, incident management across security pillars, automatic investigation and remediation, and cross-domain hunting capabilities. Microsoft 365 Defender threat analytics is available for Microsoft Defender for Office 365 and Microsoft Defender for Endpoint users.
If you’re familiar with threat analytics in Microsoft Defender for Endpoint, you’ll be excited to know that the integrated experience you’ll see in Microsoft 365 Defender threat analytics takes your report consumption to another level.
Threat analytics for Microsoft 365 Defender introduces:
What’s in each report?
With each threat analytics report, you’ll find:
How do I get there?
Ready to check it out? Explore these threat analytics reports.
Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary designation for the actor, but moving forward, we want to place appropriate focus on the actors behind the sophisticated attacks, rather than one of the examples of malware used by the actors. Microsoft Threat Intelligence Center (MSTIC) has named the actor behind the attack against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM. As we release new content and analysis, we will use NOBELIUM to refer to the actor and the campaign of attacks.
This report about the sophisticated attack details how NOBELIUM inserted malicious code into a supply chain development process. A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate. The resulting binary included a backdoor and was then discreetly distributed into targeted organizations. This attack was discovered as part of an ongoing investigation.
Understand how Emotet operators have started to ramp up activity starting July 2020. Notable for their involvement in Ryuk ransomware distribution, Emotet operators are back with basically the same goals, utilizing similar lure themes and macro-enabled documents. Despite the recent take-down which has interrupted Emotet, your security operation centers should continuously monitor Emotet-related alerts in your antivirus and EDR solutions. Secondary payloads delivered by Emotet prior to the take-down remain a serious and real threat to your network.
Possibly tied to the same cybercriminals leveraging Trickbot infrastructure, these campaigns appear to be part of ongoing attempts to shift to other entry vectors. Started in late October 2020, these campaigns use phishing emails that take recipients through link chains to implant BazaLoader. Unsurprisingly, the new implant brings in potent tools like Cobalt Strike, which make persistent, direct human attack activity possible. Microsoft's security solutions remain effective against this threat, regardless of the recent BazaLoader activities that we've observed this month. Use advanced hunting to proactively hunt for this threat in your Microsoft 365 security portal (Microsoft 365 Defender) or Microsoft Security Center portal (Microsoft Defender for Endpoint).
Get your shields up by learning about this modular banking trojan’s modus operandi and how Microsoft 365 Defender can help detect and stop IcedID campaigns at multiple points along the attack chain and across domains, including the very start.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.