Skip to content

Microsoft Secure

Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak

On March 7, we reported that a massive Dofoil campaign attempted to install malicious cryptocurrency miners on hundreds of thousands of computers. Windows Defender Antivirus, with its behavior monitoring, machine learning technologies, and layered approach to security detected and blocked the attack within milliseconds. Windows 10 S, a special configuration of Windows 10 providing Microsoft-verified security,...

Read more


Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign

Update: Further analysis of this campaign points to a poisoned update for a peer-to-peer (P2P) application. For more information, read Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak. Just before noon on March 6 (PST), Windows Defender Antivirus blocked more than 80,000 instances of several sophisticated trojans that exhibited advanced cross-process injection techniques, persistence...

Read more

Detecting reflective DLL loading with Windows Defender ATP

Today’s attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In recent blogs we described how attackers use basic...

Read more

Microsoft Data Center in Quincy

Advanced Threat Analytics security research network technical analysis: NotPetya

This post is authored by Igal Gofman, Security Researcher, Advanced Threat Analytics.  On June 27, 2017 reports on a new variant of Petya (which was later referred to as NotPetya) malware infection began spreading across the globe. It seems the malware’s initial infection delivered via the “M.E.doc” update service, a Ukrainian finance application. Based on...

Read more

Exploit for CVE-2017-8759 detected and neutralized

The September 12, 2017 security updates from Microsoft include the patch for a previously unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against this threat. The vulnerability, classified as CVE-2017-8759, was used in limited targeted attacks and reported to us by our partner, FireEye....

Read more

Global,Abstract geometric shape with spherical severed,Global communication

Microsoft’s perspective on cyber resilience

In the wake of recent ransomware outbreaks, I wanted to understand how impacted firms have evolved their thinking on cyber resilience planning and implementation. I asked the Detection and Response Team at Microsoft, who help our customers proactively and in real time to respond and recover from cyberattacks, to share their experiences....

Read more


Windows 10 platform resilience against the Petya ransomware attack

The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November 2017, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices. Read our latest report: A worthy upgrade:...

Read more


New ransomware, old techniques: Petya adds worm capabilities

On June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States. The trend towards increasingly sophisticated malware behavior, highlighted by the...

Read more

Strategies to build your cybersecurity posture

This post is authored by Michael Montoya, Executive Advisor, Enterprise Cybersecurity Group Asia Region. “You clicked on an infected message…” In my prior life of managing an enterprise email environment, I started thousands of messages with that response to the victims of the infamous “love bug” email. Looking back, this was a simple task compared...

Read more

The two-pronged approach to detecting persistent adversaries

Advanced Persistent Threats use two primary methods of persistence: compromised endpoints and compromised credentials. It is critical that you use tools to detect both simultaneously. With only one or the other in place, you give adversaries more opportunities to remain on your network. There are many attack vectors within these two main categories, including the...

Read more