Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)

Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet. The disruption is the culmination of a journey that started in…


Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’

Scripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats. Scripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run through legitimate processes and are perfect tools for “living off the land”—staying away from the…


Detecting reflective DLL loading with Windows Defender ATP

Today’s attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In recent blogs we described how attackers use basic…


Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks

The threat to sensitive financial information is greater than ever. Data breaches, phishing attacks, and other forms of information theft are all too common in today’s threat landscape. Point-of-sale systems and ATMs have been targeted by hackers. Information-stealing trojans pose a risk to data and can lead to significant financial loss. Qakbot and Emotet are…


Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware

Windows Defender Exploit Guard is a new set of intrusion prevention capabilities that ships with the Windows 10 Fall Creators Update. The four components of Windows Defender Exploit Guard are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their…


Making Microsoft Edge the most secure browser with Windows Defender Application Guard

Innovation in the attack space is constant as adversaries increase in both determination and sophistication. In response to increased investments in defense, attackers are adapting and improving tactics at breakneck speed. The good news is that defenders are also innovating and disrupting long reliable attack methods with new technologies. In Windows 10 we’re not just…


Introducing Windows Defender Application Control

Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control flips the model from one where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Many organizations, like…


Stopping ransomware where it counts: Protecting your data with Controlled folder access

Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities included with Windows 10 Fall Creators Update. One of its features, Controlled folder access, stops ransomware in its tracks by preventing unauthorized access to your important files. Encryption should protect your data and files. Ransomware twists the power of encryption against you…


Announcing the Windows Defender Advanced Threat Protection ISO 27001 audit assessment report

The security and privacy of customer data are our top priority. Our goals are simple: to operate our services with the security and privacy you expect from Microsoft, and to give you accurate assurances about our security and privacy practices. In line with our commitment to provide customers the utmost transparency, we have enhanced auditing…


Exploit for CVE-2017-8759 detected and neutralized

The September 12, 2017 security updates from Microsoft include the patch for a previously unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against this threat. The vulnerability, classified as CVE-2017-8759, was used in limited targeted attacks and reported to us by our partner, FireEye. Microsoft would like…