Microsoft 365 Managed Defense Trial Surprise
At the end of June we did a “first” for SWC – offer free trial services of Microsoft 365 Managed Defense to ten of our customers. This isn’t as trivial as a “first month free” gym membership – in the consulting world time is quite literally money, and giving anything away for free is quite a paradigm shift. Due to a limited number of trial customers and endpoints we monitored (only about 2% of these customers’ total endpoints) my unspoken fear was that we would turn the service on and find nothing. What we found instead was quite a surprise…
But before I begin – a few words about the service itself. Microsoft 365 Managed Defense is a service we developed to monitor for and respond to security events in our customers’ “front line” systems – Cloud, Office 365, and users’ endpoints. We configure our customers’ environments to make sure the security features are deployed correctly, leverage the powerful security tools built into the family of Microsoft 365 products (powered and interconnected by Microsoft’s Intelligent Security Graph) to bubble to the surface events that matter, and provide 24x7x365 monitoring and response service to our customers. Now – on to the surprise…
The surprise was both how much we found during the first two weeks of our free trials, as well as what we found. Note that the numbers below are only from the ten “Free Trial” customers – customers, where we are covering their entire environment, are not included here.
The compromised Azure AD accounts were the result of “Credential Harvesting”/Phishing attacks that, unfortunately, are all too common. The number 10 represents the number of confirmed compromised accounts and excludes the false positives we received from folks checking their work email during their vacation trip to Europe or the Great Coral Reef.
To catch 9 pieces of malware on 100 machines in 2 weeks is a bit high – but Windows Defender did a great job there and prevented the malware from executing and doing any damage. One interesting malware detection method (responsible for 3 out of the 9 malware samples stopped) is detection via integration with Office 365:
A malicious file was detected based on an indication provided by Office 365
This intelligence source, unique to Microsoft, picked up 33% of malicious files. The much-advertised “global scale threat intelligence” in action – neat!
For full disclosure – we did get a couple of “false positives”. One of them was an administrator running a scan of the environment which, deservingly, triggered all sorts of alarms as a reconnaissance activity. The second was a macro built into a corporate template document that behaved strangely enough to cause it, the document it was embedded in, and Word.exe itself to be killed by Windows Defender (using Exploit Guard). Upon review – the template was not doing anything malicious, it was just – uh – strange…
These are perhaps the most interesting finds – and highlight the additional capabilities Windows Defender ATP brings when compared to traditional Anti-Virus products. Two of the “trial” machines started setting off alerts the minute we onboarded them to Defender ATP. They were compromised before we got there and the 3rd party AV product that was on those machines has done nothing. To be fair, at least one of the threats was specifically designed to be stealthy and avoid detection by traditional AV products. “Process Hollowing” is something I’ve read about, but I didn’t expect to see it in our small sample of computers from mid-size Midwestern companies. And yet – there it was – RegSvr32.exe process running on a machine and continuously communicating with IP addresses all over the world. The activity of process compromise was invisible enough, but the code the bad guys ran inside the legitimate process was quite noisy once you knew what to look for.
The second threat that was rather interesting was a piece of custom credential stealing malware disguised to look like Microsoft Malicious Software Removal Tool. If you were to look in the process tree – you’d see Windows Update client launch a file that looks like legitimate Microsoft update/install:
Closer examination of the file showed that it had an invalid Microsoft signature on it – good effort by the bad guys here. If we weren’t sufficiently convinced by the strange file behavior, strange location, and an invalid signature, Microsoft global threat intel also told us that it has only seen this file 6 times globally, which is a bit low for something that’s trying to pretend to be a Windows 10 OS component.
My panic of the first few days where the flood of alerts was constant has subsided as some of these “pre-existing” conditions were addressed, and the frequency and severity of alerts dropped into a normal range. The panic has been replaced by a nagging anxiety – what would we find if we were monitoring all machines in these ten trial organizations, rather than less than 2% of those machines? Unlike abstract global threat intel reports – most of the trials are from organizations with 150-4,000 employees in the Midwest with representation from financial, services, manufacturing, and other industries. Contact us if you are curious what we would find in your organization or reach out to me directly – firstname.lastname@example.org.