Microsoft is making the threat intelligence it’s collected on coronavirus-related hacking campaigns public, the company announced Thursday.
“As a security intelligence community, we are stronger when we share information that offers a more complete view of attackers’ shifting techniques,” the Microsoft Threat Intelligence team said in a blog post. “This more complete view enables us all to be more proactive in protecting, detecting, and defending against attacks.”
Microsoft decided to open up its feed in order to boost awareness about attackers’ changing techniques during the pandemic — especially for those who may not have the expansive visibility the company possesses.
“Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack,” the security team wrote.
Michael Daniel, president and CEO of the Cyber Threat Alliance, a 26 member-strong cybersecurity threat-sharing nonprofit, said the shift in criminal activity during the pandemic has targeted people using new platforms for the first time.
“Overall, the security industry has not seen an increase in the volume of malicious activity; however, we have seen a rapid and dramatic shift in the focus of that criminal activity,” Daniel, a former White House cybersecurity coordinator, told CyberScoop. “The bad guys have shifted their focus to COVID-19 related themes, trying to capitalize on people’s fears, the overall lack of information, and the increase in first-time users of many on-line platforms.”
Microsoft’s move comes months after cybercriminals and nation-state actors began targeting victims around the world with coronavirus– and healthcare-themed spearphishing emails or bogus mobile applications. Chinese-backed hackers have also been targeting health researchers in the U.S. working to develop vaccines and treatments for COVID-19, according to the FBI and Department of Homeland Security.
The information that Microsoft is making available includes file hash indicators that have been used in malicious attachments in pandemic-related spearphishing email campaigns. Many of the email lures included in the feed have imitated World Health Organization and Red Cross branding, while other lures appear to be sharing information about COVID-19 with targets.
The 283 threat indicators Microsoft has shared are available through Microsoft’s Graph Security API or Azure Sentinel’s GitHub page.
Mandiant Threat Intelligence Senior Principal Analyst Sarah Jones told CyberScoop this kind of public sharing would likely be helpful for small- and medium-sized businesses working to combat coronavirus-related threats.
“We haven’t had a chance to observe this Microsoft feature, however, having multiple ways of integrating and querying outside intel feeds is always helpful for network defenders,” Jones said. “Further, releasing a high quality [and] vetted feed of Indicators of Compromise to customers can be a force multiplier for small and medium sized businesses.”
Cofense CTO Aaron Higbee welcomed the move, but added that spearphishing emails abusing Microsoft’s Office 365 are rampant for his customers.
“We applaud all efforts to keep people protected from the onslaught of phishing attacks that capitalize on pandemic fears and concerns,” Higbee told CyberScoop. “Cofense customers are voicing increasing frustration with Microsoft’s inability to filter out phishing emails. They become particularly irritated when they learn that the phish originated from an Office 365 account and the phishing kit is hosted on Office 365. I’m curious, of the 283 phishing indicators that Microsoft chose to share, how many of them are hosted within Office 365.”
Multiple groups of volunteer cybersecurity professionals banded together weeks ago to help healthcare entities combat burgeoning cybersecurity threats during the pandemic. Other companies have previously made announcements they are making their services more widely available.