Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Microsoft Open-Sources COVID-19 Threat Intelligence

Microsoft this week announced that it has made some of its COVID-19 threat intelligence available to the public. 

Microsoft this week announced that it has made some of its COVID-19 threat intelligence available to the public. 

The number of attacks targeting organizations and individuals worldwide using coronavirus lures has increased dramatically over the past several months, and Microsoft says it wants to help even those who do not use its threat protection solutions.

The company says it processes “trillions of signals each day across identities, endpoint, cloud, applications, and email,” thus having broad visibility into a variety of COVID-19-themed attacks.  

Microsoft has been sharing examples of malicious lures and has provided guided hunting of COVID-themed threats through Azure Sentinel Notebooks, but has decided to take things one step further.

For that, the tech company is making some of its threat indicators available publicly. Microsoft Threat Protection (MTP) can already keep customers safe from the threats identified by these indicators, but those who do not use the solution are not protected. 

By publishing these indicators, Microsoft aims to raise awareness of the shift in attackers’ techniques and help detect them.

The indicators were made available both in the Azure Sentinel GitHub repo, and through the Microsoft Graph Security API. Enterprise customers that use MISP for storing and sharing threat intelligence can leverage these indicators via a MISP feed.

“This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis,” Microsoft says. 

The company says this is only the beginning of its sharing of COVID-related IOCs, but underlines that this is a time-limited feed, maintained “through the peak of the outbreak to help organizations focus on recovery.”

What the company released today includes file hash indicators related to email attachments that were deemed malicious. 

Azure Sentinel customers can import these indicators using a Playbook or access them directly from queries. Both Office 365 ATP and Microsoft Defender ATP block attacks that employ these indicators, Microsoft says.

Related: US and UK Warn of Adversaries Targeting COVID-19 Responders

Related: Healthcare, Government Organizations Targeted in BEC Attacks With COVID-19

Related: Beware of Sick Behavior Masquerading as Coronavirus

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Threat Intelligence

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

T-Mobile disclosed another massive data breach affecting approximately 37 million customer accounts.


Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...

Incident Response

A new Mississippi Cyber Unit will be the state’s centralized cybersecurity threat information, mitigation and incident reporting and response center.