Microsoft Open-Sources COVID-19 Threat Intelligence

Microsoft this week announced that it has made some of its COVID-19 threat intelligence available to the public. 

The number of attacks targeting organizations and individuals worldwide using coronavirus lures has increased dramatically over the past several months, and Microsoft says it wants to help even those who do not use its threat protection solutions.

The company says it processes “trillions of signals each day across identities, endpoint, cloud, applications, and email,” thus having broad visibility into a variety of COVID-19-themed attacks.  

Microsoft has been sharing examples of malicious lures and has provided guided hunting of COVID-themed threats through Azure Sentinel Notebooks, but has decided to take things one step further.

For that, the tech company is making some of its threat indicators available publicly. Microsoft Threat Protection (MTP) can already keep customers safe from the threats identified by these indicators, but those who do not use the solution are not protected. 

By publishing these indicators, Microsoft aims to raise awareness of the shift in attackers’ techniques and help detect them.

The indicators were made available both in the Azure Sentinel GitHub repo, and through the Microsoft Graph Security API. Enterprise customers that use MISP for storing and sharing threat intelligence can leverage these indicators via a MISP feed.

“This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis,” Microsoft says. 

The company says this is only the beginning of its sharing of COVID-related IOCs, but underlines that this is a time-limited feed, maintained “through the peak of the outbreak to help organizations focus on recovery.”

The initial release consists of file hash indicators for email attachments that Microsoft has deemed malicious. 

Azure Sentinel customers can import these indicators using a Playbook or access them directly from queries. Both Office 365 ATP and Microsoft Defender ATP block attacks that employ these indicators, Microsoft says.
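The workflow the article describes, ingesting a published hash feed and hunting it against email attachment telemetry, as an added example. This is not Microsoft's code and does not reproduce the real schema of the Azure Sentinel feed: the CSV column names, the event fields and the sample attachments are constructed assumptions, and the digests are computed inline so the script runs offline.

```python
"""Hunt a hash-based IOC feed against email attachment events.

Added example, not code from Microsoft or the article. Assumed feed columns:
TimeStamp,IndicatorType,Indicator,Source (the real feed's schema is not
reproduced here). Event fields (sender, recipient, attachment, md5/sha1/sha256)
are likewise assumptions.
"""
import csv
import hashlib
import io
import re
from collections import Counter

HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_TYPE_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def infer_hash_type(value):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest, else None.

    The type is derived from the digest itself rather than trusted from the
    feed's IndicatorType column, so a mislabeled row still matches correctly.
    """
    v = value.strip().lower()
    if not HEX_RE.match(v):
        return None
    return HASH_TYPE_BY_LENGTH.get(len(v))


def parse_feed(csv_text):
    """Index the feed by normalized (lowercase) digest.

    Returns (index, skipped): rows whose Indicator is not an MD5/SHA-1/SHA-256
    hex digest (for example a domain) are counted per IndicatorType instead of
    silently dropped, so an operator can see what the feed carried but the
    hash-only hunt could not use.
    """
    index, skipped = {}, Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        digest = row["Indicator"].strip().lower()
        htype = infer_hash_type(digest)
        if htype is None:
            skipped[row.get("IndicatorType", "?")] += 1
            continue
        index[digest] = {"type": htype, "added": row["TimeStamp"], "source": row["Source"]}
    return index, skipped


def hunt(index, events):
    """Return events whose attachment digest (any algorithm logged) is in the feed."""
    hits = []
    for ev in events:
        for key in ("md5", "sha1", "sha256"):
            digest = ev.get(key)
            if digest and digest.strip().lower() in index:
                ioc = index[digest.strip().lower()]
                hits.append({"matched_on": key, "ioc_added": ioc["added"], **ev})
                break  # one hit per event is enough for triage
    return hits


# Constructed attachment contents; the feed and events below are built from
# their digests so the example is self-contained.
MALICIOUS_ATTACHMENTS = {
    "COVID-19_relief_form.doc": b"constructed malicious macro document #1",
    "WHO_guidance.xls": b"constructed malicious macro document #2",
}


def build_sample_feed():
    """Constructed feed: two SHA-256 rows (one uppercase), one MD5, one domain."""
    rows = ["TimeStamp,IndicatorType,Indicator,Source"]
    for blob in MALICIOUS_ATTACHMENTS.values():
        rows.append("2020-05-14T00:00:00Z,FileHash-SHA256,%s,ExampleFeed"
                    % hashlib.sha256(blob).hexdigest().upper())
    rows.append("2020-05-14T00:00:00Z,FileHash-MD5,%s,ExampleFeed"
                % hashlib.md5(MALICIOUS_ATTACHMENTS["WHO_guidance.xls"]).hexdigest())
    rows.append("2020-05-14T00:00:00Z,DomainName,example.invalid,ExampleFeed")
    return "\n".join(rows) + "\n"


def build_sample_events():
    """Constructed attachment telemetry; the second gateway logged only an MD5."""
    benign = b"quarterly report, nothing to see"
    return [
        {"ts": "2020-05-15T09:01:00Z", "sender": "payroll@example.net",
         "recipient": "alice@example.org", "attachment": "COVID-19_relief_form.doc",
         "sha256": hashlib.sha256(MALICIOUS_ATTACHMENTS["COVID-19_relief_form.doc"]).hexdigest()},
        {"ts": "2020-05-15T09:07:00Z", "sender": "alerts@example.net",
         "recipient": "bob@example.org", "attachment": "WHO_guidance.xls",
         "md5": hashlib.md5(MALICIOUS_ATTACHMENTS["WHO_guidance.xls"]).hexdigest().upper()},
        {"ts": "2020-05-15T09:12:00Z", "sender": "finance@example.org",
         "recipient": "carol@example.org", "attachment": "q1_report.pdf",
         "sha256": hashlib.sha256(benign).hexdigest()},
    ]


if __name__ == "__main__":
    idx, skipped = parse_feed(build_sample_feed())
    print("indexed %d hashes, skipped %s" % (len(idx), dict(skipped)))
    for hit in hunt(idx, build_sample_events()):
        print("HIT %s -> %s  %s (matched on %s, IOC added %s)" % (
            hit["sender"], hit["recipient"], hit["attachment"], hit["matched_on"], hit["ioc_added"]))
```

Two points from the script carry over to a real feed: normalize case on both sides before matching, since feeds and mail gateways disagree on hex casing, and record which digest algorithm produced the match, because a gateway that only logs MD5 cannot be hunted with a SHA-256-only feed. File hashes are also the easiest indicator for an attacker to change, which is consistent with Microsoft describing this as a time-limited feed rather than a durable detection.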

Related: US and UK Warn of Adversaries Targeting COVID-19 Responders

Related: Healthcare, Government Organizations Targeted in BEC Attacks With COVID-19

Related: Beware of Sick Behavior Masquerading as Coronavirus

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
