Security Experts:

Microsoft Open-Sources COVID-19 Threat Intelligence

Microsoft this week announced that it has made some of its COVID-19 threat intelligence available to the public. 

The number of attacks targeting organizations and individuals worldwide using coronavirus lures has increased dramatically over the past several months, and Microsoft says it wants to help even those who do not use its threat protection solutions.

The company says it processes “trillions of signals each day across identities, endpoint, cloud, applications, and email,” thus having broad visibility into a variety of COVID-19-themed attacks.  

Microsoft has been sharing examples of malicious lures and has provided guided hunting of COVID-themed threats through Azure Sentinel Notebooks, but has decided to take things one step further.

For that, the tech company is making some of its threat indicators available publicly. Microsoft Threat Protection (MTP) can already keep customers safe from the threats identified by these indicators, but those who do not use the solution are not protected. 

By publishing these indicators, Microsoft aims to raise awareness of the shift in attackers’ techniques and help detect them.

The indicators were made available both in the Azure Sentinel GitHub repo, and through the Microsoft Graph Security API. Enterprise customers that use MISP for storing and sharing threat intelligence can leverage these indicators via a MISP feed.

“This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis,” Microsoft says. 

The company says this is only the beginning of its sharing of COVID-related IOCs, but underlines that this is a time-limited feed, maintained “through the peak of the outbreak to help organizations focus on recovery.”

What the company released today includes file hash indicators related to email attachments that were deemed malicious. 

Azure Sentinel customers can import these indicators using a Playbook or access them directly from queries. Both Office 365 ATP and Microsoft Defender ATP block attacks that employ these indicators, Microsoft says.

Related: US and UK Warn of Adversaries Targeting COVID-19 Responders

Related: Healthcare, Government Organizations Targeted in BEC Attacks With COVID-19

Related: Beware of Sick Behavior Masquerading as Coronavirus

view counter