A global threat requires a global response. As the world faces the common threat of COVID-19, defenders are working overtime to protect users around the world from cybercriminals using COVID-19 as bait for their attacks. As a community of security experts, we are stronger when we share information that gives a more complete picture of how attackers are changing their methods. That broader view lets all of us be more proactive in protecting against, detecting and defending against attacks.
Microsoft’s security products provide integrated protection against these and other threats, and we have published a detailed guide to help organizations combat today’s threats (Collaborative Response to COVID-19). Our threat experts have shared examples of malicious lures, and we have enabled hunting for COVID-19-themed threats with Azure Sentinel notebooks. Microsoft processes trillions of signals every day across endpoints, cloud, applications and email. This gives us visibility into a wide range of COVID-19 attacks and lets us detect, protect against and respond to them throughout our security stack. Today we are taking another step in sharing information about COVID-19 threats by making some of our own indicators available to those who are not yet protected by our solutions. Microsoft Threat Protection (MTP) customers are already protected against the threats identified by this data, by Microsoft Defender Advanced Threat Protection (ATP) on endpoints and by Office 365 ATP for email.
In addition, we are publishing these indicators for those not protected by Microsoft Threat Protection, to raise awareness of how attackers’ techniques are evolving, how to detect them, and to enable their own hunting. The indicators are available in two ways: through the Azure Sentinel GitHub repository and through the Microsoft Graph Security API. Enterprise customers who use MISP to store and share threat intelligence can consume the data directly as a MISP feed.
This threat intelligence is intended for the wider security community, and also for customers who want to do additional hunting, since all of us are better protected when defenders work together against attackers trying to exploit the COVID-19 crisis.
This feed marks the beginning of sharing some of Microsoft’s COVID-19-related threat intelligence. We will continue to look for ways to improve the data during the crisis. Although some threats and actors are still best tracked in a less public way, we are working toward more transparency, and we welcome public feedback on the kinds of information that are most useful to defenders facing COVID-19-related threats. The feed is time-limited: we will maintain it through the peak of the epidemic to help organizations focus on recovery.
Protection with Azure Sentinel and Microsoft Threat Protection
Today’s release includes file hash indicators for email attachments that were identified as malicious and that attempted to deceive users with COVID-19 or Coronavirus lures. Below are instructions on how to access this feed and integrate it into your own environment.
For Azure Sentinel customers, this data can be imported into Azure Sentinel through a playbook or queried directly.
The Microsoft-provided Azure Sentinel playbook continuously monitors these indicators and imports them into your Azure Sentinel ThreatIntelligenceIndicator table. Azure Sentinel then compares the indicators against your event data and generates security incidents when the built-in threat intelligence analytics rules detect activity matching them.
The indicators can also be queried directly in Azure Sentinel with the externaldata operator, as follows:
let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType:string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"));
covidIndicators
The Azure Sentinel GitHub repository also includes a sample detection query. With the table definition above, it is as simple as this:
- Join the indicators to the CEF-based logs in the CommonSecurityLog table (where firewall and proxy events land), matching the indicator hash against the FileHash column:
covidIndicators
| join (
    CommonSecurityLog
    | where TimeGenerated >= ago(7d)
    | where isnotempty(FileHash)
) on $left.FileHashValue == $right.FileHash
- Then select New alert rule to configure Azure Sentinel to raise incidents based on this query and return the results.
You should start seeing alerts in Azure Sentinel for any matches against these COVID-19 threat indicators.
Microsoft Threat Protection provides protection against the threats associated with these indicators. Attacks matching these COVID-19 indicators are blocked by Office 365 ATP and Microsoft Defender ATP.
Although MTP customers are already protected, they can also use these indicators for additional hunting scenarios with MTP advanced hunting.
Here is a query to find processes that created a file whose hash matches an entry in the list:
let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType:string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join (
    DeviceFileEvents
    | where Timestamp > ago(1d)
    | where ActionType == 'FileCreated'
    | take 100
) on $left.FileHashValue == $right.SHA256
Note that the take 100 inside the join samples only 100 file creation events before matching; it keeps the query cheap while you try it out, but for a real hunt remove it (or narrow the time window instead) so that every FileCreated event is checked against the list.
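The two hash-join queries above (the Azure Sentinel join against CommonSecurityLog and the MTP join against DeviceFileEvents) do the same thing: filter the feed, then inner-join log records to it on a file hash. The Python below is an added example, not Microsoft's code or part of the feed, that reproduces that logic offline so you can see exactly what the filters keep and drop. The feed rows and file events are constructed for illustration, the hashes are sha256 digests of dummy labels rather than real indicators, and NOW is a fixed reference time standing in for ago(1d).

```python
import csv
import hashlib
import io
from datetime import datetime, timedelta, timezone

# Fixed reference time so the lookback filter is deterministic (the KQL uses ago(1d)).
NOW = datetime(2020, 5, 14, 12, 0, tzinfo=timezone.utc)


def fake_sha256(label: str) -> str:
    """Constructed stand-in for a feed hash: sha256 of a label, NOT a real indicator."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed feed text in the three-column layout of Microsoft.Covid19.Indicators.csv.
FEED_CSV = "\n".join([
    "TimeGenerated,FileHashValue,FileHashType",
    "2020-05-14T09:15:00Z," + fake_sha256("lure-1") + ",sha256",
    "2020-05-14T10:30:00Z," + fake_sha256("lure-2") + ",sha256",
    "2020-05-01T08:00:00Z," + fake_sha256("old-lure") + ",sha256",  # older than the 1-day window
    "2020-05-14T11:00:00Z,0123456789abcdef0123456789abcdef,md5",     # wrong hash type, dropped
    "",
])


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_indicators(csv_text, hash_type="sha256", lookback=timedelta(days=1), now=NOW):
    """Equivalent of: where FileHashType == 'sha256' and TimeGenerated > ago(1d).
    Returns {hash (lower-case): TimeGenerated} so the later join is case-insensitive."""
    cutoff = now - lookback
    indicators = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["FileHashType"].strip().lower() != hash_type:
            continue
        seen = parse_ts(row["TimeGenerated"].strip())
        if seen <= cutoff:
            continue
        indicators[row["FileHashValue"].strip().lower()] = seen
    return indicators


# Constructed DeviceFileEvents-style records. Defender reports SHA256 in lower case,
# but other log sources may not, so the match below normalises case on both sides.
FILE_EVENTS = [
    {"Timestamp": "2020-05-14T11:40:00Z", "ActionType": "FileCreated", "DeviceName": "wks-01",
     "FileName": "COURSE FOR KORONAVIRUS_pdf.gz", "SHA256": fake_sha256("lure-1").upper()},
    {"Timestamp": "2020-05-14T11:41:00Z", "ActionType": "FileModified", "DeviceName": "wks-01",
     "FileName": "notes.txt", "SHA256": fake_sha256("lure-2")},
    {"Timestamp": "2020-05-14T11:42:00Z", "ActionType": "FileCreated", "DeviceName": "wks-02",
     "FileName": "report.docx", "SHA256": fake_sha256("benign")},
    {"Timestamp": "2020-05-14T11:43:00Z", "ActionType": "FileCreated", "DeviceName": "wks-03",
     "FileName": "old.gz", "SHA256": fake_sha256("old-lure")},
]


def hunt_file_events(events, indicators, action="FileCreated"):
    """Inner join of file events to indicators on SHA256, i.e. the KQL
    'join ... on $left.FileHashValue == $right.SHA256' restricted to ActionType == action."""
    hits = []
    for ev in events:
        if ev["ActionType"] != action:
            continue
        key = ev["SHA256"].lower()
        if key in indicators:
            hits.append({**ev, "IndicatorSeen": indicators[key]})
    return hits


if __name__ == "__main__":
    for hit in hunt_file_events(FILE_EVENTS, load_indicators(FEED_CSV)):
        print(f"{hit['DeviceName']}: {hit['FileName']} matches an indicator "
              f"first seen {hit['IndicatorSeen']:%Y-%m-%d %H:%M}")
```

Of the four constructed events only the FileCreated event on wks-01 is reported: the FileModified event is filtered out by ActionType, the benign hash is not in the feed, and the old-lure hash was dropped by the one-day lookback before the join ran. If you want older indicators to still match, widen the lookback rather than removing the hash-type filter, since md5 values would otherwise never match a SHA256 column.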
The following MTP advanced hunting query goes a step further: for each recipient of an attachment in the indicator list, it looks for recent logons by that user on your devices. Although MTP blocks the COVID-19 threats themselves, users who are targeted by them may also be exposed to non-COVID attacks, and MTP can combine device and email data for this kind of investigation.
let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType:string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join (
    EmailAttachmentInfo
    | where Timestamp > ago(1d)
    | project NetworkMessageId, SHA256
) on $left.FileHashValue == $right.SHA256
| join (
    EmailEvents
    | where Timestamp > ago(1d)
) on NetworkMessageId
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0])
| join (
    DeviceLogonEvents
    | project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
| where (LogonTime - TimeEmail) between (0min .. 90min)
| take 10
The names of the two inner tables, EmailEvents and DeviceLogonEvents, are the advanced hunting tables that carry the columns each subquery projects (Subject, SenderFromAddress and RecipientEmailAddress; Timestamp, AccountName and DeviceName). Two caveats when adapting this: the join on AccountName only lines up where the local part of the mailbox address equals the device logon name, so users whose addresses do not follow that convention will be missed; and the 0 to 90 minute window is a starting point for triage, not a statement about how quickly a lure is opened, so widen it if your users read mail on a different rhythm.
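To make the three-way join concrete, the Python below is an added example (not Microsoft's query or code) that runs the same correlation offline: attachments whose hash is in the indicator set, the message metadata for those attachments, and then the recipient's device logons that fall 0 to 90 minutes after the mail arrived. All rows are constructed for illustration, the hashes are sha256 digests of dummy labels rather than real indicators, and the domains are placeholders.

```python
import hashlib
from datetime import datetime, timedelta, timezone


def fake_sha256(label: str) -> str:
    """Constructed stand-in for an indicator hash (sha256 of a label, NOT a real IOC)."""
    return hashlib.sha256(label.encode()).hexdigest()


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed indicator set, already reduced to sha256 values as the KQL does.
INDICATORS = {fake_sha256("lure-1"), fake_sha256("lure-2")}

# Constructed EmailAttachmentInfo rows: NetworkMessageId, SHA256.
EMAIL_ATTACHMENTS = [
    {"NetworkMessageId": "msg-1", "SHA256": fake_sha256("lure-1")},
    {"NetworkMessageId": "msg-2", "SHA256": fake_sha256("benign")},
    {"NetworkMessageId": "msg-3", "SHA256": fake_sha256("lure-2")},
]

# Constructed EmailEvents rows, limited to the columns the query projects.
EMAIL_EVENTS = [
    {"NetworkMessageId": "msg-1", "Timestamp": "2020-05-14T09:00:00Z",
     "Subject": "SAFETY INSTRUCTIONS COVID-19", "SenderFromAddress": "alerts@example.invalid",
     "RecipientEmailAddress": "Alice@contoso.example"},
    {"NetworkMessageId": "msg-2", "Timestamp": "2020-05-14T09:05:00Z",
     "Subject": "Weekly report", "SenderFromAddress": "bob@contoso.example",
     "RecipientEmailAddress": "alice@contoso.example"},
    {"NetworkMessageId": "msg-3", "Timestamp": "2020-05-14T10:00:00Z",
     "Subject": "COVID-19 financial support", "SenderFromAddress": "support@example.invalid",
     "RecipientEmailAddress": "bob@contoso.example"},
]

# Constructed DeviceLogonEvents rows: Timestamp, AccountName, DeviceName.
DEVICE_LOGONS = [
    {"Timestamp": "2020-05-14T09:20:00Z", "AccountName": "alice", "DeviceName": "wks-01"},  # 20 min after msg-1
    {"Timestamp": "2020-05-14T08:50:00Z", "AccountName": "alice", "DeviceName": "wks-05"},  # before the email
    {"Timestamp": "2020-05-14T12:30:00Z", "AccountName": "bob",   "DeviceName": "wks-02"},  # 150 min after msg-3
    {"Timestamp": "2020-05-14T10:45:00Z", "AccountName": "carol", "DeviceName": "wks-03"},  # no flagged email
]


def recipients_of_flagged_mail(attachments, emails, indicators):
    """First two joins: attachment hash -> indicator, then NetworkMessageId -> email metadata.
    AccountName is the local part of the recipient address, lower-cased, mirroring
    tostring(split(RecipientEmailAddress, "@")[0])."""
    flagged_ids = {a["NetworkMessageId"] for a in attachments if a["SHA256"].lower() in indicators}
    rows = []
    for e in emails:
        if e["NetworkMessageId"] not in flagged_ids:
            continue
        rows.append({
            "TimeEmail": parse_ts(e["Timestamp"]),
            "Subject": e["Subject"],
            "SenderFromAddress": e["SenderFromAddress"],
            "AccountName": e["RecipientEmailAddress"].split("@")[0].lower(),
        })
    return rows


def logons_after_flagged_mail(attachments, emails, logons, indicators, window=timedelta(minutes=90)):
    """Third join plus the time filter: keep device logons by the recipient that fall
    0..window after the email, i.e. (LogonTime - TimeEmail) between (0min .. 90min)."""
    results = []
    for r in recipients_of_flagged_mail(attachments, emails, indicators):
        for logon in logons:
            if logon["AccountName"].lower() != r["AccountName"]:
                continue
            logon_time = parse_ts(logon["Timestamp"])
            delta = logon_time - r["TimeEmail"]
            if timedelta(0) <= delta <= window:
                results.append({**r, "LogonTime": logon_time, "DeviceName": logon["DeviceName"],
                                "MinutesAfterEmail": int(delta.total_seconds() // 60)})
    return results


if __name__ == "__main__":
    for row in logons_after_flagged_mail(EMAIL_ATTACHMENTS, EMAIL_EVENTS, DEVICE_LOGONS, INDICATORS):
        print(f"{row['AccountName']} logged on to {row['DeviceName']} {row['MinutesAfterEmail']} min after "
              f"receiving '{row['Subject']}' from {row['SenderFromAddress']}")
```

Only alice's logon to wks-01 survives: her earlier logon precedes the email, bob's logon is outside the 90-minute window, and carol never received a flagged message. The benign attachment to alice (msg-2) is dropped at the first join, so it does not inflate her list of flagged messages.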
Connect the MISP feed to Azure Sentinel
The indicators published on the Azure Sentinel GitHub repository can also be consumed directly through MISP’s feed functionality. We have published the data at https://aka.ms/msft-covid19-misp. See the Azure Sentinel documentation on connecting data from threat intelligence platforms.
Can I use the indicators if I am not an Azure Sentinel or MTP customer?
Yes. The Azure Sentinel GitHub repository is public: https://aka.ms/msft-covid19-Indicators.
Examples of phishing campaigns in this threat feed
Below is a small selection of the COVID-19 phishing lures whose email attachments appear in this feed. Beneath each screenshot are the hashes and associated metadata.
Figure 1: Abuse of the WHO brand with a treatment and vaccine message and a malicious .gz file.
Name: COURSE FOR KORONAVIRUS_pdf.gz
Figure 2: Fake Red Cross safety instructions with a malicious .docm file.
Name: SAFETY INSTRUCTIONS COVID-19.docm
Figure 3: Impersonation of a South African bank offering COVID-19 financial support, with a malicious .html file.
Name: SBSA-COVID-19 – Financial support.
Figure 4: Fake French-language WHO correspondence with a malicious XLS macro file.
Name: -✉-Covid-19 Land plan5558-23636sd.htm
If you have any questions or feedback about this COVID-19 feed, please write to [email protected]