
How AI can support social interaction between children who are blind and their peers

A young boy wearing the PeopleLens sits on the floor of a playroom holding a blind tennis ball in his hands. His attention is directed toward a woman sitting on the floor in front of him holding her hands out. The PeopleLens looks like small goggles that sit on the forehead. The image is marked with visual annotations to indicate what the PeopleLens is seeing and what sounds are being heard.
The PeopleLens is a new research technology designed to help people who are blind or have low vision better understand their immediate social environments by locating and identifying people in the space. Coupled with a scheme of work based on research and practices from psychology and speech and language therapy, the system can help children and young people who are blind more easily forge social connections with their peers.

For children born blind, social interaction can be particularly challenging. A child may have difficulty aiming their voice at the person they’re talking to and put their head on their desk instead. Linguistically advanced young people may struggle with maintaining a topic of conversation, talking only about something of interest to them. Most noticeably, many children and young people who are blind struggle with engaging and befriending those in their age group despite a strong desire to do so. This is often deeply frustrating for the child or young person and can be equally so for their support network of family members and teachers who want to help them forge these important connections.

  • Publication: PeopleLens. The PeopleLens is an open-ended AI system that offers people who are blind or who have low vision further resources to make sense of and engage with their immediate social surroundings.

The PeopleLens is a new research technology that we’ve created to help young people who are blind (referred to as learners in our work) and their peers interact more easily. A head-worn device, the PeopleLens reads aloud in spatialized audio the names of known individuals when the learner looks at them. That means the sound comes from the direction of the person, assisting the learner in understanding both the relative position and distance of their peers. The PeopleLens helps learners build a People Map, a mental map of those around them needed to effectively signal communicative intent. The technology, in turn, indicates to the learner’s peers when the peers have been “seen” and can interact—a replacement for the eye contact that usually initiates interaction between people.

For children and young people who are blind, the PeopleLens is a way to find their friends; however, for teachers and parents, it’s a way for these children and young people to develop competence and confidence in social interaction. An accompanying scheme of work aims to guide the development of spatial attention skills believed to underpin social interaction through a series of games that learners using the PeopleLens can play with peers. It also sets up situations in which learners can experience agency in social interaction. A child’s realization that they can choose to initiate a conversation because they spot someone first or that they can stop a talkative brother from speaking by looking away is a powerful moment, motivating them to delve deeper into directing their own and others’ attention.

The PeopleLens is an advanced research prototype that works on Nreal Light augmented reality glasses tethered to a phone. While it’s not available for purchase, we are recruiting learners in the United Kingdom aged 5 to 11 who have the support of a teacher to explore the technology as part of a multistage research study. For the study, led by the University of Bristol, learners will be asked to use the PeopleLens for a three-month period beginning in September 2022. For more information, visit the research study information page.

Research foundation 

The scheme of work, coauthored by collaborators Professor Linda Pring and Dr. Vasiliki Kladouchou, draws on research and practice from psychology and speech and language therapy in providing activities to do with the technology. The PeopleLens builds on the hypothesis that many social interaction difficulties for children who are blind stem from differences in the ways children with and without vision acquire fundamental attentional processes as babies and young children. For example, growing up, children with vision learn to internalize a joint visual dialogue of attention. A young child points at something in the sky, and the parent says, “Bird.” Through these dialogues, young children learn how to direct the attention of others. However, there isn’t enough research to understand how joint attention manifests in children who are blind. A review of the literature suggests that most research doesn’t account for a missing sense and that research specific to visual impairment doesn’t provide a framework for joint attention beyond the age of 3. We’re carrying out research to better understand how the development of joint attention can be improved in early education and augmented with technology.

How does the PeopleLens work? 

The PeopleLens is a sophisticated AI prototype system that is intended to provide people who are blind or have low vision with a better understanding of their immediate social environment. It uses a head-mounted augmented reality device in combination with four state-of-the-art computer vision algorithms to continuously locate, identify, track, and capture the gaze directions of people in the vicinity. It then presents this information to the wearer through spatialized audio—sound that comes from the direction of the person. The real-time nature of the system gives a sense of immersion in the People Map.

The PeopleLens helps the child wearing it build a mental map of those in their immediate social environment. Because the PeopleLens reads aloud the names of identified people in spatialized audio, the child is able to get a sense of the respective positions and distances of their peers. The system receives images and processes them with computer vision algorithms, as shown by the overlays on the top images in this screenshot of the PeopleLens development environment. The system then stitches together a world map that’s used to drive the experiences, as shown at the bottom right.

The PeopleLens is a ground-breaking technology that has also been designed to protect privacy. Among the algorithms underpinning the system is facial recognition of people who’ve been registered in the system. A person registers by taking several photographs of themselves with the phone attached to the PeopleLens. The photographs aren’t stored; instead, each is converted into a vector of numbers that represents the face. These vectors differ from any used in other systems, so recognition by the PeopleLens doesn’t lead to recognition by any other system. No video or photographs are retained by the system, so there are no images that could be misused. The vectors and the names registered with them are still personal data, and they need the same protection at rest as any other identity store.

The system employs a series of sounds to assist the wearer in placing people in the surrounding space: A percussive bump indicates when their gaze has crossed a person up to 10 meters away. The bump is followed by the person’s name if the person is registered in the system, is within 4 meters of the wearer, and both the person’s ears can be detected. The sound of woodblocks guides the wearer in finding and centering the face of a person the system has seen for 1 second but hasn’t identified, changing in pitch to help the wearer adjust their gaze accordingly. (Those people who are unregistered are acknowledged with a click sound.) Gaze notification can alert the wearer to when they’re being looked at. 

A graphic overview of the PeopleLens system describes its functionality and experience features with accompanying icons.
The functionality of the PeopleLens system includes experience features such as recognizing a person in front of the wearer; attention notifications from the direction of those who look at the wearer; the ability to follow someone; and an orientation guide to help wearers find people and faces.

Community collaboration

The success of the PeopleLens, as well as systems like it, is dependent on a prototyping process that includes close collaboration with the people it is intended to serve. Our work with children who are blind and their support systems has put us on a path toward building a tool that can have practical value and empower those using it. We encourage those interested in the PeopleLens to reach out about participating in our study and help us further evolve the technology. 

To learn more about the PeopleLens and its development, check out the Innovation Stories blog about the technology.


Scaling cloud solutions to new heights with Microsoft’s partner ecosystem

Companies building cloud solutions (such as independent software vendors (ISVs), SaaS providers, and app builders) have never been more important to the world than they are today.

With the continued acceleration of digital transformation, every organization, small or large, in every industry across the globe, will require cloud infrastructure and services to power their business. As customers’ needs for cloud solutions exponentially increase, so do the opportunities for ISVs to connect with partners and customers across the Microsoft Cloud and the commercial marketplace. To help our ecosystem harness these opportunities, we are announcing:

  • Private offers with margin sharing to motivate 90,000-plus cloud partners: Now generally available, ISVs can use the private offer capability in the commercial marketplace to create and share margins to partners in the Cloud Solution Provider program—creating new sales channels instantly.
  • Increased agility with private offers for customers: With enhancements to private offers in the commercial marketplace, ISVs can now create a unique private offer per customer in less than 15 minutes. This helps ISVs unlock enterprise customers for seven-digit deals and sell directly to customers with a cloud consumption commitment (if the ISV solution is eligible for Azure IP co-sell).

For Microsoft, the commercial marketplace is the connector between ISVs and customers—it’s an engine dedicated to accelerating growth. By selling through the commercial marketplace, ISVs get instant access to global reach: 1 billion people that use Microsoft technology, 95 percent of Fortune 500 companies who use Microsoft Azure, and 270M monthly active users on Microsoft Teams. 

Shifts in business-to-business (B2B) buying

Before COVID-19, customers in both B2C and B2B environments had already expressed a preference for digital commerce experiences. COVID-19 only accelerated digital adoption, and digital-first selling is here to stay.

Harvard Business Review [1] recently surveyed 1,000 B2B buyers. 43 percent of those surveyed would prefer a purely digital experience for all sales. When the data was cut by generation, 29 percent of Baby Boomers preferred digital experiences in B2B buying and 54 percent of millennials had the same sentiment. Ten years from now, the channels we use for B2B buying today will be obsolete or at least forever transformed. Commercial marketplaces deliver on digital-first. Through B2B marketplaces, customers get a trusted buying experience that simplifies purchase and deployment while helping them optimize costs with pre-committed cloud spend.

Private offers to scale and motivate 90K-plus cloud partners

ISV margin sharing with partners in the Cloud Solution Provider program (CSPs) became generally available on February 14, 2022. With margin sharing, ISVs can directly incentivize CSPs to sell their solutions, which delivers on the promise of partner-to-partner marketing.

Collaborating with CSPs, ISVs can lower customer acquisition costs and scale their business to new customers globally. We are seeing pairings of ISV and CSP partners having tremendous success. Just two months into their partnership, Pax8 (the CSP) and LawToolBox (the ISV) have seen a 105 percent increase in licenses transacted through the marketplace.

Another partner pairing, Sherweb (the CSP) and Nimble (the ISV), were able to work together and scale without adding any overhead. 

“The outcome of becoming a P2P co-seller with Microsoft has enabled Nimble to scale our simple serum for Microsoft 365 to over 22 countries around the world without hiring one person. That’s amazing.”

Jon Ferrara, CEO Nimble

ISVs can offer margin to 400 eligible partners at once to open new sales channels, mobilizing a global ecosystem of partners. This also helps ISVs lower acquisition costs and simplify the sales process while increasing customer retention. And finally, when CSPs sell an ISV solution, they can bundle it with Microsoft Cloud solutions and their own value-add services to drive scale and recurring revenue.

Guidance on how to create a private offer and extend a margin to partners in the Cloud Solution Provider program.

Increased agility with private offers—accelerating seven-digit sales

To meet the needs of customers with agility, ISVs often use private offers. Private offers are the key to enterprise deal-making in the marketplace delivering flexibility like negotiated pricing, private terms and conditions, and specialized configurations. Microsoft has recently made substantial improvements to this functionality—ISVs can now create unique private offers per customer in less than 15 minutes.

Additional improvements include:

  • Create an unlimited number of private offers.
  • Ability to time-bound the private offer.
  • Offer custom terms and conditions.
  • Bundle multiple products in the same private offer.

One of the main motivators for customers to buy through B2B marketplaces is to decrement pre-committed cloud spend. Microsoft offers 100 percent of sales through the Azure Marketplace for Azure IP co-sell eligible solutions to count towards a customer’s Microsoft Azure Consumption Commitment (MACC). These deals are often in the millions and commonly transacted via private offers—the large deal sizes often need customized terms and conditions, special pricing considerations, and so on.

The recent improvements in private offers help ISVs connect with MACC-eligible customers. According to tackle.io’s annual State of Cloud Marketplaces report [2], 82 percent of ISVs listed unlocking pre-committed cloud spend as their number one reason to sell through commercial marketplaces, and 43 percent of customers listed spending pre-committed cloud spend as their number one reason to buy through commercial marketplaces. Microsoft has a rich set of enterprise customers that require private offers, and we are seeing the acceleration. Year-over-year we have seen a 300 percent increase in customers buying Azure IP co-sell solutions through the commercial marketplace and we expect those numbers to continue to grow.

For agility and speed, ISVs can leverage APIs to create private offers and can view all private offers in a centralized dashboard with the flexibility to copy, withdraw, and upgrade offers as appropriate. As customers accept private offers, or when private offers are set to expire, the ISV will be notified in Partner Center. For the customer, they will see all the private offers associated with their account and when they purchase, they simply accept the offer with a click. No need to re-deploy their virtual machines—the solution deploys right from the Azure portal and is configured to work in the customer’s tenant.

Embracing the marketplace as a sales channel

With the proliferation of cloud solutions, commercial marketplaces simplify selling and offer customers convenience and a trusted environment to buy and deploy solutions to run their business. ISVs can accelerate their growth by embracing a third-party marketplace as a major sales channel. The improvements to private offers give ISVs the agility they need whether selling to customers with cloud consumption commitments or scaling through our 90,000-plus partners in the CSP program.

As the most trusted and comprehensive cloud, the commercial marketplace is how we are helping deliver tech intensity at scale, connecting over 30,000 solutions from partners to the 1 billion customers who use Microsoft products. Activate this channel by becoming a Microsoft partner and by publishing a transactable offer to the commercial marketplace.

Resources

[1] Harvard Business Review
[2] tackle.io, State of Cloud Marketplaces report


Microsoft AI model surpasses human performance on benchmark test for natural language understanding

Natural language understanding (NLU) is one of the longest running goals in AI, and SuperGLUE is currently among the most challenging benchmarks for evaluating NLU models. The benchmark consists of a wide range of NLU tasks, including question answering, natural language inference, co-reference resolution, word sense disambiguation, and others. Take the causal reasoning task (COPA in Figure 1) as an example. Given the premise “the child became immune to the disease” and the question “what’s the cause for this?,” the model is asked to choose an answer from two plausible candidates: 1) “he avoided exposure to the disease” and 2) “he received the vaccine for the disease.” While it is easy for a human to choose the right answer, it is challenging for an AI model. To get the right answer, the model needs to understand the causal relationship between the premise and those plausible options.

Since its release in 2019, top research teams around the world have been developing large-scale pretrained language models (PLMs) that have driven striking performance improvement on the SuperGLUE benchmark. Microsoft recently updated the DeBERTa model by training a larger version that consists of 48 Transformer layers with 1.5 billion parameters. The significant performance boost makes the single DeBERTa model surpass the human performance on SuperGLUE for the first time in terms of macro-average score (89.9 versus 89.8), and the ensemble DeBERTa model sits atop the SuperGLUE benchmark rankings, outperforming the human baseline by a decent margin (90.3 versus 89.8). The model also sits at the top of the GLUE benchmark rankings with a macro-average score of 90.8.

Microsoft will release the 1.5-billion-parameter DeBERTa model and the source code to the public. In addition, DeBERTa is being integrated into the next version of the Microsoft Turing natural language representation model (Turing NLRv4). Our Turing models converge all language innovation across Microsoft, and they are then trained at large scale to support products like Bing, Office, Dynamics, and Azure Cognitive Services, powering a wide range of scenarios involving human-machine and human-human interactions via natural language (such as chatbot, recommendation, question answering, search, personal assist, customer support automation, content generation, and others) to benefit hundreds of millions of users through the Microsoft AI at Scale initiative.

Figure 1: The SuperGLUE leaderboard as of January 6th, 2021.

DeBERTa (Decoding-enhanced BERT with disentangled attention) is a Transformer-based neural language model pretrained on large amounts of raw text corpora using self-supervised learning. Like other PLMs, DeBERTa is intended to learn universal language representations that can be adapted to various downstream NLU tasks. DeBERTa improves previous state-of-the-art PLMs (for example, BERT, RoBERTa, UniLM) using three novel techniques (illustrated in Figure 2): a disentangled attention mechanism, an enhanced mask decoder, and a virtual adversarial training method for fine-tuning.

Figure 2: The architecture of DeBERTa. DeBERTa improves the BERT and RoBERTa models by 1) using a disentangled attention mechanism where each word is represented using two vectors that encode its content and relative position, respectively, and 2) an enhanced mask decoder.

Disentangled attention: a two-vector approach to content and position embedding

Unlike BERT, where each word in the input layer is represented using a vector that sums its word (content) embedding and position embedding, each word in DeBERTa is represented using two vectors that encode its content and position, respectively, and the attention weights among words are computed using disentangled matrices based on their contents and relative positions, respectively. This is motivated by the observation that the attention weight (which measures the strength of word-word dependency) of a word pair depends on not only their contents but also their relative positions. For example, the dependency between the words “deep” and “learning” is much stronger when they occur next to each other than when they occur in different sentences.
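The mechanism described above, as an added illustration in pure Python (this is not code from the DeBERTa project): each word keeps a single content vector wherever it appears, relative positions have their own embeddings, and the attention score is the sum of a content-to-content, a content-to-position and a position-to-content term, scaled by 1/sqrt(3d) as in the DeBERTa paper. The dimensions, projection weights, word vectors and the clipping window k are toy values constructed here; the example goes slightly beyond the text by also showing the bucketing of relative distances that makes the position table finite.

```python
"""Disentangled attention in the style of DeBERTa, as a small pure-Python
illustration.  Added example, not DeBERTa's own code.  All weights, word
vectors and sizes below are constructed toy values."""
import math
import random


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def matmul(a, b):
    cols = list(zip(*b))
    return [[dot(row, col) for col in cols] for row in a]


def softmax(row):
    m = max(row)
    exps = [math.exp(v - m) for v in row]
    total = sum(exps)
    return [v / total for v in exps]


def rel_bucket(i, j, k):
    """Map the signed distance i - j into one of 2k buckets.

    Distances beyond +/-k share the boundary bucket, so the model needs one
    relative-position embedding per bucket, not per absolute offset."""
    d = max(-k, min(k - 1, i - j))
    return d + k


def disentangled_attention(H, P, W, k):
    """Return n x n attention weights for content vectors H (n x d),
    relative-position embeddings P (2k x d) and projection matrices W."""
    Qc, Kc = matmul(H, W["qc"]), matmul(H, W["kc"])   # content projections
    Qr, Kr = matmul(P, W["qr"]), matmul(P, W["kr"])   # position projections
    n, d = len(H), len(H[0])
    scale = 1.0 / math.sqrt(3 * d)                    # three summed terms
    weights = []
    for i in range(n):
        row = []
        for j in range(n):
            c2c = dot(Qc[i], Kc[j])                     # content -> content
            c2p = dot(Qc[i], Kr[rel_bucket(i, j, k)])   # content -> position
            p2c = dot(Kc[j], Qr[rel_bucket(j, i, k)])   # position -> content
            row.append((c2c + c2p + p2c) * scale)
        weights.append(softmax(row))
    return weights


def make_toy_model(vocab, d=8, k=4, seed=7):
    """Constructed toy parameters (assumption, not trained weights): one
    content vector per word, 2k relative-position embeddings and four
    d x d projections."""
    rng = random.Random(seed)

    def mat(rows, cols):
        return [[rng.gauss(0.0, 1.0) / math.sqrt(cols) for _ in range(cols)]
                for _ in range(rows)]

    return {"embed": {w: mat(1, d)[0] for w in vocab},
            "P": mat(2 * k, d),
            "W": {name: mat(d, d) for name in ("qc", "kc", "qr", "kr")},
            "k": k}


def attention_for(tokens, model):
    # The same content vector is used for a word wherever it sits; only the
    # relative-position terms know where it is.
    H = [model["embed"][t] for t in tokens]
    return disentangled_attention(H, model["P"], model["W"], model["k"])


def deep_learning_demo():
    """Attention paid by 'deep' to 'learning' when the words are adjacent
    versus three positions apart.  Both sentences contain the same words,
    so every content-to-content term is unchanged and any difference comes
    from the relative-position terms alone."""
    model = make_toy_model(["deep", "learning", "is", "fun"])
    adjacent = attention_for(["deep", "learning", "is", "fun"], model)[0][1]
    apart = attention_for(["deep", "is", "fun", "learning"], model)[0][3]
    return adjacent, apart


if __name__ == "__main__":
    adj, far = deep_learning_demo()
    print(f"deep->learning attention: adjacent={adj:.4f} apart={far:.4f}")
```

With random weights the direction of the change is arbitrary; what the demo shows is that a BERT-style model with one summed vector per token could not separate these two cases without re-encoding the content, whereas here the content projections are reused unchanged and only the position terms move.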

Enhanced mask decoder accounts for absolute word positions

Like BERT, DeBERTa is pretrained using masked language modeling (MLM). MLM is a fill-in-the-blank task, where a model is taught to use the words surrounding a mask token to predict what the masked word should be. DeBERTa uses the content and position information of the context words for MLM. The disentangled attention mechanism already considers the contents and relative positions of the context words, but not the absolute positions of these words, which in many cases are crucial for the prediction.

Consider the sentence “a new store opened beside the new mall” with the words “store” and “mall” masked for prediction. Although the local contexts of the two words are similar, they play different syntactic roles in the sentence. (Here, the subject of the sentence is “store” not “mall,” for example.) These syntactical nuances depend, to a large degree, upon the words’ absolute positions in the sentence, and so it is important to account for a word’s absolute position in the language modeling process. DeBERTa incorporates absolute word position embeddings right before the softmax layer where the model decodes the masked words based on the aggregated contextual embeddings of word contents and positions.

Scale Invariant Fine-Tuning improves training stability

Virtual adversarial training is a regularization method for improving models’ generalization. It does so by improving a model’s robustness to adversarial examples, which are created by making small perturbations to the input. The model is regularized so that when given a task-specific example, the model produces the same output distribution as it produces on an adversarial perturbation of that example. For NLU tasks, the perturbation is applied to the word embedding instead of the original word sequence. However, the value ranges (norms) of the embedding vectors vary among different words and models. The variance gets larger for bigger models with billions of parameters, leading to some instability of adversarial training. Inspired by layer normalization, to improve the training stability, we developed a Scale-Invariant-Fine-Tuning (SiFT) method where the perturbations are applied to the normalized word embeddings.

Conclusion and looking forward

As shown in the SuperGLUE leaderboard (Figure 1), DeBERTa sets new state of the art on a wide range of NLU tasks by combining the three techniques detailed above. Compared to Google’s T5 model, which consists of 11 billion parameters, the 1.5-billion-parameter DeBERTa is much more energy efficient to train and maintain, and it is easier to compress and deploy to apps of various settings.

DeBERTa surpassing human performance on SuperGLUE marks an important milestone toward general AI. Despite its promising results on SuperGLUE, the model is by no means reaching the human-level intelligence of NLU. Humans are extremely good at leveraging the knowledge learned from different tasks to solve a new task with no or little task-specific demonstration. This is referred to as compositional generalization, the ability to generalize to novel compositions (new tasks) of familiar constituents (subtasks or basic problem-solving skills). Moving forward, it is worth exploring how to make DeBERTa incorporate compositional structures in a more explicit manner, which could allow combining neural and symbolic computation of natural language similar to what humans do.

Acknowledgments

This research was conducted by Pengcheng He, Xiaodong Liu, Jianfeng Gao, and Weizhu Chen. We thank our collaborators from Bing, Dynamics 365 AI, and Microsoft Research for providing compute resources for large-scale modeling and insightful discussions.


Introducing Azure Health Bot—evolution of Microsoft Healthcare Bot brings new functionality

This post was co-authored by Gregory Moore, M.D., Ph.D., CVP for Microsoft Health Next.

Since the start of the pandemic, Microsoft Healthcare Bot has been at the leading edge of helping organizations be more agile with patient engagement. The U.S. Centers for Disease Control and Prevention (CDC), Walgreens, Premera, and Providence are just a few of the many organizations that are leveraging Microsoft Healthcare Bot to create bots to triage symptoms, answer lab and COVID-related questions, locate nearby clinics, and more. Over the last year, the Healthcare Bot has been used to build thousands of bots and deliver close to 1 billion messages to over 80 million people worldwide, spanning 25 countries.

Today we are announcing that the Microsoft Healthcare Bot service is moving to Azure, further empowering organizations to benefit from Azure’s enhanced tooling, security, and compliance offerings. Customers will be able to seamlessly migrate from Microsoft Healthcare Bot to Azure Health Bot with a few simple steps and no downtime. Additionally, we continue to bring new capabilities to Azure Health Bot, such as new templates for checking eligibility for COVID-19 vaccines and providing answers to related questions.

Azure Health Bot empowers developers in healthcare organizations to build and deploy AI-powered, compliant, conversational healthcare experiences at scale. It combines built-in medical databases with natural language capabilities to understand clinical terminology and can be easily customized to support clinical and operational use cases. The service enables customers’ compliance with industry requirements including HIPAA.

As a native Azure service, Azure Health Bot benefits from Azure’s security investments as well as the most comprehensive compliance coverage of any cloud service provider. Now customers can use standard Azure management tools that they are familiar with and rely on the 99.9 percent SLA commitment. While currently available in two regions (East US and West Europe), it will expand availability to eight regions over the coming months.

Azure Health Bot templates to easily get started.

With this move to Azure, we are making it easier than ever before to build bots for healthcare-specific scenarios. Our customers have been using Microsoft Healthcare Bot to drive patient engagement in a variety of use cases and we are excited to see further innovation.

“As part of our Well-Being Initiative, we created the Stress Self-Assessment tool using the Azure Health Bot. This tool offers an anonymous way for nurses to check on themselves and receive guidance to safeguard their well-being. The bot helps nurses discover and make use of a variety of evidence-based ways to build strength and maintain health, like peer support, guided relaxation, apps with well-being tools, and webinars.” —Kate Judge, Executive Director, American Nurses Foundation

“We did not want to build from scratch, but we wanted a robust, scalable platform that was highly secure. The health bot, built in partnership with Microsoft, started handling 30,000 enquiries a day within a few weeks of first getting up and running.” —Fran Thompson, Interim Chief Information Officer, Health Service Executive (HSE) Ireland

If you are an existing customer of Microsoft Healthcare Bot, you can easily migrate to Azure Health Bot in a few minutes with no downtime. While we highly encourage you to migrate to Azure Health Bot for the best experience, we will continue to support your existing service at least for the coming 12 months.

Get started today


Retailers: 4 ways to make the most of this year’s virtual NRF


NRF 2021 is going to be a first for all of us. I know I’m going to miss seeing many old colleagues and friends this month. NRF BIG Shows for me are just as much family reunion as they are industry conference. But as we’re all discovering, virtual conferences have some real advantages. And, in a way, it’s fitting that NRF is virtual—digital if you will. That’s because digital transformation is accelerating as it impacts the industry.

So, what does Microsoft have in store for you at NRF 2021? Here are four things to put on your “must-do” list:

  1. Catch my session “Retail 2020: A year to never forget.” You’ll learn how Microsoft is helping retailers build more intelligent, resilient, and sustainable retail operations with some amazing retailers across the world.
  2. Visit Microsoft’s virtual booth. You’ll have a chance to see how Microsoft is helping retailers to reimagine their operations and find ways to stand out in today’s new world.
  3. Attend the interactive discussion room where we will talk about what data and artificial intelligence (AI) mean to your organization. AI can be a catalyst for real change in retail, taking massive volumes of data and sifting through it to find actionable insight on customer behavior and store operations.
  4. Take a virtual tour of our Microsoft store and learn more about how we have pivoted our business model over the past nine months. Driven in part by COVID-19, we’ve taken our retail stores completely online, giving us new ways to connect with consumers and respond quickly to changing market conditions.

NRF is also a great place to learn about the newest trends in retail. Here are four trends to keep an eye on during 2021:

1. Data explosion and monetization

  • A whopping 40 petabytes of data an hour is generated in retail. To put that into context, 1 petabyte is the equivalent of 500 billion pages of typed text or 10 billion photos on Instagram. But that 40 petabytes an hour is not just any data—it’s the demand signal for the world. Now is the time for retailers to break down their silos of data, take control of their data estate, and turn it into a strategic asset.

2. New partnerships and ecosystems

  • Retailers have come to the realization that nobody can win on their own. 2020 was the year where we saw unlikely coalitions of the willing—just take the last mile delivery space as an example. We’re even seeing competitors working together in the distribution of the COVID-19 vaccine.

3. Sustainability

  • Transparency, values, and ethics have never been more important to shoppers. 71 percent of consumers prefer buying from brands that align with their values, according to 5W Public Relations. Indeed, 67 percent of customers consider sustainable materials when making purchase decisions, and 63 percent feel a brand promoting itself as sustainable is attractive, according to McKinsey. It’s no surprise then that we’re seeing more and more retailers making major commitments in this space. Take Walmart, which made a commitment to achieve zero emissions by 2040, or H&M which has committed to all materials used in production being sustainably sourced or recycled by 2030. There’s more of the same to come in 2021.

4. Customer loyalty shocks

  • Consumers globally have reacted to the crisis and the ensuing disruption by trying out new shopping behaviors.
  • 50 percent of consumers shopped a new brand
  • Two-thirds of European shoppers say they have recently tried a new brand, retailer, or shopping method.

And don’t forget, this year’s NRF is so big that there will be two of them. The online event is January 12-14, 19, and 21-22; and the live event is June 6-8, in New York City. We’re hoping that by then it will be safe for everyone to attend and enjoy things in person!

Until then, follow us on social and visit our website to get the latest on our engagement at the NRF virtual event over the next two weeks.


What’s new in Microsoft Teams for education

By Abby Schilbach

Happy 2021! We’re excited to share the latest updates in December to the Teams experience:

  1. See the latest features available in Teams, including Breakout Rooms
  2. Apply policies with the Microsoft Teams for Education policy wizard, available on January 7
  3. Allow school leaders, substitutes, and other approved individuals to join a class with the Classroom Drop-in app
  4. Join Public preview to get early access to some of the latest Teams features
  5. Use Moodle and Teams together with the mConnect app
  6. Sign up for the live Microsoft Teams for Education event to get ready and learn the best practices for hybrid learning

Let’s dive in!

1) See the latest features available in Teams, including Breakout Rooms
Virtual Breakout Rooms
As the meeting organizer, you can divide your online class into smaller groups to facilitate discussions, brainstorming, and more. A breakout room can be created in a Teams meeting or a Teams channel meeting, giving you greater flexibility depending on how you and your class meet. As the organizer you can easily jump in between breakout rooms, deliver announcements to all breakout rooms at once, and bring everyone back to the main meeting at any time. Any files from the breakout rooms can be shared in the main meeting and are available afterwards in the meeting chat.

If you’re looking for helpful resources to learn more and get started:

  1. Check out the main breakout rooms blog
  2. Get the breakout rooms quick start guide for educators (PDF)
  3. Watch the Tips from the Team breakout rooms video
  4. Visit the breakout rooms support page to learn more

New languages supported for real-time translation in live events
Translate Japanese, Korean, French, French-Canadian, Spanish, Spanish-Mexican, Traditional Chinese, Swedish, Dutch, Italian, Hindi-Indian, Portuguese-Brazilian, and Russian into up to 50 different languages. Learn more

Check out all the latest features available in Teams here.

2) Apply policies with the Microsoft Teams for Education policy wizard, available on January 7
With remote and hybrid learning on online platforms, it’s more important than ever to help keep your school community safe. With the new Microsoft Teams for Education policy wizard, school IT admins can now easily apply education-tailored policies for a safe learning environment.

The policy wizard allows the IT admin to quickly and easily apply the most relevant set of policies for students at a global (Org-wide default) level and apply a custom policy set to a group of educators and staff tailored to their needs. More details, including expected availability, will be shared on January 7th.

3) Allow school leaders, substitutes, and other approved individuals to join a class with the Classroom Drop-in app
Oftentimes school leaders, substitute instructors, evaluators, TAs, and other individuals need to check in on a class or become its temporary teacher. With the new Classroom Drop-in app template for Microsoft Teams, school leaders can set up “drop-ins” to add a user to a Team without needing to bother IT or the instructor. The dropped-in user can then check in on conversations, assignments, grades, class meetings, and more!

IT administrators can set up and install the Classroom Drop-in app from GitHub and then make it available to leaders within their organization. Once installed and configured, leaders can begin setting up drop-ins right away.

To learn more, join us for a webinar on January 12 at 8am PST. Sign up at https://aka.ms/DropInWebinar

Install and use the Classroom Drop-in app to allow school leaders, substitute instructors, evaluators, TAs, to check in on or become a temporary teacher for a class


4) Join Public Preview to get early access to the latest Teams features
Microsoft Teams Public Preview is now available to help you and your school get early access to the latest Teams features. After an IT admin enables public preview via a policy setting, individuals in the school can switch their Teams client to public preview mode and try Together mode, Large Gallery (7×7) on the web, and live reactions in Teams meetings. Watch how to join in this quick tip video.

5) Use Moodle and Teams together with the mConnect app
Now with the mConnect app by Skooler, you can bring all the richness of Moodle inside Teams to organize your courses and use Teams to learn and work together. The mConnect app allows you to:

  • Have one workspace with access to Moodle courses, topics, assignments, and calendar in Teams
  • Stay organized with collaborative Learning tabs in Teams channels
  • Save time and be more in control with automated team and membership creation

Learn more about the mConnect app here.

6) Sign up for the live Microsoft Teams for Education event to get ready and learn the best practices for hybrid learning
Join us and get ready for hybrid learning and teaching with Microsoft Teams. Microsoft Teams for Education experts will share common scenarios, use cases, and answer your questions live. Topics include how to use your favorite apps in Teams, driving student engagement, inclusion, and accessibility, Microsoft Teams with your LMS, and more:

  1. Tuesday Jan 26, 8am-12pm PST – IT Pro & Leaders
  2. Wednesday Jan 27, 8am-12pm PST – Teaching & Learning

Join us and sign up at https://aka.ms/TeamsEduEvent.



Affordable Windows 10 devices help students learn from anywhere

As schools around the world work to reimagine education, it’s become more important than ever to make technology accessible, safe, and engaging so that educators and students can focus on what matters most: teaching, learning, and connecting with one another. Windows 10 devices and powerful tools like Office 365 for Education and Microsoft Teams work together to help teachers create personalized experiences to support students learning from anywhere.

One example of an institution embracing technology is Frenship Independent School District (ISD). The district, which offers professional certifications and language learning programs, used both Windows 10 devices and Microsoft Teams to manage the shift to remote learning this fall. Before the shift, Frenship ISD had provided student access through a combination of individual devices, computer labs, and “device carts” where devices could be checked in and out to give students access to technology.


When Superintendent Dr. Michelle McCord understood that Frenship ISD would be fully remote this fall, she wanted to keep the technology check-out system at the Texas district alive on a larger scale. She worked with the district’s tech department to create a library system for their devices, which were primarily Dell Latitude 3190 computers but also included other Windows 10 devices. Students in the district could select a device that fit their learning needs, use it for the semester and check it back in when they completed their program.

“We fulfilled everyone’s requests. Everybody that needed a device or support for accessing Microsoft systems got it,” said Dr. McCord. The district paired the devices with Microsoft Teams to facilitate collaboration, maintaining a supportive learning environment for students.

With Windows 10 devices and Microsoft Teams connecting students and educators, Frenship ISD is prepared to handle whatever happens in the spring semester and beyond. “We’re ready at any time for a short-term closure, virtual learning, or face-to-face learning,” said Joe Barnett, the district’s Chief Technology Officer. “Blended learning is more of what I think is going to occur. I anticipate students transitioning from one instructional model to the other, and that’s what we really wanted to be prepared for.”

McCord expects the device check-out system will be lasting. “We’re never going to go back to the way it was before,” she explains. “We’re going to keep using this technology so we can be even more productive and stay connected. This will allow us to continue to remain committed to our core beliefs and serve every learner, no matter the circumstance.”

Though we don’t know what this semester will bring for education, we do know that having the right technology is critical as school systems transition to different learning environments. Windows 10 devices and tools like Teams are built to support the success of your school system.

Learn more about affordable Windows 10 devices and find the right fit for your school’s unique technology needs.


Chief Data Analytics Officer John Kahan: Thanks to Congress, the FCC can now update America’s broadband maps

Just over a year and a half ago, I wrote about the broadband gap, calling attention to the urgent need for the Federal Communications Commission (FCC) to update their approach to gathering and reporting broadband mapping data. At the time, we knew very clearly that the FCC was vastly undercounting the number of Americans without access to broadband. And because of new research – including our own – we knew the problem to be much larger than previously thought: According to Microsoft’s own data, 157.3 million people in the U.S. do not use the internet at broadband speeds and, according to BroadbandNow, at least 42 million people do not have broadband access at all.

But, today, we know its impacts better than ever. As a result of the Covid-19 crisis, millions of people today aren’t just being left behind, they’re being left out of everyday life. While many can work from home, use telehealth or educate their kids remotely, huge swaths of the country are forced to drive long distances to pick up schoolwork or camp out in public library parking lots to access Wi-Fi. It doesn’t have to be this way.

We often say that we can’t solve a problem we don’t fully understand. Accurate maps are absolutely necessary to help regulators effectively target funding where it is most needed and understand how effectively their funding is being applied to connect those without broadband access.

Fortunately, Congress passed the Broadband DATA Act earlier this year, which would improve the FCC’s mapping data. And we commend Congress for providing broadband funding in the latest Covid-19 stimulus bill signed into law this week, which would begin setting up the new mapping solution. We particularly want to thank Senators Wicker, Thune, Cantwell, Klobuchar and Peters, as well as Representatives Pallone, Loebsack, McEachin, Walden, Latta and Long for their work in including this vital funding in the bill.

But the work doesn’t end there. The FCC must now move forward with standing up the new mapping solution as soon as possible. If they fail to rapidly implement this new accurate mapping solution, rural America will be left in the digital dust. We can’t let that happen. But if they move with the urgency the issue deserves, the FCC can change millions of lives for the better.



Home Cooked: Microsoft employees share some of their favorite recipes

Is it breakfast or cookies? Either way, Roxie (@RoxStarBakes on YouTube) has us chomping at the bit for these adorable creations!

Breakfast-shaped sugar cookies

1 c unsalted butter, at room temperature
1 c sifted powdered sugar
1 egg, at room temperature
1 Tbsp vanilla extract
3 c sifted flour
1 tsp baking powder
1/4 tsp salt
Gel food coloring: yellow and red (white is optional)

1. Preheat the oven to 325 degrees Fahrenheit.

2. Using a mixer on medium speed, cream the butter and powdered sugar until they are fluffy and white. Scrape down the sides of the mixing bowl at least twice during this process. Switch the mixer to low speed, and add the egg and the vanilla.

3. In a separate bowl, combine the sifted flour, the baking powder, and the salt.

4. Gradually add the dry ingredients to the wet ingredients one-half at a time, using the mixer on low speed. Mix until everything is combined.

5. Divide the dough into four portions. Leave two portions white (plain), and color the other portions yellow and red. Roll out each portion on a cutting board to about 1/4 inch thickness. Cover with plastic wrap, and refrigerate for 30 minutes. Remove the dough from the refrigerator. Let’s start assembling!

6. To make an egg, use a large circle cookie cutter to cut a circle from the white portion of dough. Use a smaller circle cookie cutter to cut a smaller circle from the yellow portion of dough. Place the small circle on top of the large circle, and you have an egg!

7. To make bacon, place the white portion of dough on top of the red portion. Use a knife to cut the dough into three pieces, and stack them on top of each other with the colors alternating. Slice down through the stack of dough, making bacon strips. Press your fingers on alternating sides of the bacon strips to make the edges squiggly.

8. Continue making cookies, and place them at least 1-inch apart on a baking sheet that is lined with parchment paper. Cover with plastic wrap, and refrigerate for another 30 minutes.

9. Remove the cookies from the refrigerator, and bake them for 8-10 minutes. Let them cool before serving.


Using Microsoft 365 Defender to protect against Solorigate

Microsoft security researchers continue to investigate and respond to the sophisticated cyberattack known as Solorigate (also referred to as Sunburst by FireEye) involving a supply chain compromise and the subsequent compromise of cloud assets. While the related investigations and impact assessments are ongoing, Microsoft is providing visibility into the attack chains and related threat intelligence to the defender community as early as possible so organizations can identify and take action to stop this attack, understand the potential scope of its impact, and begin the recovery process from this active threat. We have established a resource center that is constantly updated as more information becomes available at https://aka.ms/solorigate.

This blog is a comprehensive guide for security operations and incident response teams using Microsoft 365 Defender to identify, investigate, and respond to the Solorigate attack if it’s found in your environment. The description of the attack in this blog is based on current analysis and investigations by researchers across Microsoft, our partners, and the intelligence community who are actively collaborating to respond to the attack. This is an active threat that continues to evolve, and the findings included here represent what we know at the time of publishing. We continue to publish and update intelligence, indicators, tactics, techniques, and procedures (TTPs), and related details as we discover them. The report from the Microsoft Security Response Center (MSRC) includes the latest analysis of this threat, known indicators of compromise (IOCs), and initial recommended defenses, and will be updated as new data becomes available.

This blog covers:

Tracking the cross-domain Solorigate attack from endpoint to the cloud

The Solorigate attack is an example of a modern cross-domain compromise. Since these kinds of attacks span multiple domains, having visibility into the entire scope of the attack is key to stopping and preventing its spread.

This attack features a sophisticated technique involving a software supply chain compromise that allowed attackers to introduce malicious code into signed binaries on the SolarWinds Orion Platform, a popular IT management software. The compromised application grants attackers “free” and easy deployment across a wide range of organizations who use and regularly update the application, with little risk of detection because the signed application and binaries are common and are considered trusted. With this initial widespread foothold, the attackers can then pick and choose the specific organizations they want to continue operating within (while others remain an option at any point as long as the backdoor is installed and undetected). Based on our investigations, the next stages of the attack involve on-premises activity with the goal of off-premises access to cloud resources through the following steps:

  1. Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device
  2. Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using one of two methods:
    1. Stealing the SAML signing certificate (Path 1)
    2. Adding to or modifying existing federation trust (Path 2)
  3. Using attacker-created SAML tokens to access cloud resources and perform actions leading to the exfiltration of emails and persistence in the cloud

Diagram of the high-level Solorigate attack chain

Figure 1. High-level end-to-end Solorigate attack chain

This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected. The deeply integrated cross-domain security capabilities in Microsoft 365 Defender can empower organizations and their security operations (SOC) teams to uncover this attack, scope out the end-to-end breach from endpoint to the cloud, and take action to block and remediate it. This blog will offer step-by-step guidance to do this by outlining:

  • How indicators of attack show up across endpoints, identity, and the cloud
  • How Microsoft 365 Defender automatically combines alerts across these different domains into a comprehensive end-to-end story
  • How to leverage the powerful toolset available for deep investigation, hunting, and response to enable SOCs to battle the attackers and evict these attackers from both on-premises and cloud environments

Threat analytics: Understanding and responding to active attacks

As soon as this attack was discovered, Microsoft researchers published two threat analytics reports to help organizations determine if they are affected, assess the impact of the attack, and identify actions to contain it.

The reports are published in Microsoft 365 security center, available to all Microsoft Defender for Endpoint customers and Microsoft 365 Defender early adopters. In addition to detailed descriptions of the attack, TTPs, and indicators of compromise (IoCs), the reports provide real-time data aggregated from signals across Microsoft 365 Defender, indicating the all-up impact of the threat to the organization, as well as details about relevant incidents and alerts to initiate investigation on. These reports continue to be updated as additional information becomes available.

Given the significance of this threat, we are making similar relevant Microsoft threat intelligence data, including the updated list of IOCs, available to everyone publicly. A comprehensive list of guidance and insights is available at https://aka.ms/solorigate.

Screenshot of threat analytics report on Solorigate in Microsoft Defender Security Center

Figure 2. Threat analytics report on Solorigate attack

We recommend Microsoft 365 Defender customers to start their investigations here. After gaining deep understanding of the threat and getting the latest research findings, you can take the following recommended steps:

Find devices with the compromised SolarWinds Orion application

The threat analytics report uses insights from threat and vulnerability management to identify devices that have the compromised SolarWinds Orion Platform binaries or are exposed to the attack due to misconfiguration.

From the Vulnerability patching status chart in threat analytics, you can view the mitigation details to see a list of devices with the vulnerability ID TVM-2020-0002, which was added specifically to help with Solorigate investigations:

Threat and vulnerability management insights on impact of Solorigate

Figure 3. Threat and vulnerability management data shows data on exposed devices

Threat and vulnerability management provides more info about the vulnerability ID TVM-2020-0002, as well as all relevant applications, via the Software inventory view. There are also multiple security recommendations to address this specific threat, including instructions to update the software versions installed on exposed devices.

Screenshot of security recommendations for Solorigate in Microsoft Defender Security Center

Figure 4. Security recommendations from threat and vulnerability management

Investigate related alerts and incidents

From the threat analytics report, you can quickly locate devices with alerts related to the attack. The Devices with alerts chart identifies devices with malicious components or activities known to be directly related to Solorigate. Click through to get the list of alerts and investigate.

Some Solorigate activities may not be directly tied to this specific threat but will trigger alerts due to generally suspicious or malicious behaviors. All alerts in Microsoft 365 Defender provided by different Microsoft 365 products are correlated into incidents. Incidents help you see the relationship between detected activities, better understand the end-to-end picture of the attack, and investigate, contain, and remediate the threat in a consolidated manner.

Review incidents in the Incidents queue and look for those with alerts relevant to this attacker’s TTPs, as described in the threat analytics report (also listed at the end of this blog).

Screenshot of Microsoft Defender Security Center incidents view for Solorigate

Figure 5. Consolidated Incident view for Solorigate

Some alerts are specially tagged with Microsoft Threat Experts to indicate malicious activities that Microsoft researchers found in customer environments during hunting. As part of the Microsoft Threat Experts service, researchers investigated this attack as it unfolded, hunting for associated attacker behaviors, and sent targeted attack notifications. If you see an alert tagged with Microsoft Threat Experts, we strongly recommend that you give it immediate attention.

Screenshot of Microsoft Defender Security Center showing Microsoft Threat Experts detections

Figure 6. Microsoft Threat Experts targeted attack notification

Additionally, Microsoft Threat Experts customers with Experts on demand subscriptions can reach out directly to our on-demand hunters for additional help in understanding the Solorigate threat and the scope of its impact in their environments.

Hunt for related attacker activity

The threat analytics report also provides advanced hunting queries that can help analysts locate additional related or similar activities across endpoint, identity, and cloud. Advanced hunting uses a rich set of data sources, but in response to Solorigate, Microsoft has enabled streaming of Azure Active Directory (Azure AD) audit logs into advanced hunting, available for all customers in public preview. These logs provide traceability for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles, and policies. Customers who do not have Microsoft Defender for Endpoint or are not early adopters for Microsoft 365 Defender can see our recommended advanced hunting queries.

Currently, this data is available to customers who have Microsoft Cloud App Security with the Office 365 connector. Our intent is to expand availability to more Microsoft 365 Defender customers. The new log data is available in the CloudAppEvents table:

CloudAppEvents
| where Application == "Office 365"

The log data contains activity logs useful for investigating and finding Azure AD-related activities. This data further enriches the CloudAppEvents table, which also has Exchange Online and Microsoft Teams activities.

As part of making this new data available, we also published a handful of relevant advanced hunting queries, identified by the suffix [Solorigate], to the GitHub repo.

Here’s an example query that helps you see when credentials are added to an Azure AD application after ‘Admin Consent’ permissions were granted:

CloudAppEvents
| where Application == "Office 365"
| where ActionType == "Consent to application."
| where RawEventData.ModifiedProperties[0].Name == "ConsentContext.IsAdminConsent" and RawEventData.ModifiedProperties[0].NewValue == "True"
| extend spnID = tostring(RawEventData.Target[3].ID)
| parse RawEventData.ModifiedProperties[4].NewValue with * "=> [[" dummy "Scope: " After "]]" *
| extend PermissionsGranted = split(After, "]",0)
| project ConsentTime = Timestamp , AccountDisplayName , spnID , PermissionsGranted
| join (
CloudAppEvents
| where Application == "Office 365"
| where ActionType == "Add service principal credentials." or ActionType == "Update application – Certificates and secrets management "
| extend spnID = tostring(RawEventData.Target[3].ID)
| project AddSecretTime = Timestamp, AccountDisplayName , spnID
) on spnID
| where ConsentTime < AddSecretTime and AccountDisplayName <> AccountDisplayName1
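The same correlation, restated in Python over a handful of constructed CloudAppEvents-style records so the join logic can be read and tested offline. This is an added example, not code from the Microsoft post: the record shape (account, service principal id, a Name-to-NewValue map of modified properties) is a simplified assumption standing in for the RawEventData fields the query indexes, and the ConsentAction.Permissions NewValue string is constructed to match the pattern the query's parse step expects.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# ActionType values as used in the hunting query above.
CONSENT_ACTION = "Consent to application."
CREDENTIAL_ACTIONS = {
    "Add service principal credentials.",
    "Update application – Certificates and secrets management ",
}


@dataclass
class CloudAppEvent:
    """Simplified stand-in (assumption) for one CloudAppEvents row."""
    timestamp: datetime
    action_type: str
    account: str            # AccountDisplayName
    spn_id: str             # service principal id (RawEventData.Target[3].ID in the query)
    modified_properties: Dict[str, str] = field(default_factory=dict)  # Name -> NewValue


# Same shape the query parses: ... => [[ ... Scope: <permissions>]] ...
SCOPE_RE = re.compile(r"=> \[\[.*?Scope: (?P<scope>[^\]]*)\]\]")


def parse_granted_scope(new_value: str) -> Optional[str]:
    """Extract the granted permission scope from a ConsentAction.Permissions NewValue string."""
    m = SCOPE_RE.search(new_value)
    return m.group("scope").strip() if m else None


def is_admin_consent(e: CloudAppEvent) -> bool:
    return (e.action_type == CONSENT_ACTION
            and e.modified_properties.get("ConsentContext.IsAdminConsent") == "True")


def find_consent_then_credential(events: List[CloudAppEvent]) -> List[dict]:
    """Report credentials added to a service principal after admin consent was granted,
    by an account other than the one that consented (the query's join and final where)."""
    consents = [e for e in events if is_admin_consent(e)]
    cred_adds = [e for e in events if e.action_type in CREDENTIAL_ACTIONS]
    findings = []
    for c in consents:
        scope = parse_granted_scope(c.modified_properties.get("ConsentAction.Permissions", ""))
        for a in cred_adds:
            if a.spn_id != c.spn_id or a.timestamp <= c.timestamp or a.account == c.account:
                continue
            findings.append({
                "spn_id": c.spn_id,
                "consent_time": c.timestamp,
                "consenting_account": c.account,
                "credential_time": a.timestamp,
                "credential_account": a.account,
                "permissions_granted": scope,
            })
    return findings


# Constructed sample events (not real telemetry).
T0 = datetime(2020, 12, 14, 9, 0, 0)
SAMPLE_EVENTS = [
    CloudAppEvent(T0, CONSENT_ACTION, "global-admin@contoso.example", "spn-0001-constructed",
                  {"ConsentContext.IsAdminConsent": "True",
                   "ConsentAction.Permissions":
                       "[] => [[Id: 1, ClientId: app-constructed, ConsentType: AllPrincipals, "
                       "Scope: Mail.Read Mail.ReadWrite]]"}),
    # Secret added two hours later by a different account: the pattern of interest.
    CloudAppEvent(T0 + timedelta(hours=2), "Add service principal credentials.",
                  "svc-automation@contoso.example", "spn-0001-constructed"),
    # The consenting account adds a secret itself: excluded by the account check.
    CloudAppEvent(T0 + timedelta(hours=3), "Add service principal credentials.",
                  "global-admin@contoso.example", "spn-0001-constructed"),
    # Secret added before the consent: excluded by the time-ordering check.
    CloudAppEvent(T0 - timedelta(hours=1), "Add service principal credentials.",
                  "svc-automation@contoso.example", "spn-0001-constructed"),
    # Non-admin (user) consent on another app followed by a credential change: excluded.
    CloudAppEvent(T0, CONSENT_ACTION, "user@contoso.example", "spn-0002-constructed",
                  {"ConsentContext.IsAdminConsent": "False",
                   "ConsentAction.Permissions": "[] => [[Scope: User.Read]]"}),
    CloudAppEvent(T0 + timedelta(hours=1),
                  "Update application – Certificates and secrets management ",
                  "other@contoso.example", "spn-0002-constructed"),
]

if __name__ == "__main__":
    for finding in find_consent_then_credential(SAMPLE_EVENTS):
        print(finding)
```

Only the second event is reported: same service principal, later than the consent, and a different account than the one that granted it. The other three credential events show why each condition in the query's final where clause is there.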

Microsoft 365 Defender advanced hunting can also assist in many of the recommended incident investigation tasks outlined in the blog, Advice for incident responders on recovery from systemic identity compromises.

In the remaining sections, we will discuss select examples of alerts raised by Microsoft 365 solutions that monitor and detect Solorigate activities across the attack chain on endpoint, identity, and the cloud. These are alerts you may encounter when investigating incidents in Microsoft 365 security center if your organization is affected by this threat. We will also indicate activities which are now blocked by Microsoft 365 Defender. Lastly, each section contains examples of hunting queries you will find useful for hunting for various attacker activities in your environment.

Detecting and blocking malware and malicious behavior on endpoints

Diagram showing attack chain on endpoints involving the Solorigate malware

Figure 7. Solorigate attack chain: Initial access and command-and-control

Discovering and blocking backdoor activity

When the compromised SolarWinds binary SolarWinds.Orion.Core.BusinessLayer.dll gets loaded on a device through normal update channels, the backdoor goes through an extensive list of checks to ensure it’s running in an actual enterprise network and not on an analyst’s machine. It then contacts a command-and-control (C2) server using a subdomain that is generated partly with information gathered from the affected device, which means a unique subdomain is generated for each affected domain. The backdoor allows the attackers to remotely run commands on the device and move to the next stages of the attack. For more information, read our in-depth analysis of the Solorigate malware.

Microsoft Defender for Endpoint delivers comprehensive protection against this threat (see full list of detection and protection alerts at the end of this blog). Microsoft Defender Antivirus, the default antimalware solution on Windows 10, detects and blocks the malicious DLL and its behaviors. It quarantines the malware, even if the process is running.

Screenshot of Microsoft Defender Security Center showing alert for blocking of Solorigate malware

Figure 8. Microsoft Defender for Endpoint blocks malicious binaries

If the malicious code is successfully deployed, the backdoor lies dormant for up to two weeks. It then attempts to contact numerous C2 domains, with the primary domain being *.avsvmcloud[.]com. The backdoor uses a domain generation algorithm to evade detection. Microsoft 365 Defender detects and blocks this behavior.

Screenshot of Microsoft Defender Security Center showing alert for malicious network connection

Figure 9. Microsoft Defender for Endpoint prevented malicious C2 callback

Discovering potentially tampered devices

To evade security software and analyst tools, the Solorigate malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them.

The Microsoft Defender for Endpoint sensor is one of the processes the malware attempts to disable. Microsoft Defender for Endpoint has built-in protections against many techniques attackers use to disable endpoint sensors ranging from hardened OS protection, anti-tampering policies, and detections for a variety of tampering attempts, including “Attempt to stop Microsoft Defender for Endpoint sensor”, “Tampering with Microsoft Defender for Endpoint sensor settings”, or “Possible sensor tampering in memory”.

Successfully disabling Microsoft Defender for Endpoint can prevent the system from reporting observed activities. However, the multitude of signals reported into Microsoft 365 Defender provides a unique opportunity to hunt for systems where the tampering technique used might have been successful. The following advanced hunting query can be used to locate devices that should be reporting but aren’t:

// Times to be modified as appropriate
let timeAgo=1d;
let silenceTime=8h;
// Get all silent devices and IPs from network events
let allNetwork=materialize(DeviceNetworkEvents
| where Timestamp > ago(timeAgo)
and isnotempty(LocalIP)
and isnotempty(RemoteIP)
and ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
and LocalIP !in ("127.0.0.1", "::1")
| project DeviceId, Timestamp, LocalIP, RemoteIP, ReportId);
let nonSilentDevices=allNetwork
| where Timestamp > ago(silenceTime)
| union (DeviceProcessEvents | where Timestamp > ago(silenceTime))
| summarize by DeviceId;
let nonSilentIPs=allNetwork
| where Timestamp > ago(silenceTime)
| summarize by LocalIP;
let silentDevices=allNetwork
| where DeviceId !in (nonSilentDevices)
and LocalIP !in (nonSilentIPs)
| project DeviceId, LocalIP, Timestamp, ReportId;
// Get all remote IPs that were recently active
let addressesDuringSilence=allNetwork
| where Timestamp > ago(silenceTime)
| summarize by RemoteIP;
// Potentially disconnected devices were connected but are silent
silentDevices
| where LocalIP in (addressesDuringSilence)
| summarize ReportId=arg_max(Timestamp, ReportId), Timestamp=max(Timestamp), LocalIP=arg_max(Timestamp, LocalIP) by DeviceId
| project DeviceId, ReportId=ReportId1, Timestamp, LocalIP=LocalIP1
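The silent-device logic above, restated in Python over constructed network and process events so each filter can be exercised offline. This is an added example and not code from the Microsoft post; the two record types are simplified assumptions standing in for DeviceNetworkEvents and DeviceProcessEvents columns. The sample set deliberately includes a device that is simply offline and a device whose old address was reused, to show why the query checks both the remote-IP evidence and the non-silent IP list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

ACCEPTED_ACTIONS = {"ConnectionSuccess", "InboundConnectionAccepted"}
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class NetworkEvent:
    """Simplified stand-in (assumption) for a DeviceNetworkEvents row."""
    device_id: str
    timestamp: datetime
    action_type: str
    local_ip: str
    remote_ip: str
    report_id: int


@dataclass
class ProcessEvent:
    """Simplified stand-in (assumption) for a DeviceProcessEvents row."""
    device_id: str
    timestamp: datetime


def find_silent_devices(network: List[NetworkEvent], processes: List[ProcessEvent], now: datetime,
                        time_ago: timedelta = timedelta(days=1),
                        silence_time: timedelta = timedelta(hours=8)) -> List[dict]:
    """Devices with no telemetry during silence_time whose address was still being
    reached by other devices: they are up but not reporting."""
    window_start, silence_start = now - time_ago, now - silence_time
    # allNetwork: successful/accepted connections in the lookback window, loopback excluded
    all_network = [e for e in network
                   if e.timestamp > window_start and e.local_ip and e.remote_ip
                   and e.action_type in ACCEPTED_ACTIONS and e.local_ip not in LOOPBACK]
    recent = [e for e in all_network if e.timestamp > silence_start]
    # nonSilentDevices: anything that sent a network or process event during the silence window
    non_silent_devices = ({e.device_id for e in recent}
                          | {p.device_id for p in processes if p.timestamp > silence_start})
    # nonSilentIPs: local addresses still reported by some device (guards against DHCP reuse)
    non_silent_ips = {e.local_ip for e in recent}
    # addressesDuringSilence: remote addresses other devices talked to while the window ran
    addresses_during_silence = {e.remote_ip for e in recent}
    latest: Dict[str, NetworkEvent] = {}
    for e in all_network:
        if e.device_id in non_silent_devices or e.local_ip in non_silent_ips:
            continue  # not silent, or its address has moved to another device
        if e.local_ip not in addresses_during_silence:
            continue  # nobody reached it while it was silent: probably just powered off
        if e.device_id not in latest or e.timestamp > latest[e.device_id].timestamp:
            latest[e.device_id] = e  # arg_max(Timestamp, ...) per device
    return [{"device_id": d, "report_id": e.report_id, "timestamp": e.timestamp, "local_ip": e.local_ip}
            for d, e in sorted(latest.items())]


# Constructed sample telemetry (not real data).
NOW = datetime(2020, 12, 15, 12, 0, 0)


def hours_ago(h: float) -> datetime:
    return NOW - timedelta(hours=h)


SAMPLE_NETWORK = [
    # DEV-A reported normally until 18h ago, then went quiet...
    NetworkEvent("DEV-A-constructed", hours_ago(20), "ConnectionSuccess", "10.0.0.5", "10.0.0.9", 1),
    NetworkEvent("DEV-A-constructed", hours_ago(18), "InboundConnectionAccepted", "10.0.0.5", "10.0.0.9", 2),
    # ...yet DEV-B connected to DEV-A's address 2h ago: the host is up but not reporting.
    NetworkEvent("DEV-B-constructed", hours_ago(2), "ConnectionSuccess", "10.0.0.9", "10.0.0.5", 3),
    # DEV-C is quiet too, but nothing reached its address: likely just switched off.
    NetworkEvent("DEV-C-constructed", hours_ago(20), "ConnectionSuccess", "10.0.0.7", "10.0.0.9", 4),
    # DEV-D's last network event is old, but it has a recent process event (below).
    NetworkEvent("DEV-D-constructed", hours_ago(20), "ConnectionSuccess", "10.0.0.8", "10.0.0.9", 5),
    NetworkEvent("DEV-B-constructed", hours_ago(1), "ConnectionSuccess", "10.0.0.9", "10.0.0.8", 6),
    # DEV-E is quiet, but its old address is now reported by DEV-F (DHCP reuse).
    NetworkEvent("DEV-E-constructed", hours_ago(20), "ConnectionSuccess", "10.0.0.6", "10.0.0.9", 7),
    NetworkEvent("DEV-F-constructed", hours_ago(1), "ConnectionSuccess", "10.0.0.6", "10.0.0.9", 8),
    NetworkEvent("DEV-B-constructed", hours_ago(1), "ConnectionSuccess", "10.0.0.9", "10.0.0.6", 9),
    # Filtered out by the base query: loopback traffic and a failed connection.
    NetworkEvent("DEV-G-constructed", hours_ago(20), "ConnectionSuccess", "127.0.0.1", "127.0.0.1", 10),
    NetworkEvent("DEV-H-constructed", hours_ago(20), "ConnectionFailed", "10.0.0.11", "10.0.0.9", 11),
]
SAMPLE_PROCESSES = [ProcessEvent("DEV-D-constructed", hours_ago(1))]

if __name__ == "__main__":
    for row in find_silent_devices(SAMPLE_NETWORK, SAMPLE_PROCESSES, NOW):
        print(row)
```

Only DEV-A is returned, with its most recent report id, which is the record an analyst would pull to see what the device was doing just before it stopped talking.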

Microsoft is continuously developing additional measures to both block and alert on these types of tampering activities.

Detecting hands-on-keyboard activity within an on-premises environment

Diagram showing Solorigate hands-on-keyboard attack on premises

Figure 10. Solorigate attack chain: Hands-on-keyboard attack on premises

After establishing a backdoor connection on an affected device, the attacker’s next goal is to achieve off-premises access to the organization’s cloud services. To do this, they must find a way to gain permissions to those services. One technique we have seen the attackers use is to go after the organization’s Active Directory Federation Services (AD FS) server to obtain the proverbial “keys” to the identity kingdom. AD FS enables federated identity and access management by securely sharing digital identity and entitlement rights across security and enterprise boundaries; effectively, it is the “LSASS for the cloud.” Among other things, AD FS stores the Security Assertion Markup Language (SAML) token signing certificate, which is used to create authorization tokens for users or services in the organization so they can access cloud applications and resources after authentication.

To attack the AD FS infrastructure, the attackers must first obtain appropriate domain permissions through on-premises intelligence gathering, lateral movement, and credential theft. Building from the backdoor described above, the attackers leverage fileless techniques for privilege escalation, persistence, and lateral movement, including evading analysis by using system binaries and exploration tools that masquerade as other benign binaries. The attackers also carefully choose organization-specific command-and-control (C2) domains and use custom, organization-specific tool names and locations.

Microsoft Defender for Endpoint detects a wide array of these attack techniques, allowing SOC teams to track the attacker’s actions in the environment and take actions to contain the attack. The following section covers detections for the techniques used by the attackers to compromise the AD FS infrastructure.

Identifying attacker reconnaissance

Attackers collect data from Active Directory using a renamed version of the utility ADFind, running queries against Domain Controllers as part of the reconnaissance stage of the attack. Microsoft Defender for Endpoint detects this behavior and allows the SOC analyst to track compromised devices at this stage to gain visibility into the information the attacker is looking for.

Figure 11. Microsoft Defender for Endpoint detects usage of masquerading exploration tools

Figure 12. Microsoft Defender for Endpoint detects the use of an LDAP query for reconnaissance

Stopping lateral movement and credential theft

To gain access to a highly privileged account needed for later steps in the kill chain, the attackers move laterally between devices and dump credentials until an account with the needed privileges is compromised, all while remaining as stealthy as possible.

A variety of credential theft methods, such as dumping LSASS memory, are detected and blocked by Microsoft Defender for Endpoint. The example below shows the detection of lateral movement using Windows Management Instrumentation (WMI) to run the attacker’s payload using the Rundll32.exe process.

Figure 13. Microsoft Defender for Endpoint alert for suspicious remote WMI execution highlighting the attacker’s device and payload

Microsoft Defender for Identity also detects and raises alerts on a variety of credential theft techniques. In addition to watching for alerts, security analysts can hunt across identity data in Microsoft 365 Defender for signs of identity compromise. Here are a couple of example Microsoft Defender for Identity queries looking for such patterns:

Enumeration of high-value DC assets followed by logon attempts to validate stolen credentials in time proximity

let MaxTime = 1d;
let MinNumberLogon = 5;
//devices attempting enumeration of high-value DC
IdentityQueryEvents
| where Timestamp > ago(30d)
| where Application == "Active Directory"
| where QueryTarget in ("Read-only Domain Controllers")
//high-value RODC assets
| project Timestamp, Protocol, Query, DeviceName, AccountUpn
| join kind = innerunique (
//devices trying to logon {MaxTime} after enumeration
IdentityLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonSuccess"
| project LogonTime = Timestamp, DeviceName, DestinationDeviceName) on DeviceName
| where LogonTime between (Timestamp .. (Timestamp + MaxTime))
| summarize n=dcount(DestinationDeviceName), TargetedDC = makeset(DestinationDeviceName) by Timestamp, Protocol, DeviceName
| where n >= MinNumberLogon

High-volume of LDAP queries in short time filtering for non-DC devices

let Threshold = 12;
let BinTime = 1m;
//approximate list of DC
let listDC=IdentityDirectoryEvents
| where Application == "Active Directory"
| where ActionType == "Directory Services replication"
| summarize by DestinationDeviceName;
IdentityQueryEvents
| where Timestamp > ago(30d)
//filter out LDAP traffic across DC
| where DeviceName !in (listDC)
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
| summarize NumberOfDistinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
| where NumberOfDistinctLdapQueries > Threshold

At this point, SOC teams can take containment measures within the Microsoft 365 security center, for example, using indicators to isolate the devices involved and block the remotely executed payload across the environment, as well as mark suspect users as compromised.

Detecting and remediating persistence

Microsoft Defender for Endpoint also detects the advanced defense evasion and masquerading techniques used by the attackers to make their actions as close to normal as possible, such as binding a WMI event filter with a logical consumer to remain persistent. Follow the recommended actions in the alert to remove persistence and prevent the attacker’s payload from loading after reboot.

Figure 14. Microsoft Defender for Endpoint alert for WMI event filter bound to a suspicious consumer showing the persistence and the scheduled command line

Catching AD FS compromise and the attacker’s ability to impersonate users in the cloud

The next step in the attack focuses on the AD FS infrastructure and can unfold in two separate paths that lead to the same outcome—the ability to create valid SAML tokens allowing impersonation of users in the cloud:

  • Path 1 – Stealing the SAML signing certificate: After gaining administrative privileges in the organization’s on-premises network, and with access to the AD FS server itself, the attackers access and extract the SAML signing certificate. With this signing certificate, the attackers create valid SAML tokens to access various desired cloud resources as the identity of their choosing.
  • Path 2 – Adding to or modifying existing federation trust: After gaining administrative Azure Active Directory (Azure AD) privileges using compromised credentials, the attackers add their own certificate as a trusted entity in the domain either by adding a new federation trust to an existing tenant or modifying the properties of an existing federation trust. As a result, any SAML token they create and sign will be valid for the identity of their choosing.

In the first path, obtaining the SAML signing certificate normally entails first querying the private encryption key that resides on the AD FS container and then using that key to decrypt the signing certificate. The certificate can then be used to create illicit but valid SAML tokens that allow the actor to impersonate users, enabling them to access enterprise cloud applications and services.

Microsoft Defender for Endpoint and Microsoft Defender for Identity detect the actions that attackers take to steal the encryption key needed to decrypt the SAML signing certificate. Both solutions leverage unique LDAP telemetry to raise high-severity alerts highlighting the attacker’s progress towards creating illicit SAML tokens.

Figure 15. Microsoft Defender for Endpoint detects a suspicious LDAP query being launched and an attempted AD FS private key extraction

Figure 16. Microsoft Defender for Identity detects private key extraction via malicious LDAP requests

For the second path, the attackers create their own SAML signing certificate outside of the organization’s environment. With Azure AD administrative permissions, they then add the new certificate as a trusted object. The following advanced hunting query over Azure AD audit logs shows when domain federation settings are changed, helping to discover where the attackers configured the domain to accept authorization tokens signed by their own signing certificate. As these are rare actions, we advise verifying that any instances identified are the result of legitimate administrative activity.

ADFSDomainTrustMods

let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set federation settings on domain."
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetDisplayName = targetDetails.Name
| extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
| project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, targetDisplayName, resultStatus, InitiatingIPAddress=IPAddress, UserAgent

If the SAML signing certificate is confirmed to be compromised or the attacker has added a new one, follow the best practices for invalidating it through certificate rotation to prevent further use and creation of SAML tokens by the attacker. Additionally, affected AD FS servers may need to be isolated and remediated to ensure no remaining attacker control or persistence.

If the attackers accomplish either path, they gain the ability to create illicit SAML tokens for the identities of their choosing and bypass multifactor authentication (MFA), since the service or application accepting the token assumes MFA is a necessary previous step in creating a properly signed token. To prevent attackers from progressing to the next stage, which is to access cloud resources, the attack should be discovered and remediated at this stage.

Detecting the hands-on-keyboard activity in the cloud environment

Figure 17. Solorigate attack chain: Hands-on-keyboard attack in the cloud

With the ability to create illicit SAML tokens, the attackers can access sensitive data without having to originate from a compromised device or be confined to on-premises persistence. By abusing API access via existing OAuth applications or service principals, they can attempt to blend into the normal pattern of activity, most notably apps or service principals with existing Mail.Read or Mail.ReadWrite permissions to read email content via Microsoft Graph from Exchange Online. If the application does not already have read permissions for emails, then the app may be modified to grant those permissions.

Identifying unusual addition of credentials to an OAuth app

Microsoft Cloud App Security (MCAS) has added new automatic detection of unusual credential additions to an OAuth application to alert SOCs about apps that have been compromised to extract data from the organization. This detection logic is built on an anomaly detection engine that learns from each user in the environment, filtering out normal usage patterns to ensure alerts highlight real attacks and not false positives. If you see this alert in your environment and confirm malicious activity, you should take immediate action to suspend the user, mark the user as compromised, reset the user’s password, and remove the credential additions. You may consider disabling the application during investigation and remediation.

Figure 18. Microsoft Defender Cloud App Security alert for unusual addition of credentials to an OAuth app

SOCs can use the following Microsoft 365 Defender advanced hunting query over Azure AD audit logs to examine when new credentials have been added to a service principal or application. In general, credential changes may be rare depending on the type and use of the service principal or application. SOCs should verify unusual changes with their respective owners to ensure they are the result of legitimate administrative actions.

NewAppOrServicePrincipalCredential

let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType in ("Add service principal.", "Add service principal credentials.", "Update application – Certificates and secrets management ")
| extend RawEventData = parse_json(RawEventData)
| where RawEventData.ResultStatus =~ “success”
| where AccountDisplayName has “@”
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetId = targetDetails.Id
| extend targetType = targetDetails.Type
| extend targetDisplayName = targetDetails.Name
| extend keyEvents = RawEventData.ModifiedProperties
| where keyEvents has "KeyIdentifier=" and keyEvents has "KeyUsage=Verify"
| mvexpand keyEvents
| where keyEvents.Name =~ "KeyDescription"
| parse keyEvents.NewValue with * "KeyIdentifier=" keyIdentifier:string ",KeyType=" keyType:string ",KeyUsage=" keyUsage:string ",DisplayName=" keyDisplayName:string "]" *
| parse keyEvents.OldValue with * "KeyIdentifier=" keyIdentifierOld:string ",KeyType" *
| where keyEvents.OldValue == "[]" or keyIdentifier != keyIdentifierOld
| where keyUsage == "Verify"
| project-away keyEvents
| project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, InitiatingIPAddress=IPAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier
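The same filtering logic as the NewAppOrServicePrincipalCredential query, written as an added Python example (not Microsoft's code) so it can be run offline over constructed CloudAppEvents-like rows; unlike the query's single parse, it inspects every key listed in a KeyDescription value, and all names, IPs and key identifiers in the sample rows are placeholders.

```python
import re

# Added example (not Microsoft's code): the NewAppOrServicePrincipalCredential
# filter above, run over constructed CloudAppEvents-like rows. Unlike the query's
# single parse, it inspects every key listed in a KeyDescription value.
CREDENTIAL_ACTIONS = {
    "Add service principal.",
    "Add service principal credentials.",
    "Update application – Certificates and secrets management ",
}
KEY_RE = re.compile(
    r"KeyIdentifier=(?P<id>[^,\]]+),KeyType=(?P<type>[^,\]]+)"
    r",KeyUsage=(?P<usage>[^,\]]+),DisplayName=(?P<name>[^\]]*)\]"
)

def parse_key_descriptions(value):
    """Map KeyIdentifier -> {id, type, usage, name} for each '[KeyIdentifier=...]' entry."""
    return {m.group("id"): m.groupdict() for m in KEY_RE.finditer(value or "")}

def new_verify_keys(event):
    """Keys this event added with KeyUsage=Verify, or [] if the event fails the
    query's filters: credential action, success, initiated by a user (has '@')."""
    raw = event["RawEventData"]
    if (event["ActionType"] not in CREDENTIAL_ACTIONS
            or raw.get("ResultStatus", "").lower() != "success"
            or "@" not in event["AccountDisplayName"]):
        return []
    target = event["ActivityObjects"][1]  # same index the query uses
    hits = []
    for prop in raw.get("ModifiedProperties", []):
        if prop.get("Name") != "KeyDescription":
            continue
        old = parse_key_descriptions(prop.get("OldValue"))
        for kid, key in parse_key_descriptions(prop.get("NewValue")).items():
            if kid not in old and key["usage"] == "Verify":  # newly added verify key
                hits.append({"Timestamp": event["Timestamp"],
                             "InitiatingUserOrApp": event["AccountDisplayName"],
                             "InitiatingIPAddress": event["IPAddress"],
                             "targetDisplayName": target["Name"], "targetType": target["Type"],
                             "keyIdentifier": kid, "keyType": key["type"], "keyDisplayName": key["name"]})
    return hits

# Constructed rows; names, IPs and key identifiers are placeholders, not real tenant data.
OLD_KEY = "[KeyIdentifier=key-old,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=old]"
NEW_KEY = "[KeyIdentifier=key-new,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=new]"
FLAGGED = {  # a user adds a second certificate to an existing app
    "Timestamp": "2021-01-20T10:00:00Z",
    "ActionType": "Update application – Certificates and secrets management ",
    "AccountDisplayName": "admin@example.test", "IPAddress": "203.0.113.10",
    "ActivityObjects": [{"Type": "User"}, {"Type": "Application", "Name": "MailSync"}],
    "RawEventData": {"ResultStatus": "Success", "ModifiedProperties": [
        {"Name": "KeyDescription", "OldValue": f"[{OLD_KEY}]", "NewValue": f"[{OLD_KEY},{NEW_KEY}]"}]},
}
UNCHANGED = dict(FLAGGED, RawEventData={"ResultStatus": "Success", "ModifiedProperties": [
    {"Name": "KeyDescription", "OldValue": f"[{OLD_KEY}]", "NewValue": f"[{OLD_KEY}]"}]})
BY_APP = dict(FLAGGED, AccountDisplayName="Sync Bot")  # no '@': the query excludes app-initiated changes
SAMPLE_EVENTS = [FLAGGED, UNCHANGED, BY_APP]
```

Running `new_verify_keys` over `SAMPLE_EVENTS` flags only the first row, with `key-new` as the added key.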

Discovering malicious access to mail items

OAuth applications or service principals with Mail.Read or Mail.ReadWrite permissions can read email content from Exchange Online via the Microsoft Graph. To help increase visibility on these behaviors, the MailItemsAccessed action is now available via the new Exchange mailbox advanced audit functionality. Check whether this feature is enabled by default for your tenant. Important note for customers: If you have customized the list of audit events you are collecting, you may need to manually enable this telemetry.

If more than 1,000 MailItemsAccessed audit records are generated in less than 24 hours, Exchange Online stops generating auditing records for MailItemsAccessed activity for 24 hours and then resumes logging after this period. This throttling behavior is a good starting point for SOCs to discover potentially compromised mailboxes.

MailItemsAccessedThrottling

let starttime = 2d;
let endtime = 1d;
CloudAppEvents
| where Timestamp between (startofday(ago(starttime))..startofday(ago(endtime)))
| where ActionType == "MailItemsAccessed"
| where isnotempty(RawEventData['ClientAppId']) and RawEventData['OperationProperties'][1] has "True"
| project Timestamp, RawEventData['OrganizationId'], AccountObjectId, UserAgent

In addition to looking for throttled telemetry, you can also hunt for OAuth applications reading mail via the Microsoft Graph API whose behavior differs from a prior baseline period.

OAuthGraphAPIAnomalies

// Look for OAuth apps reading mail via Graph API that did not read mail via Graph API in the prior week
let appMailReadActivity = (timeframeStart:datetime, timeframeEnd:datetime) {
CloudAppEvents
| where Timestamp between (timeframeStart .. timeframeEnd)
| where ActionType == "MailItemsAccessed"
| where RawEventData has “00000003-0000-0000-c000-000000000000” // performance check
| extend rawData = parse_json(RawEventData)
| extend AppId = tostring(parse_json(rawData.AppId))
| extend OAuthAppId = tostring(parse_json(rawData.ClientAppId)) // extract OAuthAppId
| summarize by OAuthAppId
};
appMailReadActivity(ago(1d),now()) // detection period
| join kind = leftanti appMailReadActivity(ago(7d),ago(2d)) // baseline period
on OAuthAppId
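Both mailbox-access hunts above, MailItemsAccessedThrottling and OAuthGraphAPIAnomalies, re-expressed as an added Python example (not Microsoft's code) over constructed CloudAppEvents-like rows; it assumes OperationProperties is a list of {Name, Value} pairs with an IsThrottled entry (the query's index-1 `has "True"` test), and all app and user ids are placeholders.

```python
from datetime import datetime, timedelta, timezone

# Added example (not Microsoft's code): the MailItemsAccessedThrottling and
# OAuthGraphAPIAnomalies hunts above, re-expressed in Python over constructed
# CloudAppEvents-like rows so the logic can be studied offline.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, as in the query

def ts(s):
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def throttled_mailboxes(events, start, end):
    """Mailboxes (AccountObjectId) whose MailItemsAccessed records in [start, end) carry
    IsThrottled=True. Assumes OperationProperties is a list of {Name, Value} pairs, which
    is what the query's RawEventData['OperationProperties'][1] has "True" test relies on."""
    hits = set()
    for e in events:
        if e["ActionType"] != "MailItemsAccessed" or not (start <= e["Timestamp"] < end):
            continue
        raw = e["RawEventData"]
        if not raw.get("ClientAppId"):  # the query keeps only application (OAuth) access
            continue
        props = {p["Name"]: p["Value"] for p in raw.get("OperationProperties", [])}
        if props.get("IsThrottled") == "True":
            hits.add(e["AccountObjectId"])
    return hits

def mail_reading_apps(events, start, end):
    """OAuth app ids (ClientAppId) that read mail through Microsoft Graph in [start, end)."""
    return {e["RawEventData"]["ClientAppId"] for e in events
            if e["ActionType"] == "MailItemsAccessed" and start <= e["Timestamp"] < end
            and e["RawEventData"].get("AppId") == GRAPH_APP_ID and e["RawEventData"].get("ClientAppId")}

def new_mail_readers(events, now):
    """Apps reading mail in the last day with no such activity in the 7d..2d baseline
    window: the set difference the query expresses as a leftanti join."""
    detection = mail_reading_apps(events, now - timedelta(days=1), now)
    baseline = mail_reading_apps(events, now - timedelta(days=7), now - timedelta(days=2))
    return detection - baseline

def mail_event(when, app, user, throttled=False):
    """Constructed MailItemsAccessed row; app and user ids are placeholders, not real data."""
    return {"Timestamp": ts(when), "ActionType": "MailItemsAccessed", "AccountObjectId": user,
            "RawEventData": {"AppId": GRAPH_APP_ID, "ClientAppId": app, "OperationProperties": [
                {"Name": "MailAccessType", "Value": "Bind"},
                {"Name": "IsThrottled", "Value": "True" if throttled else "False"}]}}

NOW = ts("2021-01-20T12:00:00")
SAMPLE_EVENTS = [
    mail_event("2021-01-15T09:00:00", "app-known", "user-a"),      # seen in the baseline window
    mail_event("2021-01-20T08:00:00", "app-known", "user-a"),      # still reading today: expected
    mail_event("2021-01-20T09:30:00", "app-new", "user-b", True),  # first seen today, and throttled
]
```

With the sample rows, `new_mail_readers` returns only `app-new`, and `throttled_mailboxes` over 2021-01-20 returns only `user-b`.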

Microsoft 365 Defender’s cross-domain XDR correlation enables stronger response to critical security incidents

Like the rest of the security industry, Microsoft continues to track the Solorigate attack, an active threat that continues to unfold as well as evolve. As part of empowering our customers and the larger security community to respond to this attack through sharing intelligence and providing advice, this blog serves to guide Microsoft 365 customers to take full advantage of the comprehensive visibility and the rich investigation tools available in Microsoft 365 Defender. This blog shows that many of the existing capabilities in Microsoft 365 Defender help address this attack, but the unique scenarios created by the threat resulted in some Solorigate-specific detections and other innovative protections, including ones that are made possible by deeply integrated cross-domain threat defense.

For additional information and further guidance, refer to these Microsoft resources:

Microsoft will continue to provide public information about the patterns and techniques of this attack and related intelligence for customers to defend themselves, in addition to enhancing the protection capabilities of Microsoft security solutions.

Appendix: Additional details for detection and hunting

Detection details

Attack stage and corresponding Microsoft 365 Defender detection or alert:

Attack stage: Initial access
Microsoft Defender for Endpoint:

  • ‘Solorigate’ high-severity malware was detected/blocked/prevented (Trojan:MSIL/Solorigate.BR!dha)
  • SolarWinds Malicious binaries associated with a supply chain attack

Attack stage: Execution and persistence
Microsoft Defender for Endpoint:

Attack stage: Command and Control
Microsoft Defender for Endpoint:

Attack stage: Defense evasion
Microsoft Defender for Endpoint:

  • Suspicious audit policy tampering

Attack stage: Reconnaissance
Microsoft Defender for Endpoint:

  • Masquerading Active Directory exploration tool
  • Suspicious sequence of exploration activities
  • Execution of suspicious known LDAP query fragments

Attack stage: Credential access
Microsoft Defender for Endpoint:

  • Suspicious access to LSASS (credential access)
  • AD FS private key extraction attempt
  • Possible attempt to access ADFS key material
  • Suspicious ADFS adapter process created

Microsoft Defender for Identity:

  • Unusual addition of permissions to an OAuth app
  • Active Directory attributes Reconnaissance using LDAP

Microsoft Cloud App Security:

  • Unusual addition of credentials to an OAuth app

Attack stage: Lateral movement
Microsoft Defender for Endpoint:

  • Suspicious file creation initiated remotely (lateral movement)
  • Suspicious Remote WMI Execution (lateral movement)

Attack stage: Exfiltration
Microsoft Defender for Endpoint:

  • Suspicious mailbox export or access modification
  • Suspicious archive creation

Advanced hunting queries