The Microsoft partner ecosystem plays a central role in our joint customers’ success and allows us to scale more quickly. Our partners develop innovative solutions across a range of industries and lead customers on their digital imperatives journey. I am looking forward to our biggest partner event, Microsoft Inspire, where you will learn how Microsoft enables you, the partners, to scale your solutions to help customers in every industry transform. Join me and my colleagues live from July 19 to 20 (or on-demand) to hear from Microsoft leaders on industry products, partner opportunities, and successes, and have the chance to put questions to our team of experts.
Our promise to partners
To help our partners benefit from the tremendous growth that we are seeing across industries, we have developed four primary value propositions:
Build. Our partners build on the Microsoft Cloud for industries (Manufacturing, Retail, Financial Services, Healthcare, Nonprofit) as a platform, using their capabilities to enrich solutions already in the market—either for a specific customer or at scale. The Microsoft Industry Cloud Platform helps industries transform with speed and agility, with solutions that address customer business needs.
Enrich. Partners make more of the Microsoft Cloud for Industry by building or updating software as a service (SaaS) or platform as a service (PaaS) solutions that take advantage of unmet customer needs. With unified data and analytics, partners can now remove traditional data siloes for customers and extend the core capabilities of the Cloud for Industry.
Unlock. Partners can unlock new revenue and high-value service opportunities, including adapting the Microsoft Cloud for Industry to each customer’s environment and business processes. Partners are empowered to start new conversations and solve new customer scenarios by leveraging our go-to-market (GTM) offers and incentives.
Scale. We facilitate strong partner-to-partner connections so they can bring the best value to our customers. They also can work with Microsoft to provide the best solutions for customers, and co-sell with Microsoft to understand customer needs and leverage the Microsoft sales team to advance customer opportunities.
Make the most of your Microsoft Inspire journey
Microsoft Inspire has a lot to offer; here are a few recommendations for you:
Join Judson Althoff, Microsoft EVP and Chief Commercial Officer, as he kicks off day two of Microsoft Inspire. You will hear about the outsized opportunities partners have as we bring the unique value of the Microsoft Cloud to more customers than ever, together. Judson will also share the importance of digital perseverance in navigating uncertainty and why leaning into innovation is the only path forward.
Join Nick Parker, President, Industry and Partner Sales, and Alysa Taylor, Corporate Vice President, Industry, Apps and Data Marketing, to discuss how to put Microsoft Industry Clouds and opportunities into perspective.
Join us for a panel discussion and gain key insights into Microsoft’s industry innovation and investments. Learn about the opportunity this creates for your business, investments we are making to enable partner solutions, and how we can help you scale through our GTM engines.
Through a series of in-depth discussions, you’ll discover details of Microsoft’s commitment to sustainability, the business opportunities that can come from adopting a comprehensive sustainability strategy, and how your organization can partner with Microsoft to implement sustainability solutions.
Attend industry-focused sessions:
On-demand sessions. We also have a wide array of sessions on-demand, so you can watch when convenient—even after Microsoft Inspire. These include:
Networking with friends. Even though Microsoft Inspire is virtual, there will be plenty of opportunities to network with peers or just see old friends. Start now in our Connection Zone: build your profile and make a contact list.
Time to get inspired!
I hope you’re looking forward to Microsoft Inspire as much as I am. It’s a chance for us to celebrate you, our partners, reaffirm our commitment to serving our customers across all industries, and demonstrate our commitment to equipping our partners with the most innovative tools and technologies in the industry.
Congratulations to our Partner of the Year winners! You exemplify what’s possible when we connect the potential of technology to the challenges of our customers – and the world.
Two years into our sustained commitment to address racial inequity both inside and outside Microsoft, it’s inspiring to see how entrepreneurs like Gilbert Campbell, Ryan Johnson, Christopher Peay, and Charisse Bremond Weaver are creating new opportunity in their communities.
We’re expanding our employee experience platform Microsoft Viva to include new capabilities to meet the needs of specific roles, with the introduction of Viva Sales.
Microsoft is reimagining the selling experience and empowering every salesperson with Viva Sales, a new application where sellers use Microsoft 365 and Teams to automatically capture data in any #CRM system. Viva Sales empowers sellers to stay in the flow of their work, where they are moving deals along using Teams and Office while enriching their CRM system with new customer data. https://lnkd.in/dKei9Rkj
With Azure Arc, we’re bringing the power of Azure anywhere, helping customers in every industry innovate across their datacenter, multi-cloud, and edge environments.
One of the things I hear most often from our customers is how new #cloud-based applications are imperative for driving business forward – which is why I’m excited to announce the general availability of #Azure Machine Learning for hybrid and multicloud deployments with Azure Arc! Our Microsoft team is committed to meeting customers where they are so they can efficiently and securely bring new solutions to life. I’m amazed by the ways customers have used Azure and Azure Arc to create innovative solutions. View today’s on-demand sessions to learn how you can use Azure Arc to extend Azure platform capabilities to datacenters, edge, and multicloud environments.
People with disabilities continue to be underrepresented in part because their needs and demographics aren’t widely counted. We’re working with The World Bank and other partners to help address this critical data challenge.
Understanding #disability around the world is key to tackling the disability divide. Yet data on disability remains fragmented around the world. Proud to partner with The World Bank, Charlotte McClain-Nhlapo and her incredible colleagues on a new Disability Data Hub to help tackle this.
Read more below: https://lnkd.in/geTZKx99
Xbox is on a mission to bring the joy of gaming to everyone on the planet. Over the next 12 months, fans will experience our most creative and diverse line up of back-to-back game launches yet.
Gaming is for everyone, everywhere, and we’re committed to bringing the joy and community of gaming to billions of players around the world on Xbox, PC, and other devices, with the power of Xbox Cloud Gaming.
As we make Microsoft Cloud for Sustainability generally available today, see how Grupo Bimbo, the world’s largest baking company, is already using the platform to help achieve net zero carbon emissions, one of its key sustainability goals.
We’re honoring #Pride this month with inclusive product releases, new donations, and by sharing powerful stories of colleagues who are making a difference around the world.
We’re thrilled Netflix has selected Microsoft as its advertising technology and sales partner. We want publishers to have more long-term viable ad monetization platforms, so more people can access the content they love wherever they are.
We’re thrilled to be named Netflix’s technology and sales partner to help power their first ad-supported subscription offering.
At launch, consumers will have more options to access Netflix’s award-winning content. Marketers looking to Microsoft for their advertising needs will have access to the Netflix audience and premium connected TV inventory. All ads served on Netflix will be exclusively available through the Microsoft platform. Today’s announcement also endorses Microsoft’s approach to privacy, which is built on protecting customers’ information.
This is a big day for Netflix and Microsoft. We’re excited to offer new premium value to our ecosystem of marketers and partners while helping Netflix deliver more choice to their customers.
“In April we announced that we will introduce a new lower priced ad-supported subscription plan for consumers, in addition to our existing ads-free basic, standard, and premium plans. Today we are pleased to announce that we have selected Microsoft as our global advertising technology and sales partner.
“Microsoft has the proven ability to support all our advertising needs as we together build a new ad-supported offering. More importantly, Microsoft offered the flexibility to innovate over time on both the technology and sales side, as well as strong privacy protections for our members.
“It’s very early days and we have much to work through. But our long-term goal is clear: More choice for consumers and a premium, better-than-linear TV brand experience for advertisers. We’re excited to work with Microsoft as we bring this new service to life.”
Building great relationships requires trust, honesty, mutual support, and appreciation. From our first conversation with designer and creative powerhouse Gavin Mathieu, there was an immediate sense of connection—one that was rooted in mutual respect and a shared goal: creating something together that uplifts others. This is why we’re proud to announce the launch of Hardwear, our first capsule collection of clothing and merchandise under the Microsoft brand and in partnership with Gavin.
Raised in South Central LA, Gavin spent years fostering community among creators like himself, including Jerry Lorenzo and Nipsey Hussle, before starting his own successful brand, Supervsn. When you spend any amount of time with Gavin, you’re immediately struck by his ability to make everyone in the room feel like family. The warmth and acceptance people feel in his presence is exactly what all of us look for in a community.
Cocreating with Gavin began with a shared philosophy. At Microsoft we often say, ‘You don’t work here to look cool, you work at Microsoft to make others cool.’ Gavin’s thinking and history are right in line with that. With a focus on people rather than products, Gavin creates to uplift and empower others, a guiding principle and mission that drives everything we do at Microsoft. The collection therefore reflects the Normcore style, a lifestyle aesthetic that puts the focus on individuals and not on the clothing they wear.
What Gavin has designed for this collection captures the spirit of our discussions on enabling people to move and create in a way that helps them make the most impact. Gavin believes, “humans are at their highest level of self when they create.” And we believe that expression should be effortless. This is why Hardwear is simple and designed to reduce any distractions to creativity: it’s a nine-piece collection of tees, hats, sweats, jackets, and pants. Every piece is intentional, and there is meaning behind each item in Hardwear. Here, Gavin explains why he chose MS Paint as a design element for one of the pieces in this collection: Gavin Mathieu explains how Microsoft inspired him to be a designer.
While cocreation can be messy, this partnership brought with it a sense of ease. Maybe it was because we all leaned into the often complex and sometimes challenging process that happens when creating with passionate individuals, who all have unique suggestions and differing opinions. This collaboration was fueled by openness, vulnerability, and the belief that often the most resonant ideas are built from the inclusion of diverse perspectives.
For Hardwear, our community was a team of people who made strides daily, building each other’s confidence by having honest conversations and creating space for suggestions and improvements. This campaign tested our comfort and challenged us at times, but what pushed us forward was seeing the inclusion of diverse voices throughout the process and the unique perspectives on what drives those who want to improve themselves and the world around them, as well as what can distract people from progressing toward their goals.
It’s important for us to work with creators who are focused on inspiring communities and making a positive impact in the world, because enabling and empowering people to achieve more is what drives everything we do at Microsoft. And with Hardwear, it’s as much of the how as it is the what. From the talent of our people to the capsule collection launch, to the diversity of those behind and in front of the camera and our agency partners, cultural nuance and perspective are the key ingredients that make this a collection we’re proud to share with our own communities.
As we worked on this, Gavin encouraged us to broaden the aperture for who we define as a creator. All of us create. So, check out the collection, but don’t stop at the clothes. Understand and carry the message that creativity is not on you, it’s in you, and it knows no bounds.
A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets. Based on our threat data, the AiTM phishing campaign attempted to target more than 10,000 organizations since September 2021.
Figure 1. Overview of AiTM phishing campaign and follow-on BEC
Phishing remains one of the most common techniques attackers use to gain initial access to organizations. According to the 2021 Microsoft Digital Defense Report, reports of phishing attacks doubled in 2020, and phishing is the most common type of malicious email observed in our threat signals. MFA provides an added layer of protection against credential theft, and more organizations are expected to adopt it, especially in countries and regions where governments are mandating it. Unfortunately, attackers are also finding new ways to circumvent this security measure.
In AiTM phishing, attackers deploy a proxy server between a target user and the website the user wishes to visit (that is, the site the attacker wishes to impersonate). Such a setup allows the attacker to steal and intercept the target’s password and the session cookie that proves their ongoing and authenticated session with the website. Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses.
Microsoft 365 Defender detects suspicious activities related to AiTM phishing attacks and their follow-on activities, such as session cookie theft and attempts to use the stolen cookie to sign in to Exchange Online. However, to further protect themselves from similar attacks, organizations should also consider complementing MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals such as user or group membership, IP location information, and device status.
While AiTM phishing isn’t new, our investigation allowed us to observe and analyze the follow-on activities stemming from the campaign—including cloud-based attack attempts—through cross-domain threat data from Microsoft 365 Defender. These observations also let us improve and enrich our solutions’ protection capabilities. This campaign thus also highlights the importance of building a comprehensive defense strategy. As the threat landscape evolves, organizations need to assume breach and understand their network and threat data to gain complete visibility and insight into complex end-to-end attack chains.
In this blog, we’ll share our technical analysis of this phishing campaign and the succeeding payment fraud attempted by the attackers. We’ll also provide guidance for defenders on protecting organizations from this threat and how Microsoft security technologies detect it.
How AiTM phishing works
Every modern web service implements a session with a user after successful authentication so that the user doesn’t have to be authenticated at every new page they visit. This session functionality is implemented through a session cookie provided by an authentication service after initial authentication. The session cookie is proof for the web server that the user has been authenticated and has an ongoing session on the website. In AiTM phishing, an attacker attempts to obtain a target user’s session cookie so they can skip the whole authentication process and act on the latter’s behalf.
To do this, the attacker deploys a web server that proxies HTTP traffic in both directions between the user visiting the phishing site and the target server the attacker wishes to impersonate. Because every request and response is relayed to and from the original website, the phishing site is visually identical to it, and the attacker doesn’t need to craft their own phishing page as in conventional phishing campaigns. The URL is the only visible difference between the phishing site and the real one.
Figure 2 below illustrates the AiTM phishing process:
Figure 2. AiTM phishing website intercepting the authentication process
The phishing page has two different Transport Layer Security (TLS) sessions—one with the target and another with the actual website the target wants to access. These sessions mean that the phishing page practically functions as an AiTM agent, intercepting the whole authentication process and extracting valuable data from the HTTP requests such as passwords and, more importantly, session cookies. Once the attacker obtains the session cookie, they can inject it into their browser to skip the authentication process, even if the target’s MFA is enabled.
The AiTM phishing process can be automated with open-source phishing toolkits and other online resources. Widely used kits include Evilginx2, Modlishka, and Muraena.
Tracking an AiTM phishing campaign
Using Microsoft 365 Defender threat data, we detected multiple iterations of an AiTM phishing campaign that attempted to target more than 10,000 organizations since September 2021. These runs appear to be linked together and target Office 365 users by spoofing the Office online authentication page.
Based on our analysis, these campaign iterations use the Evilginx2 phishing kit as their AiTM infrastructure. We also uncovered similarities in their post-breach activities, including enumeration of sensitive data in the target’s mailbox and payment fraud.
Initial access
In one of the runs we’ve observed, the attacker sent emails with an HTML file attachment to multiple recipients in different organizations. The email message informed the target recipients that they had a voice message.
Figure 3. Sample phishing email with HTML file attachment
When a recipient opened the attached HTML file, it was loaded in the user’s browser and displayed a page informing the user that the voice message was being downloaded. Note, however, that the download progress bar was hardcoded in the HTML file, so no MP3 file was being fetched.
Figure 4. HTML file attachment loaded in the target’s browser
Figure 5. Source code of the HTML attachment
Instead, the page redirected the user to a redirector site:
Figure 6. Screenshot of the redirector site
This redirector acted as a gatekeeper to ensure the target user had arrived from the original HTML attachment. To do this, it first checked whether the expected fragment value in the URL (in this case, the user’s email address encoded in Base64) was present. If it was, the page appended that value to the phishing site’s landing page URL, which was itself stored Base64-encoded in the “link” variable (see Figure 7 below).
Figure 7. A redirection logic included in the <script> tag of the redirector site
By combining the two values, the phishing landing page automatically pre-filled the sign-in form with the user’s email address, strengthening the social engineering lure. The check also served as evasion: a conventional anti-phishing scanner that requests the redirector URL without the expected fragment is never forwarded to the phishing page.
In other instances, we observed that the redirector page used the following URL format:
hxxp://[username].[wildcard domain].[tld]/#[user email encoded in Base64]
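As an added example written for this page (not code from the original post or from any Microsoft product), the following detection helper checks a candidate URL against the redirector pattern above: it decodes the URL fragment as Base64, tests whether the result is an e-mail address, and notes whether the leftmost DNS label repeats that address’s local part. The sample URLs, the domain names and the `hxxp` defanging convention are constructed for the example.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlsplit

# Example detection helper written for this page; it is not code from the
# original post or from any Microsoft product. It checks a URL against the
# redirector pattern described above:
#   hxxp://[username].[wildcard domain].[tld]/#[user email encoded in Base64]

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def refang(url: str) -> str:
    """Undo the hxxp/hxxps defanging commonly used when sharing indicators."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def encode_fragment(email: str) -> str:
    """Base64-encode an address the way the observed redirector expected it
    (used here only to build constructed test URLs)."""
    return base64.b64encode(email.encode("utf-8")).decode("ascii")


def decode_fragment(fragment: str) -> Optional[str]:
    """Return the fragment decoded as Base64 text, or None if it is not Base64."""
    if not fragment:
        return None
    padded = fragment + "=" * (-len(fragment) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_url(url: str) -> dict:
    """Flag URLs whose fragment is a Base64-encoded e-mail address, and note
    whether the leftmost DNS label repeats the address's local part, as in the
    variant quoted above."""
    parts = urlsplit(refang(url))
    decoded = decode_fragment(parts.fragment)
    email = decoded if decoded and EMAIL_RE.match(decoded) else None
    labels = parts.hostname.split(".") if parts.hostname else []
    local_part = email.split("@")[0].lower() if email else None
    username_in_host = (
        local_part is not None and len(labels) >= 3 and labels[0].lower() == local_part
    )
    return {
        "url": url,
        "email": email,
        "fragment_is_email": email is not None,
        "username_in_host": username_in_host,
        "suspicious": email is not None,
    }


if __name__ == "__main__":
    # Constructed sample URLs (no real infrastructure).
    samples = [
        "hxxp://jdoe.example-wildcard.test/#" + encode_fragment("jdoe@contoso.example"),
        "https://docs.example.org/page#section-2",
    ]
    for s in samples:
        print(analyze_url(s))
```

Because browsers never send the fragment to the server, this check has to run where the full URL is visible: on links extracted from the HTML attachment or e-mail body, or on browser-side URL telemetry, rather than in web server logs.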
The phishing site proxied the organization’s Azure Active Directory (Azure AD) sign-in page, which is typically login.microsoftonline.com. If the organization had configured their Azure AD to include their branding, the phishing site’s landing page also contained the same branding elements.
Figure 10. A mockup of a phishing landing page that retrieves the Azure AD branding of an organization
Once the target entered their credentials and was authenticated, they were redirected to the legitimate office.com page. In the background, however, the attacker intercepted those credentials and the resulting session cookie and was authenticated on the user’s behalf. This allowed the attacker to perform follow-on activities, in this case payment fraud, from within the organization.
Post-breach BEC
Payment fraud is a scheme wherein an attacker tricks a fraud target into transferring payments to attacker-owned accounts. It can be achieved by hijacking and replying to ongoing finance-related email threads in the compromised account’s mailbox and luring the fraud target to send money through fake invoices, among others.
Based on our analysis of Microsoft 365 Defender threat data and our investigation of related alerts from our customers, we found that the attacker launched follow-on payment fraud as little as five minutes after credential and session theft. After a compromised account signed in to the phishing site for the first time, the attacker used the stolen session cookie to authenticate to Outlook on the web (outlook.office.com). In multiple cases, the cookies carried an MFA claim, so even where the organization enforced an MFA policy, the replayed cookie gave the attacker access on behalf of the compromised account.
Finding a target
In the days following the cookie theft, the attacker accessed finance-related emails and file attachments every few hours and searched for ongoing email threads where payment fraud would be feasible. The attacker also deleted the original phishing email from the compromised account’s Inbox folder to hide traces of the initial access.
These activities suggest the attacker committed the payment fraud manually. They also worked entirely in the cloud: using Outlook Web Access (OWA) in a Chrome browser, the attacker performed these actions with the compromised account’s stolen session cookie.
Once the attacker found a relevant email thread, they proceeded with their evasion techniques. Because they didn’t want the compromised account’s user to notice any suspicious mailbox activities, the attacker created an Inbox rule with the following logic to hide any future replies from the fraud target:
“For every incoming email where sender address contains [domain name of the fraud target], move the mail to “Archive” folder and mark it as read.”
Conducting payment fraud
Right after the rule was set, the attacker proceeded to reply to ongoing email threads related to payments and invoices between the target and employees from other organizations, as indicated in the created Inbox rule. The attacker then deleted their replies from the compromised account’s Sent Items and Deleted Items folders.
Several hours after the initial fraud attempt was performed, the attacker signed in once every few hours to check if the fraud target replied to their email. In multiple instances, the attacker communicated with the target through emails for a few days. After sending back responses, they deleted the target’s replies from the Archive folder. They also deleted their emails from the Sent Items folder.
On one occasion, the attacker conducted multiple fraud attempts simultaneously from the same compromised mailbox. Every time the attacker found a new fraud target, they updated the Inbox rule they created to include these new targets’ organization domains.
Below is a summary of the campaign’s end-to-end attack chain based on threat data from Microsoft 365 Defender:
Figure 11. AiTM phishing campaign and follow-on BEC in the context of Microsoft 365 Defender threat data
Defending against AiTM phishing and BEC
This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organizations put in place to defend themselves against potential attacks. And since credential phishing was leveraged in many of the most damaging attacks last year, we expect similar attempts to grow in scale and sophistication.
While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA remains an essential pillar of identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place. Organizations can make their MFA implementation phishing-resistant by using methods based on FIDO2 (WebAuthn) or certificate-based authentication, both of which are bound to the legitimate site and cannot be completed through an attacker’s proxy.
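To show why FIDO2 resists the proxy described in this post, here is an added example, written for this page and not taken from Microsoft’s code, of the relying-party checks that bind a WebAuthn assertion to the real site. The browser records the page origin in `clientDataJSON`, the authenticator puts SHA-256 of the relying-party ID at the start of `authenticatorData`, and the signature covers both, so a proxy on a look-alike domain cannot present an assertion that passes. The relying-party ID, origin and challenge values are assumptions for the example, and public-key signature verification is omitted.

```python
import base64
import hashlib
import json
from dataclasses import dataclass
from typing import Tuple

# Illustration written for this page of why FIDO2 (WebAuthn) resists AiTM proxies.
# It is a simplified relying-party check, not Microsoft code, and it omits the
# public-key signature verification. Two values bind the assertion to the site:
#   * clientDataJSON.origin, filled in by the browser from the page the user is on
#   * authenticatorData[0:32] = SHA-256(rpId), set by the authenticator
# The authenticator signs authenticatorData || SHA-256(clientDataJSON), so a proxy
# on a look-alike domain cannot rewrite either value without invalidating the
# signature. The relying-party identity below is assumed for the example.

RP_ID = "login.microsoftonline.com"
ALLOWED_ORIGINS = {"https://login.microsoftonline.com"}


@dataclass
class Assertion:
    client_data_json: bytes
    authenticator_data: bytes


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> Assertion:
    """Construct what a browser on `origin` plus an authenticator scoped to
    `rp_id` would return (constructed data; flags=UP, counter=0)."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    return Assertion(json.dumps(client_data).encode("utf-8"), auth_data)


def signed_payload(a: Assertion) -> bytes:
    """Bytes covered by the authenticator's signature (WebAuthn authenticatorGetAssertion)."""
    return a.authenticator_data + hashlib.sha256(a.client_data_json).digest()


def verify_binding(a: Assertion, expected_challenge: bytes) -> Tuple[bool, str]:
    """Relying-party checks that a proxied or replayed login cannot satisfy."""
    client = json.loads(a.client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or cross-session reuse)"
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client.get('origin')!r} not allowed"
    if a.authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not a.authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"\x11" * 32
    legit = make_assertion("https://login.microsoftonline.com", RP_ID, challenge)
    # A proxy at a look-alike domain can only get the browser to sign for *its* origin
    # and rpId; the browser refuses a request whose rpId is not a suffix of the origin.
    proxied = make_assertion("https://login.microsoftonline.com.evil-proxy.example",
                             "login.microsoftonline.com.evil-proxy.example", challenge)
    print("legitimate:", verify_binding(legit, challenge))
    print("via AiTM proxy:", verify_binding(proxied, challenge))
```

The contrast with a password plus one-time code is the point: the code is a bearer value the proxy can relay, whereas the WebAuthn signature is tied to an origin the browser fills in itself and the attacker cannot control.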
Defenders can also complement MFA with the following solutions and best practices to further protect their organizations from such types of attacks:
Enable conditional access policies. Conditional access policies are evaluated and enforced each time a stolen session cookie or token is used to request access, not only at initial sign-in. Organizations can protect themselves from attacks that leverage stolen credentials by requiring, for example, compliant devices or trusted IP addresses.
Invest in advanced anti-phishing solutions that monitor and scan incoming emails and visited websites. For example, organizations can use web browsers that automatically identify and block malicious websites, including those used in this phishing campaign.
Continuously monitor for suspicious or anomalous activities:
Hunt for sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, use of anonymizer services).
Hunt for unusual mailbox activities such as the creation of Inbox rules with suspicious purposes or unusual amounts of mail item access events by untrusted IP addresses or devices.
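The two hunts above, implemented as an added example written for this page (not Microsoft code), over constructed sign-in and mailbox-audit records. The first flags a session ID that is reused from a different IP address, country or user agent than the interactive sign-in that created it, or through an anonymizer, which is the shape a replayed session cookie leaves. The second flags inbox rules that filter on a sender, move the message out of the Inbox (or delete it) and mark it as read. The record fields, the anonymizer ASN names and the sample events are assumptions; real Azure AD and Exchange Online audit schemas use different field names.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Hunting example written for this page; not Microsoft code. The record layouts
# below are constructed to resemble sign-in and mailbox-audit events. Real
# Azure AD and Exchange Online audit fields are named differently, so map them
# before pointing these functions at production data.

ANONYMIZER_ORGS = {"VPNCorp", "TorExitNode"}   # hypothetical ASN owner names
REPLAY_WINDOW = timedelta(hours=6)
HIDING_FOLDERS = {"archive", "rss subscriptions", "rss feeds", "conversation history", "junk email"}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt_session_replay(signins: List[dict]) -> List[dict]:
    """Flag session IDs whose later sign-ins arrive from a different IP, country
    or user agent than the interactive sign-in that created the session, or via
    an anonymizer. A replayed session cookie shows exactly this shape."""
    by_session: Dict[str, List[dict]] = defaultdict(list)
    for event in signins:
        by_session[event["session_id"]].append(event)
    findings = []
    for sid, events in by_session.items():
        events.sort(key=lambda e: _ts(e["time"]))
        origin = events[0]
        for later in events[1:]:
            reasons = [name for name, changed in (
                ("ip_changed", later["ip"] != origin["ip"]),
                ("country_changed", later["country"] != origin["country"]),
                ("user_agent_changed", later["user_agent"] != origin["user_agent"]),
                ("anonymizer", later["asn_org"] in ANONYMIZER_ORGS),
            ) if changed]
            if reasons and _ts(later["time"]) - _ts(origin["time"]) <= REPLAY_WINDOW:
                findings.append({"user": later["user"], "session_id": sid, "time": later["time"],
                                 "reasons": reasons, "mfa_claim": later["mfa_satisfied"]})
    return findings


def hunt_inbox_rules(events: List[dict]) -> List[dict]:
    """Flag New-/Set-InboxRule events matching the campaign's rule: a sender
    filter plus a move out of the Inbox (or a delete), typically with mark-as-read."""
    findings = []
    for event in events:
        if event["operation"] not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        p = event["params"]
        filters_sender = any(k in p for k in ("FromAddressContainsWords", "From"))
        hides = bool(p.get("DeleteMessage")) or str(p.get("MoveToFolder", "")).lower() in HIDING_FOLDERS
        if filters_sender and hides:
            findings.append({"user": event["user"], "time": event["time"], "rule": p.get("Name"),
                             "sender_filter": p.get("FromAddressContainsWords") or p.get("From"),
                             "mark_as_read": bool(p.get("MarkAsRead"))})
    return findings


# Constructed sample data: one AiTM victim (session S1) and one normal user (session S2).
SIGNINS = [
    # The interactive sign-in is performed by the AiTM proxy, so it already comes from hosting space.
    {"time": "2022-07-01T09:00:00Z", "user": "jdoe@contoso.example", "ip": "203.0.113.10", "country": "NL",
     "asn_org": "HostingCo", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/103", "session_id": "S1",
     "interactive": True, "mfa_satisfied": True},
    # Five minutes later the attacker replays the cookie from their own browser behind a VPN.
    {"time": "2022-07-01T09:05:00Z", "user": "jdoe@contoso.example", "ip": "198.51.100.7", "country": "US",
     "asn_org": "VPNCorp", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/103", "session_id": "S1",
     "interactive": False, "mfa_satisfied": True},
    {"time": "2022-07-01T08:30:00Z", "user": "asmith@contoso.example", "ip": "192.0.2.44", "country": "NL",
     "asn_org": "ContosoNet", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/103", "session_id": "S2",
     "interactive": True, "mfa_satisfied": True},
    {"time": "2022-07-01T10:30:00Z", "user": "asmith@contoso.example", "ip": "192.0.2.44", "country": "NL",
     "asn_org": "ContosoNet", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/103", "session_id": "S2",
     "interactive": False, "mfa_satisfied": True},
]

MAILBOX_EVENTS = [
    {"time": "2022-07-03T14:02:00Z", "user": "jdoe@contoso.example", "operation": "New-InboxRule",
     "params": {"Name": "rule", "FromAddressContainsWords": "fabrikam.example",
                "MoveToFolder": "Archive", "MarkAsRead": True}},
    {"time": "2022-07-03T15:10:00Z", "user": "asmith@contoso.example", "operation": "New-InboxRule",
     "params": {"Name": "Newsletters", "SubjectContainsWords": "newsletter", "MoveToFolder": "Reading"}},
]

if __name__ == "__main__":
    for finding in hunt_session_replay(SIGNINS) + hunt_inbox_rules(MAILBOX_EVENTS):
        print(finding)
```

Note that in an AiTM compromise even the first, interactive sign-in is made by the proxy rather than by the user’s device, so the baseline you compare later sign-ins against is itself suspect; correlating it with the user’s normal devices and locations from earlier days tightens the hunt.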
Coordinated threat defense with Microsoft 365 Defender
Microsoft 365 Defender provides comprehensive protection against this AiTM phishing campaign by correlating threat data from various domains. It also coordinates threat defense against the end-to-end attack chain using multiple solutions and has advanced hunting capabilities that allow analysts to inspect their environments further and surface this threat.
Leveraging its cross-signal capabilities, Microsoft 365 Defender alerts customers using Microsoft Edge when a session cookie gets stolen through AiTM phishing and when an attacker attempts to replay the stolen session cookie to access Exchange Online:
Figure 12. Microsoft 365 Defender detecting an attempt to use a stolen session cookie to sign into Exchange Online
Microsoft 365 Defender’s unique incident correlation technology also lets defenders see all the relevant alerts related to an AiTM phishing attack pieced together into a single comprehensive view, thus allowing them to respond to such incidents more efficiently:
Figure 13. Microsoft 365 Defender incident page correlating all relevant alerts related to an AiTM phishing attempt
Microsoft 365 Defender is backed by threat experts who continuously monitor the computing landscape for new attacker tools and techniques. Their expert monitoring not only helps alert customers of a possible incident (such as a potential cookie theft during an authentication session), their research on the constantly evolving phishing techniques also enriches the threat intelligence that feeds into the abovementioned protection technologies.
Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps detect threat activity associated with this phishing campaign through the following alerts. Note that these alerts may also be triggered by unrelated threat activity; we list them here because we recommend that they be investigated and remediated immediately.
Email messages containing malicious file removed after delivery. This alert is generated when any messages containing a malicious file are delivered to mailboxes in an organization. Microsoft removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP) if this event occurs.
Email messages from a campaign removed after delivery. This alert is generated when any messages associated with a campaign are delivered to mailboxes in an organization. Microsoft removes the infected messages from Exchange Online mailboxes using ZAP if this event occurs.
Suspicious inbox manipulation rule. The attackers set an Inbox rule to hide their malicious activities. Defender for Cloud Apps identifies such suspicious rules and alerts users when detected.
Impossible travel activity. The attackers used multiple proxies or virtual private networks (VPNs) from various countries or regions. Sometimes, their attack attempts happen at the same time the actual user is signed in, thus raising impossible travel alerts.
Activity from infrequent country. Because the attackers used multiple proxies or VPNs, on certain occasions, the egress endpoints of these VPN and proxy servers are uncommon for the user, thus raising this alert.
Azure AD Identity Protection automatically detects and remediates identity-based risks. It detects suspicious sign-in attempts and raises any of the following alerts:
Anomalous Token. This alert flags a token’s unusual characteristics, such as an atypical token lifetime or a token played from an unfamiliar location.
Unfamiliar sign-in properties. In this phishing campaign, the attackers used multiple proxies or VPNs originating from various countries or regions unfamiliar to the target user.
Unfamiliar sign-in properties for session cookies. This alert flags anomalies in the token claims, token age, and other authentication attributes.
Anonymous IP address. This alert flags sign-in attempts from anonymous IP addresses (for example, Tor browser or anonymous VPN).
In addition, Continuous Access Evaluation (CAE) revokes access in real time when changes in user conditions trigger risks, such as when a user is terminated or moves to an untrusted location.
When an attacker uses a stolen session cookie, the “SessionId” attribute in the AADSignInEventsBeta table will be identical to the SessionId value used in the authentication process against the phishing site. Use this query to search for cookies that were first seen after OfficeHome application authentication (as seen when the user authenticated to the AiTM phishing site) and then seen being used in other applications in other countries:
let OfficeHomeSessionIds = AADSignInEventsBeta
| where Timestamp > ago(1d)
| where ErrorCode == 0
| where ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" //OfficeHome application
| where ClientAppUsed == "Browser"
| where LogonType has "interactiveUser"
| summarize arg_min(Timestamp, Country) by SessionId;
AADSignInEventsBeta
| where Timestamp > ago(1d)
| where ApplicationId != "4765445b-32c6-49b0-83e6-1d93765276ca"
| where ClientAppUsed == "Browser"
| project OtherTimestamp = Timestamp, Application, ApplicationId, AccountObjectId, AccountDisplayName, OtherCountry = Country, SessionId
| join OfficeHomeSessionIds on SessionId
| where OtherTimestamp > Timestamp and OtherCountry != Country
Use this query to summarize for each user the countries that authenticated to the OfficeHome application and find uncommon or untrusted ones:
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" //OfficeHome application
| where ClientAppUsed == "Browser"
| where LogonType has "interactiveUser"
| summarize Countries = make_set(Country) by AccountObjectId, AccountDisplayName
Use this query to find new email Inbox rules created during a suspicious sign-in session:
//Find suspicious tokens tagged by AAD "Anomalous Token" alert
let suspiciousSessionIds = materialize(
AlertInfo
| where Timestamp > ago(7d)
| where Title == "Anomalous Token"
| join (AlertEvidence | where Timestamp > ago(7d) | where EntityType == "CloudLogonSession") on AlertId
| project sessionId = todynamic(AdditionalFields).SessionId);
//Find Inbox rules created during a session that used the anomalous token
let hasSuspiciousSessionIds = isnotempty(toscalar(suspiciousSessionIds));
CloudAppEvents
| where hasSuspiciousSessionIds
| where Timestamp > ago(21d)
| where ActionType == "New-InboxRule"
| where RawEventData.SessionId in (suspiciousSessionIds)
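The cookie-replay query and the Inbox-rule query above, re-expressed in Python over constructed sample rows so the logic can be run offline; this is an added example, not code from Microsoft's post. It assumes AADSignInEventsBeta and CloudAppEvents rows as dicts carrying the column names the queries use, the Exchange Online application id "app-exo" and all events are constructed, and the flagged sessions fed to the Inbox-rule check come from the replay detection rather than from the Anomalous Token alert the second query uses.

```python
from datetime import datetime, timedelta

OFFICE_HOME_APP_ID = "4765445b-32c6-49b0-83e6-1d93765276ca"  # OfficeHome, as in the page's queries
T0 = datetime(2022, 7, 12, 9, 0)  # constructed base time for the sample events


def sign_in(ts, app_id, app, country, session, error=0, logon="interactiveUser"):
    """One constructed row shaped like the AADSignInEventsBeta columns the queries use."""
    return {"Timestamp": ts, "ErrorCode": error, "ApplicationId": app_id, "Application": app,
            "ClientAppUsed": "Browser", "LogonType": logon, "Country": country, "SessionId": session}


# Constructed sample data; "app-exo" is a placeholder id, not Exchange Online's real one.
SIGN_INS = [
    # sess-A: victim authenticates through the AiTM proxy (lands on OfficeHome) from US;
    # the stolen cookie is replayed against Exchange Online from NL two hours later.
    sign_in(T0, OFFICE_HOME_APP_ID, "OfficeHome", "US", "sess-A"),
    sign_in(T0 + timedelta(hours=2), "app-exo", "Exchange Online", "NL", "sess-A"),
    # sess-B: normal SSO, the same cookie reused from the same country -> no hit
    sign_in(T0, OFFICE_HOME_APP_ID, "OfficeHome", "US", "sess-B"),
    sign_in(T0 + timedelta(hours=1), "app-exo", "Exchange Online", "US", "sess-B"),
    # sess-C: a failed OfficeHome sign-in (ErrorCode != 0) must not seed the baseline
    sign_in(T0, OFFICE_HOME_APP_ID, "OfficeHome", "US", "sess-C", error=50126),
    sign_in(T0 + timedelta(hours=1), "app-exo", "Exchange Online", "DE", "sess-C"),
    # sess-D: other-app activity *before* the OfficeHome sign-in is not a replay of that cookie
    sign_in(T0 - timedelta(hours=1), "app-exo", "Exchange Online", "FR", "sess-D"),
    sign_in(T0, OFFICE_HOME_APP_ID, "OfficeHome", "US", "sess-D"),
]
CLOUD_APP_EVENTS = [  # constructed rows shaped like CloudAppEvents
    {"Timestamp": T0 + timedelta(hours=2, minutes=5), "ActionType": "New-InboxRule",
     "RawEventData": {"SessionId": "sess-A"}},
    {"Timestamp": T0 + timedelta(hours=1, minutes=5), "ActionType": "New-InboxRule",
     "RawEventData": {"SessionId": "sess-B"}},
    {"Timestamp": T0 + timedelta(hours=2, minutes=9), "ActionType": "Set-InboxRule",
     "RawEventData": {"SessionId": "sess-A"}},
]


def office_home_baseline(events, now, lookback=timedelta(days=1)):
    """Earliest successful interactive browser OfficeHome sign-in per SessionId
    (the `summarize arg_min(Timestamp, Country) by SessionId` step of the first query)."""
    baseline = {}
    for e in events:
        if (e["Timestamp"] <= now - lookback or e["ErrorCode"] != 0
                or e["ApplicationId"] != OFFICE_HOME_APP_ID or e["ClientAppUsed"] != "Browser"
                or "interactiveUser" not in e["LogonType"]):
            continue
        sid = e["SessionId"]
        if sid not in baseline or e["Timestamp"] < baseline[sid]["Timestamp"]:
            baseline[sid] = {"Timestamp": e["Timestamp"], "Country": e["Country"]}
    return baseline


def find_replayed_sessions(events, now, lookback=timedelta(days=1)):
    """Sessions first seen on OfficeHome, later used by another app from a different country."""
    baseline = office_home_baseline(events, now, lookback)
    hits = []
    for e in events:
        if (e["Timestamp"] <= now - lookback or e["ApplicationId"] == OFFICE_HOME_APP_ID
                or e["ClientAppUsed"] != "Browser"):
            continue
        first = baseline.get(e["SessionId"])  # inner join on SessionId
        if first and e["Timestamp"] > first["Timestamp"] and e["Country"] != first["Country"]:
            hits.append({"SessionId": e["SessionId"], "FirstCountry": first["Country"],
                         "OtherCountry": e["Country"], "Application": e["Application"]})
    return hits


def inbox_rules_in_sessions(cloud_events, suspicious_ids, now, lookback=timedelta(days=21)):
    """New-InboxRule events created inside a flagged session; the empty-set guard mirrors
    the query's hasSuspiciousSessionIds check so nothing matches when no session is flagged."""
    if not suspicious_ids:
        return []
    return [e for e in cloud_events
            if e["Timestamp"] > now - lookback and e["ActionType"] == "New-InboxRule"
            and e["RawEventData"].get("SessionId") in suspicious_ids]
```

Running `find_replayed_sessions(SIGN_INS, now)` flags only sess-A, and feeding that set to `inbox_rules_in_sessions` returns the single New-InboxRule created in that session while ignoring the Set-InboxRule and the unflagged session.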
With summer in full swing, students and parents are preparing to kick off back-to-school shopping to get ready for the exciting year ahead. We know parents and students are always on the hunt for a great deal, and this year, as inflation continues to rise, parents’ stress over the shopping season has increased by 7% in recent weeks alone.
To help families breeze through shopping with confidence, Microsoft Store is offering back-to-school savings – starting July 11 through Sept. 11 – including discounted laptops, PCs and accessories, all supported by an extended price promise and return window.
Microsoft Store’s top back-to-school deals and savings include:
Save up to 50% off on select Windows 11 PCs
Deals extend beyond Surface devices at Microsoft Store. Families and students can choose from a variety of Windows 11 PCs, including the Lenovo Ideapad 5 Pro. The Lenovo Ideapad 5 Pro is perfect for streaming and entertainment, making it a great choice for students looking for a device that can be used for work and play.
For a full list of select Windows 11 PCs on sale, visit microsoft.com. Offer ends July 18.
Save up to $339.99 on the Surface Pro 8 and Surface Pro Keyboard Bundle
You can get one of Microsoft’s best flexible devices for over $400 off. The Surface Pro 8 and Surface Pro Keyboard Bundle is perfectly portable with tablet-to-laptop versatility, making it a must-have for whatever the school year has in store. Offer ends Aug. 21.
Save up to $300 on select Surface Laptop 4
The sleek Surface Laptop 4 is available at $300 off. Built for even the longest night of studying, the Surface Laptop 4 has a battery life that lasts all day and serious multitasking power. Offer ends July 24.
Save up to 30% off select Microsoft PC Accessories, including the Microsoft Bluetooth Ergonomic Mouse
Get the most out of a new device by pairing it with accessories like the premium wireless Microsoft Bluetooth Ergonomic Mouse, designed to help people learn or work in comfort all day with precision navigation and two programmable buttons. Offer ends July 31.
Save $125 on the Bang & Olufsen Beoplay Portal Headset
Save big on headphones sure to bring any gaming experience to the next level with a sophisticated aesthetic that makes them wearable at the library, at home and everywhere in between. Packed with quick-access gaming functions, rock-solid connectivity for mobile gaming and Dolby Atmos virtualized surround sound for an immersive gaming experience. Offer ends July 31.
Shop with confidence with the Microsoft Store Promise
You’ll also receive peace of mind shopping at Microsoft Store as all purchases come with the Microsoft Store Promise, which includes free shipping and free, extended 60-day returns, a 60-day price promise on Surface devices, personal support with back-to-school shopping and helpful videos from product experts. Additionally, purchasing select Surfaces comes with 20-30% off Microsoft Complete, Microsoft Store’s hardware warranty plan, between July 11 – 17.
Driving equity with online-ready, not online-dependent devices
Providing continuity of learning in low and intermittent connectivity scenarios
Millions of students have limited access to the internet at home, leaving them struggling to access interactive online lessons and forcing them to find offline workarounds on devices lacking storage for video and other resources. Today, devices and education technology tools are more integrated into education than ever before, and learning opportunities happen not just at school, but at home and everywhere in between. In this landscape, the ability to work online and offline is key so that learning can continue regardless of a student’s ability to connect to the internet.
In the third in a series of Accelerate Learning Kits from Microsoft Education, “Accelerating Learning for Students with Limited Internet Access,” the authors compare how Microsoft Windows 11 devices and Chromebooks support offline access to educational content and material. Their finding: when comparing based on factors such as access to learning content, accessibility, on-device storage, and the ability to create and edit content, they found that Windows 11 devices provide a better experience for learners than the equivalent experiences on Google Chrome OS.
In a study conducted by Michigan State University in 2020, researchers found that students who have no home access or rely upon cell phone data plans have the digital skills equivalent of a three-year deficit when compared to their peers with home internet access [1].
According to UNICEF, up to 1.3 billion children and young people worldwide have no access to internet at home [2]. This issue disproportionately affects students of color, those living in poverty, and in rural communities. Additionally, a 2020 study by Michigan State University found that students who have limited or no internet access at home can fall up to three years behind classmates with full access, have a lower grade point average, score lower on college admissions tests like the SAT, and are less likely to pursue a college degree [3]. This highlights the importance of ensuring that students have equitable access to tools and that there’s flexibility for those who may not have consistent access to the internet outside of school.
For the latest Microsoft learning kit comparing Windows 11 devices and Chromebooks, researchers created a learning scenario in which they used identical versions of a presentation to compare the process a student would complete to access and edit learning materials while disconnected from the internet. This included setting up offline access to the file, disconnecting the internet connection, opening and making changes to the presentation, and then reconnecting and accessing the updated online file. The comparison of the Windows 11 and Chromebook processes can help educators see some of the benefits Windows 11 devices deliver for students, including simpler and faster setup of offline capabilities.
Evaluators noted that in the side-by-side test, Microsoft Office was a faster, easier, and richer experience for students than the comparable solution. Beyond simply editing and saving files, students with limited online access can benefit from using the built-in flexibility of features such as translation and Accessibility Checker, which work online or offline.
Since schools made the unexpected and rapid shift to online instruction in 2020, existing inequities in connectivity have highlighted the challenges of making sure that all students can participate in digital learning. Microsoft Education is committed to developing solutions to advance equity in learning. And the built-in, accessible, equitable, easy-to-use tools in the Microsoft Office suite provide students the opportunity to focus on learning and explore their academic interests without having to worry about connectivity.
Over the coming decade, deep learning looks set to have a transformational impact on the natural sciences. The consequences are potentially far-reaching and could dramatically improve our ability to model and predict natural phenomena over widely varying scales of space and time. Could this capability represent the dawn of a new paradigm of scientific discovery?
Jim Gray, a Turing Award winner, and former Microsoft Technical Fellow, characterised the historical evolution of scientific discovery through four paradigms. With origins dating back thousands of years, the first paradigm was purely empirical and based on direct observation of natural phenomena. While many regularities were apparent in these observations, there was no systematic way to capture or express them. The second paradigm was characterised by theoretical models of nature, such as Newton’s laws of motion in the seventeenth century, or Maxwell’s equations of electrodynamics in the nineteenth century. Derived by induction from empirical observation, such equations allowed generalization to a much broader range of situations than those observed directly. While these equations could be solved analytically for simple scenarios, it was not until the development of digital computers in the twentieth century that they could be solved in more general cases, leading to a third paradigm based on numerical computation. By the dawn of the twenty-first century computation was again transforming science, this time through the ability to collect, store and process large volumes of data, leading to the fourth paradigm of data-intensive scientific discovery. Machine learning forms an increasingly important component of the fourth paradigm, allowing the modelling and analysis of large volumes of experimental scientific data. These four paradigms are complementary and coexist.
The pioneering quantum physicist Paul Dirac commented in 1929 that “The underlying physical laws necessary for the mathematical theory of a large part of physics and the whole of chemistry are thus completely known, and the difficulty is only that the exact application of these laws leads to equations much too complicated to be soluble.” For example, Schrödinger’s equation describes the behaviour of molecules and materials at the subatomic level with exquisite precision, and yet numerical solution with high accuracy is only possible for very small systems consisting of a handful of atoms. Scaling to larger systems requires increasingly drastic approximations leading to a challenging trade-off between scale and accuracy. Even so, quantum chemistry calculations are already of such high practical value that they form one of the largest supercomputer workloads.
However, over the last year or two, we have seen the emergence of a new way to exploit deep learning, as a powerful tool to address this speed-versus-accuracy trade-off for scientific discovery. This is a very different use of machine learning from the modelling of data that characterizes the fourth paradigm, because the data that is used to train the neural networks itself comes from numerical solution of the fundamental equations of science rather than from empirical observation. We can view the numerical solutions of scientific equations as simulators of the natural world that can be used, at high computational cost, to compute quantities of interest in applications such as forecasting the weather, modelling the collision of galaxies, optimizing the design of fusion reactors, or calculating the binding affinities of candidate drug molecules to a target protein. From a machine learning perspective, however, the intermediate details of the simulation can be viewed as training data which can be used to train deep learning emulators. Such data is perfectly labelled, and the quantity of data is limited only by computational budget. Once trained, the emulator can perform new calculations with high efficiency, achieving significant improvements in speed, sometimes by several orders of magnitude.
This ‘fifth paradigm’ of scientific discovery represents one of the most exciting frontiers for machine learning as well as for the natural sciences. While there is a long way to go before these emulators are sufficiently fast, robust, and general-purpose to become mainstream, the potential for real-world impact is clear. For example, the number of small-molecule drug candidates alone is estimated at 10^60, while the total number of stable materials is thought to be around 10^180 (roughly the square of the number of atoms in the known universe). Finding more efficient ways to explore these vast spaces would transform our ability to discover new substances such as better drugs to treat disease, improved substrates for capturing atmospheric carbon dioxide, better materials for batteries, new electrodes for fuel cells to power the hydrogen economy, and myriad others.
AI4Science is an effort deeply rooted in Microsoft’s mission, applying the full breadth of our AI capabilities to develop new tools for scientific discovery so that we and others in the scientific community can confront some of humanity’s most important challenges. Microsoft Research has a 30+ year legacy of curiosity and discovery, and I believe that the AI4Science team – spanning geographies and scientific fields – has the potential to yield extraordinary contributions to that legacy.
Kevin Scott, Executive Vice President and Chief Technology Officer, Microsoft
I’m delighted to announce today that I will be leading a new global team in Microsoft Research, spanning the UK, China and the Netherlands, to focus on bringing this fifth paradigm to reality. Our AI4Science team encompasses world experts in machine learning, quantum physics, computational chemistry, molecular biology, fluid dynamics, software engineering, and other disciplines who are working together to tackle some of the most pressing challenges in this field.
An example project is Graphormer, led by my colleague Tie-Yan Liu in our China team. This is a deep learning package that allows researchers and developers to train custom models for molecule modelling tasks, such as materials science, or drug discovery. Recently, Graphormer won the Open Catalyst Challenge, a molecular dynamics competition that aims to model the catalyst-adsorbate reaction system by AI, and has more than 0.66 million catalyst-adsorbate relaxation systems (144 million structure-energy frames) simulated by density functional theory (DFT) software. Another project, from our team in Cambridge, in collaboration with Novartis, is Generative Chemistry, where together we are empowering scientists with AI to speed up the discovery and development of breakthrough medicines.
“Not only can AI learn from our past experiments, but, with each new iteration of designing and testing in the lab, the machine learning algorithms can identify new patterns and help guide the early drug discovery and development process. Hopefully in doing this we can augment our human scientists’ expertise so they can design better molecules faster.”
The team has since used the platform to generate several promising early-stage molecules which have been synthesised for further exploration.
Alongside our teams in China and the UK, we have been growing a team in the Netherlands, including hiring the world-renowned machine learning expert, Max Welling. I am also excited to be able to announce today that our brand-new Lab in Amsterdam will be housed in Matrix One, which is currently under construction on the Amsterdam Science Park. This purpose-built space is in close proximity to the University of Amsterdam and the Vrije Universiteit Amsterdam, and we will maintain strong affiliations with both institutions through the co-supervision of PhD students.
Matrix One building in Amsterdam
It is with pride and excitement that we take this next step to come together as a cross-geographical team and follow in the footsteps of pioneers before us, to contribute to this next paradigm of scientific discovery, and in doing so impact many important societal challenges. If you share our excitement and ambition, and would like to join us, I encourage you to look at our open positions or get in touch to talk to anyone on the team.
As a part of our mission to support organizations’ multicloud strategy, last summer we acquired CloudKnox Security, a leader in Cloud Infrastructure Entitlement Management (CIEM). We delivered the Microsoft public preview of the solution in February. Since then, we’ve been preparing for GA with enhancements, including GDPR compliance, global localization, and automated onboarding.
Today, I’m thrilled to announce the general availability (GA) of Microsoft Entra Permissions Management, formerly CloudKnox, as part of the Microsoft Entra portfolio. Permissions Management is available today as a standalone solution, priced at $125 per resource, per year. Resources supported are compute resources, container clusters, serverless functions, and databases across Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Let’s dive into some of the product features and updates.
Manage permissions of any identity, across any cloud, with one unified platform
Microsoft Entra Permissions Management allows organizations to discover, remediate, and monitor permissions for all identities (both human and workloads) and resources across multicloud environments. By continuously monitoring permission usage, Permissions Management allows you to enforce the principle of least privilege at cloud scale using historical data so that your organization can improve its security posture without interrupting productivity.
Discover: Get granular visibility into every action performed by every identity, on every resource, and assess your permission risk by monitoring permissions granted versus permissions used.
Remediate: Close the permission gap by enforcing the principle of least privilege based on actual usage, leveraging our permissions-on-demand workflow when additional permissions are needed.
Monitor: Continuously monitor all activity to detect anomalous permission usage and generate detailed forensic reports to support rapid investigation and remediation.
New streamlined onboarding and monitoring capabilities
As part of our GA release, we’re introducing a new, automated approach to onboarding your AWS, Azure, and GCP environments into Permissions Management. With a simplified workflow, you can efficiently collect permissions data across clouds at scale with just a few clicks.
To kick off our integrations with our Microsoft portfolio, users can now monitor their Permission Creep Index and access Permissions Management directly from their Defender for Cloud dashboard, extending Defender for Cloud’s protection with CIEM.
This is just the beginning! We’re actively expanding our integrations and features and will begin rolling them out later this year. To learn more about our GA release, visit our Permissions Management documentation.
Try Microsoft Entra Permissions Management today
We’re offering a free 90-day trial to Permissions Management so that you can run a comprehensive risk assessment and identify the top permission risks across your multicloud infrastructure.
Within a few hours of onboarding, Permissions Management will generate a comprehensive Permissions Analytics Report to identify your organization’s areas of greatest risk, with actionable insights to begin remediation and secure your environment. Request a free risk assessment today at aka.ms/TryPermissionsManagement.
If you’re interested in learning more about Microsoft Entra Permissions Management, visit our website and our product documentation! We’d love to hear your feedback, so please leave a comment below and join our security experts at our Ask Me Anything session on July 19th at 9 AM PST if you have any questions.