Microsoft is named a Leader in the 2025 Gartner® Magic Quadrant™ for cyber-physical systems protection platforms​​

By Jason Weber, Corporate Vice President and Distinguished Engineer, Microsoft Defender for Endpoint


Critical infrastructure is a key target of both physical and cyberattacks. Microsoft has observed an increase in reported attacks on internet-exposed operational technology (OT) devices that control real-world critical processes—like water and wastewater systems, as well as critical functions across industries including healthcare, manufacturing, energy, and more.1 Our previous Microsoft Digital Defense Reports have shown that unfortunately the security of OT devices has not kept pace with the strengthened security of IT hardware and software. As of July 2024, we had identified and shared more than 300 vulnerabilities in third-party OT applications. The initiative contributed to significant improvements in security across the OT industry.1 It highlights a need for organizations to integrate OT devices into their broader endpoint security strategy.  

We are excited to announce that Gartner has named Microsoft a Leader in the 2025 Gartner® Magic Quadrant™ for Cyber Physical Systems Protection Platforms. Gartner defines cyber-physical systems (CPS) as “engineered systems that orchestrate sensing, computation, control, networking and analytics” that connect the digital and physical worlds. They span industrial control systems (ICS), OT devices, Internet of Things (IoT) devices, and more.   

CPS devices are an inherent component to any security strategy, and as the only security platform vendor now recognized as a Leader in both endpoint and CPS security, it highlights, in our opinion, our commitment to providing customers with holistic endpoint security on any platform. Our cross-platform strategy is key to making continued progress in helping organizations protect their endpoints against the latest, and most sophisticated cyberattacks as they span operating systems and cross into CPS infrastructure, while driving continued efficiency for security operations center (SOC) teams. Read the report here.  

  

Gartner, Magic Quadrant for CPS Protection Platforms, 127 February 2025, By Katell Thielemann, Wam Voster, Ruggero Contu

Meeting the unique OT security needs of organizations in every major industry  

The core of Microsoft’s CPS offering to help secure OT environments is Microsoft Defender for IoT, which provides CPS capabilities though purpose-built sensors, and combined with Defender for Endpoint, helps provide holistic endpoint security to organizations worldwide. Both are native components of our unified security operations platform.  

CPS security is deeply embedded into Microsoft’s approach to securing devices across the platforms our customers operate on. Defender for Endpoint uses its network traffic insights to discover devices that it centralizes in a unified device inventor; we provide holistic vulnerability management for software on both user, as well as CPS devices, and bring information together in a unified incident investigation experience to enable analysts to investigate endpoint-focused attacks end-to-end.

Further, Microsoft is deeply committed to helping customers achieve cost efficiencies through our strategic Microsoft 365 E5 Security bundles, while equally allowing maximum purchasing flexibility through our standalone offers for each solution.  

Secure your enterprise IoT devices with Microsoft Defender for IoT

Innovations that drive better defense strategies  

Over the last 12 months, Microsoft has delivered significant innovations that help defenders gain the upper hand against OT and other cyberthreats including:   

Microsoft’s unified security operations platform brings the foundational tools a SOC needs into a single experience, with a consistent data model, unified capabilities, and broad protection. This unified experience helps SOCs close critical security gaps and streamline their operations, delivering better overall protection, reducing their response time by 88%, and improving overall efficiency.2 Defender for IoT is core to this platform, which combines the power of leading solutions in security information and event management (SIEM), extended detection and response (XDR), and Generative AI for security. It enables security teams to detect and respond to cyberthreats across OT environments and get key insights into their OT security posture, detect cyberthreats, and understand them in context of broader incidents.  

The unified agent combines protection across endpoints, OT devices, identities and data loss prevention (DLP) to help security teams streamline deployment and protection. The sensor is the software component that monitors and protects critical infrastructure, serving as one of the first lines of defense against cyberthreat actors. With our platform approach that brings together Microsoft Sentinel and Microsoft Defender XDRwe now have the first platform-level platform-level agent that unifies protection across four solution areas. The streamlined agent simplifies how you activate and manage core capabilities to more easily and swiftly reap the benefits of our AI-powered protection. Read more about the unified agent platform on the Microsoft Defender for Endpoint blog.  

Circular diagram displaying Unified platform agent in the middle with Endpoints, OT devices, Data loss prevention, and Identities revolving around the exterior. 

Microsoft Security Exposure Management is part of the unified security operations portal and provides a unified view of security posture across company assets and workloads. Security initiatives are an experience that provides a simple way to assess security readiness for a specific security area or workload, and to constantly track and measure exposure risk over time. The OT Securityinitiative improves your OT site security posture by monitoring and protecting OT environments in the organization, and employing network layer monitoring. This initiative identifies devices and ensures that systems are working correctly, and data is protected. Your security teams can use the OT Security initiative to identify unprotected devices and harden posture across sites through vulnerability assessments, with actionable guidance to help remediate at-risk devices. Read more about security initiatives.   

Reduce risk and optimize your security posture with Microsoft Security Exposure Management

Thank you to all our customers. You inspire us as together we work to create a safer world.  

Learn more with Microsoft Security

Visit Microsoft Defender for IoT to learn how your organization can get real-time asset discovery, vulnerability management, and cyberthreat protection for your Internet of Things (IoT) and industrial infrastructure, such as industrial control systems (ICS) and operational technology (OT).   

Are you a regular user of Microsoft Defender for Endpoint or Defender for IoT? Review your experience on Gartner Peer Insights™ and get a $25 gift card.      

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.  

1Microsoft Digital Defense Report, Microsoft. 2024.
2The Total Economic Impact™ Of Microsoft SIEM And XDR, August 2022.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.  

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.  

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.  

Gartner, Magic Quadrant for CPS Protection Platforms, 17 February 2025, By Katell Thielemann, Wam Voster, Ruggero Contu

/by

Join us for the end-to-end Microsoft RSAC 2025 Conference experience

By Dasha Zenkovich, Senior Product Marketing Manager

AI adoption is picking up speed. Many companies are growing their technology estates by embracing powerful new solutions like generative AI. But to maximize the benefits of new technology with confidence, security professionals need to stay compliant with the evolving regulatory and audit requirements in the age of AI. It is in this spirit that Microsoft invites you to join us at RSACTM 2025 Conference in San Francisco, where we will showcase end-to-end security designed to help organizations accelerate the secure adoption of AI with ready-to-go security and governance tools and solutions to multiply security teams’ productivity.

Across the Microsoft Security portfolio, our innovations, together with world-class threat and regulatory intelligence, will help give security experts the advantage they need in the era of AI. From our signature Pre-Day to hands-on demos and one-on-one meetings, join the Microsoft experience at RSAC 2025 designed just for you.

A group of men standing around a table with laptops

Microsoft at RSAC

From our signature Pre-Day to hands-on demos and one-on-one meetings, discover how Microsoft Security can give you the advantage you need in the era of AI.

Explore events 

Kick things off at Microsoft Pre-Day

The Microsoft experience at RSAC 2025 begins with Microsoft Pre-Day on Sunday, April 27, 2025, at the Palace Hotel, just around the corner from the Moscone Center. For the fourth year running, the keynote speech held on Microsoft Pre-Day will kick off the full lineup of Microsoft events and activities throughout RSAC 2025. By joining us on Sunday, you’ll have the chance to hear directly from Microsoft Security business leaders—including Vasu Jakkal, Corporate Vice President, Microsoft Security Business; Charlie Bell, Executive Vice President, Microsoft Security; Sherrod DeGrippo, Director of Threat Intelligence Strategy; and other Microsoft Security leaders as they share reporting on emerging cyberthreat trends and the product innovations designed to protect against them. Vasu will also take the RSAC 2025 stage on Day 1 for the conference keynote.

At Pre-Day, attendees will hear Microsoft Security threat intelligence on emerging trends, explore new AI-first tools, demos, and best practices, and attain a better understanding of how Microsoft can help them secure and govern their AI deployments. Attend to discover how the adaptive, end-to-end security platform from Microsoft, including Microsoft Security Copilot, can help your team catch what others miss, speed up remediation, lower your total cost of ownership, and boost—rather than burden—you and your teams.

Stick around after Pre-Day for the reception—an evening of fun, networking, and entertainment, celebrating the vibrant security community. This is a unique opportunity to meet Microsoft security leaders, expand your professional network, and learn how others are addressing the latest security trends and challenges. Light refreshments will be served. CISOs who register to attend Microsoft Pre-Day will automatically be invited to a chief information security officer (CISO) dinner with Vasu Jakkal.  

Make sure to register for Microsoft Pre-Day to join in on all the day’s activities.

Register for Microsoft Pre-Day at RSAC 2025

Dedicated calendar of events for CISOs

Microsoft will be hosting a number of events tailored to CISOs throughout RSAC 2025. To kick off the week, Microsoft will be hosting a Pre-Day, followed by the exclusive CISO dinner on April 27, 2025. Following, there will be daily lunch and learn opportunities that address some of the primary challenges facing CISOs organizations:

  • Monday April 28, 2025: Innovating Securely CISO LunchLearn insights concerning secure innovation centered around the new AI regulations, including the EU Act, Digital Operational Resilience Act (DORA), and more.
  • Tuesday April 29, 2025: SFI Executive Lunch—Open to all and focused around the needs of Latin America-based CISOs, this lunch will bring together leaders and experts interested in understanding the latest Secure Future Initiative (SFI) progress and exchanging their thoughts on related best practices.
  • Wednesday April 30, 2025Embracing Cyber resilience CISO Lunch—Attendees are invited to network, learn, and exchange their insights regarding cyber resilience as the AI landscape evolves.

Finally, CISOs who attend RSAC 2025 are invited to stay through the end of the conference to attend the Microsoft Post-Day Forum at the Microsoft Experience Center at Silicon Valley on Thursday, May 1, 2025, from 9:00 AM PT to 1:00 PM PT. The day will be full of insightful presentations, interactive discussions, networking opportunities, and a curated CISO roundtable session. This informative day will also include an immersive tour of the unique state-of-the-art Microsoft Experience Center, which highlights larger-than-life solutions that show Microsoft’s cutting-edge technology solving many of today’s challenges. This experience is facilitated by envisioning specialists who spark inspired conversations, creative ideas, and new opportunities for leaders to participate in before returning home.

Sign up for Microsoft experiences at RSAC, including the Pre-Day, the CISO dinner, CISO lunch, and the Post-Day Forum. Request a one-on-one meeting with Microsoft experts to discuss your most pressing questions here.

Discover solutions to your challenges during the keynote speech and Microsoft sessions

Vasu Jakkal speaking at RSAC 2024.

As part of the RSAC agenda, Vasu Jakkal will take the stage on Monday, April 28, 2025, at 4:40 PM PT. During the speech, she will discuss the potential of agentic workflows to dramatically reshape the security landscape. Agentic AI has the power to enable more complex problem-solving, deeper agent collaboration, and iterative learning. All of this leads us toward a previously unheard-of new paradigm for security. Join Vasu Jakkal for an imaginative look at the future of AI security agents and how the people of our security teams will work alongside them to change the game.

​After the keynote and throughout the conference, attendees will be able to split their time between the Microsoft Security sessions included in the RSAC 2025 agenda, live demonstrations at booth #5744 in Moscone North, and a variety of roundtables, one-on-one meetings, and presentations at the Microsoft Security Hub at the Palace Hotel.

Here are two sessions not to miss:

  • Tuesday, April 29, 2025, at 9:40 AM PTShaping the Future of Security with Agentic AI​—In a time of rapidly evolving cyberthreats, agentic AI is emerging as a transformative force in security. Join Dorothy Li, Corporate Vice President of Microsoft Security Copilot and Marketplace, to discover how autonomous decision-making is reshaping our approach to cybersecurity. This session will reveal how agentic AI empowers organizations to proactively mitigate risks, enhance operational efficiency, and elevate the effectiveness of your security tools. Attendees will gain actionable insights and practical strategies for harnessing the potential of agentic AI. Prepare to rethink the future of security and position your organization at the forefront of innovation.​
  • Wednesday, April 30, 2025, at 9:40 AM PT: Accelerate AI Adoption with Stronger Security—AI adoption is accelerating, creating both new opportunities and security challenges. Led by Neta Haiby, Partner Product Manager at Microsoft​, this session covers key AI adoption trends, emerging risks, and common cyberthreats. Discover actionable steps to secure and govern AI, from establishing a dedicated security team for AI to adopting AI-specific solutions, ensuring your organization can innovate with confidence.​

Other well-known Microsoft experts will host session sharing what they’ve learned from their work pioneering and securing AI:

  • Wednesday, April 30, 2025 at 8:30 AM PT: Guardians of the Cyber Galaxy: Allies Against AI-Powered Cybercrime by Sean Farrell, Assistant General Counsel, Digital Crimes Unit.
  • Monday, April 28, 2025 at 1:10 PM PT: AI Era Authentication: Securing the Future with Inclusive Identity by Abhilasha Bhargav-Spantzel, Partner Security Architect, and Aditi Shah, Senior Data and Applied Scientist.
  • Tuesday, April 29, 2025, at 8:30 AM PT: AI Safety: Where Do We Go From Here? by Ram Shankar Siva Kumar, Principal Research Lead, AI Red Team Lead.
  • Tuesday, April 29, 2025, at 2:25 PM PT: Lessons Learned from a Year(ish) of Countering Malicious Actors’ Use of AI by Sherrod DeGrippo, Director, Threat intelligence strategy.

View live demonstrations and discover engaging ways to learn at booth #5744

A woman smiling at the Microsoft booth at RSAC 2024.

At the Microsoft booth, attendees will have the chance to engage with experts, discover ready-to-go security and governance tools built for generative AI, and watch theater sessions showcasing the latest products, innovations, and industry perspectives from Microsoft. They’ll also get to enjoy a fun and interactive gaming experience. 

Microsoft product and partner experts will be on hand to showcase the newest advancements through captivating demonstrations, informative videos, and valuable resources. 

Visit the Microsoft booth theater for exclusive 20-minute demos and expert-led sessions on the latest in security and AI. Explore strategies to protect, govern, and secure AI. Listen in to insights on identity, compliance, privacy, threat defense, data protection, and more. Don’t miss this opportunity to learn from industry leaders and stay ahead in the ever-evolving security landscape.

Meetings and connections at the Microsoft Security Hub

The historic and luxurious Palace Hotel is home base for Microsoft during the week. RSAC 2025 attendees are invited to meet with Microsoft experts and executives, attend thought leadership sessions and roundtable lunches, and join networking opportunities. Detailed information about individual sessions can be found on the Microsoft Security Experiences at RSAC 2025 Landing Page.

Customers are also invited to deepen their understanding of the latest cybersecurity threats, trends, and developments by discussing their most important security product and threat intelligence questions directly with Microsoft security experts through scheduled one-on-one meetings, held from Monday, April 28, 2025, to Wednesday, April 30, 2025, at the Palace Hotel. Request your meeting directly through the Microsoft Security Experiences at RSAC 2025 Home Page.

The Microsoft Intelligent Security Association (MISA) will once again have a considerable presence at RSAC 2025. MISA partners will be featured in the Microsoft Booth #5744 and included in other events happening throughout the week. Additionally, the sixth annual Microsoft Security Excellence Awards, presented by MISA, will be held at the Palace Hotel in San Francisco on April 28, 2025, celebrating our finalists and announcing winners in nine award categories as well as enjoying a time of connecting. 

Activities include:

  • MISA demo station: Stop by the Microsoft Booth to explore the innovative solutions developed by MISA members, which integrate Microsoft Security technology.
  • Theater sessions: Attend one or more of our five theater sessions at the Microsoft booth, led by MISA members, focusing on partner strategies and solutions for cyberthreat protection.
  • View the MISA demo and theater schedule.
  • MISA Partner awards: MISA members are invited to attend the Microsoft Security Excellence Awards on Monday, April 28, 2025, where winners will be announced in nine security award categories.

Get the most by staying through Microsoft Post-Day

Microsoft Post-Day Forum is a unique experience designed to help customers, CISOs, and security leaders dive deep into new concepts, ask questions they need answered about product features, and prepare to realize and enable the AI-first, end-to-end security concepts they’ve learned about throughout RSAC 2025. The Microsoft Post-Day Forum, hosted by Microsoft Security executives, will be held on Thursday, May 1, 2025, from 10:00 AM PT to 1:00 PM PT, at the Silicon Valley Experience Center. Pick up for the event will be held at the Palace Hotel at 8:00 AM PT, with drop off organized for 2:00 PM PT.

We look forward to seeing you at RSAC 2025!

Learn more about the Microsoft experience at RSAC 2025

Customers and partners can register for the events highlighted in this blog as well as other Microsoft ancillary events and more here.

Explore Microsoft Security events at RSAC 2025

/by

New Star Blizzard spear-phishing marketing campaign targets WhatsApp accounts

By Microsoft Threat Intelligence

In mid-November 2024, Microsoft Menace Intelligence noticed the Russian risk actor we observe as Star Blizzard sending their typical targets spear-phishing messages, this time providing the supposed alternative to affix a WhatsApp group. That is the primary time we’ve recognized a shift in Star Blizzard’s longstanding techniques, strategies, and procedures (TTPs) to leverage a brand new entry vector. Star Blizzard’s targets are mostly associated to authorities or diplomacy (each incumbent and former place holders), protection coverage or worldwide relations researchers whose work touches on Russia, and sources of help to Ukraine associated to the battle with Russia.

In our final weblog publish about Star Blizzard, we mentioned how the risk actor focused dozens of civil society organizations—journalists, suppose tanks, and non-governmental organizations (NGOs)—between January 2023 and August 2024 by deploying spear-phishing campaigns to exfiltrate delicate info and intervene of their actions. Since October 3, 2024, Microsoft and the US Division of Justice have seized or taken down greater than 180 web sites associated to that exercise. Whereas this coordinated motion had a short-term affect on Star Blizzard’s phishing operations, we famous on the time that after this risk actor’s lively infrastructure was uncovered, they swiftly transitioned to new domains to proceed their operations, indicating that the risk actor is extremely resilient to operational disruptions.

We assess the risk actor’s shift to compromising WhatsApp accounts is probably going in response to the publicity of their TTPs by Microsoft Menace Intelligence and different organizations, together with nationwide cybersecurity businesses. Whereas this marketing campaign seems to have wound down on the finish of November, we’re highlighting the brand new shift as an indication that the risk actor could possibly be in search of to alter its TTPs to be able to evade detection.

As a part of our steady monitoring, evaluation, and reporting on the risk panorama, we’re sharing our info on Star Blizzard’s newest exercise to lift consciousness of this risk actor’s shift in tradecraft and to teach organizations on harden their assault surfaces towards this and related exercise. We additionally straight notify clients who’ve been focused or compromised, offering them with the required info to assist safe their environments.

Focusing on WhatsApp account information

Star Blizzard’s new spear-phishing marketing campaign, whereas novel in that it makes use of and targets WhatsApp for the primary time, reveals acquainted spear-phishing TTPs for Star Blizzard, with the risk actor initiating e mail contact with their targets, to have interaction them, earlier than sending them a second message containing a malicious hyperlink. The sender tackle utilized by the risk actor on this marketing campaign impersonates a US authorities official, persevering with Star Blizzard’s observe of impersonating recognized political/diplomatic figures, to additional guarantee goal engagement. The preliminary e mail despatched to targets comprises a fast response (QR) code purporting to direct customers to affix a WhatsApp group on “the most recent non-governmental initiatives geared toward supporting Ukraine NGOs.” This code, nonetheless, is deliberately damaged and won’t direct the consumer in the direction of any legitimate area; that is an effort to coax the goal recipient into responding.

A close-up of a text
Determine 1. Star Blizzard preliminary spear-phishing e mail with damaged QR code

When the recipient responds, Star Blizzard sends a second e mail containing a Protected Hyperlinks-wrapped t[.]ly shortened hyperlink as the choice hyperlink to affix the WhatsApp group.

A black text on a white background
Determine 2. Star Blizzard follow-on spear-phishing e mail with URL hyperlink

When this hyperlink is adopted, the goal is redirected to a webpage asking them to scan a QR code to affix the group. Nonetheless, this QR code is definitely utilized by WhatsApp to attach an account to a linked machine and/or the WhatsApp Internet portal. Because of this if the goal follows the directions on this web page, the risk actor can achieve entry to the messages of their WhatsApp account and have the aptitude to exfiltrate this information utilizing current browser plugins, that are designed for exporting WhatsApp messages from an account accessed through WhatsApp Internet.

Screenshot of the phish attempt displaying a legitimate WhatsApp webpage called To join the US-Ukraine NGOs Group, followed by instructions directing the user to scan the redacted QR code to link their device.
Determine 3. Malicious Star Blizzard phish try utilizing WhatsApp linking QR code

Whereas this marketing campaign was restricted and appeared to have terminated on the finish of November, it nonetheless marked a break in long-standing Star Blizzard TTPs and highlighted the risk actor’s tenacity in persevering with spear-phishing campaigns to achieve entry to delicate info even within the face of repeated degradations of their operations.

Microsoft Menace Intelligence recommends that each one e mail customers belonging to sectors that Star Blizzard sometimes targets all the time stay vigilant when coping with e mail, particularly emails containing hyperlinks to exterior assets. These targets are mostly associated to:

  • Authorities or diplomacy (incumbent and former place holders)
  • Analysis into protection coverage or worldwide relations when associated to Russia
  • Help to Ukraine associated to the continuing battle with Russia

When doubtful, contact the particular person you suppose is sending the e-mail utilizing a recognized and beforehand used e mail tackle to confirm that the e-mail was certainly despatched by them.

Mitigations

To harden networks towards the Star Blizzard exercise listed above, defenders can implement the next:

  • Implement Microsoft Defender for Endpoint on Android and iOS, which incorporates anti-phishing capabilities that additionally apply to QR code phishing assaults, blocking phishing websites from being accessed. 
  • Enable network protection in Microsoft Defender for Endpoint
  • Make sure that tamper protection is enabled in Microsoft Dender for Endpoint
  • Run endpoint detection and response in block mode in order that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the risk or when Microsoft Defender Antivirus is operating in passive mode.
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take speedy motion on alerts to resolve breaches, considerably decreasing alert quantity.
  • Turn on PUA protection in block mode in Microsoft Defender Antivirus
  • Activate cloud-delivered protection in Microsoft Defender Antivirus or the equal on your antivirus product to cowl quickly evolving attacker instruments and strategies.
  • Activate Microsoft Defender Antivirus real-time protection.
  • Encourage customers to make use of Microsoft Edge and different internet browsers that help SmartScreen, which identifies and blocks malicious web sites, together with phishing websites, rip-off websites, and websites that host malware.
  • Activate Safe Links and Safe Attachments for Workplace 365.
  • Use the Attack Simulator in Microsoft Defender for Workplace 365 to run lifelike, but protected, simulated phishing and password assault campaigns. Make the most of the QR code payload in assault simulation coaching eventualities to reflect Star Blizzard’s and different risk actor’s QR code spear-phishing strategies.

Microsoft Defender XDR detections

Microsoft Defender XDR clients can consult with the listing of relevant detections beneath. Microsoft Defender XDR coordinates detection, prevention, investigation, and response throughout endpoints, identities, e mail, apps to offer built-in safety towards assaults just like the risk mentioned on this weblog.

Prospects with provisioned entry may also use Microsoft Security Copilot in Microsoft Defender to analyze and reply to incidents, hunt for threats, and defend their group with related risk intelligence.

Microsoft Defender for Endpoint

The next alerts may point out risk exercise related to this risk. These alerts, nonetheless, might be triggered by unrelated risk exercise and usually are not monitored within the standing playing cards supplied with this report.

  • Star Blizzard exercise group

Searching queries

Microsoft Defender XDR

Floor occasions which will have communicated with the Star Blizzard C2s

let domainList = dynamic(["civilstructgeo.org", "aerofluidthermo.org"]);union(    DnsEvents    | the place QueryType has_any(domainList) or Identify has_any(domainList)    | venture TimeGenerated, Area = QueryType, SourceTable = "DnsEvents"),(    IdentityQueryEvents    | the place QueryTarget has_any(domainList)    | venture Timestamp, Area = QueryTarget, SourceTable = "IdentityQueryEvents"),(    DeviceNetworkEvents    | the place RemoteUrl has_any(domainList)    | venture Timestamp, Area = RemoteUrl, SourceTable = "DeviceNetworkEvents"),(    DeviceNetworkInfo    | prolong DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)    | mv-expand DnsAddresses, ConnectedNetworks    | the place DnsAddresses has_any(domainList) or ConnectedNetworks.Identify has_any(domainList)    | venture Timestamp, Area = coalesce(DnsAddresses, ConnectedNetworks.Identify), SourceTable = "DeviceNetworkInfo"),(    VMConnection    | prolong RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames    | the place RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)    | venture TimeGenerated, Area = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"),(    W3CIISLog    | the place csHost has_any(domainList) or csReferer has_any(domainList)    | venture TimeGenerated, Area = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"),(    EmailUrlInfo    | the place UrlDomain has_any(domainList)    | venture Timestamp, Area = UrlDomain, SourceTable = "EmailUrlInfo"),(    UrlClickEvents    | the place Url has_any(domainList)    | venture Timestamp, Area = Url, SourceTable = "UrlClickEvents")| order by TimeGenerated desc

Microsoft Sentinel

Microsoft Sentinel clients can use the TI Mapping analytics (a collection of analytics all prefixed with ‘TI map’) to mechanically match the malicious area indicators talked about on this weblog publish with information of their workspace. If the TI Map analytics usually are not presently deployed, clients can set up the Menace Intelligence answer from the Microsoft Sentinel Content Hub to have the analytics rule deployed of their Sentinel workspace.

Whereas the beneath queries usually are not linked to any particular risk actor, they’re efficient in detecting potential phishing makes an attempt. Implementing these queries may also help you keep vigilant and safeguard your group from phishing assaults

Microsoft Safety Copilot

Safety Copilot clients can use the standalone expertise to create their own prompts or run the next pre-built promptbooks to automate incident response or investigation duties associated to this risk:

  • Incident investigation
  • Microsoft Consumer evaluation
  • Menace actor profile
  • Menace Intelligence 360 report primarily based on MDTI article

Notice that some promptbooks require entry to plugins for Microsoft merchandise equivalent to Microsoft Defender XDR or Microsoft Sentinel.

Menace intelligence reviews

Microsoft clients can use the next reviews in Microsoft merchandise to get probably the most up-to-date details about the risk actor, malicious exercise, and strategies mentioned on this weblog. These reviews present the intelligence, safety info, and really helpful actions to forestall, mitigate, or reply to related threats present in buyer environments.

Microsoft Defender Menace Intelligence

Microsoft Safety Copilot clients may also use the Microsoft Security Copilot integration in Microsoft Defender Menace Intelligence, both within the Safety Copilot standalone portal or within the embedded experience within the Microsoft Defender portal to get extra details about this risk actor.

Indicators of compromise

IndicatorSortFinal seen
civilstructgeo[.]orgAreaOctober 2024
aerofluidthermo[.]orgAreaOctober 2024

References

Study extra

For additional info on the threats detailed on this weblog publish, refer to those further Microsoft blogs:

For the most recent safety analysis from the Microsoft Menace Intelligence group, try the Microsoft Menace Intelligence Weblog: https://aka.ms/threatintelblog.

To get notified about new publications and to affix discussions on social media, comply with us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (previously Twitter) at https://twitter.com/MsftSecIntel.

To listen to tales and insights from the Microsoft Menace Intelligence group in regards to the ever-evolving risk panorama, hearken to the Microsoft Menace Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

/by

Hear from Microsoft Safety consultants at these prime cybersecurity occasions in 2025

By Benjamin Lim, Director, Microsoft Safety Occasions

Inspiration can spark immediately once you’re at a convention. Maybe you uncover a brand new instrument throughout a keynote that might prevent hours of time. Or possibly a peer shares a narrative over espresso that makes you rethink an strategy. One dialog, one session, or one occasion may offer you recent concepts, renewed pleasure, and a imaginative and prescient for what to do subsequent.

Within the present AI panorama, inspiration and knowledge are extra vital than ever for safety professionals to remain forward of risk actors. So when you’re seeking to enhance your abilities and keep forward of the risk panorama, be a part of Microsoft Safety on the prime cybersecurity occasions in 2025.

Whether or not you be a part of us at an business staple like RSAC or one among our personal occasions like Microsoft Safe, you’ll be able to profit in a number of key methods:

  • Get insights and techniques wanted to beat obstacles and drive your safety initiatives ahead with confidence.
  • See reside demos of the most recent merchandise, product options, abilities, and instruments you should utilize in your work. Be among the many first to listen to about Microsoft Safety improvements, corresponding to Microsoft’s Safe Future Initiative and XSPA (cross-site port assault) updates attendees of Microsoft Ignite 2024 heard.
  • Study from Microsoft Safety consultants on international risk intelligence.
  • Community with different like-minded safety professionals, be taught greatest practices out of your friends, and meet one-on-one with our consultants.

No matter your function, there’s an occasion for you and a path to efficiently safeguarding your group.

A group of men standing around a table with laptops

Microsoft at RSAC

From our signature Pre-Day to hands-on demos and one-on-one conferences, uncover how Microsoft Safety can provide the benefit you want within the period of AI.

Register now 

Conferences to encourage and have interaction everybody

Large crowd of people attending Microsoft Ignite in Chicago, November 2024.

Safety professionals of all ranges can profit from attending one of many greatest cybersecurity occasions, together with RSAC, Black Hat, plus two premier Microsoft occasions—Microsoft Safe (digital) and Microsoft Ignite (in-person and digital). If you happen to love being the primary to listen to about Microsoft product improvements, don’t miss these Microsoft occasions with insights each safety skilled can put to good use.

Microsoft Safe

Date: April 9, 2025
Location: On-line solely

Microsoft Safe is Microsoft’s cybersecurity convention. This 12 months’s one-hour digital showcase will highlight AI-first, end-to-end safety improvements with clear use circumstances and buyer tales of how they use our instruments every day. Attendees will deep-dive into cybersecurity merchandise and techniques together with hundreds of different cybersecurity professionals.

RSAC

Dates: April 27-Could 1, 2025
Location: San Francisco, CA

RSAC 2025 is a can’t-miss safety convention, bringing collectively greater than 40,000 safety professionals to debate the most recent cybersecurity challenges and innovation with one of the best of one of the best. With the theme of “Many Voices. One Neighborhood,” RSAC will function keynotes, monitor classes, interactive classes, networking alternatives, and an expo designed to foster superior safety methods.

All through RSAC, Microsoft Safety will showcase end-to-end safety improvements and share world class risk and regulatory intelligence to provide the benefit you want within the period of AI. From our signature Pre-Day to hands-on demos and one-on-one conferences, uncover how Microsoft Safety can provide the benefit you want within the period of AI.​ Try the full Microsoft at RSAC experience.

Learn more about the Microsoft Events at RSA Conference 2025

Black Hat

Dates: August 2-7, 2025
Location: Las Vegas, NV

The Black Hat Conference is a premier studying occasion within the cybersecurity business, identified for its in-depth technical classes and cutting-edge analysis displays on subjects like essential infrastructure and knowledge safety analysis information.

Microsoft is a key sponsor of the convention annually, the place we showcase our newest discoveries and AI analysis on real-world issues and options. Final 12 months, our AI Pink Teaming in Follow coaching classes and our AI Summit roundtables have been successful. Black Hat can also be identified for its safety group celebrations, together with the Cybersecurity Lady of the 12 months Awards and the Researcher celebrations, which we participate in yearly.

Learn more about the Black Hat Conference 2025

Microsoft Ignite

Dates: November 17-21, 2025
Location: San Francisco, CA, and on-line

Microsoft Ignite is Microsoft’s greatest annual convention for builders, IT professionals, enterprise leaders, safety professionals, and companions. Hundreds of safety professionals such as you attend yearly to listen to the most important safety product bulletins from Microsoft Safety and acquire coaching and skilling to organize for future developments in AI. Safety professionals of all ranges can be a part of interactive labs, workshops, keynotes, technical breakout classes, demos, and extra, led by Microsoft Safety leaders and consultants.

Over the previous few years, we’ve actually boosted Microsoft Safety experiences at Microsoft Ignite. Final 12 months, we hosted the Microsoft Ignite Safety Discussion board for safety leaders and two workshops on AI crimson teaming and Microsoft 365 Copilot deployment. Plus, we hosted greater than 30 sessions demoing new options that will help you safe your setting, use your favourite Microsoft instruments safely and securely, and ensure your organizational processes prioritize safety first.

If you happen to attend Microsoft Ignite in particular person this 12 months, you gained’t need to miss our Safety Leaders Dinner or the safety group social gathering. If you happen to’re not capable of attend in particular person, you’ll be able to register for our digital occasion.​ Signal as much as be taught extra.

Learn more about Microsoft Ignite 2025

Occasions for safety leaders and decision-makers

A woman presenting during the Microsoft AI Tour.

Microsoft AI Tour

Dates: By way of Could 30, 2025
Location: A number of worldwide

The Microsoft AI Tour is a free, one-day occasion for executives that explores the methods AI can drive progress and create lasting worth in a number of cities across the globe. Whether or not you’re a purposeful decision-maker who evaluates investments, an IT staff member charged with safety, or a CISO revamping your safety technique, there can be useful safety content material tailor-made to your wants.

Microsoft Safety’s prime enterprise leaders attend AI tour places worldwide to share with you the way Microsoft Security Copilot enables you to shield on the velocity and scale of AI. They’re additionally out there to fulfill with you.

Reserve your spot at an event near you

Occasion locationOccasion date
Dubai, United Arab EmiratesFebruary 6, 2025
Singapore, Southeast AsiaFebruary 19, 2025
Tokyo, JapanFebruary 26-27, 2025
London, United KingdomMarch 5, 2025
Brussels, BelgiumMarch 25, 2025
Seoul, South KoreaMarch 26, 2025
Paris, FranceMarch 26, 2025
Madrid, SpainMarch 27, 2025
Tokyo, JapanMarch 27, 2025
Beijing, ChinaApril 23, 2025
Athens, GreeceCould 27-30, 2025

Gartner Safety and Danger Administration Summit

Dates: June 11th of September, 2025
Location: Nationwide Harbor, MD

The Gartner Security and Risk Management Summit (Gartner SRM) explores traits in cybersecurity threat administration, together with the combination of generative AI, being an efficient CISO, the significance of balancing response and restoration efforts with prevention, combating misinformation, and shutting the cybersecurity abilities hole to construct a resilient workforce.

Microsoft Safety executives host classes at Gartner SRM that will help you make sure the safety of AI techniques and undertake AI to drive innovation and effectivity. Our hottest subjects focus on securing and governing AI.

Learn more about the Gartner Security and Risk Management Summit

Occasions for technical and safety practitioners

People attending the Microsoft booth at RSAC 2024.

Safety groups search for conferences that present specialised data on the business by which they work or on a slender cybersecurity matter.

Legalweek

Dates: March 24-27, 2025
Location: New York, NY

Legalweek is a weeklong convention the place roughly 6,000 members of the authorized group will collect to community with their friends, discover rising traits, highlight the most recent tech, and provide a roadmap by way of business shifts. Matters explored at previous Legalweek conferences embrace the moral and regulatory influence of utilizing your knowledge to coach AI, litigation within the age of cybersecurity, and maximizing effectivity and authorized automation.  

This 12 months, we’ll be sponsoring three classes on AI and one on collaboration in advanced litigation. As in years previous, Microsoft is internet hosting an Government Breakfast at Legalweek from 7:30 AM ET-8:45 AM ET on Tuesday, March 25, 2025. RSVP today and cease by Sales space #3103 in New York Hilton Midtown Americas Corridor 2 to be taught extra in regards to the newest Microsoft Purview improvements. If you happen to’d like to fulfill with our staff whereas at Legalweek, sign up for a one-on-one meeting.

Learn more about Legalweek 2025

Identiverse

Dates: June 3-6, 2025
Location: Las Vegas, NV

Limiting entry to AI, apps, and assets to these with the correct permissions is a vital a part of safety. The Identiverse conference supplies schooling, collaboration, and perception into the way forward for identification safety. Greater than 2,500 attendees will share insights, develop new concepts, and advance the state of contemporary digital identification and safety.

The occasion options classes on greatest practices, business traits, and newest applied sciences; an exhibition corridor to showcase the most recent identification answer improvements; and networking alternatives. Microsoft will host a sales space the place attendees can join with Microsoft Safety consultants and leaders.

Learn more about Identiverse 2025

Occasions for builders

The cybersecurity expertise scarcity is requiring many to step up even when cybersecurity isn’t of their official job description. In case you are an IT skilled being tasked with cybersecurity or somebody with an eagerness to be taught cybersecurity ways, be a part of our Microsoft occasions geared toward serving to you uplevel your cybersecurity abilities.

Microsoft Construct

Dates: Could 19-22, 2025
Location: Seattle, WA

Safety is a staff sport and builders are more and more the primary string staff members who construct safety into the event of functions. Microsoft Build Conference 2025 is Microsoft’s developer-focused occasion. It should showcase thrilling updates and improvements from Microsoft Safety for builders to create AI-enabled safety options for his or her organizations.

The occasion consists of connection alternatives, demos, and security-focused classes. Previous subjects have included utilizing AI to speed up improvement processes, instruments for enhancing the developer expertise, and techniques for constructing within the cloud. Keep updated on Microsoft Construct information and find out when registration is open.

Learn more about the Microsoft Build Conference 2025

Discover your inspiration at an occasion this 12 months

Cybersecurity occasions foster a tradition of steady studying and adaptation, empowering you to remain forward of rising cyberthreats and keep a resilient safety posture. The concepts will stream freely at these occasions. Whether or not you attend one of many greatest conferences of the 12 months or a smaller occasion (or each), you’ll be in good firm. Microsoft Safety can be there be, too, excited to share and wanting to be taught.

Hope to see you at a future occasion!

To be taught extra about Microsoft Safety options, go to our website. Bookmark the Security blog to maintain up with our professional protection on safety issues. Additionally, comply with us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the most recent information and updates on cybersecurity.

/by

7 cybersecurity traits and suggestions for small and medium companies to remain protected

,

By Scott Woodgate, General Manager, Threat Protection

As October draws to a close, marking 21 years of Cybersecurity Awareness Month, cyberattacks continue to be a challenge for businesses of all sizes, however, small and medium businesses (SMBs) face distinct challenges when it comes to cybersecurity. Although SMBs face heightened cybersecurity threats, unlike large enterprises, they often lack the resources and expertise to implement extensive security measures or manage complex security solutions, making them prime targets for bad actors. Both the risks that SMBs face and their current level of security readiness are not widely understood.

To help us better understand the SMB security needs and trends, Microsoft partnered with Bredin, a company specializing in SMB research and insights, to conduct a survey focused on security for businesses with 25 to 299 employees. As we share these insights below, and initial actions that can take to address them, SMBs can also find additional best practices to stay secure in the Be Cybersmart Kit.  

Decorative image of three bars - one blue, one yellow, and one green

SMB Cybersecurity Research Report

Read the full report to learn more about how security is continuing to play an important role for SMBs.

Discover more 

Graphic of 7 top 7 cybersecurity trends for small and medium sized businesses

1. One in three SMBs have been victims of a cyberattack 

With cyberattacks on the rise, SMBs are increasingly affected. Research shows that 31% of SMBs have been victims of cyberattacks such as ransomware, phishing, or data breaches. Despite this, many SMBs still hold misconceptions that increase their risk and vulnerability. Some believe they are too small to be targeted by hackers or assume that compliance equates to security. It is crucial to understand that bad actors pose a threat to businesses of all sizes, and complacency in cybersecurity can lead to significant risks. 

How can SMBs approach this?

Microsoft, in collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), has outlined four simple best practices to creates a strong cybersecurity foundation.

  • Use strong passwords and consider a password manager.
  • Turn on multifactor authentication.
  • Learn to recognize and report phishing.
  • Make sure to keep your software updated.
Graphic of 1 in 3 of all SMBs have experienced of a cyberattack

2. Cyberattacks cost SMBs more than $250,000 on average and up to $7,000,000 

The unexpected costs of a cyberattack can be devastating for an SMB and make it difficult to financially recover from. These costs can include expenses incurred for investigation and recovery efforts to resolve the incident, and associated fines related to a data breach. Cyberattacks not only present an immediate financial strain but can also have longer term impacts on an SMB. Diminished customer trust due to a cyberattack can cause broader reputational damage and lead to missed business opportunities in the future. It’s difficult to anticipate the impact of a cyberattack because the time it takes to recover can vary from one day to more than a month. While many SMBs are optimistic about their ability to withstand a cyberattack, some fail to accurately estimate the time needed to restore operations and resume normal business activities 

How can SMBs approach this?

SMBs can conduct a cybersecurity risk assessment to understand gaps in security and determine steps to resolve them. These assessments can help SMBs uncover areas open to attack to minimize them, ensure compliance with regulatory requirements, establish incident response plans, and more. Effectively and proactively planning can help minimize the financial, reputational, and operational costs associated with a cyberattack should one happen. Many organizations provide self-service assessments, and working with a security specialist or security service provider can bring additional expertise and guidance through the process as needed.

Graphic of The average cost of an attack for SMBs is over $250,000

3. 81% of SMBs believe AI increases the need for additional security controls

The rapid advancement of AI technologies and the ease of use through simple user interfaces creates notable challenges for SMBs when used by employees. Without the proper tools in place to secure company data, AI use can lead to sensitive or confidential information getting in the wrong hands. Fortunately, more than half of companies currently not using AI security tools intend to implement them within the next six months for more advanced security. 

How can SMBs approach this?

Data security and data governance play a critical role in successful adoption and use of AI. Data security, which includes labeling and encrypting documents and information, can mitigate the chance of restricted information being referenced in AI prompts. Data governance, or the process of managing, understanding, and securing data, can help establish a framework to effectively organize data within.

Graphic of 81% of SMBs believe AI increases the need for additional security controls

4. 94% consider cybersecurity critical to their business 

Recognizing the critical importance of cybersecurity, 94% of SMBs consider it essential to their operations. While it was not always considered a top priority given limited resources and in-house expertise, the rise in cyberthreats and increased sophistication of cyberattacks now pose significant risks for SMBs that is largely recognized across the SMB space. Managing work data on personal devices, ransomware, and phishing and more are cited as top challenges that SMBs are facing. 

How can SMBs approach this?

For SMBs that want to get started with available resources to train and educate employees, security topics across Cybersecurity 101Phishing, and more are provided through Microsoft’s Cybersecurity Awareness site.

Graphic of 94% of SMBs consider cybersecurity critical to their companies

5. Less than 30% of SMBs manage their security in-house 

Given the limited resources and in-house expertise within SMBs, many turn to security specialists for assistance. Less than 30% of SMBs manage security in-house and generally rely on security consultants or service providers to manage security needs. These security professionals provide crucial support in researching, selecting, and implementing cybersecurity solutions, ensuring that SMBs are protected from new threats. 

How can SMBs approach this?

Hiring a Managed Service Provider (MSP) is commonly used to supplement internal business operations. MSPs are organizations that help manage broad IT services, including security, and serve as strategic partners to improve efficiency and oversee day-to-day IT activities. Examples of security support can consist of researching and identifying the right security solution for a business based on specific needs and requirements. Additionally, MSPs can implement and manage the solution by configuring security policies and responding to incidents on the SMBs behalf. This model allows more time for SMBs to focus on core business objectives while MSPs keep the business protected.

Graphic of Less than 30% of SMBs manage their security in-house

6. 80% intend to increase their cybersecurity spending, with data protection as top area of spend 

Given the heightened importance of security, 80% of SMBs intend to increase cybersecurity spending. Top motivators are protection from financial losses and safeguards for client and customer data. It’s no surprise that data protection comes in as the top investment area with 65% of SMBs saying that is where increased spending will be allocated, validating the need for additional security with the rise of AI. Other top areas of spending include firewall services, phishing protection, ransomware and device protection, access control, and identity management.  

How can SMBs approach this?

Prioritizing these investments in the areas above, SMBs can improve security posture and reduce the risk of cyberattacks. Solutions such as Data Loss Prevention (DLP) help identify suspicious activity and prevent sensitive data from leaving leaking outside of the business, Endpoint Detection and Response (EDR) help protect devices and defend against threats, and Identity and Access Management (IAM) help ensure only the right people get access to the right information.

Graphic of 80% of SMBs intend to increase their cybersecurity spending

7. 68% of SMBs consider secure data access a challenge for remote workers 

The transition to hybrid work models has brought new security challenges for SMBs, and these issues will continue as hybrid work becomes a permanent fixture. With 68% of SMBs employing remote or hybrid workers, ensuring secure access for remote employees is increasingly critical. A significant 75% of SMBs are concerned about data loss on personal devices. To safeguard sensitive information in a hybrid work setting, it is vital to implement device security and management solutions so employees can securely work from anywhere.  

How can SMBs approach this?

Implement measures to protect data and internet-connected devices that include installing software updates immediately, ensuring mobile applications are downloaded from legitimate app stores, and refraining from sharing credentials over email or text, and only doing so over the phone in real-time.

Graphic of 68% of SMBs find secure data access for remote workers a challenge
/by