
Protect Remote Workers With Microsoft ATP

Cyber security 04/07/2020 - 12:15 by Swami Nathan

Secure Remote Workers with Microsoft ATP

Owing to the coronavirus pandemic, the world has changed in unexpected ways over the last few weeks. Though every crisis brings out the best of humanity in many ways, it can also bring out the worst in some. Cybercriminals exploit people's fear and need for information to steal confidential data or distribute malware for profit through phishing attacks. Even as many criminal groups say that they will avoid targeting healthcare and nursing homes, the truth is that they cannot fully control where their malware spreads.

Although phishing and other email attacks are happening, the number of malicious emails that reference the coronavirus is very small. Customers ask us what Microsoft is doing to help defend them from these kinds of threats, and what they can do to defend themselves better. We figured this would be a useful time to recap how our automated detection and signal sharing work to protect customers (with a recent example), and to share some best practices that you can use personally to stay safe from phishing attempts.

What is Microsoft doing?

First, 91 percent of all cyber attacks start with email. That's why the first line of defense is doing what we can to block malicious emails from reaching you in the first place. A multi-layered security framework involving machine learning, detonation, and signal sharing is crucial to our ability to quickly identify and shut down email attacks.

If any of these mechanisms detects a malicious text, URL, or attachment, the message is blocked and never reaches your inbox. All attachments and links are detonated (opened in isolated virtual machines). Machine learning, anomaly analyzers, and heuristics are used to detect malicious behavior. Human security researchers constantly review user-submitted suspicious mail files to provide additional feedback and train the machine learning models.

If a file or URL is marked as malicious, the information is shared with other detection services such as Microsoft Defender Advanced Threat Protection (ATP) so that endpoint detection benefits, and vice versa.

A significant example occurred earlier this month, when an attacker launched a spear-phishing operation that lasted less than 30 minutes.

The attackers crafted an email designed to look like a credible study on supply chain risk for food coloring additives, with an update focused on coronavirus disruptions. The attachment, however, was malicious and delivered a sophisticated, multi-layer payload based on the Lokibot trojan (Trojan:Win32/Lokibot.GJ!MTB).

Had this payload been deployed successfully, it could have been used by hackers to capture credentials for other systems — in this case FTP accounts and passwords — that could then be used for further attacks.

Only 135 customer tenants were targeted, with a spray of 2,047 malicious messages, but the attack did not impact any customers. The Office 365 ATP detonation service, enterprise-wide signal sharing, and human analysts worked together to stop it.

Even customers who do not use a Microsoft email service such as Office 365 or hosted Exchange, but who use a Windows PC with Microsoft Defender enabled, were fully protected thanks to signal sharing across services. When a user tried to open the malicious attachment from their non-Microsoft email service, Microsoft Defender ATP kicked in, queried its cloud-based machine learning models, and found that the attachment had already been blocked on the basis of an earlier Office 365 ATP cloud detection. The attachment was stopped from running on the PC, and the user was protected.

What you can do

Although bad actors seek to capitalize on the COVID-19 crisis, they use the same strategies they always have. Now is the time to be more cautious and take action to protect yourself.

Verify that your computers have the latest security updates installed and an antivirus or anti-malware service enabled. Microsoft ATP Antivirus is a free built-in service for Windows 10 computers, which is enabled via Settings. Switch on cloud-based protection and automatic sample submission so that artificial intelligence (AI) and machine learning can detect and stop new and unknown threats quickly.

Use multi-factor authentication (MFA) on all accounts you have. Many online services also let you use your mobile device or other methods to secure your accounts. Support for MFA is available as part of the free Azure Active Directory (Azure AD) offering.

Educate yourself, friends, and colleagues on how to identify phishing attempts, and watch for suspicious messages. Here are some of the signs that give them away.

  1. Poor spelling and grammar. Cybercriminals are not known for their grammar and spelling. Professional businesses and organizations typically have editorial staff to ensure that customers get accurate, high-quality content. If an email message is full of mistakes, it is likely to be a scam.
  2. Suspicious links. If you suspect an email is a scam, do not click on any links. One way to test a link’s validity is to hover your mouse over the link — without clicking — to see whether the address shown matches the text in the message.
  3. Suspicious attachments. If you get an email with an attachment from someone you don’t know, or an email from someone you do know but with an attachment you weren’t expecting, it could be a phishing attempt, so we suggest that you don’t open any attachments until you have checked their legitimacy. Attackers use several methods to try to trick recipients into trusting that an attached file is legitimate.
    1. Don’t trust the Attachment button.
    2. Be wary of double file extensions, like “pdf.exe”, “rar.exe” or “txt.ha”.
    3. If in doubt, contact the person who sent you the message and ask them to confirm the authenticity of the email and attachment.
  4. Threats. These kinds of emails trigger a sense of fear or pressure to get you to respond quickly. For example, an email may contain a statement like “You have to respond by the end of the day”, or say that you may face financial penalties if you don’t answer.
  5. Spoofing. Spoofed emails appear to link to legitimate websites or companies but take you to fake scam sites or show pop-up windows that look legitimate.
  6. Modified web addresses. A form of spoofing in which web addresses closely resemble, but are slightly altered from, the names of well-known companies; for example, “” or
  7. Your name is wrong in the salutation.
  8. The link text and the URL differ from each other, or the sender’s name, signature, and URL don’t match.

If you think you got a phishing email or followed a link in an email that took you to a suspicious website, then there are a few ways to report what you found.

If you think the email you got is suspicious:

  1. If you receive a suspicious email demanding personal information, select the checkbox next to the message in your Outlook inbox. Select the arrow next to Junk, then point to Phishing scam.
  2. Microsoft Office Outlook 2016 and 2019 and Microsoft Office 365 - While in the suspicious message, select Report Message on the ribbon in the Security tab, then click Phishing.

When you are on a suspicious website:

  1. Microsoft Edge - While you are on a suspicious site, click the More (…) icon > Send Feedback > Report Unsafe site. Follow the web page directions displayed for reporting the website.
  2. Internet Explorer - While on a questionable site, click the gear icon, point to Safety, and then click Report Unsafe Website. Follow the directions displayed on the web page for reporting the website.

Licensing – what's available to you today

Right now, you need to be able to protect a greater number of endpoints faster than ever before. Microsoft Defender ATP provides this flexibility without the need to obtain additional licenses. Microsoft Defender ATP is purchased on a per-user basis, and each licensed user is protected on up to 5 simultaneous devices, letting you extend endpoint security to the other devices that licensed users use with zero friction. If you have any further questions or need more support, please contact us.

The only way to protect what you’ve worked hard to build is to be vigilant about cybersecurity. If you’d like to know more about how your business can benefit from managed services, just give us a call; we are here to help.

Protect your remote workers from phishing attacks with the help of Microsoft ATP. Microsoft Defender ATP is an anti-malware component of Microsoft Windows.