Microsoft is open-sourcing COVID-19 threat intelligence

Pierluigi Paganini May 16, 2020

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

While the number of Coronavirus-themed attacks continues to increase increased Microsoft announced it is open-sourcing its COVID-19 threat intelligence to help organizations to repeal these threats.

“Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack.” reads a post published by Microsoft. “Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions. “

Sharing information could offer the community a more complete view of attackers’ tactics, techniques, and procedures.

Microsoft experts have already been sharing examples of malicious lures and have provided guided hunting of COVID-themed attacks through Azure Sentinel Notebooks.

COVID malspam

Microsoft is going to publicly release some of its threat indicators, the company pointed out that its users are already protected against these attacks by Microsoft Threat Protection (MTP).

Microsoft has made available the indicators both in the Azure Sentinel GitHub repo, and through the Microsoft Graph Security API.

“These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.” continues Microsoft.

“This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.”

This is just the beginning of the threat intelligence sharing of Coronavirus-related IOCs that will be offered through the peak of the outbreak.

Microsoft is releasing file hash indicators related to malicious email attachments employed in the campaigns. 

Azure Sentinel customers can import the indicators using a Playbook or access them directly from queries. Microsoft added that both Office 365 ATP and Microsoft Defender ATP already block the attacks associated with the above indicators.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment