This month, Microsoft will introduce a new security alert that notifies enterprise security teams when an employee is being targeted by suspected nation-state attackers.
The notification will appear in the dashboard of Microsoft Defender for Office 365, a cloud-based email filtering service that protects enterprise Office 365 users against advanced and targeted threats (e.g., BEC and credential phishing). This lets security teams start remediation immediately, independently of the targeted user, who will also receive an email alert but might not see it or react to it with the required haste.
Advanced and persistent threat activity
“[Nation state] attacks represent some of the most advanced and persistent threat activity Microsoft tracks. The Microsoft Threat Intelligence Center follows these threats, builds comprehensive profiles of the activity, and works closely with all Microsoft security teams to implement detections and mitigations to protect our customers,” the company explained in the description of the new feature.
“We’re adding an alert to the security portal to alert customers when suspected nation-state activity is detected in the tenant.”
The new feature might be a direct consequence of the recent SolarWinds hack, during which the attackers – who are believed to be government-backed – also compromised some of the company’s Office 365 email accounts (though that was not the initial attack vector).
Alerts about suspected nation-state targeting of email accounts are not a new thing.
Microsoft has already been alerting users of its consumer email services such as Outlook and Hotmail when they have been targeted by government-backed hackers, and has previously alerted enterprise users of its offerings directly via email. In fact, in July 2019, Tom Burt, Microsoft’s corporate VP of Customer Security & Trust, said that in the year before, the company had notified nearly 10,000 customers that they had been targeted or compromised by nation-state attacks (about 84% of these attacks targeted enterprise customers).
Google, on the other hand, started warning Gmail users of state-sponsored attacks in 2012 and G Suite admins in 2018, allowing them to reset the password of any account with suspicious activity, enroll the user in 2-Step Verification, or ask them to take additional steps to secure their account.