Updates from: 09/12/2023 03:42:29
Category Microsoft Docs article Related commit history on GitHub Change details
admin Create Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/create-groups.md
Last updated 02/18/2020
f1.keywords: CSH -+ audience: Admin
admin About Shared Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/about-shared-mailboxes.md
Title: "About shared mailboxes" f1.keywords: - NOCSH--++ Last updated 08/18/2023 audience: Admin
admin Configure A Shared Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/configure-a-shared-mailbox.md
Title: "Configure shared mailbox settings" f1.keywords: - NOCSH--++ Last updated 08/21/2023 audience: Admin
admin Convert User Mailbox To Shared Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox.md
Title: "Convert a user mailbox to a shared mailbox" f1.keywords: - NOCSH--++ Last updated 08/18/2023 audience: Admin
admin Create A Shared Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/create-a-shared-mailbox.md
Title: "Create a shared mailbox" f1.keywords: - NOCSH--++ Last updated 08/21/2023 audience: Admin
admin Remove License From Shared Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/remove-license-from-shared-mailbox.md
Title: "Remove license from shared mailbox" f1.keywords: - NOCSH--++ audience: Admin
admin Resolve Issues With Shared Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/resolve-issues-with-shared-mailboxes.md
Title: "Resolve issues with shared mailboxes" f1.keywords: - NOCSH--++ Last updated 02/18/2020 audience: Admin
enterprise M365 Dr Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-dr-overview.md
There are three methods for ensuring that the _Tenant_ data location for a parti
| Viva Topics <br/> |- <br/> |- <br/> |X<sup>3</sup> <br/> | | Microsoft Purview <br/> |- <br/> |- <br/> |X<sup>3</sup> <br/> |
-1. Only available in the following countries/regions: Australia, Brazil, Canada, France, Germany, India, Japan, Poland, Qatar, South Korea, Norway, South Africa, Sweden, Switzerland, United Arab Emirates, United Kingdom, European Union and the United States.
+1. Only available in the following countries/regions: Australia, Brazil, Canada, France, Germany, India, Japan, Qatar, South Korea, Norway, South Africa, Sweden, Switzerland, United Arab Emirates, United Kingdom, European Union and the United States.
1. Available in _Local Region Geography_, _Expanded Local Region Geography_ (when the future data center is launched) and _Regional Geography countries/regions_ 1. Only available for _Local Region Geography_ and _Expanded Local Region Geography_ (when the future data center is launched) countries/regions. [Learn about supported Microsoft Purview services and solutions](m365-dr-workload-purview.md).
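Review bot: Footnote 1 removes Poland from the country/region list, and nothing else in the visible lines explains the removal or adjusts the rows that cite this footnote. Confirm that the table cells marked with footnote 1 still describe the same offering, and record the reason for the removal in the commit message so that readers who relied on the earlier list can trace it. Separately, all three footnotes in the context lines are numbered "1." while the table cites superscript 3; writing them as 1., 2., 3. would make the source match the references.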
enterprise Use The Centralized Deployment Powershell Cmdlets To Manage Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-the-centralized-deployment-powershell-cmdlets-to-manage-add-ins.md
Before you can use the Centralized Deployment cmdlets, you need to sign in.
Connect-OrganizationAddInService ```
-3. In the **Enter Credentials** page, enter your Microsoft 365 **User Admin**, or **Global admin** credentials. Alternately, you can enter your credentials directly into the cmdlet.
-
- Run the following cmdlet specifying your company admin credentials as a PSCredential object.
-
- ```powershell
- $secpasswd = ConvertTo-SecureString "MyPassword" -AsPlainText -Force
- $mycredentials = New-Object System.Management.Automation.PSCredential ("serviceaccount@contoso.com", $secpasswd)
- Connect-OrganizationAddInService -Credential $mycredentials
- ```
+3. In the sign in prompt that opens, select or enter your Microsoft 365 **User Admin** or **Global admin** credentials.
> [!NOTE] > For more information about using PowerShell, see [Connect to Microsoft 365 with PowerShell](./connect-to-microsoft-365-powershell.md).
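Review bot: The new step 3 reads "In the sign in prompt that opens", where the noun should be hyphenated as "sign-in prompt". Removing the old sample is the right direction, since it placed a literal password in the script through ConvertTo-SecureString -AsPlainText -Force, but the step no longer says anything about unattended use. If the -Credential parameter is still supported, say so and tell readers to build the PSCredential from Get-Credential or a secret store rather than from a string in the script; if it is not, state that interactive sign-in is the only supported path.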
includes Microsoft 365 Content Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-content-updates.md
+## Week of September 04, 2023
++
+| Published On |Topic title | Change |
+|||--|
+| 9/5/2023 | [Microsoft 365 Lighthouse frequently asked questions (FAQs)](/microsoft-365/lighthouse/m365-lighthouse-faq?view=o365-worldwide) | modified |
+| 9/5/2023 | [Frequently asked questions (FAQs) on tamper protection](/microsoft-365/security/defender-endpoint/faqs-on-tamper-protection?view=o365-worldwide) | modified |
+| 9/5/2023 | [Deploy add-ins in the admin center](/microsoft-365/admin/manage/manage-deployment-of-add-ins?view=o365-worldwide) | modified |
+| 9/5/2023 | [Teams apps that work on Outlook and Microsoft 365](/microsoft-365/admin/manage/teams-apps-work-on-outlook-and-m365?view=o365-worldwide) | modified |
+| 9/5/2023 | [Advanced deployment guidance for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment?view=o365-worldwide) | modified |
+| 9/6/2023 | [Monitor and maintain Microsoft 365 Business Premium and Defender for Business](/microsoft-365/business-premium/m365bp-mdb-maintain-environment?view=o365-worldwide) | modified |
+| 9/6/2023 | [Configure remediation for Microsoft Defender Antivirus detections](/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 9/6/2023 | [Microsoft Defender Antivirus compatibility with other security products](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide) | modified |
+| 9/7/2023 | [MICROSOFT SYNTEX FEATURES LIMITED TIME LICENSE](/microsoft-365/syntex/feature-limited-license) | added |
+| 9/7/2023 | [Compare security features in Microsoft 365 plans for small and medium-sized businesses](/microsoft-365/security/defender-business/compare-mdb-m365-plans?view=o365-worldwide) | modified |
+| 9/7/2023 | [Get Microsoft Defender for Business](/microsoft-365/security/defender-business/get-defender-business?view=o365-worldwide) | modified |
+| 9/7/2023 | [Microsoft Defender for Business](/microsoft-365/security/defender-business/index?view=o365-worldwide) | modified |
+| 9/7/2023 | [View and manage incidents in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-view-manage-incidents?view=o365-worldwide) | modified |
+| 9/7/2023 | [Manage self-service license requests in the Microsoft 365 admin center](/microsoft-365/commerce/licenses/manage-license-requests?view=o365-worldwide) | modified |
+| 9/7/2023 | [Deploy frontline static teams at scale with PowerShell for frontline workers](/microsoft-365/frontline/deploy-teams-at-scale?view=o365-worldwide) | modified |
+| 9/7/2023 | [Protect macOS security settings with tamper protection](/microsoft-365/security/defender-endpoint/tamperprotection-macos?view=o365-worldwide) | modified |
+| 9/7/2023 | [Web content filtering](/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-worldwide) | modified |
+| 9/7/2023 | [Detect and remediate the Outlook rules and custom forms injections attacks.](/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide) | modified |
+| 9/8/2023 | [Enter your product key for a Microsoft business product or service](/microsoft-365/commerce/enter-your-product-key?view=o365-worldwide) | modified |
+| 9/8/2023 | [Join or leave a multitenant organization in Microsoft 365 (Preview)](/microsoft-365/enterprise/join-leave-multi-tenant-org?view=o365-worldwide) | modified |
+| 9/8/2023 | [Microsoft 365 multitenant Organization People Search](/microsoft-365/enterprise/multi-tenant-people-search?view=o365-worldwide) | modified |
+| 9/8/2023 | [Plan for multitenant organizations in Microsoft 365 (Preview)](/microsoft-365/enterprise/plan-multi-tenant-org-overview?view=o365-worldwide) | modified |
+| 9/8/2023 | [Set up a multitenant org in Microsoft 365 (Preview)](/microsoft-365/enterprise/set-up-multi-tenant-org?view=o365-worldwide) | modified |
+| 9/8/2023 | [Synchronize users in multitenant organizations in Microsoft 365 (Preview)](/microsoft-365/enterprise/sync-users-multi-tenant-orgs?view=o365-worldwide) | modified |
+| 9/8/2023 | [Test Base FAQ](/microsoft-365/test-base/faq?view=o365-worldwide) | modified |
+| 9/8/2023 | [Share files and videos in Microsoft Teams and SharePoint](/microsoft-365/business-premium/share-files-and-videos?view=o365-worldwide) | modified |
++ ## Week of August 28, 2023
| 8/10/2023 | [Cross-tenant OneDrive migration overview](/microsoft-365/enterprise/cross-tenant-onedrive-migration?view=o365-worldwide) | modified | | 8/11/2023 | [Alert classification for malicious exchange connectors](/microsoft-365/security/defender/alert-classification-malicious-exchange-connectors?view=o365-worldwide) | renamed | | 8/11/2023 | [What's new in Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-whatsnew?view=o365-worldwide) | modified |--
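Review bot: In the added "Week of September 04, 2023" table, the 9/7/2023 row titled "MICROSOFT SYNTEX FEATURES LIMITED TIME LICENSE" is in all capitals while every other row uses sentence case. Correct the title to match the other rows, for example "Microsoft Syntex features limited time license", or fix it in the linked article if the title is taken from there.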
-## Week of July 31, 2023
--
-| Published On |Topic title | Change |
-|||--|
-| 7/31/2023 | [Batch Delete Indicators API](/microsoft-365/security/defender-endpoint/batch-delete-ti-indicators?view=o365-worldwide) | added |
-| 7/31/2023 | [URLs and IP address ranges for Office 365 operated by 21Vianet](/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet?view=o365-worldwide) | modified |
-| 7/31/2023 | [Service advisories for eDiscovery cmdlet exception spike in Exchange Online monitoring](/microsoft-365/enterprise/microsoft-365-exchange-monitoring-service-advisories?view=o365-worldwide) | added |
-| 8/1/2023 | [Asset rule management - Dynamic rules](/microsoft-365/security/defender/configure-asset-rules?view=o365-worldwide) | added |
-| 8/1/2023 | [Onboard to Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/mdvm-onboard-devices?view=o365-worldwide) | added |
-| 8/1/2023 | [Set up and manage content assembly in Microsoft Syntex](/microsoft-365/syntex/content-assembly-setup) | added |
-| 8/1/2023 | [Compare Microsoft Defender Vulnerability Management plans and capabilities](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities?view=o365-worldwide) | modified |
-| 8/1/2023 | [Microsoft Defender Vulnerability Management frequently asked questions](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-faq?view=o365-worldwide) | modified |
-| 8/1/2023 | [About the Microsoft Defender Vulnerability Management trial](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-trial?view=o365-worldwide) | modified |
-| 8/1/2023 | [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management?view=o365-worldwide) | modified |
-| 8/1/2023 | [Sign up for Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management?view=o365-worldwide) | modified |
-| 8/1/2023 | [Event timeline](/microsoft-365/security/defender-vulnerability-management/threat-and-vuln-mgt-event-timeline?view=o365-worldwide) | modified |
-| 8/1/2023 | [Trial user guide - Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/trial-user-guide-defender-vulnerability-management?view=o365-worldwide) | modified |
-| 8/1/2023 | [Assign device value](/microsoft-365/security/defender-vulnerability-management/tvm-assign-device-value?view=o365-worldwide) | modified |
-| 8/1/2023 | [Block vulnerable applications](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps?view=o365-worldwide) | modified |
-| 8/1/2023 | [Browser extensions assessment](/microsoft-365/security/defender-vulnerability-management/tvm-browser-extensions?view=o365-worldwide) | modified |
-| 8/1/2023 | [Certificate inventory](/microsoft-365/security/defender-vulnerability-management/tvm-certificate-inventory?view=o365-worldwide) | modified |
-| 8/1/2023 | [Create and view exceptions for security recommendations](/microsoft-365/security/defender-vulnerability-management/tvm-exception?view=o365-worldwide) | modified |
-| 8/1/2023 | [Exposure score in Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score?view=o365-worldwide) | modified |
-| 8/1/2023 | [Firmware and hardware assessment](/microsoft-365/security/defender-vulnerability-management/tvm-hardware-and-firmware?view=o365-worldwide) | modified |
-| 8/1/2023 | [Hunt for exposed devices](/microsoft-365/security/defender-vulnerability-management/tvm-hunt-exposed-devices?view=o365-worldwide) | modified |
-| 8/1/2023 | [Microsoft Secure Score for Devices](/microsoft-365/security/defender-vulnerability-management/tvm-microsoft-secure-score-devices?view=o365-worldwide) | modified |
-| 8/1/2023 | [Network share configuration assessment](/microsoft-365/security/defender-vulnerability-management/tvm-network-share-assessment?view=o365-worldwide) | modified |
-| 8/1/2023 | [Remediate vulnerabilities](/microsoft-365/security/defender-vulnerability-management/tvm-remediation?view=o365-worldwide) | modified |
-| 8/1/2023 | [Security baselines assessment](/microsoft-365/security/defender-vulnerability-management/tvm-security-baselines?view=o365-worldwide) | modified |
-| 8/1/2023 | [Security recommendations](/microsoft-365/security/defender-vulnerability-management/tvm-security-recommendation?view=o365-worldwide) | modified |
-| 8/1/2023 | [Software inventory](/microsoft-365/security/defender-vulnerability-management/tvm-software-inventory?view=o365-worldwide) | modified |
-| 8/1/2023 | [Software usage insights](/microsoft-365/security/defender-vulnerability-management/tvm-usage-insights?view=o365-worldwide) | modified |
-| 8/1/2023 | [Vulnerable devices report](/microsoft-365/security/defender-vulnerability-management/tvm-vulnerable-devices-report?view=o365-worldwide) | modified |
-| 8/1/2023 | [Vulnerabilities in my organization](/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses?view=o365-worldwide) | modified |
-| 8/1/2023 | [Mitigate zero-day vulnerabilities](/microsoft-365/security/defender-vulnerability-management/tvm-zero-day-vulnerabilities?view=o365-worldwide) | modified |
-| 8/1/2023 | [What's new in Microsoft Defender Vulnerability Management Public Preview](/microsoft-365/security/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management?view=o365-worldwide) | modified |
-| 8/1/2023 | [DeviceInfo table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-deviceinfo-table?view=o365-worldwide) | modified |
-| 8/1/2023 | [SKOS format reference for SharePoint taxonomy](/microsoft-365/syntex/skos-format-reference) | modified |
-| 8/1/2023 | [Microsoft Syntex documentation # < 60 chars](/microsoft-365/syntex/index) | modified |
-| 8/2/2023 | [What's new in Microsoft 365 Defender Unified role-based access control (RBAC)](/microsoft-365/security/defender/whats-new-in-microsoft-defender-urbac?view=o365-worldwide) | added |
-| 8/2/2023 | [Create a rule to set a content type when a file is added to a document library in Microsoft Syntex](/microsoft-365/syntex/content-processing-content-type) | added |
-| 8/2/2023 | [How to prepare a Windows VHD for Test Base](/microsoft-365/test-base/prepare-testbase-vhd-file?view=o365-worldwide) | added |
-| 8/2/2023 | Contracts FAQ | removed |
-| 8/2/2023 | [Create a rule to move or copy a file from one document library to another in Microsoft Syntex](/microsoft-365/syntex/content-processing-create-rules) | modified |
-| 8/2/2023 | [Overview of content processing in Microsoft Syntex](/microsoft-365/syntex/content-processing-overview) | modified |
-| 8/2/2023 | [Overview](/microsoft-365/test-base/overview?view=o365-worldwide) | modified |
-| 8/2/2023 | [Pilot ring deployment using Group Policy and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-pilot-ring-deployment-group-policy-wsus?view=o365-worldwide) | added |
-| 8/2/2023 | [Production ring deployment using Group Policy and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-production-ring-deployment-group-policy-wsus?view=o365-worldwide) | added |
-| 8/2/2023 | [Production ring deployment using Group Policy and Microsoft Update (MU)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-microsoft-update?view=o365-worldwide) | added |
-| 8/2/2023 | [Production ring deployment using Group Policy and network share](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-network-share?view=o365-worldwide) | added |
-| 8/2/2023 | [Appendices for ring deployment using Group Policy and Windows Server Update Services (WSUS)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices?view=o365-worldwide) | added |
-| 8/2/2023 | [Ring deployment using Intune and Microsoft Update (MU)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-intune-microsoft-update?view=o365-worldwide) | added |
-| 8/2/2023 | [Ring deployment using System Center Configuration Manager and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-sscm-wsus?view=o365-worldwide) | added |
-| 8/2/2023 | [Microsoft Defender Antivirus ring deployment guide overview](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment?view=o365-worldwide) | added |
-| 8/3/2023 | [Test against Windows monthly security updates](/microsoft-365/test-base/validate-monthly-security-updates?view=o365-worldwide) | added |
-| 8/3/2023 | [Overview and Definitions](/microsoft-365/enterprise/m365-dr-overview?view=o365-worldwide) | modified |
-| 8/3/2023 | [Manage quarantined messages and files as an admin](/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files?view=o365-worldwide) | modified |
-| 8/3/2023 | [Find and release quarantined messages as a user](/microsoft-365/security/office-365-security/quarantine-end-user?view=o365-worldwide) | modified |
-| 8/3/2023 | [Quarantined messages FAQ](/microsoft-365/security/office-365-security/quarantine-faq?view=o365-worldwide) | modified |
-| 8/3/2023 | [Quarantine policies](/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide) | modified |
-| 8/3/2023 | [Quarantine notifications (end-user spam notifications) in Microsoft 365](/microsoft-365/security/office-365-security/quarantine-quarantine-notifications?view=o365-worldwide) | modified |
-| 8/4/2023 | [Test against Windows new features](/microsoft-365/test-base/against-windows-new-features?view=o365-worldwide) | added |
-| 8/4/2023 | [What's new in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-whats-new?view=o365-worldwide) | modified |
-| 8/4/2023 | [Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam?view=o365-worldwide) | modified |
-| 8/4/2023 | [Configure Microsoft Defender for Endpoint on Android features](/microsoft-365/security/defender-endpoint/android-configure?view=o365-worldwide) | modified |
-| 8/4/2023 | [Configure Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-configure-features?view=o365-worldwide) | modified |
-| 8/4/2023 | [Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance](/microsoft-365/security/office-365-security/scc-permissions?view=o365-worldwide) | modified |
-| 8/4/2023 | [Azure Active Directory setup guides](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide) | modified |
-| 8/4/2023 | [Step 2. Protect your Microsoft 365 privileged accounts](/microsoft-365/enterprise/protect-your-global-administrator-accounts?view=o365-worldwide) | modified |
-| 8/4/2023 | [Deploy frontline dynamic teams at scale](/microsoft-365/frontline/deploy-dynamic-teams-at-scale?view=o365-worldwide) | modified |
-| 8/4/2023 | [Create a B2B extranet with managed guests](/microsoft-365/solutions/b2b-extranet?view=o365-worldwide) | modified |
ms-feed M365 Feed https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/ms-feed/m365-feed.md
Title: "Overview of the Microsoft Feed"
Previously updated : 03/28/2023 Last updated : 08/03/2023 audience: Admin
Read more about how the feed works here: [Discover and learn with Microsoft Fee
## Where can users see Microsoft Feed?
-In **Microsoft Edge**, select the **Work feed** page when opening a new tab.
+In **Microsoft 365** (previously Office.com), while signed in with a work or school account select **Feed** from the left navigation bar.
-![Image of the work feed page.](../media/workfeed2.png)
-See the section *Find your way around* in [Discover and learn with Microsoft Feed](https://support.microsoft.com/en-us/office/discover-and-learn-with-microsoft-feed-9c190800-e348-46b7-9d46-41c628b80ebb)
+In **Microsoft Edge**, while signed in with a work or school account, select the **Work Feed** page when opening a new tab.
-## Availability
-In Microsoft 365, the new Feed experience will be rolled out gradually to customers, beginning with the tenants who have selected a Targeted Release attribute in their Microsoft 365 Admin Center.
+In **Outlook Mobile**, while signed in with a work or school account, select the Feed Tab from the bottom navigation bar.
-In Microsoft Edge Enterprise New Tab Page, the new Feed experience will be rolled out in February-March 2023.
+
+In **Microsoft 365 Mobile**, while signed in with a work or school account, select the Feed Tab from the bottom navigation bar.
++
+For more information, see the section "Find your way around" in [Discover and learn with Microsoft Feed](https://support.microsoft.com/en-us/office/discover-and-learn-with-microsoft-feed-9c190800-e348-46b7-9d46-41c628b80ebb).
## Privacy in Microsoft Feed
-The information in Microsoft Feed is tailored to each user. Users will only see documents or other content they have access to or that was shared directly with them. This can be documents that are stored in a shared folder in OneDrive or on a SharePoint site that the user has access to, or a link that someone shared in an email conversation or a Teams chat.
+The information in Microsoft Feed is tailored to each user. Users only see documents or other content that they have access to. This content can include documents that are stored in a shared folder in OneDrive or on a SharePoint site that the user has access to. It can also include a link that someone shared in an email conversation or a Teams chat.
-Microsoft Feed doesnΓÇÖt change any permissions, so each user has a unique feed based on what they already have access to. Documents and information are not stored in Microsoft Feed, and changing permissions must be done from where the information is stored, such as in OneDrive or SharePoint.
+Microsoft Feed doesnΓÇÖt change any permissions, so each user has a unique feed based on what they already have access to. Documents and information aren't stored in Microsoft Feed, and changing permissions must be done from where the information is stored, such as in OneDrive or SharePoint. To learn more, see [Share OneDrive files and folders - Microsoft Support](https://support.microsoft.com/en-us/office/share-onedrive-files-and-folders-9fcc2f7d-de0c-4cec-93b0-a82024800c07) and [Set up secure file sharing and collaboration with Microsoft Teams](../solutions/setup-secure-collaboration-with-teams.md).
+
+We have also added a feature where users can see who has access to a document by selecting **Who can see this** behind the three-dot menu (...) on the document card as shown in the following screenshot:
+ ## What controls are available? Microsoft Feed is built on Microsoft 365 and implicitly respects all settings and restrictions enabled by admins and users, such as People Insights (see more information on how to [Customize people insights privacy in Microsoft Graph](/graph/insights-customize-people-insights-privacy)), and Item Insights (see more information on how item insights setting works [Item insights overview](/graph/item-insights-overview)).
-In addition, Microsoft Feed respects LinkedIn visibility settings (when a user prefers to limit the visibility of their profile information outside of LinkedIn). To learn more, see [Off-LinkedIn Visibility | LinkedIn Help](https://www.linkedin.com/help/linkedin/answer/a1340507), and [Disconnecting Your LinkedIn and Microsoft Accounts and Managing Your Data | LinkedIn Help](https://www.linkedin.com/help/linkedin/answer/a552108).
+In addition, Microsoft Feed respects the settings in the "Visibility section" in LinkedIn Settings & Privacy (when a user chooses to restrict the visibility of their profile information outside of LinkedIn). To learn more, see [Off-LinkedIn Visibility | LinkedIn Help](https://www.linkedin.com/help/linkedin/answer/a1340507), and [Disconnecting Your LinkedIn and Microsoft Accounts and Managing Your Data | LinkedIn Help](https://www.linkedin.com/help/linkedin/answer/a552108).
+
+## Disabling the Feed
+
+As a tenant admin, if you want to disable the Feed, you can do so by following the steps in this section that disable the Feed in the respective endpoints.
+
+- Disabling the Feed in Microsoft 365 (previously Office.com)
+- Disabling the Feed in Microsoft Edge
+- Disabling the Feed in Outlook Mobile
+- Disabling the Feed in Microsoft 365 Mobile
+
+### Disabling the Feed in Microsoft 365 (previously Office.com)
+
+In Microsoft 365 (previously Office.com), as a tenant admin, if you want to disable the experience there, you can contact Microsoft via a service request to turn off Microsoft Feed. Turning off Microsoft Feed removes the Feed icon from the left navigation of Microsoft 365.
+
+1. [Sign in to Microsoft 365](https://admin.microsoft.com) with your Microsoft 365 admin account.
+2. SelectΓÇ»**Support** > **New service request.**
-In Microsoft 365, as a tenant admin, if you want to disable the new experience, you can contact Microsoft via a service request to turn off Microsoft Feed. This is a temporary solution which removes the Feed icon from the left navigation of Microsoft 365.
+To re-enable the feature, you can create **New service request**.
-1. [Sign in to Microsoft 365](https://admin.microsoft.com) with your Microsoft 365 admin account.
-2. **Select Support** > **New service request.**
-3. If you're in the admin center, selectΓÇ»**Support** > **New service request.**
-4. To re-enable the feature, you can create a **New service request.**
+### Disabling the Feed in Microsoft Edge
-In Microsoft Edge, while signed in with a work or school account, as a tenant admin, if you want to disable the new experience, you can choose to *not show* Work feed content on the Microsoft Edge new tab page:
+In Microsoft Edge, while signed in with a work or school account, as a tenant admin, if you want to disable the new experience, you can choose to not show Work feed content on the Microsoft Edge new tab page:
-1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com)
-2. Go toΓÇ»**Org settings**ΓÇ»>ΓÇ»**News.**
-3. Under **News**, select **Microsoft Edge new tab page**.
-4. *Clear* the box that says **Show Microsoft 365 content on the Microsoft Edge new tab page.**
-5. To re-enable the feature, check the box that says **Show Microsoft 365 content on the Microsoft Edge new tab page.**
-6. To make it a default feed, **Set Users default to Work feed**.
+1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com)
+2. Go toΓÇ»**Org settings**ΓÇ»>ΓÇ»**News.**
+3. Under **News**, select **Microsoft Edge new tab page**.
+4. Clear the box that says **Show Microsoft 365 content on the Microsoft Edge new tab page.**
+
+To re-enable the feature, check the box that says **Show Microsoft 365 content on the Microsoft Edge new tab page.**
+
+### Disabling the Feed in Outlook Mobile
+
+In **Outlook Mobile**, if you want to disable the experience there, you can find the instructions here: [Outlook mobile configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune)
+
+### Disabling the Feed in Microsoft 365 Mobile
+
+In **Microsoft 365 Mobile** you can now enable/disable Microsoft 365 Feed by configuring the following setting in the Intune portal. These app settings can be deployed using an [app configuration policy](/mem/intune/apps/app-configuration-policies-use-ios) in Intune.
+
+- ***Key***: **com.microsoft.office.officemobile.Feed.IsAllowed**
+- ***Value***:
+ - **true** **(Default)** - Feed is enabled for the tenant
+ - **false** - disables Feed for the tenant
+
+For more information about adding configuration keys, see [Add app configuration policies for managed iOS/iPadOS devices](/mem/intune/apps/app-configuration-policies-use-ios)
## Provide feedback We would love to hear from you! To let us know what you think of this feature, you can reach us by: 1. Responding to our Message Center post with feedback. This option is only available for tenant admins with access to the Microsoft Admin Center in Microsoft 365.
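Review bot: The new "Disabling the Feed in Microsoft 365 Mobile" section presents com.microsoft.office.officemobile.Feed.IsAllowed as a setting for the app in general, but both links in that section go to the iOS/iPadOS app configuration article, so it is unclear whether the key applies on Android. State the supported platforms explicitly and link the matching Android article if the key is honored there. In the Microsoft 365 (previously Office.com) section, the steps stop at "Support > New service request" without saying what to ask for, and the re-enable sentence "you can create **New service request**" has lost the article that the removed line had ("create a **New service request**").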
-2. Providing general feature feedback when viewing Microsoft Feed by clicking on "Feedback" in the lower right-hand corner.
+2. In Microsoft 365 (previously Office.com), and on Microsoft Edge, you can provide general in-product feature feedback when viewing Microsoft Feed by clicking on **Feedback** in the lower right-hand corner.
## Frequently Asked Questions (FAQ) 1. **What documents can users see in Microsoft Feed?**
-When a user creates and stores a document in a folder in OneDrive, and this folder is shared with other people, the document can be picked up and showed in those peopleΓÇÖs feeds, even if the user hasnΓÇÖt explicitly shared the document with others (yet). The same is the case if a user stores a document on a SharePoint site that others have access to.
+By interacting with resources such as files in Microsoft 365, you produce signals that Microsoft aggregates and assembles into a graph for your organization. In the graph, the signal data is represented as relationships between you and the other resources. Derived from signals in the graph are insights that power a few Microsoft 365 experiences. For more information, see [Item insights in Microsoft Graph - Microsoft Graph | Microsoft Learn](/graph/item-insights-overview) and [Customize people insights privacy in Microsoft Graph](/graph/insights-customize-people-insights-privacy)
+
+When a user creates and stores a document in a folder in OneDrive, and this folder is shared with other people, the document is picked up and shown in those peopleΓÇÖs feeds. This can happen even if the user hasnΓÇÖt explicitly shared the document with others yet. The same is the case if a user stores a document on a SharePoint site that others have access to.
2. **How does following work?**
-Following is synchronized between Microsoft Feed and Viva Engage. Following features in Microsoft Feed are only available to users who have a Viva Engage license. If users donΓÇÖt have a Viva Engage license, the My network page is not available, and the users canΓÇÖt follow others from Microsoft Feed.
+Following is synchronized between Microsoft Feed and Viva Engage. Following features in Microsoft Feed are only available to users who have a Viva Engage license. If users donΓÇÖt have a Viva Engage license, the **Manage network** page isn't available, and the users canΓÇÖt follow others from Microsoft Feed. To learn more, see the section *Influence what and who you see by following people* in [Discover and learn with Microsoft Feed](https://support.microsoft.com/en-us/office/discover-and-learn-with-microsoft-feed-9c190800-e348-46b7-9d46-41c628b80ebb)
3. **What's the connection between** [Office Delve](https://delve.office.com) **and Microsoft Feed?**
-Office Delve and Microsoft Feed are both based on Microsoft Graph. However, turning off Office Delve will not turn off Microsoft Feed.
+Office Delve and Microsoft Feed are both based on Microsoft Graph. However, turning off Office Delve doesn't turn off Microsoft Feed.
+
+4. **Why can I not see the Feed Tab in Outlook Mobile?**
+
+If your organizationΓÇÖs administrator has turned off the Feed for your organization, you should still see the Feed tab, but with the Sections View and not the Feed View.
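Review bot: the new FAQ item 4 asks why the Feed tab cannot be seen in Outlook Mobile, but the answer added under it only describes a case where the tab is still shown ("you should still see the Feed tab, but with the Sections View and not the Feed View"), so the question as worded is left unanswered. Either reword the question (for example, why the Feed view is missing from the tab) or state the condition under which the tab itself disappears. The sentences added to FAQ 1 and FAQ 2 that end in links are also missing their closing periods.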
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
This article is updated frequently to let you know what's new in the latest rele
- [What's new in Defender for Endpoint on macOS](mac-whatsnew.md) - [What's new in Defender for Endpoint on iOS](ios-whatsnew.md)
+<details>
+ <summary> August-2023 (Build: 101.23072.0021 | Release version: 30.123072.0021.0)</summary>
+
+## August-2023 Build: 101.23072.0021 | Release version: 30.123072.0021.0
+
+&ensp;Released: **August 8,2023**<br/>
+&ensp;Published: **August 8,2023**<br/>
+&ensp;Build: **101.23072.0021**<br/>
+&ensp;Release version: **30.123072.0021.0**<br/>
+&ensp;Engine version: **1.1.20100.7**<br/>
+&ensp;Signature version: **1.385.1648.0**<br/>
+
+**What's new**
+
+- There are multiple fixes and new changes in this release
+ - In mde_installer.sh v0.6.3, during cleanup user has to provide channel info for the configured repository, user can do it using --channel argument. For e.x: `sudo ./mde_installer --clean --channel prod`
+ - Added support for sensor-level process exclusions for eBPF.
+ - Added support for process based exclusions for fanotify.
+ - The Network Extension can now be reset by administrators using `mdatp network-protection reset`.
+- Other fixes and improvements
+ - Improved performance of Network Protection in audit mode.
+
+- Bug Fixes
+- Other performance improvements
+
+**Known issues**
+
+- While upgrading from mdatp version 101.75.43 or 101.78.13, you may encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. More information about the underlying issue can be found at [System hang due to blocked tasks in fanotify code](https://access.redhat.com/solutions/2838901).
+
+There are two ways to mitigate this upgrade issue:
+
+1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.
+
+Example:
+```bash
+sudo apt purge mdatp
+sudo apt-get install mdatp
+```
+
+2. As an alternative you can follow the instructions to [uninstall](/microsoft-365/security/defender-endpoint/linux-resources#uninstall), then [install](/microsoft-365/security/defender-endpoint/linux-install-manually#application-installation) the latest version of the package.
+
+If you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrading.
+Some customers (<1%) experience issues with this method.
+
+ ```bash
+sudo mdatp config real-time-protection --value=disabled
+sudo systemctl disable mdatp
+```
+</details>
<details> <summary> July-2023 (Build: 101.23062.0010 | Release version: 30.123062.0010.0)</summary>
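Review bot: in the Known issues fallback, the last code block turns real-time protection off and disables the service (`sudo mdatp config real-time-protection --value=disabled`, `sudo systemctl disable mdatp`), but no step tells the admin to turn either back on once the upgrade is done, which can leave a host running without protection. Add the restore commands after the upgrade step, and say whether the service also has to be stopped, since `systemctl disable` alone does not stop a running unit. Two smaller points in the same entry: the known issue names 101.98.05 as the upgrade target although this entry is for build 101.23072.0021, and the cleanup example calls `./mde_installer` while the sentence before it names the script `mde_installer.sh`.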
security Advanced Hunting Go Hunt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-go-hunt.md
- m365-security - tier1 Previously updated : 02/16/2021 Last updated : 08/31/2023 # Quickly hunt for entity or event information with go hunt
and DeviceName == deviceName
You can use the *go hunt* option after selecting any of these entity types: -- Files-- Emails
+- Devices
- Email clusters
+- Emails
+- Files
+- Groups
+- IP addresses
- Mailboxes - Users-- Devices-- IP addresses - URLs ## Query for event information
security Microsoft 365 Security Center Mdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdi.md
f1.keywords:
Previously updated : 06/28/2023 Last updated : 08/29/2023 audience: ITPro search.appverid:
The table below lists the changes in navigation between Microsoft Defender for I
| **Defender for** Identity | **Microsoft 365 Defender** | | -- | | | **Timeline** |- Microsoft 365 Defender Alerts/Incidents queue |
-| **Reports** |The following types of reports are available from the **Settings > Identities > Report management** page in Microsoft 365 Defender, either for immediate download or scheduled for a periodic email delivery: <br><br>- A summary report of alerts and health issues you should take care of. <br>- A list of each time a modification is made to sensitive groups. <br>- A list of source computer and account passwords that are detected as being sent in clear text.<br>- A list of the sensitive accounts exposed in lateral movement paths. <br><br>For more information, see [Report management](/defender-for-identity/reports). |
+| **Reports** |The following types of reports are available from the **Reports** > **Identities** > **Report management** page in Microsoft 365 Defender, either for immediate download or scheduled for a periodic email delivery: <br><br>- A summary report of alerts and health issues you should take care of. <br>- A list of each time a modification is made to sensitive groups. <br>- A list of source computer and account passwords that are detected as being sent in clear text.<br>- A list of the sensitive accounts exposed in lateral movement paths. <br><br>For more information, see [Report management](/defender-for-identity/reports). |
| **Identity page** | Microsoft 365 Defender user details page | | **Device page** | Microsoft 365 Defender device details page | | **Group page** | Microsoft 365 Defender groups side pane |
security Coinminer Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/coinminer-malware.md
- Title: Coin miners-
-description: Learn about coin miners, how they can infect devices, and what you can do to protect yourself.
-keywords: security, malware, coin miners, protection, cryptocurrencies
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# Coin miners
-
-Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known as cryptocurrencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins by reconfiguring malware.
-
-## How coin miners work
-
-Many infections start with:
--- Email messages with attachments that try to install malware.--- Websites hosting exploit kits that attempt to use vulnerabilities in web browsers and other software to install coin miners.--- Websites taking advantage of computer processing power by running scripts while users browse the website.-
-Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process generates coins but requires significant computing resources.
-
-Coin miners aren't inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners aren't wanted in enterprise environments because they eat up precious computing resources.
-
-Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run trojanized miners at the expense of other people's computing resources.
-
-### Examples
-
-DDE exploits, which have been known to distribute ransomware, are now delivering miners.
-
-For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256: 7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit.
-
-The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A). It downloads the trojanized miner, a modified version of the miner XMRig, which then mines Monero cryptocurrency.
-
-## How to protect against coin miners
-
-**Enable potentially unwanted applications (PUA) detection**. Some coin mining tools aren't considered malware but are detected as PUA. Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection.
-
-Since coin miners are becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md).
-
-For more information on coin miners, see the blog post [Invisible resource thieves: The increasing threat of cryptocurrency miners](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/).
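Review bot: this deletes the whole coin miners article, and nothing in the visible lines says where its readers should land instead. Confirm a redirect is in place for the old URL, and that the PUA detection advice under "How to protect against coin miners" survives in a page that remains, since it is the one mitigation in the article that is specific to coin miners.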
security Exploits Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/exploits-malware.md
- Title: Exploits and exploit kits-
-description: Learn about how exploits use vulnerabilities in common software to give attackers access to your computer and install other malware.
-keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities, Microsoft, Exploit malware family, exploits, java, flash, adobe, update software, prevent exploits, exploit pack, vulnerability, 0-day, holes, weaknesses, attack, Flash, Adobe, out-of-date software, out of date software, update, update software, reinfection, Java cache, reinfected, won't remove, won't clean, still detects, full scan, MSE, Defender, WDSI, MMPC, Microsoft Malware Protection Center
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# Exploits and exploit kits
-
-Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device.
-
-## How exploits and exploit kits work
-
-Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include shellcode, which is a small malware payload used to download additional malware from attacker-controlled networks. Shellcode allows hackers to infect devices and infiltrate organizations.
-
-Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploy additional malware to further infect a device. Kits can use exploits targeting various software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java, and Sun Java.
-
-The most common method used by attackers to distribute exploits and exploit kits is through webpages, but exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in their ads.
-
-The infographic below shows how an exploit kit might attempt to exploit a device after you visit a compromised webpage.
-
-![example of how exploit kits work.](../../media/security-intelligence-images/exploit-kit.png)
-
-*Figure 1. Example of how to exploit kits work*
-
-Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware.
-
-Examples of exploit kits:
--- Angler / [Axpergle](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Axpergle)--- [Neutrino](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/NeutrinoEK)--- [Nuclear](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Neclu)-
-To learn more about exploits, read this blog post on [taking apart a double zero-day sample discovered in joint hunt with ESET.](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/)
-
-## How we name exploits
-
-We categorize exploits in our Malware encyclopedia by the "platform" they target. For example, Exploit:Java/CVE-2013-1489.A is an exploit that targets a vulnerability in Java.
-
-A project called "Common Vulnerabilities and Exposures (CVE)" is used by many security software vendors. The project gives each vulnerability a unique number, for example, CVE-2016-0778.
-The portion "2016" refers to the year the vulnerability was discovered. The "0778" is a unique ID for this specific vulnerability.
-
-You can read more on the [CVE website](https://cve.mitre.org/).
-
-## How to protect against exploits
-
-The best prevention for exploits is to keep your organization's [software up to date](https://portal.msrc.microsoft.com/). Software vendors provide updates for many known vulnerabilities, so make sure these updates are applied to all devices.
-
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
security Fileless Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/fileless-threats.md
- Title: Fileless threats-
-description: Learn about the categories of fileless threats and malware that live off the land
-keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next-generation protection
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# Fileless threats
-
-What exactly are fileless threats? The term "fileless" suggests that a threat doesn't come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no one definition for fileless malware. The term is used broadly, and sometimes to describe malware families that do rely on files to operate.
-
-Attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft. Some parts of the attack chain may be fileless, while others may involve the file system in some form.
-
-For clarity, fileless threats are grouped into different categories.
-
-![Comprehensive diagram of fileless malware.](../../media/security-intelligence-images/fileless-malware.png)<br>
-*Figure 1. Comprehensive diagram of fileless malware*
-
-Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts.
-
-Next, list the form of entry point. For example, exploits can be based on files or network data, PCI peripherals are a type of hardware vector, and scripts and executables are subcategories of the execution vector.
-
-Finally, classify the host of the infection. For example, a Flash application may contain a variety of threats such as an exploit, a simple executable, and malicious firmware from a hardware device.
-
-Classifying helps you divide and categorize the various kinds of fileless threats. Some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced.
-
-From this categorization, you can glean three main types of fileless threats based on how much fingerprint they may leave on infected machines.
-
-## Type I: No file activity performed
-
-A fully fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? One example is where a target machine receives malicious network packets that exploit the EternalBlue vulnerability. The vulnerability allows the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there's no file or any data written on a file.
-
-A compromised device may also have malicious code hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or in the firmware of a network card. All these examples don't require a file on the disk to run, and can theoretically live only in memory. The malicious code would survive reboots, disk reformats, and OS reinstalls.
-
-Infections of this type can be particularly difficult to detect because most antivirus products don't have the capability to inspect firmware. In cases where a product does have the ability to inspect and detect malicious firmware, there are still significant challenges associated with remediation of threats at this level. This type of fileless malware requires high levels of sophistication and often depends on particular hardware or software configuration. It's not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks.
-
-## Type II: Indirect file activity
-
-There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type doesn't directly write files on the file system, but they can end up using files indirectly. For example, with the [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run the command periodically.
-
-It's possible to carry out such installation via command line without requiring a backdoor to already be on the file. The malware can be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file in a central storage area managed by the CIM Object Manager, and usually contains legitimate data. Even though the infection chain does technically use a physical file, it's considered a fileless attack because the WMI repository is a multi-purpose data container that can't be detected and removed.
-
-## Type III: Files required to operate
-
-Some malware can have a sort of fileless persistence, but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. Opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
-
-![Image of Kovter's registry key.](../../media/security-intelligence-images/kovter-reg-key.png)<br>
-*Figure 2. Kovter's registry key*
-
-When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an autorun key configured to open such file when the machine starts.
-
-Kovter is considered a fileless threat because the file system is of no practical use. The files with random extensions contain junk data that isn't usable in verifying the presence of the threat. The files that store the registry are containers that can't be detected and deleted if malicious content is present.
-
-## Categorizing fileless threats by infection host
-
-Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware doesn't get the upper hand in the arms race.
-
-### Exploits
-
-**File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file.
-
-**Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory.
-
-### Hardware
-
-**Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. Software residing and running in the chipset of a device is called firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/).
-
-**CPU-based** (Type I): Modern CPUs are complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/), bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies' purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off.
-
-Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.microsoft.com/en-us/security/blog/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) in the past. It has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution.
-
-**USB-based** (Type I): USB devices of all kinds can be reprogrammed with malicious firmware capable of interacting with the operating system in nefarious ways. For example, the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/) allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will.
-
-**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. The BIOS is an important component that operates at a low level and executes before the boot sector. It's possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/).
-
-**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although few are known to date.
-
-### Execution and injection
-
-**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory, or injected into other legitimate running processes.
-
-**Macro-based** (Type III: Office documents): The [VBA language](/office/vba/Library-Reference/Concepts/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe) and implemented in a scripting language. There's no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute.
-
-**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros, they are textual files (not binary executables) and run within the context of the interpreter (like wscript.exe, powershell.exe), which is a clean and legitimate component. Scripts are versatile and can be run from a file (by double-clicking them) or executed directly on the command line of an interpreter. Running on the command line allows malware to encode malicious scripts as autostart services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt.
-
-**Disk-based** (Type II: Boot Record): The Boot Record is the first sector of a disk or volume, and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code. When the machine is booted, the malware immediately gains control. The Boot Record resides outside the file system, but it's accessible by the operating system. Modern antivirus products have the capability to scan and restore it.
-
-## Defeating fileless malware
-
-At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
-
-To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)
-
-## Additional resources and information
-
-Learn how to [deploy threat protection capabilities across Microsoft 365 E5](/microsoft-365/solutions/deploy-threat-protection).
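Review bot: the deleted body references two images, `../../media/security-intelligence-images/fileless-malware.png` and `../../media/security-intelligence-images/kovter-reg-key.png`, and the change as shown does not say whether those media files go with it. Remove them in the same change if nothing else uses them. The Type I, II and III definitions given at the top of this article are also what the labels in "Categorizing fileless threats by infection host" rely on, so if any of that section is being moved to another page, the definitions need to move with it.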
security Macro Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/macro-malware.md
- Title: Macro malware-
-description: Learn about macro viruses and malware, which are embedded in documents and are used to drop malicious payloads and distribute other threats.
-keywords: security, malware, macro, protection, WDSI, MMPC, Microsoft Malware Protection Center, macro virus, macro malware, documents, viruses in Office, viruses in Word
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# Macro malware
-
-Macros are a powerful way to automate common tasks in Microsoft Office and can make people more productive. However, macro malware uses this functionality to infect your device.
-
-## How macro malware works
-
-Macro malware hides in Microsoft Office files and is delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more.
-
-Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. In recent versions of Microsoft Office, macros are disabled by default. Now, malware authors need to convince users to turn on macros so that their malware can run. They try to scare users by showing fake warnings when a malicious document is opened.
-
-We've seen macro malware download threats from the following families:
-
-* [Ransom:MSIL/Swappa](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A)
-* [Ransom:Win32/Teerac](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Teerac&threatId=-2147277789)
-* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A)
-* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif)
-* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski)
-* [Worm:Win32/Gamarue](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue)
-
-## How to protect against macro malware
-
-* Make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins set the default setting for macros:
- * [Enable or disable macros](https://support.office.com/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12) in Office documents
-
-* Don't open suspicious emails or suspicious attachments.
-
-* Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads.
-
-* Enterprises can prevent macro malware from running executable content using [ASR rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)
-
-For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md).
-
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
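Review bot: the two closing links in this hunk point to phishing.md and prevent-malware-infection.md, and both of those files show only removed lines further down in this same change, so every cross-reference in the set disappears together. Confirm that a redirect covers this page and both link targets before merging. The bullet under "How to protect against macro malware" that sends enterprises to ASR rules for blocking executable content from macros should also have a surviving home.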
security Phishing Trends https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/phishing-trends.md
- Title: Phishing trends and techniques-
-description: Learn about how to spot phishing techniques
-keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack, spear phishing, whaling
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# Phishing trends and techniques
-
-Phishing attacks are scams that often use social engineering bait or lure content. Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information.
-
-Below are some of the most common phishing techniques attackers will employ to try to steal information or gain access to your devices.
-
-## Invoice phishing
-
-In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds.
-
-## Payment/delivery scam
-
-You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. However, you aren't aware of any items you have recently purchased from them.
-
-## Tax-themed phishing scams
-
-A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts.
-
-## Downloads
-
-An attacker sends a fraudulent email requesting you to open or download a document attachment, such as a PDF. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you.
-
-## Phishing emails that deliver other threats
-
-Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](/security/compass/human-operated-ransomware) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files.
-
-We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.
-
-## Spear phishing
-
-Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target.
-
-Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer.
-
-The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks.
-
-## Whaling
-
-Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization.
-
-## Business email compromise
-
-Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company's network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers.
-
-## More information about phishing attacks
-
-For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/):
--- [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc)-- [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc)-- [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc)
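Review bot: in the "Spear phishing" section, the sentence "I may also lure you into opening documents" should read "It may also lure you", and under "Phishing emails that deliver other threats" the phrase "pay a sum of money to access to your files" has a stray "to". If this text is carried to another location and not simply dropped, fix both there. The relative link to support-scams.md in the same section also needs a redirect target, since that file shows removed lines in this change as well.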
security Phishing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/phishing.md
- Title: How to protect against phishing attacks-
-description: Learn about how phishing work, deliver malware do your devices, and what you can do to protect yourself
-keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# How to protect against phishing attacks
-
-Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication. They try to look like official communication from legitimate companies or individuals.
-
-Cybercriminals often attempt to steal usernames, passwords, credit card details, bank account information, or other credentials. They use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. The information can also be sold in cybercriminal underground markets.
-
-Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be aware and never provide sensitive or personal information through email or unknown websites, or over the phone. Remember, phishing emails are designed to appear legitimate.
-
-## Learn the signs of a phishing scam
-
-The best protection is awareness and education. Don't open attachments or links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL.
-
-Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information. They should also instruct employees to report the threat to the company's security operations team immediately.
-
-Here are several telltale signs of a phishing scam:
--- The links or URLs provided in emails are **not pointing to the correct location** or are pointing to a third-party site not affiliated with the sender of the email. For example, in the image below the URL provided doesn't match the URL that you'll be taken to.-
- ![example of hovering over a url.](../../media/security-intelligence-images/url-hover.png)
--- There's a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email.--- **Items in the email address will be changed** so that it is similar enough to a legitimate email address, but has added numbers or changed letters.--- The message is **unexpected and unsolicited**. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect.--- The message or the attachment asks you to **enable macros, adjust security settings, or install applications**. Normal emails won't ask you to do this.--- The message contains **errors**. Legitimate corporate messages are less likely to have typographic or grammatical errors or contain wrong information.--- The **sender address doesn't match the signature** on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john<span></span>@example.com.--- There are **multiple recipients** in the "To" field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients.--- The greeting on the message itself **doesn't personally address you**. Apart from messages that mistakenly address a different person, greetings that misuse your name or pull your name directly from your email address tend to be malicious.--- The website looks familiar but there are **inconsistencies or things that aren't quite right**. Warning signs include outdated logos, typos, or ask users to give additional information that is not asked by legitimate sign-in websites.--- The page that opens is **not a live page**, but rather an image that is designed to look like the site you are familiar with. A pop-up may appear that requests credentials.-
-If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
-
-## Software solutions for organizations
--- [Microsoft Edge](/microsoft-edge/deploy/index) and [Windows Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry-leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data.--- [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. Using various layers of filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international spam, that will further enhance your protection services.--- Use [Microsoft Defender for Office 365](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection.-
-## What to do if you've been a victim of a phishing scam
-
-If you feel you've been a victim of a phishing attack:
-
-1. Contact your IT admin if you are on a work computer
-2. Immediately change all passwords associated with the accounts
-3. Report any fraudulent activity to your bank and credit card company
-
-### Reporting spam
--- **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**.--- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**.--- **Microsoft 365**: Use the [Submissions portal in Microsoft 365 Defender](/microsoft-365/security/office-365-security//submissions-admin) to submit the junk or phishing sample to Microsoft for analysis. For more information, see [How do I report a suspicious email or file to Microsoft?](/microsoft-365/security/office-365-security/submissions-report-messages-files-to-microsoft).--- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved.-
-### If you're on a suspicious website
--- **Microsoft Edge**: While you're on a suspicious site, select the **More (...) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website.--- **Internet Explorer**: While you're on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website.-
-## More information about phishing attacks
--- [Protect yourself from phishing](https://support.microsoft.com/help/4033787/windows-protect-yourself-from-phishing)-- [Phishing trends](phishing-trends.md)
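Review bot: under "Reporting spam", the entry labelled Anti-Phishing Working Group gives the address phishing-report@us-cert.gov, so the label and the domain of the address name two different organizations. One of them is wrong and should be verified before this text is reused anywhere. The Microsoft 365 entry in the same list has a doubled slash in /microsoft-365/security/office-365-security//submissions-admin, and the description line reads "how phishing work, deliver malware do your devices".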
security Prevent Malware Infection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/prevent-malware-infection.md
- Title: Prevent malware infection-
-description: Learn steps you can take to help prevent a malware or potentially unwanted software from infecting your computer.
-keywords: security, malware, prevention, infection, tips, Microsoft, MMPC, Microsoft Malware Protection Center, virus, trojan, worm, stop, prevent, full scan, infection, avoid malware, avoid trojan, avoid virus, infection, how, detection, security software, antivirus, updates, how malware works, how virus works, firewall, turn on, user privileges, limit, prevention, WDSI, MMPC, Microsoft Malware Protection Center
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 08/18/2023--
-# Prevent malware infection
-
-Attackers are always looking for new ways to infect computers. Follow the tips below to stay protected and minimize threats to your data and accounts.
-
-## Keep software up to date
-
-[Exploits](exploits-malware.md) typically use vulnerabilities in software. It's important to keep your software, apps, and operating systems up to date.
-
-To keep Microsoft software up to date, ensure that [automatic Microsoft Updates](https://support.microsoft.com/help/12373/windows-update-faq) are enabled. Also, upgrade to the latest version of Windows to benefit from the latest built-in security enhancements.
-
-## Be wary of links and attachments
-
-Email, SMS messages, Microsoft Teams chat, and other messaging tools are a few of the most common ways attackers can infect devices. Attachments or links in messages can open malware directly or can stealthily trigger a download.
--- Use an email service that provides protection against malicious attachments, links, and abusive senders. [Microsoft Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) has built-in anti-malware, link protection, and spam filtering. Microsoft Outlook contains additional security configurations and settings you can enable. See [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2)--- Some attackers try to get you to share information about your login information, passwords, and more. Be aware of some of the common tactics attackers use to try to trick you. For more information, see [phishing](phishing.md).-
-## Watch out for malicious or compromised websites
-
-When you visit malicious or compromised sites, your device can get infected with malware automatically or you can get tricked into downloading and installing malware. See [exploits and exploit kits](exploits-malware.md) as an example of how some of these sites can automatically install malware to visiting computers.
-
-To identify potentially harmful websites, keep the following in mind:
--- The initial part (domain) of a website address should represent the company that owns the site you're visiting. Check the domain for misspellings. For example, malicious sites commonly use domain names that swap the letter O with a zero (0) or the letters L and I with a one (1). If `example.com` is spelled `examp1e.com`, the site you're visiting is suspect.--- Sites that aggressively open popups and display misleading buttons often trick users into accepting content through constant popups or mislabeled buttons.-
-To block malicious websites, use a modern web browser like [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge?ocid=cx-wdsi-articles) that identifies phishing and malware websites and checks downloads for malware.
-
-If you encounter an unsafe site, click **More [...] > Send feedback** on Microsoft Edge. You can also [report unsafe sites directly to Microsoft](https://www.microsoft.com/wdsi/support/report-unsafe-site).
-
-### Pirated material on compromised websites
-
-Using pirated content isn't only illegal, it can also expose your device to malware. Sites that offer pirated software and media are also often used to distribute malware when the site is visited. Sometimes pirated software is bundled with malware and other unwanted software when downloaded, including intrusive browser plugins and adware.
-
-Users don't openly discuss visits to these sites, so any untoward experience are more likely to stay unreported.
-
-To stay safe, download movies, music, and apps from official publisher websites or stores.
-
-## Don't attach unfamiliar removable drives
-
-Some types of malware spread by copying themselves to USB flash drives or other removable drives. There are malicious individuals that intentionally prepare and distribute infected drives by leaving them in public places for unsuspecting individuals.
-
-Only use removable drives that you're familiar with or that come from a trusted source. If a drive has been used in publicly accessible devices, like computers in a café or a library, make sure you have antimalware running on your computer before you use the drive. Avoid opening unfamiliar files you find on suspect drives, including Office and PDF documents and executable files.
-
-## Use a non-administrator account
-
-At the time they're launched, whether inadvertently by a user or automatically, most malware run under the same privileges as the active user. This means that by limiting account privileges, you can prevent malware from making consequential changes any devices.
-
-By default, Windows uses [User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) to provide automatic, granular control of privilegesΓÇöit temporarily restricts privileges and prompts the active user every time an application attempts to make potentially consequential changes to the system. Although UAC helps limit the privileges of admin users, users can override this restriction when prompted. As a result, it's quite easy for an admin user to inadvertently allow malware to run.
-
-To help ensure that everyday activities don't result in malware infection and other potentially catastrophic changes, it's recommended that you use a non-administrator account for regular use. By using a non-administrator account, you can prevent installation of unauthorized apps and prevent inadvertent changes to system settings. Avoid browsing the web or checking email using an account with administrator privileges.
-
-Whenever necessary, log in as an administrator to install apps or make configuration changes that require admin privileges.
-
-[Read about creating user accounts and giving administrator privileges](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
-
-## Other safety tips
-
-To further ensure that data is protected from malware and other threats:
--- Backup files. Follow the 3-2-1 rule: make **3 copies**, store in at least **2 locations**, with at least **1 offline copy**. Use [OneDrive](https://onedrive.live.com/about) for reliable cloud-based copies that allow access to files from multiple devices and helps recover damaged or lost files, including files locked by ransomware.--- Be wary when connecting to public Wi-Fi hotspots, particularly those that don't require authentication.--- Use [strong passwords](https://support.microsoft.com/help/12410/microsoft-account-help-protect-account) and enable multi-factor authentication.--- Don't use untrusted devices to log on to email, social media, and corporate accounts.--- Avoid downloading or running older apps. Some of these apps might have vulnerabilities. Also, older file formats for Office 2003 (.doc, .pps, and .xls) allow macros or run. This could be a security risk.-
-## Software solutions
-
-Microsoft provides comprehensive security capabilities that help protect against threats. We recommend:
--- [Automatic Microsoft updates](https://support.microsoft.com/help/12373/windows-update-faq) keeps software up to date to get the latest protections.--- [Microsoft Edge](/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using [Windows Defender SmartScreen](/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.--- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) is built into Windows and helps provide real-time protection against viruses, malware, and other attacks.--- [Microsoft Safety Scanner](safety-scanner-download.md) helps remove malicious software from computers. NOTE: This tool doesn't replace your antimalware product.
-
-- [Microsoft Defender](https://support.microsoft.com/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693) is the simple way to protect your digital life and all of your devices. It's included as part of your Microsoft 365 Family, or Personal, subscription at no extra cost.-
-### Use Zero Trust
-Businesses should move to a [Zero Trust security strategy](/security/zero-trust/zero-trust-overview). Zero Trust isn't a product or a service, but an approach in designing and implementing the following set of security principles:
--- Verify explicitly-- Use least privilege access-- Assume breach -
-### Software solutions for business
--- [Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-overview) is a security solution designed especially for the small- and medium-sized business (up to 300 employees). With this endpoint security solution, your company's devices are better protected from ransomware, malware, phishing, and other threats.
-
-- [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies.--- [Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders.--- [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection.--- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem.--- [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account.-
-## What to do with a malware infection
-
-Microsoft Defender for Endpoint antivirus capabilities help reduce the chances of infection and automatically remove threats that it detects.
-
-In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).
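Review bot: the backup bullet under "Other safety tips" states the 3-2-1 rule as 3 copies, at least 2 locations and at least 1 offline copy, while the rootkits article removed in this same change states it as three backups, two different storage types and at least one backup offsite. Settle on one wording wherever this guidance ends up. In the same list, "allow macros or run" looks like it should be "allow macros to run", and under "Use a non-administrator account" the phrase "making consequential changes any devices" is missing "to".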
security Rootkits Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/rootkits-malware.md
- Title: Rootkits-
-description: Rootkits may be used by malware authors to hide malicious code on your computer and make malware or potentially unwanted software harder to remove.
-keywords: security, malware, rootkit, hide, protection, hiding, WDSI, MMPC, Microsoft Malware Protection Center, rootkits, Sirefef, Rustock, Sinowal, Cutwail, malware, virus
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# Rootkits
-
-Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A successful rootkit can potentially remain in place for years if it's undetected. During this time, it steals information and resources.
-
-## How rootkits work
-
-Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you can't trust any information that device reports about itself.
-
-If asked a device to list all of the programs that are running, the rootkit might stealthily remove any programs it doesn't want you to know about. Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device.
-
-Many modern malware families use rootkits to try to avoid detection and removal, including:
-
-* [Alureon](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fAlureon)
-
-* [Cutwail](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fCutwail)
-
-* [Datrahere](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Detrahere) (Zacinlo)
-
-* [Rustock](https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fRustock)
-
-* [Sinowal](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSinowal)
-
-* [Sirefef](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSirefef)
-
-## How to protect against rootkits
-
-Like any other type of malware, the best way to avoid rootkits is to prevent it from being installed in the first place.
-
-* Apply the latest updates to operating systems and apps.
-
-* Educate your employees so they can be wary of suspicious websites and emails.
-
-* Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
-
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
-
-### What if I think I have a rootkit on my device?
-
-Microsoft security software includes many technologies designed specifically to remove rootkits. If you think you have a rootkit, you might need an extra tool that helps you boot to a known trusted environment.
-
-[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from the Windows Security app and has the latest antimalware updates from Microsoft. It's designed to be used on devices that aren't working correctly because of a possible malware infection.
-
-[System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that affect system integrity.
-
-### What if I can't remove a rootkit?
-
-If the problem persists, we strongly recommend reinstalling the operating system and security software. Then restore your data from a backup.
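Review bot: in the malware family list under "How rootkits work", the link text reads "Datrahere" but the URL it points to names Trojan:Win64/Detrahere. The display name should match the encyclopedia entry it links to. In the same section, "If asked a device to list all of the programs that are running" is missing its subject ("If you asked a device ...").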
security Supply Chain Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/supply-chain-malware.md
- Title: Supply chain attacks-
-description: Learn about how supply chain attacks work, deliver malware do your devices, and what you can do to protect yourself
-keywords: security, malware, protection, supply chain, hide, distribute, trust, compromised
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# Supply chain attacks
-
-Supply chain attacks are an emerging threats that target software developers and suppliers. The goal is to access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware.
-
-## How supply chain attacks work
--
-Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes.
-
-Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they're released to the public. The malicious code then runs with the same trust and permissions as the app.
-
-The number of potential victims is significant, given the popularity of some apps. A case occurred where a free file compression app was poisoned and deployed to customers in a country/region where it was the top utility app.
-
-### Types of supply chain attacks
-
-* Compromised software building tools or updated infrastructure
-
-* Stolen code-sign certificates or signed malicious apps using the identity of dev company
-
-* Compromised specialized code shipped into hardware or firmware components
-
-* Pre-installed malware on devices (cameras, USB, phones, etc.)
-
-To learn more about supply chain attacks, read this blog post called [attack inception: compromised supply chain within a supply chain poses new risks](https://www.microsoft.com/security/blog/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/).
-
-## How to protect against supply chain attacks
-
-* Deploy strong code integrity policies to allow only authorized apps to run.
-
-* Use endpoint detection and response solutions that can automatically detect and remediate suspicious activities.
-
-### For software vendors and developers
-
-* Maintain a highly secure build and update infrastructure.
- * Immediately apply security patches for OS and software.
- * Implement mandatory integrity controls to ensure only trusted tools run.
- * Require multi-factor authentication for admins.
-
-* Build secure software updaters as part of the software development lifecycle.
- * Require SSL for update channels and implement certificate pinning.
- * Sign everything, including configuration files, scripts, XML files, and packages.
- * Check for digital signatures, and don't let the software updater accept generic input and commands.
-
-* Develop an incident response process for supply chain attacks.
- * Disclose supply chain incidents and notify customers with accurate and timely information
-
-For more general tips on protecting your systems and devices, see [prevent malware infection](prevent-malware-infection.md).
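Review bot: No replacement or redirect is shown for the guidance removed under "For software vendors and developers". That list is the only place in the visible text that tells updater authors to require SSL with certificate pinning on update channels, to sign configuration files, scripts and XML as well as packages, and to keep the updater from accepting generic input and commands. Name the article that now carries this guidance in the change description and add a redirect, so that links to `supply-chain-malware.md` do not dead-end.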
security Support Scams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/support-scams.md
- Title: Tech Support Scams-
-description: Microsoft security software can protect you from tech support scams that claims to scan for malware or viruses and then shows you fake detections and warnings.
-keywords: security, malware, tech support, scam, protection, trick, spoof, fake, error messages, report, rogue security software, fake, antivirus, fake software, rogue, threats, fee, removal fee, upgrade, pay for removal, install full version, trial, lots of threats, scanner, scan, clean, computer, security, program, XP home security, fake microsoft, activate, activate scan, activate antivirus, warnings, pop-ups, security warnings, security pop-ups tech support scams, fake Microsoft error notification, fake virus alert, fake product expiration, fake Windows activation, scam web pages, scam phone numbers, telephone numbers, MMPC, WDSI, Microsoft Malware Protection Center, tech support scam numbers
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# Tech support scams
-
-Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into paying for unnecessary technical support services that supposedly fix contrived device, platform, or software problems.
-
-## How tech support scams work
-
-Scammers may call you directly on your phone and pretend to be representatives of a software company. They might even spoof the caller ID so that it displays a legitimate support phone number from a trusted company. They can then ask you to install applications that give them remote access to your device. Using remote access, these experienced scammers can misrepresent normal system output as signs of problems.
-
-Scammers might also initiate contact by displaying fake error messages on websites you visit, displaying support numbers and enticing you to call. They can also put your browser on full screen and display pop-up messages that won't go away, essentially locking your browser. These fake error messages aim to trick you into calling an indicated technical support hotline. Note that Microsoft error and warning messages never include phone numbers.
-
-When you engage with the scammers, they can offer fake solutions for your "problems" and ask for payment in the form of a one-time fee or subscription to a purported support service.
-
-**For more information, view [known tech support scam numbers and popular web scams](https://support.microsoft.com/help/4013405/windows-protect-from-tech-support-scams).**
-
-## How to protect against tech support scams
-
-Share and implement the general tips on how to [prevent malware infection](prevent-malware-infection.md).
-
-It's also important to keep the following in mind:
-
-* Microsoft doesn't send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to fix your computer.
-
-* Any communication with Microsoft has to be initiated by you.
-
-* Don't call the number in the pop-ups. Microsoft's error and warning messages never include a phone number.
-
-* Download software only from official vendor websites or the Microsoft Store. Be wary of downloading software from third-party sites, as some of them might have been modified without the author's knowledge to bundle support scam malware and other threats.
-
-* Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites.
-
-* Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware.
-
-## What to do if information has been given to a tech support person
-
-* Uninstall applications that scammers asked to be install. If access has been granted, consider resetting the device
-
-* Run a full scan with Microsoft Defender Antivirus to remove any malware. Apply all security updates as soon as they're available.
-
-* Change passwords.
-
-* Call your credit card provider to reverse the charges, if you've already paid.
-
-* Monitor anomalous logon activity. Use Windows Defender Firewall to block traffic to services that you wouldn't normally access.
-
-### Reporting tech support scams
-
-Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams:
-
-<b>www.microsoft.com/reportascam</b>
-
-You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality.
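Review bot: The "Reporting tech support scams" section removed at the end of this file is the only place in the visible part of this diff that gives readers www.microsoft.com/reportascam and the "Report an unsafe site" form. If the article is being retired, keep both reporting channels reachable from the page the redirect lands on.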
security Trojans Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/trojans-malware.md
- Title: Trojan malware-
-description: Trojans are a type of threat that can infect your device. This page tells you what they're and how to remove them.
-keywords: security, malware, protection, trojan, download, file, infection, trojans, virus, protection, cleanup, removal, antimalware, antivirus, WDSI, MMPC, Microsoft Malware Protection Center, malware types
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# Trojans
-
-Trojans are a common type of malware, which, unlike viruses, can't spread on their own. This means they either have to be downloaded manually or another malware needs to download and install them.
-
-Trojans often use the same file names as real and legitimate apps. It's easy to accidentally download a trojan thinking that it's a legitimate app.
-
-## How trojans work
-
-Trojans can come in many different varieties, but generally they do the following tasks:
--- Download and install other malware, such as viruses or [worms](worms-malware.md).--- Use the infected device for select fraud.--- Record keystrokes and websites visited.--- Send information about the infected device to a malicious hacker including passwords, sign in details for websites, and browsing history.--- Give a malicious hacker control over the infected device.-
-## How to protect against trojans
-
-Use the following free Microsoft software to detect and remove it:
--- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.--- [Microsoft Safety Scanner](safety-scanner-download.md)-
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
security Understanding Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/understanding-malware.md
- Title: Understanding malware & other threats-
-description: Learn about the most prevalent viruses, malware, and other threats. Understand how they infect systems, how they behave, and how to prevent and remove them.
-keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# Understanding malware & other threats
-
-Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal use of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of your computer and ask for ransom, and more.
-
-Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims.
-
-As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), businesses can stay protected with next-generation protection and other security capabilities.
-
-For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic.
-
-There are many types of malware, including:
--- [Coin miners](coinminer-malware.md)-- [Exploits and exploit kits](exploits-malware.md)-- [Macro malware](macro-malware.md)-- [Phishing](phishing.md)-- [Ransomware](/security/compass/human-operated-ransomware)-- [Rootkits](rootkits-malware.md)-- [Supply chain attacks](supply-chain-malware.md)-- [Tech support scams](support-scams.md)-- [Trojans](trojans-malware.md)-- [Unwanted software](unwanted-software.md)-- [Worms](worms-malware.md)-
-## Additional resources and information
--- Keep up with the latest malware news and research. Check out our [Microsoft security blogs](https://www.microsoft.com/security/blog/product/windows/) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.--- Learn more about [Windows security](../../index.yml).--- Learn how to [deploy threat protection capabilities across Microsoft 365 E5](/microsoft-365/solutions/deploy-threat-protection). -
security Unwanted Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/unwanted-software.md
- Title: Unwanted software-
-description: Learn about how unwanted software changes your default settings without your consent and what you can do to protect yourself.
-keywords: security, malware, protection, unwanted, software, alter, infect, unwanted software, software bundlers, browser modifiers, privacy, security, computing experience, prevent infection, solution, WDSI, MMPC, Microsoft Malware Protection Center, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# Unwanted software
-
-Unwanted software are programs that alter the Windows experience without your consent or control. This can take the form of modified browsing experience, lack of control over downloads and installation, misleading messages, or unauthorized changes to Windows settings.
-
-## How unwanted software works
-
-Unwanted software can be introduced when a user searches for and downloads applications from the internet. Some applications are software bundlers, which means that they're packed with other applications. As a result, other programs can be inadvertently installed when the original application is downloaded.
-
-Here are some indications of unwanted software:
--- There are programs that you didn't install and that may be difficult to uninstall--- Browser features or settings have changed, and you can't view or modify them--- There are excessive messages about your device's health or about files and programs--- There are ads that can't be easily closed-
-Some indicators are harder to recognize because they're less disruptive, but are still unwanted. For example, unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of the browser.
-
-Microsoft uses an extensive [evaluation criteria](criteria.md) to identify unwanted software.
-
-## How to protect against unwanted software
-
-To prevent unwanted software infection, download software only from official websites, or from the Microsoft Store. Be wary of downloading software from third-party sites.
-
-Use [Microsoft Edge](/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [Windows Defender SmartScreen](/microsoft-edge/deploy/index) (also used by Internet Explorer).
-
-Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
-
-Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
-
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
-
-### What should I do if my device is infected?
-
-If you suspect that you have unwanted software, you can [submit files for analysis](https://www.microsoft.com/wdsi/filesubmission).
-
-Some unwanted software adds uninstallation entries, which means that you can **remove them using Settings**.
-1. Select the Start button
-2. Go to **Settings > Apps > Apps & features**.
-3. Select the app you want to uninstall, then select **Uninstall**.
-
-If you only recently noticed symptoms of unwanted software infection, consider sorting the apps by install date, and then uninstall the most recent apps that you didn't install.
-
-You may also need to **remove browser add-ons** in your browsers, such as Internet Explorer, Firefox, or Chrome.
-
-In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).
security Worms Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/worms-malware.md
- Title: Worms-
-description: Learn about how worms replicate and spread to other computers or networks. Read about the most popular worms and steps you can take to stop them.
-keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt, WDSI, MMPC, Microsoft Malware Protection Center, worms, malware types, threat propagation, mass-mailing, IP scanning
--
-ms.sitesec: library
------ m365-security-- tier2- Previously updated : 03/18/2022--
-# Worms
-
-A worm is a type of malware that can copy itself and often spreads through a network by exploiting security vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking sites, network shares, removable drives, and software vulnerabilities.
-
-## How worms work
-
-Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities.
-
-Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infects users running Microsoft software. Although these worms share some commonalities, it's interesting to note that they also have distinct characteristics.
-
-* **Jenxcus** has capabilities of not only infecting removable drives but can also act as a backdoor that connects back to its server. This threat typically gets into a device from a drive-by download attack, meaning it's installed when users just visit a compromised web page.
-
-* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We've seen it distribute other malware such as info stealers, spammers, clickers, downloaders, and rogues.
-
-* **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.
-
-Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they're doing, they try to avoid detection by security software.
-
-* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (like ransomware).
-
-This image shows how a worm can quickly spread through a shared USB drive.
-
-![Worm example.](../../media/security-intelligence-images/worm-usb-flight.png)
-
-### *Figure worm spreading from a shared USB drive*
-
-## How to protect against worms
-
-Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
-
-Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
-
-In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
-
-For more general tips, see [prevent malware infection](/microsoft-365/security/intelligence/prevent-malware-infection).
security Azure Ip Protection Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/azure-ip-protection-features.md
- Title: Protection features in Azure Information Protection rolling out to existing tenants
- - NOCSH
--- Previously updated : 6/14/2023--
- - MET150
-
- - m365-security
- - tier3
-
- - seo-marvel-apr2020
-description: This article explains the changes being rolled out to the protection features in Azure Information Protection
--
-appliesto:
- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview" target="_blank">Microsoft Defender for Office 365 plan 2</a>
- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>
--
-# Protection features in Azure Information Protection rolling out to existing tenants
-
-To help with the initial step in protecting your information, starting July 2018 all Azure Information Protection eligible tenants will have the protection features in Azure Information Protection turned on by default. The protection features in Azure Information Protection were formerly known in Office 365 as Rights Management or Azure RMS. If your organization has an Office E3 service plan or a higher service plan, you'll now get a head start protecting information through Azure Information Protection when we roll out these features.
-
-## Changes beginning July 1, 2018
-
-Starting July 1, 2018, Microsoft will enable the protection capability in Azure Information Protection for all organizations with one of the following subscription plans:
--- Office 365 Message Encryption is offered as part of Office 365 E3 and E5, Microsoft E3 and E5, Office 365 A1, A3, and A5, and Office 365 G3 and G5. You don't need additional licenses to receive the new protection capabilities powered by Azure Information Protection.--- You can also add Azure Information Protection Plan 1 to the following plans to receive the new Office 365 Message Encryption capabilities: Exchange Online Plan 1, Exchange Online Plan 2, Office 365 F1, Microsoft 365 Business Basic, Microsoft 365 Business Standard, or Office 365 Enterprise E1.--- Each user benefiting from Office 365 Message Encryption needs to be licensed to be covered by the feature.--- For the full list, see the [Exchange Online service descriptions](/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description) for Office 365 Message Encryption.-
-Tenant administrators can check the protection status in the Office 365 administrator portal.
--
-## Why are we making this change?
-
-Office 365 Message Encryption leverages the protection capabilities in Azure Information Protection. At the heart of the recent improvements to Office 365 Message Encryption and our broader investments to information protection in Microsoft 365, we're making it easier for organizations to turn on and use our protection capabilities, as historically, encryption technologies have been difficult to set up. By turning on the protection features in Azure Information Protection by default, you can quickly get started to protect your sensitive data.
-
-## Does this impact me?
-
-If your organization has purchased an eligible Office 365 license, then your tenant will be impacted by this change.
-
-> [!IMPORTANT]
-> If you're using Active Directory Rights Management Services (AD RMS) in your on-premises environment, you must either opt-out of this change immediately or migrate to Azure Information Protection before we roll out this change within the next 30 days. For information on how to opt-out, see "I use AD RMS, how do I opt out?" later in this article. If you prefer to migrate, see [Migrating from AD RMS to Azure Information Protection.](/azure/information-protection/plan-design/migrate-from-ad-rms-to-azure-rms).
-
-## Can I use Azure Information Protection with Active Directory Rights Management Services (AD RMS)?
-
-No. This isn't a supported deployment scenario. Without taking the additional opt-out steps, some computers might automatically start using the Azure Rights Management service and also connect to your AD RMS cluster. This scenario isn't supported and has unreliable results, so it's important that you opt out of this change within the next 30 days before we roll out these new features. For information on how to opt-out, see "I use AD RMS, how do I opt out?" later in this article. If you prefer to migrate, see [Migrating from AD RMS to Azure Information Protection.](/azure/information-protection/plan-design/migrate-from-ad-rms-to-azure-rms)
-
-## How do I know if I'm using AD RMS?
-
-Use these instructions from [Preparing the environment for Azure Rights Management when you also have Active Directory Rights Management Services (AD RMS)](/azure/information-protection/deploy-use/prepare-environment-adrms) to check if you have deployed AD RMS:
-
-1. Although optional, most AD RMS deployments publish the service connection point (SCP) to Active Directory so that domain computers can discover the AD RMS cluster.
-
- Use ADSI Edit to see whether you have an SCP published in Active Directory: CN=Configuration [server name], CN=Services, CN=RightsManagementServices, CN=SCP
-
-2. If you aren't using an SCP, Windows computers that connect to an AD RMS cluster must be configured for client-side service discovery or licensing redirection by using the Windows registry: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC\ServiceLocation`.
-
-For more information about these registry configurations, see [Enabling client-side service discovery by using the Windows registry](/azure/information-protection/rms-client/client-deployment-notes#enabling-client-side-service-discovery-by-using-the-windows-registry) and [Redirecting licensing server traffic](/azure/information-protection/rms-client/client-deployment-notes#redirecting-licensing-server-traffic).
-
-## I use AD RMS, how do I opt out?
-
-To opt out of the upcoming change, complete these steps:
-
-1. Using a work or school account that has global administrator permissions in your organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
-
-2. Run the Set-IRMConfiguration cmdlet using the following syntax:
-
- ```powershell
- Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false
- ```
-
-## What can I expect after this change has been made?
-
-Once this is enabled, provided you haven't opted out, you can start using the new version of Office 365 Message Encryption, which was announced at [Microsoft Ignite 2017](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Email-Encryption-and-Rights-Protection/ba-p/110801) and leverages the encryption and protection capabilities of Azure Information Protection.
--
-For more information about the new enhancements, see [Office 365 Message Encryption](/purview/ome).
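Review bot: The AD RMS coexistence warning disappears with this file. That covers the "This isn't a supported deployment scenario" answer, the SCP and `MSIPC\ServiceLocation` registry checks for detecting an AD RMS deployment, and the opt-out step `Set-IRMConfiguration -AutomaticServiceUpdateEnabled $false`. The July 2018 rollout wording ("within the next 30 days") is stale and reasonable to drop, but confirm that the linked "Migrating from AD RMS to Azure Information Protection" article still states the unsupported-coexistence point, and redirect this URL there.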
security Eop About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/eop-about.md
f1.keywords:
Previously updated : 6/20/2023 Last updated : 9/11/2023 audience: ITPro
For information about requirements, important limits, and feature availability a
|False positive ratio SLA|\< 1:250,000| |Virus detection and blocking SLA|100% of known viruses| |Monthly uptime SLA|99.999%|
-|Phone and web technical support 24 hours a day, seven days a week|[Help and support for EOP](help-and-support-for-eop.md).|
+|Phone and web technical support 24 hours a day, seven days a week|[Get support for Microsoft 365 for business](/microsoft-365/admin/get-help-support).|
|**Other features**|| |A geo-redundant global network of servers|EOP runs on a worldwide network of datacenters that are designed to help provide the best availability. For more information, see the [EOP datacenters](#eop-datacenters) section earlier in this article.| |Message queuing when the on-premises server can't accept mail|Messages in deferral remain in our queues for one day. Message retry attempts are based on the error we get back from the recipient's mail system. On average, messages are retried every 5 minutes. For more information, see [EOP queued, deferred, and bounced messages FAQ](mail-flow-delivery-faq.yml).| |Office 365 Message Encryption available as an add-on|For more information, see [Encryption in Office 365](/purview/encryption).|
-|||
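Review bot: The replacement row still promises "Phone and web technical support 24 hours a day, seven days a week" but now links to the generic `/microsoft-365/admin/get-help-support` page, while the EOP page deleted in this same change is the one holding the regional support telephone table. Check that the new target actually lists phone options for EOP customers. Also drop the full stop after the link inside the cell (`...get-help-support).|`), which was carried over from the old row.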
security Help And Support For Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/help-and-support-for-eop.md
- Title: Help and support for EOP
- - NOCSH
----
-description: Microsoft provides help for EOP using self-support and assisted-support.
----- m365-security-- tier3 Previously updated : 6/20/2023
-appliesto:
- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>
- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>
--
-# Help and support for EOP
--
-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, the technical support resources listed in this article can help you find answers if you have difficulty with EOP. Microsoft provides self-support and assisted-support for EOP.
-
-## Self-support options
-
-After you sign in, the Microsoft 365 admin center at <https://admin.microsoft.com> provides information about the status of your organization's services. Also, the service health section shows the current status of your services, details about disruptions and outages, and lists planned maintenance times. The Microsoft 365 admin center also provides information about known issues and expected resolutions. If you're affected by a service-wide event, then you should see a communication alert (typically accompanied by a bell icon). We recommend that you read and act on any items as appropriate. For more information about the service health area, see [Service health and continuity](/office365/servicedescriptions/office-365-platform-service-description/service-health-and-continuity). You might be able to find more help on your own by using the tools, forums, and community sites listed here.
--- [Product Overview for Exchange Online Protection](https://products.office.com/exchange/exchange-email-security-spam-protection)-- [Contact support for business products - Admin Help](../../admin/get-help-support.md)-- [Microsoft 365 community](https://techcommunity.microsoft.com/t5/Office-365/ct-p/Office365)-- [Microsoft Support and Recovery Assistant (SaRA)](https://support.microsoft.com/office/e90bb691-c2a7-4697-a94f-88836856c72f)-- [Mail flow troubleshooter](https://aka.ms/FixEmail)-
-## Assisted support from Microsoft
-
-You can get help from Microsoft by starting a new service request within the Microsoft 365 admin center or by calling on the phone. Premier Support subscribers have other support options.
-
-These options are described in the following subsections
-
-### Support for Microsoft Premier Support Subscribers
-
-EOP customers with Microsoft Premier Support contracts can get support through the normal Microsoft Premier Support channels (for example, a Premier Technical Account Manager (TAM) and case submission). Premier Support for Microsoft Online Services provides you with a unified support experience across all products and services. This service helps ensure that customers can resolve issues quickly, and simplifies the task of managing support for different components of an IT infrastructure.
-
-For more information about how Premier Support can help your organization maximize value from your IT investments, see [Premier Support for Partners](https://partner.microsoft.com/support/microsoft-services-premier-support).
-
-### Ask for help on the web
-
-Open the Microsoft 365 admin center at <https://admin.microsoft.com>, and then go to **...Show all** (if necessary) \> **Support** \> **Help & support**.
-
-In the **How can we help?** flyout that opens, adds information about your issue, search for solutions to previous issues, or attach logs or related files.
-
-## Support telephone numbers
-
-Microsoft provides local or toll-free telephone numbers for product support around the world. Many of these support centers provide help in your local language during business hours or in English 24 hours a day, every day.
-
-|Country or region|Pre-purchase and billing questions|Technical Support questions|
-||||
-|Brazil|Toll-free: 08007621146 <br> Local: 1147001999|Same|
-|France|Toll-free: 0805 540 594 <br> Local: 01 57 32 42 97|Same|
-|Germany|Toll-free: 0800 589 2332 <br> Local: 069 380 789 508|Same|
-|Japan|Toll-free: 0120-628860 <br> Local: 343326257|Toll-free: 0120-996680 <br> Local: 357679793|
-|Korea|Toll-free: 080-495-0880 <br> Local: 234831937|Same|
-|Spain|Toll-free: 900 814 197 <br> Local: 912 718 160|Same|
-|United Kingdom|Toll-free: 0800 032 6417 <br> Local: 0203 450 6455|Same|
-|United States|Toll-free: 1-877-913-2707|Toll-free: 1-800-865-9408|
-
-## For more information about EOP documentation
-
-[Accessibility in Exchange Online](/Exchange/accessibility/accessibility)
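Review bot: Every visible line from the links list through the closing "For more information about EOP documentation" heading is deleted, and nothing in the hunk shows where readers are sent instead. If this removes the whole article, confirm that a redirect for the old URL is in place and that the removed pointer to `../../admin/get-help-support.md` is still reachable from another EOP page, so admins looking for the service request path or the support telephone table are not left at a dead link.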
security How Policies And Protections Are Combined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined.md
There are two major factors that determine which policy is applied to a message:
|Order|Email protection|Category|Where to manage| |::||||
- |1|Malware|CAT:MALW|[Configure anti-malware policies in EOP](anti-malware-policies-configure.md)|
- |2|High confidence Phish|CAT:HPHSH|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|
- |3|Phishing|CAT:PHSH|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|
- |4|High confidence spam|CAT:HSPM|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|
- |5|Spoofing|CAT:SPOOF|[Spoof intelligence insight in EOP](anti-spoofing-spoof-intelligence.md)|
- |6<sup>\*</sup>|User impersonation (protected users)|UIMP|[Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md)|
- |7<sup>\*</sup>|Domain impersonation (protected domains)|DIMP|[Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md)|
- |8<sup>\*</sup>|Mailbox intelligence (contact graph)|GIMP|[Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md)|
- |9|Spam|CAT:SPM|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|
- |10|Bulk|CAT:BULK|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|
+ |1|Malware|`CAT:MALW`|[Configure anti-malware policies in EOP](anti-malware-policies-configure.md)|
+ |2|High confidence Phish|`CAT:HPHSH`|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|
+ |3|Phishing|`CAT:PHSH`|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|
+ |4|High confidence spam|`CAT:HSPM`|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|
+ |5|Spoofing|`CAT:SPOOF`|[Spoof intelligence insight in EOP](anti-spoofing-spoof-intelligence.md)|
+ |6<sup>\*</sup>|User impersonation (protected users)|`CAT:UIMP`|[Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md)|
+ |7<sup>\*</sup>|Domain impersonation (protected domains)|`CAT:DIMP`|[Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md)|
+ |8<sup>\*</sup>|Mailbox intelligence (contact graph)|`CAT:GIMP`|[Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md)|
+ |9|Spam|`CAT:SPM`|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|
+ |10|Bulk|`CAT:BULK`|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|
<sup>\*</sup> These features are available only in anti-phishing policies in Microsoft Defender for Office 365.
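Review bot: Rows 6 to 8 change the value itself, not just its formatting: `UIMP`, `DIMP` and `GIMP` become `CAT:UIMP`, `CAT:DIMP` and `CAT:GIMP`. The commit description should say so, because the rest of the hunk only adds backticks. While the table is being touched, row 2 still reads "High confidence Phish" where the neighbouring rows use "Phishing" and "High confidence spam"; suggest "High confidence phishing". The message headers article in this same update documents `HPHSH` or `HPHISH` for that category, but this table lists only `CAT:HPHSH`, so either add the second spelling here or explain why it is omitted.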
security Message Headers Eop Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/message-headers-eop-mdo.md
description: Admins can learn about the header fields that are added to messages
Previously updated : 7/5/2023 Last updated : 9/8/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
For information about how to view an email message header in various email clien
After you have the message header information, find the **X-Forefront-Antispam-Report** header. There are multiple field and value pairs in this header separated by semicolons (;). For example:
-`...CTRY:;LANG:hr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;PTR:;CAT:NONE;SFTY:;...`
+`...CTRY:;LANG:hr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;PTR:;SFTY:;...`
The individual fields and values are described in the following table.
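Review bot: After `CAT:NONE;` is dropped, the sample X-Forefront-Antispam-Report value no longer contains a `CAT:` field at all, although the table directly below still documents `CAT:` as one of the fields of this header. Removing `NONE` matches the value list, which never included it, but the example should then either carry one of the documented values or the text should state whether the field is omitted when no protection policy category applies. Otherwise someone triaging a header has no illustration of where `CAT:` appears relative to `SFV:` and `SCL:`.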
The individual fields and values are described in the following table.
|Field|Description| ||| |`ARC`|The `ARC` protocol has the following fields: <ul><li>`AAR`: Records the content of the **Authentication-results** header from DMARC.</li><li>`AMS`: Includes cryptographic signatures of the message.</li><li>`AS`: Includes cryptographic signatures of the message headers. This field contains a tag of a chain validation called `"cv="`, which includes the outcome of the chain validation as **none**, **pass**, or **fail**.</li></ul>|
-|`CAT:`|The category of protection policy, applied to the message: <ul><li>`BULK`: Bulk</li><li>`DIMP`: Domain Impersonation</li><li>`GIMP`: [Mailbox intelligence based impersonation](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>`HPHSH` or `HPHISH`: High confidence phishing</li><li>`HSPM`: High confidence spam</li><li>`MALW`: Malware</li><li>`PHSH`: Phishing</li><li>`SPM`: Spam</li><li>`SPOOF`: Spoofing</li><li>`UIMP`: User Impersonation</li><li>`AMP`: Anti-malware</li><li>`SAP`: Safe attachments</li><li>`FTBP`: Anti-malware filetype policy</li><li>`OSPM`: Outbound spam</li><li>`INTOS`: Intra-Org phish action</li></ul> <br/> An inbound message might be flagged by multiple forms of protection and multiple detection scans. Policies have different priorities, and the policy with the highest priority is applied first. For more information, see [What policy applies when multiple protection methods and detection scans run on your email](how-policies-and-protections-are-combined.md).|
+|`CAT:`|The category of protection policy that's applied to the message: <ul><li>`AMP`: Anti-malware</li><li>`BULK`: Bulk</li><li>`DIMP`: Domain impersonation<sup>\*</sup></li><li>`FTBP`: Anti-malware [common attachments filter](anti-malware-protection-about.md#common-attachments-filter-in-anti-malware-policies)</li><li>`GIMP`: [Mailbox intelligence](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) impersonation<sup>\*</sup></li><li>`HPHSH` or `HPHISH`: High confidence phishing</li><li>`HSPM`: High confidence spam</li><li>`INTOS`: Intra-Organization phishing</li><li>`MALW`: Malware</li><li>`OSPM`: Outbound spam</li><li>`PHSH`: Phishing</li><li>`SAP`: Safe Attachments<sup>\*</sup></li><li>`SPM`: Spam</li><li>`SPOOF`: Spoofing</li><li>`UIMP`: User impersonation<sup>\*</sup></li></ul> <br/> <sup>\*</sup>Defender for Office 365 only. <br/><br/> An inbound message might be flagged by multiple forms of protection and multiple detection scans. Policies are applied in an order of precedence, and the policy with the highest priority is applied first. For more information, see [What policy applies when multiple protection methods and detection scans run on your email](how-policies-and-protections-are-combined.md).|
|`CIP:[IP address]`|The connecting IP address. You can use this IP address in the IP Allow List or the IP Block List. For more information, see [Configure connection filtering](connection-filter-policies-configure.md).| |`CTRY`|The source country/region as determined by the connecting IP address, which might not be the same as the originating sending IP address.| |`DIR`|The Directionality of the message: <ul><li>`INB`: Inbound message.</li><li>`OUT`: Outbound message.</li><li>`INT`: Internal message.</li></ul>|
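Review bot: In the reordered `CAT:` list, `AMP` ("Anti-malware") and `MALW` ("Malware") still sit side by side with no indication of how they differ; a short clause on each would help anyone mapping a header value back to a policy. Two smaller points in the same cell: `INTOS` changes from "Intra-Org phish action" to "Intra-Organization phishing", which drops the word "action", so please confirm the meaning is unchanged; and "Policies are applied in an order of precedence, and the policy with the highest priority is applied first" says the same thing twice and could be a single clause. The footnote marker also needs a space before "Defender for Office 365 only."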
test-base Testapplication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/testapplication.md
In the left-hand menu under **Package catalog**, select the **New package**. The
1. Select the **Type of test**. There are two test types supported: - An **Out of Box (OOB) test** performs an install, launch, close, and uninstall of your package. After the install, the launch-close routine is repeated 30 times before a single uninstall is run. The OOB test provides you with standardized telemetry on your package to compare across Windows builds. - A **Functional test** would execute your uploaded test script(s) on your package. The scripts are run in the sequence you specified and a failure in a particular script will stop subsequent scripts from executing.
+ - A **Flown Driven test** allows you to arrange your test scripts with enhanced flow control. To help you comprehensively validate the impact of an in-place Windows upgrade, you can use flow driven tests to execute your tests on both the baseline OS and target OS with a side-by-side test result comparison.
> [!NOTE]
+ > Users can also select the pre-installed Microsoft apps option. This option will install Microsft apps, like Office, before the user application is installed.
+ >
> Out of Box test is optional now. > [!div class="mx-imgBorder"]
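Review bot: Two typos in the added lines: "Flown Driven test" should be "Flow Driven test" (the same bullet goes on to say "flow driven tests"), and "Microsft apps" should be "Microsoft apps". Also, the sentence just above the list still reads "There are two test types supported" while this change adds a third bullet, so that count needs updating. The new note about pre-installed Microsoft apps now shares a `[!NOTE]` block with the unrelated "Out of Box test is optional now" line; consider separate notes, or place the pre-install option next to the step where it is selected.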