From 6f8c82995c2f9b6346343160de3180024b52c4c3 Mon Sep 17 00:00:00 2001 From: puneethmeister <3039750+puneethmeister@users.noreply.github.com> Date: Tue, 8 Apr 2025 20:49:43 +0530 Subject: [PATCH 1/4] Update mdo-threat-classification.md --- .../mdo-threat-classification.md | 25 +++++++++++++++---- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/defender-office-365/mdo-threat-classification.md b/defender-office-365/mdo-threat-classification.md index e248799441..d9d5534b21 100644 --- a/defender-office-365/mdo-threat-classification.md +++ b/defender-office-365/mdo-threat-classification.md 
@@ -49,21 +49,24 @@ _Threat detections_ refer to the technologies and methodologies that are used to _Threat classification_ is the process of categorizing a threat based on intent and the specific nature of the attack. The threat classification system uses LLMs, ML models, and other advanced techniques to understand the intent behind threats and provide a more accurate classification. As the system evolves, you can expect new threat classifications to keep pace with emerging attack methods. +> [!NOTE] +> Items marked with (*) are planned for future release. Additional spam and bulk classifications will also be introduced and are not currently reflected in this documentation. + Different threat classes are described in the following list: - **Advance fee scam**: Victims are promised large financial rewards, contracts, or prizes in exchange for upfront payments or a series of payments, which the attacker never delivers. - **Business intelligence**: Requests for information regarding vendors or invoices, which are used by attackers to build a profile for further targeted attacks, often from a look-alike domain that mimics a trusted source. -- **Callback phishing**: Attackers use phone calls or other communication channels to manipulate individuals into revealing sensitive information or performing actions that compromise security. +- **Callback phishing***: Attackers use phone calls or other communication channels to manipulate individuals into revealing sensitive information or performing actions that compromise security. - **Contact establishment**: Email messages (often generic text) to verify whether an inbox is active and to initiate a conversation. These messages aim to bypass security filters and build a trusted reputation for malicious future messages. -- **Credential phishing**: Attackers attempt to steal usernames and passwords by tricking individuals into entering their credentials on a fraudulent website or through manipulative email prompts. 
+- **Credential phishing***: Attackers attempt to steal usernames and passwords by tricking individuals into entering their credentials on a fraudulent website or through manipulative email prompts. -- **Credit card collection**: Attackers attempt to steal credit card information and other personal details by deceiving individuals into providing their payment information through fake email messages, websites, or messages that appear legitimate. +- **Credit card collection***: Attackers attempt to steal credit card information and other personal details by deceiving individuals into providing their payment information through fake email messages, websites, or messages that appear legitimate. -- **Extortion**: The attacker threatens to release sensitive information, compromise systems, or take malicious actions unless a ransom is paid. This type of attack typically involves psychological manipulation to coerce the victim into compliance. +- **Extortion***: The attacker threatens to release sensitive information, compromise systems, or take malicious actions unless a ransom is paid. This type of attack typically involves psychological manipulation to coerce the victim into compliance. - **Gift cards**: Attackers impersonate trusted individuals or organizations, convincing the recipient to purchase and send gift card codes, often using social engineering tactics. 
@@ -73,10 +76,22 @@ Different threat classes are described in the following list: - **Personally identifiable information (PII) gathering**: Attackers impersonate a high-ranking individual, such as a CEO, to request personal information. These email messages are often followed by a shift to external communication channels like WhatsApp or text messages to evade detection. -- **Social OAuth phishing**: Attackers use single sign-on (SSO) or OAuth services to deceive users into providing their sign in credentials, gaining unauthorized access to personal accounts. +- **Social OAuth phishing***: Attackers use single sign-on (SSO) or OAuth services to deceive users into providing their sign in credentials, gaining unauthorized access to personal accounts. - **Task fraud**: Short, seemingly safe email messages asking for assistance with a specific task. These requests are designed to gather information or induce actions that can compromise security. +- **HackTool**: Tools that are used for hacking. + +- **Ransom**: Software (often called ransomware) that denies users from using or accessing their PC or desktop, usually for malicious purposes. These kinds of software may (1) require users to pay a certain amount of money (the ransom) (2) encrypt files and other data (3) require users to perform activities like answering surveys or CAPTCHAS to regain access to the machine. Commonly they prevent the user from diverting input device focus away from the ransomware and don’t give the user an option to terminate the malicious process normally. In some rare cases, the ransomware automatically performs denial of access to users, even after reboot or in safe mode. + +- **Downloader**: A trojan that downloads other malware. + +- **Adware**: A program that displays an advertisement that is out of context + +- **Spyware**: Trojan that has the capability to steal information from an affected user beyond passwords. 
+ +- **Remote Access Trojan**: A type of trojan that provides attackers with remote unauthorized access and control of infected computers. Bots are a subcategory of backdoor trojans. + ## Where threat classification results are available The results of threat classification are available in the following experiences in Defender for Office 365: From 653faa7d7394d517ac7c6c7ddafb8afcf0d767ec Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Tue, 8 Apr 2025 09:35:47 -0700 Subject: [PATCH 2/4] Update threat classification descriptions and ms.date --- .../mdo-threat-classification.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/defender-office-365/mdo-threat-classification.md b/defender-office-365/mdo-threat-classification.md index d9d5534b21..68557dcc49 100644 --- a/defender-office-365/mdo-threat-classification.md +++ b/defender-office-365/mdo-threat-classification.md @@ -16,7 +16,7 @@ ms.collection: - tier1 description: Admins can learn about threat classification in Microsoft Defender for Office 365. ms.service: defender-office-365 -ms.date: 01/21/2025 +ms.date: 04/08/2025 appliesto: - ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2 - ✅ Microsoft Defender XDR 
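Review bot: in the first hunk of patch 1 (`@@ -49,21`), the planned-for-release marker is written as a bare third asterisk glued to the bold label (`**Callback phishing***:`, and likewise for Credential phishing, Credit card collection, Extortion and Social OAuth phishing), which relies on the markdown parser treating the leftover `*` as literal text after closing the bold run. Escape it (`**Callback phishing**\*:`) or write it in the same parenthesised form the new NOTE uses ("Items marked with (*)"), for example `**Callback phishing** (*):`, so the rendering is unambiguous and the marker in the list matches the marker the NOTE describes.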
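Review bot: in the second hunk of patch 1 (`@@ -73,10`), the six new malware entries are appended after **Task fraud**, which breaks the alphabetical order the rest of the list follows (Advance fee scam, Business intelligence, Callback phishing, ...); **Adware** and **Downloader** in particular belong near the top. Smaller points in the same hunk: the **Adware** line has no terminal period; **HackTool** ("Tools that are used for hacking") is circular and should say what kind of tool the classifier actually flags; the **Ransom** entry packs three behaviours into inline "(1) ... (2) ... (3)" numbering inside one sentence and would read more clearly as a nested list under the bullet; and **Downloader** and **Spyware** open with "trojan" while **Remote Access Trojan** opens with "A type of trojan", so one form should be used throughout.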
@@ -49,48 +49,48 @@ _Threat detections_ refer to the technologies and methodologies that are used to _Threat classification_ is the process of categorizing a threat based on intent and the specific nature of the attack. The threat classification system uses LLMs, ML models, and other advanced techniques to understand the intent behind threats and provide a more accurate classification. As the system evolves, you can expect new threat classifications to keep pace with emerging attack methods. -> [!NOTE] -> Items marked with (*) are planned for future release. Additional spam and bulk classifications will also be introduced and are not currently reflected in this documentation. - -Different threat classes are described in the following list: +Currently available threat classes are described in the following list: - **Advance fee scam**: Victims are promised large financial rewards, contracts, or prizes in exchange for upfront payments or a series of payments, which the attacker never delivers. -- **Business intelligence**: Requests for information regarding vendors or invoices, which are used by attackers to build a profile for further targeted attacks, often from a look-alike domain that mimics a trusted source. +- **Adware**: A program that displays an advertisement that is out of context -- **Callback phishing***: Attackers use phone calls or other communication channels to manipulate individuals into revealing sensitive information or performing actions that compromise security. +- **Business intelligence**: Requests for information regarding vendors or invoices, which are used by attackers to build a profile for further targeted attacks, often from a look-alike domain that mimics a trusted source. - **Contact establishment**: Email messages (often generic text) to verify whether an inbox is active and to initiate a conversation. These messages aim to bypass security filters and build a trusted reputation for malicious future messages. 
- **Credential phishing***: Attackers attempt to steal usernames and passwords by tricking individuals into entering their credentials on a fraudulent website or through manipulative email prompts. -- **Credit card collection***: Attackers attempt to steal credit card information and other personal details by deceiving individuals into providing their payment information through fake email messages, websites, or messages that appear legitimate. - -- **Extortion***: The attacker threatens to release sensitive information, compromise systems, or take malicious actions unless a ransom is paid. This type of attack typically involves psychological manipulation to coerce the victim into compliance. +- **Downloader**: A trojan that downloads other malware. - **Gift cards**: Attackers impersonate trusted individuals or organizations, convincing the recipient to purchase and send gift card codes, often using social engineering tactics. +- **HackTool**: Tools that are used for hacking. + - **Invoice fraud**: Invoices that look legitimate, either by altering details of an existing invoice or submitting a fraudulent invoice, with the intent to trick recipients into making payments to the attacker. - **Payroll fraud**: Manipulate users into updating payroll or personal account details to divert funds into the attacker's control. - **Personally identifiable information (PII) gathering**: Attackers impersonate a high-ranking individual, such as a CEO, to request personal information. These email messages are often followed by a shift to external communication channels like WhatsApp or text messages to evade detection. -- **Social OAuth phishing***: Attackers use single sign-on (SSO) or OAuth services to deceive users into providing their sign in credentials, gaining unauthorized access to personal accounts. +- **Ransom**: Software (often called ransomware) that prevents users from using or accessing their PC, usually for malicious purposes. 
The software might take the following actions: + - Require users to pay (the ransom). + - Encrypt files and other data. + - Require users to do activities like answering surveys or CAPTCHAS to regain access to the machine. -- **Task fraud**: Short, seemingly safe email messages asking for assistance with a specific task. These requests are designed to gather information or induce actions that can compromise security. + Commonly, users can't move input device focus out of the ransomware, and users can't easily end the malicious process. In some cases, the ransomware denies PC access to users, even after a reboot or booting into Safe Mode. -- **HackTool**: Tools that are used for hacking. +- **Remote Access Trojan**: Softeare that gives attackers unauthorized remote access and control of infected computers. Bots are a subcategory of backdoor trojans. -- **Ransom**: Software (often called ransomware) that denies users from using or accessing their PC or desktop, usually for malicious purposes. These kinds of software may (1) require users to pay a certain amount of money (the ransom) (2) encrypt files and other data (3) require users to perform activities like answering surveys or CAPTCHAS to regain access to the machine. Commonly they prevent the user from diverting input device focus away from the ransomware and don’t give the user an option to terminate the malicious process normally. In some rare cases, the ransomware automatically performs denial of access to users, even after reboot or in safe mode. +- **Spyware**: Software that can steal information from an affected user beyond passwords. -- **Downloader**: A trojan that downloads other malware. - -- **Adware**: A program that displays an advertisement that is out of context - -- **Spyware**: Trojan that has the capability to steal information from an affected user beyond passwords. +- **Task fraud**: Short, seemingly safe email messages asking for assistance with a specific task. 
These requests are designed to gather information or induce actions that can compromise security. -- **Remote Access Trojan**: A type of trojan that provides attackers with remote unauthorized access and control of infected computers. Bots are a subcategory of backdoor trojans. + ## Where threat classification results are available From edd3c7f75eb341502e3469b7170439a93989987a Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Tue, 8 Apr 2025 09:37:12 -0700 Subject: [PATCH 3/4] Remove duplicate credential phishing entry --- defender-office-365/mdo-threat-classification.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/defender-office-365/mdo-threat-classification.md b/defender-office-365/mdo-threat-classification.md index 68557dcc49..f679883f32 100644 --- a/defender-office-365/mdo-threat-classification.md +++ b/defender-office-365/mdo-threat-classification.md @@ -59,8 +59,6 @@ Currently available threat classes are described in the following list: - **Contact establishment**: Email messages (often generic text) to verify whether an inbox is active and to initiate a conversation. These messages aim to bypass security filters and build a trusted reputation for malicious future messages. -- **Credential phishing***: Attackers attempt to steal usernames and passwords by tricking individuals into entering their credentials on a fraudulent website or through manipulative email prompts. - - **Downloader**: A trojan that downloads other malware. - **Gift cards**: Attackers impersonate trusted individuals or organizations, convincing the recipient to purchase and send gift card codes, often using social engineering tactics. From b4592981513c7bb1c0ee2765fa02bda1307479db Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Tue, 8 Apr 2025 09:38:14 -0700 Subject: [PATCH 4/4] Uncomment extortion and OAuth phishing sections --- defender-office-365/mdo-threat-classification.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/defender-office-365/mdo-threat-classification.md b/defender-office-365/mdo-threat-classification.md index f679883f32..c4bea6100d 100644 --- a/defender-office-365/mdo-threat-classification.md +++ b/defender-office-365/mdo-threat-classification.md @@ -86,8 +86,8 @@ Currently available threat classes are described in the following list: ## Where threat classification results are available
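Review bot: in the list hunk of patch 2 (`@@ -49,48`), "Softeare" in the new **Remote Access Trojan** line is a typo for "Software". In the same hunk the NOTE that explained the `(*)` marker is removed and the intro changes to "Currently available threat classes", yet the context line `- **Credential phishing***:` still carries its `*` with nothing left to explain it; the marker should be cleaned up here rather than in a follow-up commit. Minor: the moved **Adware** line still lacks its terminal period, and "CAPTCHAS" in the new nested list should be "CAPTCHAs".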
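Review bot: for patch 3 (`@@ -59,8`), the commit message says "Remove duplicate credential phishing entry", but nothing in the visible hunk shows a second copy of the entry; the two lines removed are the single **Credential phishing** item, still carrying the `*` marker whose explanatory NOTE the previous patch dropped. If the intent is to remove a not-yet-available entry, the message should say so, and this two-line change reads better squashed into the previous commit where the other starred items were handled.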