Microsoft Malware Protection Center

Threat Research & Response Blog

  • MAPS in the cloud: How can it help your enterprise?

    Malware can easily send a huge enterprise infrastructure into a tailspin. However, you can get greater protection from malware by using services in the cloud. Yes, there’s an opportunity to get real-time results from suspicious malware triggers where your system can: consult the cloud upon detecting suspicious malware behaviors, and respond by blocking malware based on derived logic from the account ecosystem data and local signals from the client. How? Through the Microsoft...
  • Crowti update - CryptoWall 3.0

    After almost two months of hiatus over the holidays, a new campaign of Crowti tagged as 'CryptoWall 3.0' has been observed. It uses a similar distribution channel as before, having been downloaded by other malware and serving as a payload through exploits. The graph below shows the spike after two days of no activity from 288 unique machines affected by this malware: Figure 1. Sudden spike from CryptoWall 3.0 activity this month. It still follows the same behavior as previous...
  • MSRT January 2015 – Dyzap

    This month we added the Win32/Emotet and Win32/Dyzap malware families to the Malicious Software Removal Tool. Both Emotet and Dyzap are trojans that steal personal information, including banking credentials. In a previous blog we detailed how Emotet targets German-language banking websites. In this blog, we will focus on Dyzap – another prevalent banking trojan that predominantly targets English-speaking countries. Dyzap variants target credentials for online banking, cryptocurrency...
  • Emotet spam campaign targets banking credentials

    A new variant in the Win32/Emotet family is targeting banking credentials with a new spam email campaign. The emails include fraudulent claims, such as fake phone bills, and invoices from banks or PayPal. Since November 2014 we have been monitoring a new variant: Trojan:Win32/Emotet.C. This variant was part of a recent spam campaign that peaked in November. Our telemetry indicates this campaign primarily targeted German-language speakers and banking websites. Figure 1: Emotet infections...
  • Before you enable those macros…

    The Microsoft Malware Protection Center (MMPC) has recently seen an increasing number of threats using macros to spread their malicious code. This technique uses spam emails and social engineering to infect a system. Using macros in Microsoft Office can help increase productivity by automating some processes. However, malware authors have also exploited these capabilities. Since Microsoft set the default setting to "Disable all macros with notification", the number of macro-related malware...
  • Make your browsing 14x safer for the holidays!

    The browser is how most people access the Internet, and with the proliferation of malware online today, it is one of the first lines of defense in helping to protect systems. Each new browser version can offer new capabilities, protections, and fixes for vulnerabilities. This means that a newer browser is often safer than its predecessor. Microsoft Malware Protection Center’s data analysis reinforces this theory. Computer security professionals often remind people to regularly...
  • Your Browser is (not) Locked

    Most ransomware has a binary file that needs to be executed before it can infect your PC. Ransomware usually relies on social engineering or exploits to infect unsuspecting users. However, some malware authors are bypassing this requirement with a new trick - browser lockers. Unlike traditional ransomware threats that lock the entire desktop, browser lockers only lock the web browser of an infected PC. Most other malware needs a user (or other malware) to manually run it. Browser lockers don’t...
  • Wire transfer spam spreads Upatre

    The Microsoft Malware Protection Center (MMPC) is currently monitoring a spam email campaign that is using a wire transfer claim to spread Trojan:Win32/Upatre. It is important to note that customers running up-to-date Microsoft security software are protected from this threat. Additionally, customers with Microsoft Active Protection Service Community (MAPS) enabled also benefit from our cloud protection service. Upatre typically uses spam email campaigns to spread and then downloads other...
  • A timeline of consent and control

    In October we announced some changes to our BrowserModifier detection criteria. These changes were designed to keep a user in charge of their web browsers through consent and control. Since the changes were announced we have been working with software developers to align their programs with our criteria. To provide more clarity, we are sharing our timeline for compliance. This blog sets an enforcement timetable and further clarifies our detection criteria. Control: Our objective criteria...
  • MSRT December 2014

    This month is our final release of the Malicious Software Removal Tool (MSRT) for 2014. Although we didn’t add any new malware families, we updated the tool with the latest detection and remediation capabilities for the malware families added in previous releases. Since January 2014, there have been more than seven billion successful MSRT installs via Microsoft Windows Update. This is an average of 500 million installs every month. The MSRT detected and successfully removed malware on more...