Microsoft Azure AD Service Keeps an Eye on Suspicious Behavior

Microsoft previews a new Azure Active Directory service that makes it tougher for phishers to reel in victims.

Phishers beware. Azure Active Directory (AD) Identity Protection is in public beta, announced Alex Simons, director of Program Management for Microsoft's Identity division, yesterday.

The service, an add-on to Microsoft's cloud-based user identity and access management software, helps businesses thwart attacks and breaches caused by compromised user accounts. A common way for users to lose control of their credentials is falling for phishing emails that seemingly originate from trusted sources.

"Today, phishing attacks and account compromise are one of the biggest cyber risks that organizations face," Simons said in a blog post. "A single compromised identity in your organization can give cyber-criminals an opening into your environment." From there, attackers will often try to work their way up to privileged accounts with access to valuable data.

Last month, Cloudmark's annual threat report revealed that 91 percent of the 300 U.S. and UK companies surveyed by the data security specialist encountered a phishing attack in 2015. Eighty-four percent admitted that phishing attacks had made it past their defenses.

To guard against the Shellshock vulnerability, the Dyre banking Trojan and other cyber-threats, IBM recommends that financial firms educate users about the dangers of phishing and deploy anti-phishing controls on their mail gateways.

As of June 2015, Microsoft's own Exchange Online Protection offering helps businesses combat what the company calls "peer-phishing" attacks.

These attacks involve spoofing an organization's email domain and impersonating high-ranking executives and business leaders. Not only does the tactic make it difficult to detect and filter malicious emails, since they appear to originate from within the same organization, but recipients are also likely to act on such emails because they believe that they are legitimate requests from their bosses or colleagues.

Azure AD Identity Protection employs real-time, machine-learning-based detection and automated mitigation technologies to catch uninvited guests in the act and block off their access. The solution works with both on-premises and cloud applications whose users are managed by Azure AD.

Each Azure AD authentication request generates a real-time user and log-in risk score. If suspicious behavior is detected, Azure AD Identity Protection can be configured to block a log-in; demand that users pass a multi-factor authentication challenge; or require that users change their credentials, said Simons. Suspicious behavior can include a log-in from an anonymized network location or from a botnet.

Azure AD Identity Protection can detect the signs of a suspected attack, courtesy of Microsoft's own massive cloud services slate, which spans Office 365, Xbox Live and Azure. According to Simons, the company's machine-learning system processes in excess of 10 terabytes of data, including information pertaining to 14 billion log-ins belonging to nearly a billion users.

"These log-in signals are combined with data feeds from Microsoft's Digital Crimes Unit and Microsoft Security Response Center, phishing attack data from and Exchange Online as well as information we acquire from partnering with law enforcement, academia, security researchers and industry partners around the world," Simons added.

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...