Updated on October 11, with details of Microsoft Edge’s proposed new technology to take on Google Chrome over user privacy as well as security.
Microsoft has just issued a new warning for millions of Windows users, with “threat actors increasingly using [new] tactics aimed at circumventing defense mechanisms.” These attacks have escalated over the last six months, and the company has now issued a detailed set of recommendations.
The attacks, which “misuse legitimate file hosting services, increasingly use defense evasion tactics involving files with restricted access and view-only restrictions.” Ultimately, though, there is still a reliance on a fraudulent website to harvest user credentials—this is the weak point of the attack chain and the best opportunity for users and their enterprises to stop attacks in their tracks.
Which leads to Microsoft’s recommendation to “leverage Microsoft Edge to automatically identify and block malicious websites, including those used in this phishing campaign.” This uses the linkage between Edge and Microsoft Defender SmartScreen to “provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a focused attack.”
Last month I reported on Microsoft issuing this same switch to Edge warning to Chrome users, on that occasion in the wake of a zero-day vulnerability its threat hunters had identified and which had prompted the US government to mandate all federal employees to update Chrome or cease using the browser completely.
Microsoft’s advisory warned enterprises to encourage the use of “Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.” Put more simply—not Google Chrome.
As I commented at the time, “while there is a case for Edge over Chrome with regards to malware protection, it feels somewhat askew for a Microsoft product that competes with Chrome to be recommended in a security advisory for a CVE disclosed by Microsoft, now riding a wave of Chrome generated publicity.”
There isn’t that specific angle this time around, but Microsoft is pushing a joined-up, enterprise approach to defending against such business compromises. The company is on a mission to switch Chrome users to Edge, and has been called out in the past for security warnings flashed to users when they install Chrome from a Windows PC. And so, set against that backdrop, this does seem part of that broader campaign.
The use of trusted file-sharing platforms—specifically Dropbox, SharePoint and OneDrive—is designed to trick employees into opening files that seemingly come with their organization’s security wrap. “The widespread use of such services also makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures.”
Such attacks are not new, but the recent twist Microsoft has identified is the use of files with access restricted to the recipient or with view-only settings, both of which are intended to trick enterprise security systems into giving links a pass and to trick users into trusting the malicious payload.
“Often,” Microsoft says, “users from trusted vendors are added to allow lists through policies set by the organization on Exchange Online products, enabling phishing emails to be successfully delivered.” The attacks themselves have typical objectives—theft of organizational credentials and access to business systems and financial gain.
Because the chain starts with one compromise allowing the attack to originate inside a trusted environment, bad actors can also tune the filenames to appear relevant to ongoing engagements: “familiar topics based on existing conversations… for example, if the two organizations have prior interactions related to an audit, the shared files could be named ‘Audit Report 2024’.” Microsoft has also seen such file names and outreach use urgent headlines to prompt immediate action.
Once the user has run through MFA to access their legitimate file sharing platform, and “the user is successfully authorized and can view a document,” the next step is a file “often masquerading as a preview, with a malicious link, which is another lure to make the targeted user click the ‘View my message’ access link.”
This link takes the user to the fraudulent website, crafted for the campaign, “where the user is prompted to provide the password and complete multifactor authentication (MFA). The compromised token can then be leveraged by the threat actor to perform the second stage attack and continue the campaign.”
This is where the recommended enterprise use of Edge kicks in, but Microsoft also recommends the use of conditional access policies, which can restrict access based on analysis of various signals, and the wider use of Microsoft Defender.
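The attack chain described above leaves several traits a mail-gateway or SOC triage rule can score together: a share on a trusted host, recipient-only or view-only access that blocks content inspection, a sender on the Exchange Online allow list, urgency wording, and the “View my message” lure. The following is an added example of such a heuristic, not Microsoft’s own detection logic; the event field names, point values, threshold and sample events are all assumptions constructed for illustration.

```python
"""Heuristic triage of file-sharing notifications for the campaign traits
described above. Added example, not Microsoft's detection logic: the event
fields and weights are assumptions, and the sample events are constructed."""
import re

TRUSTED_HOSTS = {"dropbox.com", "sharepoint.com", "onedrive.live.com"}
URGENCY = re.compile(r"\b(urgent|immediate|action required|asap|overdue)\b", re.I)
LURE_LINKS = re.compile(r"view my message|view document|open file", re.I)

def score_share_notification(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one sharing-notification e-mail.
    Each campaign trait adds points; no single trait is conclusive."""
    score, reasons = 0, []
    host = event.get("host_service", "").lower()
    if any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
        score += 1
        reasons.append(f"file hosted on trusted service {host}")
    # Recipient-only or view-only shares stop the gateway from scanning the payload
    if event.get("share_restriction") in {"recipient-only", "view-only"}:
        score += 2
        reasons.append(f"{event['share_restriction']} share blocks inspection")
    # Allow-listed vendors skip filtering, so a compromised vendor mailbox gets through
    if event.get("sender_on_allow_list"):
        score += 2
        reasons.append("sender domain on Exchange Online allow list")
    if URGENCY.search(event.get("subject", "") + " " + event.get("file_name", "")):
        score += 1
        reasons.append("urgency wording in subject or file name")
    if LURE_LINKS.search(event.get("link_text", "")):
        score += 1
        reasons.append(f"lure link text {event['link_text']!r}")
    return score, reasons

def triage(events: list[dict], threshold: int = 5) -> list[dict]:
    """Flag events at or above threshold for analyst review, before the
    user can follow the link to the credential-harvesting site."""
    flagged = []
    for ev in events:
        s, why = score_share_notification(ev)
        if s >= threshold:
            flagged.append({"id": ev["id"], "score": s, "reasons": why})
    return flagged

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"id": "evt-1", "host_service": "contoso-my.sharepoint.com", "share_restriction": "anyone-with-link",
     "sender_on_allow_list": False, "subject": "Q3 budget draft", "file_name": "Budget_Q3.xlsx", "link_text": "Open"},
    {"id": "evt-2", "host_service": "onedrive.live.com", "share_restriction": "recipient-only",
     "sender_on_allow_list": True, "subject": "URGENT: Audit Report 2024", "file_name": "Audit Report 2024.pdf",
     "link_text": "View my message"},
]
```

Only the second constructed event crosses the threshold; the first is an ordinary internal share and scores one point for the trusted host alone.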
“By understanding these evolving threats and implementing the recommended mitigations,” Microsoft says, “organizations can better protect themselves against these sophisticated campaigns and safeguard digital assets.”
This isn’t the only current push for Windows users to switch to Edge, and we have just seen performance improvements highlighted as part of the campaign. But as I have commented before, the use of this joined-up enterprise approach to defending against business threats is clever. Pushing Edge as a CISO recommendation rather than a user choice would see more users, and if the browser performs maybe Edge will finally eat into Chrome’s staggering domination of the desktop browser market.
Putting security and performance to one side, there’s perhaps an even more interesting development within Microsoft’s Edge ecosystem that might well have Chrome firmly in its sights. And this one could target a much more sensitive area when it comes to Chrome—privacy and the dreaded tracking cookies that should have been long dead by now, but which have been given a new lease of life.
As picked up by Neowin, Microsoft has just released details of “a limited preview of a new privacy-preserving ads API for developers on the Canary and Dev channels of Microsoft Edge… The API is called the Ad Selection API and is designed to display online ads but in a more privacy-friendly way than using third-party cookies which track you around the web.”
According to Microsoft, while this new proposal “is substantially similar to other ad serving proposals from a structure, flow, and syntax perspective,” it has “some core differences related to overall model and infrastructure that we believe provide critical capabilities that will enable the open web ecosystem to effectively move to privacy-preserving ads APIs.”
This is still early days for Microsoft’s foray into privacy preserving ad tech, but the timing is pretty apt. Google is struggling to find a replacement for tracking cookies that the ad industry and regulators deem acceptable. Microsoft doesn’t have the same vested interests and so is an interesting heavyweight to be weighing into this now.
“We want to make the use of privacy-preserving advertising viable,” Microsoft says, which today it clearly is not. Google’s latest proposal is to enable consumers to opt out of tracking cookies and into a new, semi-anonymized tracking platform that can serve preferences to advertisers without enabling digital fingerprinting or cross-site tracking. The industry fears most will opt out—as happened when Apple did the same, which would enable Google’s proposed solution to be deployed despite regulatory concerns. Against this backdrop, alternative solutions will be interesting.
All that said, Microsoft is coming from miles behind the line when it comes to Edge versus Chrome, and one can’t help but think that the better chance of disruption will come from AI search rather than anything else. And that will pitch Microsoft’s relationship with OpenAI against Google’s Gemini, which will be a much more open battle than security or performance or tracking, with users making their choice.
Meanwhile, Microsoft “is rolling out the functionality to users gradually so you may not even see it in the Canary and Dev channels,” Neowin explains. “If you want to switch it on manually, type the following in the URL bar edge://flags#edge-ad-selection-api then enable the API. Unfortunately, the preview is still in limited regions and notably excludes the European Economic Area (EEA) and the UK.”