Wednesday, August 23, 2017

Microsoft perspective on cyber resilience

This post is authored by Ann Johnson, Vice President, Enterprise Cybersecurity Group.

In the wake of recent ransomware outbreaks, I wanted to understand how impacted firms have evolved their thinking on cyber resilience planning and implementation. I asked the Detection and Response Team at Microsoft, which helps our customers respond to and recover from cyberattacks both proactively and in real time, to share their experiences. I have included below a few anonymized customer scenarios the team shared with me, which point to the acute need for a cyber resilience plan.

What follows is a reference framework of Microsoft capabilities which can help our customers become more agile in the face of modern attacks. In other words, this post is about mapping the road to cyber resilience.

Why cyber resilience matters

Organizations globally are highly dependent on technology for personal and business tasks. As of the end of Q1 CY2017 there were over 3.7 billion Internet users worldwide, and this population is growing. As Internet adoption grows, so does the attack surface. The current cybersecurity threat landscape creates a real risk to people and assets, so organizations must balance allowing access against managing risk. Commonly, enterprise organizations approach cybersecurity by implementing tools, technologies, and personnel for "protection" and "incident response". While this is important, the root purpose of implementing cybersecurity tools and technologies is business continuity. Enterprise organizations should also think at a strategic level about the "big picture" of how to fortify their critical systems, IT infrastructure, and data centers so that they stay resilient in the face of the human errors and cyberthreats that cause downtime. This is where a cyber resilience strategy comes into play. Organizations need to build a cyber resilience strategy and execute a cyber resilience program tailored to their business needs to ensure business continuity in the event of a security incident.

According to Accenture’s “State of Cybersecurity and Digital Trust”, while 75% of all survey takers say they have high cybersecurity confidence levels, only 37% claim they have confidence in their organization’s ability to monitor for breaches and 36% claim confidence in their ability to minimize disruptions. According to Gartner, the average cost of downtime is USD $5,600 per minute—over USD $300,000 per hour. Human error is the most common contributor to downtime. Some studies conclude that human error accounts for 75% of downtime.

With organizations more reliant on IT than ever before, it is important to acknowledge business continuity and disaster recovery (BCDR) as a vital component for the entire organization, instead of as an issue that has implications for IT teams only. Every enterprise organization needs to be prepared to handle outages caused by unforeseen events. Downtime of critical applications and services can lead to a stop in productivity and operations, lost revenue, and lower customer confidence in the organization. A strong cyber resilience plan, effectively executed, can help an organization's computer systems, IT infrastructure, and data centers withstand the impact of cyberthreats and human error.

Cyber resilience scenarios

There are many news stories about organizations who have suffered from cyberattacks and/or data breaches. Developing a strategy and taking actions in support of cyber resilience may help reduce the extent and cost of recovery from damage due to such incidents.

Example #1 – Ransomware infecting multiple organizations globally:

Recent ransomware attacks in the first half of 2017 have highlighted the need to be able to access critical IP, systems, and infrastructure even when it’s locked down by ransomware. WannaCry ransomware impacted multiple industries and companies worldwide, including automobile manufacturing plants that had to halt production for some time. Regardless of the motivation of the attack, clearly it resulted in unplanned downtime and recovery costs to impacted companies.

A key takeaway is ransomware can impact any type of organization. Keeping computer systems patched and up-to-date, backing up data regularly, having fully tested disaster recovery plans in place, and providing education on cyberthreats (e.g. phishing and ransomware) to direct employees and contractors can help to at least reduce the extent of damage from such an incident.

Example #2 – Data breaches continue to impact US healthcare industry:

Cyberattacks continue to measurably impact the healthcare industry since cybercriminals who successfully gain access to medical data could use it for conducting fraud or identity theft for lucrative purposes. Also, the personal data often includes information on a patient’s medical history, which may be used in targeted spear-phishing attacks. As of August 9, 2017, the US Department of Health and Human Services’ HIPAA Breach Reporting Tool website – often called the “wall of shame” – showed a total of 2,018 breaches since 2009. The number of individuals affected by health data breaches also has surged in recent years, from 31.5 million as of May 30, 2014, to about 175 million as of August 9, 2017.

There are three key takeaways from these trends and statistics. The first is that healthcare personnel and patients need to be alert to and inform their IT organization of suspicious communications (fraud/phishing emails) and identity theft incidents as much as possible. Another takeaway is that personal health and identification information should not be exposed without an express requirement to share (e.g. for a patient to offer proof of identity for a medical examination or procedure). Further, the use of data classification and information protection solutions can help reduce the impact of exposure by protecting sensitive information across its lifecycle.

Example #3 – Human error led to client information exposure for financial services firm:

The financial services and banking industries, despite having relatively tighter monitoring and controls over their infrastructure and data than other industries, continue to be impacted by data breaches. In early 2017, a financial services firm inadvertently left a database containing sensitive information on thousands of its clients exposed to the public. The company attributed the incident to human error by a third-party vendor.

A key takeaway is that organizations must hold accountable all contractors with access to the organization's network and data. This was also a major issue that came to light with the outbreak of the Petya ransomware, where third-party contractors failing to follow organizational cybersecurity policies was a root cause of the crisis.

Considerations for a cyber resilience program

To enhance the ability of computer systems, IT infrastructure, and data centers to withstand damage from human error, cyberthreats, and cyberattacks, we suggest that enterprise organizations consider a cyber resilience program that combines people, processes, and cloud services.

People:

Every person with corporate network access, including full-time employees, consultants, and contractors, should be regularly trained to develop a cyber-resilient mindset. This includes not only adhering to IT security policies around identity-based access control, but also alerting IT to suspicious events and infections as soon as possible to help minimize time to remediation.

Processes:

Organizations should consider implementing several processes for an effective cyber-resilient posture. Some of these can be implemented as IT security policies. Suggested processes include the ones listed in the table below.

Cloud services:

To maintain cyber resilience, the suggested processes should be performed on a regular basis, at a cadence set by the business's risk tolerance and its ability to execute the processes operationally through a combination of human effort and technology products and services.

Fortunately, cloud-based architectures can be used to rapidly reconstitute on-premises infrastructure or fail over to a mirrored infrastructure. A key consideration when adopting cloud services is to look at how the provider conducts its assessments, and to look for third-party audits and certifications as evidence of how it is performing.

Cloud services such as Microsoft Azure and Office 365 can serve at least as a first step towards helping customers with their cyber resilience needs.



Microsoft Services

Early warning and alerting system
Organizations should receive early warning and alerts on suspicious or investigation-worthy electronic information.

Azure:

Azure Security Center automatically collects, analyzes, and integrates log data from your Azure resources, which can be used for eDiscovery.

Office 365:

eDiscovery in Office 365 can be used to search for content in Exchange Online mailboxes, Office 365 Groups, Microsoft Teams, SharePoint Online sites, and Skype for Business conversations.

Incorporate cyber incidents into disaster recovery and business continuity planning
Incorporate cyber incidents into your existing disaster recovery and business continuity planning, and assign them a higher likelihood than traditional acts of nature.

Azure:

If you are looking to implement disaster recovery for all your major IT systems without the expense of secondary infrastructure, Microsoft offers a variety of reference architectures to help organizations design and implement secure, highly available, performant, and resilient solutions on Azure.

Office 365:

Office 365 offerings are delivered by highly resilient systems that help to ensure high levels of service. Service continuity provisions are part of the Office 365 system design. These provisions enable Office 365 to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These service continuity solutions also apply during catastrophic outages (for example, natural disasters or an incident within a Microsoft data center that renders the entire data center inoperable).

Platform hardening
Lock down the platform against hacking attempts.

Azure:

From a platform hardening perspective, Microsoft performs its own internal assessments through penetration testing and red teams. Microsoft uses red teaming to simulate real-world breaches, conduct continuous security monitoring, and practice security incident response to validate and improve the security of Microsoft Azure and Office 365. We strive to provide a robust cloud platform that customers can depend on for accessing critical applications and data in a secure manner.

Office 365:

Office 365 is a security-hardened service, designed following the Microsoft Security Development Lifecycle. We bring together best practices from two decades of building enterprise software and managing online services to give you an integrated software-as-a-service solution.

Protect against email cyberthreats
Implement security policies for detecting and protecting users from opening suspicious or malicious email-based web links and attachments (e.g. phishing).

Office 365:

Office 365 Advanced Threat Protection helps protect mailboxes against new, sophisticated attacks in real time. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection.

Control access
Limit access to data and applications to reduce risk.

Azure:

Azure Multi-Factor Authentication helps safeguard access to data and applications, and helps to meet customer demand for a simple sign-in process. It provides strong authentication with a range of easy verification options (phone call, text message, or mobile app notification) and lets users choose the method they prefer.

Office 365:

Multi-Factor Authentication for Office 365 helps secure access to Office 365. It increases the security of user logins for cloud services above and beyond just a password. Users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied can a user sign in.

Detect and defend against rogue systems
Apply conditional access-based security defenses to systems that have gone rogue.

Azure:

Conditional access in Azure Active Directory enables you to enforce controls on access to apps in your environment based on specific conditions. With controls, you can either tie additional requirements to the access or block it. The implementation of conditional access is based on policies. A policy-based approach simplifies your configuration experience because it follows the way you think about your access requirements.

Office 365:

Device Health Attestation (DHA) for Office 365 enables enterprises to raise their security bar to hardware-monitored and attested security, with minimal or no impact on operating cost. You can use DHA to assess device health for:

  • Windows 10 and Windows 10 Mobile devices that support TPM 1.2 or 2.0.
  • On-premises devices that are managed by using Active Directory with Internet access, devices that are managed by using Active Directory without Internet access, devices managed by Azure Active Directory, or a hybrid deployment using both Active Directory and Azure Active Directory.

Vulnerability assessment
Learn about vulnerabilities in order of severity so that mitigation efforts can be focused on those presenting the most risk to the organization.

Azure:

The vulnerability assessment in Azure Security Center is part of the Security Center virtual machine (VM) recommendations. If Security Center does not find a vulnerability assessment solution installed on your VM, it recommends that you install one.

Software updates and patching
Continuously patch vendor software as new updates become available to help reduce the probability of attack, or at least mitigate the damage incurred.

Azure:

Hosting applications in Microsoft Azure not only alleviates management of systems for companies; it also helps with system updates and keeping servers up to date. As new security vulnerabilities are identified, Microsoft will automatically apply updates to Microsoft Azure roles (if configured to do so). Admins can choose to have Microsoft keep their roles (instances) up to date and apply these updates when they are available, thereby eliminating a tremendous administrative effort for the company.

Office 365:

Microsoft Office 365 ProPlus software can receive updates automatically from the Internet or from an on-premises location (based on the organization's preference).

Identity-based access control
Protect access to applications and resources end-to-end: across the corporate datacenter and into the cloud.

Azure:

Microsoft identity and access management solutions enable you to centrally manage identities across your datacenter and the cloud:

  • Azure Active Directory cloud identity and access management solutions: get single sign-on to thousands of cloud apps and access to web apps that you run on-premises with Azure Active Directory Premium. Built for ease of use, Azure Active Directory management tools enable collaboration and deliver holistic identity protection and adaptive access control.
  • Azure Active Directory B2C: a cloud identity service that allows you to connect to any customer. Governments and enterprises worldwide are using this service to serve their applications to their citizens and customers with fully customizable experiences, while protecting their identities at the same time.

Office 365:

Office 365 uses the Azure Active Directory cloud-based user authentication service to manage users. You can choose from three main identity models in Office 365 when you set up and manage user accounts:

  • Cloud identity. Manage your user accounts in Office 365 only. No on-premises servers are required to manage users; it is all done in the cloud.
  • Synchronized identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. You can also synchronize passwords so that users have the same password on-premises and in the cloud, but they will have to sign in again to use Office 365.
  • Federated identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. Users have the same password on-premises and in the cloud, and they do not have to sign in again to use Office 365. This is often referred to as single sign-on.

Regular data backups
Back up data in case your organization is impacted by ransomware or other cyberthreats.

Azure:

Azure Backup enables protection for hybrid backups via prevention, alerting, and recovery features.

Office 365:

OneDrive for Business is an integral part of Office 365, and provides a place in the cloud where you can store, share, and sync work files. It also allows for incremental restoration of files.

Protection of administrative credentials
Secure administrative credentials from compromise and misuse.

Microsoft Cloud Services, including Azure and Office 365, are built on a foundation of trust and security. The following and many other principles apply to our cloud services:

  • Microsoft provides you with security controls and capabilities to help you protect your data and applications.
  • You own your data and identities, and the responsibility for protecting them, for the security of your on-premises resources, and for the security of the cloud components you control.

How Microsoft partners with the ecosystem

Cyber resilience is not a problem we can address alone. Our commitment is to make sure our products work with the technology our customers already use. Microsoft is fostering a vibrant ecosystem of partners who help us raise the bar across the industry. Through our technology partner network, we can offer customers proactive vulnerability tools as well as more feature-rich solutions such as application firewalls and threat detection. We also collaborate extensively with customers and industry standards bodies to help us meet specific customer cyber resilience needs and industry regulations. Microsoft has been working with the Center for Internet Security (CIS) to demonstrate that our operating systems and, most recently, our cloud platform, Azure, have been hardened against cyberthreats. We are working towards getting Azure to pass the CIS Benchmark requirements. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. Microsoft is also actively working to align our offerings with the CIS Critical Security Controls (originally developed under SANS), which organizations use to prioritize defenses against the most important real-world threats on today's Internet.


Developing and executing a cyber resilience program is not trivial – it is a journey, not a destination. It requires organizational focus, commitment, and effort. For additional, detailed guidance on this topic, stay tuned for a white paper to be published later this year.

Ann Johnson, Vice President
Enterprise & Cybersecurity

Ann Johnson leads Enterprise & Cybersecurity at Microsoft. Her organization empowers global enterprises to confidently move to the cloud by modernizing their architectures for maximum business agility and security. Ann is a recognized industry leader with a proven track record for building and leading high-performing global enterprise software go-to-market teams. Ann has a background in cybersecurity, infrastructure and storage and is a frequent speaker on topics of online banking fraud, information security, healthcare security, mobile security, workforce diversity, privacy and compliance. She currently serves on the board of the Security Advisor Alliance and as Board Advisor to the biometric security firm HYPR.

from Microsoft Secure Blog Staff

[SANS ISC] Malicious script dropping an executable signed by Avast?

I published the following diary on “Malicious script dropping an executable signed by Avast?“.

Yesterday, I found an interesting sample that I started to analyze… It reached my spam trap attached to an email in Portuguese with the subject: “Venho por meio desta solicitar orçamento dos produtos” (“I hereby request the products budget”). There was one attached ZIP archive:… [Read more]

[The post [SANS ISC] Malicious script dropping an executable signed by Avast? has been first published on /dev/random]

from Xavier

Tuesday, August 22, 2017

"Charts Like This is Why Information Security is Failing"

I recently saw this chart being shared on LinkedIn. I do not know who developed the chart, nor is this a personal attack, but it is approaches like this that are why information security will never succeed. People were promoting this chart as a great reference on how to secure critical data. The overall approach is to identify … Continue reading Charts Like This is Why Information Security is Failing

from lspitzner

[SANS ISC] Defang all the things!

I published the following diary on “Defang all the things!“.

Today, I would like to promote a best practice via a small Python module that is very helpful when you’re dealing with suspicious or malicious URLs. Links in documents are potentially dangerous because users can always click by mistake on them. Many automated tools and scripts are processing documents to fetch links. Even if the original document does not provide dynamic links, many applications will detect them and change them to real links… [Read more]

[The post [SANS ISC] Defang all the things! has been first published on /dev/random]

from Xavier
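Defanging as a concrete routine, added here as an example and not the module from the diary: it applies the usual conventions (hxxp:// for the scheme, [.] for dots, [@] in e-mail addresses) to every URL, host name, IPv4 address or e-mail address found in a piece of text, and refang() reverses them, including the (.) and {.} variants seen in the wild, so that tooling can consume the original value again. The regular expressions and function names are mine; the sample text is constructed.

```python
"""Defang and refang indicators (URLs, hosts, IPv4 addresses, e-mail addresses).

Added example, not the module from the ISC diary. defang() rewrites every
indicator in free text so it is neither clickable nor auto-linked; refang()
reverses the rewrite so the original value can be fed back into tooling.
"""
import re

# Candidate indicators, tried in this order at each position: a URL with a
# scheme (must not end in a dot or comma), an e-mail address, then a bare
# host name or dotted IPv4 address.
_URL = r"\b(?:https?|ftp)://[^\s<>\"'(),]*[^\s<>\"'(),.]"
_EMAIL = r"\b[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b"
_HOST = r"\b(?:[A-Za-z0-9-]+\.)+(?:[A-Za-z]{2,}|[0-9]{1,3})\b"
_INDICATOR = re.compile(f"{_URL}|{_EMAIL}|{_HOST}", re.IGNORECASE)

# Live scheme -> neutered scheme. "http://" is tested before "https://" but
# cannot match an https URL, so the order is safe.
_SCHEMES = {"http://": "hxxp://", "https://": "hxxps://", "ftp://": "fxp://"}


def _defang_token(tok: str) -> str:
    """Defang one indicator: neuter the scheme, then bracket every dot and '@'."""
    low = tok.lower()
    for live, dead in _SCHEMES.items():
        if low.startswith(live):
            tok = dead + tok[len(live):]
            break
    return tok.replace(".", "[.]").replace("@", "[@]")


def defang(text: str) -> str:
    """Defang every indicator found in text; surrounding prose is left untouched."""
    return _INDICATOR.sub(lambda m: _defang_token(m.group(0)), text)


def refang(text: str) -> str:
    """Reverse defang(); also accepts (.), {.}, [@] and [:] style brackets."""
    text = re.sub(r"[\[({]\.[\])}]", ".", text)
    text = re.sub(r"[\[({]@[\])}]", "@", text)
    text = re.sub(r"[\[({]:[\])}]", ":", text)
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    text = re.sub(r"\bfxp://", "ftp://", text, flags=re.IGNORECASE)
    return text


if __name__ == "__main__":
    # Constructed sample text; none of these are real indicators.
    sample = "Payload at http://evil.example.com/inv.php?id=7, C2 10.0.0.5, contact bad@example.net"
    print(defang(sample))
    print(refang(defang(sample)) == sample)
```

Dots are bracketed across the whole token, path included, which is what most IOC tools do; the host pattern will also bracket a version number such as 1.5, which is harmless for the purpose but worth knowing if you run it over prose.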

Who’s Blocked by Bad Guys?

Just a quick post about an interesting file found in a phishing kit. Bad guys use common techniques to prevent crawlers, scanners or security companies from accessing their pages. Usually, they deploy a .htaccess file to achieve this. Today, I found a phishing kit related to a bank (ANZ) with such protection. But, in this case, the attackers took the time to comment the blocked IP addresses and user-agents. Note that they also prevent other malicious traffic (like bots) from reaching them. Very interesting! Want to know who's blocked? Have a look at the file:
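The file is long, so before it, an added example that is not part of the original post: a small Python checker that parses this kind of .htaccess block list and tells you whether a scanner's source IP or User-Agent would be refused, which is what you want to know before pointing a crawler at a kit. It implements Apache's partial-IP semantics for deny from (203.68. covers 203.68.0.0/16, compared octet by octet) and the [NC,OR] RewriteCond chain (NC makes the regex case-insensitive, OR means any match wins). The embedded sample is a constructed abridgement in the same format as the file quoted below; BlockList, parse_htaccess and blocked_by are my names. Hostname and CIDR forms of deny from are not handled, since the kit does not use them.

```python
"""Test whether a scanner's source IP or User-Agent would be refused by a
phishing kit's .htaccess block list.

Added example, not part of the original post. It parses the two constructs
the kit uses, 'deny from <partial IPv4>' inside the <Limit> block and chains
of 'RewriteCond %{HTTP_USER_AGENT} <regex> [NC,OR]', and evaluates them the
way Apache does. Lines whose address or pattern is missing are skipped.
"""
import re
from dataclasses import dataclass, field


@dataclass
class BlockList:
    ip_prefixes: list = field(default_factory=list)  # (prefix, comment)
    ua_patterns: list = field(default_factory=list)  # (compiled regex, source, comment)


# 'deny from 203.68. # taiwan academic network'; the address is optional so that
# lines whose address was blanked out still parse and are skipped.
_DENY = re.compile(r"^\s*deny\s+from(?:\s+([0-9.]+))?\s*(?:#\s*(.*))?$", re.IGNORECASE)
# 'RewriteCond %{HTTP_USER_AGENT} "^DA \d\.\d " [NC,OR] # OD'; the pattern may be quoted.
_COND = re.compile(
    r'^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(?:"([^"]*)"|(\S+))\s+\[([^\]]*)\]\s*(?:#\s*(.*))?$'
)


def parse_htaccess(text: str) -> BlockList:
    """Collect the deny prefixes and user-agent regexes from an .htaccess body."""
    bl = BlockList()
    for line in text.splitlines():
        m = _DENY.match(line)
        if m:
            if m.group(1):
                bl.ip_prefixes.append((m.group(1), (m.group(2) or "").strip()))
            continue
        m = _COND.match(line)
        if m:
            pattern = m.group(1) if m.group(1) is not None else m.group(2)
            flags = re.IGNORECASE if "NC" in m.group(3).upper().split(",") else 0
            try:
                bl.ua_patterns.append((re.compile(pattern, flags), pattern, (m.group(4) or "").strip()))
            except re.error:
                pass  # PCRE syntax that Python's re rejects: skip rather than guess
    return bl


def ip_matches(prefix: str, ip: str) -> bool:
    """Apache partial-IP match on whole octets, so 203.68. does not cover 203.168.x.x."""
    want = [o for o in prefix.split(".") if o]
    have = ip.split(".")
    return len(want) <= len(have) and have[: len(want)] == want


def blocked_by(bl: BlockList, ip: str, user_agent: str):
    """Return (rule, comment) for the first rule that refuses the request, or None."""
    for prefix, comment in bl.ip_prefixes:
        if ip_matches(prefix, ip):
            return (f"deny from {prefix}", comment)
    for rx, source, comment in bl.ua_patterns:
        if rx.search(user_agent):  # RewriteCond is unanchored unless the pattern anchors itself
            return (f"UA ~ {source}", comment)
    return None


# Constructed sample in the same format as the kit's file, abridged to a few of its entries.
SAMPLE_HTACCESS = r"""<Limit GET POST>
order allow,deny
deny from # totaldomaindata (checkmark)
deny from 203.68. # taiwan academic network
deny from 213.185.106. # nigeria
deny from 209.203.192. # Expedite Marketing
allow from all
</Limit>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^-?$ [NC,OR] # blank user-agent
RewriteCond %{HTTP_USER_AGENT} "addresses\.com" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} cherry.?picker [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "^DA \d\.\d " [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} [NC,OR]
RewriteCond %{HTTP_USER_AGENT} getright [NC,OR] # OD
"""

if __name__ == "__main__":
    rules = parse_htaccess(SAMPLE_HTACCESS)
    for ip, ua in [("203.68.12.1", "Mozilla/5.0"), ("8.8.8.8", ""), ("8.8.8.8", "Mozilla/5.0 (X11; Linux)")]:
        print(ip, repr(ua), "->", blocked_by(rules, ip, ua))
```

Run it against the real file by passing its text to parse_htaccess; a request is treated as blocked when it is denied by address or when any RewriteCond in the OR chain matches, which is how the kit's rule set behaves once the chain ends in a RewriteRule.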

<Limit GET POST>
order allow,deny
deny from # totaldomaindata (checkmark)
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from 203.68. # taiwan academic network
deny from 218.58.124. # china jpg giftsite spammer
deny from 218.58.125.
deny from 62.194.7. # NE spambot
deny from 85.17.6. # netherlands
deny from 194.213. # czech norway sweden etc
deny from # SEO masked as SE
deny from # SEO masked as SE
deny from 212.187.116. # clown from Netherlands siphoning bible site
deny from 84.87. # clown from Netherlands siphoning bible site
deny from 222.252. # vietnam spammer
deny from 203.160.1. # vietnam spammer
deny from 82.60.1. # spamming Italy block
deny from # clown on comcast
deny from # unknown spain bot
deny from 82.131.195. # hungarian BS bot
deny from 217.153. # poland
deny from 202.108.252. # repeated merch spam!
deny from 82.208. # czech russia romania etc
deny from # BW sucking bot
deny from # bogus crawler
deny from 80.96. # romania
deny from # unknown bot
deny from #
deny from # unknown Java BW waster
deny from # blacklisted spammer
deny from 220.181.26. # sohu bot
deny from # unknown stealth bot
deny from 62.163. # netherlands
deny from 195.113. # czech
deny from 213.185.106. # nigeria
deny from 213.185.107. # nigeria
deny from # blacklisted IP
deny from 219.95. # malaysia
deny from #
deny from 81.93.165. # norway bot
deny from 81.223.254. # austrian bs bot
deny from 87.123.74. # patwebbot
deny from 62.193.213. # french BS bot
deny from 86.120. # romania
deny from 86.121.
deny from 86.122.
deny from 86.123.
deny from 86.124.
deny from 86.125.
deny from 86.126.
deny from 86.127.
deny from 220.194.54. # BS bandwidth wasting bot
deny from 210.51.167. # BS bot
deny from 204.14.48. # stealth bots webhost etc
deny from # development bot
deny from # bot rips way too fast
deny from # unknown clown UK
deny from # stealth bandwidth hog
deny from # stealth bot
deny from # stealth bot
deny from # unknown bot
deny from # stealth bot
deny from 139.18.2. # findlinks bot
deny from # unknown bot
deny from 82.80. # israel
deny from 82.81.
deny from 213.180.128. # poland
deny from 213.180.129.
deny from 213.180.130.
deny from 213.180.131.
deny from # stealth bot
deny from # unknown bot
deny from # spanish SE
deny from 194.224.199. # private spanish server
deny from 81.19.66. # russia
deny from 213.176.126. # iran
deny from #
deny from
deny from
deny from
deny from
deny from # BS scraper site bot
deny from 194.44.42. # ukraine
deny from 209.203.192. # Expedite Marketing
deny from 209.203.193.
deny from 209.203.194.
deny from 209.203.195.
deny from 209.203.196.
deny from 209.203.197.
deny from 209.203.198.
deny from 209.203.199.
deny from 209.203.200.
deny from 209.203.201.
deny from 209.203.202.
deny from 209.203.203.
deny from 209.203.204.
deny from 209.203.205.
deny from 209.203.206.
deny from 209.203.207.
deny from 64.62.175. # unknown bandwidth sucker
deny from 219.136.171. # china unknown bot
deny from # spambot
deny from
deny from 210.14.32. # annoying philipines spammer
deny from 220.132.126. # taiwan useragent = 3
deny from 66.194.6. # bandwidth waster
deny from # sitesucker
deny from
deny from
deny from
deny from 198.54. # south africa scams, spam, etc
deny from #
deny from 81.18.32. # nigeria
deny from 81.18.33.
deny from 81.18.34.
deny from 81.18.35.
deny from 81.18.36.
deny from 81.18.37.
deny from 81.18.38.
deny from 81.18.39.
deny from 81.18.40.
deny from 81.18.41.
deny from 81.18.42.
deny from 81.18.43.
deny from 81.18.44.
deny from 81.18.45.
deny from 81.18.46.
deny from 81.18.47.
deny from 192.115.134. # Israel, hacker heaven
deny from # direct revenue bot
deny from #
deny from 204.8.168. #
deny from 204.8.169.
deny from 204.8.170.
deny from 204.8.171.
deny from 64.152.73.
deny from # spambot from russia
deny from # clown using site copier on books
deny from # spambot
deny from # clown hitting with gethtmlcontents3 from secure site
deny from 80.230. # israel
deny from 80.250.32. # nigeria
deny from 80.250.33.
deny from 80.250.34.
deny from 80.250.35.
deny from 80.250.36.
deny from 80.250.37.
deny from 80.250.38.
deny from 80.250.39.
deny from 80.250.40.
deny from 80.250.41.
deny from 80.250.42.
deny from 80.250.43.
deny from 80.250.44.
deny from 80.250.45.
deny from 80.250.46.
deny from 80.250.47.
deny from 69.28.130. #
deny from 213.8. # israel
deny from 64.42.105. # unknown speed bot
deny from 141.85. # romania
deny from 128.238.55. # polybot
deny from 67.68.89. # unknown masking bot
deny from # unknown bot
deny from 81.199. # israel nigeria etc
deny from 195.111. # hungary
deny from 192.115.106. # clown from Israel speed downloading
deny from 204.94.59. # bandwidth waster
deny from # speed ripping unknown agent
deny from 217.73. # romania ukraina russia etc
deny from 217.218. # iran
deny from 217.219. # iran
deny from #
deny from # - new jersey law firm
deny from 213.226.16. # bulgaria
deny from 216.252.167. # idiot from Ghana demands free merch for many emails
deny from 65.102. # WebContent Internatioanl
deny from # bored employees
deny from # DSL bandwidth waster
deny from 193.253.199. # france SE bandwidth waster
deny from 80.179.254. # clown from Israel using downloader
deny from 64.37.103. # spambots and other non customers
deny from # spambot from
deny from
deny from
deny from 64.124.14. #
deny from #
deny from
deny from
deny from
deny from
deny from
deny from
deny from 206.28.72. # bandwidth waster
deny from 206.28.73.
deny from 206.28.74.
deny from 206.28.75.
deny from 206.28.76.
deny from 206.28.77.
deny from 206.28.78.
deny from 206.28.79.
deny from #
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from 158.108. # thailand university
deny from 168.187. # kuwait ministry of communications
deny from 168.188. # korea university
deny from #
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from
deny from 167.24. # and p3p client
deny from # (Israel, hacker heaven)
deny from
deny from
deny from 67.209.128. # clown from TX, wastes bandwidth, abusive feedback
deny from 12.148.209. # bandwidth waster
deny from 12.148.196. # bandwidth waster
deny from 212.19.205. # clown from Netherlands impersonating Webcrawler!
deny from # bandwidth waster (4 IPs)
deny from
deny from
deny from
deny from 211.157.
deny from 211.74.
deny from
deny from
deny from 193.220.178. # abusive crawler from Benin
deny from # abusive OK cable user
deny from # unknown user (java1.4.0_03) slowly crawling whole site!
deny from # unknown .MIL user (keeps hitting one page over and over!)
deny from 63.148.99. # bandwidth waster
deny from 65.118.41. # bandwidth waster
deny from 192.116.85. # abusive crawler, no ref, no ua, Israel?
deny from 62.119.21. # sweden including bot
deny from 80.179.100. # Israeli bot
deny from # guestbook spambot
deny from 64.106.213. # some clown in Jersey, Russian name, hammering links page
deny from 62.220.103. # Iran
allow from all
</Limit>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^-?$ [NC,OR] # blank user-agent
RewriteCond %{HTTP_USER_AGENT} "addresses\.com" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "agnitum" [NC,OR] # firewall sw from Cyprus
RewriteCond %{HTTP_USER_AGENT} aipbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} alkaline [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "almaden" [NC,OR] # IBM unknown crawler
RewriteCond %{HTTP_USER_AGENT} amfibi [NC,OR] # spanish SE
RewriteCond %{HTTP_USER_AGENT} "anarchie" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} anonymous [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "applewebkit" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "art-online" [NC,OR] # France SE
RewriteCond %{HTTP_USER_AGENT} arikus [NC,OR] # webhost
RewriteCond %{HTTP_USER_AGENT} "aspseek" [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} baidu [NC,OR] # chinese language SE
RewriteCond %{HTTP_USER_AGENT} "blackbox" [NC,OR] # HTML to JPG converter
RewriteCond %{HTTP_USER_AGENT} "bordermanager" [NC,OR] # Novell network controller iow workers goofing off
RewriteCond %{HTTP_USER_AGENT} botswana [NC,OR] # Unknown Agent
RewriteCond %{HTTP_USER_AGENT} "bravobrian" [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} bruinbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} btbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "caddbot" [NC,OR] # classified ad bot
RewriteCond %{HTTP_USER_AGENT} ccubee [NC,OR] # czech crawler
RewriteCond %{HTTP_USER_AGENT} cfetch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cfnetwork [NC,OR]
RewriteCond %{HTTP_USER_AGENT} cherry.?picker [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} cjnetworkquality [NC,OR] # bot
RewriteCond %{HTTP_USER_AGENT} claria [NC,OR] #
RewriteCond %{HTTP_USER_AGENT} combine [NC,OR] # swedish harvester
RewriteCond %{HTTP_USER_AGENT} contactbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} convera [NC,OR] #
RewriteCond %{HTTP_USER_AGENT} ConveraCrawler [NC,OR] #
RewriteCond %{HTTP_USER_AGENT} cosmos [NC,OR] # bot
RewriteCond %{HTTP_USER_AGENT} cowbot [NC,OR] # korean naver bot
RewriteCond %{HTTP_USER_AGENT} cuill [NC,OR] #
RewriteCond %{HTTP_USER_AGENT} crescent [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} dattatec [NC,OR] # argentina bot
RewriteCond %{HTTP_USER_AGENT} deepak [NC,OR] # research bot from California
RewriteCond %{HTTP_USER_AGENT} dloader [NC,OR] # unknown downloader
RewriteCond %{HTTP_USER_AGENT} "^DA \d\.\d " [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "DTS Agent" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "^download" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} diamond [NC,OR] #
RewriteCond %{HTTP_USER_AGENT} dtaagent [NC,OR] # bot grabs too fast
RewriteCond %{HTTP_USER_AGENT} dumbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} easydl [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} e?mail.?(collector|magnet|reaper|siphon|sweeper|harvest|collect|wolf) [NC,OR] # spambots
RewriteCond %{HTTP_USER_AGENT} "Educate Search" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} ejupiter [NC,OR] # pathetic SE
RewriteCond %{HTTP_USER_AGENT} entrieva [NC,OR]
RewriteCond %{HTTP_USER_AGENT} [NC,OR]
RewriteCond %{HTTP_USER_AGENT} experimental [NC,OR]
RewriteCond %{HTTP_USER_AGENT} expired [NC,OR]
RewriteCond %{HTTP_USER_AGENT} express [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} extractor [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} faxobot [NC,OR] #
RewriteCond %{HTTP_USER_AGENT} "Fetch API Request" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "fast firstpage retriever" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "fetchbook\.info" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} findexa [NC,OR] # norway SE
RewriteCond %{HTTP_USER_AGENT} findlinks [NC,OR] # german experimental bot
RewriteCond %{HTTP_USER_AGENT} findwhat [NC,OR]
RewriteCond %{HTTP_USER_AGENT} flashget [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} FlickBot [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "Franklin Locator" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} gais [NC,OR] # Chinese SE
RewriteCond %{HTTP_USER_AGENT} gazz/ [NC,OR] # Japanese language bot
RewriteCond %{HTTP_USER_AGENT} geobot [NC,OR] # spain bot
RewriteCond %{HTTP_USER_AGENT} gethtmlcontent [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} getright [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} girafabot [NC,OR] # SE thingy
RewriteCond %{HTTP_USER_AGENT} giveramp [NC,OR]
RewriteCond %{HTTP_USER_AGENT} go.?zilla [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} gonzo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} grabber [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "green research" [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} "green research, inc." [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} gulper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} harvest [NC,OR]
RewriteCond %{HTTP_USER_AGENT} hloader [NC,OR] # unknown downloader
RewriteCond %{HTTP_USER_AGENT} hoowwwer [NC,OR] # finnish SE
RewriteCond %{HTTP_USER_AGENT} html2jpg [NC,OR] # HTML to JPG converter
RewriteCond %{HTTP_USER_AGENT} htmlparser [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "http generic" [NC,OR] # Unknown agent
RewriteCond %{HTTP_USER_AGENT} httpclient [NC,OR] # OD Webdown
RewriteCond %{HTTP_USER_AGENT} httprequest [NC,OR]
RewriteCond %{HTTP_USER_AGENT} httrack [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} ia_archiver [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ichiro [NC,OR] # Japanese language bot (see gazz)
RewriteCond %{HTTP_USER_AGENT} "ie plagin" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "ie plugin" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} imagefetch [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "Indy Library" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "Industry Program" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} "^internet explorer$" [NC,OR] # BS agent
RewriteCond %{HTTP_USER_AGENT} ineturl [NC,OR]
RewriteCond %{HTTP_USER_AGENT} innerprise [NC,OR] #
RewriteCond %{HTTP_USER_AGENT} irlbot [NC,OR] # research bot
RewriteCond %{HTTP_USER_AGENT} ithenticate [NC,OR] # iThenticate spybot
RewriteCond %{HTTP_USER_AGENT} iupui [NC,OR] # Unknown research (spam?) bot
RewriteCond %{HTTP_USER_AGENT} java [NC,OR] # generic textbook bots
RewriteCond %{HTTP_USER_AGENT} jetbot [NC,OR] # Unknown private SE
RewriteCond %{HTTP_USER_AGENT} joedog [NC,OR]
RewriteCond %{HTTP_USER_AGENT} k2spider [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} kuloko [NC,OR] #
RewriteCond %{HTTP_USER_AGENT} lanshan [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lcabotaccept [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} larbin [NC,OR] # unknown (spambot)
RewriteCond %{HTTP_USER_AGENT} lapozz [NC,OR] # BS hungarian bot
RewriteCond %{HTTP_USER_AGENT} law-x [NC,OR] # scraper site bot
RewriteCond %{HTTP_USER_AGENT} linksmanager [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} linkwalker [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} lmcrawler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lmqueuebot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} loopimprovements [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "lwp\:\:simple" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "lwp-trivial" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Mac Finder" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "mister pix" [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "missauga" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} "missigua" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} madlyrics [NC,OR] # Winamp downloader
RewriteCond %{HTTP_USER_AGENT} marvin [NC,OR] # danish/whoever bot
RewriteCond %{HTTP_USER_AGENT} microsoftprototypecrawler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} minirank [NC,OR]
RewriteCond %{HTTP_USER_AGENT} miva [NC,OR]
RewriteCond %{HTTP_USER_AGENT} mizzu [NC,OR] # Mizzu Labs bot
RewriteCond %{HTTP_USER_AGENT} mj12 [NC,OR]
RewriteCond %{HTTP_USER_AGENT} majestic [NC,OR]
RewriteCond %{HTTP_USER_AGENT} mogren [NC,OR] # russian bot
RewriteCond %{HTTP_USER_AGENT} "mozilla\(ie compatible\)" [NC,OR] # BS agent
RewriteCond %{HTTP_USER_AGENT} MSIECrawler [NC,OR] # IE's "make available offline" mode
RewriteCond %{HTTP_USER_AGENT} MSFrontPage [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} msrbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} msproxy [NC,OR] # discontinued proxy software
RewriteCond %{HTTP_USER_AGENT} msx [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} mvaclient [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "my session" [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} "NASA Search" [NC,OR] # bogus clown on comcast
RewriteCond %{HTTP_USER_AGENT} netresearchserver [NC,OR]
RewriteCond %{HTTP_USER_AGENT} netsprint [NC,OR]
RewriteCond %{HTTP_USER_AGENT} netwhat [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nextgensearch [NC,OR] # BW waster
RewriteCond %{HTTP_USER_AGENT} nusearch [NC,OR] # spider OD
RewriteCond %{HTTP_USER_AGENT} nutch [NC,OR] # experimental bot
RewriteCond %{HTTP_USER_AGENT} ocelli [NC,OR] #
RewriteCond %{HTTP_USER_AGENT} offline [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} omniexplorer [NC,OR] # useless bot
RewriteCond %{HTTP_USER_AGENT} "" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} outfoxbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nameprotect [NC,OR] # NameProtect spybot
RewriteCond %{HTTP_USER_AGENT} naver [NC,OR] # Korean robot
RewriteCond %{HTTP_USER_AGENT} net.?(ants|mechanic|spider|vampire|zip) [NC,OR] # ODs
RewriteCond %{HTTP_USER_AGENT} netcaptor [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} nicebot [NC,OR] # stealth bot
RewriteCond %{HTTP_USER_AGENT} nicerspro [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} ninja [NC,OR] # Download Ninja OD
RewriteCond %{HTTP_USER_AGENT} nobody [NC,OR] # Unknown Agent
RewriteCond %{HTTP_USER_AGENT} noxtrum [NC,OR] # spanish private server
RewriteCond %{HTTP_USER_AGENT} NPBot [NC,OR] # NameProtect spybot
RewriteCond %{HTTP_USER_AGENT} "\ obot" [NC,OR] # Unknown bot
RewriteCond %{HTTP_USER_AGENT} "^obot$" [NC,OR] # Unknown bot
RewriteCond %{HTTP_USER_AGENT} openfind [NC,OR] # taiwan bot
RewriteCond %{HTTP_USER_AGENT} panopy [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} patwebbot [NC,OR] # bs bot from germany
RewriteCond %{HTTP_USER_AGENT} peerfactor [NC,OR]
RewriteCond %{HTTP_USER_AGENT} pipeline [NC,OR] # cable account based SE
RewriteCond %{HTTP_USER_AGENT} plink [NC,OR] # stealth bot
RewriteCond %{HTTP_USER_AGENT} "program shareware" [NC,OR] # guestbook spambot
RewriteCond %{HTTP_USER_AGENT} plantynet [NC,OR] # Korean bot
RewriteCond %{HTTP_USER_AGENT} "poe-component-client" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "polybot" [NC,OR] #
RewriteCond %{HTTP_USER_AGENT} psbot [NC,OR] # Picture Downloader
RewriteCond %{HTTP_USER_AGENT} picsearch [NC,OR] # Picture Downloader
RewriteCond %{HTTP_USER_AGENT} qarp [NC,OR]
RewriteCond %{HTTP_USER_AGENT} qcreep [NC,OR] # quepasa in disguise
RewriteCond %{HTTP_USER_AGENT} quepasa [NC,OR] # SouthAmerican bot
RewriteCond %{HTTP_USER_AGENT} "safari" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "^sew$" [NC,OR] # unknown agent
RewriteCond %{HTTP_USER_AGENT} rampybot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} research [NC,OR]
RewriteCond %{HTTP_USER_AGENT} sbider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} schibstedsok [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} scspider [NC,OR] # SpamBot
RewriteCond %{HTTP_USER_AGENT} scumbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} search-o-rama [NC,OR]
RewriteCond %{HTTP_USER_AGENT} searchsight [NC,OR]
RewriteCond %{HTTP_USER_AGENT} searchwarp [NC,OR]
RewriteCond %{HTTP_USER_AGENT} seekbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} seznambot [NC,OR] # czech bot
RewriteCond %{HTTP_USER_AGENT} shim-crawler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} siphon [NC,OR]
RewriteCond %{HTTP_USER_AGENT} sitemapper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} sitesell [NC,OR]
RewriteCond %{HTTP_USER_AGENT} skywalker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} sleuth [NC,OR]
RewriteCond %{HTTP_USER_AGENT} SlySearch [NC,OR] # SlySearch spybot
RewriteCond %{HTTP_USER_AGENT} snagger [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} societyrobot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "sohu agent" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} sohu-search [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} sonicquest [NC,OR]
RewriteCond %{HTTP_USER_AGENT} spider_pro [NC,OR] #
RewriteCond %{HTTP_USER_AGENT} spiderku [NC,OR]
RewriteCond %{HTTP_USER_AGENT} spiderman [NC,OR]
RewriteCond %{HTTP_USER_AGENT} sproose [NC,OR]
RewriteCond %{HTTP_USER_AGENT} sqworm [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} stackrambler [NC,OR] # russian bot
RewriteCond %{HTTP_USER_AGENT} steeler [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} SurveyBot [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} szukacz [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} tcf [NC,OR]
RewriteCond %{HTTP_USER_AGENT} tele(port|soft) [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "test/0" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "test1" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "test 1" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "test rig" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "tsw bot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} terrawiz [NC,OR] # India SE
RewriteCond %{HTTP_USER_AGENT} trademark [NC,OR] # bandwidth waster
RewriteCond %{HTTP_USER_AGENT} transgenikbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Turnitin [NC,OR] # Turnitin spybot
RewriteCond %{HTTP_USER_AGENT} twiceler [NC,OR] #
RewriteCond %{HTTP_USER_AGENT} twotrees [NC,OR] # willow internet crawler
RewriteCond %{HTTP_USER_AGENT} "under the rainbow" [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} "unknown origin" [NC,OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} unchaos [NC,OR] # SE that spams web logs
RewriteCond %{HTTP_USER_AGENT} url2file [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} usyd-nlp [NC,OR] # research spider
RewriteCond %{HTTP_USER_AGENT} "vb openurl" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} visvo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} votay [NC,OR]
RewriteCond %{HTTP_USER_AGENT} voyager [NC,OR]
RewriteCond %{HTTP_USER_AGENT} w3crobot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} w3mir [NC,OR] # site copier
RewriteCond %{HTTP_USER_AGENT} wbdbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} weasel [NC,OR]
RewriteCond %{HTTP_USER_AGENT} weazel [NC,OR]
RewriteCond %{HTTP_USER_AGENT} web.?(auto|bandit|collector|copier|devil|downloader|fetch|hook|mole|miner|mirror|reaper|sauger|sucker|site|snake|stripper|weasel|zip) [NC,OR] # ODs
RewriteCond %{HTTP_USER_AGENT} webclipping [NC,OR] # bandwidth waster
RewriteCond %{HTTP_USER_AGENT} webbug [NC,OR]
RewriteCond %{HTTP_USER_AGENT} webcollage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} webindexer [NC,OR] # development bot
RewriteCond %{HTTP_USER_AGENT} webpix [NC,OR]
RewriteCond %{HTTP_USER_AGENT} webrace [NC,OR] # crawler
RewriteCond %{HTTP_USER_AGENT} webspider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} websquash [NC,OR] # SEO
RewriteCond %{HTTP_USER_AGENT} "wells search" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "wep search" [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} wget [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} [NC,OR] # Clown in NL
RewriteCond %{HTTP_USER_AGENT} "" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} xirq [NC,OR]
RewriteCond %{HTTP_USER_AGENT} yottashopping [NC,OR]
RewriteCond %{HTTP_USER_AGENT} zao/ [NC,OR] # experimental Japan crawler
RewriteCond %{HTTP_USER_AGENT} zedzo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} zeus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} zspider [NC,OR]
RewriteCond %{HTTP_REFERER} [NC,OR] # spam bot
RewriteCond %{HTTP_REFERER} wizard.yellowbrick.oz [NC,OR] # spam bot
RewriteCond %{HTTP_REFERER} brandimensions [NC,OR] # bandidth waster
RewriteCond %{HTTP_REFERER} imgurl= [NC,OR]
RewriteCond %{HTTP_REFERER} imgrefurl= [NC,OR]
RewriteCond %{REMOTE_ADDR} ^193.95.([1-2][0-9][0-9]). [NC,OR] # slovenia etc
RewriteCond %{REMOTE_ADDR} ^203.147.([0-4][0-9]). [NC,OR] # thailand
RewriteCond %{REMOTE_ADDR} ^80.87.([3-9][0-9]). [NC,OR] # ghana russia etc
RewriteCond %{REMOTE_ADDR} ^80.88.(1[0-5][0-9]). [NC,OR]
RewriteCond %{REMOTE_ADDR} ^203.87.(1[2-9][0-9]). [NC,OR] # philippines
RewriteCond %{REMOTE_ADDR} ^218.(1[0-9][0-9]). [NC,OR] # china korea
RewriteCond %{REMOTE_ADDR} ^211.([1-9][0-9]). [NC,OR] # china korea
RewriteCond %{REMOTE_ADDR} ^66.150.55.(2[2-3][0-9]). [NC,OR] # stealth bot
RewriteCond %{REMOTE_ADDR} ^64.110.([4-9][0-9]). [NC,OR]
RewriteCond %{REMOTE_ADDR} ^64.110.(1[0-8][0-9]). [NC]
RewriteRule .* - [F,L]
Options -Indexes
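To see which visitors a list like the one above actually turns away, here is an added example, my own code rather than part of Xavier's post or of the .htaccess itself: a small Python evaluator that parses RewriteCond lines in this syntax and applies mod_rewrite's chaining semantics ([OR] conditions form a chain that any single match satisfies; the first condition without [OR] closes the chain; chains are ANDed; the closing RewriteRule .* - [F,L] then answers 403). The embedded rule set is a constructed excerpt of the list above, and the user-agent strings and IP addresses are constructed test inputs.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the blocklist above, kept in its original syntax (quoted
# and bare patterns, [NC,OR] flags, trailing comments). One line whose pattern did
# not survive this copy of the file is included to show that such lines are
# reported, not guessed. Sample input, not the complete file.
RULESET = r'''
RewriteCond %{HTTP_USER_AGENT} "applewebkit" [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} e?mail.?(collector|magnet|reaper|siphon|sweeper|harvest|collect|wolf) [NC,OR] # spambots
RewriteCond %{HTTP_USER_AGENT} "^DA \d\.\d " [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "\ obot" [NC,OR] # Unknown bot
RewriteCond %{HTTP_USER_AGENT} "" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} wget [NC,OR] # OD
RewriteCond %{HTTP_REFERER} imgurl= [NC,OR]
RewriteCond %{REMOTE_ADDR} ^66.150.55.(2[2-3][0-9]). [NC,OR] # stealth bot
RewriteCond %{REMOTE_ADDR} ^64.110.(1[0-8][0-9]). [NC]
RewriteRule .* - [F,L]
'''

# RewriteCond %{VAR} pattern [flags] # comment  -- pattern is quoted or a bare token
COND_RE = re.compile(
    r'^RewriteCond\s+%\{(?P<var>[A-Z_]+)\}\s+'
    r'(?P<pat>"(?:[^"\\]|\\.)*"|[^\s\["]\S*)'
    r'(?:\s+\[(?P<flags>[^\]]*)\])?'
)


@dataclass
class Cond:
    var: str            # HTTP_USER_AGENT, HTTP_REFERER or REMOTE_ADDR
    regex: re.Pattern
    or_next: bool       # [OR]: chained with the condition that follows
    raw: str


def parse(text):
    """Return (conditions, skipped_lines); lines without a usable pattern are skipped."""
    conds, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith('RewriteCond'):
            continue
        m = COND_RE.match(line)
        if m is None or m.group('pat') == '""':
            skipped.append(line)
            continue
        pat = m.group('pat')
        if pat.startswith('"'):
            pat = pat[1:-1].replace('\\"', '"')
        flags = {f.strip().upper() for f in (m.group('flags') or '').split(',') if f.strip()}
        conds.append(Cond(m.group('var'),
                          re.compile(pat, re.IGNORECASE if flags & {'NC', 'NOCASE'} else 0),
                          bool(flags & {'OR', 'ORNEXT'}), line))
    return conds, skipped


def evaluate(conds, env):
    """Mirror mod_rewrite's condition loop: [OR] conditions form a chain that any
    single match satisfies and that the first condition without [OR] closes;
    chains are ANDed. Returns (rule_fires, matched_condition_lines)."""
    matched, i, n = [], 0, len(conds)
    while i < n:
        c = conds[i]
        hit = c.regex.search(env.get(c.var, '')) is not None
        if hit:
            matched.append(c.raw)
        if c.or_next:
            if hit:  # chain satisfied: skip its remaining members and the closing condition
                while i < n and conds[i].or_next:
                    i += 1
        elif not hit:
            return False, matched  # a closing (AND) condition failed
        i += 1
    return True, matched  # a chain left open by a trailing [OR] cannot fail


def would_block(ruleset, user_agent='', referer='', remote_addr=''):
    """(True, matches) if RewriteRule .* - [F,L] would answer 403 to this request."""
    conds, _ = parse(ruleset)
    env = {'HTTP_USER_AGENT': user_agent, 'HTTP_REFERER': referer, 'REMOTE_ADDR': remote_addr}
    return evaluate(conds, env)


if __name__ == '__main__':
    # Constructed test requests: two ordinary browsers, one download tool, two source addresses.
    chrome = 'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0 Safari/537.36'
    firefox = 'Mozilla/5.0 (Windows NT 10.0; rv:55.0) Gecko/20100101 Firefox/55.0'
    for ua, ip in [(chrome, '198.51.100.7'), (firefox, '198.51.100.7'), ('Wget/1.19', '198.51.100.7'),
                   (firefox, '66.150.55.230'), (firefox, '64.110.150.9')]:
        fires, why = would_block(RULESET, user_agent=ua, remote_addr=ip)
        print(f'{ip:15} {ua[:42]:42} -> {"403" if fires else "pass"} {why}')
```

Two things the evaluator makes visible in the list above: the applewebkit and safari conditions are unanchored substring matches, so every WebKit-based browser user-agent gets a 403, not only the download tools the comments name; and the `^66.150.55.(2[2-3][0-9]).` condition ends with a `.` that must consume one more character after the last octet, so no dotted-quad address can ever match it. The REMOTE_ADDR patterns also leave the octet separators as unescaped dots, which is harmless for dotted-quad input but means the comments' country labels only cover the third-octet window each regex actually spells out (218.100 to 218.199, for instance, not all of 218/8).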


[The post Who’s Blocked by Bad Guys? has been first published on /dev/random]

from Xavier

Thursday, August 17, 2017

Microsoft Security Intelligence Report Volume 22 is now available

The latest volume of the Microsoft Security Intelligence Report is now available for free download at

This new volume of the report includes threat data from the first quarter of 2017. The report also provides specific threat data for over 100 countries/regions. As mentioned in a recent blog, using the tremendous breadth and depth of signal and intelligence from our various cloud and on-premises solutions deployed globally, we investigate threats and vulnerabilities and regularly publish this report to educate enterprise organizations on the current state of threats and recommended best practices and solutions.

In this 22nd volume, we’ve made two significant changes:

  • We have organized the data sets into two categories, cloud and endpoint. Most enterprises now run hybrid environments, and it is important to provide more holistic visibility across both.
  • We are sharing data from a shorter time period, one quarter (January 2017 – March 2017), instead of the typical six months, as we shift our focus to delivering improved and more frequent updates in the future.

The threat landscape is constantly changing. Going forward, we plan to improve how we share these insights and to share data more frequently, so that you have more timely visibility into the latest threats. We are committed to continuing our investment in researching and sharing the latest security intelligence with you, as we have for over a decade. This shift in our approach is rooted in a principle that guides Microsoft technology investments: to leverage vast data and unique intelligence to help our customers respond to threats faster.

Here are 3 key findings from the report:

As organizations migrate more and more to the cloud, the frequency and sophistication of attacks on consumer and enterprise accounts in the cloud are growing.

  • There was a 300 percent increase in Microsoft cloud-based user accounts attacked year-over-year (Q1-2016 to Q1-2017).
  • The number of account sign-ins attempted from malicious IP addresses has increased by 44 percent year over year in Q1-2017.

Cloud services such as Microsoft Azure are perennial targets for attackers seeking to compromise and weaponize virtual machines and other services, and these attacks are taking place across the globe.

  • Over two-thirds of incoming attacks on Azure services in Q1-2017 came from IP addresses in China and the United States, at 35.1 percent and 32.5 percent, respectively. Korea was third at 3.1 percent, followed by 116 other countries and regions.

Ransomware is affecting different parts of the world to varying degrees.

  • Ransomware encounter rates are the lowest in Japan (0.012 percent in March 2017), China (0.014 percent), and the United States (0.02 percent).
  • Ransomware encounter rates in Q1-2017 were highest in Europe compared with the rest of the world.
    • Multiple European countries, including the Czech Republic (0.17 percent), Italy (0.14 percent), Hungary (0.14 percent), Spain (0.14 percent), Romania (0.13 percent), Croatia (0.13 percent), and Greece (0.12 percent) had much higher ransomware encounter rates than the worldwide average in March 2017.

Download Volume 22 of the Microsoft Security Intelligence Report today to access additional insights:

from Microsoft Secure Blog Staff

[SANS ISC] Maldoc with auto-updated link

I published the following diary on “Maldoc with auto-updated link”.

Yesterday, while hunting, I found another malicious document that (ab)used a Microsoft Word feature: auto-update of links. This feature is enabled by default for any newly created document (that was the case for my Word 2016 version). If you add links to external resources like URLs, Word will automatically update them without any warning or prompt… [Read more]

[The post [SANS ISC] Maldoc with auto-updated link has been first published on /dev/random]

from Xavier
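As an added example to go with the diary (my own code, not Xavier's and not taken from the diary), here is a small Python triage script that opens a .docx as the zip container it is and reports the places where an externally updated link can live: relationships with TargetMode="External", field codes that fetch content from elsewhere (INCLUDEPICTURE, INCLUDETEXT, LINK, IMPORT, HYPERLINK; DDE and DDEAUTO are listed with them because they start another program), and the w:updateFields setting that asks Word to refresh fields when the file is opened. The sample document it builds, the URL inside it and the field-code list are constructed for the example; the diary excerpt above does not say which of these its maldoc used.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = 'http://schemas.openxmlformats.org/wordprocessingml/2006/main'
R = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships'
PR = 'http://schemas.openxmlformats.org/package/2006/relationships'

# Field codes that pull content from elsewhere (DDE/DDEAUTO additionally start another program).
FIELD_RE = re.compile(r'^\s*(INCLUDEPICTURE|INCLUDETEXT|LINK|IMPORT|HYPERLINK|DDE|DDEAUTO)\b', re.I)


def build_sample_docx(target='http://example.invalid/x.png', update_on_open=True):
    """Constructed minimal .docx: an external image relationship, an INCLUDEPICTURE
    field pointing at the same URL and, optionally, the updateFields setting.
    Sample input for the scanner, not a real malicious document."""
    document_xml = (
        f'<w:document xmlns:w="{W}" xmlns:r="{R}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "{target}" \\d </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    rels_xml = (
        f'<Relationships xmlns="{PR}">'
        f'<Relationship Id="rId1" Type="{R}/image" Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    settings_xml = (f'<w:settings xmlns:w="{W}">'
                    + ('<w:updateFields w:val="true"/>' if update_on_open else '')
                    + '</w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('[Content_Types].xml',
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr('word/document.xml', document_xml)
        z.writestr('word/_rels/document.xml.rels', rels_xml)
        z.writestr('word/settings.xml', settings_xml)
    return buf.getvalue()


def scan_docx(data):
    """Return (kind, part, detail) tuples: every relationship with TargetMode="External",
    every field code matching FIELD_RE, and an updateFields setting that is switched on."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.endswith('.xml') or name.endswith('.rels')):
                continue
            root = ET.fromstring(z.read(name))
            if name.endswith('.rels'):
                for rel in root.iter(f'{{{PR}}}Relationship'):
                    if rel.get('TargetMode') == 'External':
                        findings.append(('external-rel', name, rel.get('Target')))
                continue
            # Complex fields keep their code in instrText runs, often split over several
            # runs, so the runs of each paragraph are joined before matching.
            for para in root.iter(f'{{{W}}}p'):
                instr = ''.join(t.text or '' for t in para.iter(f'{{{W}}}instrText'))
                if FIELD_RE.match(instr):
                    findings.append(('field', name, instr.strip()))
            # Simple fields carry the code in an attribute instead.
            for fld in root.iter(f'{{{W}}}fldSimple'):
                instr = fld.get(f'{{{W}}}instr', '')
                if FIELD_RE.match(instr):
                    findings.append(('field', name, instr.strip()))
            # w:updateFields without a w:val attribute means "true" in OOXML.
            uf = root.find(f'{{{W}}}updateFields')
            if uf is not None and uf.get(f'{{{W}}}val', 'true').lower() in ('true', '1', 'on'):
                findings.append(('update-fields-on-open', name, 'w:updateFields'))
    return findings


if __name__ == '__main__':
    for kind, part, detail in scan_docx(build_sample_docx()):
        print(f'{kind:22} {part:32} {detail}')
```

The script does not decide whether Word would actually fetch a given target on open; that depends on field switches and on Word options the document itself does not carry. It only surfaces the candidate links so the URLs can be checked, and the sample blocked, before anyone opens the file.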