Microsoft Defender SmartScreen

AppWizard
May 14, 2025
Since April 2024, the threat actor Marbled Dust has been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger chat application; Srimax, the application's developer, released a fix after Microsoft reported the flaw, so servers still running unpatched versions remain exposed. The exploitation has resulted in the collection of sensitive data from users in Iraq linked to the Kurdish military, an assessment Microsoft holds with high confidence; Marbled Dust first performs reconnaissance to identify organizations that use Output Messenger. A second vulnerability (CVE-2025-27921) was also found, but no exploitation of it has been observed. CVE-2025-27920 is a directory traversal flaw that lets an authenticated user upload files into the server's startup directory, so the attacker needs working credentials before it is useful: the attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager, likely through DNS hijacking or another credential-interception technique. Once in, the actor uses the flaw to drop the backdoor OMServerService.vbs into the startup folder, where it runs automatically each time the server starts, and drops further files, including a Go-language backdoor that connects to a Marbled Dust command-and-control domain for data exfiltration. Because the backdoor runs on the server rather than on one client, it gives the actor access to the communications and data of every user indiscriminately. To mitigate this threat, Microsoft recommends updating to the latest version of Output Messenger, enabling the available security protections, and implementing rigorous vulnerability management. Microsoft Defender XDR customers can identify related activity through alerts that reference Marbled Dust and through advanced hunting queries. Indicators of compromise include traffic to the domain api.wordinfos[.]com, associated with Marbled Dust activity.
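The following host triage script is an added example and is not code from Microsoft's advisory, from Srimax, or from the page. It checks a Windows host for the two indicators named in the entry (the OMServerService.vbs startup-folder backdoor and resolution of api.wordinfos[.]com) and prints an equivalent Defender XDR advanced hunting query for fleet-wide checks. The startup locations searched, the extra script extensions flagged, the Add-Finding helper and the hunting query are our assumptions, not indicators from the advisory.

```powershell
# Added triage script for the Output Messenger intrusion described above. It is not
# Microsoft's or Srimax's code. Assumptions (ours): it runs elevated on the Windows host
# that serves Output Messenger, and the startup locations listed below are the ones to
# check; the two indicators are the ones named in the entry (the domain is written
# defanged there as api.wordinfos[.]com).

$Indicators = @{
    FileName = 'OMServerService.vbs'
    Domain   = 'api.wordinfos.com'
}

# Startup locations that execute scripts automatically at boot or logon (assumption: the
# dropped file lands in one of these).
$StartupDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
    [Environment]::GetFolderPath('Startup')
)

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Type, [string]$Detail, [string]$Extra) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail; Extra = $Extra })
}

# 1. Known backdoor file, plus any other script dropped into a startup folder.
foreach ($dir in $StartupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $isIoc = ($_.Name -eq $Indicators.FileName)   # -eq is case-insensitive in PowerShell
        if ($isIoc -or ($_.Extension -in @('.vbs', '.js', '.bat', '.cmd', '.ps1'))) {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $type = if ($isIoc) { 'KnownIoC-StartupBackdoor' } else { 'SuspiciousStartupScript' }
            Add-Finding $type $_.FullName "sha256=$hash created=$($_.CreationTimeUtc.ToString('u'))"
        }
    }
}

# 2. DNS client cache: a cached record means something on this host resolved the C2 domain recently.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$($Indicators.Domain)*" } |
    ForEach-Object { Add-Finding 'C2-DnsCacheHit' $_.Entry "data=$($_.Data) ttl=$($_.TimeToLive)s" }

# 3. Report. Collect evidence rather than deleting it: the file and its hash feed alert
#    triage and the advanced hunting queries referenced in the entry.
if ($Findings.Count -eq 0) {
    Write-Output 'No Marbled Dust / Output Messenger indicators found on this host.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}

# Equivalent Defender XDR advanced hunting query (our own, written against the documented
# DeviceFileEvents and DeviceNetworkEvents tables) for checking every onboarded device:
$HuntingQuery = @'
union
  (DeviceFileEvents
   | where FileName =~ "OMServerService.vbs" and FolderPath has "StartUp"
   | project Timestamp, DeviceName, Indicator="StartupBackdoor", Detail=FolderPath),
  (DeviceNetworkEvents
   | where RemoteUrl has "wordinfos.com"
   | project Timestamp, DeviceName, Indicator="C2Domain", Detail=RemoteUrl)
| order by Timestamp desc
'@
Write-Output $HuntingQuery
```

Any script in a startup folder is worth a look on a server that should only run Output Messenger, which is why the loop flags script extensions beyond the named file; a DNS-cache hit with no file finding still matters, because the Go backdoor may have been moved or the .vbs cleaned up after it ran.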
Winsage
March 10, 2025
Microsoft has revised its support documentation to highlight how to recognize unsafe applications on Windows 10 and encourages users to upgrade to Windows 11. The documentation sorts applications into three groups: clean apps (from the Microsoft Store or pre-installed), malware (malicious software, typically arriving from untrusted sources), and potentially unwanted apps (PUAs), which are not necessarily malicious but can degrade the user experience and performance. Microsoft warns that after October 14, 2025, Windows 10 will no longer receive security updates, leaving it increasingly exposed to cyber threats. Upgrading to Windows 11 adds protections such as Smart App Control. To clean-install Windows 11, users download the Media Creation Tool, use it to create a bootable USB drive, and install Windows 11 from it on the target PC, after confirming that the PC meets the Windows 11 hardware requirements. After upgrading, users are advised to turn on potentially unwanted app blocking in the Privacy & security settings (Windows Security > App & browser control > Reputation-based protection). To minimize risk, Microsoft recommends downloading apps from the Microsoft Store, keeping Windows 11 updated, and browsing with Microsoft Edge with SmartScreen enabled.
Winsage
March 8, 2025
Microsoft is encouraging users to move from Windows 10 to Windows 11; Windows 11 currently holds about 38% market share against nearly 60% for Windows 10. In February 2024 Microsoft launched a promotional campaign to highlight the benefits of Windows 11, and by June it was working to dispel myths about the new operating system. The company emphasized security features, particularly Smart App Control, which blocks apps that are unsigned or have no established reputation and so helps protect against potentially unwanted applications (PUAs). The updated support page for Windows 11 recommends downloading apps from trusted sources, using up-to-date antivirus software, and keeping devices updated. Smart App Control is only available on a clean installation of Windows 11; a device upgraded in place from Windows 10 must be reset (Reset this PC) before it can be turned on.
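As an added example serving both the March 10 and March 8 entries (it is our code, not code from the Microsoft support pages), the following script audits the settings those entries recommend, Defender's PUA blocking, SmartScreen in Edge and in the Windows shell, and the Smart App Control state, and can enforce the subset a script is allowed to change. The -Apply switch, the helper functions and the reliance on the documented registry policy paths are assumptions.

```powershell
# Added audit-and-harden script for the settings the two entries above describe. It is our
# example, not code from the Microsoft support pages. Assumptions (ours): it runs in an
# elevated PowerShell on Windows 10 or 11 with Microsoft Defender Antivirus active, the
# registry policy paths are the documented ones, and -Apply is our own switch for enforcing
# the settings that can be changed from a script.
[CmdletBinding()]
param([switch]$Apply)

$Checks = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Setting, $Actual, $Accepted) {
    # $Accepted is one value or an array of acceptable values.
    $Checks.Add([pscustomobject]@{
        Setting  = $Setting
        Actual   = $Actual
        Accepted = ($Accepted -join ' | ')
        Ok       = ($null -ne $Actual -and $Actual -in @($Accepted))
    })
}
function Get-PolicyValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
function Set-PolicyValue([string]$Path, [string]$Name, $Value, [string]$Type) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Defender PUA protection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (detect only).
$pua = [int](Get-MpPreference).PUAProtection
Add-Check 'Defender PUAProtection' $pua 1
if ($Apply -and $pua -ne 1) { Set-MpPreference -PUAProtection Enabled }

# 2. Tamper Protection and real-time protection, read-only: Tamper Protection is toggled in
#    Windows Security or through Intune, deliberately not through Set-MpPreference.
$status = Get-MpComputerStatus
Add-Check 'Tamper Protection'    $status.IsTamperProtected         $true
Add-Check 'Real-time protection' $status.RealTimeProtectionEnabled $true

# 3. Edge policies: SmartScreen on, and SmartScreen blocking of PUA downloads on (DWORD 1).
$edge = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
foreach ($name in 'SmartScreenEnabled', 'SmartScreenPuaEnabled') {
    $val = Get-PolicyValue $edge $name
    Add-Check "Edge policy $name" $val 1
    if ($Apply -and $val -ne 1) { Set-PolicyValue $edge $name 1 'DWord' }
}

# 4. Windows shell SmartScreen for downloaded apps and files: enabled, level Warn or Block.
$sys     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$enabled = Get-PolicyValue $sys 'EnableSmartScreen'
$level   = Get-PolicyValue $sys 'ShellSmartScreenLevel'
Add-Check 'Shell EnableSmartScreen'     $enabled 1
Add-Check 'Shell ShellSmartScreenLevel' $level   @('Warn', 'Block')
if ($Apply) {
    if ($enabled -ne 1)                        { Set-PolicyValue $sys 'EnableSmartScreen' 1 'DWord' }
    if ($level -notin @('Warn', 'Block'))      { Set-PolicyValue $sys 'ShellSmartScreenLevel' 'Warn' 'String' }
}

# 5. Smart App Control: 0 = off, 1 = on, 2 = evaluation. Reported only: as the March 8 entry
#    notes, it can only be turned on by a clean install or Reset this PC, so writing this
#    value would not enable it.
$sac = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' 'VerifiedAndReputablePolicyState'
Add-Check 'Smart App Control state' $sac 1

$Checks | Format-Table -AutoSize
$failing = @($Checks | Where-Object { -not $_.Ok }).Count
if ($failing -gt 0 -and -not $Apply) {
    Write-Output "$failing setting(s) not at the recommended value; re-run with -Apply to enforce those a script can set."
}
```

Run it once without -Apply to get the report, and note the two rows it will never fix: Tamper Protection, which is meant to resist scripted changes, and Smart App Control, which the in-place-upgrade caveat above makes a reinstall decision rather than a setting.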
Winsage
February 10, 2025
Microsoft is exploring deeper integration of Copilot into Edge, with potential additions including a troubleshooter in the Settings menu, automatic activation of the Copilot sidebar when the browser launches on Windows 10 and 11, and an "Ask Copilot" button in the Settings app; references in the browser suggest Copilot could also activate when a new tab is opened. Separately, Edge version 133 introduced an AI-driven "Scareware Blocker" preview on Windows 11 that uses an on-device machine-learning model to recognize full-screen tech-support-scam pages and warn the user in real time. The feature is expected to improve over time and complements Microsoft Defender SmartScreen, which blocks sites already known to be malicious.
Winsage
October 19, 2024
Google's Chrome holds about a 65% market share and faces possible break-up remedies sought by the Department of Justice. Microsoft is promoting its Edge browser to Windows users, highlighting the security features it gains from Microsoft Defender SmartScreen, and encourages enterprises to adopt Edge on the theory that employees who use it at work will also use it at home, eroding Chrome's user base. In response, Google has launched a campaign to reassure its 3 billion Chrome users about its security measures, emphasizing its innovations and commitment to user safety. Google is also addressing privacy concerns around tracking cookies and plans to introduce an opt-in tracking mechanism, while Microsoft is developing a "Privacy-Preserving Ads API" for Edge. Both companies treat security and privacy as key competitive factors. Chrome has recently updated to version 130.0.6723.58/.59; users should restart the browser after the update, since the patched build is not running until the browser relaunches.
Winsage
October 12, 2024
Microsoft has warned Windows users about a rise in attacks that abuse legitimate file-hosting services to evade security controls. These attacks lead victims to fraudulent websites designed to harvest credentials, and Microsoft recommends Microsoft Edge, which integrates Microsoft Defender SmartScreen to block malicious sites. Microsoft had earlier advised Chrome users to update or stop using the browser because of a zero-day vulnerability, again encouraging a shift to Edge. The attacks abuse trusted platforms such as Dropbox and OneDrive to trick users into opening malicious files; Microsoft recommends pairing Edge with Conditional Access policies and Microsoft Defender. Separately, Microsoft is developing a privacy-preserving ads API for Edge to improve user privacy while addressing third-party cookie tracking; the API is in limited preview and must be enabled manually in specific regions.
Winsage
October 9, 2024
Microsoft has warned Windows users about an increase in sophisticated attacks that abuse legitimate file-hosting services to evade security measures. The lures lead to fraudulent websites that steal credentials and are delivered through trusted platforms such as Dropbox, SharePoint, and OneDrive. Microsoft recommends Microsoft Edge, which blocks malicious websites automatically through Microsoft Defender SmartScreen, and advises enterprises to standardize on Edge and apply Conditional Access policies. A recent trend is sharing the lure file with restricted access or view-only settings: only the intended recipient can open it, and only after signing in, so automated security scanners cannot fetch or detonate the content, and the phishing link inside is exposed only to the human reader. The end goal is typically theft of organizational credentials for financial gain.
Tech Optimizer
October 4, 2024
Session hijacking has evolved to bypass multi-factor authentication (MFA): Microsoft reported 147,000 token replay attacks in 2023, a 111% increase over the previous year, and Google has noted that session-cookie attacks now rival password-focused attacks. Modern techniques include Adversary-in-the-Middle (AitM) phishing, in which a proxy relays the victim's login to the real site and captures the post-MFA session cookie; Browser-in-the-Middle (BitM), in which the victim unknowingly drives a browser the attacker controls; and infostealers, which lift every session cookie and saved credential from the browser's local storage on the endpoint. Infostealers accounted for 43% of malware detected in 2023 according to the 2024 Sophos Threat Report, and advanced variants evade Endpoint Detection and Response (EDR) systems. Recommended countermeasures include limiting the exposure of personal information, deploying robust antivirus and EDR, and enforcing in-app controls that notice when a session token is reused from a new device or location.
Winsage
September 27, 2024
In the early 2000s, third-party antivirus products dominated Windows security until Microsoft released Microsoft Security Essentials in 2009, which grew into a comprehensive security product. With the launch of Windows 8, Security Essentials was folded into Windows Defender, which went on to become the suite of security products in Windows 10 and 11. Microsoft Defender Antivirus protects against threats such as keyloggers and screen scrapers using artificial intelligence, machine learning, and the Microsoft Intelligent Security Graph. Key protection mechanisms include Secure Boot, Trusted Boot, and Measured Boot, which verify the boot chain before the operating system loads; multiple detection engines for malware identification; Tamper Protection, which prevents malware from switching off security features; and Microsoft Defender SmartScreen, which blocks malware downloads based on reputation. Microsoft recommends Microsoft Defender for Endpoint for enhanced enterprise protection.