Updated on October 11, with details of Microsoft Edge’s proposed new technology to take on Google Chrome over user privacy as well as security.
Microsoft’s Warning and Recommendations
Microsoft has recently issued a significant warning to millions of Windows users, highlighting a concerning trend where “threat actors increasingly use [new] tactics aimed at circumventing defense mechanisms.” Over the past six months, these attacks have intensified, prompting the company to provide a comprehensive set of recommendations for users and enterprises alike.
These attacks misuse legitimate file hosting services and employ sophisticated defense evasion tactics, including files with restricted access and view-only settings. At their core, the attacks still rely on fraudulent websites designed to harvest user credentials, and that reliance is the critical point at which users can effectively thwart them.
In response, Microsoft recommends leveraging Microsoft Edge to automatically identify and block malicious websites, particularly those involved in phishing campaigns. This capability is powered by the integration of Edge with Microsoft Defender SmartScreen, which serves as an early warning system against potential phishing attacks or malware distribution.
Last month, Microsoft issued a similar advisory to Chrome users following the discovery of a zero-day vulnerability. This prompted the U.S. government to mandate that all federal employees either update Chrome or discontinue its use entirely. In that advisory, Microsoft urged enterprises to promote the use of “Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen,” effectively steering users away from Google Chrome.
While the previous advisory had a specific angle, this latest recommendation reflects Microsoft’s broader strategy to enhance enterprise security against business compromises. The company has faced scrutiny for its security warnings directed at users installing Chrome on Windows PCs, and this latest advisory appears to be part of a concerted effort to transition Chrome users to Edge.
Exploiting Trusted File-Sharing Platforms
The attacks identified by Microsoft exploit trusted file-sharing platforms such as Dropbox, SharePoint, and OneDrive. By masquerading as legitimate communications from within an organization, these threats trick employees into opening files that appear secure. The familiarity and trust associated with these services make them attractive targets for threat actors, who can deliver malicious files and links while evading traditional security measures.
Although these types of attacks are not new, Microsoft has noted a recent twist: the use of files with restricted access or view-only settings. These tactics are designed to deceive enterprise security systems and instill trust in users regarding the malicious payloads. Microsoft explains that often, users from trusted vendors are added to allow lists through policies set by organizations on Exchange Online products, facilitating the successful delivery of phishing emails.
The objectives of these attacks typically revolve around the theft of organizational credentials and unauthorized access to business systems for financial gain. By initiating the attack from within a trusted environment, bad actors can tailor filenames to appear relevant to ongoing engagements. For instance, if two organizations have previously interacted regarding an audit, the shared files might be named ‘Audit Report 2024’, further enhancing the deception.
Once a user authenticates through multi-factor authentication (MFA) to access a legitimate file-sharing platform, they may encounter a file that masquerades as a preview but contains a malicious link. This link directs the user to a fraudulent website, where they are prompted to provide their password and complete MFA again. The compromised token can then be exploited by the threat actor to execute the second stage of the attack.
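As an added example (not from Microsoft's advisory or the original article), the sketch below shows one defender-side heuristic for the chain described above: a second MFA completion for the same user within minutes of the first, from a different source address. The record layout, the sample sign-ins and the 10-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sign-in records in a hypothetical layout (not a real product's
# log schema): (ISO timestamp, user, source IP, MFA completed?).
SIGNINS = [
    ("2024-10-08T09:00:05", "alice@example.com", "198.51.100.7", True),
    ("2024-10-08T09:04:31", "alice@example.com", "203.0.113.50", True),
    ("2024-10-08T10:15:00", "bob@example.com", "192.0.2.14", True),
    ("2024-10-08T18:30:00", "bob@example.com", "192.0.2.99", True),
    ("2024-10-08T11:00:00", "carol@example.com", "198.51.100.9", True),
    ("2024-10-08T11:03:00", "carol@example.com", "198.51.100.9", True),
    ("2024-10-08T12:00:00", "dave@example.com", "198.51.100.20", True),
    ("2024-10-08T12:02:00", "dave@example.com", "203.0.113.77", False),
]


def repeated_mfa_from_new_ip(signins, window=timedelta(minutes=10)):
    """Find users who completed MFA twice within `window` from different IPs.

    Returns a list of (user, first_ip, second_ip, gap_seconds). A quick
    second MFA from a new address matches the pattern where the user
    signs in to the real file-sharing service and is then prompted to
    authenticate again through a look-alike page.
    """
    last_mfa = {}  # user -> (timestamp, ip) of the most recent MFA completion
    hits = []
    # ISO 8601 strings sort chronologically, so a plain sort orders by time.
    for time_str, user, ip, mfa_ok in sorted(signins):
        if not mfa_ok:
            continue  # failed or absent MFA is a different signal
        ts = datetime.fromisoformat(time_str)
        prev = last_mfa.get(user)
        if prev and ip != prev[1] and ts - prev[0] <= window:
            gap = int((ts - prev[0]).total_seconds())
            hits.append((user, prev[1], ip, gap))
        last_mfa[user] = (ts, ip)
    return hits


if __name__ == "__main__":
    for user, first_ip, second_ip, gap in repeated_mfa_from_new_ip(SIGNINS):
        print(f"{user}: MFA from {first_ip}, again from {second_ip} after {gap}s")
```

A hit is a lead for review rather than proof of compromise, since VPN reconnects and network changes produce the same pattern.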
Microsoft’s Comprehensive Security Approach
To counter these threats, Microsoft emphasizes the importance of using Edge alongside conditional access policies, which can restrict access based on various signals, and the broader use of Microsoft Defender. “By understanding these evolving threats and implementing the recommended mitigations,” Microsoft asserts, “organizations can better protect themselves against these sophisticated campaigns and safeguard digital assets.”
This push for Windows users to adopt Edge is not solely about security; performance improvements have also been highlighted as part of the campaign. The strategic positioning of Edge as a recommendation from Chief Information Security Officers (CISOs) rather than merely a user choice could potentially increase its adoption, especially if the browser continues to perform well against Chrome’s dominance in the desktop market.
Privacy Innovations in Microsoft Edge
Beyond security and performance, Microsoft is also making strides in addressing user privacy concerns within its Edge ecosystem. Recently, the company announced a limited preview of a new privacy-preserving ads API for developers on the Canary and Dev channels of Microsoft Edge. Dubbed the Ad Selection API, this initiative aims to display online ads in a manner that respects user privacy, moving away from traditional third-party cookies that track user behavior across the web.
Microsoft’s proposal is said to share similarities with other ad-serving frameworks but introduces core differences that could facilitate a transition to privacy-preserving advertising APIs within the open web ecosystem. This development comes at a crucial time, as Google grapples with finding a suitable replacement for tracking cookies that satisfies both the ad industry and regulatory bodies.
“We want to make the use of privacy-preserving advertising viable,” Microsoft states, acknowledging the current challenges in this area. Google’s latest proposal allows consumers to opt out of tracking cookies in favor of a semi-anonymized tracking platform, which could face significant opt-out rates similar to those seen with Apple’s privacy changes. In this context, alternative solutions like Microsoft’s may prove to be compelling options.
Despite being at a disadvantage compared to Chrome, Microsoft’s focus on security, performance, and privacy could pave the way for a more competitive landscape. As the tech giant gradually rolls out this functionality, users may need to manually enable the new API by navigating to edge://flags#edge-ad-selection-api in the URL bar. However, it’s worth noting that this preview is currently limited to specific regions, excluding the European Economic Area (EEA) and the UK.