Security Unlocked 9.1.21
Ep 43 | 9.1.21

Battling BazaCall BuzzKill

Transcript

Nic Fillingham: Hello, and welcome to "Security Unlocked," a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft security, engineering and operations teams. I'm Nic Fillingham.

Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft security, deep dive into the newest threat intel, research and data science. 

Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft security. 

Natalia Godyla: And now let's unlock the pod. 

Natalia Godyla: Hello, everyone. Welcome to another episode of "Security Unlocked." Today, we are joined by not one but two guests - Justin Carroll and Emily Hacker. They are both threat analysts at Microsoft, both returning guests to the "Security Unlocked" podcast. They are also dangerously close to being on the podcast five times. At that point, we'll have to give them a smoking jacket, just like "SNL." And today, they're joining us to talk about BazaCall, which they covered in a recent Microsoft Security blog. So BazaCall is a delivery method using a phone number and an email campaign to lure victims to contact a real, live operator in a call center, who uses social engineering to convince you to download malicious payload to your device. And from there, hands-on-keyboard, the cybercriminal is able to get extensive access to your data and not only exfiltrates it but also looks to ransom the entire organization. 

Natalia Godyla: So it's a heavy, heavy conversation with a lot of great technical detail. But Emily and Justin do a really fantastic job at walking through all of the nuances of this particular campaign. With that, on with the pod. 

Natalia Godyla: Hello, Emily Hacker and Justin Carroll. Thank you both for joining us again on the "Security Unlocked" podcast. If I remember right, Emily, I think this is your third time on the show. And, Justin, this is a whopping four. 

Justin Carroll: Yeah, sounds about right. 

Emily Hacker: Something like that. Been on a few times. 

(LAUGHTER) 

Justin Carroll: Happy to be here. 

Natalia Godyla: Great. Yeah, and we're happy to have both of you back. So today, we'll be talking about another blog that both of you had authored on the Microsoft Security blog entitled "BazaCall: Phony Call Centers Lead to Exfiltration and Ransomware." Really excited to dive into this today. Why don't we just start, as a quick refresher, just introducing both of you to our audience? So, Emily Hacker, would you mind starting? 

Emily Hacker: Sure. Thanks for having me on again. I'm Emily Hacker, like you said. I'm an intelligence analyst on the Tiger team here at Microsoft threat intelligence team, and I focus mostly on threats delivered via email. So in the BazaCall case, that was very up my alley since there is an email component to it. 

Natalia Godyla: Awesome, awesome. And Justin? 

Justin Carroll: Thanks for having me again. I focus mostly on endpoint, looking at desktop and server activity in the Windows environment to try and understand some of the behaviors that we're seeing and kind of collaborate to figure out the combination of successful attacks and see what we can figure out on what attackers are doing to get in and what they're doing once they're there. 

Natalia Godyla: Awesome. Thank you for that. With that, let's dive in. So, BazaCall - what is it? 

Emily Hacker: That is a great question. So BazaCall is specifically a delivery method. So a lot of times when things get names, they might be a type of malware or perhaps a vulnerability, and this one is unique because BazaCall is not its own malware; it is specifically a delivery method for BazaLoader - or BazarLoader. So the method being, as the name would imply, that it involves calling, hence BazaCall. So in this case, it is when the attackers send emails to the recipients - the intended victims, I suppose - that don't contain any links or attachments but rather contain a phone number for the recipient to call and talk with a human in a call center that will guide them through the process of downloading the BazaLoader malware onto their machine. 

Natalia Godyla: And how long has this delivery method been around? Is this something new that we're noticing? 

Emily Hacker: So BazaCall specifically has been around, I want to say, since January. But the method of using phone numbers, I suppose, or a phone type of scam is not necessarily new. Vishing - as it's called, voice phishing - has been around for a while. Tech support scams have been around for a very long time. But in terms of them using that same type of scam to deliver malware, that is fairly new. I'm not sure of, off the top of my head, another malware other than BazaLoader that's using a call type of delivery method. 

Natalia Godyla: And in the blog, you also note that the threat - how did you put it? - is more dangerous than previously discussed in the public or publicly. What's new or what new observations have we found about the nature of this threat? 

Justin Carroll: So one of the things we saw was - some researchers had looked into it, and they were finding the successful compromises and kind of, like, the activity of, like, how it was working and how they were delivering some of the malicious files. We've seen it now shifting to kind of, like, extensive credential theft, exfiltrating massive amounts of data out of organizations and then deploying Conti ransomware. So it's kind of one of many type of ransomware-as-a-service kind of attacks. It's just a unique method that they're using successfully to get into environments. So it's a little bit more severe than folks have realized. 

Justin Carroll: A lot of the research out there had been surrounding the delivery method and not so much the outcomes of a lot of the attacks. And we were able to kind of combine those two into a cohesive story to really understand, end to end, kind of what these attacks were doing and how they related to ransomware deployments and Conti, which is a known ransomware-as-a-service. So it's one of the more successful methods of getting entry into an environment but also using that access to do much more nefarious things than folks originally were seeing. 

Natalia Godyla: And both of you had hinted at this. So BazaCall sounds like it's unique. It's not similar to other phishing campaigns in that there is no malicious link or attachment. You know, as a user, those are typically signals to me when I see a suspected phishing email that I consider a red flag, if I see a link that I am being encouraged to open. That's not the case here, so I'd love to hear a little bit more about, you know, why they've chosen this unique delivery method and what else is particularly unique about these BazaCall campaigns. 

Emily Hacker: Yeah, so for the delivery method, there's definitely a few reasons why an attacker would want to use this, the first one being what you just mentioned - is that the people who are receiving this have been trained on what to avoid in email, and this type of delivery mechanism really kind of goes around all of the things that people are trying to avoid. And so since there's no link, there's no attachments, people might see the phone number and think, well, this must be legit. Another thing that they're doing is that they are - in these emails, they're pretending to be real services, real companies. Or in this week's most recent campaign, they're actually using some concert ticket lures, and they're using real artists. Monday, this week, was Justin Bieber concert tickets. So they're things that people in some cases have heard of. 

Emily Hacker: So if someone were to Google, you know, I got this weird email or whatever, and then I Google the name of the company or Google the concert, they might actually get results. And I think that's one thing that people are trying to do. It's like, oh, I got this weird email from this company. Google weird company. Like, OK, this is fine. And in this case, you know, obviously, it may not be. Another thing is, once the user does call - granted, the number of successful callers might be lower than what might be the number of successful clickers, but as Justin mentioned, since this is leading to severe consequences, you really only need one person to call. And when that person does call, there's also a higher chance of, I guess, success on the attacker side in terms of getting the user, the victim, to actually complete the entire process of downloading the malware. 

Emily Hacker: So in this case, when they're on the phone, they're on the phone with a real human, a call center agent, who walks them through - OK, visit this website. The user will go to that website. And they'll say, OK, navigate to this page, and you need to click on this thing in order to unsubscribe or whatever, you know, to get your credit card taken off of this. Download the Excel. OK, now make sure that you click to enable content and enable the macros. And then that's how you download the malware, right? So in a case where the user wasn't on the phone with the customer - or the victim, rather - there's a lot of steps along that chain where the victim might have gotten stopped. 

Emily Hacker: So the first one being if the email was sent containing a link or an attachment, a lot of email security technologies are very good at blocking malicious attachments. They're - that's what our kind of bread and butter is. But blocking just a plain text email can be a little bit more difficult because you can't just block based on the technique if there is none. They're using, you know, real email services, like free ones such as AOL. So you just can't block one domain. So it makes it easier for the email to get delivered, not to mention the actual act of downloading the malware. So, you know, the user, if they were left to their own devices, they might not ever download the Excel, or they might download the Excel but never execute the macros. And in this case, having a human on the phone walking them through it can get someone who either would be, you know, suspicious to not go through with it or maybe a little less technically savvy to actually download the malware. 

Emily Hacker: And then finally, like it circumvents the email technologies, the email security technologies, it's also going to circumvent, potentially, some more endpoint security technologies. I believe we had mentioned this in the blog. I don't remember. But we did see that, in one case at least, a user had been on the phone, obviously, with the attacker, and you see them try to access the malicious site on Edge, and it's blocked. And then they go to Chrome, and it's blocked. And then they go back to Edge, I believe, and it's blocked. And then we actually see them circumventing SmartScreen, which is our protection that keeps them from navigating to these bad sites. So you can almost hear that conversation with the attacker being like, oh, that's a real site. Like, you know, I don't know why Microsoft has this blocked. Try it on Chrome. Or, like, just click this button that says navigate to it anyway 'cause it's fine. 

Emily Hacker: And, like, without being on the phone with the attacker, I think the majority, if not all, people in that situation would have been like, oh, this site is bad? Like, X out, never go back. But because they're on the phone with a real human, they have someone telling them like, no, no, this is OK. Trust me. I work here. Like, I don't know why this is blocked, but just go to it anyway. So it gives the attacker the kind of more - even though it initially kind of feels like there would be less chance of success because, like, who's really going to call this number? Because you only need one - if you're going to be deploying ransomware - right? - you only need one successful compromise, this is actually a higher probability of them actually successfully getting someone to be compromised. 

Natalia Godyla: Do we know what the success rate has been, how much has been lost to BazaCall? 

Justin Carroll: We were seeing for quite a while - like, each wave of these, we would see, you know, five to 10 devices a week, give or take, where, like, there would be successful compromise with hands-on keyboard activity, which doesn't sound like a lot at first. But when you realize that each one of these is a potential ransom that could be in the hundreds of thousands or millions if it's an enterprise, depending on the scope of the ransomware and how widely it's deployed, you really don't need that many to hit. 

Justin Carroll: So they do send a large swath of emails out, and then it's just a matter of figuring out the ones that can connect all the way through the chain and figuring out where the attacker's actually seeing that success to the very end. And for the most part, it seems like they're - compared to a lot of other delivery methods for these types of ransomware, like, they're doing pretty well, unfortunately. 

Natalia Godyla: So let's unpack this. We've talked about some of the steps that occur in the campaign. But you know, end-to-end, what's the flow of the attack chain? 

Emily Hacker: So the attack chain for this really starts with the email. So the first thing that we'll see is the wave of emails being sent out. And they are usually sent out once or twice a week, kind of in these big waves, to tons of users. And they use a different lure - like, lure - it's a word I cannot say, but L-U-R-E... 

Natalia Godyla: (Laughter). 

Emily Hacker: ...Lure - a different one of those per week. And each email contains, like I mentioned, the phone number for the - whatever the lure that week is. So in the case - I think in the blog we were talking about one where someone had supposedly purchased a subscription service or something. And so that would be calling the phone number in order to cancel your subscription. 

Emily Hacker: There have been other ones where - you know, I believe there was one that was pretending to be - you had to call a lawyer because you had some kind of, like, traffic violation. I'm struggling to remember exactly what the lure was there. But it was basically, like, call us if you want to get out of this violation. And like I mentioned, this week, there was the one for the concert tickets. And so in each case, there's kind of this thing at the bottom that's like, oh, go ahead and call us if you want to cancel. 

Emily Hacker: So another aspect of the emails that is important is that every single email has a unique ID associated with it. So they're all kind of similar in that they follow the same pattern, but each one - it'll be, like, one to three letters and then nine to 15 numbers or something. And each email has one that's unique. And that's important because the next step of the kill chain is that the user will call the number in the email, and the person on the other end of the phone who answers will ask for that ID. So they're able to actually tie it back. 

Emily Hacker: So let's say that I had called the number. I received the email, and I called the number, and I gave them my ID. They'd be like, oh, Emily Hacker? Because they would have it tied to my actual account. So that makes it interesting from an analysis perspective because we can't just, like, call up and be like, yo, what up? Because we don't have the account numbers, or we would have to basically impersonate a customer, which isn't something that we really want to be doing. 

Emily Hacker: So once the user does call, as I kind of mentioned, the call center person will walk them through the next step, which will tell them to navigate to a malicious website that is in some way, shape or form related to the email lure that week. 

Emily Hacker: So there have been times where - for example, there was one that was, like, a cooking subscription. And there was a couple of websites that were used that the name was not the same as the name in the email, which probably should have been a red flag to the users, but that might be something that's really difficult to spot if you're just kind of in panic mode, trying to get your credit card from not being charged. The attacker will say, OK, visit this website in order to cancel, and we'll take your credit card off this list. They will tell them to navigate to the account page or the cancellation page, where they are told to download an Excel in order to, like, cancel, which, again, probably is another red flag (laughter). If you ever are told to download something in order to cancel your subscription, like, just halt right there, and don't do it. 

Natalia Godyla: Yeah. I don't really understand what an Excel file would do for me at that point. 

Emily Hacker: No. Nothing good. 

Natalia Godyla: (Laughter). 

Emily Hacker: And that is exactly what it does, is nothing good. So the Excel file is - if the user does download it, another thing that's interesting is that it also does contain the ID number that I was talking about. But it claims that the spreadsheet is protected in some way, shape or form, which is a very, very common lure that we see in Office documents in general, is that they'll claim that, oh, this document is protected or it's old, so you need to enable editing and enable content in order to view it. Of course, in that case, no. That's also not true. It's just going to enable macros on this spreadsheet. And the macros are what will then, I guess, initiate the next phase of the attack, which is Justin's realm. 

Justin Carroll: Kind of, like, what they'll do from that point - once they've gotten the user to execute the macro, the person on the call center is basically done, right? Like, they've kind of done their part. The malicious code is now executing. In all likelihood, depending on configurations for each device or organization, the device is basically soon to be controlled by an attacker. It will use a method of downloading the next payload that it needs to kind of ascertain information about the device, doing what's called a living off the land binary, where - so they'll use built-in Windows tools - in this case, Certutil - to actually download the next malicious payload, which is BazaLoader. And then once BazaLoader is in there, it will install a backdoor, and then it will allow subsequent command and control using Cobalt Strike. 

Justin Carroll: So at that point, the user is unaware of all of this happening. They did the document, and they're like, oh, I got it cancelled. That's it. The automated process portion of the attack will also add persistence into a start folder, where it will - basically if the machine ever gets rebooted or anything like that, it will automatically attempt to try and reestablish the connection to the attacker so that even if there are some errors or anything like that - you know, user shuts down the machine when all this is going on - they can just hit it again the next day. 

Justin Carroll: From that point, once they've established that kind of hands-on-keyboard control of the device, it's getting pretty close to game over at that point. There are things that organizations can do to kind of slow and stop the attacker and mitigate the attacks. But the clock is ticking. Most of the time when you have that hands-on-keyboard attacker in your environment, it's a matter of time until they are able to get credentials with higher privileges. And then from there, they can move laterally and continually elevate their privileges, as they did in this case, where they eventually moved to some kind of, like, high-value targets that have information that they could use to do what's kind of the new hotness in ransomware, where it's called double extortion, where basically the end goal is to steal as much data as possible and ransom all of the devices that they can gain access to. 

Justin Carroll: And then if the organization doesn't want to pay the ransom, then you threaten to release the data that you stole or make them pay for that instead, basically kind of ensuring that the organization will unfortunately comply and pay the ransom. So in this case, usually a lot of the times we were seeing - could be anywhere to, like, 48 hours from time of initial compromise to complete hands-on-keyboard control. 

Justin Carroll: One of the other things that they've been doing - we've been seeing a lot of ransomware-as-a-service groups doing this, so it's kind of no surprise because they kind of tend to all overlap and use similar scripts amongst each other - is they make a backup of the Active Directory database. What that essentially means is they are able to get hashed copies of all the users and passwords for the entire organization. So in effect, with a little bit of time, every one of your users in your entire environment is compromised. 

Justin Carroll: So you essentially have to take extensive action to try and stop the attacker from coming back. They will play in multiple forms of persistence so that they will add users, right? Like, at that point, you're constantly trying to put out fires, trying to stop the attacker from doing whatever it is. And a lot of times while you're trying to do that, they're off in the background stealing your data and all of that kind of fun stuff. So it can get really nasty, really quick. And unfortunately, it usually emanates from a singular user making a phone call. 

Natalia Godyla: How does BazaCall evade detection? So there's a human element of social engineering in that it is a phone call instead of, like you said, Emily, a link or an attachment that our typical technologies would detect and remediate. But there were a couple other components later in the attack chain that also talked about technical details of how they stayed covert once they were inside the system. Could you describe a few of those, Justin? 

Justin Carroll: They're always trying different ways to kind of evade detection as much as possible. I would say most attackers are - they don't typically know what alerts are going to fire for which behaviors. But they do know where their successes and their failures are, so it's a constant cat-and-mouse game of, as we update and improve detections or capabilities of alerting or blocking, then they'll shift part of their attack chain to then bypass that and then, you know, back-and-forth. 

Justin Carroll: So in this case, one of the new things that they were doing that we hadn't seen too many folks do is - so that Certutil tool that I was talking about - it has a legitimate purpose. So what they would do is they would make a copy of that tool and then put it in a different folder, rename it, and then execute it to download their malicious payload. So any rule-based alerting that you have for Certutil being used as a LOLBin, if it's based on naming, which some security providers might do, then it's not going to fire because in this case, it's not Certutil. It's a copy of Certutil named something else. So it's a new way. They didn't have to deliver a payload to download their next one, right? Like, it was already built in. They just had to make a copy and rename it, whereas if they hadn't renamed it, then it would be more likely to be caught. So it's just kind of one of the many ways. 

Justin Carroll: The other thing that they'll do is, like - it's a really common technique that you'll see. And what's tied to that is, attackers love to put things in folders that are hidden by default. So, like, with the Windows file system, you have certain folders that, by default, are hidden, and you have to kind of go out of your way to show their presence. In addition - so in this case, this was ProgramData. And there are a couple of them, to say the least. There are no write protections to these folders. So you can put whatever files you want. Many of the hidden folders prevent users or would-be attackers from putting data in the folder because it's in an important directory or anything like that. There are some special ones where there are no write protections. So you can put whatever files you want in there. And it's completely invisible to the user. 

Justin Carroll: So even if the user opens folders and is looking around - you know, they're like, you know, I'm not sure about that document that I opened. Let me look and see if I can find anything that they did. All the files are in a hidden file. Like, the signs are there. But you have to have kind of some security acumen and know what tools to use to kind of understand, like, oh, no, this is far worse than I realized. And, you know, the attacker may already have my credentials and may be using my account to log into a different device or dump their credentials from an administrator that logged onto my account for maintenance and then use their credentials for stuff like that. 

Justin Carroll: So with a lot of the ransomware-type stuff and the hands-on-keyboard, they know most of the time they're detected. And so that's why it's a scramble to deploy and distribute the ransomware as fast as I can, right? Like, they know for themselves the clock is likely ticking, right? The odds are they did something that the alert product in place caught and notified. And it's a matter of time until an organization can triage it versus when it can be stopped. At some point, they kind of - once they get to a certain point, you can kind of tell that there is a little less care in evading defenses and more move quickly. 

Emily Hacker: They also do defense evasion other than just the fact that the email doesn't contain links and attachments. They also have been adding defense evasion into the email as well. To kind of add to what Justin's saying, like, they have to successfully get onto the box. And that's kind of the main goal. And then after that, it's just, like, a scramble. But if the email never gets delivered, it is kind of - the whole operation is a fail. 

Emily Hacker: And so the emails, you know, themselves - despite having, you know, no links, no attachments, being delivered by common domains such as, you know, Gmail, AOL, et cetera, obviously, the attackers were finding that these emails were not being successfully delivered in some cases, probably, you know, because, like I do, a lot of security researchers are aware that they're being delivered and are tracking them. And if you have tracking rules that, perhaps, are based on the body of the email containing, maybe, that ID that I was talking about in a phone number, then you might be able to not block these outright but surface them in a way where you can identify and quickly block them. 

Emily Hacker: But we're seeing in the email that they are now trying to obfuscate the fact that it contains a phone number. So back at the beginning, you know, a lot of these emails just contained a phone number, so call us at one, number, number, number, number, number, number. And early on, I did see some attempt at obfuscation where they would put, basically, like, throwaway HTML tags in between the numbers. So instead of - let's pretend it was, like, one, five, five, five. It would be, like, one and then, like, a random HTML tag and then five, five, five, and then, like, a random HTML tag. And so to the user, it just looks like a phone number. 

Emily Hacker: But if you have security technologies that are reading this email, they're reading the HTML. And it might break up the phone number and not actually look like anything. Well, that's not entirely successful because, basically, if you also have security technologies that can read the rendered email itself, then it still looks like a phone number. And so more recently, what we're seeing is that they're actually using white text to put extra numbers in between the numbers. So instead of saying one, five, five, five, it'll say one, nine, five, five, five, seven, five, five, five, three, five, five, five, five or whatever. And then, to the user, it just looks like a phone number. But to any security technology reading that, it's not going to match the template of a phone number at all because it has three too many numbers. So that's another layer of what I would personally consider defense evasion in the email sphere that they are also doing. So... 

Natalia Godyla: Oof, that one sounds clever. There seems to be a high level of sophistication and personalization, right? So in the blog, you also stated that there's a unique email sender every time. You address the fact that there's a unique account number. There are different email titles and lures. Who's running the BazaCall campaigns? Do we know anything about the profile of these threat actors? 

Justin Carroll: So with attacker activity like this, because it's criminal industry, what ends up happening is you have multiple different groups that are kind of collaborating together for different aspects of the kill chain and working on different parts. So with the ransomware as a service, so they're deploying Conti. So in this case, you have the operators who are building and deploying the ransomware. And then you have the affiliates who are actually, like, working and giving it to the customers and trying to get payment from the operators and such. Then you also have other people who are working on granting access and standing up the call centers and figuring out, you know, what techniques we should do for the email. So there are so many different groups that are all kind of working together to kind of ensure successful compromise. And they're buying and selling access from each other and buying and selling tools. It's kind of a mess a lot of the times... 

Natalia Godyla: (Laughter). 

Justin Carroll: ...Whenever you're in the criminal industry because there is so much collaboration between all of them. And you'll see a lot of overlap in techniques and code similarities and stuff like that. So it makes it a little bit more tricky to kind of nail down which specific part. So you really kind of have to focus on the different aspects of the behaviors and kind of look at them in that way and say like, OK, let's figure out who's behind these parts and stuff like that and try and see if you can dig deeper into that, and then kind of build a whole cohesive picture to it. But it does take a long time because it is fairly complex and they're ever shifting. So it's - it makes for a fun challenge. 

Natalia Godyla: Oh, I'm sure. I was going to add that last point. I'm sure it's particularly difficult because you finally build this profile of this particular group and the function that they play in the larger cybercrime infrastructure, and then boom, they change their behavior. So let's talk a little bit about protections then. So how can someone who's listening to this episode today defend against such an elusive attack as this? 

Emily Hacker: I suppose one of the things - like our product, if someone is using MDO, which is, you know, Microsoft Defender for Office, which is our email protection, this is something that we have teams, such as myself, constantly looking at. So we are the ones who are the defense, in terms of, while this might be evading that organization's specific defenses in their email, and they might not have a team that's big enough to constantly be, like, looking for the new email every week, that's what Microsoft does. And that's why we have threat intelligence teams and people like myself who are constantly looking and have been constantly looking for weeks on end. And so when I see these new waves of emails, these immediately go into our product stack so that they won't be delivered to our customers or so they can be removed from inbox if they've already been delivered to our customers, if, you know, they slipped through, for example. So by just using the product itself is one way that customers can be protected from this. 

Emily Hacker: And then on the rest of the delivery front, such as, you know, enabling SmartScreen - that was one that I had mentioned earlier, that we saw a customer click the, like, bypass SmartScreen message. Obviously, that is less than ideal. But what that does show us is that these bad sites - you know, Microsoft knows about them and has them blocked on Edge. So if someone is using Edge, you know, I would say that if you showed five people that message, at least a few of them are going to be like, I don't know about this. Never mind. I'm going to get off the phone and not click through this. So like, utilizing Edge and SmartScreen are other ways that you can prevent this from happening. 

Emily Hacker: And then on top of that, the Excel spreadsheets themselves - we have security protections in place that identify that these spreadsheets are malicious. So in some of the waves, we saw people posting that they would get - like researchers that were actually trying to see what was bad about these spreadsheets were posting that they were trying to analyze a spreadsheet, and they kept getting a pop-up from Microsoft being like, this spreadsheet's bad. Like, nope, you don't get it. And so like, while I'm sure as a researcher that's frustrating, that's really good because what that means is that people who did go through all of these steps are going to download these spreadsheets, and Microsoft already is aware that they're malicious. And so they don't get the opportunity to enable the macro and move on to the next phase of the attack. 

Justin Carroll: On that note, one of the things - like a specific protection that would go a long way for this threat - there is a protection that customers can implement disabling the use of unsigned macros. It's a way basically where they can only allow macros for business needs that are signed and are launched in trusted locations from the environment - so - because, you know, organizations are going to need to have macros in documents. It's just - there is no way around that. But macros are one of the main methods of executing malicious code on the endpoint and actually getting a dropper or taking control of a device. So that's one of the biggest things that they could do to really kind of stem that attack because, you know, we do have amazing detection technologies, as Emily was talking about, where it will identify the malicious workbooks and basically block the Excel document from the start and prevent the user from doing anything with it. But not everybody uses the same antivirus provider. So it's one of those - this one is kind of a good solution for that. 

Justin Carroll: And they can also look into - Microsoft has these attack surface reduction rules, which kind of help slow and stop attackers. One of the big ones for ransomware is the - blocking process creations originating from PsExec and WMI. So PsExec is a little bit older, but system administration tool that, like most tools - right? - like you - it depends on who's using it and what their intent is. It's one of the more common tools used in ransomware deployments 'cause it allows you to easily distribute ransomware to hundreds or thousands of devices simultaneously. So putting that in place can really inhibit the attacker's ability to distribute the ransomware. And they have to figure out different, maybe slower or less effective methods. Those two things alone, with what Emily was talking about, can really go a long way to slow and in many cases completely stop the attackers from having a successful campaign. 

Natalia Godyla: Wow. OK. That's awesome. Thank you for sharing all of those details. Thank you again for joining us, Emily and Justin. It was great to really deep dive on the - on this blog on BazaCall. And as always, it's great to have both of you on the podcast. 

Justin Carroll: Awesome. Thanks so much for having us. 

Emily Hacker: Thank you for having us. 

Natalia Godyla: Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode. 

Nic Fillingham: And don't forget to tweet us @msftsecurity or email us at securityunlocked@microsoft.com with topics you'd like to hear on a future episode. Until then, stay safe. 

Natalia Godyla: Stay secure.