Microsoft Cloud App Security (MCAS) and Advanced Threat Analytics


Ransomware and Microsoft Cloud App Security (MCAS)

The rise of ransomware and its media presence in recent months has highlighted, perhaps more than ever, the importance of robust security systems that detect and respond to evolving threats. Extortion via ransomware works because it targets both consumers and businesses, and in both cases the attacks are evolving at a pace and frequency unmatched by most other cybersecurity threats. Many current ransomware strains actively look for new ways to cause the maximum amount of damage to a victim's assets.

In this environment we want to provide tools that give control back to you through strong detection and remediation capabilities. This post shows how two products in the Enterprise Mobility + Security (EMS) suite, Microsoft Cloud App Security (MCAS) and Advanced Threat Analytics (ATA), help protect users both in the cloud and on-premises through their detection systems. We'll walk through the malware detection capabilities of each product as one layer of a comprehensive, defense-in-depth security strategy.


UEBA: Detection through abnormal user and file behavior

As a User and Entity Behavior Analytics (UEBA) product, ATA learns the behavior of users and other entities in an organization and builds a behavioral profile for each of them. When malicious software establishes a foothold on a machine and starts spreading to other computers in the network, the account it uses behaves in ways that do not match its learned profile, so ATA raises an abnormal behavior detection. A departure from the account's "norm" indicates a probable compromise, and the alert informs the admin immediately.


Similarly, Microsoft Cloud App Security (MCAS) can detect abnormal file behavior across a tenant's cloud applications. Microsoft Cloud App Security identifies large numbers of deletions and file syncs within a short period of time; coupled with indications that files have been encrypted by ransomware (for example, changed file extensions), the system alerts on these abnormalities through fully customizable activity policies. Speed of detection is critical here: because mass file deletion can be identified immediately, the chances of recovering the original files (which are immediately replaced by encrypted, attacker-controlled copies) are greatly increased.


As ransomware evolves, encryption tactics are shifting. Instead of the well-known method of encrypting only the first machine breached, some attackers use the initial computer as a springboard to spread ransomware to every machine in the network they can reach. Both Advanced Threat Analytics and Microsoft Cloud App Security (MCAS) play a role in this scenario: ATA detects the compromised account used to spread the ransomware, and MCAS detects the abnormal file behavior in cloud apps.



What is Behind the Anatomy of an Attack? Detection Through File and Protocol Abnormalities

Attacker tooling often speaks network protocols such as SMB and Kerberos with only minor deviations from the implementations normally seen in an environment. These deviations may indicate an attacker attempting to use, or already successfully using, compromised credentials, and they have been observed in some well-known ransomware campaigns. Advanced Threat Analytics detects these protocol abnormalities in the environment and alerts an admin immediately so that appropriate action can be taken to protect the affected assets.


Ransomware isn't ransomware without a ransom note, so Cloud App Security file policies can be used to search for ransom notes in users' cloud applications. A ransom note left behind usually contains download instructions, directions for reaching a payment site, and bitcoin payment terms. Using these indicators, a Cloud App Security file policy can alert, for example, on .txt, .rtf, or .html files whose contents combine ".onion" with "bitcoin", or "Tor Browser" with "ransom".


Cloud App Security threat detection also uses file policies to search for file extensions that are unusual or non-standard. This can be as simple as a policy that looks for ".locky", or something less obvious such as ".xyz" or ".rofl". Cloud App Security also ships a built-in policy template for potential ransomware activity. The template is pre-populated with many of the most common ransomware extensions and is fully customizable. It also supports governance actions that suspend suspect users, which mitigates the attack by preventing further encryption of the user's remaining files in Office 365, Box, or Dropbox.
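To make the two MCAS detection ideas from the preceding paragraphs concrete (the activity policy for bursts of deletions and ransomware-style renames, and the file policies for ransom-note content and suspicious extensions), here is an added Python example that runs equivalent checks over constructed audit events and a constructed ransom note. It is not Microsoft's code and does not call the MCAS API; the extension list, indicator terms, window and threshold are assumptions chosen for illustration, not the values in the MCAS template.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions ransomware strains have appended to encrypted files. Constructed sample
# set for this example; the MCAS template ships its own (customizable) list.
RANSOMWARE_EXTENSIONS = {".locky", ".zepto", ".cerber", ".crypt", ".xyz", ".rofl"}

# Ransom notes are typically .txt/.rtf/.html and combine a Tor/.onion reference with
# payment or ransom language. Both halves of a pair must match (assumed heuristics).
NOTE_EXTENSIONS = {".txt", ".rtf", ".html"}
NOTE_INDICATOR_PAIRS = (
    (re.compile(r"\.onion\b", re.I), re.compile(r"\bbitcoin\b", re.I)),
    (re.compile(r"\btor browser\b", re.I), re.compile(r"\bransom", re.I)),
)


def extension(filename):
    """Return the lower-cased final extension of a filename, or '' if it has none."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def is_ransomware_extension(filename):
    """File-policy check: does the file carry a known ransomware extension?"""
    return extension(filename) in RANSOMWARE_EXTENSIONS


def looks_like_ransom_note(filename, content):
    """File-policy check: note-type file whose text hits both terms of an indicator pair."""
    if extension(filename) not in NOTE_EXTENSIONS:
        return False
    return any(a.search(content) and b.search(content) for a, b in NOTE_INDICATOR_PAIRS)


def detect_mass_file_activity(events, window=timedelta(minutes=5), threshold=20):
    """Activity-policy check: flag users with >= threshold deletions or renames to a
    ransomware extension inside any sliding time window. Returns {user: peak_count}."""
    per_user = defaultdict(list)
    for ev in events:
        suspicious = ev["action"] == "delete" or (
            ev["action"] == "rename" and is_ransomware_extension(ev["new_name"])
        )
        if suspicious:
            per_user[ev["user"]].append(ev["ts"])
    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def build_sample_events():
    """Constructed cloud-app audit events for this example (not real tenant data)."""
    t0 = datetime(2017, 6, 1, 9, 0, 0)
    events = []
    # alice: 25 documents renamed with a .locky extension in under three minutes
    for i in range(25):
        events.append({"ts": t0 + timedelta(seconds=7 * i), "user": "alice@contoso.example",
                       "action": "rename", "file": f"report-{i}.docx",
                       "new_name": f"report-{i}.docx.locky"})
    # bob: a handful of ordinary deletions spread over an hour
    for i in range(4):
        events.append({"ts": t0 + timedelta(minutes=15 * i), "user": "bob@contoso.example",
                       "action": "delete", "file": f"scratch-{i}.xlsx", "new_name": None})
    return events


# Constructed ransom-note text (hypothetical .onion address, not a real site)
SAMPLE_NOTE = ("Your files have been encrypted. Install Tor Browser, open "
               "http://example.onion/ and pay 0.5 bitcoin to receive the decryptor.")

if __name__ == "__main__":
    for user, count in detect_mass_file_activity(build_sample_events()).items():
        print(f"{user}: {count} suspicious file events in window -> governance: suspend user")
    print("ransom note:", looks_like_ransom_note("_HELP_instructions.txt", SAMPLE_NOTE))
```

The sliding window matters: a user who deletes a few files an hour will never trip the threshold, while a process renaming dozens of files a minute does so within seconds of starting, which is the point the text makes about speed of detection. The ransom-note check deliberately requires two independent indicators so that a spreadsheet mentioning bitcoin, or a .docx that happens to contain the words, does not alert.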


Regaining control with support

Advanced Threat Analytics and Cloud App Security don't replace endpoint ransomware detection or network Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Rather, they add detection capabilities to your overall security coverage and shorten the time it takes your security operations team to respond to hostile events. EMS is committed to providing protection, detection, and response against ever-evolving threats and to supporting you against one of the most serious cybersecurity issues today: ransomware.

If you would like to learn more, please visit:

Advanced Threat Analytics Technical Documentation

Cloud App Security Technical Documentation

Cloud App Security Yammer

Advanced Threat Analytics Yammer


To discuss cybersecurity or EMS further please reach out to MessageOps at 

or visit
