Category: Skype for Business

July 2nd, 2022 by Dr Nitin Paranjape

Using Visio for flowcharts is now easy because it is now available as a part of business and enterprise versions of Office 365. Now you no longer have to struggle with the 3 decades old PowerPoint shapes. Try it out now! Watch Visio flowcharts video If you prefer, view this 1 min video. Check Visio […]

The post Use Visio flowcharts – not PowerPoint. appeared first on Efficiency 365.

Posted in Skype for Business

July 1st, 2022 by Pieter Veenstra

When you want to return arrays from a flow in Power Automate to an app in Power Apps you could use the Response action, however this requires a premium connector

Return Arrays from Power Automate to Power Apps without a premium licence Microsoft Office 365 image 6

Avoiding the premium licences

First of all if your flow really uses premium features then just get that premium licence in place, but if you don’t use any other premium features then you might want to use the method described in this post to avoid the costs of a premium licence.

In my case my client wanted to display documents in a a document library and enable the management of document versions inside an app.

Building the flow

So I started by creating a flow that asks for the ID of a document and then all the versions are returned by the REST API call following.

Return Arrays from Power Automate to Power Apps without a premium licence Microsoft Office 365 image 8

The above returns potentially a lot of data that we want to send to the app.

The data that we get returned will need to be reshaped using the apply to each with a compose action side. Simply create a list of fields returned by the Apply to each and separate them by something that you would never find in the data. I’m using ### in this case.

Return Arrays from Power Automate to Power Apps without a premium licence Microsoft Office 365 image 9

Now we just need to return this to the app:

Return Arrays from Power Automate to Power Apps without a premium licence
In the Respond to a Power App action we use the following expression

This will now give us an array of data where each item is separated by ##Version## and each field is separated by ###

Using the data in the app

Now within the app we can create a gallery that has the following items code:


And use some code to set this collection using the following one liner

ClearCollect(colVersionHistory, Split(Getversionsofdocuments.Run(ThisItem.ID).result,”##Version##”).Result);

Then for each field we want to display inside the gallery


The above will get the first field. To get the second field simply replace the 1 with a 2 and so on.

And that is it. An easy way to send arrays of data back to your app.

Posted in Skype for Business

July 1st, 2022 by johnacook

Microsoft Teams AA/CQ Orchestrator (TACO) App. Contribute to OfficeDev/TACO development by creating an account on GitHub.
— Read on

Posted in Skype for Business

June 30th, 2022 by Marc D Anderson

PnP.PowerShell is one of my favorite tools of the trade. I’ve had to set up multiple machines for myself or others for this lately, and I always find myself looking for the fastest path to glory. Usually, it takes about 9 articles and 15 blind alleys, so I figured I’d capture what seems to work for me. Hopefully I can keep this up to date if things change.

Install Visual Studio Code

Visual Studio Code aka VS Code aka VSCode aka Code (which I’ll use in the rest of this post) is the “modern”, free code editor from Microsoft. I’ve used dozens of code editors over the years and Code is one of the best. Plus, everyone else is using it!

Obviously, you need to have VS Code installed to start. You can download it from Download Visual Studio Visual Studio Code – Mac, Linux, Windows.

Set Execution Policy

This one gets me every time. You’ll want your Execution Policies set like this:

This allows you to install PowerShell modules with less friction. It’s possible your organization won’t let you make this change. You can see your current settings by typing

Get-ExecutionPolicy -List

in a terminal window. To open things up, run this cmdlet:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine

I’m sure there are reasons to set this in different ways based on your organization’s view of security. I’m not going to get into that here: heed your governance rules.

Install PowerShell 7

If you’re running a Windows machine, you’ve most likely got PowerShell 5 (PS5) installed by default. PowerShell 7 (PS7) has more capabilities and is required for PnP.PowerShell to run successfully. Some cmdlets may run just fine with PS5, but don’t be fooled: you want PS7.)

Installing PowerShell on Windows – PowerShell | Microsoft Docs

Install the PowerShell Extension

One of the great things about Code is the rich ecosystem of extensions. The PowerShell extension from Microsoft makes Code smart about PowerShell. You want it.

PowerShell – Visual Studio Marketplace

Switch Code to PS7

I find the instructions for this confusing. PS5 is also called Windows PowerShell (x64) and PS7 is also called PowerShell (x64). In other words, the 5 and 7 don’t show un in the instructions in Using Visual Studio Code for PowerShell Development – PowerShell | Microsoft Docs.

This part is clear:

Use the following steps to choose the version:

  1. Open the Command Palette on Windows or Linux with Ctrl+Shift+P. On macOS, use Cmd+Shift+P.
  2. Search for Session.
  3. Click on PowerShell: Show Session Menu.
  4. Choose the version of PowerShell you want to use from the list.

You’ll want to choose PowerShell (x64), if it isn’t already selected.

Pro tip: When you’ve got a PowerShell file (.ps1, .psm1, etc.) open, you can also get to the PowerShell Session Menu by clicking on the squiggly brackets next to PowerShell in the bottom toolbar. Plus, the version is there!

Install PnP.PowerShell

Finally, the piece de resistance: PnP.PowerShell. This is the module that lets us do so much with Microsoft 365. If you’re using the SPO module instead, I say switch.

You need to run Code as an administrator if you want to install modules. To do this, I usually just type Code in the search box in Windows 11, right click the result, and choose Run as administrator.

From here, follow the instruction on the Installing PnP PowerShell | PnP PowerShell page.

Happy PowerShelling!

This article is for those of you on a Windows machine. I don’t have a Mac, nor do I want a Mac. I also don’t run Linux. Or a Sinclair Z-80 (though I loved the one I had way back when, it wouldn’t run PowerShell).

I expect I’ve missed a few little bits here. Feel free to tell me so in the comments, and I’ll make updates. Also, let me know if this is helpful!


Posted in Skype for Business

June 30th, 2022 by Shobhit Sahay

Hello Everyone,


In March 2022, we announced our simplified change management process, which allows customers to predictably plan their deployments. Earlier this month at RSA, we introduced Microsoft Entra as our new product family that encompasses all of Microsoft’s identity and access capabilities. Today we're excited to share that our newly announced change management process will expand to cover all of Microsoft Entra. We're also sharing our June train for feature changes and breaking changes.


We communicate these changes every quarter to our customers with the blog and release notes and via email. We're also continuing to make it easier for our customers to manage lifecycle changes (deprecations, retirements, service breaking changes) within the Entra portal experience. Below is a quick snapshot of our communication schedule, with biannual product retirement communication and quarterly breaking/feature changes.




Communication Schedule 

Retirement announcement 

Refers to the retirement of a feature, capability, or product in a specified period. This is typically accompanied by the service/feature rejecting new customers and a reduction in engineering investments to enhance retired features or capability. Eventually, the feature is no longer available to any customer and marks end-of-life.  

2 x per year (Mar and Sep) 

Breaking change announcement, feature change announcement 

Breaking change: Expected to break the customer/partner experience if the customer doesn’t act or make a change in their workload for continued operation.  


Feature change: Change to an existing Identity feature​ that doesn’t require customer action but is noticeable to the customer. These are typically UI/UX changes. 


These changes generally happen more often and require a more frequent communication schedule. 

4 x per year (Mar, June, Sep, and Nov) 



Here’s the list of feature change announcements that are part of the June 2022 train: 


Max configured permissions for app

Microsoft recently made a change to enforce our documented limits on the maximum number of configured permissions for an app registration. Apps that exceed these limits could enter a broken state in which consent is no longer possible. On October 31, 2022, apps that already have more than 400 configured permissions in their "requiredResourceAccess" collection will no longer be able to add additional permissions above the limit. Current permissions will remain configured on the app but adding a new permission will require the app owner to remove existing permissions until the total number is below the documented limit. This change will help customers avoid getting their apps into a broken state in which they aren’t able to give consent. For more information, see Microsoft Graph permissions reference - Microsoft Graph | Microsoft Docs and Validation differences by supported account types - Microsoft Entra | Microsoft Docs.  


Admin consent for Directory.AccessAsUser.All

On August 31, 2022, Microsoft will require admin consent for the Directory.AccessAsUser.All by default on all services. Admin consent will be required by default when the permission is requested for either Azure AD Graph ( or Microsoft Graph ( Previously, the permission didn’t require admin consent by default in certain scenarios. This change will only affect new consent requests and will improve security and align Directory.AccessAsUser.All with its current documented behavior. For more information, see Azure Active Directory (AD) Graph API Permission Scopes | Microsoft Docs. 


Group email

We’re switching to a new and improved service to send group-related emails. Group-related emails for the following scenarios will remain the same but will come from a new alias ( When a Microsoft 365 group is going to expire; when a user requests to join a Microsoft 365 or security group; and when a group owner responds to a request to join a Microsoft 365 or security group. This change will help improve reliability and will enable faster email delivery and scalability for group emails.


Default consent setting

Starting September 30, 2022, Microsoft will enforce that all new tenants “Follow the Latest Microsoft Recommendation” as the new default consent setting. End users will no longer be able to grant consent to multi-tenant apps that request permissions beyond Microsoft-determined low-impact permissions without verified publishers. This change will reduce the risk of malicious applications attempting to trick users into granting access to their organization's data. 


As always, we’d love to hear your feedback or suggestions. Let us know what you think in the comments below or on the Azure AD feedback forum. You may also send your questions, open issues, and feature requests through Microsoft Q&A by using the tag #AzureADChangeManagementJune2022Train. 



Learn more about Microsoft identity: 



Posted in Skype for Business

June 30th, 2022 by kumarsnehansu

The Office Mobile team is excited to announce the availability of Quick Access filters in Office Mobile on Android phones and tablets! This feature can help you increase your productivity while customizing Office on your Android mobile device, so it works best for you.


Locate your content easily with Quick Access filters


We heard you! We know that you would like to navigate your Office app more efficiently, especially when it comes to accessing your content. Quick Access filters provide you with easy navigation and personalization options, helping you locate your content more quickly.


With Quick Access, you can utilize multiple filters to view different content types. Content-usage filters, such as, “RECENT”, “SHARED”, and “OPENED” help users find their content based on interactions, while content-type filters, such as, “WORD”, “EXCEL”, and “PDF” make it easier to filter by file type. Users can personalize their home screen by adding, removing, or organizing these filters for quick access.


How to get Quick Access filters in Office app for Android


If you don’t have the Office app, you can download it from the Google Play store. If you already have the Office app on your Android device, download the latest version. The next time the app is launched, you will immediately see a guided experience introducing you to this new feature.


To start using the new Quick Access filters experience in the Office app for Android, follow these steps:


  1. Open the Office app on your Android device and locate the Quick Access options at the top of your home screen.

An image demonstrating the Quick Access options available on the Office app home screen on an Android device.An image demonstrating the Quick Access options available on the Office app home screen on an Android device.

NOTE: These options have replaced the “Recent” and “Shared” options on the home screen.


  1. Tap on a Quick Access option to see filtered content based on the filter you choose. You can add or remove options on the Quick Access bar by tapping the [...] More option at the end. 

An image demonstrating the additional options available when users click the "More" option on the Quick Access bar on the Office app home screen on an Android device.An image demonstrating the additional options available when users click the "More" option on the Quick Access bar on the Office app home screen on an Android device.



Quick Access for the Office app for Android has been rolled out worldwide and is available on app versions 16.0.5102.20000 and later. To learn more about Office app for Android, check out this helpful Microsoft Support article


Last but not the least, we are always listening to feedback from users. You can send us in-app feedback or leave us a comment below!


Continue the conversation by joining us in the Microsoft 365 Tech Community! Whether you have product questions or just want to stay informed with the latest updates on new releases, tools, and blogs, Microsoft 365 Tech Community is your go-to resource to stay connected! 

Posted in Skype for Business

June 30th, 2022 by Jared Spataro

The ways we work have changed dramatically over the past several years, and those changes go so much further than whether work happens at home, in an office, or somewhere in between. In this collaboration-first world, every organization needs a digital fabric that binds people together—from the C-suite to the frontline, and across every role and function.

The post From Viva Sales to new Office experiences—here’s what’s new in Microsoft 365 appeared first on Microsoft 365 Blog.

Posted in Skype for Business

June 30th, 2022 by Mark Kashman

Are you on vacation? Did you just finish your fiscal year close – sell, sell, close, close, close? Or kickin’ it doing your normal thing month to month?


Beyond prepping for Microsoft Inspire next month, we saw June 2022 bring a lot of new tech to Microsoft 365 - lots of SharePoint and related tech goodness: The LGBTQ+ Employee Resource Group site template in time for this year’s Pride month, Viva Topics in Teams chat, inline playback of videos in Hero web part, updated site logo management, multilingual UI when editing team sites, rename Add to OneDrive Shortcuts, OneDrive: Pin and unpin shared libraries, Planner cards in team site activity feed, SPS'2013 Workflows migration assessment tool, Teams chat with self, and more.


We also hear from Adam Ford (Principal design manager - OneDrive and SharePoint) - his insights about the focus on user experience (UX) - especially in SharePoint pages and how they appear in Microsoft Teams. So, design yourself a little listening time for this new episode of The Intrazone.


The Intrazone guest this month: Adam Ford - Principal design manager – OneDrive and SharePoint (Microsoft).


The Intrazone by Microsoft

Subscribe to The Intrazone podcast


All features listed below began rolling out to Targeted Release customers in Microsoft 365 as of June 2022 (possibly early July 2022).


Inform and engage with dynamic employee experiences

Build your intelligent intranet on SharePoint in Microsoft 365 and get the benefits of investing in business outcomes – reducing IT and development costs, increasing business speed and agility, and up-leveling the dynamic, personalized, and welcoming nature of your intranet.


Celebrating Pride Month (June 2022) | The LGBTQ+ Employee Resource Group site template

Across the globe we see the celebration of wonderful cultural moments. In living up to our mission statement – “to empower every person and every organization on the planet to achieve more,” we here at Microsoft provide solutions to empower organizations to celebrate these cultural moments with their employees throughout the year. 


Full-screen view of the main home page from the LGBTQ+ Employee Resource Group site template once deployed as a site within your tenant.Full-screen view of the main home page from the LGBTQ+ Employee Resource Group site template once deployed as a site within your tenant.

Once you deploy the site from the Look Book, you find it has:

    • A Home page filled with inspiration to make this site your own.
    • A unique page template so you can create news and pages quickly.
    • A pre-populated News web part
    • And a pre-populated Events web part - with real, related events and ready to add your own


I deployed this site template from the Look Book site to my demo tenant and appreciated the default mission statement that appears on the home page read: "... fostering career development, advancing equality, celebrating diversity, ..." and that it has a beautiful pride enhanced @ContosoInc logo. It's a well-designed site that exemplifies that mission statement - put it to use in your own intranet.


Viva Topics in Microsoft Teams chat

Share your knowledge with a simple hashtag in your chats. Viva Topics in Teams allows people to mention topics in their chat conversations so that others in the conversation can easily learn more about a topic by hovering over the topic name and viewing the topic card - and returning immediately to the chat at hand. Note: You must have a Viva Topics license to do this.


Hover over a Viva Topics highlight (hashtag) within a Teams chat to share knowledge - revealing the Topics card.Hover over a Viva Topics highlight (hashtag) within a Teams chat to share knowledge - revealing the Topics card.

Mention topics by typing the # character and choosing a topic from the topic picker - refining as you type ahead. Once a topic is selected, users can post the message - the hashtag'ged topic becomes active once you send your message or reply.


Recipients with Viva Topics licenses will see the selected topic's name as highlighted text and will be able to hover over it to dive into the details of the topic: such as the alternate names for the topic, descriptions, associated people, and resources (documents, sites, and more).


SharePoint: Inline playback of videos in Hero web part

Like Viva Topics, the focus is to keep you in the flow of work - aka, not taking you to a page or site beyond where you were already engaged. When you create a Communication site, the Hero web part is included on your page by default. It is pre-populated with default content that you change to display your own images, text, pages, links, documents, or videos.


When you add a video to a Hero web part on a communications site, it now plays inline (no longer launching out to the video's Stream page).When you add a video to a Hero web part on a communications site, it now plays inline (no longer launching out to the video's Stream page).

And to help keep that engagement with your content and communications, when someone clicks to play a video in the Hero web part section of a SharePoint site, the video will now play inline. No launch out of your established context, watch inline, return, browse, and continue to scroll through the other contents of the page uninterrupted.


That makes the Hero web part more heroic - esp. in the burgeoning SharePoint-powered metadataverse.


SharePoint page improvements (times two)

First, more Control vertical section reflow | Currently the vertical section in pages goes to the bottom of the page when viewed on smaller screens. We’re adding the ability for page authors to control this reflow and choose whether the vertical section goes to the top or bottom of the screen when the screen is condensed to a smaller size.


When you click to edit a vertical column, you'll now see a new option to have the vertical column appear on the top or bottom when the full page resizes to a single column on smaller devices or low resolutions.When you click to edit a vertical column, you'll now see a new option to have the vertical column appear on the top or bottom when the full page resizes to a single column on smaller devices or low resolutions.

And second, we are making more room for page editing in Microsoft Teams | Last year, we enabled the ability to author SharePoint pages directly in Teams. With this latest change, when editing the page, users will get a full screen experience, making it easier for users to edit their pages. Expand (the page) and focus while you work; heck, even whistle while you work.


Updated site logo management in SharePoint

We're centralizing the management of your site logo. To update or manage your site logo, you will now exclusively visit the Header panel under the 'Change the Look' settings. Site owners will be able to navigate to the 'Header' panel from the 'Change the Look' settings, and then scroll to the bottom of the panel where the site logo options will be located. 


Control all header options within the 'Change the Look' settings.Control all header options within the 'Change the Look' settings.

Consolidation is often the root of less upheaval. Wanna change the look of your site, well - It's now all there in one place.


Teamwork updates across SharePoint team sites, OneDrive, and Microsoft Teams

Microsoft 365 is designed to be a universal toolkit for teamwork – to give you the right tools for the right task, along with common services to help you seamlessly work across applications. SharePoint is an intelligent content service that powers teamwork – to better collaborate on proposals, projects, and campaigns throughout your organization – with integration across Microsoft Teams, OneDrive, Yammer, Stream, Planner and much more.


Streamlining the SharePoint multilingual user interface when editing team sites

This new release includes other improvements to the navigation and site title editing experience for users whose preferred language differs from the site’s default language. Think of this update as improved guidance and readability when taking advantage of the multilingual feature across communication sites and now team sites.


Here's a summary of changes:

  • Additional language information is available when editors update navigational labels, site descriptions, footers, and the site's name.
  • The new language information displays even if multilingual settings have not been enabled for the site.
  • When editors change site content that is not in their preferred language, it will modify the label instead of creating a translation.
  • Additional information appears in tool tips next to the content that’s being edited to confirm the language.


Note: Translations for site content can only be created when multilingual settings have been enabled.



Rename Add to OneDrive Shortcuts in OneDrive Web

People will be able to rename a shortcut within their OneDrive. You can rename the shortcut by selecting the shortcut and clicking the "Rename" command in the command bar or the context menu. When they rename the shortcut, the name change will be only reflected for the shortcut as opposed to at the shortcut’s source. The shortcut’s new name will be updated across all endpoints and products where the shortcut is shown. 


Rename a shortcut you added to OneDrive - to best organize without impacting the destination folder in its original location.Rename a shortcut you added to OneDrive - to best organize without impacting the destination folder in its original location.


Pin and unpin shared libraries for quick access

We’re consistently working to improve how you organize and access what you need in OneDrive. This is one thing you can thank Adam and the team for as they worked with the OneDrive team to improve how you manage the list of places you've recently accessed or opened a file from.


Pin and unpin shared libraries within the Quick access panel in OneDrive to better organize your work.Pin and unpin shared libraries within the Quick access panel in OneDrive to better organize your work.

You can pin these places so you can easily and predictably get back to what you’ve been working on. Pin, pin, pin for the win win win!


Planner cards now appear within the SharePoint team site activity feed

Now, when a team member assigns a task to you within a plan, beyond the Planner user interface, a card will show up on your site activity feed if you are within two days of the due date. Timely tasks are visible when you need to see them.


When a task in Planner nears its due date, it will appear to your view in the team site activity feed.When a task in Planner nears its due date, it will appear to your view in the team site activity feed.

As Hannibal Smith might say, "I love it when a plan comes together (in the SharePoint activity feed)." A-Team references never get old, or is it an A-Team reference never ceases to expose how old I am? ;)


SharePoint 2013 Workflows migration assessment tool

The SharePoint 2013 Workflows platform was introduced 10 years ago. Since then, Microsoft has evolved workflow orchestration to not only encompass SharePoint, but all the productivity services you use within Microsoft 365 and extend to third parties. Today, Power Automate is THE Microsoft solution for workflow orchestration. It connects to all Microsoft 365 services and over 220 other external services to let an enterprise build custom workflows in a more robust, modern way.


To help those in need of transition, we've developed a new, open-source Microsoft 365 Assessment tool - available to help you identify and evaluate your existing use of SharePoint 2013 workflows within your tenant and generating a Power BI report to help plan your migration of 2013 workflows to a modern workflow orchestration service.


Over time, it is our goal to minimize the reliance on older workflow technology, as you've seen us do for SharePoint 2010 workflows, and now for remaining SharePoint 2013 workflows.


Review the related documentation:


Related technology

Teams chat with self 

Talk to yourself on purpose, with a purpose. That purpose being now that people can chat with themselves.


All the same chat functionality that works when chatting with others will work for the individual chatting with themselves. They will be able to start a chat with themselves by typing their full name in the To field when creating a new chat. Pin that to the top of your chat and chat with yourself any time you wish.


Use Teams chat with self to send yourself reminders, quick 'back of napkin planning', and access between devices - even start a Loop component with yourself to keep track of those silly ideas of yours until they're ready to share.Use Teams chat with self to send yourself reminders, quick 'back of napkin planning', and access between devices - even start a Loop component with yourself to keep track of those silly ideas of yours until they're ready to share.

And as our community Loop expert Darrell Webster put it: "You will be able to create a Microsoft Loop on your own. You can use the Loop for personal notes. Or prepare a Loop for collaboration with a group, then add share the Loop link in the group chat." Pretty cool observations, Darrell. Thanks for looping us all in on that one in Twitter – and as you see above, I tested this by creating a bulleted list Loop component with myself to enumerate a few silly SharePoint planning ideas.


Outlook on the Web | Inline Suggestions from Viva Insights appear while composing an email or meeting invitation

Inline suggestions in Outlook are brief data and AI-driven notifications that appear in Outlook while you are reading or composing an email or meeting invitation. These are inline useful suggestions, tips, and best practices around managing emails and organizing meetings - to help you reclaim focus hours and build better collaboration habits.


Get suggestions and insights as you write and reply to emails and meeting invitations.Get suggestions and insights as you write and reply to emails and meeting invitations.

Be on the lookout for Outlook on the web suggesting you to:

  • Delay delivery accounting for respective time zones.
  • Remember outstanding tasks.
  • Plan your time away.
  • Shorten a meeting to buffer and save time.
  • Track email open rate.


We can all learn more about how to do email and meetings better - and why not learn from Outlook thanks to recent innovation integration with Viva Insights.

  • Roadmap ID: 93350
  • Learn more:


Respondé si vous plait with clarity | Outlook additional RSVP options

The additional options for more detailed RSVP responses let attendees inform the organizer and other attendees know how they plan to attend a meeting, whether in person or virtually. These responses can be seen by anyone in the meeting invite, inside and outside of their organization.


When accepting a meeting, users will now have three options: Yes, Yes in-person, Yes virtually. Other people in the meeting invited will be able to see everyone's responses. Note: Users using a client that does not yet support the feature will not be able to respond with a detailed RSVP nor will they be able to see the detailed RSVPs from other attendees.


In a hybrid work world, it helps to let people know if you plan to attend a meeting in-person or virtual.In a hybrid work world, it helps to let people know if you plan to attend a meeting in-person or virtual.

Users using the classic Outlook for Windows with a Microsoft 365 or Microsoft Exchange Online account will be able to see detailed RSVPs but will not be able to RSVP to the meeting with these detailed options.


"Class Action" | A podcast documentary series about the next generation of lawyers

I'm pleased to share this new show: It's hosted by Katie S. Phang from MSNBC, and is produced by our very own Intrazone producer, Lisa Gray and co-creator, Kevin Huffman.


"Class Action" is a new, immersive documentary show about the next generation of lawyers disentangling the complexities of American law. Throughout the 12-part series, we track a diverse cast of outstanding law students who are battling it out in mock trial competitions across the country. It is a new podcast offering, focusing on the trials (literally) and tribulations of what it's like to prepare for litigation through the world of mock trial competitions.


"Class Action" | A podcast documentary series about the next generation of lawyers. []"Class Action" | A podcast documentary series about the next generation of lawyers. []

I've listened to the first few episodes and am hooked on hearing behind-the-scenes of what makes trial lawyers tick! Especially noting the value of fair representation showing that a prepared lawyer is one that people - everyone - can count on. Go behind the scenes with St. Mary's University, Dillard University, Brooklyn Law School, and the University of South Dakota into the depths of law to understand #MockTrial #LawSchool #TheLawyerLife and #EqualJustice.qualJustice


July 2022 teasers

Psst, still here? Still scrolling the page looking for more roadmap goodness? If so, here is a few teasers of what’s to come to production next month…


  • Teaser #1: Create Power Automate flows from built-in Microsoft Lists templates [Roadmap ID: 88906
  • Teaser #2: Microsoft Lists: Commenting (iOS) [Roadmap ID: 70705]

… shhh, tell everyone.


Helpful, ongoing change management resources

  • Follow me to catch news and interesting SharePoint things: @mkashman; warning, occasional bad puns may fly in a tweet or two here and there.


Thanks for tuning in and/or reading this episode/blog of the Intrazone Roadmap Pitstop – June 2022. We are open to your feedback in the comments below to hear how both the Roadmap Pitstop podcast episodes and blogs can be improved over time.


Engage with us. Ask those questions. Push us where you want and need to get the best information and insights. We are here to put both our and your best change management foot forward.


Stay safe out there on the road’map, and thanks for listening and reading.


I appreciate your time,

Mark Kashman – senior product manager (SharePoint/Lists) | Microsoft)


The Intrazone Roadmap Pitstop – June 2022 graphic showing some of the highlighted release features.The Intrazone Roadmap Pitstop – June 2022 graphic showing some of the highlighted release features.

Posted in Skype for Business

June 30th, 2022 by Microsoft 365 Defender Threat Intelligence Team

Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware – and it continues to evolve.

Compared to other subcategories of billing fraud, which include SMS fraud and call fraud, toll fraud has unique behaviors. Whereas SMS fraud or call fraud use a simple attack flow to send messages or calls to a premium number, toll fraud has a complex multi-step attack flow that malware developers continue to improve.

For example, we saw new capabilities related to how this threat targets users of specific network operators. It performs its routines only if the device is subscribed to any of its target network operators. It also, by default, uses cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available. Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user’s consent, in some cases even intercepting the one-time password (OTP) to do so. It then suppresses SMS notifications related to the subscription to prevent the user from becoming aware of the fraudulent transaction and unsubscribing from the service.

Another unique behavior of toll fraud malware is its use of dynamic code loading, which makes it difficult for mobile security solutions to detect threats through static analysis, since parts of the code are downloaded onto the device in certain parts of the attack flow. Despite this evasion technique, we’ve identified characteristics that can be used to filter and detect this threat. We also see adjustments in Android API restrictions and Google Play Store publishing policy that can help mitigate this threat.

Toll fraud has drawn media attention since Joker, its first major malware family, found its way to the Google Play Store back in 2017. Despite this attention, there’s not a lot of published material about how this type of malware carries out its fraudulent activities. Our goal for this blog post is to share an in-depth analysis on how this malware operates, how analysts can better identify such threats, and how Android security can be improved to mitigate toll fraud. This blog covers the following topics:

The WAP billing mechanism: An overview

To understand toll fraud malware, we need to know more about the billing mechanism that attackers use. The commonly used type of billing in toll fraud is Wireless Application Protocol (WAP). WAP billing is a payment mechanism that enables consumers to subscribe to paid content from sites that support this protocol and get charged directly through their mobile phone bill. The subscription process starts with the customer initiating a session with the service provider over a cellular network and navigating to the website that provides the paid service. As a second step, the user must click a subscription button, and, in some cases, receive a one-time password (OTP) that has to be sent back to the service provider to verify the subscription. The overall process is depicted below:

A diagram of how the Wireless Application Protocol billing process works. Interactions between the mobile device and premium service provider are mapped out, from the moment the device browses through services until the confirmation of service subscription.
Figure 1. The WAP billing process in a nutshell

It should be noted that the process depends on the service provider, thus not all steps are always present. For example, some providers do not require an OTP, which means that the mobile user can subscribe to a service by simply clicking the subscription button while the device is connected to a cellular network.  

Fraudulent subscriptions via toll fraud

We classify a subscription as fraudulent when it takes place without a user’s consent. In the case of toll fraud, the malware performs the subscription on behalf of the user in a way that the overall process isn’t perceivable through the following steps:

  1. Disable the Wi-Fi connection or wait for the user to switch to a mobile network
  2. Silently navigate to the subscription page
  3. Auto-click the subscription button
  4. Intercept the OTP (if applicable)
  5. Send the OTP to the service provider (if applicable)
  6. Cancel the SMS notifications (if applicable)

One significant and permissionless inspection that the malware does before performing these steps is to identify the subscriber’s country and mobile network through the mobile country codes (MCC) and mobile network codes (MNC). This inspection is done to target users within a specific country or region. Both codes can be fetched by using either the TelephonyManageror the SystemPropertiesclass. The TelephonyManager.getSimOperator() API call returns the MCC and MNCcodes as a concatenated string, while other functions of the same class can be used to retrieve various information about the mobile network that the device is currently subscribed to. As the network and SIM operator may differ (e.g., in roaming), the getSimOperatorfunction is usually preferred by malware developers.

The same type of information can be fetched by using the SystemProperties.get(String key) function where the key parameter may be one or several (using multiple calls) of the following strings: gsm.operator.numeric, gsm.sim.operator.numeric, gsm.operator.iso-country, gsm.sim.operator.iso-country, gsm.operator.alpha, gsm.sim.operator.alpha

The difference with the first call is that the android.os.SystemProperties class is marked as @SystemApi, therefore an application has to use Java reflection to invoke the function. The MNC and MCC codes are also used to evade detection, as the malicious activity won’t be performed unless the SIM operator belongs to the ones targeted:

A screenshot of code snippet from the Joker malware. The code specifies that the malware will only run if the device is under a South African mobile operator.
Figure 2. Joker malware running its payload, targeting South African mobile operators

The following sections present an analysis of the fraudulent subscription steps in the context of the Android operating system. This analysis can help identify the API calls and the permissions needed for the implementation of a toll fraud scheme.

Forcing cellular communication

Variants of toll fraud malware targeting Android API level 28 (Android 9.0) or lower disable the Wi-Fi by invoking the setWifiEnabled method of the WifiManager class. The permissions needed for this call are ACCESS_WIFI_STATE and CHANGE_WIFI_STATE. Since the protection level for both permissions is set to normal, they are automatically approved by the system.

Meanwhile, malware targeting a higher API level uses the requestNetwork function of the ConnectivityManagerclass. The Android developers page describes the requestNetwork method as:

This method will attempt to find the best network that matches the given NetworkRequest, and to bring up one that does if none currently satisfies the criteria. The platform will evaluate which network is the best at its own discretion. Throughput, latency, cost per byte, policy, user preference and other considerations may be factored in the decision of what is considered the best network.

The required permission for this call is either CHANGE_NETWORK_STATE (protection level: normal) or WRITE_SETTINGS(protection level: signature|preinstalled|appop|pre23), but since the latter is protected, the former is usually preferred by malware developers. In the code snippet depicted below from a malware sample that can perform toll fraud, the function vgy7is requesting a TRANSPORT_CELLULAR transport type (Constant Value: 0x00000000) with NET_CAPABILITY_INTERNET (Constant Value: 0x0000000c):

A screenshot of code snippet from a Joker malware where the malware requests for a TRANSPORT_CELLULAR transport type.
Figure 3. Code from a Joker malware sample requesting a TRANSPORT_CELLULAR transport type

Figure 3. Code from a Joker malware sample requesting a TRANSPORT_CELLULAR transport type

The NetworkCallbackis used to monitor the network status and retrieve a networktype variable that can be used to bind the process to a particular network via the ConnectivityManager.bindProcessToNetworkfunction. This allows the malware to use the mobile network even when there is an existing Wi-Fi connection. The proof-of-concept code depicted below uses the techniques described above to request a TRANSPORT_CELLULAR transport type. If the transport type is available, it binds the process to the mobile network to load the host at in the application’s WebView:

A screenshot of proof-of-concept code to demonstrate a request for a TRANSPORT_CELLULAR transport type.
Figure 4. Proof-of-concept code to request a TRANSPORT_CELLULAR transport type

While it is expected that the Wi-Fi connection is preferred even when mobile connection is also available, the process exclusively uses the cellular network to communicate with the server:

A screenshot of two Android mobile browser screens, side by side. The browser screen on the left loads the content of, while the browser screen on the right loads a blank page.
Figure 5. The mobile browser loads when TRANSPORT_CELLULAR transport type is available and loads a blank page when only Wi-Fi is available

In fact, the user must manually disable mobile data to prevent the malware from using the cellular network. Even though the setWifiEnabledhas been deprecated, it can still be used by malware targeting API level 28 or lower.

Fetching premium service offers and initiating subscriptions

Assuming that the SIM operator is on the target list and the device is using a TRANSPORT_CELLULARtype network, the next step is to fetch a list of websites offering premium services and attempt to automatically subscribe to them.

The malware will communicate with a C2 server to retrieve a list of offered services. An offer contains, between else, a URL which will lead to a redirection chain that will end up to a web page, known as landing page.

What happens next depends on the way that the subscription process is initiated, thus the malware usually includes code that can handle various subscription flows. In a typical case scenario, the user has to click an HTML element similar to the one depicted below (JOIN NOW), and as a second step, send a verification code back to the server:

A screenshot of a website offering subscriptions to apps and premium services. There are two banners on the website, with the one above displaying the text "Join Now". The banner at the bottom displays sports-related images (football and car racing).
Figure 6. A subscription page that’s loaded in the background without the user’s knowledge.

For the malware to do this automatically, it observes the page loading progress and injects JavaScript code designed to click HTML elements that initiate the subscription. As the user can only subscribe once to one service, the code also marks the HTML page using a cookie to avoid duplicate subscriptions. The following is an example of such a code:

Figure 7. JavaScript injected code scraping related HTML elements

On line 76, getElementsByTagNamereturns a collection of all the Document Object Model (DOM) elements tagged as input. The loop on line 78 goes through every element and checks its typeas well as its name, value, and altproperties. When an element is found to contain keywords, such as “confirm”, “click”, and “continue”, it is sent to the cfunction, as depicted below:

A screenshot of JavaScript code of a function where it simulates clicks on selected HTML elements.
Figure 8. JavaScript function simulating clicks on selected HTML elements

The if statement on line 36 checks if the element has already been clicked by calling the jdh function, displayed below in Figure 12. Finally, the c function invokes the click() or submit() function by the time the branch on line 37 (see figure 11) is followed:

A screenshot of the JavaScript code where the malware checks if a premium service page has already been visited.
Figure 9. JavaScript code checking if the page has already been visited

The HTML page loading process is tracked using an onPageFinishedcallback of the WebViewClientattached to the WebView. Subsequently, a handler that listens for relative message types acts depending on the next steps that are required for the subscription to take place. In the code snippet below, the URL loaded in the WebView and a signalwith id “128”is sent to handler2to evaluate the service and initiate the subscription process:

A screenshot of malware code where it checks for specific message types to determine the next steps required for a subscription to take place.
Figure 10. Malware evaluating the steps required to initiate the subscription process

Multi-step or target subscription processes may require additional verification steps. The handler depicted below checks the page URL loaded in the WebView. If the URL matches doi[.], then the handler runs the JavaScript code assigned to the Properties.call_jbridge_dump variable:

A screenshot of malware code where it identifies the conditions required to determine what routine to run next. It assigns code based on specific conditions such as URL displayed.
Figure 11. Malware running code depending on certain conditions

A signal with id “107” triggers some additional steps that require communication with the command and control (C2) server. This case is demonstrated in the following figures:

A screenshot of malware code that is run when a signal with the ID number "107" is identified.
Figure 12. Malware running code depending on the specific signal id

Upon receiving the signal, the handler invokes the v1.bhu8 function:

A screenshot of malware code where the handler invokes the v1.bhu8 function. The said function checks if a service related to anti-fraud protection is running on the device.
Figure 13. Malware attacking anti-fraud protection

After checking for the web-zdm[.]secure-d[.]io/api/v1/activatein the server’s reply, the malware invokes the tpack[.]l2.bhu8[.]vgy7 function. This function sends the current URL loaded in the application’s WebView as well as some extra information like country code, and HTML code:

A screenshot if malware code where the malware sends information from the device to its C2 server. Sent information include country code, the HTML code of the website shown on the browser.
Figure 14. Malware sending information to the C2 server
A screenshot of malware code where a solver-type service is offered by the C2 server.
Figure 15. A solver-type service offered by the C2 server

Intercepting OTPs

In most cases, the service provider sends an OTP that must be sent back to the server to complete the subscription process. As the OTP can be sent by using either the HTTP or USSD protocol or SMS, the malware must be capable of intercepting these types of communication. For the HTTP protocol, the server’s reply must be parsed to extract the token. For the USSD protocol, on the other hand, the only way to intercept is by using the accessibility service.

One method of intercepting an SMS message, requiring android.permission.RECEIVE_SMS permission, is to instantiate a BroadcastReceiver that listens for the SMS_RECEIVED action.

The following code snippet creates a BroadcastReceiverand overrides the onReceivecallback of the superclass to filter out messages that start with “rch”:

A screenshot of malware code where the malware filters SMS messages that start with "rch"
Figure 16. Code that filters out SMS messages that start with “rch”

Subsequently, it creates an IntentFilter, which renders the receiver capable of listening for an SMS_RECEIVED action, and finally the receiver is registered dynamically:

A screenshot of the IntentFilter code, enabling the receiver to listen for any received SMS messages.
Figure 17. The IntentFilter enabling the receiver to listen for an SMS_RECEIVED action

To handle OTP messages that are sent using the HTTP protocol, the malware parses the HTML code to search for keywords indicating the verification token. The following code contains a flow where the extracted token is sent to the server using the sendTextMessage API call:

A screenshot of the malware code where an extracted verification token from the OTP message is sent to the C2 server. The code indicates that this is done through the sendTextMessage API.
Figure 18. Extracted token is sent to the C2 server using the sendTextMessage API call

The additional permission that is required to enable this flow is SEND_SMS.

Another way of intercepting SMS messages is to extend the NotificationListenerService. This service receives calls from the system when new notifications are posted or removed, including the ones sent from the system’s default SMS application. The code snippet below demonstrates this functionality:

A screenshot of malware code where the NotificationLIstenerService is extended. This enables the app to receive calls from the system when new notifications are posted or removed.
Figure 19. Extending the NotificationListenerService service

We triggered a notification with the title “SMS_Received” and text “Pin:12345” during our analysis, resulting in the following output in the application’s logcat:

A screenshot of the malware's logcat. The logcat output shows that it is able to capture contents of a notification received by the device.
Figure 20. Logcat output after a notification is posted

Finally, besides the broadcast receiver and the notification listener techniques of intercepting an SMS message, a ContentObserver can be used to receive callbacks for changes to specific content. The onChange callback of the SmsObserver class (depicted below) is called each time the system changes the SMS content provider state:

A screenshot of proof-of-concept code to demonstrate how the malware monitors for incoming SMS messages.
Figure 21. The proof-of-concept code monitoring for incoming SMS messages through SmsObserver

Suppressing notifications

Since API level 18, an application that extends the NotificationListenerService is authorized to suppress notifications triggered from other applications. The relevant API calls are:

  • cancelAllNotifications() to inform the notification manager to dismiss all notifications
  • cancelNotification(String key) to inform the notification manager to dismiss a single notification
  • cancelNotifications(String [] keys) to inform the notification manager to dismiss multiple notifications at once.

This API subset is abused by malware developers to suppress service subscription notification messages posted by the default SMS application. More specifically, upon successful subscription, the service provider sends a message to the user to inform them about the charges and offers the option to unsubscribe. By having access to the notification listener service, the malware can call any of the functions mentioned above to remove the notification.

Using dynamic code loading for cloaking

Cloaking refers to a set of techniques used to hide malicious behavior. For example, most toll fraud malware won’t take any action if the mobile network is not among its targets. Another example of a cloaking mechanism used by these threats is dynamic code loading. This means that certain malware codes are only loaded when certain conditions are met, making it difficult to detect by static analysis.

The following is a characteristic example of a multi-stage toll fraud malware with SHA-256: 2581aba12919ce6d9f89d86408d286a703c1e5037337d554259198c836a82d75 and package name: com.cful.mmsto.sthemes.

Stage one

This malware’s entry point is found to be the, a subclass of the Application class. The malicious flow leads to the function below:

A screenshot of malware code showing the function where the entry point of the malware leads to. This is the starting point of the dynamic code loading done by the malware.
Figure 22. The function where the entry point of the malware leads to

The call on line 21 fills the filesarray with the filenames fetched from the assets directory. The for loop enters theif branch at line 32 if the name of the asset file ends with “355”. Querying the asset files of the app for such a filename yields the following result:

A screenshot of the result when querying the malware's asset file for a file name that ends with "355". The result is a file with the name PhoneNUmberAlternateFormatsProto_355
Figure 23. Query result when searching for “355”

The PhoneNumberAlternateFormatsProto_355 is the source file which, in conjunction with a destination file and the string “xh7FEC2clYuoNQ$ToT99ue0BINhw^Bzy”, is given as parameters to the ns.j function:

A screenshot of the code of the ns.j function. It shows that the function accepts parameters from the source file PhotoNumberAlternateFormatsProto_355.
Figure 24. The ns.j function

The SecretKeySpec on line 68 is constructed from the first 16 bytes of the SHA-1 digest of the password string. This key is used to decrypt the file fetched from the assets using Advanced Encryption Standard (AES) in electronic codebook (ECB) mode. The decryption result is an ELF file that is saved in the application’s cache directory and loaded using the System.load function.

Stage two

The loaded library fetches the PhoneNumberAlternateFormatsProto_300file from the assets folder using the AAssetManager_fromJava function and writes it to a temporary file with the name b in the /data/data/<package_name>/ directory, as seen on line 93 below:

A screenshot of code wherein the malware fetches the second payload from the assets directory.
Figure 25. Fetching the second payload from the assets directory.

The file b is then decrypted using an XOR operation with the key “xh7FEC2clYuoNQ$ToT99ue0BINhw^Bzy”, which is given from the Java side (see following figures). The decrypted payload is saved with the name l in the application’s data directory:

A screenshot of code where the malware decrypts the asset with the name "l_file_fd".
Figure 26. Decrypting asset

Figure 27. The native handleTask called from the Java code

The same function loads the decrypted payload l and invokes the com.AdsView.pulgn using the DexClassLoader class loader (variable names have been changed for clarity):

A screenshot of the malware code where it loads the decrypted asset using the DexClassLoader class loader.
Figure 28. Dynamically loading the decrypted asset using the DexClassLoader

Decrypting the second payload manually yields the following APK file:

A screenshot of the code of the decrypted asset which is an APK file.
Figure 29. The decrypted APK file

It must be mentioned that the DexClassLoadercan be used to load classes from .jar and .apk files that contain a classes.dex entry.

Stage three

This decrypted APK consists of two main classes: the com.Helperand com.AdsView. The com.AdsView.pulgnfunction is the first to be invoked by the native library described in the previous section:

A screenshot of the code for the pulgn function, which is the first to be invoked once the payload is loaded.
Figure 30. pulgn is the first function to be invoked when the payload is loaded

The runnable thread’s main functionality is to connect the host to xn3o[.]oss-accelerate[.]aliyuncs[.]com and download a JAR file named xn30, which is saved to the cache directory with name nvi and then loaded using the startSdk function, as shown on line 81 below:

A screenshot of the malware code where it triggers the download of the final payload.
Figure 31. Download and trigger the final payload

The file xn30 is the final payload of stage three and is the one that performs the toll fraud activities previously described.

Mitigating the threat of toll fraud malware

Toll fraud is one of the most common malware categories with high financial loss as its main impact. Due to its sophisticated cloaking techniques, prevention from the side of the user plays a key role in keeping the device secure. A rule of thumb is to avoid installing Android applications from untrusted sources (sideloading) and always follow up with device updates. We also recommend end users take the following steps to protect themselves from toll fraud malware:

  • Install applications only from the Google Play Store or other trusted sources.
  • Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it. These are powerful permissions that are not commonly needed.
  • Use a solution such as Microsoft Defender for Endpoint on Android to detect malicious applications.
  • If a device is no longer receiving updates, strongly consider replacing it with a new device.

Identifying potential malware

For security analysts, it is important to be aware that conventional mitigation techniques based on static detection of malware code patterns can only offer limited remediation against this malware. This is due to the extended use of reflection, encryption, compression, obfuscation, steganography, and dynamic code loading.

There are, however, characteristics that can be used to identify this type of malware. We can classify these characteristics into three:

  • Primary characteristics – patterns in plaintext included in the application that can be analyzed statically
  • Secondary characteristics – common API calls used to conduct toll fraud activities
  • Tertiary characteristics – patterns in Google Play Store metadata such as the application’s category, the developer’s profile, and user reviews, among others

The tertiary characteristics are useful for initial filtering for potential malware. Patterns observed in the apps’ metadata are related to malware developers’ attempts to infect as many devices as possible in a short amount of time, while remaining published on the Google Play Store for as long as they can. We’ve observed that attackers often follow these steps to keep their apps in the Google Play Store:  

  1. Use open-source applications that belong to popular categories and can be trojanized with minimal effort. The preferred application categories include personalization (like wallpaper and lock screen apps), beauty, editor, communication (such as messaging and chat apps), photography, and tools (like cleaner and fake antivirus apps).
  2. Upload clean versions until the application gets a sufficient number of installs.
  3. Update the application to dynamically load malicious code.
  4. Separate the malicious flow from the uploaded application to remain undetected for as long as possible.

These applications often share common characteristics:

  • Excessive use of permissions that are not suitable to the application’s usage (for example, wallpaper, editor, and camera apps that bind the notification listener service or ask for SMS permissions)
  • Consistent user interfaces, with similar icons, policy pages, and buttons
  • Similar package names
  • Suspicious developer profile (fake developer name and email address)
  • Numerous user complaints in the reviews

Once potential malware samples are identified based on these tertiary characteristics, the primary characteristics can be used for further filtering and confirmation. Applications cannot obfuscate their permission requests, use of the notification listener service, or use of accessibility service. These requests must appear in the AndroidManifest.xml file within the APK, where they can be easily detected using static analysis. The commonly requested permissions by malware performing toll fraud may include: READ_SMS, RECEIVE_SMS, SEND_SMS, CHANGE_WIFI_STATE, ACCESS_WIFI_STATE, CHANGE_NETWORK_STATE. Requests for notification listener and accessibility service should be considered extremely suspicious.

Secondary characteristics also include suspicious API calls including: setWifiEnabled, requestNetwork, setProccessDefaultnetwork, bindProcessToNetwork, getSimOperator and cancelAllNotifications. However, since these calls may be obfuscated and may be hard to identify during static analysis, a more in-depth analysis may be necessary for certainty.

Improving Android security and privacy

Google continuously improves Android security and privacy as the mobile threat landscape evolves and new threats and adversary techniques are discovered. For example, in the operating system, API calls that can reveal potentially sensitive information continue to be removed or restricted, and in the Google Play Store, the publication policies guard against use of certain high-risk permissions (for example, the ability to receive or send SMSs) by requiring a Permission Declaration Form to be completed justifying their use. We anticipate Android security will continue to evolve to address abuse.

As discussed, applications currently can identify the cellular network operator and can send network traffic over the cellular network without any transparency to the user. Additionally, applications can request access to read and dismiss notifications, a very powerful capability, without needing to justify this behavior.


Toll fraud has been one of the most prevalent types of Android malware in Google Play Store since 2017, when families like Joker and their variants made their first appearance. It accounted for 34.8% of installed Potentially Harmful Application (PHA) from the Google Play Store in the first quarter of 2022, ranking second only to spyware.

By subscribing users to premium services, this malware can lead to victims receiving significant mobile bill charges. Affected devices also have increased risk because this threat manages to evade detection and can achieve a high number of installations before a single variant gets removed.

With this blog, we want to inform end users about the details of this threat and how they can protect themselves from toll fraud. We also aim to provide security analysts with guidance on how to identify other malicious applications that use these techniques.

Our in-depth analysis of this threat and its continuous evolution informs the protection we provide through solutions like Microsoft Defender for Endpoint on Android.

Learn how Microsoft Defender for Endpoint provides cross-platform security, including mobile threat defense capabilities.

Dimitrios Valsamaras and Sang Shin Jung
Microsoft 365 Defender Research Team


Samples (SHA-256)

Initial APK file2581aba12919ce6d9f89d86408d286a703c1e5037337d554259198c836a82d75 (com.cful.mmsto.sthemes)
Payload of stage two: Elf File (loader)904169162209a93ac3769ae29c9b16d793d5d5e52b5bf198e59c6812d7d9eb14 (PhoneNumberAlternateFormatsProto_355, decrypted)
Payload of stage three: APK (hostile downloader)61130dfe436a77a65c04def94d3083ad3c6a18bf15bd59a320716a1f9b39d826 (PhoneNumberAlternateFormatsProto_300, decrypted)
Payload of stage four: DEX (billing fraud)4298952f8f254175410590e4ca2121959a0ba4fa90d61351e0ebb554e416500f

Common API calls and permissions

API CallsPermissionsSDK
setProcessDefaultNetwork <23
bindProcessToNetwork >22
get (SystemProperties)  
evaluateJavascript >18
onReceive for SMS BroadcastReceiver w/ android.provider.Telephony.SMS_RECEIVEDRECEIVE_SMS>19
onChange for SMS ContentObserver w/ android.provider.telephony.SmsProvider’s content URI (“content://sms”)READ_SMS 


The post Toll fraud malware: How an Android application can drain your wallet appeared first on Microsoft Security Blog.

Posted in Skype for Business

June 30th, 2022 by Microsoft 365 Defender Threat Intelligence Team

We developed a robust detection method in Microsoft Defender for Endpoint that can catch known and unknown variations of a process execution class used by attackers to evade detection. This class of stealthy execution techniques breaks some assumptions made by security products and enables attackers to escape antimalware scans by circumventing process creation callbacks using a legacy process creation syscall. Publicly known variations of this class are process doppelganging, process herpaderping, and process ghosting.

Evasion techniques used by attackers often involve running malware within the context of a trusted process or hiding code from filesystem and memory scanners. More sophisticated attackers even carefully choose their process host so that their actions are run by a process that often performs these actions for benign reasons. For example, a browser process communicating with the internet seems completely normal, while an instance of cmd.exe doing the same sticks out like a sore thumb. This class of stealthy execution techniques, however, allows malware to create its own malicious process and prevent antimalware engines from detecting it.

This blog post presents our detailed analysis of how this process execution class works and how it takes advantage of Windows functionalities to evade detection. It also presents a peek into the research, design, and engineering concerns that go into the development of a detection method aiming to be as robust and future-proof as possible.

Common classes of stealthy process execution

On Windows systems, most methods attackers use to run code within another process fall within two classes: process injection and process hollowing. These classes allow attackers to run their code within another process without explicitly creating it from an executable, or making it load a dynamic link library (DLL).  Similar classes of techniques are often also called process injection, but this term will be used in a more specific definition for clarity.

Process injection

Process injection, the widest and most common class, consists of different techniques that introduce attacker-supplied executable memory into an already running process. Techniques in this class consist of two main parts:

  • Write primitive: A Windows API function, or a set of APIs, used to introduce malware into the target process.
  • Execution primitive: A Windows API method to redirect the execution of the process to the code provided by the attacker.

An example of a classic process injection flow is malware using the VirtualAllocEx API to allocate a buffer within a target process, WriteProcessMemory to fill that buffer with the contents of a malware module, and CreateRemoteThread to initiate a new thread in the target process, running the previously injected code.

Process hollowing

In process hollowing, instead of abusing an already running process, an attacker might start a new process in a suspended state and use a write primitive to introduce their malware module before the process starts running. By redirecting the entry point of the process before unsuspending, the attacker may run their code without using an explicit execution primitive.

Variants (and sometimes combinations) of both classes exist and differ from each other mostly by the  APIs being used. The APIs vary because a different function used to achieve the goal of one of the steps may not go through the numerous points at which an endpoint protection product intercepts such behavior, which can break detection logic.

New stealth techniques

In the past few years, stealth techniques from a process execution class have emerged that don’t strictly fit into any of the previously mentioned classes. In this class, instead of modifying the memory of an already created (but perhaps not yet executing) process, a new process is created from the image section of a malware. By the time a security product is ready to scan the file, the malware bits aren’t there anymore, effectively pulling the rug from under antimalware scanners. This technique requires defenders to use a different detection method to catch attacks that use it. As of today, the following variations of this class are known publicly as the following:

  • Process doppelganging1: Abusing transactional NTFS features to create a volatile version of an executable file used for process creation, with the file never touching the disk.
  • Process herpaderping2: Utilizing a writable handle to an executable file to overwrite the malware bits on disk before antimalware services can scan the executable, but after a process has already been created from the malicious version.
  • Process ghosting3: Abusing a handle with delete permissions to the process executable to delete it before it has a chance to be scanned.

This process execution class, including the variations mentioned above, takes advantage of the way the following functionalities in the operating system are designed to evade detection by security products:

  • Antimalware engines don’t scan files after every single modification.
  • Process creation callbacks, the operating system functionality that allows antimalware engines to scan a process when it’s created, is invoked only when the first thread is inserted into a process.
  • NtCreateProcessEx, a legacy process creation syscall, allows the creation of a process without populating it with any thread.

The following sections explain in more detail how these functionalities are abused.

When are files scanned?

A key feature of this process execution class is circumventing a file scan. Ideally, files are scanned whenever they’re modified. Otherwise, an attacker could simply modify an existing file into a malicious one, use it to create a process, and then either revert the file or delete it. So, why aren’t files scanned on every file change?

The answer lies in performance concerns. Consider a scenario in which a 1MB file is opened, and it’s overwritten by calling an API like WriteFile for every byte that needs to be overwritten. While only 1MB would be written to disk, the file would have to be scanned one million times, resulting in ~1 terabyte of data being scanned!

While the example is a good way to assure no detectably malicious content is written to disk, the amount of computing power it will use up makes it an unviable solution. Even a caching solution would simply shift the high resource usage to memory, as a product would need to keep information about the content of every single open file on the machine to be useful.

Therefore, the most common design for file scanning engines ignores the various transient states of the file content and initiates a scan whenever the handle to the file is closed.  This is an optimal signal that an application is done modifying a file for now, and that a scan would be meaningful. To determine what the file is about to execute as a process, the antimalware engine scans the file’s content at the time of process creation through a process creation callback.

Process creation callbacks in the kernel, such as those provided by the PsSetCreateProcessNotifyRoutineEx API, is the functionality in the operating system that allows antimalware engines to inspect a process while it’s being created. It can intercept the creation of a process and perform a scan on the relevant executable, all before the process runs.

Process creation notification isn’t invoked right when a process creation API is called, but rather when the first thread is inserted into a process. But since NtCreateUserProcess, the syscall used by all common high-level APIs to create a process, is designed to do a lot of the work required to create a process in the kernel, the insertion of the initial thread into the created process happens within the context of the syscall itself. This means that the callback launches while the process is still being created, before user mode has a chance to do anything.

A screenshot of code with a list of process creation callbacks invoked from the syscall NtCreateUserProcess.
Figure 1. Process creation callbacks being invoked from NtCreateUserProcess

The call stack indicates that in this scenario, PspCallProcessNotifyRoutines, the function responsible for invoking process creation callbacks, is called from PspInsertthread during the insertion of the initial thread into the process. It also indicates that the subsequent process creation callbacks are all called from within NtCreateUserProcess, and that they both finish executing before the syscall returns. This enables the antimalware to scan the process for malware activity as it’s created. This works if the process is created using NtCreateUserProcess. However, as researchers have found, there are other ways to create a process apart from this syscall.

How are processes created?                                                                                        

The syscall NtCreateUserProcess has only been available since the release of Windows Vista. Processes created by the CreateProcess API or any API using the NtCreateUserProcess syscall only provide the path to the executable. Meanwhile, the kernel opens the file without any share access that could allow modification (no SHARE_WRITE/SHARE_DELETE), creates an image section, and returns to user mode with the process pretty much ready to run (most legitimate Windows processes would require additional work to be done in user mode to operate correctly, but the NtCreateUserProcess syscall does the minimum work needed for a process to execute some code). This means that an attacker doesn’t have the time or the capability to modify an executable file after calling NtCreateUserProcess, but only before it’s scanned.

Versions of the NT kernel prior to the release of Windows Vista used a different syscall called NtCreateProcessEx. This function doesn’t adhere to the principle of doing a lot of the work in the kernel and in fact delegates a lot of the work normally associated with process creation on modern Windows platforms to user mode.

Screenshot of code of the function signature of the syscall NtCreateProcessEx. Unlike NtCreateUserProcess, this syscall does not have contain code that receives a path argument.
Figure 2. The function signature of NtCreateProcessEx. Note the absence of a path argument and the presence of SectionHandle.

One difference between the two is that NtCreateProcessEx doesn’t receive a path to the process executable as an argument, as is the case with NtCreateUserProcess.  NtCreateProcessEx expects the application to open the file on its own and create an image section from that file, which will be used as the main image section of the process, and the handle to which will be passed to NtCreateProcessEx.

Also, unlike NtCreateUserProcess, NtCreateProcessEx  creates a process object without populating the process with any threads, and the user application needs to explicitly insert the initial thread into the process using an API like NtCreateThread.

A screenshot of a callstack with the invocation of PspCallProcessNotifyRoutine and PspInsertThread. It is observed that the invocation of both happens from within NtCreateThreadEx.
Figure 3. In this callstack, the invocation of PspCallProcessNotifyRoutine and PspInsertThread happens from within NtCreateThreadEx, not from within a process creation syscall.

Combining this information with what we know about process creation callbacks allows us to come up with a generic flow for this stealthy process creation technique:

  1. The attacker opens the malware file and brings it into a transient modifiable state (writable without closing a handle, delete pending or an uncommitted transaction, and some other unpublished ones) while having malware content. The attacker doesn’t close the file yet.
  2. The attacker creates an image section from the file handle using NtCreateSection(Ex).
  3. The attacker creates a process using the image section handle as input.
  4. The attacker reverts the file’s transient state to a benign state (the file is deleted or overwritten, or a transaction is rolled back), and the handle is closed. At this point, the bits of the malware still exist in memory as the image section object is still there, but there is no trace of the malware content on the disk.
  5. The attacker inserts the initial thread into the process, and only then will the process creation notification callback for that process be launched. At that point, there is no malware content left to scan.
  6. The attacker now runs the malware process without its backing file ever being scanned.

In this generalized flow, a security product should be able to detect any variation of the technique if it can recognize that the process was created using the legacy NtCreateProcessEx syscall, which allows an adversary to run the process from a file in a transient state.

Of course, one could circumvent the need for NtCreateProcessEx by performing a similar trick with loading DLLs. However, in this scenario, the adversary can either load a new DLL into a process they already have full code execution capabilities without changing its identity, or remotely place the offending DLL into another process, performing what is essentially process injection. In both cases, the technique’s effectiveness as an evasion method is greatly diminished.

Detecting legacy process creation

The first anomaly to recognize to detect attacks using this technique is to find out whether a process was created using the legacy NtCreateProcessEx syscall.

The simplest way to do so would be to utilize user-mode hooking on the appropriate function in the NTDLL library. However, this approach would be easy to bypass, as it’s assumed that the adversary has arbitrary execution capabilities in the process calling the syscall. This means they would be able to unhook any functions intercepted by a security product, or simply directly call the syscall from their own assembly code. Even if the security product was to traverse the user-mode call stack from a process creation callback and check the return address against known values, the product would still be subject to evasion since an attacker could employ some creative pushes and jumps in assembly code to construct a spoofed user-mode call stack to their liking.

To create a robust detection for this behavior, information that can’t be modified or spoofed by a user-mode adversary should be used. A good example of this is a Windows file system concept called extra create parameters (ECPs).

ECPs are concepts that allow the kernel or a driver to attach some key-value information to a file create/open operation. The idea is very similar to extended file attributes, but instead of applying to an entire file on disk, ECPs are a transient property related to a specific instance of an open file. This mechanism allows the operating system and drivers to respond to a file being opened under some special circumstances.

An example of such special circumstances is a file being opened via Server Message Block (SMB). When this happens, an SRV_OPEN_ECP_CONTEXT structure is added to the IRP_MJ_CREATE IRP with GUID_ECP_SRV_OPEN as a key.

This ECP context contains information on the socket used for the communication with the SMB client, the name of the share which has been accessed, and some oplock information. A driver would then be able to use this information to appropriately handle the open operation, which might need some special treatment since the operation happened remotely.  

Interestingly, an exported, documented function named FsRtlIsEcpFromUserMode exists to determine whether an ECP originated in user mode or kernel mode. This raises the concern that forgetting to use this function in a driver or the OS would cause potential security issues, as a user mode adversary could spoof an ECP. That isn’t the case, though, as there is no functionality in the OS which allows a user to directly supply any ECP from user mode. The function itself checks whether a specific flag is set in the opaque ECP header structure, but there exists no code in the OS which can modify this flag.

Using ECPs for process creation API recognition

Starting with Windows 10, a very interesting ECP has been added to the operating system whenever a new process is created using NtCreateUserProcess. The GUID_ECP_CREATE_USER_PROCESS ECP and its related CREATE_USER_PROCESS_ECP_CONTEXT context are applied to the IRP_MJ_CREATE operation when the Windows kernel opens the process executable file. This ECP contains the token of the process to be created. In fact, the function used to open the executable path was changed from ZwOpenFile to IoCreateFileEx specifically to support ECPs on this operation.

A screenshot of code showing the CREATE_USER_PROCESS_ECP_CONTEXT.

On the other hand, as covered earlier, NtCreateProcessEx doesn’t open the process executable on its own but instead relies on the user to supply a section handle created from a file opened by the user themselves. Seeing as there is no way for the user to set the process creation ECP on their own handle, any process created using NtCreateProcessEx would be missing this ECP on the IRP_MJ_CREATE for its main image. Some cases exist in which the ECP wouldn’t be present even when the legacy API wasn’t used, but those can still be recognized. Barring those cases, the existence of the CREATE_USER_PROCESS ECP in the IRP_MJ_CREATE operation of the file object related to the main image of the process can now be used to precisely differentiate between processes created by NtCreateUserProcess and those created by NtCreateProcessEx.

Detecting processes created from files in a transient state

Since it’s now possible to check when the legacy process creation API has been used, the next step would be to check if the usage of the legacy process creation API was used to abuse the time-of-check-time-of-use (TOCTOU) issue involving process creation callbacks. This means that the executable image used to create the process has been opened and used in a transient state, which would already be rolled back when it’s to be scanned by an antimalware engine. To identify if TOCTOU was abused, it is important to examine the image section of the main executable of the process.

Windows loads executable images into memory and shares their memory between processes using memory sections (also called memory-mapped files). Each FILE_OBJECT structure for an open file contains a member called SectionObjectPointers, which contains pointers to the data and image section control areas relevant to the file, depending on whether if it has been mapped as a data file or an executable. The bits described by such a section may be backed either by a file on disk or by the page file (in which case the bits of the section won’t persist on disk). This property determines whether the mapped section can be flushed and recovered from a file or disk, or simply paged out.

However, an interesting thing happens when the connection between an image section and its backing file is severed. This can happen if, for example, the file is located on a remote machine or some removable storage, Copy-on-Write has been triggered, or most importantly, if the file has been somehow modified after the section has been created or could be modified in the future. During such cases, the image section becomes backed by the page file instead of the original file from which it was created.

A screenshot of the resulting code when the connection between an image section and its backing file is severed. A line of code with the WritableUserReferences member being set is highlighted.
Figure 5. The control area of a section breaking coherency with disk. Note the WritableUserReferences member being set.

The MmDoesFileHaveUserWritableReferences function provides the caller with the number of writable (or, more correctly, modifiable) references to the file object of a section and is used by the kernel transaction manager to preserve the atomicity of transactions. Otherwise, a file can be written, deleted, or simply gone when a transaction is to be committed. This function can be used for detection because a non-zero return value means that section coherency has been broken, and the logic switching the backing of the section to the page file has been triggered. This can help determine that the file is in one of the same transient states needed to abuse TOCTOU and evade detection.

Detection through Microsoft Defender for Endpoint

The two primitives discussed earlier can now be combined into detection logic. First, the absence of the GUID_ECP_CREATE_USER_PROCESS ECP will verify if the process was created using the legacy API NtCreateProcessEx. Then, the function MmDoesFileHaveUserWritableReferences checks if the file’s image section is backed by the page file, confirming that the process was created while the file is in a transient state. Meeting both conditions can determine that TOCTOU has been abused, whether by any of the published techniques, or a variation of it that uses similar concepts but abuses a functionality built into a driver to create a similar effect.

Microsoft Defender for Endpoint can detect each of the known techniques in this class of stealthy process execution and gives out a specific alert for variations of process ghosting, herpaderping, and doppelganging found in the wild. Apart from the specific alerts for each variation, detections exist for the generalized flow and any abuse of the legacy process creation API, including unpublished variations.

A sample screenshot of the notifications from Microsoft Defender for Endpoint for detections related to process ghosting, herpaderping, and doppelganging.
Figure 6. Microsoft Defender for Endpoint detections for variations of process ghosting, herpaderping, and doppelganging.

This blog post shares Windows internals knowledge and showcases a new detection method in Microsoft Defender for Endpoint that can help prevent detection evasion. Since data and signals from Microsoft Defender for Endpoint also feed into Microsoft 365 Defender, this new detection method further enriches our protection technologies, providing customers a comprehensive and coordinated threat defense against threats.

The stealth execution techniques discussed further prove that the threat landscape is constantly evolving, and that attackers will always look for new avenues to evade detection. This highlights the importance of continuous research on potential attack vectors, as well as future-proof solutions. We hope that the principles presented in this blog post can be used by other researchers in developing similar solutions.

Philip Tsukerman, Amir Kutcher, and Tomer Cabouly
Microsoft 365 Defender Research Team




The post Using process creation properties to catch evasion techniques appeared first on Microsoft Security Blog.

Posted in Skype for Business