Tag Archives: earlier

Inside Xbox Episode 5 News Recap – Xbox Wire

Earlier today Inside Xbox Episode 5 aired, continuing to pull back the curtain on Team Xbox to celebrate our games, features, and fans. This episode was full of closer looks at some big upcoming games, including No Man’s Sky, We Happy Few, and Earthfall, as well as the announcement of a huge addition to Xbox Game Pass. So, without further ado, let’s take a closer look at some of the biggest news coming out of this month’s episode of Inside Xbox.

Rocket League and Warhammer: Vermintide 2 are Coming to Xbox Game Pass

The Xbox Game Pass catalog continues to grow this week, thanks to the addition of a couple of awesome titles. First up, the much-loved Rocket League, which blends elements of soccer, racing, and demolition derbies together to create a wonderful whole, hits Xbox Game Pass today. Then, tomorrow, Warhammer: Vermintide 2 brings its mix of over-the-top gore and first-person hacking and slashing to the service.

The Sport White Special Edition Xbox One Controller

Featuring beautiful, clean lines and a snazzy design, the latest addition to the Xbox One controller family is a looker. Inspired by sports and sneakers, the Sport White’s got mint green accents and grey and silver patterns to go along with its fresh white design. If you’re a sneaker head, you’ll definitely want one of these. You can snag this sporty beauty at the Microsoft Store and other retailers beginning July 31st in the U.S. and Canada, and then worldwide on August 7th.

A Closer Look at No Man’s Sky

The highly-anticipated space exploration game No Man’s Sky is hitting Xbox One on July 24, so we had Hello Games founder Sean Murray on to share a bit about how excited the team is to be bringing the game to our consoles. He also showed a new video created by the team that breaks down 11 new features, from freighters to alien sidekicks, added to the game since its initial launch, all of which will be available when the game launches on Xbox One.

We Happy Few Adds a Story Mode

The Inside Xbox team was joined by Guillaume Provost from Compulsion Games, the latest studio to join the Microsoft Studios family. Guillaume showed off We Happy Few’s new story mode for the first time, sharing that you’ll be able to see events in the game from multiple perspectives as you play. This is going to be one wild ride, and we can’t wait to see more when the game releases in August.

Surviving an Alien Invasion in Earthfall

Coming to join us from their studio just up the road in Bellevue, the team from developer Holospark gave us a closer look at the upcoming game Earthfall, which releases this coming Friday, July 13. Earthfall is a four-player co-op shooter that tasks players with surviving an alien invasion, and it looks like a blast. Even better, the guys announced that all maps and additions to the game will be absolutely free to anyone who purchases it. There will also be Mixer integration, so save up that Spark to help your friends!

Seasons Change in Forza Horizon 4

To close out the show, the team was joined by some familiar faces from Playground Games, who came on to give fans a closer look at this highly-anticipated (and absolutely gorgeous) Xbox One racing game. This segment led into a special live-stream on mixer.com/forzamotorsport, where the team at Playground Games highlighted the summer season, including interviews with the team and community Q&A.

Thanks to everyone who tuned in! We hope you enjoyed the show and we can’t wait to tell you all about next month’s episode in a few weeks.

Insider preview: Windows container image

Earlier this year at Microsoft Build 2018, we announced a third container base image for applications that have additional API dependencies beyond nano server and Windows Server Core. Now the time has finally come and the Windows container image is available for Windows Insiders.

Why another container image?

In conversations with IT Pros and developers there were some themes coming up which went beyond the nanoserver and windowsservercore container images:
  • Quite a few customers were interested in moving their legacy applications into containers to benefit from container orchestration and management technologies like Kubernetes. However, not all applications could be easily containerized, in some cases due to missing components like proofing support which is not included in Windows Server Core.
  • Others wanted to leverage containers to run automated UI tests as part of their CI/CD processes or use other graphics capabilities like DirectX which are not available within the other container images.

With the new windows container image, we’re now offering a third option to choose from based on the requirements of the workload. We’re looking forward to seeing what you will build!

How can you get it?

If you are running a container host on Windows Insider build 17704, you can get this container image using the following command:

docker pull mcr.microsoft.com/windows-insider:10.0.17704.1000

To simply get the latest available version of the container image, you can use the following command:

docker pull mcr.microsoft.com/windows-insider:latest

Please note that for compatibility reasons we recommend running the same build version for the container host and the container itself.
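
One way to check the build-matching recommendation before running a container, as an added PowerShell example that is not from the original post. The function names are hypothetical; it assumes the tag format shown above (10.0.17704.1000) and, for a floating tag such as latest, an already-pulled image whose OsVersion field `docker image inspect` can read.

```powershell
# Added example, not from the original post. Function names are hypothetical.

function ConvertTo-BuildNumber {
    param([string]$Version)
    # "10.0.17704.1000" -> 17704 (third field); anything else -> $null
    if ($Version -match '^\d+\.\d+\.(\d+)\.\d+$') { return [int]$Matches[1] }
    return $null
}

function Get-ImageBuild {
    param(
        [Parameter(Mandatory)][string]$ImageRef,
        [switch]$InspectLocal
    )
    # A reference without an explicit tag resolves to ":latest".
    $tag = if ($ImageRef -match ':([^:/]+)$') { $Matches[1] } else { 'latest' }
    $build = ConvertTo-BuildNumber -Version $tag

    if ($null -eq $build -and $InspectLocal) {
        # Floating tag: read the OS version recorded in the pulled image.
        $osVersion = docker image inspect --format '{{.OsVersion}}' $ImageRef 2>$null
        if ($LASTEXITCODE -eq 0) {
            $build = ConvertTo-BuildNumber -Version ("$osVersion".Trim())
        }
    }
    return $build
}

function Test-ContainerBuildMatch {
    param(
        [Parameter(Mandatory)][string]$ImageRef,
        # Defaults to the build of the machine running the script.
        [int]$HostBuild = [System.Environment]::OSVersion.Version.Build,
        [switch]$InspectLocal
    )
    $imageBuild = Get-ImageBuild -ImageRef $ImageRef -InspectLocal:$InspectLocal

    $status = if ($null -eq $imageBuild) {
        'Unknown (floating tag, image not inspected)'
    } elseif ($imageBuild -eq $HostBuild) {
        'Match'
    } else {
        'Mismatch'
    }

    [pscustomobject]@{
        Image      = $ImageRef
        HostBuild  = $HostBuild
        ImageBuild = $imageBuild
        Status     = $status
    }
}

# Constructed inputs: host build 17704, the build named in the post.
'mcr.microsoft.com/windows-insider:10.0.17704.1000',
'mcr.microsoft.com/windows-insider:latest' |
    ForEach-Object { Test-ContainerBuildMatch -ImageRef $_ -HostBuild 17704 }
```

Pass `-InspectLocal` to resolve a floating tag against the image already on the host; a pinned version tag also records exactly which build a deployment was tested with.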

Since this image is currently part of the Windows Insider preview, we’re looking forward to your feedback, bug reports, and comments. We will be publishing newer builds of this container image along with the insider builds.

All the best,

Buy the World’s Most Powerful Console; Get the Hottest Multiplayer Game of 2017

Earlier this week, PlayerUnknown’s Battlegrounds (PUBG) released as a console launch exclusive on Xbox One in the Xbox Game Preview program, bringing the hottest multiplayer game of the year to console for the first time. Xbox fan excitement for the launch has been incredible, with more than 1 million players on Xbox One in its first 48 hours alone.

Released as part of the Xbox Game Preview program – in which players can preview and purchase work-in-progress digital titles, participate in the development process and help developers make Xbox One games the best they can be – in the weeks and months ahead PUBG on Xbox One will continue to receive enhancements, new content updates including the new desert map, “Miramar,” optimizations and more.

Today, in celebration of PUBG coming to the hottest console of the season, we’re excited to announce a special holiday promotion where every Xbox One X purchase will come with a copy of PUBG! That means you can join in on gaming’s biggest phenomenon and jump right into the ultimate battle royale experience on Xbox One. The promotion is available in select regions for a limited time, starting Dec. 17 through Dec. 31. For more information, please check with your local retailer, including your local Microsoft Store, whether you’re shopping in a physical store, online or through your Xbox device.

Xbox One X, which is available now for $499 USD, is the world’s most powerful console where gamers can experience the best versions of console games of the past, present and future. As part of the Xbox One family of devices, Xbox One X owners not only get access to all of the unique Xbox platform offerings like Backward Compatibility, Xbox Live, Xbox Game Pass and Xbox Play Anywhere, they also have access to a robust games library consisting of more than 1,300 games and more than 220 exclusives. With PUBG now part of the Xbox One library and more titles like Sea of Thieves, State of Decay 2 and Crackdown 3 coming in 2018, gamers have a lot to look forward to this holiday and beyond on Xbox One. For more information on Xbox One X, please visit xbox.com/xboxonex.

See you on the battleground!

Microsoft Digital Civility Challenge resonating with consumers worldwide, new data show – Microsoft on the Issues

Earlier this year, Microsoft called on people around the world to embrace “digital civility” in all online interactions by leading and acting with empathy, compassion and kindness. The concept appears to be taking hold, but there is still more work to be done, according to results of a new Microsoft research study.

Chart showing teens do a better job of defending themselves online than adults

Eighty-eight percent of teens and 87 percent of adults said they treat other people with respect and dignity online, while 84 percent of both age groups responded that they show respect for other people’s points of view. Three-quarters of young people and 77 percent of adults said they pause before replying to posts, texts and other content they disagree with, and nearly the same percentages said they stand up for themselves in the digital space (77 percent of teens, 73 percent of adults). Fewer – although still significant proportions – responded that they stand up for others online (65 percent of teens, 59 percent of adults).

Findings are from Microsoft’s latest research into digital civility around the world. We’re releasing these results on World Kindness Day to emphasize that it’s never too late to help foster safer, healthier and more respectful online interactions for everyone. “Civility, Safety and Interaction Online — 2017” polled teens ages 13-17 and adults ages 18-74 in 23 countries[1] regarding 20 online risks.[2] This year’s research builds on our first study done last year, which polled the same age demographics in 14 countries about 17 types of online abuse. Nearly 11,600 teens and adults participated in this year’s research.

Highlighting the research, our campaign for digital civility was launched on Safer Internet Day 2017 and featured our Digital Civility Challenge in which we asked people across the globe to commit to four basic tenets for life online:

  • Treat others as you would like to be treated by acting with empathy, compassion, and kindness in every interaction, and affording everyone respect and dignity.
  • Respect differences by honoring diverse perspectives and, when disagreements surface, engaging thoughtfully and avoiding name-calling and personal attacks.
  • Pause before replying to contrary comments and refrain from posting or sending anything that could hurt someone, damage a reputation or threaten someone’s safety.
  • Stand up for oneself and others by supporting those who are targets of online abuse or cruelty, reporting activity that threatens anyone’s safety and preserving evidence of inappropriate or unsafe behavior.

These challenge actions served as the basis for some new research questions this year. Still, more work appears to be needed. About half of teens see others demonstrating thoughtful consideration (51 percent) and standing up for others (52 percent) online, compared to 46 percent of adults, respectively. Those seeing people show respect for opposing views yielded similar results (54 percent of youth, 48 percent of adults). Meanwhile, respondents who saw others stand up for themselves online were higher: 66 percent of teens and 60 percent of adults.

Final results will be made available on international Safer Internet Day 2018 on Feb. 6, along with a year-over-year look at the Microsoft Digital Civility Index. The inaugural 14-country index, released earlier this year, represents respondents’ lifetime exposure to the 17 original online risks. (Our full Safer Internet Day 2017 release can be found at www.microsoft.com/digitalcivility.) A new international index reading will be announced next year, accounting for respondents’ experience with the expanded list of 20 online risks.

If you’d like to learn more about online safety generally and how best to protect yourself and your family, visit our website and review our resources; “like” us on Facebook and follow us on Twitter.

[1] Countries surveyed: Argentina, Australia, Belgium, Brazil, Chile, China, Colombia, France, Germany, Hungary, India, Ireland, Italy, Japan, Malaysia, Mexico, Peru, Russia, South Africa, Turkey, the United Kingdom, the United States and Vietnam.

[2] The 20 risks are grouped into four categories:

  • Reputational – “Doxing” and damage to personal or professional reputations
  • Behavioral – Being treated meanly; experiencing trolling, online harassment or bullying; encountering hate speech and microaggressions
  • Sexual – Sending or receiving unwanted sexting messages and making sexual solicitations; being a victim of sextortion or non-consensual pornography (aka “revenge porn”)
  • Personal / Intrusive – Being the target of unwanted contact, experiencing discrimination, “swatting,” misogyny, exposure to extremist content/recruiting, or falling victim to hoaxes, scams or fraud.


Your favorite apps—now available in Outlook on Android

Earlier this year, we launched add-ins for Outlook on iOS—bringing your favorite apps right in Outlook—so you can get more done on the go. We are now rolling out add-ins to Outlook on Android customers with Outlook.com and Office 365 commercial email accounts. Additionally, we’ll be bringing add-ins to Gmail customers on iOS and Android soon.

This launch will bring some of the most loved Outlook add-ins from iOS to Android, including Evernote, Microsoft Dynamics 365, Microsoft Translator, Nimble, OnePlaceMail, Outlook Customer Manager, Smartsheet, and Trello. We will also be launching several new add-ins for Outlook—including Wrike, JIRA, MeisterTask, Gfycat, and MojiLaLa. These add-ins will be available for Outlook customers across the web, Windows, Mac, iOS, and Android.

Get more done on the go with add-ins for Outlook

Add-ins help you accomplish tasks quickly—right from Outlook. Whether you want to save an email to your customer relationship management app, quickly add email content to your project board, translate emails on the fly, or add a bit of flair and personality to emails—add-ins have you covered. There is no need to switch back and forth between apps or copy/paste email information. With add-ins, your favorite apps are just a tap away in Outlook.

To start using add-ins for Outlook on iOS or Android, go to Settings > Add-ins and then tap the + sign next to the add-ins you want to enable.

Here’s a closer look at the new add-ins:

Wrike—A powerful online project management software for teams. The Wrike add-in for Outlook keeps you on top of work projects by enabling you to quickly capture your team’s communications in one place—giving team members greater visibility into work and making the team more productive. To use the Wrike add-in, tap the Open Wrike add-in icon to create Wrike tasks from emails, view and edit tasks, and collaborate in real-time—without leaving Outlook.

Animated image showing how to convert an email to a task using the Wrike add-in.

Stay on top of your work projects by quickly associating any email with a Wrike project.

JIRA (by Yasoon)—Designed specifically for software teams, JIRA provides best-in-class agile tooling, deep developer tool integrations, and a single repository for every step in your software project’s lifecycle. The JIRA add-in for Outlook helps you stay on top of software project issues and communication with customers, partners, or vendors by enabling easy tracking of your project’s progress, right from Outlook. Tap the New issue or Add to issue icon to create a new issue or update an issue using content from email and attachments. Tap View issues for an overview of open issues and due dates for the current conversation or sender.

To keep your business data safe, your JIRA administrator must configure a secure connection to JIRA first. See Getting started with JIRA for Outlook for more information.

Animated image showing how to open an issue related to a project using the JIRA add-in.

Use the JIRA add-in to create and update issues using email content.

MeisterTask—A highly intuitive task manager that adapts to your team’s workflow. The MeisterTask add-in lets you quickly save emails as tasks in your project board—without needing to copy/paste or re-enter the content into another app. To use the MeisterTask add-in, tap the Create Task icon to quickly create new tasks from incoming emails, assign them to your coworkers, and easily access task details.

Animated image showing how to convert an email to a task using the MeisterTask add-in.

Stay on top of your work projects using the MeisterTask add-in.

Gfycat—Discover and share awesome GIFs to make your emails more engaging, expressive, and fun. Congratulate your coworkers or thank them for a job well done with the new Gfycat add-in for Outlook. To use the Gfycat add-in, tap React with Gfycat to search for the GIF you are looking for, such as “Congratulations” or “Thank you.” The selected GIF will then be sent as your reply—adding a touch of your personality to the conversation.

Animated image showing how to search for a GIF image to send as a reply to an email using the Gfycat add-in.

Easily discover and share awesome GIFs, right from Outlook using the Gfycat add-in.

MojiLaLa—Designers bring you their best stickers to help you share emotions and communicate with one another around the world. The MojiLaLa add-in adds color, imagination, and humor to your emails. To use the MojiLaLa add-in, tap the Reply with MojiLaLa icon and then search for a sticker, such as “Great work” or “Happy Birthday.” The selected sticker will be sent as your reply.

Animated image showing how to search for a sticker to send as a reply to an email using the MojiLaLa add-in.

Add fun, humor, and a touch of personality to your emails using the MojiLaLa add-in.

In addition to these new add-ins, several existing add-ins available for Outlook on iOS will now be available on Outlook for Android, including:

  • Evernote—Easily save emails from Outlook to a project notebook in Evernote.
  • Microsoft Dynamics 365—Quickly look up customer contacts, associate an email or appointment with an existing opportunity, or create new records with just a few taps.
  • Microsoft Translator—Translate email messages on the fly, with support for 60+ languages powered by Microsoft Translator.
  • Nimble—Get insights on any contact in Outlook, including broad social profiles, shared relationships, mutual interests, industry and company profile, revenue, and more.
  • OnePlaceMail—Seamlessly save emails and attachments to SharePoint without leaving the familiar Outlook environment.
  • Smartsheet—Easily manage your work and collaborate with stakeholders in real-time by quickly creating, assigning, and updating tasks and capturing other project information right from your email.
  • Trello—Quickly associate any incoming email with an existing board, create cards, and edit descriptions. In addition, the Trello add-in has now been updated to save email attachments to your Trello board.
  • Outlook Customer Manager (coming soon)—Track and grow customer relationships right from Outlook.

Try the new Outlook add-ins and send us your feedback

Add-ins bring your favorite apps right into Outlook, so you can accomplish more, faster. We hope you give them a try. If you have feedback or suggestions on adding your favorite apps in Outlook, visit the Outlook for Android UserVoice—we’re eager to hear from you!

Developers—If you are a developer looking to build add-ins for Outlook, check out the Outlook Dev Center for more resources.

—The Outlook team

Frequently asked questions

Q. How do I enable add-ins for Outlook on iOS and Android?

A. To start using add-ins for Outlook on iOS or Android, go to Settings > Add-ins and then tap the + sign next to the add-ins you want to enable. For detailed steps, refer to our support article. Note that add-ins for Outlook on iOS and Android are currently available when reading email.

Q. Why do the animated images in the blog look different from what I currently see on my Outlook on Android device?

A. The animated images in the blog show the new conversation experience that is coming to Outlook on Android customers over the next few weeks. It is already available to customers using Outlook on iOS.

Q. I have Outlook on Android with an Outlook.com or Office 365 commercial email account, but I still don’t see the add-ins.

A. Add-ins for Outlook on iOS and Android are rolling out to all Office 365 commercial customers and Outlook.com customers over the next few weeks. If you have an Office 365 commercial email account (a mailbox in Exchange Online) or Outlook.com email account, you should be able to see the Add-ins section in the settings tab over the next few weeks.

Q. When will add-ins be available to Gmail users?

A. Add-ins for Outlook on iOS and Android will be available to customers with Gmail accounts in the next few months.

Q. As an administrator, how do I manage access to add-ins for my organization?

A. Administrators can manage access to add-ins for users in your organization using the Exchange admin center. For more details, refer to the Add-ins for Outlook TechNet article.

Take a Lap on Some of Your Favorite Tracks, Reimagined in Forza Motorsport 7

Earlier this week, the folks at ComputerBild published a feature on tracks in Forza Motorsport 7. Featuring a discussion with Turn 10 Studios creative director Dan Greenawalt, the article pointed out the many cutting-edge systems that Turn 10 uses to bring the tracks to life with new weather scenarios and alternate times of day that literally cast the tracks of Forza Motorsport 7 in a brand-new light. If you haven’t already done so, check out the article now.

Suzuka Circuit, Completely Rebuilt

It’s one thing to read about the changes coming to tracks in Forza Motorsport 7 but it’s a very different thing to see them for yourself. Suzuka is a prime example; like all of the real-world tracks in Forza Motorsport 7, Suzuka is officially licensed and completely rebuilt with High Res assets designed to look fantastic at native 4K and on the entire family of Xbox consoles. Not only is the track completely rebuilt and updated, Suzuka also features wet weather conditions for the first time in Forza history. Imagine tackling the “S Curves” at full speed, or barreling around the harrowing 130R, only this time battling the dynamic puddles that line the edges of the circuit, and the blinding spray of the cars in front of you. The same challenge that real-world drivers face at Suzuka lap-after-lap, will now be your challenge as well.

Returning Fan-Favorite, Maple Valley

I might be wrong, but I could swear I heard an audible gasp of excitement on the Interwebz back at E3 when we confirmed that Maple Valley would be returning with Forza Motorsport 7. Is there a more lauded, more beloved track in the Forza universe? Whether you’re looking to test your sideways skills on one of Forza’s best drifting tracks, or you want to push the edges of speed on its sweeping corners, Maple Valley is a masterpiece in every respect. Like Suzuka, it will also feature wet weather conditions as well – also a first in Forza history.

I want to make sure that you all understand what I mean when referring to conditions like weather and time of day. In Forza Motorsport 7, we’ve built tracks with a central goal in mind: Making every time you return to a track a unique experience. That goal manifests itself in a variety of ways.

Rapidly Changing Dynamic Weather

There’s no such thing as a simple “rain” setting in Forza Motorsport 7. Not for Sebring or the Nürburgring, or Brands Hatch, or any other track where wet conditions are available. Instead, the team has created a system that can smoothly transition through multiple weather conditions per track, and those conditions can (and often will) change throughout a race. You might start off with gray skies and fog on a track like Sebring, only to find yourself in the middle of a thunderstorm two laps later. The lights might go green at Silverstone during a light rain, only to find drivers in dry conditions by the end of Lap 2. As in the real world, conditions change and sometimes change quickly, and it’s up to drivers to react to those changes.

Bringing Time of Day to Life

Those dynamic conditions extend to time of day too. Turn 10 is building on the sky technology that was first seen in Forza Horizon 3, capturing real skies that bring life, motion, and color to every track in the game. Check out the screenshot of the observation tower at the Circuit of the Americas against a darkening sky – one glance is all it takes to recognize a Texas sky at dusk. Even Laguna Seca – a track that has been in Forza Motorsport since the very first game; a track that all of us have driven hundreds, if not thousands of laps on – feels completely new in Forza Motorsport 7.

Whether you’re talking time of day or the weather you’re driving in, it all comes back to that central goal: every race should feel unique. When you’re playing through the Forza Driver’s Cup single player campaign, you’ll experience that first-hand. Take a race at a track like Silverstone as an example. Maybe the first time you play it, you’ll battle the elements in a typical British downpour. Go back and revisit that same race in campaign, your conditions may be completely different; in fact, you may not encounter rain at all. The developers at Turn 10 have introduced probability into the various race conditions scenarios; meaning that there is a percentage chance that the weather conditions might (or might not) change. One race, things will go from bad to worse; the next time around, conditions might stay in your favor. It’s that element of chance – and the need to prepare for whatever the race throws at you – that promises to make racing in Forza Motorsport 7 so exciting.

For me, weather and time of day are a game-changer. It will add the kind of variety and challenge that was only hinted at in previous versions of the game. The unpredictable conditions you drive in will affect your race more than ever before, and all of it runs at the rock-solid 60 fps that Forza Motorsport fans expect.

See below for all 32 tracks available to play in Forza Motorsport 7, and as always, stay tuned to ForzaMotorsport.net for more Forza Motorsport 7 goodness as we draw closer to launch, and don’t forget to pre-order Ultimate Edition for early access on Sept. 29.

Brands Hatch

Circuit of the Americas

Daytona International Speedway

Dubai Circuit

Homestead-Miami Speedway

Maple Valley Raceway

Autodromo Internazionale del Mugello


Rio de Janeiro

Sebring International Raceway

Silverstone Racing Circuit

Circuit de Spa-Francorchamps

Suzuka Circuit

Virginia International Raceway

Yas Marina Circuit

Bernese Alps

Mount Panorama Circuit

Circuit de Catalunya


Indianapolis Motor Speedway

Sonoma Raceway

Mazda Raceway Laguna Seca

Le Mans Circuit de la Sarthe

Lime Rock

Long Beach

Autodromo Nazionale Monza

Test Track Airfield


Road America

Road Atlanta

Top Gear

Watkins Glen

How threat actors weaponized Mia Ash for a social media attack

Who is Mia Ash?

That was the question security analysts at Dell SecureWorks found themselves pondering earlier this year while investigating a flurry of phishing attacks against targets in the Middle East. Analysts believed a sophisticated advanced persistent threat (APT) group was behind the attack, for two reasons. First, the emails contained PupyRAT, a cross-platform remote access Trojan that was first discovered in 2015 and had been used by an Iranian threat actor group Dell refers to as “Cobalt Gypsy” (also known as Threat Group 2889 or “OilRig”). And second, the email addresses used in the attacks weren’t spoofed.  

“Many of the phishing emails were coming from legitimate addresses at other companies, which led us to believe those companies had been compromised,” Allison Wikoff, intelligence analyst at Dell SecureWorks, told SearchSecurity.

The email addresses used by the attackers belonged to Saudi Arabian IT supplier National Technology Group and Egyptian IT services firm ITWorx. But as sophisticated as the phishing attacks were, the targeted companies — which included energy, telecommunications, and financial services firms, as well as government agencies in the EMEA region — were largely successful in repelling the attacks and preventing the spread of PupyRAT in their environments.

But after the unsuccessful phishing attacks, Dell SecureWorks’ Counter Threat Unit (CTU) observed something else that alarmed them. Instead of another wave of phishing emails, CTU tracked a complex social media attack that indicated a resourceful, patient and knowledgeable nation-state threat actor.

Who is Mia Ash?

On Jan. 13, after the phishing attacks had ended, an employee at one of the companies targeted by Cobalt Gypsy received a message via LinkedIn from Mia Ash, a London-based photographer in her mid-20s, who said she was reaching out to various people as part of a global exercise. The employee, who SecureWorks researchers refer to anonymously as “Victim B,” connected to the photographer’s LinkedIn profile. To Victim B or the casual observer, Ash’s profile seemed legitimate; it contained a detailed work history and had more than 500 connections to professionals in the photography field, as well as individuals in the same regions and industries as Victim B.

The attackers spent a lot of time and effort building this persona, and they knew how to avoid detection.
Allison Wikoff, intelligence analyst, Dell SecureWorks

After about a week of exchanged messages about photography and travel, Ash requested that Victim B add her as a friend on Facebook so the two could continue their conversation on that platform. According to SecureWorks’ new report, Victim B instead moved the correspondence to WhatsApp, a messaging service owned by Facebook, as well as email. Then on Feb. 12, Ash sent an email to Victim B’s personal email account with a Microsoft Excel file that was purportedly a photography survey. Ash requested that Victim B open the file at work in his corporate environment so that the file could run properly.

Victim B honored the request and opened the Excel file on his company workstation; the file contained macros that downloaded the same PupyRAT that Cobalt Gypsy used in the barrage of phishing attacks several weeks earlier. “It was the same organization that was hit before, within a month, and that was a big red flag,” Wikoff said.

Luckily, Victim B’s company antimalware defenses blocked the PupyRAT download. But the incident alarmed the company; Dell SecureWorks was asked to investigate the matter, and the CTU team soon discovered that “Mia Ash” wasn’t a professional photographer — in fact, she likely didn’t exist at all — and that another person was targeted long before Victim B.

Mia Ash Facebook page
The now-deleted Facebook page of ‘Mia Ash’

Behind the online persona

When CTU researchers started digging into the Mia Ash online persona, they discovered more red flags. While Ash’s LinkedIn profile was populated with connections to legitimate professionals, half of the connections bore striking similarities: all male individuals, between their early 20s and 40s, who work in midlevel positions as software developers, engineers and IT administrators. In addition, these connections worked at various oil and gas, financial services and aerospace companies in countries such as Saudi Arabia, India and Israel — all of which had been targeted by the Iranian APT group Cobalt Gypsy.

“We saw a good cross section of LinkedIn connections — half of them were what looked like legitimate photographers and photography professionals, and the other half appeared to be potential targets,” Wikoff said.

This wasn’t the first time threat actors used fake social media accounts for malicious purposes, but this was one of the most complex efforts the researchers had ever seen. The CTU team discovered Mia Ash had been active long before January and that Victim B wasn’t actually the first target to fall prey to this complex social media attack. The CTU team discovered a Blogger website called “Mia’s Photography” that had been created in April 2016. They also found that two other domains apparently belonging to Ash were registered in June and September of last year using a combination of Ash’s information and that of a third party, whom CTU refers to as “Victim A.”

It’s unclear why the domains were registered — they don’t contain malware or any malicious operations — or why Victim A participated. Wikoff said there are a number of possibilities; it’s likely that either Victim A registered both domains as a friendly or romantic gesture to Ash, believing she was real, or that Victim A registered the first domain as a gift for Ash and then the attackers behind the persona registered the second on behalf of Victim A to reciprocate the gesture.

Whatever the case, it appears Victim A was used as a sort of “patient zero” from whom the attackers could establish other social media connections. Wikoff said SecureWorks made attempts to contact Victim A, who like other Mia Ash targets had worked in energy and aerospace companies in the Middle East/Asia region, but so far has not heard back from him. The ironic part is that Victim A is currently an information security manager for a large consulting company – and even he was apparently fooled by this online persona.

There was more to Mia Ash than just the LinkedIn profile and Blogger site; the persona’s Facebook account was populated with personal details (her relationship status, for example, was listed as “It’s complicated”), posts about photography and images of herself, as well as her own professional photos. However, the images were stolen from the social media accounts of a Romanian photographer (Dell SecureWorks did not disclose the woman’s identity in order to protect her privacy).

“At first pass, it looks like a legitimate Facebook profile,” Wikoff said. “The attackers spent a lot of time and effort building this persona, and they knew how to avoid detection.”

For example, Wikoff said, the threat actors rotated or flipped many of the images stolen from the Romanian woman so the pictures would not show up in a reverse image search. The attackers also kept the social media accounts active with fresh postings and content to make them appear authentic and to lure potential targets like Victim A to interact with them; in fact, Victim A interacted with Mia Ash’s Facebook page as recently as March.
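A defender checking whether a profile photo is a reused copy can compare perceptual hashes across every mirrored and 90-degree-rotated orientation instead of only the image as posted. The sketch below is an added example, not SecureWorks' method or code from the report; it uses a simple average hash, the function names and the threshold of 10 are assumptions, and the images are constructed grids rather than real photos.

```python
# Added example: mirror/rotation-tolerant perceptual matching.
# All names are hypothetical and all images are constructed test data.

def shrink(img, n=8):
    """Block-average a square grayscale image (list of rows) down to n x n."""
    step = len(img) // n
    return [[sum(img[r * step + i][c * step + j]
                 for i in range(step) for j in range(step)) / step ** 2
             for c in range(n)] for r in range(n)]

def ahash(img):
    """Average hash: one bit per cell, set when the cell is brighter than the mean."""
    cells = [p for row in shrink(img) for p in row]
    mean = sum(cells) / len(cells)
    return [p > mean for p in cells]

def variants(img):
    """Yield all 8 orientations: 4 rotations, each plain and mirrored."""
    cur = [list(row) for row in img]
    for _ in range(4):
        yield cur
        yield [row[::-1] for row in cur]
        cur = [list(col) for col in zip(*cur[::-1])]  # rotate 90 degrees clockwise

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def direct_distance(known, candidate):
    """Distance when the candidate is compared only as posted."""
    return hamming(ahash(known), ahash(candidate))

def min_distance(known, candidate):
    """Smallest distance over every orientation of the candidate."""
    h = ahash(known)
    return min(hamming(h, ahash(v)) for v in variants(candidate))

def is_reused(known, candidate, threshold=10):
    return min_distance(known, candidate) <= threshold

# Constructed 32x32 grayscale grids standing in for photos.
ORIGINAL = [[4 * c + 2 * r for c in range(32)] for r in range(32)]
MIRRORED = [[p + 5 for p in row[::-1]] for row in ORIGINAL]  # flipped, slightly brighter
ROTATED = [list(col) for col in zip(*ORIGINAL[::-1])]        # rotated 90 degrees
UNRELATED = [[255 if (r // 4 + c // 4) % 2 == 0 else 0 for c in range(32)]
             for r in range(32)]

if __name__ == "__main__":
    for name, img in [("mirrored", MIRRORED), ("rotated", ROTATED), ("unrelated", UNRELATED)]:
        print(name, direct_distance(ORIGINAL, img), min_distance(ORIGINAL, img),
              is_reused(ORIGINAL, img))
```

This only covers mirroring and quarter-turn rotations; arbitrary angles, crops or heavy edits need a more robust image descriptor.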

Online personas as social media attacks

The CTU team determined with a high confidence level that Mia Ash was a fake online persona created by threat actors to befriend employees at targeted organizations and lure those individuals into executing malware in their corporate environments. The CTU team also believes with “moderate confidence” (according to the scale used by the U.S. Office of the Director of National Intelligence) that Mia Ash was created and managed by the Cobalt Gypsy APT group.

The Mia Ash LinkedIn account disappeared before the CTU team could contact LinkedIn; the team alerted Facebook, which removed the Mia Ash profile. The CTU team wasn’t able to determine what Cobalt Gypsy’s ultimate goal was with this social media attack; they only know the threat actors were attempting to harvest midlevel network credentials with the PupyRAT malware.

While the motive for the Mia Ash campaign is still a mystery, Wikoff said it was clear the APT group had done its homework on both the organizations it was targeting and what was required to build and maintain a convincing online persona. In addition, the threat actors specifically targeted employees they knew had the desired network credentials and would likely respond to and engage the Mia Ash persona.

This isn’t the first time Cobalt Gypsy has used social media attacks; in 2015, SecureWorks reported the APT group used 25 fake LinkedIn accounts in a social engineering scheme. In that case, the attackers created profiles of employment recruiters for major companies like Teledyne and Northrop Grumman and used them as malicious honeypots or “honey traps.” Once victims made contact with the fake profiles, attackers would lure them into filling out fraudulent employment applications.

The Mia Ash campaign demonstrates the evolution of such social media attacks. Instead of just composing a single LinkedIn profile, the attackers expanded their online footprint with other social media accounts. And the larger the online presence, Wikoff said, the more convincing the persona becomes.

“Cobalt Gypsy’s continued social media use reinforces the importance of recurring social engineering training,” the SecureWorks report states. “Organizations must provide employees with clear social media guidance and instructions for reporting potential phishing messages received through corporate email, personal email, and social media platforms.”

But Wikoff said awareness training isn’t enough to stop advanced social engineering attacks like the Mia Ash campaign. “You can train people with security awareness, but someone is always going to click,” she said. “And the attackers know this.”

In the case of Victim A, the campaign would have been successful if not for antimalware defenses that prevented PupyRAT (which, it should be noted, was a known malware signature) from downloading. But other organizations might not be as lucky, especially if these attacks use new malware types with no known signatures.

In addition, social media services offer an enormous opportunity for threat actors. Wikoff said attackers can easily set up accounts for LinkedIn, Facebook, Twitter and other services, free of charge, and use them for malicious purposes without running afoul of the sites’ terms of service. While the Mia Ash profiles for LinkedIn and Facebook were removed after the fact, Wikoff said it’s difficult for social media services to spot APT activity like the Mia Ash campaign before a user is victimized.

SecureWorks believes that Cobalt Gypsy has more online personas actively engaged in malicious activity, but finding them before they compromise their potential targets will be a challenge.

“It shows how much bigger the threat landscape has gotten,” Wikoff said. “It’s a case study on persistent threat actors and the effort they will go to in order to achieve their goals.”