This article is contributed. See the original author and article here.
Microsoft Copilot is already helping individual employees boost productivity, creativity and time savings. With the announcements at Microsoft Build 2024, we’re delivering an entirely new set of capabilities that unlock Copilot’s ability to drive bottom-line business results for every organization.
In today’s fast-paced sales landscape, prioritizing core selling activities over low-value tasks is crucial. Time spent on tasks that don’t directly contribute to sales represents missed opportunities to connect with prospects and close deals. With Dynamics 365 Sales, we’re committed to using AI to support sellers in focusing their time on what truly matters: forging meaningful connections, establishing trust, and nurturing long-term relationships to increase their sales productivity. Copilot empowers sellers to achieve greater results with less effort, enhancing your sales organization’s effectiveness. We’re happy to share that the following features are releasing this month.
Copilot chat Q&A in Dynamics 365 Sales
Copilot chat with Q&A transforms how sellers access data in your customer relationship management (CRM) system. Instead of building complicated queries or manually searching for information, sellers can ask questions using natural language. They can access vital information immediately, allowing them to focus on high-value activities like engaging customers and closing deals. The result is more time for meaningful interactions, potentially leading to higher conversion rates and increased revenue.
Natural-language Q&A is particularly valuable in fast-paced sales environments, ensuring quick, informed actions. This feature elevates customer interactions, positioning teams for higher sales productivity. Its impact extends beyond convenience, shaping the efficiency and effectiveness of the entire sales process.
Copilot chat in Dynamics 365 Sales makes it easy to retrieve information from Dataverse and your CRM system.
Sales-specific chat experience
One of the key features of Copilot in Dynamics 365 Sales is that the chat experience is specific to the sales process. Sellers can use common sales terms and phrases to ask questions and get answers from the CRM system, without having to navigate through complex menus or screens. This saves time and effort for sellers, allowing them to focus on their customers and prospects.
Some of the sales terms that Copilot understands are conversion rate, deal cycle, pipeline, deal size, win rate, and deal value. Sellers and managers can use these terms to query various aspects of the sales process, like the performance of individual sellers, teams, or regions, the progress of opportunities, and the trends and forecasts of sales outcomes. Copilot can also handle complex queries with multiple terms, filters, and aggregations.
For example, you can ask Copilot:
“Show the opportunity conversion rate for the last 4 quarters by quarter.”
“What’s the win rate for Kenny Smith?”
“What is the average deal size for successful opportunities?”
Copilot in Dynamics 365 Sales understands sales-specific terms expressed in natural language.
These examples illustrate how Copilot can help sellers access relevant information from your CRM system in a natural and intuitive way, using sales-specific terms in a chat experience. Copilot chat Q&A enhances your sales team’s productivity and efficiency and their ability to meaningfully engage with customers and prospects.
Your CRM data is always secure
Copilot respects the security and user access privilege settings of your CRM system. This means that if a seller doesn’t have permission to view or edit certain records, those records aren’t included in Copilot’s responses. For example, if you ask Copilot about the pipeline value for a region that you aren’t assigned to, Copilot informs you that you don’t have sufficient privileges to view the requested data. This ensures that Copilot maintains the integrity and confidentiality of your CRM data while providing insights and recommendations.
Immersive Copilot workspace
We are also launching the public preview of a new immersive Copilot experience in Dynamics 365 Sales. An expanded workspace enhances focus on productive conversations with Copilot, while real-time insights and effortless natural language chat functionality help sellers efficiently manage sales activities, nurture customer relationships, and drive sales success. Seamless access to insights from CRM data simplifies prioritizing actions and smarter decision-making.
The new immersive Copilot workspace in Dynamics 365 Sales helps sellers focus on sales activities.
The immersive experience works in sync with the Copilot chat pane. Start a conversation in the immersive workspace, select a record, and continue the conversation in the Copilot chat. The coherent experience makes it easy to navigate in the app without losing context.
Use the immersive workspace
The immersive experience is in preview so that we can make improvements based on your valuable feedback. To use the immersive experience in your environment, you’ll need to turn on preview features for Copilot in Dynamics 365 Sales. In the Sales Hub app, Copilot is automatically added to the site map under My Work. If you use a custom app, add the Copilot page to your app’s site map. To enter the immersive workspace, select My Work > Copilot.
Enter Copilot in immersive mode through the site map in Sales Hub or your custom app.
Transform your sales processes with Copilot
Copilot in Dynamics 365 Sales helps your sellers save time and stay focused on the things that really matter. They get the information they need faster with less context switching, making their day-to-day activities more efficient and boosting your team’s overall sales productivity.
Sellers are often faced with situations where they need to sift through a lot of information to find the one piece they need. There are often extensive knowledge bases where sellers need to search for information, and lots of precious time is lost in the process.
We are here to help with that!
With our new features outlined below, sellers can access relevant sales information from SharePoint through the Copilot chat interface in Dynamics 365 Sales.
By automating the extraction of critical insights from sales documents, Copilot in Dynamics 365 Sales frees up valuable time for sales teams to focus on nurturing leads, closing deals, and delivering exceptional customer experiences. With Copilot in Dynamics 365 Sales, businesses can streamline their sales processes, gain deeper customer insights, and ultimately drive greater revenue growth. Copilot in D365 Sales empowers sales teams to work smarter, not harder, and achieve unparalleled efficiency in their daily operations.
Contextual content recommendations
With this feature, the system seamlessly reads the CRM context, and intelligently recommends relevant product and account-related files. For example, sellers are provided with content recommendations regarding the products added to opportunities. From PDFs to Word documents and PowerPoint presentations, the Copilot pane in D365 Sales provides instant access to the most pertinent sales materials, empowering sales reps to make informed decisions and deliver personalized experiences to customers. This could include sales pitch decks, account strategy collaterals, product brochures and training materials that are made available to sellers. As a result, sales interactions are tailored and impactful, driving stronger customer engagement and business growth.
“Show product-related files” appears as a trailing prompt to opportunity summary
Users effortlessly access contextual file recommendations in Copilot in D365 Sales by selecting from the sparkle icon (marked in the image below) or typing queries in their preferred language. Sorted by relevance, the latest files and most popular results appear first. Files can be viewed, downloaded, or shared via email, ensuring seamless collaboration. Additionally, users can specify keywords for targeted searches, enhancing efficiency while upholding data security. Copilot in D365 Sales respects user permissions, displaying only accessible SharePoint files.
Access related files in Copilot in D365 Sales – through sparkles menu, natural language prompts, associated products.
SharePoint Q&A
Sellers can now easily navigate through sales documents and literature by simply asking questions. Leveraging Azure OpenAI technology, Copilot in D365 Sales swiftly scans through data and literature, summarizing pertinent information from SharePoint documents. This seamless integration empowers sellers to swiftly access insights, enhancing productivity and enabling quick, informed responses to customer inquiries.
Invoke SharePoint Q&A and get summaries from relevant documents, with citations of references.
In Copilot in D365 Sales, accessing answers is seamlessly integrated with your SharePoint documents. Simply type your question in the Copilot pane using natural language and hit Enter – no need to navigate through any of your files and folders! For instance, inquire about warranty periods or prices directly. Copilot initiates a search in SharePoint. Should the answer reside in one or more files in SharePoint, Copilot offers a concise response alongside links to relevant documents, ensuring comprehensive insights are just a click away.
Next steps
Increasing your sales team’s efficiency could be as simple as having all the information just a click away!
Not a Dynamics 365 Sales customer yet? Take a guided tour and sign up for a free trial at Dynamics 365 Sales overview.
AI solutions built responsibly.
Enterprise grade data privacy at its core. Azure OpenAI offers a range of privacy features, including data encryption and secure storage. It allows users to control access to their data and provides detailed auditing and monitoring capabilities. Copilot is built on Azure OpenAI, so enterprises can rest assured that it offers the same level of data privacy and protection.
Responsible AI by design. We are committed to creating responsible AI by design. Our work is guided by a core set of principles: fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. We are putting those principles into practice across the company to develop and deploy AI that will have a positive impact on society.
Dan Kershaw
We’re thrilled to announce that Bicep templates for Microsoft Graph resources will be in public preview starting May 21st. Bicep templates bring declarative infrastructure-as-code (IaC) capabilities to Microsoft Graph resources. This new capability will initially be available for core Microsoft Entra ID resources.
Bicep templates for Microsoft Graph resources allow you to define the tenant infrastructure you want to deploy, such as groups or applications, in a file, then use the file throughout the development lifecycle to repeatedly deploy your infrastructure. The file uses the Bicep language, a domain-specific language (DSL), that uses declarative syntax to deploy resources typically used in DevOps and infrastructure-as-code solutions.
What problems does this solve?
Azure Resource Manager or Bicep templates allow you to declare Microsoft Azure resources in files and deploy those resources into your infrastructure. Configuring and managing your Azure services and infrastructure often includes managing Microsoft Entra ID resources, like applications and groups. Until now, you had to orchestrate your deployments between two mechanisms using ARM or Bicep template files for Azure resources and Microsoft Graph PowerShell for Microsoft Entra ID resources.
Now, with the Microsoft Graph Bicep release, you can declare the Microsoft Entra ID resources in the same Bicep files as your Azure resources, making configurations easier to define, and deployments more reliable and repeatable.
Let’s look at how this works and then we’ll run through an example.
The Microsoft Graph Bicep extension
To provide support for Bicep templates for Microsoft Graph resources, we have released the new Microsoft Graph Bicep extension that allows you to author, deploy, and manage supported Microsoft Graph resources (initially Microsoft Entra ID resources) in Bicep template files either on their own, or alongside Azure resources.
Authoring experience
You get the same first-class authoring experience of the Bicep Extension for VS Code when you use it to create your Microsoft Graph resource types in Bicep files. The editor provides rich type-safety, IntelliSense, and syntax validation.
Editing a Bicep file containing Microsoft Graph resources
Once you have authored your Bicep file, you can deploy it using familiar tools such as Azure PowerShell and Azure CLI. When the deployment request is made to the Azure Resource Manager, the deployments engine orchestrates the deployment of interdependent resources so they’re created in the correct order, including the Microsoft Graph resources.
The following image shows a Bicep template file where the Microsoft Graph group creation is dependent on the managed identity resource, as it is being added as a group member. The deployments engine first sends the managed identity request to the Resource Manager, which routes it to the Microsoft.ManagedIdentity resource provider. Next, the deployments engine sees that Microsoft.Graph/groups is an extensible resource, so it knows to route this resource request to the Microsoft Graph Bicep extension. The Microsoft Graph Bicep extension then translates the groups resource request into a request to Microsoft Graph.
Deploying a Bicep file containing Microsoft Graph resources
Scenario: Using managed identities with security groups and app roles
Using a Microsoft Entra ID group to assign roles to managed identities
However, this configuration isn’t possible using a Bicep or Resource Manager template. With Microsoft Graph Bicep extension, this limitation is removed. Rather than assigning and managing multiple Microsoft Azure role assignments, role assignments can be managed via a security group through a single Bicep file.
Bicep file declaring a Microsoft Entra ID group with a managed identity member
In the example above, a security group can be created and referenced, whose members can be managed identities. With Bicep templates for Microsoft Graph resources, declaring Microsoft Graph and Microsoft Azure resources together in the same Bicep files enables new deployment scenarios and simplifies existing ones, bringing reliable and repeatable deployments.
Introduction
As ransomware attacks grow in number and sophistication every year, threat actors can quickly impact business operations if organizations are not well prepared. In this blog, we detail an investigation into a ransomware event. During this intrusion the threat actor progressed through the full attack chain, from initial access through to impact, in less than five days, causing significant business disruption for the victim organization.
During the investigation, the Microsoft Incident Response team (formerly known as DART) identified the threat actor employing a range of tools & techniques to achieve their objectives, including:
Exploitation of unpatched internet exposed Microsoft Exchange Servers
Web Shell deployment facilitating remote access
Use of living-off-the-land tools for persistence and reconnaissance
Cobalt Strike beacons for command and control
Process Hollowing and the use of vulnerable drivers for defense evasion
Deployment of custom developed backdoors to facilitate persistence
Deployment of a custom developed data collection and exfiltration tool
Forensic analysis
Initial Access
In order to obtain initial access into the victim’s environment, the Threat Actor was observed exploiting known vulnerabilities (ProxyShell) on unpatched Microsoft Exchange Servers:
CVE-2021-34473
CVE-2021-34523
CVE-2021-31207
The exploitation of these vulnerabilities allowed the Threat Actor to:
Attain SYSTEM level privileges on the compromised Exchange host
Enumerate the LegacyDN of users by sending Autodiscover requests, including the SIDs of users
Construct a valid authentication token and use it against the Exchange PowerShell backend
Impersonate domain admin users and create a web shell by using the New-MailboxExportRequest cmdlet
Create web shells in order to obtain remote control on the affected servers
The Threat Actor was observed operating from the following IP to exploit ProxyShell and access the web shell:
185.225.73[.]244
Persistence
Backdoor
Microsoft IR identified the creation of Registry Run Keys, a common persistence mechanism employed by threat actors to maintain access to a compromised device, where a payload is executed each time a specific user logs in.
api-msvc.dll, detected by Microsoft Defender Antivirus as Trojan:Win32/Kovter!MSR, was determined to be a backdoor capable of collecting system information such as installed antivirus products, device name and IP address. This information is then sent via HTTP POST request to a command and control (C2) channel:
Unfortunately, the organization was not using Microsoft Defender as the primary AV/EDR solution, which prevented it from taking action against the malicious code.
An additional file, api-system.png, was identified with similarities to api-msvc.dll. This file behaved like a DLL, had the same default export function, and also leveraged Run Keys for persistence.
Cobalt Strike Beacon
The threat actor leveraged Cobalt Strike, a common commercial penetration testing tool, to achieve persistence. The file sys.exe, detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike beacon and was downloaded directly from the file sharing service temp.sh:
hxxps://temp[.]sh/szAyn/sys.exe
This beacon was configured to communicate with the following command and control (C2) channel:
Microsoft IR frequently observes threat actors leveraging legitimate remote access during an intrusion, in an effort to blend in on a victim network. In this case, the threat actor utilized AnyDesk, a common remote administration tool, to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was executed from the following paths:
C:\systemtest\anydesk\AnyDesk.exe
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
C:\Scripts\AnyDesk.exe
Successful connections were observed in AnyDesk Logs (ad_svc.trace) involving anonymizer service IP addresses linked to TOR and MULLVAD VPN. This is a common technique that actors employ to obscure their source IP ranges.
Reconnaissance and Privilege Escalation
Microsoft IR found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration, under the following executable names:
Evidence of the likely use of Mimikatz, a credential theft tool commonly used by threat actors, was also uncovered through the presence of a related log file, mimikatz.log.
Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.
Lateral Movement
Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol and PowerShell Remoting to obtain access to other servers in the environment, including Domain Controllers.
Data Staging and Data Exfiltration
A suspicious file named “explorer.exe” was identified. The file was recognized by Microsoft Defender Antivirus as “Trojan:Win64/WinGoObfusc.LK!MT” and quarantined, but after disabling the Windows Defender Antivirus service, the threat actor was able to execute the file using the following command:
Explorer.exe was reverse engineered by Microsoft IR and determined to be ExByte, a GoLang-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks.
The binary is capable of enumerating files of interest across the network, and upon execution creates a log file containing a list of files and associated metadata.
Multiple log files were uncovered during the investigation in the path:
C:\Exchange\MSExchLog.log
Analysis of the binary revealed a list of file extensions which are targeted for enumeration.
Binary analysis showing file extensions enumerated by explorer.exe
Forensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file contained obfuscated credentials which ExByte leveraged to authenticate to the popular file sharing platform Mega NZ, via its API at:
hxxps://g.api.mega.co[.]nz
Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ
Microsoft IR also determined that this tool was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.
Execution Flow
Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading \\.\PHYSICALDRIVE0:
If this check fails, ShellExecuteW is invoked with the lpOperation parameter RunAs, which runs explorer.exe with elevated privilege.
After this access check, explorer.exe attempts to read the data.txt file in the current location:
If the text file doesn’t exist, it invokes a command for self-deletion and exits from memory:
If data.txt exists, explorer.exe reads the file, passes the buffer to a Base64 decode function and then decrypts the data using the key provided on the command line. The decrypted data is then parsed as the JSON below and passed to the login function:
{
"a":"us0",
"user":""
}
Finally, it forms a URL for login to the API of the file sharing service MEGA NZ:
hxxps://g.api.mega.co[.]nz/cs?id=1674017543
Data Encryption and Destruction
Microsoft IR found several devices where files had been encrypted and identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:
wEFT.exe
schillerized.exe
The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. This binary requires an 8-digit key number to encrypt files.
Two modes of execution were identified:
When the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.
When the -a parameter is provided, the ransomware conducts enumeration and uses a UPX-packed version of PsExec to deploy across the network.
Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.
Depending on the switch (-s or -a), execution may create the files below:
C:\SystemData\M8yl89s7.exe (Random Name – UPX Packed PsExec)
Some capabilities identified for the BlackByte 2.0 ransomware were:
AV/EDR Bypass:
The file rENEgOtiAtES created matches RTCore64.sys, a vulnerable driver (CVE-2049-16098) that allows any authenticated user to read/write to arbitrary memory.
The BlackByte binary then creates and starts a service named RABAsSaa calling rENEgOtiAtES, and exploits this service to evade detection by installed AV/EDR software.
Process Hollowing
Invokes svchost.exe, injects into it to complete device encryption, and self-deletes by executing the following command:
The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.
Originating IP address for ProxyShell exploitation and web shell interaction
NOTE: These indicators should not be considered exhaustive for this observed activity.
Detections
Microsoft 365 Defender
Microsoft Defender Antivirus
Trojan:Win32/Kovter!MSR
Trojan:Win64/WinGoObfusc.LK!MT
Trojan:Win64/BlackByte!MSR
HackTool:Win32/AdFind!MSR
Trojan:Win64/CobaltStrike!MSR
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint customers should watch for these alerts that can detect behavior observed in this campaign. Note however that these alerts are not indicative of threats unique to the campaign or actor groups described in this report.
‘CVE-2021-31207’ exploit malware was detected
An active ‘NetShDisableFireWall’ malware in a command line was prevented from executing.
Suspicious registry modification.
‘Rtcore64’ hacktool was detected
Possible ongoing hands-on-keyboard activity (Cobalt Strike)
A file or network connection related to a ransomware-linked emerging threat activity group detected
Suspicious sequence of exploration activities
A process was injected with potentially malicious code
DeviceProcessEvents
| where ProcessCommandLine has_any ("ExcludeDumpster","New-ExchangeCertificate") and ProcessCommandLine has_any ("-RequestFile","-FilePath")
Suspicious Vssadmin Events
DeviceProcessEvents
| where ProcessCommandLine has_any ("vssadmin","vssadmin.exe") and ProcessCommandLine has "Resize ShadowStorage" and ProcessCommandLine has_any ("MaxSize=401MB"," MaxSize=UNBOUNDED")
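The two hunting queries above and the AnyDesk paths listed under Persistence, applied offline to exported process-creation events, as an added example that is not part of the original report. The event field names (`device`, `image`, `cmd`), the expected AnyDesk install folders and all sample events are constructed assumptions, and KQL's `has`/`has_any` operators are approximated with case-insensitive substring matching.

```python
"""Offline triage of exported process-creation events.

Added example, not code from the report: it re-expresses the two hunting
queries and the AnyDesk paths it lists. Field names and events are constructed.
"""
import ntpath

# Assumption: the only folders a sanctioned AnyDesk install would run from.
EXPECTED_ANYDESK_DIRS = (
    r"c:\program files (x86)\anydesk",
    r"c:\program files\anydesk",
)


def has(text, needle):
    """Case-insensitive substring test (approximation of KQL `has`)."""
    return needle.lower() in text.lower()


def has_any(text, needles):
    """True if any needle matches (approximation of KQL `has_any`)."""
    return any(has(text, n) for n in needles)


def exchange_cmdlet_to_file(cmd):
    # First query: Exchange cmdlet keyword plus a switch that writes a file.
    return (has_any(cmd, ("ExcludeDumpster", "New-ExchangeCertificate"))
            and has_any(cmd, ("-RequestFile", "-FilePath")))


def vssadmin_resize(cmd):
    # Second query: shadow storage resized to 401MB or UNBOUNDED.
    return (has_any(cmd, ("vssadmin", "vssadmin.exe"))
            and has(cmd, "Resize ShadowStorage")
            and has_any(cmd, ("MaxSize=401MB", "MaxSize=UNBOUNDED")))


def anydesk_unexpected_path(image):
    # AnyDesk.exe started from a folder outside the expected install dirs.
    if ntpath.basename(image).lower() != "anydesk.exe":
        return False
    return ntpath.dirname(image).lower() not in EXPECTED_ANYDESK_DIRS


RULES = (
    ("exchange_cmdlet_to_file", lambda e: exchange_cmdlet_to_file(e["cmd"])),
    ("vssadmin_resize_shadowstorage", lambda e: vssadmin_resize(e["cmd"])),
    ("anydesk_unexpected_path", lambda e: anydesk_unexpected_path(e["image"])),
)


def triage(events):
    """Return (device, rule_name) for every rule an event trips, in order."""
    return [(ev["device"], name)
            for ev in events
            for name, rule in RULES
            if rule(ev)]


# Constructed sample events (hostnames, accounts and paths are placeholders).
SAMPLE_EVENTS = [
    {"device": "EXCH01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"New-MailboxExportRequest -Mailbox user01 -ExcludeDumpster "
            r"-FilePath \\EXCH01\c$\placeholder\export.aspx"},
    {"device": "FS02",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"},
    {"device": "FS02",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},
    {"device": "WS07",
     "image": r"C:\Scripts\AnyDesk.exe",
     "cmd": r"C:\Scripts\AnyDesk.exe"},
    {"device": "WS09",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmd": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
]

if __name__ == "__main__":
    for device, rule in triage(SAMPLE_EVENTS):
        print(f"{device}: {rule}")
```

A hit from the path rule is a lead, not a verdict: the report also observed AnyDesk running from C:\Program Files (x86)\AnyDesk, which this rule treats as expected.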
Conclusions
BlackByte ransomware attacks are still targeting organizations whose infrastructure has old unpatched vulnerabilities, allowing the attackers to accomplish their objectives with minimal effort. According to Shodan, at the time this blog was written, there are nearly 3300 public facing servers still affected by ProxyShell vulnerabilities, making this an easy target for threat actors looking to impact organizations around the world.
As Microsoft shows in the Microsoft Digital Defense Report, key practices like “Keep up to date”, in conjunction with the other good practices of a basic security hygiene strategy, could protect against 98 percent of attacks.
As new tools are being developed by threat actors, a modern threat protection solution such as M365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms.
Hunting for malicious behavior should be performed regularly in order to detect potential attacks that could evade detections, as a complement to continuous monitoring of alerts and incidents from security tools.
To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR.
Appendix
Encryption
The BlackByte binary targets the following file extensions for encryption:
.4dd
.4dl
.accdb
.accdc
.accde
.accdr
.accdt
.accft
.adb
.ade
.adf
.adp
.arc
.ora
.alf
.ask
.btr
.bdf
.cat
.cdb
.ckp
.cma
.cpd
.dacpac
.dad
.dadiagrams
.daschema
.db
.db-shm
.db-wal
.db3
.dbc
.dbf
.dbs
.dbt
.dbv
.dbx
.dcb
.dct
.dcx
.ddl
.dlis
.dp1
.dqy
.dsk
.dsn
.dtsx
.dxl
.eco
.ecx
.edb
.epim
.exb
.fcd
.fdb
.fic
.fmp
.fmp12
.fmpsl
.fol
.fp3
.fp4
.fp5
.fp7
.fpt
.frm
.gdb
.grdb
.gwi
.hdb
.his
.ib
.idb
.ihx
.itdb
.itw
.jet
.jtx
.kdb
.kexi
.kexic
.kexis
.lgc
.lwx
.maf
.maq
.mar
.masmav
.mdb
.mpd
.mrg
.mud
.mwb
.myd
.ndf
.nnt
.nrmlib
.ns2
.ns3
.ns4
.nsf
.nv
.nv2
.nwdb
.nyf
.odb
.ogy
.orx
.owc
.p96
.p97
.pan
.pdb
.pdm
.pnz
.qry
.qvd
.rbf
.rctd
.rod
.rodx
.rpd
.rsd
.sas7bdat
.sbf
.scx
.sdb
.sdc
.sdf
.sis
.spg
.sql
.sqlite
.sqlite3
.sqlitedb
.te
.temx
.tmd
.tps
.trc
.trm
.udb
.udl
.usr
.v12
.vis
.vpd
.vvv
.wdb
.wmdb
.wrk
.xdb
.xld
.xmlff
.abcddb
.abs
.abx
.accdw
.and
.db2
.fm5
.hjt
.icg
.icr
.kdb
.lut
.maw
.mdn
.mdt
File extensions targeted by BlackByte binary for encryption
Also, the following shared folders are targeted for encryption: