Trojan:Win32/Agent.SA
Detected by Microsoft Defender Antivirus
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This threat is a trojan delivered as a maliciously crafted CAB (cabinet) archive that contains a malicious DLL component. It is one of the payloads dropped by TrojanDownloader:O97M/Donoff.SA!Gen, an Office macro-based downloader (the O97M prefix denotes Office macro malware), so the infection chain typically starts with a malicious Office document.
Guidance for end users
Take these steps to help prevent malware infection on your computer.
Guidance for enterprise administrators
Apply these mitigations to reduce the impact of this threat.
- Submit spam and non-spam messages to Microsoft for analysis.
- Follow the appropriate Exchange Online Protection instructions to suit your business needs.
- Learn about how Microsoft Defender for Office 365 can help you block spam using machine learning. See anti-malware protection, anti-spam protection, anti-phishing protection, anti-spoofing protection for details.
- Be aware of the dangers in opening suspicious emails. Don't open email attachments or links from untrusted sources.
- Microsoft Defender SmartScreen integrates with Microsoft Edge to block malicious websites, including phishing sites, scam sites, and other malicious sites. It is built into Microsoft Edge and enabled by default. Network protection extends the same SmartScreen intelligence beyond the browser by blocking connections from any process to malicious domains and IP addresses.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Turn on tamper protection features to prevent attackers from stopping security services.
- Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
- To reduce the attack surface, Microsoft 365 Defender customers can turn on attack surface reduction (ASR) rules that block the techniques used by this threat's delivery chain. Because the dropper is an Office macro downloader, the most relevant rules are those that block Office applications from creating child processes, from creating executable content, and from making Win32 API calls from macros, together with the rule that blocks executable content from email clients and webmail. Pilot rules in audit mode before switching them to block.
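The following PowerShell script is an added example, not part of the original Microsoft page, showing how to apply the endpoint-local settings from the list above (cloud-delivered protection, behaviour monitoring, network protection and the Office-related ASR rules) on a single Windows host and then verify the result. It assumes Microsoft Defender Antivirus is the active engine (not in passive mode) and that the host runs from an elevated prompt. The ASR rule GUIDs are Microsoft's published rule identifiers. Tamper protection, EDR in block mode, automated investigation and device discovery are tenant-side settings configured in the Defender portal or Intune, so the script only reports the tamper-protection state rather than setting it.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Microsoft page): apply the endpoint-local
# Microsoft Defender Antivirus settings recommended above on one Windows host.
# Assumptions: Defender AV is the active (not passive) engine, and the host is
# onboarded to Defender for Endpoint if you want ASR/network-protection telemetry.

# 1. Cloud-delivered protection: MAPS reporting plus sample submission, with a
#    raised cloud block level so new, unknown droppers are held for a cloud verdict.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50          # extra seconds to wait for the cloud verdict

# 2. Behaviour monitoring, script scanning and download scanning must stay on;
#    they are the engines that see the macro -> CAB -> DLL chain in the summary.
Set-MpPreference -DisableBehaviorMonitoring $false
Set-MpPreference -DisableScriptScanning $false
Set-MpPreference -DisableIOAVProtection $false

# 3. Network protection: blocks outbound connections to known-malicious
#    domains and IPs from any process. Use AuditMode on a pilot group first.
Set-MpPreference -EnableNetworkProtection Enabled

# 4. Attack surface reduction rules relevant to a macro-delivered dropper.
#    Keys are Microsoft's published ASR rule GUIDs; values are for readability only.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-5D86-41FE-8D37-A8BF1DB5D6FA' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}
foreach ($id in $asrRules.Keys) {
    # Use -AttackSurfaceReductionRules_Actions AuditMode for an initial pilot.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# 5. Verify. Tamper protection cannot be switched on from PowerShell by design
#    (that would defeat its purpose); it is set from the Windows Security app,
#    Intune or the Defender portal, so it is only reported here.
function Get-DefenderHardeningState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Map configured rule ID -> action (0=Disabled, 1=Block, 2=Audit, 6=Warn).
    $ruleState = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $ruleState[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] =
            $pref.AttackSurfaceReductionRules_Actions[$i]
    }

    [pscustomobject]@{
        RunningMode       = $status.AMRunningMode          # expect 'Normal', not 'Passive Mode'
        TamperProtected   = $status.IsTamperProtected      # expect $true; fix via portal/Intune if not
        CloudProtection   = $pref.MAPSReporting            # 2 = Advanced
        CloudBlockLevel   = $pref.CloudBlockLevel          # 2 = High
        NetworkProtection = $pref.EnableNetworkProtection  # 1 = Enabled, 2 = AuditMode
        AsrNotBlocking    = @($asrRules.Keys | Where-Object { $ruleState[$_] -ne 1 })
    }
}

Get-DefenderHardeningState | Format-List
```

Run it once per host, or push the same cmdlets through your configuration-management tool of choice; an empty AsrNotBlocking list and TamperProtected = True are the states to aim for before treating the host as covered.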