www.microsoft.com
Open in
urlscan Pro
2a02:26f0:7100:8a6::356e
Public Scan
Submitted URL: https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protect...
Effective URL: https://www.microsoft.com/en-us/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-p...
Submission: On April 17 via api from SA — Scanned from DE
Effective URL: https://www.microsoft.com/en-us/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-p...
Submission: On April 17 via api from SA — Scanned from DE
Form analysis 1 forms found in the DOM
Name: searchForm — GET https://www.microsoft.com/en-us/security/site-search
<form class="c-search" autocomplete="off" id="searchForm" name="searchForm" role="search" action="https://www.microsoft.com/en-us/security/site-search" method="GET" data-seautosuggest=""
data-seautosuggestapi="https://www.microsoft.com/msstoreapiprod/api/autosuggest"
data-m="{"cN":"GlobalNav_Search_cont","cT":"Container","id":"c3c1c9c3c1m1r1a1","sN":3,"aN":"c1c9c3c1m1r1a1"}" aria-expanded="false"
style="overflow-x: visible;">
<div class="x-screen-reader" aria-live="assertive"></div>
<input id="cli_shellHeaderSearchInput" aria-label="Search Expanded" aria-autocomplete="list" aria-expanded="false" aria-controls="universal-header-search-auto-suggest-transparent" aria-owns="universal-header-search-auto-suggest-ul" type="search"
name="q" role="combobox" placeholder="Search Microsoft Security" data-m="{"cN":"SearchBox_nav","id":"n1c3c1c9c3c1m1r1a1","sN":1,"aN":"c3c1c9c3c1m1r1a1"}" data-toggle="tooltip"
data-placement="right" title="Search Microsoft Security" style="overflow-x: visible;">
<button id="search" aria-label="Search Microsoft Security" class="c-glyph" data-m="{"cN":"Search_nav","id":"n2c3c1c9c3c1m1r1a1","sN":2,"aN":"c3c1c9c3c1m1r1a1"}"
data-bi-mto="true" aria-expanded="false" style="overflow-x: visible;">
<span role="presentation" style="overflow-x: visible;">Search</span>
<span role="tooltip" class="c-uhf-tooltip c-uhf-search-tooltip" style="overflow-x: visible;">Search Microsoft Security</span>
</button>
<div class="m-auto-suggest" id="universal-header-search-auto-suggest-transparent" role="group" style="overflow-x: visible;">
<ul class="c-menu" id="universal-header-search-auto-suggest-ul" aria-label="Search Suggestions" aria-hidden="true" data-bi-dnt="true" data-bi-mto="true" data-js-auto-suggest-position="default" role="listbox" data-tel="jsll"
data-m="{"cN":"search suggestions_cont","cT":"Container","id":"c3c3c1c9c3c1m1r1a1","sN":3,"aN":"c3c1c9c3c1m1r1a1"}" style="overflow-x: visible;"></ul>
<ul class="c-menu f-auto-suggest-no-results" aria-hidden="true" data-js-auto-suggest-postion="default" data-js-auto-suggest-position="default" role="listbox" style="overflow-x: visible;">
<li class="c-menu-item" style="overflow-x: visible;"> <span tabindex="-1" style="overflow-x: visible;">No results</span></li>
</ul>
</div>
</form>Text Content
We use optional cookies to improve your experience on our websites, such as
through social media connections, and to display personalized advertising based
on your online activity. If you reject optional cookies, only cookies necessary
to provide you the services will be used. You may change your selection by
clicking “Manage Cookies” at the bottom of the page. Privacy Statement
Third-Party Cookies
Accept Reject Manage cookies
Skip to main content
Introducing the new Bing, your AI-powered search engine. Ask real questions. Get
complete answers. Chat and create.
No, thanks Learn more
Skip to main content
Microsoft
Microsoft Security
Microsoft Security
Microsoft Security
* Home
* Solutions
* Cloud security
* Cloud workload protection
* Frontline workers
* Identity & access
* Industrial & critical infrastructure
* Information protection & governance
* IoT security
* Passwordless authentication
* Phishing
* Ransomware
* Risk management
* Secure remote work
* SIEM & XDR
* Small & medium business
* XDR
* Zero Trust
* Products
* Product families Product families
* Microsoft Defender
* Microsoft Entra
* Microsoft Intune
* Microsoft Priva
* Microsoft Purview
* Microsoft Sentinel
* Security AI Security AI
* Microsoft Security Copilot
* Identity & access Identity & access
* Azure Active Directory part of Microsoft Entra
* Microsoft Entra Identity Governance
* Microsoft Entra Permissions Management
* Microsoft Entra Verified ID
* Microsoft Entra Workload Identities
* Azure Key Vault
* SIEM & XDR SIEM & XDR
* Microsoft Sentinel
* Microsoft Defender for Cloud
* Microsoft 365 Defender
* Microsoft Defender for Endpoint
* Microsoft Defender for Office 365
* Microsoft Defender for Identity
* Microsoft Defender for Cloud Apps
* Microsoft Defender Vulnerability Management
* Microsoft Defender Threat Intelligence
* Cloud security Cloud security
* Microsoft Defender for Cloud
* Microsoft Defender Cloud Security Posture Mgmt
* Microsoft Defender for DevOps
* Microsoft Defender External Attack Surface Management
* Azure Firewall
* Azure Web App Firewall
* Azure DDoS Protection
* GitHub Advanced Security
* Endpoint security & management Endpoint security & management
* Microsoft Defender for Endpoint
* Microsoft 365 Defender
* Microsoft Intune Core
* Microsoft Defender for IoT
* Microsoft Defender for Business
* Microsoft Defender Vulnerability Management
* Risk management & privacy Risk management & privacy
* Microsoft Purview Insider Risk Management
* Microsoft Purview Communication Compliance
* Microsoft Purview eDiscovery
* Microsoft Purview Compliance Manager
* Microsoft Purview Audit
* Microsoft Priva Risk Management
* Microsoft Priva Subject Rights Requests
* Information protection Information protection
* Microsoft Purview Information Protection
* Microsoft Purview Data Lifecycle Management
* Microsoft Purview Data Loss Prevention
* Services
* Microsoft Security Experts
* Microsoft Defender Experts for Hunting
* Microsoft Security Services for Enterprise
* Microsoft Incident Response
* Microsoft Security Services for Modernization
* Partners
* Resources
* Get started Get started
* Cybersecurity awareness
* Customer stories
* Security 101
* Product trials
* How we protect Microsoft
* Reports and analysis Reports and analysis
* Industry recognition
* Microsoft Security Insider
* Microsoft Digital Defense Report
* Security Response Center
* Community Community
* Microsoft Security Blog
* Microsoft Security Events
* Microsoft Tech Community
* Documentation and training Documentation and training
* Documentation
* Technical Content Library
* Training & certifications
* Cyberattack support Cyberattack support
* Under attack?
* Additional sites Additional sites
* Compliance Program for Microsoft Cloud
* Microsoft Trust Center
* Security Engineering Portal
* Service Trust Portal
* Contact Sales
* More
* Start free trial
* All Microsoft
* GLOBAL
* Microsoft Security
* Azure
* Dynamics 365
* Microsoft 365
* Microsoft Teams
* Windows 365
* Tech & innovation Tech & innovation
* Microsoft Cloud
* AI
* Azure Space
* Mixed reality
* Microsoft HoloLens
* Microsoft Viva
* Quantum computing
* Sustainability
* Industries Industries
* Education
* Automotive
* Financial services
* Government
* Healthcare
* Manufacturing
* Retail
* All industries
* Partners Partners
* Find a partner
* Become a partner
* Partner Network
* Find an advertising partner
* Become an advertising partner
* Azure Marketplace
* AppSource
* Resources Resources
* Blog
* Microsoft Advertising
* Developer Center
* Documentation
* Events
* Licensing
* Microsoft Learn
* Microsoft Research
* View Sitemap
Search Search Microsoft Security
* No results
Cancel
July 8, 2019 • 8 min read
DISMANTLING A FILELESS CAMPAIGN: MICROSOFT DEFENDER ATP’S ANTIVIRUS EXPOSES
ASTAROTH ATTACK
* Microsoft Defender Security Research Team
Share
* Twitter
* LinkedIn
* Facebook
* Email
* Print
The prevailing perception about fileless threats, among the security industry’s
biggest areas of concern today, is that security solutions are helpless against
these supposedly invincible threats. Because fileless attacks run the payload
directly in memory or leverage legitimate system tools to run malicious code
without having to drop executable files on the disk, they present challenges to
traditional file-based solutions.
But let’s set the record straight: being fileless doesn’t mean being invisible;
it certainly doesn’t mean being undetectable. There’s no such thing as the
perfect cybercrime: even fileless malware leaves a long trail of evidence that
advanced detection technologies in Microsoft Defender Advanced Threat Protection
(Microsoft Defender ATP) can detect and stop.
To help disambiguate the term fileless, we developed a comprehensive definition
for fileless malware as reference for understanding the wide range of fileless
threats. We have also discussed at length the advanced capabilities in Microsoft
Defender ATP that counter fileless techniques.
I recently unearthed a widespread fileless campaign called Astaroth that
completely “lived off the land”: it only ran system tools throughout a complex
attack chain. The attack involved multiple steps that use various fileless
techniques and proved a great real-world benchmark for Microsoft Defender ATP’s
capabilities against fileless threats.
In this blog, I will share my analysis of a fileless attack chain that
demonstrates:
* Attackers would go to great lengths to avoid detection
* Advanced technologies in Microsoft Defender ATP’s Antivirus expose and defeat
fileless attacks
EXPOSING A FILELESS INFO-STEALING CAMPAIGN WITH MICROSOFT DEFENDER ATP’S
ANTIVIRUS
I was doing routine review of Windows Defender Antivirus telemetry when I
noticed an anomaly from a detection algorithm designed to catch a specific
fileless technique. Telemetry showed a sharp increase in the use of the Windows
Management Instrumentation Command-line (WMIC) tool to run a script (a technique
that MITRE refers to XSL Script Processing), indicating a fileless attack.
Figure 1. Windows Defender Antivirus telemetry shows a sudden increase in
suspicious activity
After some hunting, I discovered the campaign that aimed to run the Astaroth
backdoor directly in memory. Astaroth is a notorious info-stealing malware known
for stealing sensitive information like credentials, keystrokes, and other data,
which it exfiltrates and sends to a remote attacker. The attacker can then use
stolen data to try moving laterally across networks, carry out financial theft,
or sell victim information in the cybercriminal underground.
While the behavior may slightly vary in some instances, the attack generally
followed these steps: A malicious link in a spear-phishing email leads to an LNK
file. When double-clicked, the LNK file causes the execution of the WMIC tool
with the “/Format” parameter, which allows the download and execution of a
JavaScript code. The JavaScript code in turn downloads payloads by abusing the
Bitsadmin tool.
All the payloads are Base64-encoded and decoded using the Certutil tool. Two of
them result in plain DLL files (the others remain encrypted). The Regsvr32 tool
is then used to load one of the decoded DLLs, which in turn decrypts and loads
other files until the final payload, Astaroth, is injected into the Userinit
process.
Figure 2. Astaroth “living-off-the-land” attack chain showing multiple
legitimate tools abused
It’s interesting to note that at no point during the attack chain is any file
run that’s not a system tool. This technique is called living off the land:
using legitimate tools that are already present on the target system to
masquerade as regular activity.
The attack chain above shows only the Initial Access and Execution stages. In
these stages, the attackers used fileless techniques to attempt to silently
install the malware on target devices. Astaroth is a notorious information
stealer with many other post-breach capabilities that are not discussed in this
blog. Preventing the attack in these stages is critical.
Despite its use of “invisible” techniques, the attack chain runs under the
scrutiny of Microsoft Defender ATP. Multiple advanced technologies at the core
of Windows Defender Antivirus expose these techniques to spot and stop a wide
range of attacks.
These protection technologies stop threats at first sight, use the power of the
cloud, and leverage Microsoft’s industry-leading optics to deliver effective
protection. This defense-in-depth is observed in the way these technologies
uncovered and blocked the attack at multiple points in Astaroth’s complex attack
chain.
Figure 3. Microsoft Defender ATP’s Antivirus solutions for fileless techniques
used by Astaroth
For traditional, file-centric antivirus solutions, the only window of
opportunity to detect this attack may be when the two DLLs are decoded after
being downloaded—after all, every executable used in the attack is
non-malicious. If this were the case, this attack would pose a serious problem:
since the DLLs use code obfuscation and are likely to change very rapidly
between campaigns, focusing on these DLLs would be a vicious trap.
However, as mentioned, Microsoft Defender ATP’s Antivirus catches fileless
techniques. Let’s break down the attack steps, enumerate the techniques used
using MITRE technique ID as reference, and map the relevant Microsoft Defender
ATP protection.
--------------------------------------------------------------------------------
STEP 1: ARRIVAL
The victim receives an email with a malicious URL:
The URL uses misleading names like certidao.htm (Portuguese for “certificate”),
abrir_documento.htm (“open document”), pedido.htm (“order”), etc.
When clicked, the malicious link redirects the victim to the ZIP archive
certidao.htm.zip, which contains a similarly misleading named LNK file
certidao.htm.lnk. When clicked, the LNK file runs an obfuscated BAT
command-line.
MITRE techniques observed:
* T1192 – Spearphishing Link
* T1023 – Shortcut Modification
Microsoft Defender ATP’s Antivirus protection:
* Command-line scanning: Trojan:Win32/BadEcho.A
* Heuristics engine: Trojan:Win32/Linkommer.A
* Windows Defender SmartScreen
--------------------------------------------------------------------------------
STEP 2: WMIC ABUSE, PART 1
The BAT command runs the system tool WMIC.exe:
The use of the parameter /format causes WMIC to download the file v.txt, which
is an XSL file hosted on a legitimate-looking domain. The XSL file hosts an
obfuscated JavaScript that is automatically run by WMIC. This JavaScript code
simply runs WMIC again.
MITRE techniques observed:
* T1047 – Windows Management Instrumentation
* T1220 – XSL Script Processing
* T1064 – Scripting
* T1027 – Obfuscated Files Or Information
Microsoft Defender ATP’s Antivirus protection:
* Behavior monitoring engine: Behavior:Win32/WmiFormatXslScripting
* AMSI integration engine: Trojan:JS/CovertXslDownload.
--------------------------------------------------------------------------------
STEP 3: WMIC ABUSE, PART 2
WMIC is run in a fashion similar to the previous step:
WMIC downloads vv.txt, another XSL file containing an obfuscated JavaScript
code, which uses the Bitsadmin, Certutil, and Regsvr32 tools for the next steps.
MITRE techniques observed:
* T1047 – Windows Management Instrumentation
* T1220 – XSL Script Processing
* T1064 – Scripting
* T1027 – Obfuscated Files Or Information
Microsoft Defender ATP’s Antivirus protection:
* Behavior monitoring engine: Behavior:Win32/WmiFormatXslScripting
* Behavior monitoring engine: Behavior:Win32/WmicLoadDll.A
* AMSI integration engine: Trojan:JS/CovertBitsDownload.C
--------------------------------------------------------------------------------
STEP 4: BITSADMIN ABUSE
Multiple instances of Bitsadmin are run to download additional payloads:
The payloads are Base64-encoded and have file names like: falxconxrenwb.~,
falxconxrenw64.~, falxconxrenwxa.~, falxconxrenwxb.~, falxconxrenw98.~,
falxconxrenwgx.gif, falxfonxrenwg.gif.
MITRE techniques observed:
* T1197 – BITS Jobs
* T1105 – Remote File Copy
Microsoft Defender ATP’s Antivirus protection:
* Behavior monitoring engine: Behavior:Win32/WmicBits.A
--------------------------------------------------------------------------------
STEP 5: CERTUTIL ABUSE
The Certutil system tool is used to decode the downloaded payloads:
Only a couple of files are decoded to a DLL; most are still
encrypted/obfuscated.
MITRE technique observed:
* T1140 – Deobfuscate/Decode Files Or Information
Microsoft Defender ATP’s Antivirus protection:
* Behavior monitoring engine: Behavior:Win32/WmiCertutil.A
--------------------------------------------------------------------------------
STEP 6: REGSVR32 ABUSE
One of the decoded payload files (a DLL) is run within the contexct of the
Regsvr32 system tool:
The file falxconxrenw64.~ is a proxy: it loads and runs a second DLL,
falxconxrenw98.~, and passes it to a third DLL that is obtained by reading files
falxconxrenwxa.~ and falxconxrenwxb.~. The DLL falxconxrenw98.~ then
reflectively loads the third DLL.
MITRE techniques observed:
* T1117 – Regsvr32
* T1129 – Execution Through Module Load
* T1140 – Deobfuscate/Decode Files Or Information
Microsoft Defender ATP’s Antivirus protection:
* Behavior monitoring engine: Behavior:Win32/UserinitInject.B
* Attack surface reduction: An attack surface reduction rule detects the
loading of a DLL that does not meet the age and prevalence criteria (i.e., a
new unknown DLL)
--------------------------------------------------------------------------------
STEP 7: USERINIT ABUSE
The newly loaded DLL reads and decrypts the file falxconxrenwgx.gif into a DLL.
It runs the system tool userinit.exe into which it injects the decrypted DLL.
The file falxconxrenwgx.gif is again a proxy that reads, decrypts, and
reflectively loads the DLL falxconxrenwg.gif. This last DLL is the malicious
info stealer known as Astaroth.
MITRE techniques observed:
* T1117 – Regsvr32
* T1129 – Execution Through Module Load
* T1140 – Deobfuscate/Decode Files Or Information
Microsoft Defender ATP’s Antivirus protection:
* Behavior monitoring engine: Behavior:Win32/Astaroth.A
* Attack surface reduction: An attack surface reduction rule detects the
loading of a DLL that does not meet the age and prevalence criteria (i.e., a
new unknown DLL)
COMPREHENSIVE PROTECTION AGAINST FILELESS ATTACKS WITH MICROSOFT THREAT
PROTECTION
The strength of Microsoft Defender ATP’s Antivirus engines in exposing fileless
techniques add to the capabilities of the unified endpoint protection platform.
Activities related to fileless techniques are reported in Microsoft Defender
Security Center as alerts, so security operations teams can further investigate
and respond to attacks using endpoint detection and response, advanced hunting,
and other capabilities in Microsoft Defender ATP.
Figure 4. Details of Windows Defender Antivirus detections of fileless
techniques and malware reported in Microsoft Defender Security Center; details
also indicate whether threat is remediated, as was the case with the Astaroth
attack
The rest of Microsoft Defender ATP’s capabilities beyond Antivirus enable
security operations teams to detect and remediate fileless threats and other
attacks. Notably, Microsoft Defender ATP endpoint detection and response (EDR)
has strong and durable detections for fileless and living-off-the-land
techniques across the entire attack chain.
Figure 5. Alerts in Microsoft Defender Security Center showing detection of
fileless techniques by antivirus and EDR capabilities
We also published a threat analytics report on living-off-the-land binaries to
help security operations assess organizational security posture and resilience
against these threats. New Microsoft Defender ATP services like threat and
vulnerability management and Microsoft Threat Experts (managed threat hunting),
further assist organizations in defending against fileless threats.
Through signal-sharing and orchestration of threat remediation across
Microsoft’s security technologies, these protections are further amplified in
Microsoft Threat Protection, Microsoft’s comprehensive security solution for the
modern workplace. For this Astaroth campaign, Office 365 Advanced Threat
Protection (Office 365 ATP) detects the emails with malicious links that start
the infection chain.
Microsoft Threat Protection secures identities, endpoints, email and data, apps,
and infrastructure.
CONCLUSION: FILELESS THREATS ARE NOT INVISIBLE
To come back to one of my original points in this blog post, being fileless
doesn’t mean being invisible; it certainly doesn’t mean being undetectable.
An analogy: Pretend you are transported to the world of H.G. Wells’ The
Invisible Man and can render yourself invisible. You think, great, you can walk
straight into a bank and steal money. However, you soon realize that things are
not as simple as they sound. When you walk out in the open and it’s cold, your
breath’s condensation gives away your position; depending on the type of the
ground, you can leave visible footmarks; if it’s raining, water splashing on you
creates a visible outline. If you manage to get inside the bank, you still make
noise that security guards can hear. Motion detection sensors can feel your
presence, and infrared cameras can still see your body heat. Even if you can
open a safe or a vault, these storage devices may trigger an alert, or someone
may simply notice the safe opening. Not to mention that if you somehow manage to
grab the money and put them in a bag, people are likely to notice a bag that’s
walking itself out of the bank.
Being invisible may help you for some things, but you should not be under the
illusion that you are invincible. The same applies to fileless malware: abusing
fileless techniques does not put malware beyond the reach or visibility of
security software. On the contrary, some of the fileless techniques may be so
unusual and anomalous that they draw immediate attention to the malware, in the
same way that a bag of money moving by itself would.
Using invisible techniques and being actually invisible are two different
things. Using advanced technologies, Microsoft Defender ATP exposes fileless
threats like Astaroth before these attacks can cause more damage.
Andrea Lelli
Microsoft Defender ATP Research
--------------------------------------------------------------------------------
TALK TO US
Questions, concerns, or insights on this story? Join discussions at
the Microsoft Defender ATP community.
Follow us on Twitter @MsftSecIntel.
FILED UNDER:
* AI and machine learning,
* Cybersecurity,
* Endpoint security,
* Security Intelligence,
* Security intelligence,
* Threat protection,
* Windows Security
YOU MAY ALSO LIKE THESE ARTICLES
Featured image for Out of sight but not invisible: Defeating fileless malware
with behavior monitoring, AMSI, and next-gen AV
September 27, 2018 • 16 min read
OUT OF SIGHT BUT NOT INVISIBLE: DEFEATING FILELESS MALWARE WITH BEHAVIOR
MONITORING, AMSI, AND NEXT-GEN AV
Removing the need for files is the next progression of attacker techniques.
While fileless techniques used to be employed almost exclusively in
sophisticated cyberattacks, they are now becoming widespread in common malware,
too.
Read more Out of sight but not invisible: Defeating fileless malware with
behavior monitoring, AMSI, and next-gen AV
Featured image for Latest Astaroth living-off-the-land attacks are even more
invisible but not less observable
March 23, 2020 • 6 min read
LATEST ASTAROTH LIVING-OFF-THE-LAND ATTACKS ARE EVEN MORE INVISIBLE BUT NOT LESS
OBSERVABLE
Astaroth is back sporting significant changes. The updated attack chain
maintains Astaroth’s complex, multi-component nature and continues its pattern
of detection evasion.
Read more Latest Astaroth living-off-the-land attacks are even more invisible
but not less observable
Featured image for Bring your own LOLBin: Multi-stage, fileless Nodersok
campaign delivers rare Node.js-based malware
September 26, 2019 • 10 min read
BRING YOUR OWN LOLBIN: MULTI-STAGE, FILELESS NODERSOK CAMPAIGN DELIVERS RARE
NODE.JS-BASED MALWARE
A new fileless malware campaign we dubbed Nodersok delivers two very unusual
LOLBins to turn infected machines into zombie proxies.
Read more Bring your own LOLBin: Multi-stage, fileless Nodersok campaign
delivers rare Node.js-based malware
GET STARTED WITH MICROSOFT SECURITY
Microsoft is a leader in cybersecurity, and we embrace our responsibility to
make the world a safer place.
Learn more Get started with Microsoft Security
Get all the news, updates, and more at
@MSFTSecurity twitter
What's new
* Surface Pro 9
* Surface Laptop 5
* Surface Studio 2+
* Surface Laptop Go 2
* Surface Laptop Studio
* Surface Go 3
* Microsoft 365
* Windows 11 apps
Microsoft Store
* Account profile
* Download Center
* Microsoft Store support
* Returns
* Order tracking
* Virtual workshops and training
* Microsoft Store Promise
* Flexible Payments
Education
* Microsoft in education
* Devices for education
* Microsoft Teams for Education
* Microsoft 365 Education
* How to buy for your school
* Educator training and development
* Deals for students and parents
* Azure for students
Business
* Microsoft Cloud
* Microsoft Security
* Dynamics 365
* Microsoft 365
* Microsoft Power Platform
* Microsoft Teams
* Microsoft Industry
* Small Business
Developer & IT
* Azure
* Developer Center
* Documentation
* Microsoft Learn
* Microsoft Tech Community
* Azure Marketplace
* AppSource
* Visual Studio
Company
* Careers
* About Microsoft
* Company news
* Privacy at Microsoft
* Investors
* Diversity and inclusion
* Accessibility
* Sustainability
English (United States) California Consumer Privacy Act (CCPA) Opt-Out Icon Your
California Privacy Choices California Consumer Privacy Act (CCPA) Opt-Out Icon
Your California Privacy Choices
* Sitemap
* Contact Microsoft
* Privacy
* Manage cookies
* Terms of use
* Trademarks
* Safety & eco
* Recycling
* About our ads
* © Microsoft 2023