SC-900 · Chapter 43 of 103 · Objective 1.1

Common Attack Types: Phishing, Ransomware, DDoS

This chapter covers the three attack types you must know for the SC-900 exam: phishing, ransomware, and DDoS attacks. Understanding these threats matters because they account for a large share of real-world security incidents and because the exam domain that covers them, 'Describe the concepts of security, compliance, and identity', carries roughly 10-15% of the questions, with attack types and their mitigations a recurring part of it. You will learn how each attack works, its impact, and the specific Microsoft security solutions that help defend against it.

25 min read
Intermediate
Updated May 31, 2026

Attack Types Like Home Intrusions

Think of your organization's network as a secure apartment building. Phishing is like a con artist calling residents, pretending to be building maintenance, and asking for their apartment keys to 'fix a leak.' The resident willingly hands over the key because they believe the lie. Ransomware is like a burglar who sneaks in (perhaps through an unlocked door from phishing), then changes all the locks and demands payment to give you back access to your own apartment. DDoS is like a crowd of hundreds of people blocking all entrances to the building, shouting and pushing, so that legitimate residents and deliveries cannot get in or out. The building itself isn't broken into, but normal operations are completely disrupted. In each case, the attacker exploits a different weakness: trust (phishing), access (ransomware), or availability (DDoS). Defending against each requires different tools: user education and email filters for phishing, backups and endpoint protection for ransomware, and traffic filtering and scalability for DDoS.

How It Actually Works

Phishing

Phishing is a social engineering attack where an attacker masquerades as a trusted entity to trick victims into revealing sensitive information (credentials, financial data) or installing malware. It is the most common initial attack vector.

How it works: The attacker sends a fraudulent message (email, text, voice call) that appears legitimate. The message typically creates urgency (e.g., 'Your account will be closed') or offers a reward. It contains a link to a fake login page or an attachment with malware. When the victim clicks, credentials are stolen or malware is installed.

Key types:
- Spear phishing: targeted at a specific individual or organization using personal details.
- Whaling: targets senior executives (the 'big fish').
- Smishing: phishing via SMS.
- Vishing: phishing via voice calls.
- Clone phishing: a legitimate email is copied and resent with malicious links or attachments.

Indicators: Suspicious sender address, generic greetings, urgent language, mismatched URLs (hover to check), poor grammar.

Microsoft defenses:
- Microsoft Defender for Office 365: anti-phishing policies with spoof and impersonation protection, Safe Links (time-of-click URL checks) and Safe Attachments (attachments detonated in a sandbox before delivery).
- Microsoft Defender for Cloud Apps: detects anomalous access patterns once a stolen credential is used.
- Microsoft Defender XDR (formerly Microsoft 365 Defender): correlates signals across email, endpoints, identities and cloud apps.
- Multi-factor authentication (MFA): a stolen password alone is no longer enough to sign in. Push and one-time-code MFA can still be relayed by adversary-in-the-middle phishing kits, so prefer phishing-resistant methods (FIDO2 security keys, Windows Hello for Business, certificate-based authentication) where you can.

Exam tip: The SC-900 exam emphasizes that phishing is a social engineering attack, not a technical exploit. Know that Safe Links and Safe Attachments are key protections in Microsoft Defender for Office 365.

Ransomware

Ransomware is a type of malware that encrypts a victim's files or locks their system, then demands a ransom (usually cryptocurrency) for the decryption key. It often spreads via phishing emails, exploit kits, or remote desktop protocol (RDP) brute force.

How it works:
1. Delivery: the user opens a malicious attachment or clicks a link.
2. Execution: the payload runs, often contacting a command-and-control (C2) server to register the victim and exchange key material.
3. Encryption: files are encrypted with a strong symmetric cipher (e.g., AES-256); the per-victim or per-file key is itself encrypted with the attacker's public key so that only the attacker can recover it. Document types (.docx, .xlsx, .pdf) are the usual targets.
4. Ransom note: a note with payment instructions is displayed.
5. Propagation: some ransomware spreads laterally across the network (e.g., WannaCry used the EternalBlue SMB exploit).

Key variants:
- Crypto ransomware: encrypts files (e.g., CryptoLocker, Ryuk).
- Locker ransomware: locks the entire system (e.g., police-themed ransomware).
- Doxware (leakware): threatens to publish stolen data.
- Ransomware-as-a-Service (RaaS): affiliates use pre-built ransomware kits.

Impact: Data loss, operational downtime, financial loss, reputational damage. Paying the ransom does not guarantee data recovery.

Microsoft defenses:
- Microsoft Defender Antivirus: real-time and cloud-delivered protection against known ransomware.
- Microsoft Defender for Endpoint: behavioral detection of the encryption stage, automated investigation and response, device isolation.
- Microsoft Defender XDR (formerly Microsoft 365 Defender): cross-domain detection.
- Backup and recovery: regularly tested backups with at least one copy offline or immutable (3-2-1 rule: 3 copies, 2 media types, 1 offsite). Backups reachable with the same credentials as the file servers get encrypted along with them.
- Attack Surface Reduction (ASR) rules: block the behaviors ransomware operators rely on, for example 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)', 'Block all Office applications from creating child processes' and 'Use advanced protection against ransomware'.
- Controlled folder access: prevents untrusted apps from modifying files in protected folders.

Exam tip: Know that ransomware is a type of malware that encrypts files for ransom. Regular, offline backups are the primary recovery control: they do not stop the attack, they make paying unnecessary. Prevention comes from endpoint protection and ASR rules, and Microsoft Defender XDR provides multi-stage detection. Controlled folder access started life in Windows Defender Exploit Guard and is now managed as part of Microsoft Defender for Endpoint; exam material may use either name.

Distributed Denial of Service (DDoS)

A DDoS attack aims to overwhelm a target (server, network, application) with traffic from multiple sources, making it unavailable to legitimate users. Unlike phishing and ransomware, DDoS does not involve a breach of confidentiality or integrity; it attacks availability.

How it works: The attacker uses a botnet (network of compromised devices) to send massive amounts of traffic to the target. This can be at Layer 3/4 (network/transport) or Layer 7 (application).

Common types:
- Volumetric attacks: flood the bandwidth (e.g., UDP floods, ICMP floods).
- Protocol attacks: consume server or network-device resources (e.g., SYN floods, fragmented packet attacks).
- Application layer attacks: target specific applications (e.g., HTTP GET/POST floods, Slowloris).

Indicators: Unusual traffic patterns, spikes from single IP ranges, degraded network performance, inability to access services.

Microsoft defenses:
- Azure DDoS Protection: every Azure public IP gets DDoS infrastructure protection (formerly 'Basic'), free and always-on, with platform-wide thresholds. DDoS Network Protection (formerly 'Standard') is a paid plan that tunes mitigation to your own traffic profile and adds attack analytics, mitigation reports, alerts, cost protection and Rapid Response support; DDoS IP Protection buys the same mitigation per public IP for small deployments, without the plan-level extras.
- Azure Web Application Firewall (WAF), on Application Gateway or Azure Front Door: protects against Layer 7 attacks with managed rule sets, rate limiting and bot protection.
- Azure Front Door: global edge with built-in Layer 3/4 DDoS protection and WAF integration, so floods are absorbed before they reach the origin.
- Best practices: scale out, use a CDN, implement rate limiting, and expose as few public endpoints as possible.

Exam tip: Understand the difference between volumetric, protocol, and application layer attacks. Know that Azure DDoS Network Protection (formerly Standard) provides enhanced protection for Azure resources beyond the free infrastructure protection; older material still uses the Basic/Standard names. DDoS attacks target availability (CIA triad).

Comparison and Integration

All three attack types can be combined. For example, a phishing email might deliver ransomware, and a DDoS attack could distract the security team while ransomware spreads. Microsoft's unified security solutions (Microsoft Defender XDR, formerly Microsoft 365 Defender, and Microsoft Defender for Cloud, formerly Azure Defender) provide cross-domain visibility and automated responses.

CIA triad mapping:
- Phishing: primarily confidentiality (credential and data theft); integrity when it delivers malware.
- Ransomware: availability (data encrypted or system locked) and integrity (files altered); doxware and double-extortion variants also hit confidentiality by stealing data before encrypting it.
- DDoS: availability.

Exam tip: You will be asked to identify which attack type matches a given scenario. Focus on the primary impact: phishing = credential theft, ransomware = encrypted files, DDoS = resource unavailability.

Specific Values and Commands (for reference)

Azure DDoS Network Protection (formerly Standard) pricing: approximately $2,944 per month per protection plan (as of 2023); one plan covers up to 100 public IP resources across subscriptions in the same tenant, with a per-resource charge above that, plus data-processing costs. DDoS IP Protection is billed per protected public IP. DDoS infrastructure protection (formerly Basic) has no charge.

Safe Links scanning: URLs in mail are rewritten and checked against Microsoft's reputation data at time of click, so a link that was clean when the message was delivered but weaponized afterwards is still blocked when the user clicks it.

Controlled folder access default: off. Enable it through Microsoft Intune (the renamed Microsoft Endpoint Manager), Group Policy, or PowerShell (Set-MpPreference -EnableControlledFolderAccess Enabled). Start with AuditMode to discover legitimate applications that write to protected folders before switching to block.

Ransomware recovery in Microsoft 365: SharePoint Online and OneDrive keep version history and offer Files Restore, which rolls an entire library back to any point in the previous 30 days; deleted items stay in the recycle bins for 93 days. Exchange Online keeps deleted items for 14 days by default (configurable up to 30). These are recovery aids for cloud content, not a substitute for backups of file servers and endpoints, where most ransomware damage lands.

No CLI commands are directly tested on SC-900, but knowing that Get-MpPreference shows the current Microsoft Defender Antivirus settings (and Set-MpPreference changes them) helps when you read about ASR rules and controlled folder access.

Summary

Phishing relies on human psychology; ransomware encrypts data for ransom; DDoS overwhelms resources. Microsoft provides layered defenses across Office 365, Azure, and endpoints. The exam expects you to match attack types to their characteristics and know the primary Microsoft security solutions.

Walk-Through

1

Phishing: Attacker crafts lure

The attacker researches the target (for spear phishing) and creates a convincing email or message. They may spoof a known brand (Microsoft, Amazon) or a colleague's email address. The message includes a call-to-action: click a link, open an attachment, or reply with credentials. The attacker uses social engineering tactics like urgency ('Your account will be closed in 24 hours') or authority ('From: IT Support'). At the protocol level the From header can simply be forged; if the impersonated domain publishes SPF, DKIM and a DMARC policy, the receiving server's authentication checks fail and DMARC can quarantine or reject the message, which is why attackers often prefer look-alike domains they control over outright spoofing. They also use URL shorteners or homograph domains (e.g., 'microsoft.com' spelled with a Cyrillic 'о') to evade detection.

2

Phishing: Victim interacts

The victim receives the message and, believing it is legitimate, clicks the link or opens the attachment. If it is a link, the browser opens a fake login page that looks identical to the real service, and the victim enters their username and password; modern kits proxy the real login page so they can also capture the one-time code or session cookie, which is why phishing-resistant MFA matters. If it is an attachment, it may contain macros that download malware (e.g., a PowerShell script). At the network level, a DNS lookup resolves the malicious domain. The connection is usually HTTPS with a free TLS certificate, so the browser shows a padlock; HTTPS only proves the connection is encrypted, not that the site is genuine. The victim's credentials are sent to the attacker's server, or malware is executed.
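The indicators listed under 'How It Actually Works' (sender address, generic greeting, urgency, mismatched URLs) and the header and homograph details in steps 1 and 2 can all be checked mechanically. The script below is an added example written for this chapter, not code from the original page or from Microsoft. Both messages it parses are constructed; contoso.com, contoso-support.example and the look-alike login host are assumptions chosen so that every check fires once on the lure and none fires on clean mail. It uses only the Python standard library.

```python
"""Triage an e-mail for the phishing indicators discussed above (added example,
not code from the original page or from Microsoft). The LURE message is
constructed; contoso.com, contoso-support.example and the look-alike login host
are assumptions chosen so that every check fires."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("within 24 hours", "will be closed", "immediately", "suspended")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")


class _Anchors(HTMLParser):
    """Collects (href, visible text) pairs: the automated form of 'hover to check'."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_homograph(host):
    # Non-ASCII letters (a Cyrillic 'о' for 'o') or punycode labels mark a look-alike domain.
    return any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in host.split("."))


def looks_like_url(text):
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def auth_failures(msg):
    """SPF/DKIM/DMARC verdicts the receiving server stamped into Authentication-Results."""
    failed = []
    for header in msg.get_all("Authentication-Results", []):
        for method in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{method}=(\w+)", header, re.I)
            if m and m.group(1).lower() != "pass":
                failed.append(method.upper())
    return failed


def analyze(raw_bytes):
    """Return the indicator strings found in a raw RFC 5322 message (empty list = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = [f"{m} did not pass" for m in auth_failures(msg)]
    # A Reply-To on another domain routes the victim's answer to the attacker.
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    lowered = (msg.get("Subject", "") + "\n" + text).lower()
    if any(g in lowered for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    urgent = [p for p in URGENCY if p in lowered]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))
    anchors = _Anchors()
    anchors.feed(text)
    for href, shown in anchors.links:
        target = host_of(href)
        if is_homograph(target):
            findings.append(f"homograph/punycode host: {target}")
        if looks_like_url(shown) and host_of(shown if "://" in shown else "//" + shown) != target:
            findings.append(f"link text shows {shown} but points to {target}")
    return findings


# Constructed lure: failed authentication, foreign Reply-To, generic greeting, urgency,
# and a link whose visible text is microsoft.com while the href host uses a Cyrillic 'о'.
LURE = b"""\
Authentication-Results: mx.contoso.com; spf=fail smtp.mailfrom=bulk.example; dkim=none; dmarc=fail header.from=contoso.com
From: "IT Support" <it-support@contoso.com>
Reply-To: helpdesk@contoso-support.example
Subject: Action required: your account will be closed in 24 hours
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit

<html><body><p>Dear Customer,</p><p>Unusual sign-in activity was detected. Verify your password immediately:
<a href="https://login.micros\xd0\xbeft.com/verify">https://login.microsoft.com/</a></p></body></html>
"""

if __name__ == "__main__":
    print("\n".join(analyze(LURE)))
```

The checks are deliberately simple so each maps to one indicator in the text; a mail gateway does the same work with reputation data behind it. Authentication-Results is only trustworthy when your own server wrote it, so strip any copy that arrives from outside before relying on it.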

3

Ransomware: Initial infection

Ransomware typically arrives via a phishing email attachment (e.g., a Word document with malicious macros) or a drive-by download from a compromised website. The user opens the attachment, which executes a downloader that fetches the ransomware payload from a C2 server. Alternatively, the attacker may brute-force an exposed RDP service to gain access and deploy the ransomware by hand. In the WannaCry case, the EternalBlue exploit allowed the ransomware to spread without any user interaction. At this stage Microsoft Defender Antivirus may block the payload if its signatures or cloud-delivered protection recognize it; script scanning through AMSI exposes the de-obfuscated PowerShell to the engine, and behavior monitoring catches the later mass-encryption pattern even when the sample itself is unknown.

4

Ransomware: Encryption and ransom

The ransomware enumerates local and network drives (if it has permissions) and begins encrypting files. It typically targets user data files (.docx, .xlsx, .pdf, .jpg) and skips system files to keep the OS running. It uses a strong encryption algorithm (e.g., AES-256) and generates a unique key per victim. The encryption key is encrypted with the attacker's public key and sent to the C2 server. After encryption, the ransomware drops a ransom note (e.g., 'README.txt' or 'HOW_TO_DECRYPT.html') in every folder. It may also change the desktop wallpaper. The victim is instructed to pay a ransom (often Bitcoin) within a time limit (e.g., 72 hours) or the key is destroyed.
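The encryption stage just described is what behavioral detection keys on: a process that rewrites many files with ciphertext in a short window, appends a new extension, and drops a ransom note, regardless of whether the sample is known. The monitor below is an added example for this chapter, not code from the original page or from Microsoft Defender. The event stream is constructed: Word saving one document (a .docx is a zip, so it is high-entropy too), a backup agent copying text files quickly, and a process rewriting thirty documents as .locked; process names and paths are assumptions. It uses only the Python standard library and goes a step beyond the text by showing why the entropy signal alone is not enough.

```python
"""Behavior-based ransomware detection over a stream of file-write events
(added example, not code from the original page or from Microsoft Defender).
Events are constructed; process names and paths are assumptions."""
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass
from os.path import basename, splitext

RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.html", "decrypt_instructions.txt"}
DOCS, LOGS = "C:/Users/alice/Documents/", "C:/ProgramData/app/logs/"


@dataclass(frozen=True)
class WriteEvent:
    ts: float       # seconds since monitoring started
    pid: int
    process: str
    before: str     # path before the operation
    after: str      # path after it (differs when the file was renamed)
    data: bytes     # content written


def shannon_entropy(data):
    """Bits per byte: ciphertext sits near 8.0, English text around 4.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareMonitor:
    """Alerts once per process when encryption-like behavior is corroborated."""

    def __init__(self, window_s=10.0, burst=20, entropy_floor=7.5):
        self.window_s, self.burst, self.entropy_floor = window_s, burst, entropy_floor
        self.hot_writes = defaultdict(deque)  # pid -> timestamps of high-entropy writes
        self.ext_changes = defaultdict(int)
        self.notes = defaultdict(int)
        self.alerted = set()

    def observe(self, ev):
        """Feed one event; return an alert dict the first time a process trips the rule."""
        q = self.hot_writes[ev.pid]
        if shannon_entropy(ev.data) >= self.entropy_floor:
            q.append(ev.ts)
        while q and ev.ts - q[0] > self.window_s:
            q.popleft()
        if splitext(ev.after)[1].lower() != splitext(ev.before)[1].lower():
            self.ext_changes[ev.pid] += 1
        if basename(ev.after).lower() in RANSOM_NOTE_NAMES:
            self.notes[ev.pid] += 1
        reasons = []
        if len(q) >= self.burst:
            reasons.append(f"{len(q)} high-entropy writes within {self.window_s:g}s")
        if self.ext_changes[ev.pid] >= self.burst // 2:
            reasons.append(f"{self.ext_changes[ev.pid]} files renamed to a new extension")
        if self.notes[ev.pid]:
            reasons.append("ransom-note filename written")
        # A burst of high-entropy writes on its own is also what Word (.docx is a zip) or a
        # backup tool produces, so require a rename wave or a note before alerting.
        if len(q) >= self.burst and len(reasons) >= 2 and ev.pid not in self.alerted:
            self.alerted.add(ev.pid)
            return {"pid": ev.pid, "process": ev.process, "ts": ev.ts, "reasons": reasons}
        return None


def constructed_events():
    rng = random.Random(2025)

    def ciphertext(n=2048):          # deterministic stand-in for AES output
        return bytes(rng.getrandbits(8) for _ in range(n))

    plain = b"Quarterly figures attached. Regards, Alice.\n" * 40
    doc = DOCS + "budget.docx"
    events = [WriteEvent(0.0, 4242, "WINWORD.EXE", doc, doc, ciphertext())]
    for i in range(25):              # backup agent: many fast writes, low entropy, no renames
        p = f"{LOGS}app_{i:02}.log"
        events.append(WriteEvent(1.0 + i * 0.05, 5151, "backup-agent.exe", p, p, plain))
    for i in range(30):              # ransomware: documents overwritten as ciphertext + .locked
        p = f"{DOCS}report_{i:02}.xlsx"
        events.append(WriteEvent(5.0 + i * 0.1, 6666, "updater.exe", p, p + ".locked", ciphertext()))
    note = DOCS + "HOW_TO_DECRYPT.html"
    events.append(WriteEvent(8.5, 6666, "updater.exe", note, note, b"Your files are encrypted. Pay within 72 hours."))
    return events


def run(events):
    """Replay events through a fresh monitor and return the alerts raised."""
    monitor = RansomwareMonitor()
    return [alert for alert in map(monitor.observe, events) if alert]


if __name__ == "__main__":
    for alert in run(constructed_events()):
        print(alert)
```

Only the updater.exe process is flagged, on its twentieth rewrite, well before it finishes the folder. Real EDR adds signals this toy omits (canary files, process reputation, shadow-copy deletion, the parent chain back to an Office macro) and, on a hit, isolates the device rather than just logging.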

5

DDoS: Botnet assembly and attack

The attacker compromises thousands of IoT devices, home routers, or servers to form a botnet. They command the botnet to send traffic to the target IP address. For a volumetric attack, each bot sends large UDP packets to random ports on the target, overwhelming the network bandwidth. For a SYN flood, each bot sends TCP SYN packets with spoofed source IPs; the target responds with SYN-ACK and waits for the final ACK, exhausting the connection table. For an HTTP flood, bots request a resource-intensive page (e.g., a database query) repeatedly. The target's resources (CPU, memory, bandwidth) are consumed, causing legitimate requests to timeout or be dropped.
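The HTTP-flood case in the step above is the one you can reason about from access logs alone, and it is also where WAF rate-limit rules do their work. The script below is an added example for this chapter, not code from the original page or from any Azure service. Its log lines are constructed from the TEST-NET documentation ranges: 192.0.2.x are legitimate shoppers, 203.0.113.7 is a single-source flood, and 198.51.100.x is a fifty-bot flood in which each bot stays under any sensible per-client limit. That second case is the point of the 'distributed' in DDoS, and the example goes beyond the text by showing that an aggregate per-endpoint rate is needed to see it.

```python
"""Layer-7 flood triage over web-server access logs (added example, not code
from the original page or from Azure). Log lines are constructed from TEST-NET
addresses; the shop paths and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
BASE = datetime(2025, 11, 28, 9, 0, 0, tzinfo=timezone.utc)


def log_line(ip, seconds, path):
    """Combined-log-format line for a constructed request `seconds` after BASE."""
    stamp = (BASE + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'


def constructed_log():
    lines = []
    for host in (10, 11, 12):                 # three shoppers browsing normally
        for k in range(6):
            lines.append(log_line(f"192.0.2.{host}", 10 * k, "/products" if k % 2 == 0 else "/search?q=tv"))
    for i in range(120):                      # one bot, 12 requests/s for 10 s
        lines.append(log_line("203.0.113.7", i // 12, "/search?q=black+friday"))
    for bot in range(1, 51):                  # fifty bots, 4 requests each over 10 s
        for k in range(4):
            lines.append(log_line(f"198.51.100.{bot}", 30 + 3 * k, f"/search?q=deal{bot}"))
    return lines


def parse(line):
    """(epoch seconds, client ip, path without query string) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m.group(1), m.group(4).split("?", 1)[0]


class SlidingWindow:
    """Counts events per key inside the last `window_s` seconds."""

    def __init__(self, window_s):
        self.window_s = window_s
        self.events = defaultdict(deque)

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q)


@dataclass
class FloodReport:
    blocked_ips: set = field(default_factory=set)
    per_ip_dropped: int = 0
    endpoint_alerts: list = field(default_factory=list)


def triage(lines, per_ip_limit=20, endpoint_limit=150, window_s=10):
    """Apply a per-client rate limit, then watch the aggregate rate per endpoint."""
    requests = sorted(r for r in map(parse, lines) if r)   # logs are not always in order
    per_ip, per_path = SlidingWindow(window_s), SlidingWindow(window_s)
    report = FloodReport()
    for ts, ip, path in requests:
        if per_ip.add(ip, ts) > per_ip_limit:       # WAF-style rate limit: drop the excess
            report.blocked_ips.add(ip)
            report.per_ip_dropped += 1
            continue
        # Requests that passed the per-client limit still add up when many bots each send a few.
        if per_path.add(path, ts) > endpoint_limit and path not in report.endpoint_alerts:
            report.endpoint_alerts.append(path)
    return report


if __name__ == "__main__":
    print(triage(constructed_log()))
```

The per-client limit blocks 203.0.113.7 after its twentieth request and drops the remaining hundred, but never touches the fifty bots, which only show up when /search is counted as a whole. In production the endpoint threshold comes from a baseline of normal traffic, and the response is to serve a challenge or cached page for that path rather than to block the IPs, since the bots' addresses are disposable.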

What This Looks Like on the Job

Scenario 1: Phishing attack on a financial services company

A mid-sized bank deployed Microsoft 365 E5 with Microsoft Defender for Office 365. Despite anti-phishing policies, an employee received a spear-phishing email that appeared to be from the CEO, asking them to urgently wire funds to a new vendor. The employee clicked a link to a fake SharePoint login page and entered credentials. The attacker used those credentials to sign in to the real SharePoint and access sensitive client data. The security team detected the anomalous sign-in (unfamiliar location) through Microsoft Entra ID Protection risk detections surfaced in Microsoft Defender XDR. They revoked the user's sessions, reset the password, and rolled out MFA to all users. The incident highlighted the need for user training (simulated phishing campaigns) and Conditional Access policies that require MFA and block sign-ins flagged as risky or coming from untrusted locations.

Scenario 2: Ransomware attack on a healthcare organization

A hospital network suffered a Ryuk ransomware attack. The initial vector was a phishing email with a malicious macro. The ransomware encrypted patient records and medical imaging files on file servers and mapped drives. The backups were partially encrypted too, because they sat on the same network and were reachable with the same credentials. The hospital paid the ransom (approximately $50,000 in Bitcoin) to regain access. After recovery, it deployed Microsoft Defender for Endpoint with controlled folder access on the critical data folders and adopted the 3-2-1 backup rule with one copy in Azure Blob Storage under an immutability policy, which no account can delete or overwrite during the retention period. It also enforced the Office default that blocks macros in files carrying the Mark of the Web (downloaded from or received over the internet) and deployed ASR rules such as 'Block all Office applications from creating child processes' and 'Block Win32 API calls from Office macros'.

Scenario 3: DDoS attack on an e-commerce platform

An online retailer running on Azure experienced a Layer 7 HTTP flood during Black Friday. The attack targeted the product search endpoint, driving CPU on the application tier to saturation while total bandwidth stayed unremarkable, which is why the platform's default DDoS infrastructure protection (formerly 'Basic'), a Layer 3/4 control, never triggered. The attack was mitigated by placing Azure WAF in front of the site with rate-limit rules on the search path and by scaling out the application tier with Azure App Service autoscaling; the team also enabled Azure DDoS Network Protection (formerly 'Standard') for tuned Layer 3/4 mitigation and attack telemetry. The attack lasted 6 hours, but the site stayed available with degraded performance. Post-incident, they moved the front end behind Azure Front Door to absorb traffic at the edge and turned on the WAF bot protection rule set.

How SC-900 Actually Tests This

What SC-900 Tests: This topic falls under Domain 1: Describe the concepts of security, compliance, and identity (10-15% of the exam). Specifically, objective 1.1 'Describe security concepts' includes identifying common attack types. The exam expects you to:

Recognize the characteristics of phishing, ransomware, and DDoS attacks.

Match attack types to their primary impact on the CIA triad.

Identify the Microsoft security solutions that defend against each attack (e.g., Microsoft Defender for Office 365 for phishing, Microsoft Defender for Endpoint for ransomware, Azure DDoS Protection for DDoS).

Understand social engineering as the basis of phishing.

Common Wrong Answers:
1. 'Phishing is a type of malware.' Wrong: phishing is a social engineering technique. Malware (ransomware, for instance) may be delivered by phishing, but phishing itself is not malware.
2. 'Ransomware only encrypts files.' Crypto ransomware is the common case, but locker variants lock the screen without touching files and doxware threatens to leak stolen data. The exam may describe a locked system whose files are intact.
3. 'DDoS attacks are always volumetric.' A slow HTTP attack such as Slowloris exhausts the server's connection slots with very little bandwidth; it is an application layer attack. Know the three categories: volumetric, protocol, application.
4. 'Azure DDoS Protection Basic is sufficient for all attacks.' Infrastructure protection (formerly Basic) mitigates only large, common Layer 3/4 floods using platform-wide thresholds; Network Protection (formerly Standard) tunes mitigation to your own traffic and adds telemetry, alerting and reports. Neither stops a Layer 7 flood by itself; that requires Azure WAF.

Specific Numbers and Terms:
- 'Social engineering' is the phrase phishing questions hinge on.
- 'Botnet' goes with DDoS.
- 'Ransomware-as-a-Service (RaaS)' may appear as a variant.
- 'Safe Links' and 'Safe Attachments' are Microsoft Defender for Office 365 features.
- 'Controlled folder access' began as a Windows Defender Exploit Guard feature and is now part of the attack surface reduction capabilities managed through Microsoft Defender for Endpoint.

Edge Cases:
- A phishing attack aimed at senior executives is 'whaling'.
- Ransomware that spreads without user interaction (WannaCry) does so through an exploit (EternalBlue against SMBv1), which makes patching a ransomware control as well.
- DDoS traffic can be absorbed at the edge by a CDN (Azure Front Door) before it reaches the origin.

How to Eliminate Wrong Answers:
- A deceptive message asking for credentials: phishing, not malware.
- Encrypted files and a ransom note: ransomware.
- Overwhelming traffic from many sources: DDoS.
- Keywords: 'email' often points to phishing, 'encrypt' to ransomware, 'unavailable' to DDoS.

Key Takeaways

Phishing is a social engineering attack, not a malware type.

Ransomware encrypts files or locks systems; offline or immutable backups are the most reliable recovery path, while endpoint protection and ASR rules are the prevention layer.

DDoS attacks target availability; Azure DDoS Network Protection (formerly Standard) provides tuned mitigation and telemetry beyond the free infrastructure protection every Azure public IP already has.

Microsoft Defender for Office 365 includes Safe Links and Safe Attachments to combat phishing.

Controlled folder access (originally a Windows Defender Exploit Guard feature, now part of Microsoft Defender for Endpoint) protects data folders against ransomware.

DDoS attacks are categorized as volumetric, protocol, or application layer.

Ransomware-as-a-Service (RaaS) allows non-technical attackers to deploy ransomware.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Phishing

Social engineering attack

Delivered via email, SMS, or voice

Primary impact: credential theft or malware delivery

Defense: user training, MFA, email filtering

Example: fake login page

Ransomware

Malware attack

Delivered via phishing, exploit, or RDP

Primary impact: file encryption or system lock

Defense: backups, endpoint protection, ASR rules

Example: CryptoLocker

Watch Out for These

Mistake

Phishing always comes via email.

Correct

Phishing can also occur via SMS (smishing), voice calls (vishing), or even social media messages. The exam may present a scenario with a text message or phone call.

Mistake

Ransomware always encrypts all files on the computer.

Correct

Ransomware often targets specific file types (documents, images) and may skip system files to keep the OS running. Some ransomware (locker) locks the screen without encrypting files.

Mistake

DDoS attacks always come from many different IP addresses.

Correct

While DDoS uses multiple sources, a single-source DoS attack is possible but not 'distributed.' The exam may distinguish between DoS and DDoS.

Mistake

Paying the ransom guarantees data recovery.

Correct

There is no guarantee. Attackers may not provide the decryption key, or the key may not work. Law enforcement recommends not paying.

Mistake

Azure DDoS Protection Standard is free.

Correct

Infrastructure protection (formerly Basic) is free on every Azure public IP. DDoS Network Protection (formerly Standard) is billed per protection plan (about $2,944 per month as of 2023, covering up to 100 public IP resources), and DDoS IP Protection is billed per protected IP.


Frequently Asked Questions

What is the difference between phishing and spear phishing?

Phishing is a broad term for any attempt to trick individuals into revealing sensitive information. Spear phishing is a targeted version where the attacker customizes the message for a specific individual or organization, often using personal details (e.g., name, job title) to appear legitimate. For the exam, know that spear phishing is more dangerous because it is harder to detect.

Does Microsoft Defender for Office 365 protect against all phishing attacks?

No, but it provides significant protection. It includes anti-phishing policies, spoof intelligence, and Safe Links/Safe Attachments. However, no solution is 100% effective. User education and MFA are also critical.

What is the 3-2-1 backup rule for ransomware?

The 3-2-1 rule means: keep at least 3 copies of your data, on 2 different media types (e.g., local disk and cloud), with 1 copy offsite that the production network cannot modify (e.g., Azure Blob Storage with an immutability policy, or media kept offline). This ensures that even if ransomware encrypts local backups, an untouched copy remains.

Can Azure DDoS Protection Basic stop a Layer 7 attack?

No. Infrastructure protection (formerly Basic) works at Layer 3/4 only and mitigates common floods such as SYN and UDP floods. For Layer 7 attacks (e.g., HTTP floods) you need Azure WAF on Application Gateway or Azure Front Door, with rate limiting and bot protection. Azure DDoS Network Protection (formerly Standard) adds tuned mitigation and telemetry at Layer 3/4 but is not itself a Layer 7 control.

What is the difference between a DoS and DDoS attack?

A DoS (Denial of Service) attack originates from a single source, while a DDoS (Distributed Denial of Service) attack comes from multiple sources (often a botnet). DDoS is harder to mitigate because it is distributed.

How does controlled folder access help against ransomware?

Controlled folder access began as a Windows Defender Exploit Guard feature and is now managed through Microsoft Defender for Endpoint. It allows only trusted applications (those Microsoft's cloud reputation rates as friendly, plus any you allow-list) to modify files in protected folders such as Documents and Pictures. When an untrusted process, ransomware for example, tries to change a file there, the write is blocked and an event is logged and surfaced as an alert. Run it in audit mode first to find legitimate apps that need allow-listing.

What is Ransomware-as-a-Service (RaaS)?

RaaS is a business model where ransomware developers sell or lease their ransomware to affiliates who then deploy it. The developer takes a cut of the ransom payments. This lowers the technical barrier for attackers.
