{
	"id": "53e745eb-c364-4360-8c1a-7d010a0d1402",
	"created_at": "2026-04-06T01:30:45.946382Z",
	"updated_at": "2026-04-10T13:11:23.52516Z",
	"deleted_at": null,
	"sha1_hash": "fef0e851f653f8081290673472cd5df2794421dd",
	"title": "EDR in block mode stops IcedID cold",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 808257,
	"plain_text": "EDR in block mode stops IcedID cold\r\nBy Microsoft Threat Intelligence\r\nPublished: 2020-12-09 · Archived: 2026-04-06 00:21:32 UTC\r\nWe are happy to announce the general availability of endpoint detection and response (EDR) in block mode in Microsoft Defender for Endpoint. EDR in block mode turns EDR detections into real-time blocking of malicious behaviors, malware, and artifacts. It uses Microsoft Defender for Endpoint’s industry-leading visibility and detection capabilities and Microsoft Defender Antivirus’s built-in blocking function to provide an additional layer of post-breach protection in cases where the primary antivirus misses a threat.\r\nEDR in block mode extends the behavioral blocking and containment capabilities in Microsoft Defender for Endpoint, thwarting attack chains that could allow attackers to gain a foothold on a device and, consequently, a network. For each malicious behavior or malware blocked, EDR in block mode raises an alert in Microsoft Defender Security Center, enabling security teams to perform additional investigation and hunting and comprehensively resolve attacks.\r\nSince becoming available for public preview in August, EDR in block mode has helped customers stop a wide range of threats, especially in cases where Microsoft Defender Antivirus isn’t the primary antivirus. Below we describe an IcedID campaign, one of many attacks foiled by EDR in block mode. In this incident, the organization’s non-Microsoft antivirus solution missed the malware, but Microsoft Defender for Endpoint picked up the malicious behavior. EDR in block mode kicked in and protected the device from a series of malicious activities that included evasive attacker techniques like process hollowing and steganography leading to the deployment of the info-stealing IcedID malware.\r\nhttps://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/\r\nPage 1 of 6\r\nFigure 1. 
IcedID attack chain stopped by EDR in block mode\r\nHow EDR in block mode stopped an IcedID attack\r\nOn October 13, attackers launched a new campaign to distribute the IcedID malware. IcedID is a banking trojan that remains in memory, monitors traffic to banking domains and financial websites, and steals sensitive financial information. It has also been observed to modify site content to redirect traffic to malicious sites for the same purpose.\r\nAs in many past IcedID campaigns, this attack started with an email carrying a malicious attachment, in this case a password-protected archive file. The emails used the fake reply technique and contained the password to the archive file.\r\nFigure 2. Spear-phishing email used in the IcedID campaign\r\nThe archive file contained a document with malicious obfuscated macro code. When enabled, the malicious macro connects to a remote site to attempt to download the IcedID loader, which would in turn download and run the main IcedID malware.\r\nFigure 3. Document with malicious macro\r\nIn customer environments protected by Microsoft Defender for Endpoint with Microsoft Defender Antivirus as the primary antivirus, the attack was blocked. Microsoft Defender for Endpoint uses the Antimalware Scan Interface (AMSI) and specialized machine learning classifiers on the client and in the cloud to detect malicious macro behavior.\r\nIn one environment that wasn’t using Microsoft Defender Antivirus, the primary antivirus solution missed the campaign, so when the user opened the document and enabled the macro, the malicious code started connecting to the command-and-control (C2) server. 
Microsoft Defender for Endpoint’s EDR capabilities, however, detected the malicious macro behavior.\r\nEDR in block mode, which was enabled in the environment, kicked in and instantly blocked the malicious document, preventing a chain of evasive attacker activities that could have led to the IcedID malware being installed.\r\nFigure 4. Microsoft Defender Security Center alert for the blocked IcedID malware\r\nThe attack that could have been\r\nThis IcedID campaign shows why blocking malicious behavior and attacks in real time, especially in the earlier stages of the attack, is critical in preventing the full impact of threats. After gaining access to a device, attackers bring in sophisticated tools and utilize advanced techniques to operate stealthily on a system.\r\nFor example, if the IcedID macro isn’t blocked from running, it downloads a DLL file disguised as a CAB file from hxxp://h4dv4c1w[.]com/ryfu/bary[.]php?l=konu13[.]cab. This DLL file is saved as [random].txt and is executed using regsvr32.exe. The DLL then downloads jazzcity.top, an encrypted PNG file that contains malware code. This technique of hiding malicious code in image files, called steganography, is used by attackers to evade detection.\r\nWhen decrypted, the payload from the PNG file creates an msiexec.exe process and uses process hollowing, a stealthy cross-process injection technique, to inject malicious code. The hollowed-out msiexec.exe process then creates the file joavript.dll, which is the decrypted IcedID malware.\r\nFigure 5. 
Microsoft Defender Security Center alert for the detection of IcedID malware\r\nOnce in memory, the IcedID malware acts as the middleman between the browser and the banking site. It does this by creating a self-signed certificate and by hooking the browser to accept this certificate. This allows IcedID to monitor HTTPS traffic to online banking sites and manipulate and steal information.\r\nEDR in block mode: Transforming EDR visibility into real-time blocking\r\nWith endpoint detection and response (EDR) in block mode, now generally available, Microsoft Defender for Endpoint provides another layer of post-breach protection when attacks manage to slip past the primary antivirus solution. An extension of the behavioral blocking and containment capabilities, EDR in block mode stops attacks cold when it detects malicious behavior, malware implants, and other artifacts. It stops and blocks malicious behavior in real time, even if a threat has started running, helping ensure that attacks are not allowed to proceed and achieve their endgame.\r\nEDR in block mode can be enabled through the advanced settings in Microsoft Defender Security Center. Organizations that have not enabled this feature will also get a security recommendation to do so via the threat and vulnerability management feature. To learn more, read the EDR in block mode documentation.\r\nFigure 6. Enable EDR in block mode in advanced features in Microsoft Defender Security Center\r\nEDR in block mode is part of the comprehensive endpoint protection provided by Microsoft Defender for Endpoint, which delivers preventative protection, post-breach detection, automated investigation, and response. Learn how you can secure your organization with Microsoft Defender for Endpoint.\r\nTalk to us\r\nQuestions, concerns, or insights on this story? 
Join discussions at the Microsoft 365 Defender tech community.\r\nRead all Microsoft security intelligence blog posts.\r\nFollow us on Twitter @MsftSecIntel.\r\nSource: https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/"
	],
	"report_names": [
		"edr-in-block-mode-stops-icedid-cold"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439045,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fef0e851f653f8081290673472cd5df2794421dd.pdf",
		"text": "https://archive.orkl.eu/fef0e851f653f8081290673472cd5df2794421dd.txt",
		"img": "https://archive.orkl.eu/fef0e851f653f8081290673472cd5df2794421dd.jpg"
	}
}