Full Report
Microsoft has started testing a new "scareware blocker" feature for the Edge web browser on Windows PCs, which uses machine learning (ML) to detect tech support scams. [...]
Analysis Summary
# Tool/Technique: Edge Scareware Blocker (Tech Support Scam Blocker)
## Overview
The Edge Scareware Blocker is a feature Microsoft is testing in the Microsoft Edge browser on Windows. According to the report, it uses machine learning to recognise tech support scam pages rather than relying only on a list of known bad URLs. Its purpose is to detect and block websites that deliver scareware messages or use common tech support scam tactics, in particular the malicious pop-ups, full-screen alerts and fake "system infected" warnings designed to pressure users into calling a fraudulent support line.
## Technical Details
- Type: Tool (Browser Security Feature)
- Platform: Microsoft Edge (Windows)
- Capabilities: Real-time detection and blocking of tech support scam websites, prevents malicious full-screen takeover alerts.
- First Seen: Announced by Microsoft as being in testing; the source excerpt does not give a date.
## MITRE ATT&CK Mapping
While this is a defensive tool, it directly counters techniques common in web-based social engineering. Tech support scams are fraud against the user rather than a code-level intrusion, so the mapping is approximate:
- **TA0001 - Initial Access**
- T1566 - Phishing / T1566.002 - Spearphishing Link (When the victim is tricked into clicking a link that leads to the scam page; victims who arrive via malvertising or redirect chains map more closely to T1189 - Drive-by Compromise)
- **TA0002 - Execution**
- T1204 - User Execution / T1204.002 - Malicious File (When the scammer talks the victim into downloading and running a "repair" tool or installer during the call)
- **TA0011 - Command and Control**
- T1219 - Remote Access Software (The usual escalation after the call: the victim is asked to install a remote-control tool so the "technician" can take over the machine)
*Note: The blocker acts at the lure stage. It stops the scam page from displaying its high-pressure alerts, so the phone call and everything downstream of it (T1204, T1219) never happens. The earlier mapping of TA0011 to Persistence was incorrect: TA0011 is Command and Control, and Persistence is TA0003.*
## Functionality
### Core Capabilities
- **Scareware Detection:** Identifying specific patterns associated with "scareware" alerts, which often involve alarming messages about viruses or system compromise.
- **Blocking:** Preventing the display of these malicious, high-pressure pop-up messages.
- **Preventing Full-Screen Takeover:** Stopping the website technique that locks the user's browser windows, forcing them to engage with the scammer.
### Advanced Features
- The report describes the feature as ML-based, i.e. a classifier that judges a page on its own characteristics instead of matching it against a list of known scam domains and scripts. The excerpt does not say how the model is trained, whether it runs locally or server-side, or how it interacts with existing Edge protections such as URL reputation, so those details should not be assumed.
## Indicators of Compromise
Since this is a defensive tool, the focus is on the indicators it blocks:
- File Hashes: N/A (Defensive feature, not malware)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Domains or URLs hosting tech support scam pages (typically short-lived sites impersonating Microsoft Support, Windows Defender or antivirus vendors). The report names no specific domains, so no defanged examples are given here.
- Behavioral Indicators: Page scripts that abuse browser APIs to trap the user: loops of `alert()`/`confirm()` dialogs, `requestFullscreen()` on the document element, `beforeunload` handlers that fire a warning on every attempt to leave, and `history.pushState()` flooding so the Back button does not escape the page, combined with alarming "your computer is infected" text and a phone number to call.
## Associated Threat Actors
This tool targets entities engaged in:
- Tech Support Scams
- Scareware operations
- Social Engineering campaigns leveraging browser alerts.
## Detection Methods
(Methods for detecting the *scam* sites this tool aims to block):
- Signature-based detection: Blocklisting known scam domains and URLs. Scam infrastructure rotates quickly, so list-based blocking alone lags behind new campaigns.
- Behavioral detection: Monitoring for bursts of browser dialogs, fullscreen requests or viewport changes indicative of a takeover, `beforeunload` traps, history flooding, and the combination of these with scareware wording and a phone number on the page.
- YARA rules: Not applicable for a browser security feature itself.
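To make the behavioral indicators and detection heuristics above concrete, the following is an added example (written for this summary, not Microsoft's code and not the actual Edge implementation) of a browser-locker scorer in JavaScript. It instruments a window-like object to count dialog calls, fullscreen requests, `beforeunload` registrations and `history.pushState` calls, scores the page text for scareware phrasing and a phone number, and combines both into a block/allow verdict. The scam and benign pages, the phrases, the weights and the threshold are all constructed for illustration; the sample text, phone numbers and error code are invented.

```javascript
// Added example: heuristic browser-locker scoring. Not Microsoft's code; the
// phrases, weights, threshold and sample pages below are constructed.

// Text signals: alarming wording typical of scareware pages plus a phone number.
const SCARE_PHRASES = [
  /your (computer|pc|device) (has been|is) (infected|blocked|locked)/i,
  /(virus|trojan|spyware|malware) (detected|found)/i,
  /call (?:microsoft|apple|windows|toll[- ]?free)?\s*(?:support|technician|helpline)/i,
  /do not (close|shut down|restart)/i,
  /(error|alert) code[:\s]*#?[0-9a-z-]+/i,
];
const PHONE_RE = /\b(\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/;

function scoreText(text) {
  let score = 0;
  const hits = [];
  for (const re of SCARE_PHRASES) if (re.test(text)) { score += 2; hits.push(re.source); }
  if (PHONE_RE.test(text)) { score += 3; hits.push('phone-number'); }
  return { score, hits };
}

// Behavioural signals: wrap the APIs a locker abuses and record how they are used.
// `now` is injectable so the example runs deterministically without a real clock.
function instrument(win, now = () => Date.now()) {
  const stats = { dialogs: [], fullscreen: 0, beforeunload: 0, pushState: 0 };
  for (const name of ['alert', 'confirm', 'prompt']) {
    const orig = win[name];
    win[name] = function (...args) {
      stats.dialogs.push(now());
      return typeof orig === 'function' ? orig.apply(this, args) : undefined;
    };
  }
  const root = win.document && win.document.documentElement;
  if (root && typeof root.requestFullscreen === 'function') {
    const orig = root.requestFullscreen;
    root.requestFullscreen = function (...args) { stats.fullscreen++; return orig.apply(this, args); };
  }
  if (win.history && typeof win.history.pushState === 'function') {
    const orig = win.history.pushState;
    win.history.pushState = function (...args) { stats.pushState++; return orig.apply(this, args); };
  }
  const origAdd = win.addEventListener;
  win.addEventListener = function (type, ...rest) {
    if (type === 'beforeunload') stats.beforeunload++;
    return typeof origAdd === 'function' ? origAdd.call(this, type, ...rest) : undefined;
  };
  return stats;
}

function scoreBehaviour(stats, burstWindowMs = 10000) {
  let score = 0;
  const hits = [];
  const d = stats.dialogs;
  // Three or more blocking dialogs within the window is the classic "uncloseable" loop.
  for (let i = 0; i + 2 < d.length; i++) {
    if (d[i + 2] - d[i] <= burstWindowMs) { score += 4; hits.push('dialog-burst'); break; }
  }
  if (stats.fullscreen > 0) { score += 2; hits.push('fullscreen'); }
  if (stats.beforeunload > 0) { score += 1; hits.push('beforeunload-trap'); } // weak alone: legit sites use it
  if (stats.pushState >= 20) { score += 2; hits.push('history-flood'); }
  return { score, hits };
}

function verdict(text, stats, threshold = 6) {
  const t = scoreText(text), b = scoreBehaviour(stats);
  const score = t.score + b.score;
  return { score, block: score >= threshold, hits: [...t.hits, ...b.hits] };
}

// Constructed stand-in for a browser window so the example runs under Node.
function makeMockWindow(clock) {
  return {
    alert() {}, confirm() { return false; }, prompt() { return null; },
    document: { documentElement: { requestFullscreen() { return Promise.resolve(); } } },
    history: { pushState() {} },
    addEventListener() {},
    performance: { now: () => clock.t },
  };
}

// Constructed scam page: fullscreen, unload trap, history flood, alert loop, scare text.
function simulateScamPage() {
  const clock = { t: 0 };
  const win = makeMockWindow(clock);
  const stats = instrument(win, () => clock.t);
  win.document.documentElement.requestFullscreen();
  win.addEventListener('beforeunload', () => {});
  for (let i = 0; i < 50; i++) win.history.pushState({}, '', '#' + i);
  for (let i = 0; i < 5; i++) { win.alert('** WARNING **'); clock.t += 500; }
  const text = 'WINDOWS DEFENDER ALERT: Your computer has been infected. Trojan spyware detected. ' +
    'Error code #0x80073b01. Do not close this window. Call Microsoft Support at 1-888-555-0123.';
  return verdict(text, stats);
}

// Constructed benign page: one alert, a legitimate unsaved-changes prompt, a real phone number.
function simulateBenignPage() {
  const clock = { t: 0 };
  const win = makeMockWindow(clock);
  const stats = instrument(win, () => clock.t);
  win.alert('Your form was saved.');
  win.addEventListener('beforeunload', () => {});
  return verdict('Thanks for your order. Questions? Call us at 1-800-555-0199.', stats);
}

module.exports = { scoreText, instrument, scoreBehaviour, verdict, simulateScamPage, simulateBenignPage };
```

The point of the two simulations is the caveat a practitioner cares about: a phone number or a `beforeunload` handler on its own is normal web behaviour, so each signal carries a small weight and only the combination of scare wording, a call-to-action number and API abuse crosses the threshold. In a real extension or content script the instrumentation would be installed before page scripts run and the scoring fed by the page's visible text.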
## Mitigation Strategies
- **Prevention Measures:** Enable the Edge Scareware Blocker once it is available in the installed build; the report describes it as a feature still in testing, so it may not be present or on by default. Independently of the blocker, users should know that genuine Microsoft or antivirus warnings never ask them to call a phone number, that Esc exits a page's fullscreen mode, and that a locked browser can be closed from Task Manager without calling anyone.
- **Hardening Recommendations:** Keep Edge fully updated so the feature arrives as soon as it is rolled out, and keep the browser's existing URL reputation protections enabled, since the ML-based blocker is described as an addition to, not a replacement for, list-based blocking of known scam sites.
## Related Tools/Techniques
- Browser security features in competitor browsers (e.g., Google Safe Browsing, which Chrome uses for its phishing and malware warnings).
- Generic scareware/adware removal utilities targeted at cleaning up existing browser hijacks.