Skip to Main Content

Microsoft’s EMEA Digital Crimes Unit in Paris

Closing the circle on digital crime

Mae was excited to land a job at a big internet company. From a sprawling campus in California, her new employer links personal emails, social media and finances with its operating system to create a unique online identity for every user. However, all was not as it seemed and Mae found herself out of her depth in what she thought was the opportunity of a lifetime.

If you’re thinking this all sounds like a Hollywood film, you would be right. The Circle, based on the 2014 novel of the same name and starring Emma Watson, Tom Hanks and Bill Paxton (in his last film role before his death), will be released next month.

It’s little surprise that the producers believe this sinister tale of privacy and surveillance in a modern, digital world will be a hit with cinema-goers – cyber-security is big news, and needs budgets to match.

Cybercrime costs EU member states €265 billion a year, according to Europol. Globally, the figure is thought to be more than €900 billion. In 2017, cyber-security is a much greater challenge than just keeping company records safe online. It has become an important line of defence for authorities in their fight against terrorism, and in protecting anyone with an internet connection from scams and fraud.

Last month, the Queen opened the National Cyber Security Centre in London; the first time the UK has brought together its cyber expertise in one place, transforming how the country tackles cyber security issues. Part of GCHQ, the Government’s intelligence agency, the site emphasises the national commitment to pre-empting and averting online criminal activity, which is becoming increasingly sophisticated.

This level of vigilance is something Microsoft has championed for almost a decade via its specialist Digital Crime Unit (DCU), a dedicated security services operation that has grown five-fold in that time. With a presence across the world and an EMEA centre in France, the DCU employs more than 100 experts, including lawyers, investigators, data scientists, engineers, analysts and business professionals.

There are two main facets to the DCU’s work – malware-related protection (where computers are deliberately infected to wreak havoc and/or harvest sensitive data), and protecting internet users, particularly children and the elderly, who are often specifically targeted because they may be less risk-aware or lack the digital skills to protect themselves.

In the war against malware, Microsoft DCU has been instrumental in taking down huge, international botnets (armies of malware-infected computers, coordinated by command-and-control servers), by helping to trace them back to their origins, using sophisticated data analytics. (Each day, DCU servers are pinged around 700 million times by computers that are infected by malware.)

High-profile successes include the Ramnit banking Trojan, intercepted two years ago following an international campaign led by Europol’s Cybercrime Centre, EC3. The Ramnit botnet, designed to harvest online banking log-ins, passwords and personal files, had infected 3.2 million computers worldwide. Microsoft and partners including Symantec and AnubisNetwords assisted Europol and national investigators from Germany, Italy, the Netherlands and the UK, in locating and shutting down the servers involved, and redirecting hundreds of domain addresses used by the botnet’s operators. Malware investigators from the DCU used Microsoft’s cloud-based data analytics tools and telemetry to collect and analyse infection data in near real-time, which it then fed to the agencies involved.

EMEA is a strong focus for the DCU’s work: Microsoft’s formal partnership with Europol dates back three years, following successful collaboration with the latter’s EC3 operation and other international agencies to disrupt the virulent ZeroAccess botnet. Investigations spanning Latvia, Luxembourg, Switzerland, the Netherlands and Germany, aided by Microsoft’s input, led to search warrants and seizure orders on computers traced to 18 IP addresses.

There is nothing similar in the IT industry, according to Juan Hardoy, head of Microsoft’s EMEA DCU in Paris and an Assistant General Counsel at the company. He says Microsoft invests around $1 billion each year in digital safety –  across its DCU and Cybercrime Center (see box), to product design and development, encryption and meeting standards set by the International Society of Automation, to “best-in-class” data centres for Microsoft Azure cloud services. “This demonstrates our commitment to protecting everyone, everywhere,” he says. “Relative to the size of Microsoft, the DCU team may appear modest, but for a digital crime unit, it’s huge. How many other IT companies employ malware engineers, analytics and cyber forensic people in their legal departments?”

The developer of one of the world’s leading cloud ecosystems, not to mention device operating platforms and office productivity suites, Microsoft is perfectly placed to be at the forefront of digital crime prevention. This position also creates a virtuous cycle – for every new criminal threat that the DCU helps identify and eliminate, Microsoft gains new insights and expertise that can be fed back into its own developments, giving its products the latest cybersecurity features.

It isn’t just about the technology, though. Significantly, the DCU is part of Microsoft’s legal department.  This reflects its higher purpose – upholding public safety, and balancing this with the need to safeguard personal privacy for example. DCU teams work tirelessly with international partners including Europol, Interpol and the FBI to help catch criminals and bring them to justice. They influence crime detection on a broad scale, and provide insight that informs new legal theories, civil cases and court orders. This transcends any one particular technology or brand.

“We have state-of-the-art tools and techniques (see box) to analyse, visualise and provide insights to help the legal profession understand victims, how crimes are committed and how to tackle them,” Hardoy notes.

The DCU collaborates closely with a whole host of industry partners ranging from security and anti-virus companies to non-government organisations and law enforcement agencies. As part of its efforts to proactively increase child protection, the company licenses technology (for free) to combat child abuse online – for example, its cloud-based PhotoDNA solution, developed in cooperation with Dartmouth College in the US, helps identify and remove illegal images of children. The technology is the result of a partnership with the National Centre for Missing and Exploited Children which dates back several years. It allows agencies to scan and log abusive images of children, assigning each photo a unique digital ‘fingerprint’ that can then be scanned for and detected on devices and services, even if the images have been edited in some way. To date PhotoDNA has helped detect millions of illegal images online, and more than 100 organisations, including Facebook and Twitter,  use it to keep their platforms safe, guided and trained by Microsoft.

Hardoy believes this kind of concerted effort is the only way the world will stay ahead of new and evolving digital risks, given the pace of change and the speed with which harmful activity can spread now. “There is still a significant need for an efficient international framework that law enforcement agencies can use to tackle this type of crime, enabling them to share intelligence yet balance this with protecting the individual’s right to privacy,” he says, noting that Microsoft DCU plays a proactive role in related debates, in Brussels and internationally.

Hardoy feels proud to work for an organisation which so highly values the need to protect everyone, especially the most vulnerable in society. “It’s a fantastic thing to be part of,” he says. “Real-time crime detection and prevention has never been so critical, and thanks to Microsoft’s cloud technology and data analytics capabilities, we’re ideally positioned to detect new threats as they emerge so law enforcement agencies can act swiftly. The win-win for our customers and partners is that we’re also able to use those discoveries to improve our own cloud platform and solutions, giving them the highest levels of protection, and confidence, both now and in the future.”


Microsoft Digital Crimes Unit at a glance

  • What?
    • Microsoft’s Digital Crimes Unit (DCU) was formally established in November 2013 when the company opened a dedicated Cybercrime Center at its Redmond, Washington headquarters in the US – a high-profile research and analytics lab and facility where Microsoft experts can come together with partner organizations to fight digital crime. Customers are invited to visit the facility.
  • Who?
    • It is a 100-strong Microsoft-sponsored team of international legal and internet security experts, who employ the latest tools and technologies to disrupt and prevent cybercrime and cyber threats.
    • Skills range from international legal and technical team of attorneys, investigators, and forensic analysts, with expertise across the areas of malware, botnets, IP crimes, and technology-facilitated child exploitation.
    • There are satellite DCU operations around the world, including a 30-strong team in EMEA, based in Paris but including in-country analysts in UK and Ireland, Germany, Slovakia, Russia, Dubai and South Africa.
  • How?
    • The DCU, part of Microsoft’s legal department, uses creative legal strategies and cutting-edge data analytics to build civil cases and criminal referrals, partnering with law enforcement worldwide, NGOs, industry, security vendors and researchers so that cybercriminals are brought to justice.
    • Microsoft does not charge for its input, which it sees as part of its Corporate Social Responsibility remit – a mutual exchange of skills and information with external partners to fight cybercrime. The DCU’s activities boost public confidence, and help Microsoft deliver the highest security measures to its customers via its commercial operations. For example, Microsoft cloud services are promoted as being ‘protected by the DCU’.
  • The technology:
    • The DCU uses the Microsoft Azure cloud platform to capture, store, and analyze more than 600 million security threats per day.
    • The built-in security of the Microsoft cloud means the DCU can detect, protect and respond to emerging cybersecurity threats in real time.
    • Advanced analytics, enabled by Microsoft Power BI, harness big data to reveal patterns and insights that help the DCU and its international crime-fighting partners better understand cybercriminal activity.
    • Microsoft’s PhotoDNA technology helps protect children from exploitation online, keeping pace with the 720,000 abusive images that are uploaded to the internet each day.  PhotoDNA uses a complex algorithm to trace illegal images online. The software, which can run on internal systems or via the cloud, is used by the likes of Facebook and Twitter, as well as NGOs and law enforcement organizations.
  • Impact:
    • As a result of the DCU team’s malware disruption cases, tens of millions of infected devices connecting to more than 50 million IP addresses have been rescued.
    • As a result of DCU’s malware disruption cases, traffic that once communicated to criminal servers is rerouted to Microsoft’s Cyber Threat Intelligence Program (CTIP) in Microsoft’s secure cloud.
    • Microsoft PhotoDNA has been used to scan more than 125 million child victim images to date, and help bring criminals to justice.