Microsoft announces the 2024 Microsoft Security Excellence Awards winners
At this year's Microsoft Security Excellence Awards, we took a journey through the evolution of cybersecurity from the 1950s to today. While this event theme celebrated the significant technological advancements that have shaped each decade, the main focus was on the Microsoft Intelligent Security...
Microsoft named an overall leader in KuppingerCole Leadership Compass for ITDR
The post Microsoft named an overall leader in KuppingerCole Leadership Compass for ITDR appeared first on Microsoft Security Blog...
Microsoft announces recipients of academic grants for AI research on combating phishing
Every day in the ever-changing technology landscape, we see boundaries shift as new ideas challenge the old status quo. This constant shift is observed in the increasingly sophisticated and connected tools, products, and services people and organizations use on a daily basis, but also in the...
Minimize cybersecurity risk with Software Asset Management
This post is authored by Patama Chantaruck, General Manager of Worldwide Software Asset Management & Compliance. By 2021, worldwide cybercrime damage is expected to reach $6 trillion, double what it cost businesses in 2015. Unapproved apps, unmanaged devices, poor password protection, and other...
Microsoft recognized as a Leader in The Forrester Wave™ for Workforce Identity Security Platforms
Identity is the backbone of modern cybersecurity. Every access decision carries risk, across employees, partners, devices, workloads, and an expanding set of AI-powered agents. But most organizations are still operating across disparate systems. Identity signals are captured in one place, access...
How Storm-2949 turned a compromised identity into a cloud-wide breach
In this article 1. Attack chain overview 1. Cloud compromise: Microsoft Entra ID and Microsoft 365 2. Initial access and persistence through targeted social engineering and SSPR abuse 3. Directory discovery and persistence 4. Microsoft 365 discovery and exfiltration 5. Cloud compromise: Microsoft...
Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise
In this article 1. Sapphire Sleet’s campaign lifecycle 2. Defending against Sapphire Sleet intrusion activity 3. Microsoft Defender detection and hunting guidance 4. Indicators of compromise Executive summary Microsoft Threat Intelligence uncovered a macOS‑focused cyber campaign by the North Kore...
The agentic SOC—Rethinking SecOps for the next decade
Every major shift in cyberattacker behavior over the past decade has followed a meaningful shift in how defenders operate. When security operation centers (SOCs) deployed endpoint detection and response (EDR)—and later extended detection and response (XDR)—security teams raised the bar, pushing...
CTI-REALM: A new benchmark for end-to-end detection rule generation with AI agents
Excerpt: CTI-REALM is Microsoft’s open-source benchmark for evaluating AI agents on real-world detection engineering—turning cyber threat intelligence (CTI) into validated detections. Instead of measuring “CTI trivia,” CTI-REALM tests end-to-end workflows: reading threat reports, exploring telemetr...
AI as tradecraft: How threat actors operationalize AI
In this article 1. AI as an enabler for cyberattacks 2. Post-compromise misuse of AI 3. Emerging trends 4. Mitigation guidance for AI-enabled threats 5. Microsoft Defender detections Threat actors are operationalizing AI along the cyberattack lifecycle to accelerate tradecraft, abusing both...
Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale
In this article 1. Operational overview of Tycoon2FA 2. Mitigation and protection guidance 3. Microsoft Defender detections Following its emergence in August 2023, Tycoon2FA rapidly became one of the most widespread phishing-as-a-service (PhaaS) platforms, enabling campaigns responsible for tens of...
OAuth redirection abuse enables phishing and malware delivery
Microsoft observed phishing-led exploitation of OAuth’s by-design redirection mechanisms. The activity targets government and public-sector organizations and uses silent OAuth authentication flows and intentionally invalid scopes to redirect victims to attacker-controlled infrastructure without...
Detecting backdoored language models at scale
Today, we are releasing new research on detecting backdoors in open-weight language models. Our research highlights several key properties of language model backdoors, laying the groundwork for a practical scanner designed to detect backdoored models at scale and improve overall trust in AI...
From runtime risk to real‑time defense: Securing AI agents
AI agents, whether developed in Microsoft Copilot Studio or on alternative platforms, are becoming a powerful means for organizations to create custom solutions designed to enhance productivity and automate organizational processes by seamlessly integrating with internal data and systems. From a...
Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components
CVE-2025-55182 (also referred to as React2Shell, and including CVE-2025-66478, which was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, this vulnerability could all...
Inside the attack chain: Threat activity targeting Azure Blob Storage
Azure Blob Storage, like any object data service, is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale across diverse workloads. Organizations of all sizes use Blob Storage to support key workloads—such as AI, high...
Disrupting threats targeting Microsoft Teams
The extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors. Threat actors abuse its core capabilities – messaging (chat), calls and meetings, and video-based screen-sharing – at different points along th...
Connect with us at the Gartner Security & Risk Management Summit
Security professionals visiting booths scattered around a hall, eager for solutions to today’s top cybersecurity challenges to protect their resources and people. The hum of hundreds of conversations. Presenters in packed sessions sharing expertise, trends, and stories to energize attendees. Few...
Announcing a new strategic collaboration to bring clarity to threat actor naming
In today’s cyberthreat landscape, even seconds of delay can mean the difference between stopping a cyberattack or falling victim to ransomware. One major cause of delayed response is understanding threat actor attribution, which is often slowed by inaccurate or incomplete data as well as...
Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity: Part 2
Microsoft launched its Cybersecurity Governance Council in 2024, and with it, named a group of deputy chief information security officers that ensure comprehensive oversight of the company’s cybersecurity risk, defense, and compliance. These leaders work in tandem with product and engineering...
Faster, more personalized service begins at the frontline with Microsoft Intune
In healthcare, patient trust often begins at the frontline with people who deliver care, respond to questions, and manage crucial in-the-moment decisions. Increasingly, those experiences are shaped by the tools frontline workers use. When devices are secure, responsive, and tailored to clinical...
US Department of Labor’s journey to Zero Trust security with Microsoft Entra ID
For several years, Microsoft has been helping United States federal and state government groups, including military departments and civilian agencies, transition to a Zero Trust security model. Advanced features in Microsoft Entra ID have helped these organizations meet requirements to employ...
StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. Analysis of the StilachiRAT’s...
Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware
Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called...
New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects
Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that infects Xcode projects, in the wild during routine threat hunting. Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated...
Celebrate 20 years of Cybersecurity Awareness Month with Microsoft and let’s secure our world together
This year marks the twentieth anniversary of Cybersecurity Awareness Month, when we partner with the National Cybersecurity Alliance, the United States Cybersecurity and Infrastructure Security Agency (CISA), and organizations around the world to amplify the importance of cybersecurity best practic...
Defenders wanted—building the new cybersecurity professionals
As part of Cybersecurity Awareness Month, we published a special blog post earlier this week featuring real-world experiences shared by cybersecurity professionals: people with diverse backgrounds in law, academia, software development, and other seemingly unrelated fields. This topic is near and...
Windows 11 enables security by design from the chip to the cloud
Over the last year, PCs have kept us connected to family, friends, and enabled businesses to continue to run. This new hybrid work paradigm has got us thinking about how we will continue to deliver the best possible quality, experience, and security for the more than 1 billion people who use...
Kazuar: Anatomy of a nation-state botnet
In this article 1. Delivery 2. Module types 3. Botnet operations 4. Who is Secret Blizzard? 5. Mitigation and protection guidance 6. Microsoft Defender detections Kazuar, a sophisticated malware family attributed to the Russian state actor Secret Blizzard, has been under constant development for...
CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments
In this article 1. Vulnerability details 2. Mitigation and protection guidance 3. Microsoft Defender XDR detections 4. References 5. Learn more Microsoft Defender is investigating a high-severity local privilege escalation vulnerability (CVE-2026-31431) affecting multiple major Linux distributions...
Detection strategies across cloud and identities against infiltrating IT workers
In this article 1. Attack chain overview 1. Activities in pre-recruitment phase 2. Activities in recruiting phase 3. Activities in post-recruitment phase 2. Mitigation and protection guidance 3. Microsoft Defender XDR detections The shift to remote and hybrid work since the pandemic expanded glob...
Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk
In this article 1. Technical details 2. Disclosure timeline 3. Mitigation and protection guidance 4. References 5. Learn more During routine security research, we identified a severe intent redirection vulnerability in a widely used third-party Android SDK called EngageSDK. This flaw allows apps ...
Observability for AI Systems: Strengthening visibility for proactive risk detection
Adoption of Generative AI (GenAI) and agentic AI has accelerated from experimentation into real enterprise deployments. What began with copilots and chat interfaces has quickly evolved into powerful business systems that autonomously interact with sensitive data, call external APIs, connect to...
Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft
In this article 1. From search to stolen credentials: Storm-2561 attack chain 2. Defending against credential theft campaigns 3. Microsoft Defender detection and hunting guidance 4. Indicators of compromise In mid-January 2026, Microsoft Defender Experts identified a credential theft campaign tha...
80% of Fortune 500 use active AI Agents: Observability, governance, and security shape the new frontier
Today, Microsoft is releasing the new Cyber Pulse report to provide leaders with straightforward, practical insights and guidance on new cybersecurity risks. One of today’s most pressing concerns is the governance of AI and autonomous agents. AI agents are scaling faster than some companies can s...
Infostealers without borders: macOS, Python stealers, and platform abuse
Infostealer threats are rapidly expanding beyond traditional Windows-focused campaigns, increasingly targeting macOS environments, leveraging cross-platform languages such as Python, and abusing trusted platforms and utilities to silently deliver credential-stealing malware at scale. Since late...
New Microsoft Data Security Index report explores secure AI adoption to protect sensitive data
Generative AI and agentic AI are redefining how organizations innovate and operate, unlocking new levels of productivity, creativity and collaboration across industry teams. From accelerating content creation to streamlining workflows, AI offers transformative benefits that empower organizations ...
Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack
The Shai‑Hulud 2.0 supply chain attack represents one of the most significant cloud-native ecosystem compromises observed recently. Attackers maliciously modified hundreds of publicly available packages, targeting developer environments, continuous integration and continuous delivery (CI/CD)...
Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability
On September 18, 2025, Fortra published a security advisory regarding a critical deserialization vulnerability in GoAnywhere MFT's License Servlet, which is tracked as CVE-2025-10035 and has a CVSS score of 10.0. The vulnerability could allow a threat actor with a validly forged license response...
Retail at risk: How one alert uncovered a persistent cyberthreat
In the latest edition of our Cyberattack Series, we dive into real-world cases targeting retail organizations. With 60% of retail companies reporting operational disruptions from cyberattacks and 43% experiencing security compromises in the past year, the risks for businesses continue to increase...
Dissecting PipeMagic: Inside the architecture of a modular backdoor framework
Among the plethora of advanced attacker tools that exemplify how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Deskto...
Connect with the security community at Microsoft Ignite 2025
In today’s AI-powered world, security professionals are facing unprecedented challenges—and opportunities. As generative AI reshapes the digital landscape, the need for robust, intelligent, and adaptive security strategies has never been more urgent. At Microsoft Ignite 2025, we will showcase...
Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats
Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been targeting embassies located in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. ApolloShadow has the...
14 secure coding tips: Learn from the experts at Microsoft Build
Hey friends! If you are a developer, you know that writing clean and efficient code is just the starting point. Now, with AI playing a bigger role, secure coding isn't just a 'nice-to-have'—it's a must. Whether you're building web apps, working on cloud services, or adding AI to your projects,...
Understanding the threat landscape for Kubernetes and containerized assets
The dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, presenting an opportunity for attackers to stay undetected. Microsoft Threat Intelligence has observed threat actors taking advantage of unsecured...
New innovations in Microsoft Purview for protected, AI-ready data
The Microsoft Fabric and Microsoft Purview teams are excited to be in Las Vegas from March 31 to April 2, 2025, for the second annual and highly anticipated Microsoft Fabric Community Conference. With more than 200 sessions, 13 focused tracks, 21 hands-on workshops, and two keynotes, attendees ca...
Women’s History Month: Why different perspectives in cybersecurity and AI matter more than ever before
This Women’s History Month serves as a crucial moment for us to lead and continue to pave the way for a more inclusive future. I am truly honored to support my amazing women colleagues who continue to excel in their careers and am grateful to have so many allies who have extended their hands to...