
1515 matches found

Microsoft Secure
added 2026/01/22 5:14 a.m., 4 views

Resurgence of a multi‑stage AiTM phishing and BEC campaign abusing SharePoint

Microsoft Defender Researchers uncovered a multi‑stage adversary‑in‑the‑middle (AiTM) phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector, resulting in the compromise of various user accounts. The campaign abused SharePoint file‑sharing services...

5.7 AI score
Exploits: 0
Microsoft Secure
added 2026/01/21 2:33 p.m., 4 views

A new era of agents, a new era of posture

The rise of AI Agents marks one of the most exciting shifts in technology today. Unlike traditional applications or cloud resources, these agents are not passive components; they reason, make decisions, invoke tools, and interact with other agents and systems on behalf of users. This autonomy...

5.8 AI score
Exploits: 0
Microsoft Secure
added 2026/01/20 5:0 p.m., 4 views

Four priorities for AI-powered identity and network access security in 2026

No doubt, your organization has been hard at work over the past several years implementing industry best practices, including a Zero Trust architecture. But even so, the cybersecurity race only continues to intensify. AI has quickly become a powerful tool misused by threat actors, who use it to...

5.8 AI score
Exploits: 0
Microsoft Secure
added 2026/01/14 3:3 p.m., 4 views

Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations

Over the past year, Microsoft Threat Intelligence observed the proliferation of RedVDS, a virtual dedicated server (VDS) provider used by multiple financially motivated threat actors to commit business email compromise (BEC), mass phishing, account takeover, and financial fraud. Microsoft’s...

6 AI score
Exploits: 0
Microsoft Secure
added 2025/12/11 5:0 p.m., 4 views

Imposter for hire: How fake people can gain very real access

In the latest edition of our Cyberattack Series, we dive into a real-world case of fake employees. Cybercriminals are no longer just breaking into networks—they’re gaining access by posing as legitimate employees. This form of cyberattack involves operatives posing as legitimate remote hires,...

6.9 AI score
Exploits: 0
Microsoft Secure
added 2025/12/09 5:0 p.m., 4 views

Changing the physics of cyber defense

The Deputy CISO blog series is where Microsoft Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start and stop deploying, forward-looking commentary on where the...

6.9 AI score
Exploits: 0
Microsoft Secure
added 2025/12/04 5:0 p.m., 4 views

Cybersecurity strategies to prioritize now

The Deputy CISO blog series is where Microsoft Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start and stop deploying, forward-looking commentary on where the...

6.8 AI score
Exploits: 0
Microsoft Secure
added 2025/12/02 5:0 p.m., 4 views

How to build forward-thinking cybersecurity teams for tomorrow

We are witnessing something unprecedented in cybersecurity: the democratization of advanced cyberattack capabilities. What once required nation-state resources (sophisticated social engineering, polymorphic malware, coordinated infrastructure) now fits in a prompt window. AI is no longer a futurist...

7 AI score
Exploits: 0
Microsoft Secure
added 2025/11/18 4:0 p.m., 4 views

Ambient and autonomous security for the agentic era

Over the past year, I've had countless conversations with customers who are striving to unlock human ambition with AI. They are on their journey to become Frontier Firms, where humans and agents push the boundaries of innovation and create new possibilities, empowering humans to become limitless...

6.8 AI score
Exploits: 0
Microsoft Secure
added 2025/11/06 5:0 p.m., 4 views

New IDC research highlights a major cloud security shift

Cloud security is at a tipping point. While moving to the cloud powers both growth and speed for organizations, it can also bring new risks. According to IDC’s latest research, organizations experienced an average of nine cloud security incidents in 2024, with 89% reporting a year-over-year...

6.8 AI score
Exploits: 0
Microsoft Secure
added 2025/11/04 5:0 p.m., 4 views

Learn what generative AI can do for your security operations center

The busier security teams get, the harder it can be to understand the full impact of false positives, queue clutter, tool fragmentation, and more. But what is clear—it all adds up to increased fatigue and an increased potential to miss the cyberthreats that matter most. To help security teams...

6.9 AI score
Exploits: 0
Microsoft Secure
added 2025/10/23 4:0 p.m., 4 views

Harden your identity defense with improved protection, deeper correlation, and richer context

In today’s digital-first enterprise, identities have become the new corporate security perimeter. Hybrid work and cloud-first strategies have dissolved traditional network boundaries and dramatically increased the complexity of identity fabrics. Security teams are left managing a constellation of...

6.4 AI score
Exploits: 0
Microsoft Secure
added 2025/10/21 4:0 p.m., 4 views

The new Microsoft Security Store unites partners and innovation

On September 30, 2025, Microsoft announced a bold new vision for security: a unified, AI-powered platform designed to help organizations defend against today’s most sophisticated cyberthreats. But an equally important story—one that’s just beginning to unfold—is how the Microsoft Security Store i...

6.4 AI score
Exploits: 0
Microsoft Secure
added 2025/10/16 6:0 p.m., 4 views

Microsoft named a Leader in the 2025 Gartner® Magic Quadrant™ for SIEM

We’re honored to share that Microsoft has again been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM). We believe this recognition reinforces Microsoft Sentinel's position as an industry-leading, cloud and AI-powered SIEM—designed to...

7 AI score
Exploits: 0
Microsoft Secure
added 2025/10/09 3:0 p.m., 4 views

Investigating targeted “payroll pirate” attacks affecting US universities

Microsoft Threat Intelligence has observed a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. These types of attacks have been dubbed “payroll...

6.7 AI score
Exploits: 0
Microsoft Secure
added 2025/10/07 5:0 p.m., 4 views

Disrupting threats targeting Microsoft Teams

The extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors. Threat actors abuse its core capabilities – messaging (chat), calls and meetings, and video-based screen-sharing – at different points along th...

7.4 AI score
Exploits: 0
Microsoft Secure
added 2025/10/07 4:0 p.m., 4 views

New Microsoft Secure Future Initiative (SFI) patterns and practices: Practical guides to strengthen security

Building on the momentum of our initial launch of the Microsoft Secure Future Initiative (SFI) patterns and practices, this second installment continues our commitment to making security implementation practical and scalable. The first release introduced a foundational library of actionable guidanc...

7.2 AI score
Exploits: 0
Microsoft Secure
added 2025/09/25 3:47 p.m., 4 views

Introducing Microsoft Marketplace — Thousands of solutions. Millions of customers. One Marketplace.

A new breed of industry-leading company is taking shape — Frontier Firms. These organizations blend human ambition with AI-powered technology to reshape how innovation is scaled, work is orchestrated and value is created. They’re accelerating AI transformation to enrich employee experiences,...

6.7 AI score
Exploits: 0
Microsoft Secure
added 2025/09/16 4:0 p.m., 4 views

Microsoft Purview innovations for your Fabric data: Unify data security and governance for the AI era

The Microsoft Fabric and Purview teams are thrilled to participate in the European Microsoft Fabric Community Conference September 15-18, 2025, in Vienna, Austria. This event is Microsoft’s largest tech conference in Europe, where data professionals gather to connect and share insights on data,...

6.3 AI score
Exploits: 0
Microsoft Secure
added 2025/08/26 4:0 p.m., 4 views

Securing and governing the rise of autonomous agents

In this blog, you will hear directly from Corporate Vice President and Deputy Chief Information Security Officer (CISO) for Identity, Igor Sakhnov, about how to secure and govern autonomous agents. This blog is part of a new ongoing series where our Deputy CISOs share their thoughts on what is most...

7.5 AI score
Exploits: 0
Microsoft Secure
added 2025/08/12 4:0 p.m., 4 views

Dow’s 125-year legacy: Innovating with AI to secure a long future

Founded more than 125 years ago, Dow has demonstrated a commitment to leveraging science to make the world a better place. Today, Dow’s ambition to be the most innovative, inclusive, and sustainable materials science company is supported by a global security team dedicated to keeping employees,...

6.9 AI score
Exploits: 0
Microsoft Secure
added 2025/07/16 4:0 p.m., 4 views

Protecting customers from Octo Tempest attacks across multiple industries

In recent weeks, Microsoft has observed Octo Tempest, also known as Scattered Spider, impacting the airlines sector, following previous activity impacting retail, food services, hospitality organizations, and insurance between April and July 2025. This aligns with Octo Tempest’s typical patterns ...

7.8 AI score
Exploits: 0
Microsoft Secure
added 2025/07/14 4:0 p.m., 4 views

Improving IT efficiency with Microsoft Security Copilot in Microsoft Intune and Microsoft Entra

When Microsoft introduced Microsoft Security Copilot last year, our vision was to empower organizations with generative AI that helps security and IT teams simplify operations and respond faster. Since then, we’ve continuously innovated and learned alongside our customers. They consistently tell ...

7.3 AI score
Exploits: 0
Microsoft Secure
added 2025/06/27 6:30 p.m., 4 views

Unveiling RIFT: Enhancing Rust malware analysis through pattern matching

Today, Microsoft Threat Intelligence Center is excited to announce the release of RIFT, a tool designed to assist malware analysts automate the identification of attacker-written code within Rust binaries. Known for its efficiency, type safety, and robust memory safety, Rust has increasingly...

7 AI score
Exploits: 0
Microsoft Secure
added 2025/06/24 4:0 p.m., 4 views

Microsoft is named a Leader in The Forrester Wave™: Security Analytics Platforms, 2025

Microsoft is proud to be named a Leader in The Forrester Wave™: Security Analytics Platforms, Q2 2025—which we believe reflects our deep investment in innovation and commitment to support security operations centers’ (SOCs’) critical mission. This...

7 AI score
Exploits: 0
Microsoft Secure
added yesterday, 3 views

AI brands as bait: How threat actors are using the AI hype in social engineering

In this article 1. ChatGPT-themed lure leads to phishing kit collecting credit card data 2. Claude-themed phishing campaign collected credentials and access tokens 3. “Awesome AI Windows Plugin” malvertising deploys Vidar stealer 4. Fake DeepSeek V4 installers on GitHub delivered Vidar Stealer 5...

5.6 AI score
Exploits: 0
Microsoft Secure
added 2026/05/06 3:20 p.m., 3 views

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

In this article 1. Activity overview 2. Mitigation and protection guidance 3. Hunting queries 4. Indicators of compromise Microsoft researchers continue to observe the evolution of an infostealer campaign distributing ClickFix‑style instructions and targeting macOS users. In this recent iteration...

6.3 AI score
Exploits: 0
Microsoft Secure
added 2026/04/30 4:0 p.m., 3 views

What’s new, updated, or recently released in Microsoft Security

New capabilities in Microsoft Agent 365; new Microsoft Defender and GitHub integration At Microsoft, security innovations are purpose-built to help every organization protect end-to-end with the speed and scale of AI. Our vision is simple: security should be ambient and autonomous, just like the ...

5.9 AI score
Exploits: 0
Microsoft Secure
added 2026/04/30 3:0 p.m., 3 views

Email threat landscape: Q1 2026 trends and insights

In this article 1. Tycoon2FA disruption impact 2. QR code phishing attacks 3. CAPTCHA tactics 4. Malicious payloads 5. Business email compromise 6. Defending against email threats 7. Microsoft Defender detections During the first quarter of 2026 (January-March), Microsoft Threat Intelligence detect...

6.1 AI score
Exploits: 0
Microsoft Secure
added 2026/04/29 4:0 p.m., 3 views

8 best practices for CISOs conducting risk reviews

The Deputy CISO blog series is where Microsoft Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start and stop deploying, forward-looking commentary on where the...

5.7 AI score
Exploits: 0
Microsoft Secure
added 2026/04/17 2:51 p.m., 3 views

Containing a domain compromise: How predictive shielding shut down lateral movement

In this article 1. Predictive shielding overview 2. Attack chain overview 3. How predictive shielding changed the outcome 4. MITRE ATT&CK® techniques observed 5. Learn more In identity-based attack campaigns, any initial access activity can turn an already serious intrusion into a critical incide...

6 AI score
Exploits: 0
Microsoft Secure
added 2026/04/16 4:0 p.m., 3 views

Building your cryptographic inventory: A customer strategy for cryptographic posture management

Post-quantum cryptography (PQC) is coming—and for most organizations, the hardest part won’t be choosing new algorithms. It will be finding where cryptography is used today across applications, infrastructure, devices, and services so teams can plan, prioritize, and modernize with confidence. At...

6 AI score
Exploits: 0
Microsoft Secure
added 2026/04/15 4:0 p.m., 3 views

Incident response for AI: Same fire, different fuel

In this article 1. The fundamentals still hold 2. Where AI changes the equation 3. Closing the gaps in telemetry, tooling, and response 4. The human dimension 5. Looking ahead When a traditional security incident hits, responders replay what happened. They trace a known code path, find the defect...

5.7 AI score
Exploits: 0
Microsoft Secure
added 2026/04/07 2:0 p.m., 3 views

SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks

In this article 1. DNS hijacking attack chain: From compromised devices to AiTM and other follow-on activity 2. Mitigation and protection guidance 3. Microsoft Defender detection and hunting guidance Executive summary Forest Blizzard, a threat actor linked to the Russian military, has been...

5.8 AI score
Exploits: 0
Microsoft Secure
added 2026/04/06 4:34 p.m., 3 views

Inside an AI‑enabled device code phishing campaign

In this article 1. Attack chain overview 2. Mitigation and protection guidance 3. Indicators of compromise (IOC) 4. References 5. Learn more Microsoft Defender Security Research has observed a widespread phishing campaign leveraging the device code authentication flow to compromise organizational...

5.8 AI score
Exploits: 0
Microsoft Secure
added 2026/03/31 4:0 p.m., 3 views

Applying security fundamentals to AI: Practical advice for CISOs

What to know about the era of AI: The first thing to know is that AI isn’t magic. The best way to think about how to effectively use and secure a modern AI system is to imagine it like a very new, very junior person. It’s very smart and eager to help but can also be extremely unintelligent. Like a...

5.9 AI score
Exploits: 0
Microsoft Secure
added 2026/03/30 4:0 p.m., 3 views

Addressing the OWASP Top 10 Risks in Agentic AI with Microsoft Copilot Studio

Agentic AI is moving fast from pilots to production. That shift changes the security conversation. These systems do not just generate content. They can retrieve sensitive data, invoke tools, and take action using real identities and permissions. When something goes wrong, the failure is not limit...

6.5 AI score
Exploits: 0
Microsoft Secure
added 2026/03/25 4:0 p.m., 3 views

Identity security is the new pressure point for modern cyberattacks

Identity attacks no longer hinge on who a cyberattacker compromises, but on what that identity can access. As organizations manage growing numbers of human, non-human, and agentic identities, their access fabric multiplies across apps, resources, and environments, which increases both operational...

5.8 AI score
Exploits: 0
Microsoft Secure
added 2026/03/23 4:0 p.m., 3 views

Case study: How predictive shielding in Defender stopped GPO-based ransomware before it started

In this article 1. The growing threat: GPO abuse in ransomware operations 2. The incident 3. The results 4. The hardening dilemma: Why threat actors love operational mechanisms 5. Predictive shielding: Contextual, just-in-time hardening 6. Closing the gap 7. References Summary Microsoft Defender...

6.2 AI score
Exploits: 0
Microsoft Secure
added 2026/03/19 3:0 p.m., 3 views

When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures

In this article 1. A wide range of tax-themed campaigns 2. How to protect users and organization against tax-themed campaigns 3. Microsoft Defender detection and hunting guidance 4. Indicators of compromise During tax season, threat actors reliably take advantage of the urgency and familiarity of...

6 AI score
Exploits: 0
Microsoft Secure
added 2026/03/16 4:0 p.m., 3 views

Help on the line: How a Microsoft Teams support call led to compromise

In our eighth Cyberattack Series report, Microsoft Incident Response—the Detection and Response Team (DART)—investigates a recent identity-first, human-operated intrusion that relied less on exploiting software vulnerabilities and more on deception and legitimate tools. After a customer reached out...

6.2 AI score
Exploits: 0
Microsoft Secure
added 2026/03/12 5:0 p.m., 3 views

Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft

In this article 1. From search to stolen credentials: Storm-2561 attack chain 2. Defending against credential theft campaigns 3. Microsoft Defender detection and hunting guidance 4. Indicators of compromise In mid-January 2026, Microsoft Defender Experts identified a credential theft campaign tha...

5.9 AI score
Exploits: 0
Microsoft Secure
added 2026/03/06 5:0 p.m., 3 views

AI as tradecraft: How threat actors operationalize AI

In this article 1. AI as an enabler for cyberattacks 2. Post-compromise misuse of AI 3. Emerging trends 4. Mitigation guidance for AI-enabled threats 5. Microsoft Defender detections Threat actors are operationalizing AI along the cyberattack lifecycle to accelerate tradecraft, abusing both...

9.3 CVSS, 6 AI score, 0.93596 EPSS
Exploits: 61
Microsoft Secure
added 2026/03/05 4:2 p.m., 3 views

Malicious AI Assistant Extensions Harvest LLM Chat Histories

Microsoft Defender has been investigating reports of malicious Chromium‑based browser extensions that impersonate legitimate AI assistant tools to harvest LLM chat histories and browsing data. Reporting indicates these extensions have reached approximately 900,000 installs. Microsoft Defender...

6 AI score
Exploits: 0
Microsoft Secure
added 2026/03/03 9:11 p.m., 3 views

Signed malware impersonating workplace apps deploys RMM backdoors

In February 2026, Microsoft Defender Experts identified multiple phishing campaigns attributed to an unknown threat actor. The campaigns used workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. Phishing emails directed users to download malicious...

6 AI score
Exploits: 0
Microsoft Secure
added 2026/02/26 5:4 p.m., 3 views

Threat modeling AI applications

Proactively identifying, assessing, and addressing risk in AI systems. We cannot anticipate every misuse or emergent behavior in AI systems. We can, however, identify what can go wrong, assess how bad it could be, and design systems that help reduce the likelihood or impact of those failure modes...

5.8 AI score
Exploits: 0
Microsoft Secure
added 2026/02/19 5:0 p.m., 3 views

New e-book: Establishing a proactive defense with Microsoft Security Exposure Management

Effective exposure management begins by illuminating and hardening risks across the entire attack surface. Some of the most meaningful shifts in security happen quietly—when teams take a clear look at their exposure landscape and acknowledge the gap between where they stand today and where they...

5.7 AI score
Exploits: 0
Microsoft Secure
added 2026/02/19 4:27 p.m., 3 views

Running OpenClaw safely: identity, isolation, and runtime risk

Self-hosted agent runtimes like OpenClaw are showing up fast in enterprise pilots, and they introduce a blunt reality: OpenClaw includes limited built-in security controls. The runtime can ingest untrusted text, download and execute skills (i.e. code) from external sources, and perform actions usin...

6.4 AI score
Exploits: 0
Total number of security vulnerabilities: 1515