Select Page
Structured threat hunting: One way Microsoft Threat Experts prioritizes customer defense

Structured threat hunting: One way Microsoft Threat Experts prioritizes customer defense

Today’s threat landscape is incredibly fast-paced. New campaigns surface all the time, and the amount of damage that they can cause is not always immediately apparent. Security operations centers (SOCs) must be equipped with the tools and insight to identify ... continue reading
Column chart showing number of notifications for 2019, 2020, and 2021

Iranian targeting of IT sector on the rise

Iranian threat actors are increasing attacks against IT services companies as a way to access their customers’ networks. This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and ... continue reading
Timeline showing dates, threat actor, and malware payload of ransomware attacks by Iranian threat actors

Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021

Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At CyberWarCon 2021, MSTIC analysts presented their analysis of these trends ... continue reading
Diagram showing how adaptive protection works

AI-driven adaptive protection against human-operated ransomware

In human-operated ransomware attacks, threat actors use predictable methods to enter a device but eventually rely on hands-on-keyboard activities to move inside a network. To fortify our existing cloud-delivered automated protection against complex attacks like human-operated ransomware, we developed a ... continue reading
Diagram showing typical attack chain of HTML smuggling

HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks

HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. Notably, this technique was ... continue reading
Screenshot of commands related to credential dumping

Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus

Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539 in a targeted campaign. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating ... continue reading
Screenshot of csrutil showing the SIP status

Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection

Microsoft has discovered a vulnerability that could allow an attacker to bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We also found a similar technique that could allow an attacker to elevate their privileges ... continue reading
Screenshot of HTML code showing zero-point font technique

Franken-phish: TodayZoo built from other phishing kits

A phishing kit built using pieces of code copied from other kits, some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers, provides rich insight into the state of the economy that ... continue reading

Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors

DEV-0343 is a new activity cluster that the Microsoft Threat Intelligence Center (MSTIC) first observed and began tracking in late July 2021. MSTIC has observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants, with a focus ... continue reading
Diagram showing structure of Microsoft.IdentityServer.ServiceHost.exe after loading version.dll

FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor

Microsoft continues to work with partners and customers to track and expand our knowledge of the threat actor we refer to as NOBELIUM, the actor behind the SUNBURST backdoor, TEARDROP malware, and related components. As we stated before, we suspect ... continue reading