Screenshot of a section of a configuration file.

MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone

Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments. NOBELIUM remains highly active, executing multiple campaigns in parallel targeting government ... continue reading

Password Expiry Notification Using Teams and Graph API

Q: How do I send a password expiration notification to a user using Teams chat? A: Not only can you send the password notification, but you can use PowerShell with the Teams Graph API to send any message to a ... continue reading

Industrial systems: What it takes to secure and staff them

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with ... continue reading
Diagram of the use of Azure Arc to enable Azure AD authentication for SQL Server 2022.

Azure Active Directory authentication for SQL Server 2022

Part of the SQL Server 2022 blog series. Azure Active Directory (Azure AD) authentication is now supported for SQL Server 2022 preview on-premises for Windows and Linux Operating Systems. Azure AD Authentication methods The new functionality extends existing authentication modes, such as SQL ... continue reading

Enterprise Scale for Azure VMware Solution – Identity and Access

I had the pleasure of talking with Xavier Elizondo where he went over identity and access in Azure VMware Solution. Watch below! Important things to note for Azure VMware Solution AVS has the control plane in Azure that is managed ... continue reading
A screenshot of the digital signature details tab from the file properties page. The tab states that the digital signature for the file is OK. The name indicated under the signer information portion is DSIRF GmbH.

Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a private-sector offensive actor (PSOA) using multiple Windows and Adobe 0-day exploits, including one for the recently patched CVE-2022-22047, in limited and targeted attacks against European ... continue reading

Check out new Azure AD Certificate-Based Authentication (CBA) enhancements

In February 2022, we made an announcement of the public preview of Azure AD Certificate-Based Authentication as a part of Microsoft’s commitment to Executive Order 14028, Improving the Nation’s Cybersecurity. The public preview process gives us the opportunity to get great feedback ... continue reading

SCOM MP for M365 – V3 (now GA)

Update on July 20, 2022 CTP is now GA. No changes for users who have installed CTP in their environment. Users on V1/V2, follow instructions highlighted in MP guide to update. We are back with the latest version of ... continue reading

DNS over TLS available to Windows Insiders

Credit and thanks to Alex Jercaianu, Matthew Cox, Miguel Reyes Badilla, and Milan Justel for implementation work. DNS over TLS (DoT) is an alternative encrypted DNS protocol to DNS over HTTPS (DoH). Where DoH treats DNS traffic as one more ... continue reading
Diagram containing icons and arrows illustrating the sequence of steps in an AiTM phishing campaign.

From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud

A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session ... continue reading