Select Page
Code displaying drop_sip’s functionality

New macOS vulnerability, Migraine, could bypass System Integrity Protection

A new vulnerability, which we refer to as “Migraine” for its involvement with macOS migration, could allow an attacker with root access to automatically bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We shared ... continue reading
Volt Typhoon targets US critical infrastructure with living-off-the-land techniques

Volt Typhoon targets US critical infrastructure with living-off-the-land techniques

Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China ... continue reading
graphical user interface, application

Cyber Signals: Shifting tactics fuel surge in business email compromise

Today we released the fourth edition of Cyber Signals highlighting a surge in cybercriminal activity around business email compromise (BEC). Microsoft has observed a 38 percent increase in cybercrime as a service (CaaS) targeting business email between 2019 and 2022.1 ... continue reading
Diagram of Mint Sandstorm attack chain examples

Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets

Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise ... continue reading
Annotated screenshot of file information showing modification dates and file names matching BlackLotus-associated files.

Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign

This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. UEFI bootkits are particularly dangerous as they run ... continue reading

DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia

Microsoft Threat Intelligence analysts assess with high confidence that a threat group tracked by Microsoft as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream. QuaDream reportedly sells a platform they call REIGN to governments ... continue reading
Attack flow of the threat actor through initial access, execution, discovery, persistence, credential access, lateral movement, execution, impact, and communications stages.

MERCURY and DEV-1084: Destructive attack on hybrid environment

Microsoft Threat Intelligence has detected destructive operations enabled by MERCURY, a nation-state actor linked to the Iranian government, that attacked both on-premises and cloud environments. While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the ... continue reading
DevOps threat matrix table

DevOps threat matrix

The use of DevOps practices, which enable organizations to deliver software more quickly and efficiently, has been on the rise. This agile approach minimizes the time-to-market of new features and bug fixes. More and more companies are implementing DevOps services, ... continue reading

Latest Microsoft Entra advancements strengthen identity security

If you read behind the attention-grabbing headlines, most novel techniques rely on compromised identities.1 In fact, of all the ways an attacker can get into your digital estate, identity compromise is still the most common.2 This makes identity your first ... continue reading

Gain real-time identity protection with Microsoft and Recorded Future

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.  You’ve implemented multifactor authentication for access to your enterprise network. But what if multifactor authentication isn’t as foolproof as you’re hoping? Are you comfortable ... continue reading