Select Page
Diagram of the attacks using Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082

Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082

October 1, 2022 update – Added information about Exploit:Script/ExchgProxyRequest.A, Microsoft Defender AV’s robust detection for exploit behavior related to this threat. We also removed a section on MFA as a mitigation, which was included in a prior version of this ... continue reading
Attack chain diagram of ZINC campaign showing steps and related activities

ZINC weaponizing open-source software

In recent months, Microsoft has detected a wide range of social engineering campaigns using weaponized legitimate open-source software by an actor we track as ZINC. Microsoft Threat Intelligence Center (MSTIC) observed activity targeting employees in organizations across multiple industries including ... continue reading
A diagram of the attack chain. It presents the flow of activity from left to right, starting with the attacker gaining access to its target tenant and leading to spam messages being sent to targets.

Malicious OAuth applications used to compromise email servers and spread spam

Microsoft researchers recently investigated an attack where malicious OAuth applications were deployed on compromised cloud tenants and then used to control Exchange servers and spread spam. The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts ... continue reading
This diagram illustrates the typical infection chain of this Android malware. The infection starts from an SMS message that contains a malicious link that leads to the malicious APK.

Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices

Our analysis of a recent version of a previously reported info-stealing Android malware, delivered through an ongoing SMS campaign, demonstrates the continuous evolution of mobile threats. Masquerading as a banking rewards app, this new version has additional remote access trojan ... continue reading

New Windows 11 security features are designed for hybrid work

Attackers are constantly evolving, becoming increasingly sophisticated and destructive—the median time for an attacker to access your private data if you fall victim to a phishing email is 1 hour, 12 minutes.1 Microsoft tracks more than 35 ransomware families and ... continue reading
Two graphs showing that 39 percent of incidents were detected by Microsoft Defender for Cloud, while 23 percent were detected by Microsoft Sentinel.

Secure your endpoints with Transparity and Microsoft

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.  Endpoint protection platforms (EPPs) are dead and no longer sufficient to protect your organization, right? Wrong. When it comes to cybersecurity, the ... continue reading
An organizational chart of the different threat actors that worked together in attacking the Albanian government. The top level mentions Iran's Ministry of Intelligence and Security as the sponsor organization. A table on the left side lists down the threat actor group names and their corresponding aliases.

Microsoft investigates Iranian attacks against the Albanian government

Shortly after the destructive cyberattacks against the Albanian government in mid-July, the Microsoft Detection and Response Team (DART) was engaged by the Albanian government to lead an investigation into the attacks. At the time of the attacks and our engagement ... continue reading
Infection chain describing the usual tactics and techniques used by DEV-0270 actor group.

Profiling DEV-0270: PHOSPHORUS’ ransomware operations

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including ... continue reading

Cyber Signals: 3 strategies for protection against ransomware

The “as a service” business model has gained widespread popularity as growing cloud adoption has made it possible for people to access important services through third-party providers. Given the convenience and agility of service offerings, perhaps it shouldn’t be surprising ... continue reading
MERCURY attack chain throughout the initial access, execution, discovery, persistence, credential theft, lateral movement, and communications stages.

MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations

In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel. MSTIC assesses with high confidence ... continue reading