Select Page
A diagram of the attack chain. It presents the flow of activity from left to right, starting with the attacker gaining access to its target tenant and leading to spam messages being sent to targets.

Malicious OAuth applications used to compromise email servers and spread spam

Microsoft researchers recently investigated an attack where malicious OAuth applications were deployed on compromised cloud tenants and then used to control Exchange servers and spread spam. The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts ... continue reading
An organizational chart of the different threat actors that worked together in attacking the Albanian government. The top level mentions Iran's Ministry of Intelligence and Security as the sponsor organization. A table on the left side lists down the threat actor group names and their corresponding aliases.

Microsoft investigates Iranian attacks against the Albanian government

Shortly after the destructive cyberattacks against the Albanian government in mid-July, the Microsoft Detection and Response Team (DART) was engaged by the Albanian government to lead an investigation into the attacks. At the time of the attacks and our engagement ... continue reading
fbinotto_0-1662504725093.png

Fun with Azure VPN

Introduction   Hi folks! My name is Felipe Binotto, Cloud Solution Architect, based in Australia. I decided to make this post for a couple reasons. The first reason is to demonstrate how you can quickly build a hub between your ... continue reading
One step closer to modernization: The MFA Server Migration Utility

One step closer to modernization: The MFA Server Migration Utility

Hi folks!  We are always working to keep maximize your security and productivity. We focus on solutions to make modernization as easy as possible. As customers work towards modernizing security by adopting Azure AD, they have told us they need ... continue reading
MERCURY attack chain throughout the initial access, execution, discovery, persistence, credential theft, lateral movement, and communications stages.

MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations

In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel. MSTIC assesses with high confidence ... continue reading
Screenshot of a section of a configuration file.

MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone

Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments. NOBELIUM remains highly active, executing multiple campaigns in parallel targeting government ... continue reading
Screenshot of a Sliver implant configuration data extracted from the process memory of a Sliver backdoor.

Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks

Microsoft has observed the Sliver command-and-control (C2) framework now being adopted and integrated in intrusion campaigns by nation-state threat actors, cybercrime groups directly supporting ransomware and extortion, and other threat actors to evade detection. We’ve seen these actors use Sliver ... continue reading

Cyber Signals: Defend against the new ransomware landscape

Today, Microsoft is excited to publish our second edition of Cyber Signals, spotlighting security trends and insights gathered from Microsoft’s 43 trillion security signals and 8,500 security experts. In this edition, we pull back the curtain on the evolving cybercrime ... continue reading
A screenshot of a LinkedIn profile identified for fraudulent behavior. The fake profile uses the name Westley Dyck, who allegedly identifies as a research assistant.

Disrupting SEABORGIUM’s ongoing phishing operations

The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely ... continue reading
Passwordless is here and at scale

Passwordless is here and at scale

Hi everyone, I’m Sue, the VP of Identity’s Customer & Partner Success team, and I love having the opportunity to share stories from real customers via this blog series. We've designed this collection of stories from real customers that have ... continue reading