Select Page
A diagram of the attack chain. It presents the flow of activity from left to right, starting with the attacker gaining access to its target tenant and leading to spam messages being sent to targets.

Malicious OAuth applications used to compromise email servers and spread spam

Microsoft researchers recently investigated an attack where malicious OAuth applications were deployed on compromised cloud tenants and then used to control Exchange servers and spread spam. The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts ... continue reading
Diagram explaining the threat hunting cycle.

The art and science behind Microsoft threat hunting: Part 2

We discussed Microsoft Detection and Response Team’s (DART) threat hunting principles in part 1 of The art and science behind Microsoft threat hunting blog series. In this follow-up post, we will talk about some general hunting strategies, frameworks, tools, and ... continue reading
BrandonWilson_1-1662757157500.png

Check This Out! (CTO!) Guide (August 2022)

  Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.   These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we ... continue reading
Screenshot of a Sliver implant configuration data extracted from the process memory of a Sliver backdoor.

Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks

Microsoft has observed the Sliver command-and-control (C2) framework now being adopted and integrated in intrusion campaigns by nation-state threat actors, cybercrime groups directly supporting ransomware and extortion, and other threat actors to evade detection. We’ve seen these actors use Sliver ... continue reading
A screenshot of a LinkedIn profile identified for fraudulent behavior. The fake profile uses the name Westley Dyck, who allegedly identifies as a research assistant.

Disrupting SEABORGIUM’s ongoing phishing operations

The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely ... continue reading
BrandonWilson_20-1659625297384.png

CIS Tech Community-Check This Out! (CTO!) Guide (July 2022)

Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide. These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying ... continue reading
This flow diagram describes how Microsoft Defender Experts for Hunting can be split into three distinct steps. These are track, hunt, and analyze. These three steps form the basis of the service and allow Microsoft to proactively reveal the unseen threats impacting customers.

Microsoft Defender Experts for Hunting proactively hunts threats

Today, we announced the general availability of Microsoft Defender Experts for Hunting to support organizations and their cybersecurity employees with proactive threat hunting. Defender Experts for Hunting was created for customers who have a robust security operations center but want ... continue reading
Diagram containing icons and arrows illustrating the sequence of steps in an AiTM phishing campaign.

From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud

A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session ... continue reading
Network ATC on Azure Stack HCI

Network ATC on Azure Stack HCI

Update: Network ATC is now publicly available with Azure Stack HCI 21H2 As you may be aware, Microsoft announced the general availability of the Azure-connected Hyper-Converged Infrastructure, Azure Stack HCI. Previously Azure Stack HCI was built off Windows Server which ... continue reading
Diagram showing the relationship between players in the ransomware-as-a-service affiliate model. Access brokers compromise networks and persist on systems. The RaaS operator develops and maintain tools. The RaaS affiliate performs the attack.

Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself

Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal ... continue reading