
Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China ... continue reading

Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets
Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise ... continue reading
Bitlocker is not resuming after reboot count has been reached
Hi, I'm Helmut Wagensonner, a Cloud Solution Architect Engineer at Microsoft. Recently, I ran into an unexpected Bitlocker behavior at a customer. It turned out that this behavior is on purpose so I thought I let you know about ... continue reading
Change Configuration Manager Site Server OS – Side-by-Side Migration Reference
Hello! My name is Herbert Fuchs and together with other members of the Customer Success Unit and the Customer Service & Support Organization we want to help our Customers with This Blog-Series. We gathered information and put our field ... continue reading
Change Configuration Manager Site Server OS – High Availability Reference
Hello! My name is Herbert Fuchs and together with other members of the Customer Success Unit and the Customer Service & Support Organization we want to help our Customers with This Blog-Series. We gathered information and put our field ... continue reading
How To Upgrade/Change the Operating System Which Hosts Microsoft Configuration Manager
Hello! My name is Herbert Fuchs and together with other members of the Customer Success Unit and the Customer Service & Support Organization we want to help our Customers with This Blog-Series. We gathered information and put our field and ... continue reading

DEV-0569 finds new ways to deliver Royal ransomware, various payloads
Recent activity from the threat actor that Microsoft tracks as DEV-0569, known to distribute various payloads, has led to the deployment of the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors. Observed ... continue reading

Stopping C2 communications in human-operated ransomware through network protection
Command-and-control (C2) servers are an essential part of ransomware, commodity, and nation-state attacks. They are used to control infected devices and perform malicious activities like downloading and launching payloads, controlling botnets, or commanding post-exploitation penetration frameworks to breach an organization ... continue reading

DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector
In recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society. Shifting ransomware payloads over time from BlackCat, ... continue reading

Defenders beware: A case for post-ransomware investigations
Ransomware is one of the most pervasive threats that Microsoft Detection and Response Team (DART) responds to today. The groups behind these attacks continue to add sophistication to their tactics, techniques, and procedures (TTPs) as most network security postures increase ... continue reading