Select Page
Volt Typhoon targets US critical infrastructure with living-off-the-land techniques

Volt Typhoon targets US critical infrastructure with living-off-the-land techniques

Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China ... continue reading
Diagram of Mint Sandstorm attack chain examples

Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets

Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise ... continue reading

Bitlocker is not resuming after reboot count has been reached

Hi,   I'm Helmut Wagensonner, a Cloud Solution Architect Engineer at Microsoft. Recently, I ran into an unexpected Bitlocker behavior at a customer. It turned out that this behavior is on purpose so I thought I let you know about ... continue reading
msfoxworks_1-1679044850525.png

Change Configuration Manager Site Server OS – Side-by-Side Migration Reference

Hello!   My name is Herbert Fuchs and together with other members of the Customer Success Unit and the Customer Service & Support Organization we want to help our Customers with This Blog-Series. We gathered information and put our field ... continue reading
msfoxworks_1-1679043424671.png

Change Configuration Manager Site Server OS – High Availability Reference

Hello!   My name is Herbert Fuchs and together with other members of the Customer Success Unit and the Customer Service & Support Organization we want to help our Customers with This Blog-Series. We gathered information and put our field ... continue reading

How To Upgrade/Change the Operating System Which Hosts Microsoft Configuration Manager

Hello!   My name is Herbert Fuchs and together with other members of the Customer Success Unit and the Customer Service & Support Organization we want to help our Customers with This Blog-Series. We gathered information and put our field and ... continue reading
Screenshot of a BATLOADER landing site that poses as a TeamViewer website hosting a fake installer.

DEV-0569 finds new ways to deliver Royal ransomware, various payloads

Recent activity from the threat actor that Microsoft tracks as DEV-0569, known to distribute various payloads, has led to the deployment of the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors. Observed ... continue reading
A human-operated ransomware attack example highlighting C2 usage. The attacker begins with the initial access stage, followed by execution, the initial C2 connection, persistence, a beaconing C2 connection, a post-exploitation C2 connection that continues throughout the attack, leading to lateral movement, and the final impact stage.

Stopping C2 communications in human-operated ransomware through network protection

Command-and-control (C2) servers are an essential part of ransomware, commodity, and nation-state attacks. They are used to control infected devices and perform malicious activities like downloading and launching payloads, controlling botnets, or commanding post-exploitation penetration frameworks to breach an organization ... continue reading
DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector

DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector

In recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society. Shifting ransomware payloads over time from BlackCat, ... continue reading
Timeline of events for a recent ransomware incident.

Defenders beware: A case for post-ransomware investigations

Ransomware is one of the most pervasive threats that Microsoft Detection and Response Team (DART) responds to today. The groups behind these attacks continue to add sophistication to their tactics, techniques, and procedures (TTPs) as most network security postures increase ... continue reading