Microsoft Threat Intelligence Profile
Microsoft Threat Intelligence

@MsftSecIntel

Followers
184,538
Following
1,053
Media
688
Statuses
5,336

We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

Redmond, WA
Joined November 2010
@MsftSecIntel
Microsoft Threat Intelligence
11 months
Microsoft has taken steps to disrupt and mitigate a widespread campaign by the Russian nation-state threat actor Midnight Blizzard targeting TeamCity servers using the publicly available exploit for CVE-2023-42793.
65
710
2K
@MsftSecIntel
Microsoft Threat Intelligence
3 years
Microsoft identified a unique destructive malware operated by an actor tracked as DEV-0586 targeting Ukrainian organizations. Observed activity, TTPs, and IOCs shared in this new MSTIC blog. We'll update the blog as our investigation unfolds.
62
1K
2K
@MsftSecIntel
Microsoft Threat Intelligence
3 months
Microsoft has uncovered a vulnerability in ESXi hypervisors, identified as CVE-2024-37085, being exploited by threat actors to obtain full administrative permissions on domain-joined ESXi hypervisors and encrypt critical servers in ransomware attacks.
27
486
1K
@MsftSecIntel
Microsoft Threat Intelligence
4 years
We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry.
21
760
1K
@MsftSecIntel
Microsoft Threat Intelligence
3 months
The Microsoft Threat Analysis Center (MTAC) shares intelligence about Iranian actors laying the groundwork for influence operations aimed at US audiences and potentially seeking to impact the 2024 US presidential election:
51
409
1K
@MsftSecIntel
Microsoft Threat Intelligence
2 years
Microsoft recently observed a campaign targeting SQL servers that, like many attacks, uses brute force methods for initial compromise. What makes this campaign stand out is its use of the in-box utility sqlps.exe.
5
380
986
@MsftSecIntel
Microsoft Threat Intelligence
3 years
Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP, GoldMax, and other related components.
10
619
961
@MsftSecIntel
Microsoft Threat Intelligence
5 years
The 404 Not Found page tells you that you’ve hit a broken or dead link – except when it doesn’t. Phishers are using malicious custom 404 pages to serve phishing sites. A phishing campaign targeting Microsoft uses such a technique, giving phishers virtually unlimited phishing URLs.
16
348
879
@MsftSecIntel
Microsoft Threat Intelligence
1 year
Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.
8
354
919
@MsftSecIntel
Microsoft Threat Intelligence
2 years
Microsoft Security Threat Intelligence teams have published additional analysis on observed exploitation of Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 with security product mitigations and detections to help protect against further attacks
29
504
853
@MsftSecIntel
Microsoft Threat Intelligence
4 years
Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.
7
564
828
@MsftSecIntel
Microsoft Threat Intelligence
1 year
Microsoft has discovered exploitation of a 0-day vulnerability in the SysAid IT support software in limited attacks by Lace Tempest, a threat actor that distributes Clop ransomware. Microsoft notified SysAid about the issue (CVE-2023-47246), which they immediately patched.
10
308
819
@MsftSecIntel
Microsoft Threat Intelligence
3 years
We just rolled out a new consolidated #Log4j dashboard for threat and vulnerability management in the Microsoft 365 Defender portal to help customers identify and remediate files, software, and devices exposed to the Log4j vulnerabilities.
9
378
823
@MsftSecIntel
Microsoft Threat Intelligence
3 years
Microsoft is tracking threats taking advantage of the CVE-2021-44228 remote code execution (RCE) vulnerability in Apache Log4j 2 ("Log4Shell"). Get technical info and guidance for preventing, detecting, and hunting for related attacks:
9
454
804
@MsftSecIntel
Microsoft Threat Intelligence
1 year
Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims.
10
397
795
@MsftSecIntel
Microsoft Threat Intelligence
1 year
Microsoft has detected increased credential attack activity by the threat actor Midnight Blizzard using residential proxy services to obfuscate the source of their attacks. These attacks target governments, IT service providers, NGOs, defense industry, and critical manufacturing.
4
339
766
@MsftSecIntel
Microsoft Threat Intelligence
4 years
Microsoft has released a new, one-click mitigation tool, the Microsoft Exchange On-Premises Mitigation Tool, to help customers who do not have dedicated security or IT teams to apply security updates for Microsoft Exchange Server. Learn more:
14
456
728
@MsftSecIntel
Microsoft Threat Intelligence
4 years
Here's our analysis of the compromised DLL that led to the Solorigate attack. While the extent of the compromise is being investigated, we want to continue providing the defender community with intel, remediation guidance, and protections we have built:
17
389
720
@MsftSecIntel
Microsoft Threat Intelligence
4 years
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM.
14
599
716
@MsftSecIntel
Microsoft Threat Intelligence
3 years
New blog post: Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability
3
347
704
@MsftSecIntel
Microsoft Threat Intelligence
5 years
While we currently see only coin miners being dropped, we agree w/ the research community that CVE-2019-0708 (BlueKeep) exploitation can be big. Locate and patch exposed RDP services now. Read our latest blog w/ assist from @GossiTheDog & @MalwareTechBlog
2
436
687
@MsftSecIntel
Microsoft Threat Intelligence
11 months
Microsoft has identified a Russian-based nation-state threat actor tracked as Forest Blizzard (STRONTIUM, APT28, FANCYBEAR) actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers:
6
306
680
@MsftSecIntel
Microsoft Threat Intelligence
4 years
We’re seeing more activity leveraging the CVE-2020-1472 exploit (ZeroLogon). A new campaign shrewdly poses as software updates that connect to known CHIMBORAZO (TA505) C2 infrastructure. The fake updates lead to UAC bypass and use of wscript.exe to run malicious scripts.
10
401
674
@MsftSecIntel
Microsoft Threat Intelligence
5 years
We are very proud to share that Microsoft was named a Leader in the 2019 Gartner Magic Quadrant for Endpoint Protection Platforms and positioned highest in execution
9
145
648
@MsftSecIntel
Microsoft Threat Intelligence
3 years
We have observed a China-based ransomware operator that we’re tracking as DEV-0401 exploiting the CVE-2021-44228 vulnerability in Log4j 2 (aka #log4shell) targeting internet-facing systems running VMWare Horizon.
12
381
655
@MsftSecIntel
Microsoft Threat Intelligence
5 years
Multiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April.
8
314
636
@MsftSecIntel
Microsoft Threat Intelligence
11 months
Microsoft has detected Danabot (Storm-1044) infections leading to hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of Cactus ransomware. In this campaign, Danabot is distributed via malvertising.
7
218
628
@MsftSecIntel
Microsoft Threat Intelligence
2 months
Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution. Our assessment of ongoing analysis and observed infrastructure attributes this activity to Citrine Sleet.
25
258
611
@MsftSecIntel
Microsoft Threat Intelligence
3 years
Microsoft found a vulnerability (CVE-2021-30892) that could allow an attacker to bypass System Integrity Protection (SIP) in macOS. We shared our findings with Apple via coordinated vulnerability disclosure, and a fix was released October 26. Get details:
5
275
596
@MsftSecIntel
Microsoft Threat Intelligence
11 months
Microsoft has identified new Qakbot phishing campaigns following the August 2023 law enforcement disruption operation. The campaign began on December 11, was low in volume, and targeted the hospitality industry. Targets received a PDF from a user masquerading as an IRS employee.
6
249
596
@MsftSecIntel
Microsoft Threat Intelligence
1 year
Volt Typhoon, a Chinese state-sponsored actor, uses living-off-the-land (LotL) and hands-on-keyboard TTPs to evade detection and persist in an espionage campaign targeting critical infrastructure organizations in Guam and the rest of the United States.
15
305
580
@MsftSecIntel
Microsoft Threat Intelligence
3 years
The hashes for the two-stage destructive malware are now in VirusTotal: stage1.exe: stage2.exe:
18
238
562
@MsftSecIntel
Microsoft Threat Intelligence
5 years
With lockdown still in place in many parts of the world, attackers are paying attention to the increase in use of pirate streaming services and torrent downloads. We saw an active coin miner campaign that inserts a malicious VBScript into ZIP files posing as movie downloads.
14
189
532
@MsftSecIntel
Microsoft Threat Intelligence
3 years
There has been a spike in email campaigns using HTML smuggling to deploy banking Trojans, RATs, and ransomware. Attackers use this technique to build malware on a device via the browser instead of passing payloads directly through the network. Details:
10
287
549
@MsftSecIntel
Microsoft Threat Intelligence
2 years
Microsoft has discovered a post-compromise capability we’re calling MagicWeb, which the threat actor tracked as NOBELIUM is using to maintain persistent access to environments they have compromised. In-depth technical analysis and hunting guidance here:
2
332
544
@MsftSecIntel
Microsoft Threat Intelligence
1 year
Microsoft has observed a new version of the BlackCat ransomware being used in recent campaigns. This version includes the open-source communication framework tool Impacket, which threat actors use to facilitate lateral movement in target environments.
4
218
550
@MsftSecIntel
Microsoft Threat Intelligence
5 years
Dudear (aka TA505/SectorJ04/Evil Corp), used in some of the biggest malware campaigns today, is back in operations this month after a short hiatus. While we saw some changes in tactics, the revived Dudear still attempts to deploy the info-stealing Trojan GraceWire.
10
153
520
@MsftSecIntel
Microsoft Threat Intelligence
5 years
Cybercriminals continue to take advantage of the coronavirus pandemic in multiple malware campaigns, including the new ransomware in the news this week. We uncovered a HawkEye campaign that uses emails with a misleading “corona virus cure” (sic) subject line.
6
468
519
@MsftSecIntel
Microsoft Threat Intelligence
3 years
New blog: In-depth analysis of newly detected NOBELIUM malware: a post-exploitation backdoor that Microsoft refers to as FoggyWeb. NOBELIUM uses FoggyWeb to remotely exfiltrate data from compromised AD FS servers. Get IOCs, protection info, and guidance:
4
300
517
@MsftSecIntel
Microsoft Threat Intelligence
3 years
New blog: Attackers used a large cloud-based infrastructure to compromise mailboxes via phishing then add forwarding rules that allowed them to get access to emails. Learn how cross-domain threat data led to the discovery & disruption of this BEC campaign.
6
244
522
@MsftSecIntel
Microsoft Threat Intelligence
3 years
We’ve been tracking a phishing campaign that has been using open redirects for months, and it continues to evolve and persist. As recently as last week, we detected a spam run that abused a different web app but utilized the same TTPs and infrastructure.
10
232
507
@MsftSecIntel
Microsoft Threat Intelligence
4 years
Our continued investigation into the Solorigate attack has uncovered new details about the handover from the Solorigate DLL backdoor (SUNBURST) to the Cobalt Strike loader (TEARDROP, Raindrop, and others):
6
289
496
@MsftSecIntel
Microsoft Threat Intelligence
1 year
Microsoft has identified highly targeted social engineering attacks by the threat actor Midnight Blizzard (previously NOBELIUM) using credential theft phishing lures sent as Microsoft Teams chats. Get detailed analysis, IOCs, and recommendations:
12
246
495
@MsftSecIntel
Microsoft Threat Intelligence
4 years
We're seeing numerous extensive hands-on-keyboard attacks emanating from the Gootkit malware, which is distributed via drive-by downloads as a JavaScript within a ZIP file. The JavaScript is launched via WScript and establishes C2, enabling attackers to take control of devices.
5
230
488
@MsftSecIntel
Microsoft Threat Intelligence
3 years
Microsoft has released security updates to address CVE-2021-34527 (Windows Print Spooler Remote Code Execution Vulnerability)
@msftsecresponse
Security Response
3 years
Microsoft has released updates to protect against CVE-2021-34527. Please see:
20
395
648
14
291
486
@MsftSecIntel
Microsoft Threat Intelligence
3 years
As we continue to monitor threats taking advantage of the CVE-2021-44228 Log4j 2 vulnerability, we’re seeing activity ranging from experimentation to exploitation from multiple groups, including nation-state actors and access brokers linked to ransomware:
8
291
473
@MsftSecIntel
Microsoft Threat Intelligence
11 months
Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector.
11
189
467
@MsftSecIntel
Microsoft Threat Intelligence
1 year
We’re sharing more details from our investigation of the Storm-0558 campaign that targeted customer email, including our analysis of the threat actor’s techniques, tools, and infrastructure, and the steps we took to harden systems involved:
10
247
461
@MsftSecIntel
Microsoft Threat Intelligence
3 years
The threat of malicious Excel 4.0 macros continues to evolve, with attackers finding new ways to evade detection. One technique that attackers have started to use recently involves external function calls that allow malicious code to jump across multiple macro sheets.
3
228
468
@MsftSecIntel
Microsoft Threat Intelligence
2 years
More actors are exploiting unpatched CVE-2023-27350 in print management software Papercut since we last reported on Lace Tempest. Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350.
4
196
456
@MsftSecIntel
Microsoft Threat Intelligence
5 years
New blog post: Microsoft Defender ATP data scientists developed a probabilistic time series model for detecting RDP brute force attacks and collaborated with threat hunters to protect customers against real-world threats through Microsoft Threat Experts
3
93
425
@MsftSecIntel
Microsoft Threat Intelligence
4 years
We're sharing additional details related to the attacks by the threat actor that Microsoft tracks as ZINC targeting security researchers. Read our analysis, and get IoCs, detection and hunting information, and recommended actions and preventive measures:
8
286
443
@MsftSecIntel
Microsoft Threat Intelligence
1 year
Microsoft has uncovered a supply chain attack by North Korean threat actor Diamond Sleet (ZINC) involving the modification of an installer file from software maker CyberLink. The payload calls back to attacker infrastructure for instructions. Learn more:
7
228
441
@MsftSecIntel
Microsoft Threat Intelligence
4 years
Microsoft took action against the Trickbot botnet, disrupting one of the world’s most persistent malware operations. In this blog, we detail the evolution of Trickbot, associated tactics, recent campaigns, and dive into the anatomy of a specific attack.
9
280
429
@MsftSecIntel
Microsoft Threat Intelligence
4 years
Our researchers are tracking a phishing infrastructure that’s being used to launch phishing attacks targeting enterprises. The campaign is notable for its use of HTML attachments that pose as Excel files and contain encoded information about targets, indicating prior recon.
10
210
433
@MsftSecIntel
Microsoft Threat Intelligence
4 years
Learn how the protection stack in Microsoft Defender for Office 365 works. This article details the four phases of filtering – edge protection, sender intelligence, content filtering, and post-delivery protection – that incoming mail passes through:
7
153
432
@MsftSecIntel
Microsoft Threat Intelligence
4 years
Ransomware campaigns are often described in terms of payload. In reality, however, a ransomware incident is a breach involving human adversaries attacking a network. Learn what this means. Read the Microsoft Digital Defense Report:
4
209
426
@MsftSecIntel
Microsoft Threat Intelligence
2 years
Microsoft detected a unique operation in which threat actors, tracked as MERCURY and DEV-1084, carried out destructive actions in both on-premises and cloud environments. Learn more about the observed activity and tools and get TTPs and protection info:
4
236
425
@MsftSecIntel
Microsoft Threat Intelligence
11 months
Microsoft has observed a significant surge in activity associated with the threat actor Storm-0539, known to target retail organizations for gift card fraud and theft using highly sophisticated email and SMS phishing during the holiday shopping season.
4
148
409
@MsftSecIntel
Microsoft Threat Intelligence
1 year
We’re releasing a second version of our threat matrix for storage services, a structured tool that can help identify and analyze potential security threats on data stored in cloud storage services. Learn about the new attack techniques in the matrix:
6
190
405
@MsftSecIntel
Microsoft Threat Intelligence
2 years
Microsoft researchers are tracking an ongoing wide-ranging click fraud campaign where attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices. Microsoft attributes the attack to a threat actor tracked as DEV-0796.
7
196
394
@MsftSecIntel
Microsoft Threat Intelligence
4 years
Microsoft Defender ATP is extending its protection capabilities to the firmware level with a new UEFI scanner
4
170
395
@MsftSecIntel
Microsoft Threat Intelligence
1 year
Microsoft Incident Response's investigation of a BlackByte 2.0 ransomware attack that progressed in less than five days highlights the importance of disrupting common attack patterns, stopping attacker activities that precede ransomware deployment:
9
181
395
@MsftSecIntel
Microsoft Threat Intelligence
6 years
An ongoing malvertising campaign is targeting gamers by using code-signed malware with file names like "pubg.exe", "minecraft.exe", "fortnite.exe", "chrome.exe", "apex.exe", "flash-player.exe", and "roblox.exe".
13
108
362
@MsftSecIntel
Microsoft Threat Intelligence
3 years
Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The vulnerability being exploited is CVE-2021-35211, reported by Microsoft and recently patched by SolarWinds.
3
236
392
@MsftSecIntel
Microsoft Threat Intelligence
4 years
MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections:
5
276
385
@MsftSecIntel
Microsoft Threat Intelligence
1 year
Beginning July 2023, Storm-0324, a financially motivated threat actor known to gain access to networks and then hand off access to other actors, was observed distributing payloads by sending phishing lures through Microsoft Teams chats. Get TTPs, mitigation:
9
163
391
@MsftSecIntel
Microsoft Threat Intelligence
4 years
We’re tracking a rampant phishing attack that uses DGA domains, free email services, and even compromised email accounts to send massive numbers of phishing emails. These emails are linked by open redirector URLs that begin with a distinct pattern: hxxps://t[.]domain[.]tld/r/?
3
220
382
@MsftSecIntel
Microsoft Threat Intelligence
3 months
Microsoft identified multiple vulnerabilities in the open-source platform OpenVPN, integrated into millions of devices worldwide, which could be exploited to create an attack chain allowing remote code execution (RCE) and local privilege escalation (LPE).
6
212
394
@MsftSecIntel
Microsoft Threat Intelligence
10 months
Microsoft has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, & Storm-1674, misusing the ms-appinstaller URI scheme (App Installer) to distribute malware. Get TTPs and protection info:
11
176
383
@MsftSecIntel
Microsoft Threat Intelligence
9 months
The latest biannual report on Iran from the Microsoft Threat Analysis Center (MTAC) presents details on the series of cyberattacks and influence operations launched by Iranian government-aligned actors since October 2023:
7
176
373
@MsftSecIntel
Microsoft Threat Intelligence
3 years
New blog: We're sharing technical information about CVE-2021-35211 that we shared with SolarWinds via coordinated vulnerability disclosure. Learn how we found the issue and how we worked with SolarWinds to fix the vulnerability and mitigate the attacks.
4
212
368
@MsftSecIntel
Microsoft Threat Intelligence
4 years
We’ve been building detailed and comprehensive investigation playbooks for analysts of different skill levels. This guide for new analysts describes steps for taking full advantage of Microsoft 365 Defender capabilities for triage, analysis, remediation:
1
124
367
@MsftSecIntel
Microsoft Threat Intelligence
5 years
New blog post: In-depth analysis of PowerShell-based downloader Trojan #sLoad, which uses the Background Intelligent Transfer Service (BITS) almost exclusively as an alternative protocol for data exfiltration and most of its other malicious activities:
5
127
354
@MsftSecIntel
Microsoft Threat Intelligence
2 years
Microsoft has discovered Raspberry Robin activity establishing its role in a complex, interconnected malware ecosystem that facilitates human-operated ransomware. Our latest blog details active operations and links to other malware and threat actors:
13
195
364
@MsftSecIntel
Microsoft Threat Intelligence
1 year
A large-scale remote encryption attempt from an Akira ransomware operator tracked by Microsoft as Storm-1567 was disrupted when Microsoft Defender for Endpoint identified and contained a compromised user account being used in the attack. Learn how:
1
102
359
@MsftSecIntel
Microsoft Threat Intelligence
4 years
We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering. The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc.
9
187
362
@MsftSecIntel
Microsoft Threat Intelligence
7 months
Microsoft Threat Analysis Center’s latest report notes that China is using fake social media accounts to poll U.S. voters on what divides them most to sow division and possibly influence the outcome of the U.S. presidential election in its favor.
19
168
355
@MsftSecIntel
Microsoft Threat Intelligence
4 years
We have expanded the integration of Antimalware Scan Interface (AMSI) with Office 365 to include the runtime scanning of Excel 4.0 (XLM) macros to help antivirus solutions tackle the increase in attacks that use malicious XLM macros
2
169
355
@MsftSecIntel
Microsoft Threat Intelligence
3 years
We're tracking an active BazaCall malware campaign leading to human-operated attacks and ransomware deployment. BazaCall campaigns use emails that lure recipients to call a number to cancel their supposed subscription to a certain service.
3
220
355
@MsftSecIntel
Microsoft Threat Intelligence
4 years
The recent surge of IcedID campaigns indicates that this malware family is likely being used to fill in some of the void left by recent malware infrastructure disruptions. We are tracking multiple active IcedID campaigns of various sizes, delivery methods, and targets.
4
186
351
@MsftSecIntel
Microsoft Threat Intelligence
2 years
Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505).
3
163
353
@MsftSecIntel
Microsoft Threat Intelligence
2 years
Microsoft Detection and Response Team (DART) was engaged to lead the investigation on destructive cyberattacks launched against the Albanian government in mid-July. We assess that the attack was launched by an Iranian state-sponsored actor. Full report:
4
170
348
@MsftSecIntel
Microsoft Threat Intelligence
23 days
Since the beginning of September 2024, Microsoft Threat Intelligence has observed a phishing campaign using emails with “eFax” themed lures containing links or QR codes within PDF attachments, leading to a domain controlled by the EvilProxy phishing-as-a-service (PhaaS) platform.
7
105
357
@MsftSecIntel
Microsoft Threat Intelligence
3 years
We recently discovered the latest variant of a Mac malware tracked as UpdateAgent (aka WizardUpdate) with new persistence and evasion tactics, the latest in a series of upgrades over the past year. Given its history, this Trojan will likely continue to grow in sophistication.
6
154
340
@MsftSecIntel
Microsoft Threat Intelligence
5 years
Phishing has been quietly evolving. In 2019, we saw phishing attacks reach new levels of creativity and sophistication. Here are the most notable phishing techniques that Office 365 ATP spotted this year.
4
128
336
@MsftSecIntel
Microsoft Threat Intelligence
11 months
Following exploitation, Midnight Blizzard uses scheduled tasks to keep a variant of VaporRage malware persistent. The VaporRage variant, which is similar to malware deployed by the threat actor in recent phishing campaigns, abuses Microsoft OneDrive and Dropbox for C2.
1
37
341
@MsftSecIntel
Microsoft Threat Intelligence
7 months
Microsoft has identified longstanding activity by the Russian-based threat actor we track as Forest Blizzard using a custom tool we call GooseEgg to exploit CVE-2022-38028 in the Windows Print Spooler service to elevate permissions and steal credentials:
5
165
345
@MsftSecIntel
Microsoft Threat Intelligence
2 years
Human-operated ransomware, a class of attacks driven by expert human intelligence and culminating in intentional business disruption and extortion, has become even more impactful in recent years with the evolution of the cybercrime gig economy:
6
190
342
@MsftSecIntel
Microsoft Threat Intelligence
4 years
Microsoft Threat Intelligence Center (MSTIC) is naming the actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, & related components as NOBELIUM. Read our analysis of 3 new malware used in late-stage activity by this actor.
3
230
340
@MsftSecIntel
Microsoft Threat Intelligence
3 years
We are tracking multiple active email campaigns that use BazarLoader to deliver a wide range of payloads. These campaigns appear disparate but share a common trait: their tactics attempt to challenge conventional email security solutions and best practices.
2
158
337
@MsftSecIntel
Microsoft Threat Intelligence
2 years
A threat group tracked by Microsoft as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream, which reportedly sells a suite of exploits, malware, and infra. Read our analysis in collaboration with @citizenlab:
2
197
336
@MsftSecIntel
Microsoft Threat Intelligence
5 years
Attack Surface Analyzer 2.0: Runs on Windows, Linux, macOS. Available as an open source project on GitHub. Includes both Electron & command line interface options. For the latter, results are written to an HTML or JSON file that can be added to an automated toolchain.
1
190
336
@MsftSecIntel
Microsoft Threat Intelligence
3 years
An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters.
9
185
334
@MsftSecIntel
Microsoft Threat Intelligence
10 months
Microsoft has observed a subset of Iran-based threat actor Mint Sandstorm (PHOSPHORUS) employing new TTPs to improve initial access, defense evasion, and persistence in campaigns targeting individuals at universities and research orgs. Read our analysis:
9
135
329
@MsftSecIntel
Microsoft Threat Intelligence
5 years
A new malware campaign we dubbed #Nodersok delivers two very unusual LOLBins to turn infected machines into zombie proxies. Read our latest research here:
5
216
328
@MsftSecIntel
Microsoft Threat Intelligence
5 years
Several documents that contain Base64-encoded malicious codes in the Comments property of their metadata (which makes them, quite literally, documents with malicious properties) that are decoded into various payloads, including a Metasploit implant, surfaced last week.
8
178
328
@MsftSecIntel
Microsoft Threat Intelligence
3 years
Today, Microsoft is open sourcing Cloud Katana, a cloud-native serverless application built on the top of Azure Functions to assess security controls in the cloud and hybrid cloud environments. Read about the design principles and learn how to deploy:
7
155
332
@MsftSecIntel
Microsoft Threat Intelligence
5 years
An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction.
6
158
313