Microsoft Threat Intelligence, Author at Microsoft Security Blog

Research
November 8, 2021
7 min read

Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus

Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539 in a targeted campaign.

Research
October 28, 2021
7 min read

Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection

Microsoft found a vulnerability (CVE-2021-30892) that could allow an attacker to bypass System Integrity Protection (SIP) in macOS.

Lightly bearded man working on a laptop while sitting next to another person on a dark blue couch.

Research
October 25, 2021
13 min read

NOBELIUM targeting delegated administrative privileges to facilitate broader attacks

The Microsoft Threat Intelligence Center (MSTIC) has detected nation-state activity associated with the threat actor tracked as NOBELIUM, attempting to gain access to downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations.

Man in a hooded sweater/sweatshirt inside a secure room, pointing at a geographic area displayed on a large monitor.

Research
October 21, 2021
13 min read

Franken-phish: TodayZoo built from other phishing kits

A phishing kit built using pieces of code copied from other kits, some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today.

Research
October 11, 2021
8 min read

Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors

MSTIC has observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on United States and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.

Research
September 27, 2021
20 min read

FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor

In-depth analysis of newly detected NOBELIUM malware: a post-exploitation backdoor that Microsoft Threat Intelligence Center (MSTIC) refers to as FoggyWeb.

Research
September 21, 2021
15 min read

Catching the big fish: Analyzing a large-scale phishing-as-a-service operation

With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today.

Research
September 15, 2021
8 min read

Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability

This blog details our in-depth analysis of the attacks that used the CVE-2021-40444, provides detection details and investigation guidance for Microsoft 365 Defender customers, and lists mitigation steps for hardening networks against this and similar attacks.

Research
August 26, 2021
10 min read

Widespread credential phishing campaign abuses open redirector links

Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links, which allow attackers to use a URL in a trusted domain and embed the eventual final malicious URL as a parameter.

Research
August 18, 2021
11 min read

Trend-spotting email techniques: How modern phishing emails hide in plain sight

By spotting trends in the techniques used by attackers in phishing attacks, we can swiftly respond to attacks and use the knowledge to improve customer security and build comprehensive protections through Microsoft Defender for Office 365 and other solutions.

Research
August 12, 2021
13 min read

Attackers use Morse code, other encryption methods in evasive phishing campaign

During our year-long investigation of a targeted, invoice-themed XLS.

Research
August 4, 2021
8 min read

Spotting brand impersonation with Swin transformers and Siamese neural networks

Our security solutions use multiple detection and prevention techniques to help users avoid divulging sensitive information to phishers as attackers continue refining their impersonation tricks.

Microsoft Threat Intelligence posts