Microsoft Security

Microsoft Security

Sign in

Image of two coworkers collaborating at a desk.

Microsoft Detection and Response Team (DART)

A blog series focused on the latest attack methods as well as cybersecurity best practices derived from our investigations and engagements, helping our customers respond to compromises and become cyber-resilient.

Photo of enterprise office workers in focused work in an open work space.

March 24, 2023 • 17 min read

Guidance for investigating attacks using CVE-2023-23397

This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397.

Multicolor arrows pointing towards a center dot, with a yellow diamond filled with 1’s and 0’s and a bug crawling towards it to suggest malware.

February 8, 2023 • 2 min read

Solving one of NOBELIUM’s most novel attacks: Cyberattack Series

This is the first in an ongoing series exploring some of the most notable cases of the Microsoft Detection and Response Team (DART), which investigates cyberattacks on behalf of our customers. The Cyberattack Series takes you behind the scenes for an inside look at the investigation and share lessons that you can apply to better protect your own organization. In this story, we’ll explore how NOBELIUM continues to target identity providers with novel attacks—and how Microsoft DART identified one of NOBELIUM‘s most creative exploits yet.

female developer wearing headphones; coding at her PC workspace in an enterprise office, using Visual Studio on a multi-monitor set up.

December 12, 2022 • 10 min read

IIS modules: The evolution of web shells and how to detect them

This blog aims to provide further guidance on detecting malicious IIS modules and other capabilities that you can use during your own incident response investigations.

Male developer coding in front of two monitors at desk in office. Programming code shown on both monitors.

November 16, 2022 • 9 min read

Token tactics: How to prevent, detect, and respond to cloud token theft

As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA. Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose.

Two males and three females collaborating in a conference room featuring an HP Teams Meeting Rooms touch display. The meeting has nine remote participants shown on a wall mounted display joined via Teams Meetings. Two subjects are using Surface devices.

November 2, 2022 • 9 min read

Microsoft Security tips for mitigating risk in mergers and acquisitions

Mergers and acquisitions can be challenging. Microsoft’s Security Experts share what to ask before, during, and after one to secure identity, access control, and communications.

Practitioner and CISO collaboration in a security war room.

October 18, 2022 • 13 min read

Defenders beware: A case for post-ransomware investigations

The Microsoft Detection and Response Team (DART) details a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code.

Practitioner and CISO collaboration in a security operations center.

September 21, 2022 • 6 min read

The art and science behind Microsoft threat hunting: Part 2

In this follow-up post in our series about threat hunting, we talk about some general hunting strategies, frameworks, tools, and how Microsoft incident responders work with threat intelligence.

Chief information security officer presents to the board of executives on security topics.

September 8, 2022 • 7 min read

The art and science behind Microsoft threat hunting: Part 1

At Microsoft, we define threat hunting as the practice of actively looking for cyberthreats that have covertly (or not so covertly) penetrated an environment. This involves looking beyond the known alerts or malicious threats to discover new potential threats and vulnerabilities.

September 8, 2022 • 20 min read

Microsoft investigates Iranian attacks against the Albanian government

Shortly after the destructive cyberattacks on the Albanian government in mid-July, the Microsoft Detection and Response Team (DART) was engaged to lead an investigation into the attacks.

Ground-up view of a city‘s architecture and skyline.

August 24, 2022 • 21 min read

MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone

Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments.

Security practitioner in front of two computer screens, working on their laptop to investigate threats.

April 12, 2022 • 7 min read

Tarrask malware uses scheduled tasks for defense evasion

Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates “hidden” scheduled tasks as a defense evasion technique. In this post, we will demonstrate how threat actors create scheduled tasks, how they cover their tracks, and how the malware's evasion techniques are used to maintain and ensure persistence on systems.

Microsoft Cyber Defense Operations Center

March 22, 2022 • 17 min read

DEV-0537 criminal actor targeting organizations for data exfiltration and destruction

The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads.