-
-
Automatic disruption of human-operated attacks through containment of compromised user accounts
User containment is a unique and innovative defense mechanism that stops human-operated attacks in their tracks. We’ve added user containment to the automatic attack disruption capability in Microsoft Defender for Endpoint. User containment is automatically triggered by high-fidelity signals and limits attackers’ ability to move laterally within a network regardless of the compromised account’s Active Directory state or privilege level. -
Malware distributor Storm-0324 facilitates ransomware access
The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool […] -
Storm-0978 attacks reveal financial and espionage motives
Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a zero-day remote code execution vulnerability exploited via Microsoft Word documents. -
The five-day job: A BlackByte ransomware intrusion case study
In a recent investigation by Microsoft Incident Response of a BlackByte 2.0 ransomware attack, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization. -
Stopping C2 communications in human-operated ransomware through network protection
Providing advanced protection against increasingly sophisticated human-operated ransomware, Microsoft Defender for Endpoint’s network protection leverages threat intelligence and machine learning to block command-and-control (C2) communications. -
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
Microsoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread. -
DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector
In recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society. -
Defenders beware: A case for post-ransomware investigations
The Microsoft Detection and Response Team (DART) details a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code. -
New “Prestige” ransomware impacts organizations in Ukraine and Poland
The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign attributed to IRIDIUM targeting organizations in the logistics and transportation industry in Ukraine and Poland utilizing a previously unidentified ransomware payload.
Retain Microsoft Security Experts
Microsoft Security Experts are now available to strengthen your team with managed security services. Learn how to defend against threats with security experts.
Simplify endpoint management with Microsoft Intune
Microsoft Intune is a cloud-based unified endpoint management platform that empowers IT to manage, assess, and protect apps and devices.
