Threat intelligence

The Microsoft Threat Intelligence community is made up of world-class experts, security researchers, analysts, and threat hunters who analyze 100 trillion signals daily to discover threats and deliver timely and timely, relevant insight to protect customers. See our latest findings, insights, and guidance.

Refine Results

Filtered by

Clear All

Threat intelligence
Microsoft Defender
Microsoft Defender Vulnerability Management

Refine results

Sort By

Content Type

Topic

Products and services

Publish date

Start Date

End Date

December 15, 2025

16 min read

Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components

CVE-2025-55182 (also referred to as React2Shell and includes CVE-2025-66478, which was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components and related frameworks.
October 6, 2025

8 min read

Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability

Storm-1175, a financially motivated actor known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the deserialization vulnerability in GoAnywhere MFT’s License Servlet, tracked as CVE-2025-10035.
August 18, 2025

16 min read

Dissecting PipeMagic: Inside the architecture of a modular backdoor framework

A comprehensive technical deep dive on PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application.
July 22, 2025

20 min read

Disrupting active exploitation of on-premises SharePoint vulnerabilities

Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers.
Retain Microsoft Security Experts

Microsoft Security Experts are now available to strengthen your team with managed security services. Learn how to defend against threats with security experts.

Get started
May 1, 2025

9 min read

Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape

Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system.
April 9, 2025

13 min read

Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI

Exchange Server and SharePoint Server are business-critical assets and considered crown-jewels for many organizations, making them attractive targets for attacks.
March 5, 2025

13 min read

Silk Typhoon targeting IT supply chain

Silk Typhoon is a Chinese state actor focused on espionage campaigns targeting a wide range of industries in the US and throughout the world.
January 13, 2025

9 min read

Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions

Microsoft discovered a macOS vulnerability allowing attackers to bypass System Integrity Protection (SIP) by loading third party kernel extensions, which could lead to serious consequences, such as allowing attackers to install rootkits, create persistent malware, bypass Transparency, Consent, and Control (TCC), and expand the attack surface to perform other unauthorized operations.
Modernize your Security Operations Center with Microsoft Sentinel

Microsoft Sentinel is a cloud-native SIEM solution powered by AI and automation that delivers intelligent security analytics across your entire enterprise.

Learn more
September 26, 2024

20 min read

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

August 27, 2025 update: Storm-0501 has continuously evolved to achieve sharpened focus on cloud-based TTPs as their primary objective shifted from deploying on-premises endpoint ransomware to using cloud-based ransomware tactics.
August 8, 2024

15 min read

Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE

Microsoft researchers found multiple vulnerabilities in OpenVPN that could lead to an attack chain allowing remote code execution and local privilege escalation.
July 25, 2024

11 min read

Onyx Sleet uses array of malware to gather intelligence for North Korea

On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet.
May 1, 2024

15 min read

“Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps

Microsoft discovered a vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s internal data storage directory, which could lead to arbitrary code execution and token theft, among other impacts.

Threat intelligence

Filtered by

Refine results

Retain Microsoft Security Experts

Modernize your Security Operations Center with Microsoft Sentinel

Get started with Microsoft Security